carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES
dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
-moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
-moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
-carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
-dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
-
+dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
--- /dev/null
+#! /bin/sh
+### BEGIN INIT INFO
+# Provides: charon
+# Required-Start: $remote_fs $syslog
+# Required-Stop: $remote_fs $syslog
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: strongSwan charon IKE daemon
+# Description: with swanctl the strongSwan charon daemon must be
+# running in the background
+### END INIT INFO
+
+# Author: Andreas Steffen <andreas.steffen@strongswa.org>
+#
+# Do NOT "set -e"
+
+# PATH should only include /usr/* if it runs after the mountnfs.sh script
+PATH=/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin
+DESC="strongSwan charon IKE daemon"
+NAME=charon
+DAEMON=/usr/local/libexec/ipsec/$NAME
+DAEMON_ARGS=""
+PIDFILE=/var/run/$NAME.pid
+SCRIPTNAME=/etc/init.d/charon
+
+export LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties
+
+# Exit if the package is not installed
+[ -x "$DAEMON" ] || exit 0
+
+# Read configuration variable file if it is present
+[ -r /etc/default/$NAME ] && . /etc/default/$NAME
+
+# Load the VERBOSE setting and other rcS variables
+. /lib/init/vars.sh
+
+# Define LSB log_* functions.
+# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
+# and status_of_proc is working.
+. /lib/lsb/init-functions
+
+#
+# Function that starts the daemon/service
+#
+do_start()
+{
+ # Return
+ # 0 if daemon has been started
+ # 1 if daemon was already running
+ # 2 if daemon could not be started
+ start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
+ || return 1
+ start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON -- \
+ $DAEMON_ARGS \
+ || return 2
+ # Add code here, if necessary, that waits for the process to be ready
+ # to handle requests from services started subsequently which depend
+ # on this one. As a last resort, sleep for some time.
+}
+
+#
+# Function that stops the daemon/service
+#
+do_stop()
+{
+ # Return
+ # 0 if daemon has been stopped
+ # 1 if daemon was already stopped
+ # 2 if daemon could not be stopped
+ # other if a failure occurred
+ start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
+ RETVAL="$?"
+ [ "$RETVAL" = 2 ] && return 2
+ # Wait for children to finish too if this is a daemon that forks
+ # and if the daemon is only ever run from this initscript.
+ # If the above conditions are not satisfied then add some other code
+ # that waits for the process to drop all resources that could be
+ # needed by services started subsequently. A last resort is to
+ # sleep for some time.
+ start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
+ [ "$?" = 2 ] && return 2
+ # Many daemons don't delete their pidfiles when they exit.
+ rm -f $PIDFILE
+ return "$RETVAL"
+}
+
+#
+# Function that sends a SIGHUP to the daemon/service
+#
+do_reload() {
+ #
+ # If the daemon can reload its configuration without
+ # restarting (for example, when it is sent a SIGHUP),
+ # then implement that here.
+ #
+ start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME
+ return 0
+}
+
+case "$1" in
+ start)
+ [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
+ do_start
+ case "$?" in
+ 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+ 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+ esac
+ ;;
+ stop)
+ [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
+ do_stop
+ case "$?" in
+ 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+ 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+ esac
+ ;;
+ status)
+ status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
+ ;;
+ #reload|force-reload)
+ #
+ # If do_reload() is not implemented then leave this commented out
+ # and leave 'force-reload' as an alias for 'restart'.
+ #
+ #log_daemon_msg "Reloading $DESC" "$NAME"
+ #do_reload
+ #log_end_msg $?
