done
##
+# Levels CA and sub-CAs
+cd /etc/ca/levels
+
+# generate CRLs for Levels CA and sub-CAs
+pki --signcrl --cakey levelsKey.pem --cacert levelsCert.pem \
+ > ${ROOT}/levels.crl
+pki --signcrl --cakey levelsKey_l2.pem --cacert levelsCert_l2.pem \
+ > ${ROOT}/levels_l2.crl
+pki --signcrl --cakey levelsKey_l3.pem --cacert levelsCert_l3.pem \
+ > ${ROOT}/levels_l3.crl
+
+##
# strongSwan EC Root CA
cd /etc/ca/ecdsa
SALES_CERT_DER="${SALES_DIR}/salesCert.der"
SALES_CDP="http://crl.strongswan.org/sales.crl"
#
+LEVELS_DIR="${CA_DIR}/levels"
+LEVELS_KEY="${LEVELS_DIR}/levelsKey.pem"
+LEVELS_CERT="${LEVELS_DIR}/levelsCert.pem"
+LEVELS_CDP="http://crl.strongswan.org/levels.crl"
+LEVELS_L2_KEY="${LEVELS_DIR}/levelsKey_l2.pem"
+LEVELS_L2_CERT="${LEVELS_DIR}/levelsCert_l2.pem"
+LEVELS_L2_CDP="http://crl.strongswan.org/levels_l2.crl"
+LEVELS_L3_KEY="${LEVELS_DIR}/levelsKey_l3.pem"
+LEVELS_L3_CERT="${LEVELS_DIR}/levelsCert_l3.pem"
+LEVELS_L3_CDP="http://crl.strongswan.org/levels_l3.crl"
+#
DUCK_DIR="${CA_DIR}/duck"
DUCK_KEY="${DUCK_DIR}/duckKey.pem"
DUCK_CERT="${DUCK_DIR}/duckCert.pem"
mkdir -p ${RESEARCH_DIR}/keys
mkdir -p ${SALES_DIR}/certs
mkdir -p ${SALES_DIR}/keys
+mkdir -p ${LEVELS_DIR}/certs
mkdir -p ${DUCK_DIR}/certs
mkdir -p ${ECDSA_DIR}/certs
mkdir -p ${RFC3779_DIR}/certs
# Put DER-encoded moon private key and Root CA certificate into tkm scenarios
for t in host2host-initiator host2host-responder host2host-xfrmproxy \
- net2net-initiator net2net-xfrmproxy xfrmproxy-expire xfrmproxy-rekey
+ multi-level-ca net2net-initiator net2net-xfrmproxy xfrmproxy-expire \
+ xfrmproxy-rekey
do
TEST="${TEST_DIR}/tkm/${t}"
mkdir -p ${TEST}/hosts/moon/${TKM_DIR}
# Convert Sales CA certificate into DER format
openssl x509 -in ${SALES_CERT} -outform der -out ${SALES_CERT_DER}
+################################################################################
+# Multi-level CA Certificate Generation #
+################################################################################
+
+# Generate Levels Root CA (pathlen is higher than the regular root)
+pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${LEVELS_KEY}
+pki --self --type rsa --in ${LEVELS_KEY} --not-before "${START}" --not-after "${CA_END}" \
+ --ca --pathlen 2 --dn "C=CH, O=${PROJECT}, CN=strongSwan Levels Root CA" \
+ --outform pem > ${LEVELS_CERT}
+
+# For TKM's CA ID mapping
+LEVELS_SPK_HEX=`pki --keyid --type rsa --format hex --id spk --in ${LEVELS_KEY}`
+
+# Generate Levels L2 CA signed by Levels Root CA
+pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${LEVELS_L2_KEY}
+pki --issue --cakey ${LEVELS_KEY} --cacert ${LEVELS_CERT} --crl ${LEVELS_CDP} \
+ --type rsa --in ${LEVELS_L2_KEY} --not-before "${START}" --not-after "${IM_END}" \
+ --ca --dn "C=CH, O=${PROJECT}, OU=L2, CN=Levels L2 CA" \
+ --outform pem > ${LEVELS_L2_CERT}
+
+# Generate Levels L3 CA signed by Levels L2 CA
+pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${LEVELS_L3_KEY}
+pki --issue --cakey ${LEVELS_L2_KEY} --cacert ${LEVELS_L2_CERT} --crl ${LEVELS_L2_CDP} \
+ --type rsa --in ${LEVELS_L3_KEY} --not-before "${START}" --not-after "${IM_END}" \
+ --ca --dn "C=CH, O=${PROJECT}, OU=L3, CN=Levels L3 CA" \
+ --outform pem > ${LEVELS_L3_CERT}
+
+for t in swanctl/multi-level-ca-l3 tkm/multi-level-ca
+do
+ TEST="${TEST_DIR}/${t}"
+ for h in moon carol
+ do
+ mkdir -p ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
