[strongSwan] strongSwan, swanctl and systemd
Prashant
prashantog at gmail.com
Sun Feb 14 09:18:43 CET 2016
SeGw (Secure Gateway, responder) and RW (Roadwarrior client, initiator)
SeGw commands:
1. root at calr720-vmprgu1:/home/user# ipsec restart
Stopping strongSwan IPsec...
Starting strongSwan 5.3.5 IPsec [starter]...
!! Your strongswan.conf contains manual plugin load options for charon.
!! This is recommended for experts only, see
!! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
2. root at calr720-vmprgu1:/home/user# swanctl --load-all
loaded ike secret 'ike-carol'
loaded ike secret 'ike-dave'
no authorities found, 0 unloaded
no pools found, 0 unloaded
loaded connection 'rw'
successfully loaded 1 connections, 0 unloaded
Roadwarrior commands:
1. root at calr720-vmprgu2:/home/user# ipsec restart
Stopping strongSwan IPsec...
Starting strongSwan 5.3.5 IPsec [starter]...
!! Your strongswan.conf contains manual plugin load options for charon.
!! This is recommended for experts only, see
!! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
2. root at calr720-vmprgu2:/home/user# swanctl --load-all
loaded ike secret 'ike-moon'
no authorities found, 0 unloaded
no pools found, 0 unloaded
loaded connection 'home'
successfully loaded 1 connections, 0 unloaded
3. root at calr720-vmprgu2:/home/user# swanctl -i --child home
[IKE] initiating IKE_SA home[1] to 192.168.0.1
...
initiate completed successfully
SeGw swanctl.conf configuration:
root at calr720-vmprgu1:/home/user# cat /usr/local/etc/swanctl/swanctl.conf
# SeGw (responder) swanctl.conf: one road-warrior connection "rw" plus the
# pre-shared keys of the two peers that are allowed to use it.
connections {
  rw {
    # The gateway listens on 192.168.0.1.  No remote_addrs is given, so
    # "swanctl --list-conns" shows the remote as %any and any initiator
    # address is accepted.
    local_addrs = 192.168.0.1
    local {
      auth = psk
    }
    remote {
      # No id constraint: a peer is accepted when its IKE identity matches an
      # entry under secrets{} below (ids 192.168.0.100 and 192.168.0.200).
      auth = psk
    }
    children {
      net {
        # Protected subnet behind the gateway.  remote_ts is left dynamic and
        # is narrowed to the peer address (192.168.0.200/32 in --list-sas).
        local_ts = 10.1.0.0/16
        # The gateway never initiates; the road warrior brings the SA up with
        # "swanctl -i --child home".
        start_action = none
        updown = /usr/local/libexec/ipsec/_updown iptables
        rekey_time = 10m
        # AES-128-GCM (integrated ICV) plus a modp2048 DH group, which adds
        # PFS to CHILD_SA rekeys.  Shows up as ESP:AES_GCM_16-128 in --list-sas.
        esp_proposals = aes128gcm128-modp2048
      }
    }
    version = 2
    reauth_time = 60m
    rekey_time = 20m
    # IKE proposal; identical on the road-warrior side.
    proposals = aes128-sha256-modp2048
  }
}
secrets {
  # One PSK per peer, selected by the peer's IKE identity (its IP address here).
  # NOTE(review): these key values are printed in a public mailing-list post and
  # must be treated as compromised; use them only in an isolated lab.
  ike-carol {
    id = 192.168.0.100
    secret = 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
  }
  ike-dave {
    # Same value the road warrior (192.168.0.200) configures as "ike-moon".
    id = 192.168.0.200
    secret = 0sjVzONCF02ncsgiSlmIXeqhGN
  }
}
SeGw strongswan.conf configuration:
root at calr720-vmprgu1:/home/user# cat /usr/local/etc/strongswan.conf
# /etc/strongswan.conf - strongSwan configuration file
# (On this host the file lives at /usr/local/etc/strongswan.conf, as the
# "cat" above shows; the path in the header line is the upstream template
# comment only.)
swanctl {
  # Plugins the swanctl tool itself loads, mainly for parsing credentials.
  load = pem pkcs1 x509 revocation constraints pubkey openssl random
}
charon {
  # Explicit plugin list; this is what triggers the "manual plugin load
  # options ... experts only" warning printed by "ipsec restart".
  # NOTE(review): md5 and des are loaded although neither the IKE proposal
  # (aes128-sha256-modp2048) nor the ESP proposal (aes128gcm128) in
  # swanctl.conf uses them; with a manual list, unused legacy plugins can be
  # omitted.  (The list was wrapped by the mail client; it is one line.)
  load = sha1 sha2 md5 aes des hmac gmp random nonce kernel-netlink socket-default updown vici
  start-scripts {
    # Executed by charon at start-up so credentials and connections are loaded
    # without operator action; the manual "swanctl --load-all" in the
    # transcript reloads the same files.
    creds = /usr/local/sbin/swanctl --load-creds
    conns = /usr/local/sbin/swanctl --load-conns
  }
}
Roadwarrior swanctl configuration:
root at calr720-vmprgu2:/home/user# cat /usr/local/etc/swanctl/swanctl.conf
# Road-warrior (initiator) swanctl.conf: a single connection "home" to the SeGw.
connections {
  home {
    local_addrs = 192.168.0.200
    remote_addrs = 192.168.0.1
    local {
      auth = psk
      # IKE identity sent to the gateway (IDi); it is what the gateway matches
      # against the id of its "ike-dave" secret.
      id = 192.168.0.200
    }
    remote {
      auth = psk
      # Expected gateway identity (IDr); matches the id under secrets{} below.
      id = 192.168.0.1
    }
    children {
      home {
        # Subnet behind the gateway.  local_ts is left dynamic and ends up as
        # 192.168.0.200/32 (see --list-sas).
        remote_ts = 10.1.0.0/16
        # Nothing is started automatically; the SA is brought up by hand with
        # "swanctl -i --child home".
        start_action = none
        updown = /usr/local/libexec/ipsec/_updown iptables
        rekey_time = 10m
        # AES-128-GCM plus a modp2048 DH group, adding PFS to CHILD_SA rekeys.
        esp_proposals = aes128gcm128-modp2048
      }
    }
    version = 2
    reauth_time = 60m
    rekey_time = 20m
    # IKE proposal; must intersect with the gateway's (identical here).
    proposals = aes128-sha256-modp2048
  }
}
secrets {
  # PSK used with the peer whose identity is 192.168.0.1 (the SeGw).  The
  # value equals the gateway's "ike-dave" entry for this client.
  # NOTE(review): the key is visible in a public mailing-list post; treat it as
  # compromised and use it only in an isolated lab.
  ike-moon {
    id = 192.168.0.1
    secret = 0sjVzONCF02ncsgiSlmIXeqhGN
  }
}
Roadwarrior strongswan configuration:
root at calr720-vmprgu2:/home/user# cat /usr/local/etc/strongswan.conf
# /etc/strongswan.conf - strongSwan configuration file
# (Installed at /usr/local/etc/strongswan.conf on this host, per the "cat"
# above; identical to the SeGw's strongswan.conf.)
swanctl {
  # Plugins the swanctl tool loads for parsing credentials.
  load = pem pkcs1 x509 revocation constraints pubkey openssl random
}
charon {
  # Explicit plugin list; causes the "experts only" warning on "ipsec restart".
  # NOTE(review): md5 and des are not referenced by any proposal in
  # swanctl.conf and can be dropped from a manual list.  (Wrapped by the mail
  # client; this is one line.)
  load = sha1 sha2 md5 aes des hmac gmp random nonce kernel-netlink socket-default updown vici
  start-scripts {
    # Run by charon after start-up, so secrets and connections are loaded
    # automatically; "swanctl --load-all" in the transcript reloads the same.
    creds = /usr/local/sbin/swanctl --load-creds
    conns = /usr/local/sbin/swanctl --load-conns
  }
}
SeGw Stats:
root at calr720-vmprgu1:/home/user# swanctl --stats
uptime: 2 minutes, since Feb 14 12:45:47 2016
worker threads: 16 total, 11 idle, working: 4/0/1/0
job queues: 0/0/0/0
jobs scheduled: 4
IKE_SAs: 1 total, 0 half-open
mallinfo: sbrk 2424832, mmap 0, used 204112, free 2220720
root at calr720-vmprgu1:/home/user# swanctl --list-conns
rw: IKEv2
local: 192.168.0.1
remote: %any
local pre-shared key authentication:
remote pre-shared key authentication:
net: TUNNEL
local: 10.1.0.0/16
remote: dynamic
root at calr720-vmprgu1:/home/user# swanctl --list-sas
rw: #2, ESTABLISHED, IKEv2, 16cd98c6c2d2dd33:bb7c2f2b27a2dd2c
local '192.168.0.1' @ 192.168.0.1
remote '192.168.0.200' @ 192.168.0.200
AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
established 28s ago, rekeying in 950s, reauth in 3522s
net: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-128
installed 28s ago, rekeying in 513s, expires in 632s
in ccc4a0d1, 0 bytes, 0 packets
out ca6cb230, 0 bytes, 0 packets
local 10.1.0.0/16
remote 192.168.0.200/32
root at calr720-vmprgu1:/home/user# ifconfig
eth1 Link encap:Ethernet HWaddr 52:54:00:a9:28:17
inet addr:192.168.0.1 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::5054:ff:fea9:2817/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:76475598 errors:0 dropped:1 overruns:0 frame:0
TX packets:2969 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:4138352202 (4.1 GB) TX bytes:298427 (298.4 KB)
eth2 Link encap:Ethernet HWaddr 52:54:00:6f:8d:a6
inet addr:10.1.0.1 Bcast:10.255.255.255 Mask:255.0.0.0
inet6 addr: fe80::5054:ff:fe6f:8da6/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:61407 errors:0 dropped:0 overruns:0 frame:0
TX packets:7 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:10872695 (10.8 MB) TX bytes:578 (578.0 B)
Roadwarrior Stats:
root at calr720-vmprgu2:/home/user# swanctl --stats
uptime: 108 seconds, since Feb 14 12:38:03 2016
worker threads: 16 total, 11 idle, working: 4/0/1/0
job queues: 0/0/0/0
jobs scheduled: 4
IKE_SAs: 1 total, 0 half-open
mallinfo: sbrk 2424832, mmap 0, used 202608, free 2222224
root at calr720-vmprgu2:/home/user#
root at calr720-vmprgu2:/home/user#
root at calr720-vmprgu2:/home/user# swanctl --list-conns
home: IKEv2
local: 192.168.0.200
remote: 192.168.0.1
local pre-shared key authentication:
id: 192.168.0.200
remote pre-shared key authentication:
id: 192.168.0.1
home: TUNNEL
local: dynamic
remote: 10.1.0.0/16
root at calr720-vmprgu2:/home/user# swanctl --list-sas
home: #1, ESTABLISHED, IKEv2, 0fd28b802869b55a:d40338e7b3bfd4e6
local '192.168.0.200' @ 192.168.0.200
remote '192.168.0.1' @ 192.168.0.1
AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
established 158s ago, rekeying in 749s, reauth in 2777s
home: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-128
installed 177s ago, rekeying in 437s, expires in 503s
in cd324ab9, 0 bytes, 0 packets
out c2177512, 0 bytes, 0 packets
local 192.168.0.200/32
remote 10.1.0.0/16
root at calr720-vmprgu2:/home/user# ifconfig
eth1 Link encap:Ethernet HWaddr 52:54:00:76:ae:5f
inet addr:192.168.0.200 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::5054:ff:fe76:ae5f/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:21641 errors:0 dropped:0 overruns:0 frame:0
TX packets:951 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:3770035 (3.7 MB) TX bytes:124285 (124.2 KB)
Roadwarrior -> SeGw traffic (pinging the subnet behind the SeGw; packet capture attached as strongswan-swanctl.pcap). Note that the transcript below runs `ping 10.1.0.11 -n 5`: on Linux ping `-n` only disables name resolution, so the trailing `5` is taken as the destination host (hence `PING 5 (0.0.0.5)`); the option for sending five packets is `-c 5`.