+ #;;
+ restart|force-reload)
+ #
+ # If the "reload" option is implemented then remove the
+ # 'force-reload' alias
+ #
+ log_daemon_msg "Restarting $DESC" "$NAME"
+ do_stop
+ case "$?" in
+ 0|1)
+ do_start
+ case "$?" in
+ 0) log_end_msg 0 ;;
+ 1) log_end_msg 1 ;; # Old process is still running
+ *) log_end_msg 1 ;; # Failed to start
+ esac
+ ;;
+ *)
+ # Failed to stop
+ log_end_msg 1
+ ;;
+ esac
+ ;;
+ *)
+ #echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2
+ echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
+ exit 3
+ ;;
+esac
+
+:
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- charondebug="tnc 3"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_CAROL
- leftid=carol@strongswan.org
- leftauth=eap
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightauth=any
- rightsendcert=never
- rightsubnet=10.1.0.0/16
- auto=add
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-carol@strongswan.org : EAP "Ar3etTnp"
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
multiple_authentication=no
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
+ syslog {
+ auth {
+ default = 0
+ }
+ daemon {
+ tnc = 3
+ }
+ }
plugins {
eap-tnc {
protocol = tnccs-1.1
}
}
}
+
+libtls {
+ suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+}
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap-ttls
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = eap-ttls
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-modp3072
+ }
+}
+
+secrets {
+
+ eap {
+ id = carol@strongswan.org
+ secret = "Ar3etTnp"
+ }
+}
--- /dev/null
+#! /bin/sh
+### BEGIN INIT INFO
+# Provides: charon
+# Required-Start: $remote_fs $syslog
+# Required-Stop: $remote_fs $syslog
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: strongSwan charon IKE daemon
+# Description: with swanctl the strongSwan charon daemon must be
+# running in the background
+### END INIT INFO
+
+# Author: Andreas Steffen <andreas.steffen@strongswa.org>
+#
+# Do NOT "set -e"
+
+# PATH should only include /usr/* if it runs after the mountnfs.sh script
+PATH=/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin
+DESC="strongSwan charon IKE daemon"
+NAME=charon
+DAEMON=/usr/local/libexec/ipsec/$NAME
+DAEMON_ARGS=""
+PIDFILE=/var/run/$NAME.pid
+SCRIPTNAME=/etc/init.d/charon
+
+export LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties
+
+# Exit if the package is not installed
+[ -x "$DAEMON" ] || exit 0
+
+# Read configuration variable file if it is present
+[ -r /etc/default/$NAME ] && . /etc/default/$NAME
+
+# Load the VERBOSE setting and other rcS variables
+. /lib/init/vars.sh
+
+# Define LSB log_* functions.
+# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
+# and status_of_proc is working.
+. /lib/lsb/init-functions
+
+#
+# Function that starts the daemon/service
+#
+do_start()
+{
+ # Return
+ # 0 if daemon has been started
+ # 1 if daemon was already running
+ # 2 if daemon could not be started
+ start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
+ || return 1
+ start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON -- \
+ $DAEMON_ARGS \
+ || return 2
+ # Add code here, if necessary, that waits for the process to be ready
+ # to handle requests from services started subsequently which depend
+ # on this one. As a last resort, sleep for some time.
+}
+
+#
+# Function that stops the daemon/service
+#
+do_stop()
+{
+ # Return
+ # 0 if daemon has been stopped
+ # 1 if daemon was already stopped
+ # 2 if daemon could not be stopped
+ # other if a failure occurred
+ start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
+ RETVAL="$?"
+ [ "$RETVAL" = 2 ] && return 2
+ # Wait for children to finish too if this is a daemon that forks
+ # and if the daemon is only ever run from this initscript.
+ # If the above conditions are not satisfied then add some other code
+ # that waits for the process to drop all resources that could be
+ # needed by services started subsequently. A last resort is to
+ # sleep for some time.
+ start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
+ [ "$?" = 2 ] && return 2
+ # Many daemons don't delete their pidfiles when they exit.
+ rm -f $PIDFILE
+ return "$RETVAL"
+}
+
+#
+# Function that sends a SIGHUP to the daemon/service
+#
+do_reload() {
+ #
+ # If the daemon can reload its configuration without
+ # restarting (for example, when it is sent a SIGHUP),
+ # then implement that here.
