Added charon.initiator_only option which causes charon to ignore IKE initiation reque...
authorAndreas Steffen <andreas.steffen@strongswan.org>
Sun, 14 Apr 2013 17:57:49 +0000 (19:57 +0200)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Sun, 14 Apr 2013 17:57:49 +0000 (19:57 +0200)
24 files changed:
man/strongswan.conf.5.in
src/libcharon/network/receiver.c
testing/tests/ikev1/rw-initiator-only/description.txt [new file with mode: 0644]
testing/tests/ikev1/rw-initiator-only/evaltest.dat [new file with mode: 0644]
testing/tests/ikev1/rw-initiator-only/hosts/carol/etc/ipsec.conf [new file with mode: 0644]
testing/tests/ikev1/rw-initiator-only/hosts/carol/etc/strongswan.conf [new file with mode: 0644]
testing/tests/ikev1/rw-initiator-only/hosts/dave/etc/ipsec.conf [new file with mode: 0644]
testing/tests/ikev1/rw-initiator-only/hosts/dave/etc/strongswan.conf [new file with mode: 0644]
testing/tests/ikev1/rw-initiator-only/hosts/moon/etc/ipsec.conf [new file with mode: 0644]
testing/tests/ikev1/rw-initiator-only/hosts/moon/etc/strongswan.conf [new file with mode: 0644]
testing/tests/ikev1/rw-initiator-only/posttest.dat [new file with mode: 0644]
testing/tests/ikev1/rw-initiator-only/pretest.dat [new file with mode: 0644]
testing/tests/ikev1/rw-initiator-only/test.conf [new file with mode: 0644]
testing/tests/ikev2/rw-initiator-only/description.txt [new file with mode: 0644]
testing/tests/ikev2/rw-initiator-only/evaltest.dat [new file with mode: 0644]
testing/tests/ikev2/rw-initiator-only/hosts/carol/etc/ipsec.conf [new file with mode: 0644]
testing/tests/ikev2/rw-initiator-only/hosts/carol/etc/strongswan.conf [new file with mode: 0644]
testing/tests/ikev2/rw-initiator-only/hosts/dave/etc/ipsec.conf [new file with mode: 0644]
testing/tests/ikev2/rw-initiator-only/hosts/dave/etc/strongswan.conf [new file with mode: 0644]
testing/tests/ikev2/rw-initiator-only/hosts/moon/etc/ipsec.conf [new file with mode: 0644]
testing/tests/ikev2/rw-initiator-only/hosts/moon/etc/strongswan.conf [new file with mode: 0644]
testing/tests/ikev2/rw-initiator-only/posttest.dat [new file with mode: 0644]
testing/tests/ikev2/rw-initiator-only/pretest.dat [new file with mode: 0644]
testing/tests/ikev2/rw-initiator-only/test.conf [new file with mode: 0644]

index d483add..9d18659 100644 (file)
@@ -203,6 +203,9 @@ IKE_SA_INIT DROPPING).
 Limit new connections based on the number of jobs currently queued for
 processing (see IKE_SA_INIT DROPPING).
 .TP
+.BR charon.initiator_only " [no]"
+Causes charon daemon to ignore IKE initiation requests.
+.TP
 .BR charon.install_routes " [yes]"
 Install routes into a separate routing table for established IPsec tunnels
 .TP
index 6b2c2bf..2ca721a 100644 (file)
@@ -148,6 +148,12 @@ struct private_receiver_t {
         * Delay response messages?
         */
        bool receive_delay_response;
+
+       /**
+        * Endpoint is allowed to act as an initiator only
+        */
+       bool initiator_only;
+
 };
 
 /**
@@ -541,7 +547,7 @@ static job_requeue_t receive_packets(private_receiver_t *this)
        if (message->get_request(message) &&
                message->get_exchange_type(message) == IKE_SA_INIT)
        {
-               if (drop_ike_sa_init(this, message))
+               if (this->initiator_only || drop_ike_sa_init(this, message))
                {
                        message->destroy(message);
                        return JOB_REQUEUE_DIRECT;
@@ -552,7 +558,7 @@ static job_requeue_t receive_packets(private_receiver_t *this)
        {
                id = message->get_ike_sa_id(message);
                if (id->get_responder_spi(id) == 0 &&
-                       drop_ike_sa_init(this, message))
+                  (this->initiator_only || drop_ike_sa_init(this, message)))
                {
                        message->destroy(message);
                        return JOB_REQUEUE_DIRECT;
@@ -650,6 +656,8 @@ receiver_t *receiver_create()
                                "%s.receive_delay_request", TRUE, charon->name),
        this->receive_delay_response = lib->settings->get_bool(lib->settings,
                                "%s.receive_delay_response", TRUE, charon->name),
+       this->initiator_only = lib->settings->get_bool(lib->settings,
+                               "%s.initiator_only", FALSE, charon->name),
 
        this->hasher = lib->crypto->create_hasher(lib->crypto, HASH_PREFERRED);
        if (!this->hasher)
diff --git a/testing/tests/ikev1/rw-initiator-only/description.txt b/testing/tests/ikev1/rw-initiator-only/description.txt
new file mode 100644 (file)
index 0000000..4780041
--- /dev/null
@@ -0,0 +1,10 @@
+The roadwarrior <b>dave</b> tries to set up a connection to roadwarrior <b>carol</b>
+but because <b>carol</b> has set the strongswan.conf option <b>initiator_only = yes</b>
+she ignores the repeated IKE requests sent by <b>dave</b>.