root at calr720-vmprgu2:/home/user# ping 10.1.0.11 -n 5
PING 5 (0.0.0.5) 56(124) bytes of data.
13:13:00.547988 IP 192.168.0.200 > 192.168.0.1:
ESP(spi=0xc2118038,seq=0x41), length 128
13:13:01.545795 IP 192.168.0.200 > 192.168.0.1:
ESP(spi=0xc2118038,seq=0x42), length 128
Roadwarrior Logs:
root at calr720-vmprgu2:/home/user# swanctl -i --child home
[IKE] initiating IKE_SA home[1] to 192.168.0.1
[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
N(HASH_ALG) ]
[NET] sending packet: from 192.168.0.200[500] to 192.168.0.1[500] (448 bytes)
[NET] received packet: from 192.168.0.1[500] to 192.168.0.200[500] (456 bytes)
[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
N(HASH_ALG) N(MULT_AUTH) ]
[IKE] authentication of '192.168.0.200' (myself) with pre-shared key
[IKE] establishing CHILD_SA home
[ENC] generating IKE_AUTH request 1 [ IDi IDr AUTH SA TSi TSr N(MOBIKE_SUP)
N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
[NET] sending packet: from 192.168.0.200[4500] to 192.168.0.1[4500] (256 bytes)
[IKE] retransmit 1 of request with message ID 1
[NET] sending packet: from 192.168.0.200[4500] to 192.168.0.1[4500] (256 bytes)
[IKE] retransmit 2 of request with message ID 1
[NET] sending packet: from 192.168.0.200[4500] to 192.168.0.1[4500] (256 bytes)
[NET] received packet: from 192.168.0.1[4500] to 192.168.0.200[4500] (256 bytes)
[ENC] parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT)
N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
[IKE] authentication of '192.168.0.1' with pre-shared key successful
[IKE] IKE_SA home[1] established between
192.168.0.200[192.168.0.200]...192.168.0.1[192.168.0.1]
[IKE] scheduling rekeying in 907s
[IKE] scheduling reauthentication in 3403s
[IKE] maximum IKE_SA lifetime 1267s
[IKE] CHILD_SA home{1} established with SPIs cd324ab9_i c2177512_o and TS
192.168.0.200/32 === 10.1.0.0/16
[IKE] received AUTH_LIFETIME of 3294s, scheduling reauthentication in 2934s
[IKE] peer supports MOBIKE
initiate completed successfully
root at calr720-vmprgu2:/home/user# swanctl --stats
uptime: 108 seconds, since Feb 14 12:38:03 2016
worker threads: 16 total, 11 idle, working: 4/0/1/0
job queues: 0/0/0/0
jobs scheduled: 4
IKE_SAs: 1 total, 0 half-open
mallinfo: sbrk 2424832, mmap 0, used 202608, free 2222224
root at calr720-vmprgu2:/home/user#
root at calr720-vmprgu2:/home/user#
Note:
strongSwan has to be built with ./configure --enable-swanctl (swanctl must be
installed before it can be used).
Reference: Topology, configuration :
https://www.strongswan.org/uml/testresults/swanctl/rw-psk-ipv4/index.html