+ #
+ start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME
+ return 0
+}
+
+case "$1" in
+ start)
+ [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
+ do_start
+ case "$?" in
+ 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+ 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+ esac
+ ;;
+ stop)
+ [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
+ do_stop
+ case "$?" in
+ 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+ 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+ esac
+ ;;
+ status)
+ status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
+ ;;
+ #reload|force-reload)
+ #
+ # If do_reload() is not implemented then leave this commented out
+ # and leave 'force-reload' as an alias for 'restart'.
+ #
+ #log_daemon_msg "Reloading $DESC" "$NAME"
+ #do_reload
+ #log_end_msg $?
+ #;;
+ restart|force-reload)
+ #
+ # If the "reload" option is implemented then remove the
+ # 'force-reload' alias
+ #
+ log_daemon_msg "Restarting $DESC" "$NAME"
+ do_stop
+ case "$?" in
+ 0|1)
+ do_start
+ case "$?" in
+ 0) log_end_msg 0 ;;
+ 1) log_end_msg 1 ;; # Old process is still running
+ *) log_end_msg 1 ;; # Failed to start
+ esac
+ ;;
+ *)
+ # Failed to stop
+ log_end_msg 1
+ ;;
+ esac
+ ;;
+ *)
+ #echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2
+ echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
+ exit 3
+ ;;
+esac
+
+:
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- charondebug="tnc 3"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_DAVE
- leftid=dave@strongswan.org
- leftauth=eap
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightauth=any
- rightsendcert=never
- rightsubnet=10.1.0.0/16
- auto=add
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-dave@strongswan.org : EAP "W7R0g3do"
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
multiple_authentication=no
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
+ syslog {
+ auth {
+ default = 0
+ }
+ daemon {
+ tnc = 3
+ }
+ }
plugins {
eap-tnc {
protocol = tnccs-1.1
}
}
}
+
+libtls {
+ suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+}
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap-ttls
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = eap-ttls
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-modp3072
+ }
+}
+
+secrets {
+
+ eap {
+ id = dave@strongswan.org
+ secret = "W7R0g3do"
+ }
+}
--- /dev/null
+#! /bin/sh
+### BEGIN INIT INFO
+# Provides: charon
+# Required-Start: $remote_fs $syslog
+# Required-Stop: $remote_fs $syslog
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: strongSwan charon IKE daemon
+# Description: with swanctl the strongSwan charon daemon must be
+# running in the background
+### END INIT INFO
+
+# Author: Andreas Steffen <andreas.steffen@strongswa.org>
+#
+# Do NOT "set -e"
+
+# PATH should only include /usr/* if it runs after the mountnfs.sh script
+PATH=/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin
+DESC="strongSwan charon IKE daemon"
+NAME=charon
+DAEMON=/usr/local/libexec/ipsec/$NAME
+DAEMON_ARGS=""
+PIDFILE=/var/run/$NAME.pid
+SCRIPTNAME=/etc/init.d/charon
+
+export LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties
+
+# Exit if the package is not installed
+[ -x "$DAEMON" ] || exit 0
+
+# Read configuration variable file if it is present
+[ -r /etc/default/$NAME ] && . /etc/default/$NAME
+
+# Load the VERBOSE setting and other rcS variables
+. /lib/init/vars.sh
+
+# Define LSB log_* functions.
+# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
+# and status_of_proc is working.
+. /lib/lsb/init-functions
+
+#
+# Function that starts the daemon/service
+#
+do_start()
+{
+ # Return
+ # 0 if daemon has been started
+ # 1 if daemon was already running
+ # 2 if daemon could not be started
+ start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
+ || return 1
+ start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON -- \
+ $DAEMON_ARGS \
+ || return 2
+ # Add code here, if necessary, that waits for the process to be ready
+ # to handle requests from services started subsequently which depend
+ # on this one. As a last resort, sleep for some time.
+}
+
+#
+# Function that stops the daemon/service
+#
+do_stop()
+{
+ # Return
+ # 0 if daemon has been stopped
+ # 1 if daemon was already stopped
+ # 2 if daemon could not be stopped
+ # other if a failure occurred
+ start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
+ RETVAL="$?"