+ cp ${LEVELS_CERT} ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca
+ done
+ cp ${LEVELS_L2_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca
+ cp ${LEVELS_L3_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca
+done
+
+# Put DER-encoded Levels CA certificate into tkm scenario
+TEST="${TEST_DIR}/tkm/multi-level-ca"
+mkdir -p ${TEST}/hosts/moon/${TKM_DIR}
+openssl x509 -in ${LEVELS_CERT} -outform der -out ${TEST}/hosts/moon/${TKM_DIR}/levelsCert.der
+
+################################################################################
+
# Generate an AES-128 encrypted moon key and a SHA-224 hashed certificate
TEST="${TEST_DIR}/ikev2/strong-keys-certs"
TEST_KEY="${TEST}/hosts/moon/${IPSEC_DIR}/private/moonKey-aes128.pem"
sed -i -e "s/EE_EXPIRATION/${EE_EXP}/g" ${SALES_DIR}/index.txt
################################################################################
+# Levels L3 CA #
+################################################################################
+
+# Generate a carol l3 certificate
+TEST="${TEST_DIR}/swanctl/multi-level-ca-l3"
+TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem"
+TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
+CN="carol@strongswan.org"
+SERIAL="01"
+mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
+mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
+pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY}
+pki --issue --cakey ${LEVELS_L3_KEY} --cacert ${LEVELS_L3_CERT} --type rsa \
+ --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+ --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=L3, CN=${CN}" \
+ --crl ${LEVELS_L3_CDP} --outform pem > ${TEST_CERT}
+cp ${TEST_CERT} ${LEVELS_DIR}/certs/${SERIAL}.pem
+
+for t in tkm/multi-level-ca
+do
+ TEST="${TEST_DIR}/${t}"
+ mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
+ mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
+ cp ${TEST_KEY} ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
+ cp ${TEST_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
+done
+
+################################################################################
# strongSwan EC Root CA #
################################################################################
################################################################################
for t in host2host-initiator host2host-responder host2host-xfrmproxy \
- net2net-initiator net2net-xfrmproxy xfrmproxy-expire xfrmproxy-rekey
+ multi-level-ca net2net-initiator net2net-xfrmproxy xfrmproxy-expire \
+ xfrmproxy-rekey
do
for h in moon
do
TEST_DATA="${TEST_DIR}/tkm/${t}/hosts/moon/etc/strongswan.conf"
sed -e "s/CA_SPK_HEX/${CA_SPK_HEX}/g" \
-e "s/CA_SPKI_HEX/${CA_SPKI_HEX}/g" \
+ -e "s/LEVELS_SPK_HEX/${LEVELS_SPK_HEX}/g" \
${TEST_DATA}.in > ${TEST_DATA}
done
done
--- /dev/null
+The VPN gateway <b>moon</b> controls the access to the hosts <b>alice</b> and
+<b>venus</b> by means of two different PKIs. Access to <b>alice</b> is granted
+to users presenting a certificate issued by the Levels Root CA (or any of its
+intermediate CAs) whereas <b>venus</b> can only be reached with a certificate
+issued by the regular strongSwan Root CA.
+The roadwarriors <b>carol</b> and <b>dave</b> have certificates from the
+Levels CA (actually from an second level intermediate CA) and strongSwan CA,
+respectively. Therefore <b>carol</b> can access <b>alice</b> and <b>dave</b>
+can reach <b>venus</b>.