+<p/>
+After the failed connection attempt by <b>dave</b>, roadwarrior <b>carol</b> sets up a
+connection to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
+Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, <b>carol</b> pings the client <b>alice</b> behind
+the gateway <b>moon</b>.
diff --git a/testing/tests/ikev1/rw-initiator-only/evaltest.dat b/testing/tests/ikev1/rw-initiator-only/evaltest.dat
new file mode 100644 (file)
index 0000000..80fd7c5
--- /dev/null
@@ -0,0 +1,8 @@
+dave::cat /var/log/daemon.log::establishing IKE_SA failed, peer not responding::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/rw-initiator-only/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/rw-initiator-only/hosts/carol/etc/ipsec.conf
new file mode 100644 (file)
index 0000000..5891439
--- /dev/null
@@ -0,0 +1,20 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+       ikelifetime=60m
+       keylife=20m
+       rekeymargin=3m
+       keyingtries=1
+       keyexchange=ikev1
+
+conn home
+       left=PH_IP_CAROL
+       leftcert=carolCert.pem
+       leftid=carol@strongswan.org
+       leftfirewall=yes
+       right=PH_IP_MOON
+       rightid=@moon.strongswan.org
+       rightsubnet=10.1.0.0/16
+       auto=add
diff --git a/testing/tests/ikev1/rw-initiator-only/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-initiator-only/hosts/carol/etc/strongswan.conf
new file mode 100644 (file)
index 0000000..dc900c4
--- /dev/null
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
+
+  initiator_only = yes
+}
diff --git a/testing/tests/ikev1/rw-initiator-only/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/rw-initiator-only/hosts/dave/etc/ipsec.conf
new file mode 100644 (file)
index 0000000..b262ecb
--- /dev/null
@@ -0,0 +1,19 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+       ikelifetime=60m
+       keylife=20m
+       rekeymargin=3m
+       keyingtries=1
+       keyexchange=ikev1
+
+conn peer
+       left=PH_IP_DAVE
+       leftcert=daveCert.pem
+       leftid=dave@strongswan.org
+       leftfirewall=yes
+       right=PH_IP_CAROL
+       rightid=carol@strongswan.org
+       auto=add
diff --git a/testing/tests/ikev1/rw-initiator-only/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/rw-initiator-only/hosts/dave/etc/strongswan.conf
new file mode 100644 (file)
index 0000000..9251921
--- /dev/null
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
+
+  retransmit_timeout = 2
+  retransmit_base = 1.5
+  retransmit_tries = 3 
+}
diff --git a/testing/tests/ikev1/rw-initiator-only/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/rw-initiator-only/hosts/moon/etc/ipsec.conf
new file mode 100644 (file)
index 0000000..4c5df88
--- /dev/null
@@ -0,0 +1,18 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+       ikelifetime=60m
+       keylife=20m
+       rekey=no
+       keyexchange=ikev1
+
+conn rw
+       left=PH_IP_MOON
+       leftcert=moonCert.pem
+       leftid=@moon.strongswan.org
+       leftsubnet=10.1.0.0/16
+       leftfirewall=yes
+       right=%any
+       auto=add
diff --git a/testing/tests/ikev1/rw-initiator-only/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-initiator-only/hosts/moon/etc/strongswan.conf
new file mode 100644 (file)
index 0000000..7f31b17
--- /dev/null
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev1/rw-initiator-only/posttest.dat b/testing/tests/ikev1/rw-initiator-only/posttest.dat
new file mode 100644 (file)
index 0000000..1865a1c
--- /dev/null
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev1/rw-initiator-only/pretest.dat b/testing/tests/ikev1/rw-initiator-only/pretest.dat
new file mode 100644 (file)
index 0000000..fc71734
--- /dev/null
@@ -0,0 +1,9 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+dave::ipsec up peer
+carol::ipsec up home
diff --git a/testing/tests/ikev1/rw-initiator-only/test.conf b/testing/tests/ikev1/rw-initiator-only/test.conf
new file mode 100644 (file)
index 0000000..f292988
--- /dev/null
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev2/rw-initiator-only/description.txt b/testing/tests/ikev2/rw-initiator-only/description.txt
new file mode 100644 (file)
index 0000000..4780041
--- /dev/null
@@ -0,0 +1,10 @@
+The roadwarrior <b>dave</b> tries to set up a connection to roadwarrior <b>carol</b>
+but because <b>carol</b> has set the strongswan.conf option <b>initiator_only = yes</b>
+she ignores the repeated IKE requests sent by <b>dave</b>.