+ [ "$RETVAL" = 2 ] && return 2
+ # Wait for children to finish too if this is a daemon that forks
+ # and if the daemon is only ever run from this initscript.
+ # If the above conditions are not satisfied then add some other code
+ # that waits for the process to drop all resources that could be
+ # needed by services started subsequently. A last resort is to
+ # sleep for some time.
+ start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
+ [ "$?" = 2 ] && return 2
+ # Many daemons don't delete their pidfiles when they exit.
+ rm -f $PIDFILE
+ return "$RETVAL"
+}
+
+#
+# Function that sends a SIGHUP to the daemon/service
+#
+do_reload() {
+ #
+ # If the daemon can reload its configuration without
+ # restarting (for example, when it is sent a SIGHUP),
+ # then implement that here.
+ #
+ start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME
+ return 0
+}
+
+case "$1" in
+ start)
+ [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
+ do_start
+ case "$?" in
+ 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+ 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+ esac
+ ;;
+ stop)
+ [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
+ do_stop
+ case "$?" in
+ 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+ 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+ esac
+ ;;
+ status)
+ status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
+ ;;
+ #reload|force-reload)
+ #
+ # If do_reload() is not implemented then leave this commented out
+ # and leave 'force-reload' as an alias for 'restart'.
+ #
+ #log_daemon_msg "Reloading $DESC" "$NAME"
+ #do_reload
+ #log_end_msg $?
+ #;;
+ restart|force-reload)
+ #
+ # If the "reload" option is implemented then remove the
+ # 'force-reload' alias
+ #
+ log_daemon_msg "Restarting $DESC" "$NAME"
+ do_stop
+ case "$?" in
+ 0|1)
+ do_start
+ case "$?" in
+ 0) log_end_msg 0 ;;
+ 1) log_end_msg 1 ;; # Old process is still running
+ *) log_end_msg 1 ;; # Failed to start
+ esac
+ ;;
+ *)
+ # Failed to stop
+ log_end_msg 1
+ ;;
+ esac
+ ;;
+ *)
+ #echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2
+ echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
+ exit 3
+ ;;
+esac
+
+:
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- charondebug="tnc 3"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn rw-allow
- rightgroups=allow
- leftsubnet=10.1.0.0/28
- also=rw-eap
- auto=add
-
-conn rw-isolate
- rightgroups=isolate
- leftsubnet=10.1.0.16/28
- also=rw-eap
- auto=add
-
-conn rw-eap
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftauth=eap-ttls
- leftfirewall=yes
- rightauth=eap-ttls
- rightid=*@strongswan.org
- rightsendcert=never
- right=%any
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
-
-carol@strongswan.org : EAP "Ar3etTnp"
-dave@strongswan.org : EAP "W7R0g3do"
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-11 tnc-imv updown
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-11 tnc-imv updown
multiple_authentication = no
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
+ syslog {
+ auth {
+ default = 0
+ }
+ daemon {
+ tnc = 3
+ }
+ }
plugins {
eap-ttls {
phase2_method = md5
}
}
}
+
+libtls {
+ suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+}
--- /dev/null
+connections {
+
+ rw-allow {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = eap-ttls
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = eap-ttls
+ id = *@strongswan.org
+ groups = allow
+ }
+ children {
+ rw-allow {
+ local_ts = 10.1.0.0/28
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-modp3072
+ }
+
+ rw-isolate {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = eap-ttls
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = eap-ttls
+ id = *@strongswan.org
+ groups = isolate
+ }
+ children {
+ rw-isolate {
+ local_ts = 10.1.0.16/28
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-modp3072
+ }
+}
+
+secrets {
+
+ eap-carol {
+ id = carol@strongswan.org
+ secret = "Ar3etTnp"
+ }
+ eap-dave {
+ id = dave@strongswan.org
+ secret = "W7R0g3do"
+ }
+}
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::service charon stop
+dave::service charon stop
+moon::service charon stop
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
dave::iptables-restore < /etc/iptables.flush
dave::cat /etc/tnc_config
carol::cat /etc/tnc/dummyimc.file
dave::cat /etc/tnc/dummyimc.file
-moon::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start
-carol::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start
-dave::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start
+carol::rm /etc/swanctl/rsa/*
+dave::rm /etc/swanctl/rsa/*
+carol::rm /etc/swanctl/x509/*
+dave::rm /etc/swanctl/x509/*