--- /dev/null
+moon:: cat /var/log/daemon.log::fetching crl from.*http.*levels.crl::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*Levels Root CA::YES
+moon:: cat /var/log/daemon.log::fetching crl from.*http.*levels_l2.crl::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*Levels L2 CA::YES
+moon:: cat /var/log/daemon.log::fetching crl from.*http.*levels_l3.crl::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*Levels L3 CA::YES
+moon:: cat /var/log/daemon.log::fetching crl from.*http.*strongswan.crl::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*alice.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.10/32]::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::levels.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*alice.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.10/32] remote-ts=\[192.168.0.100/32]::YES
+carol::cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED.*child-sas.*venus.*state=INSTALLED::NO
+moon:: swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED.*remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*child-sas.*venus.*state=INSTALLED::NO
+dave:: cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES
+moon:: cat /var/log/daemon.log::constraint check failed: peer not authenticated by.*Levels Root CA::YES
+moon:: cat /var/log/daemon.log::selected peer config.*levels.*unacceptable::YES
+moon:: cat /var/log/daemon.log::switching to peer config.*rw::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED.*child-sas.*alice.*state=INSTALLED::NO
+moon:: swanctl --list-sas --raw 2> /dev/null::levels.*version=2 state=ESTABLISHED.*remote-host=192.168.0.100 remote-port=4500 remote-id=dave@strongswan.org.*child-sas.*alice.*state=INSTALLED::NO
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*venus.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.20/32]::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*venus.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.20/32] remote-ts=\[192.168.0.200/32]::YES
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default vici
+}
--- /dev/null
+connections {
+
+ home {
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ cacerts = strongswanCert.pem
+ revocation = strict
+ }
+ children {
+ alice {
+ remote_ts = 10.1.0.10/32
+ esp_proposals = aes128-sha256-ecp256
+ }
+ venus {
+ remote_ts = 10.1.0.20/32
+ esp_proposals = aes128-sha256-ecp256
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-ecp256
+ }
+}
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default vici
+}
--- /dev/null
+connections {
+
+ home {
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = daveCert.pem
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ cacerts = strongswanCert.pem
+ revocation = strict
+ }
+ children {
+ alice {
+ remote_ts = 10.1.0.10/32
+ esp_proposals = aes128-sha256-ecp256
+ }
+ venus {
+ remote_ts = 10.1.0.20/32
+ esp_proposals = aes128-sha256-ecp256
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-ecp256
+ }
+}
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default vici
+}
--- /dev/null
+connections {
+
+ levels {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ cacerts = levelsCert.pem
+ revocation = ifuri
+ }
+ children {
+ alice {
+ local_ts = 10.1.0.10/32
+ esp_proposals = aes128-sha256-ecp256
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-ecp256
+ }
+
+ rw {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ cacerts = strongswanCert.pem
+ revocation = ifuri
+ }
+ children {
+ venus {
+ local_ts = 10.1.0.20/32
+ esp_proposals = aes128-sha256-ecp256
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-ecp256
+ }
+}
--- /dev/null
+carol::swanctl --terminate --ike home 2> /dev/null
+dave::swanctl --terminate --ike home 2> /dev/null
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
+carol::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/*
+moon::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/*
--- /dev/null
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
+moon::expect-connection research
+carol::expect-connection alice
+carol::swanctl --initiate --child alice 2> /dev/null
+carol::swanctl --initiate --child venus 2> /dev/null
+dave::expect-connection alice
+dave::swanctl --initiate --child alice 2> /dev/null
+dave::swanctl --initiate --child venus 2> /dev/null
--- /dev/null
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice venus moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
*.der
+*.pem
strongswan.conf
--- /dev/null
+Two transport connections to gateway <b>moon</b> are set up, one from client
+<b>carol</b> and the other from client <b>dave</b>. The gateway <b>moon</b> uses
+the Trusted Key Manager (TKM) and is the responder for both connections. The
+authentication is based on X.509 certificates, where <b>carol</b> uses a
+certificate issued by a multi-level CA. In order to test the connections,
+both <b>carol</b> and <b>dave</b> ping gateway <b>moon</b>.