+<p/>
+After the failed connection attempt by <b>dave</b>, roadwarrior <b>carol</b> sets up a
+connection to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
+Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, <b>carol</b> pings the client <b>alice</b> behind
+the gateway <b>moon</b>.
diff --git a/testing/tests/ikev2/rw-initiator-only/evaltest.dat b/testing/tests/ikev2/rw-initiator-only/evaltest.dat
new file mode 100644 (file)
index 0000000..80fd7c5
--- /dev/null
@@ -0,0 +1,8 @@
+dave::cat /var/log/daemon.log::establishing IKE_SA failed, peer not responding::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/rw-initiator-only/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-initiator-only/hosts/carol/etc/ipsec.conf
new file mode 100644 (file)
index 0000000..dd2ceea
--- /dev/null
@@ -0,0 +1,20 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+       ikelifetime=60m
+       keylife=20m
+       rekeymargin=3m
+       keyingtries=1
+       keyexchange=ikev2
+
+conn home
+       left=PH_IP_CAROL
+       leftcert=carolCert.pem
+       leftid=carol@strongswan.org
+       leftfirewall=yes
+       right=PH_IP_MOON
+       rightid=@moon.strongswan.org
+       rightsubnet=10.1.0.0/16
+       auto=add
diff --git a/testing/tests/ikev2/rw-initiator-only/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-initiator-only/hosts/carol/etc/strongswan.conf
new file mode 100644 (file)
index 0000000..dc900c4
--- /dev/null
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
+
+  initiator_only = yes
+}
diff --git a/testing/tests/ikev2/rw-initiator-only/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-initiator-only/hosts/dave/etc/ipsec.conf
new file mode 100644 (file)
index 0000000..b417977
--- /dev/null
@@ -0,0 +1,19 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+       ikelifetime=60m
+       keylife=20m
+       rekeymargin=3m
+       keyingtries=1
+       keyexchange=ikev2
+
+conn peer
+       left=PH_IP_DAVE
+       leftcert=daveCert.pem
+       leftid=dave@strongswan.org
+       leftfirewall=yes
+       right=PH_IP_CAROL
+       rightid=carol@strongswan.org
+       auto=add
diff --git a/testing/tests/ikev2/rw-initiator-only/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-initiator-only/hosts/dave/etc/strongswan.conf
new file mode 100644 (file)
index 0000000..9251921
--- /dev/null
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
+
+  retransmit_timeout = 2
+  retransmit_base = 1.5
+  retransmit_tries = 3 
+}
diff --git a/testing/tests/ikev2/rw-initiator-only/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-initiator-only/hosts/moon/etc/ipsec.conf
new file mode 100644 (file)
index 0000000..b82a44a
--- /dev/null
@@ -0,0 +1,18 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+       ikelifetime=60m
+       keylife=20m
+       rekey=no        
+       keyexchange=ikev2
+
+conn rw
+       left=PH_IP_MOON
+       leftcert=moonCert.pem
+       leftid=@moon.strongswan.org
+       leftsubnet=10.1.0.0/16
+       leftfirewall=yes
+       right=%any
+       auto=add
diff --git a/testing/tests/ikev2/rw-initiator-only/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-initiator-only/hosts/moon/etc/strongswan.conf
new file mode 100644 (file)
index 0000000..7f31b17
--- /dev/null
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/rw-initiator-only/posttest.dat b/testing/tests/ikev2/rw-initiator-only/posttest.dat
new file mode 100644 (file)
index 0000000..1865a1c
--- /dev/null
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/rw-initiator-only/pretest.dat b/testing/tests/ikev2/rw-initiator-only/pretest.dat
new file mode 100644 (file)
index 0000000..fc71734
--- /dev/null
@@ -0,0 +1,9 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+dave::ipsec up peer
+carol::ipsec up home
diff --git a/testing/tests/ikev2/rw-initiator-only/test.conf b/testing/tests/ikev2/rw-initiator-only/test.conf
new file mode 100644 (file)
index 0000000..f292988
--- /dev/null
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"