+moon::service charon start
+carol::service charon start
+dave::service charon start
moon::expect-connection rw-allow
carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
# Guest instances on which FreeRadius is started
#
RADIUSHOSTS=
-
+# charon controlled by swanctl
+#
+SWANCTL=1
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
-carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/16::YES
dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*none::YES
dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
-dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.0/16::NO
moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES
moon:: cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home::NO
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw::NO
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
-dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
-
+dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
}
post-auth {
+ if (control:TNC-Status == "Access") {
+ update reply {
+ Tunnel-Type := ESP
+ Filter-Id := "allow"
+ }
+ }
+ elsif (control:TNC-Status == "Isolate") {
+ update reply {
+ Tunnel-Type := ESP
+ Filter-Id := "isolate"
+ }
+ }
+
Post-Auth-Type REJECT {
attr_filter.access_reject
}
# /etc/strongswan.conf - strongSwan configuration file
libimcv {
- debug_level = 3
+ load = random nonce sha1 sha2 md5 gmp pubkey x509
+ debug_level = 3
assessment_result = no
plugins {
- imv-scanner {
- closed_port_policy = no
- tcp_ports = 80 443
- }
+ imv-test {
+ rounds = 1
+ }
}
}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- charondebug="tnc 3, imc 3"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_CAROL
- leftid=carol@strongswan.org
- leftauth=eap
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- rightauth=pubkey
- aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
- auto=add
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-carol@strongswan.org : EAP "Ar3etTnp"
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
multiple_authentication=no
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
+ syslog {
+ auth {
+ default = 0
+ }
+ daemon {
+ tnc = 3
+ imc = 3
+ }
+ }
plugins {
eap-tnc {
protocol = tnccs-1.1
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap
+ aaa_id = aaa.strongswan.org
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-modp3072
+ }
+}
+
+secrets {
+
+ eap {
+ id = carol@strongswan.org
+ secret = "Ar3etTnp"
+ }
+}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- charondebug="tnc 3, imc 3"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_DAVE
- leftid=dave@strongswan.org
- leftauth=eap
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- rightauth=pubkey
- aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
- auto=add
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-dave@strongswan.org : EAP "W7R0g3do"
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+ load = random nonce aes sha1 sha2 md5 gmp hmac pem pkcs1 x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
multiple_authentication=no
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
+ syslog {
+ auth {
+ default = 0
+ }
+ daemon {
+ tnc = 3
+ imc = 3
+ }
+ }
plugins {
eap-tnc {
protocol = tnccs-1.1
libimcv {
plugins {
+ imc-test {
+ command = none
+ }
imc-scanner {
push_info = no
}
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap
+ aaa_id = aaa.strongswan.org
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-modp3072
+ }
+}
+
+secrets {
+
+ eap {
+ id = dave@strongswan.org
+ secret = "W7R0g3do"
+ }
+}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn rw-eap
- left=PH_IP_MOON
- leftsubnet=10.1.0.0/16
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftauth=pubkey
- leftfirewall=yes
- rightauth=eap-radius
- rightid=*@strongswan.org
- rightsendcert=never
- right=%any
- auto=add
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-radius updown
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-radius updown
+
multiple_authentication=no
+
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
plugins {
eap-radius {
secret = gv6URkSs
- server = PH_IP_ALICE
+ server = 10.1.0.10
+ filter_id = yes
}
}
}
--- /dev/null
+connections {
+
+ rw {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ id = moon.strongswan.org
+ certs = moonCert.pem
+ }
+ remote {
+ auth = eap-radius
+ id = *@strongswan.org
+ }
+ children {
+ rw {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-modp3072
+ }
+}
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::service charon stop
+dave::service charon stop
+moon::service charon stop
alice::killall radiusd
alice::rm /etc/freeradius/sites-enabled/inner-tunnel-second