--- /dev/null
+moon:: swanctl --list-sas --raw 2> /dev/null::conn1.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_4096.*child-sas.*conn1.*state=INSTALLED mode=TRANSPORT.*ESP.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256.*local-ts=\[192.168.0.1/32] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::conn2.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_4096.*child-sas.*conn2.*state=INSTALLED mode=TRANSPORT.*ESP.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256.*local-ts=\[192.168.0.1/32] remote-ts=\[192.168.0.200/32]::YES
+carol::swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_4096.*child-sas.*host-host.*state=INSTALLED mode=TRANSPORT.*ESP.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256.*local-ts=\[192.168.0.100/32] remote-ts=\[192.168.0.1/32]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_4096.*child-sas.*host-host.*state=INSTALLED mode=TRANSPORT.*ESP.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256.*local-ts=\[192.168.0.200/32] remote-ts=\[192.168.0.1/32]::YES
+carol::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_.eq=1::YES
+dave::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_.eq=1::YES
+carol::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+carol::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+dave::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+dave::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+moon::cat /tmp/tkm.log::RSA private key '/etc/tkm/moonKey.der' loaded::YES
+moon::cat /tmp/tkm.log::Adding policy \[ 1, 192.168.0.1 <-> 192.168.0.100 \]::YES
+moon::cat /tmp/tkm.log::Adding policy \[ 2, 192.168.0.1 <-> 192.168.0.200 \]::YES
+moon::cat /tmp/tkm.log::Linked CC context 1 with CA certificate 2::YES
+moon::cat /tmp/tkm.log::Linked CC context 1 with CA certificate 1::YES
+moon::cat /tmp/tkm.log::Certificate chain of CC context 1 is valid::2
+moon::cat /tmp/tkm.log::Authentication of ISA context 1 successful::YES
+moon::cat /tmp/tkm.log::Authentication of ISA context 2 successful::YES
+moon::cat /tmp/tkm.log::Adding ESA \[ 1, 192.168.0.1 <-> 192.168.0.100, SPI_in.*, SPI_out.*, soft 30, hard 60 \]::YES
--- /dev/null
+connections {
+
+ host-host {
+ local_addrs = PH_IP_CAROL
+ remote_addrs = PH_IP_MOON
+
+ proposals = aes256-sha512-modp4096
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ host-host {
+ mode = transport
+ esp_proposals = aes256-sha512-modp4096
+ }
+ }
+ }
+}
--- /dev/null
+connections {
+
+ host-host {
+ local_addrs = PH_IP_DAVE
+ remote_addrs = PH_IP_MOON
+
+ proposals = aes256-sha512-modp4096
+
+ local {
+ auth = pubkey
+ certs = daveCert.pem
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ host-host {
+ mode = transport
+ esp_proposals = aes256-sha512-modp4096
+ }
+ }
+ }
+}
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon-tkm {
+ dh_mapping {
+ 15 = 1
+ 16 = 2
+ }
+ ca_mapping {
+ strongswan_ca {
+ id = 1
+ fingerprint = CA_SPK_HEX
+ }
+ levels_ca {
+ id = 2
+ fingerprint = LEVELS_SPK_HEX
+ }
+ }
+ start-scripts {
+ swanctl = /usr/local/sbin/swanctl --load-all --noprompt
+ }
+}
--- /dev/null
+<tkmconfig>
+ <local_identity id="1">
+ <identity>moon.strongswan.org</identity>
+ <certificate>moonCert.pem</certificate>
+ </local_identity>
+ <policy id="1">
+ <mode>transport</mode>
+ <local>
+ <identity_id>1</identity_id>
+ <ip>192.168.0.1</ip>
+ </local>
+ <remote>
+ <identity>carol@strongswan.org</identity>
+ <ip>192.168.0.100</ip>
+ </remote>
+ <lifetime>
+ <soft>30</soft>
+ <hard>60</hard>
+ </lifetime>
+ </policy>
+ <policy id="2">
+ <mode>transport</mode>
+ <local>
+ <identity_id>1</identity_id>
+ <ip>192.168.0.1</ip>
+ </local>
+ <remote>
+ <identity>dave@strongswan.org</identity>
+ <ip>192.168.0.200</ip>
+ </remote>
+ <lifetime>
+ <soft>30</soft>
+ <hard>60</hard>
+ </lifetime>
+ </policy>
+</tkmconfig>
--- /dev/null
+moon::service charon-tkm stop
+moon::killall tkm_keymanager
+moon::rm -f /tmp/tkm.rpc.ike /tmp/tkm.rpc.ees /tmp/tkm.log
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::rm /etc/swanctl/x509ca/*
+carol::rm /etc/swanctl/x509ca/*
--- /dev/null
+moon::rm /etc/swanctl/rsa/*
+moon::tkm_cfgtool -c /etc/tkm/tkm.conf -i /etc/swanctl/swanctl.conf -t /etc/tkm/tkm.bin -s /usr/local/share/tkm/tkmconfig.xsd
+moon::cat /etc/swanctl/swanctl.conf
+moon::tkm_keymanager -c /etc/tkm/tkm.bin -k /etc/tkm/moonKey.der -r /etc/tkm/strongswanCert.der:1,/etc/tkm/levelsCert.der:2 >/tmp/tkm.log 2>&1 &
+moon::expect-file /tmp/tkm.rpc.ike
+moon::service charon-tkm start
+carol::systemctl start strongswan
+carol::expect-connection host-host
+dave::systemctl start strongswan
+dave::expect-connection host-host
+moon::expect-connection conn1
+moon::expect-connection conn2
+carol::swanctl --initiate --child host-host 2> /dev/null
+dave::swanctl --initiate --child host-host 2> /dev/null
--- /dev/null
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="carol dave moon winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="carol dave"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="carol dave moon"
+
+# charon controlled by swanctl
+#
+SWANCTL=1