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
dave::iptables-restore < /etc/iptables.flush
-dave::/etc/init.d/apache2 stop 2> /dev/null
moon::iptables-restore < /etc/iptables.rules
carol::iptables-restore < /etc/iptables.rules
dave::iptables-restore < /etc/iptables.rules
-dave::/etc/init.d/apache2 start 2> /dev/null
alice::ln -s /etc/freeradius/sites-available/inner-tunnel-second /etc/freeradius/sites-enabled/inner-tunnel-second
alice::cat /etc/freeradius/sites-enabled/inner-tunnel-second
alice::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties radiusd
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+alice::cat /etc/tnc_config
+carol::cat /etc/tnc_config
+dave::cat /etc/tnc_config
+carol::rm /etc/swanctl/rsa/*
+dave::rm /etc/swanctl/rsa/*
+carol::rm /etc/swanctl/x509/*
+dave::rm /etc/swanctl/x509/*
+moon::service charon start
+carol::service charon start
+dave::service charon start
carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home
dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home
# All guest instances that are required for this test
#
-VIRTHOSTS="alice moon carol winnetou dave"
+VIRTHOSTS="alice venus moon carol winnetou dave"
# Corresponding block diagram
#
-DIAGRAM="a-m-c-w-d.png"
+DIAGRAM="a-v-m-c-w-d.png"
# Guest instances on which tcpdump is to be started
#
#
RADIUSHOSTS="alice"
+# charon controlled by swanctl
+#
+SWANCTL=1
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
-carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES
dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
-dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'allow'::YES
moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'isolate'::YES
moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
-moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
-moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
-carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
-dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
-
+dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- charondebug="tnc 3, imc 3"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_CAROL
- leftid=carol@strongswan.org
- leftauth=eap
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- rightauth=pubkey
- aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
- auto=add
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-carol@strongswan.org : EAP "Ar3etTnp"
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = openssl curl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+ load = random nonce openssl pem pkcs1 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
multiple_authentication=no
- plugins {
- eap-tnc {
- protocol = tnccs-1.1
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
+ syslog {
+ auth {
+ default = 0
+ }
+ daemon {
+ tnc = 3
+ imc = 3
}
}
-}
-
-libimcv {
plugins {
- imc-test {
- command = allow
+ eap-tnc {
+ protocol = tnccs-1.1
}
}
}
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap
+ aaa_id = aaa.strongswan.org
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-ecp256
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-ecp256
+ }
+}
+
+secrets {
+
+ eap {
+ id = carol@strongswan.org
+ secret = "Ar3etTnp"
+ }
+}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- charondebug="tnc 3, imc 3"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_DAVE
- leftid=dave@strongswan.org
- leftauth=eap
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- rightauth=pubkey
- aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
- auto=add
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-dave@strongswan.org : EAP "W7R0g3do"
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = openssl curl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+ load = random nonce openssl pem pkcs1 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
multiple_authentication=no
-
retransmit_tries = 5
- plugins {
- eap-tnc {
- protocol = tnccs-1.1
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
+ syslog {
+ auth {
+ default = 0
+ }
+ daemon {
+ tnc = 3
+ imc = 3
}
}
-}
-
-libimcv {
plugins {
- imc-test {
- command = allow
- }
- imc-scanner {
- push_info = no
+ eap-tnc {
+ protocol = tnccs-1.1
}
}
}
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap
+ aaa_id = aaa.strongswan.org
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-ecp256
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-ecp256
+ }
+}
+
+secrets {
+
+ eap {
+ id = dave@strongswan.org
+ secret = "W7R0g3do"
+ }
+}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn rw-allow
- rightgroups=allow
- leftsubnet=10.1.0.0/28
- also=rw-eap
- auto=add
-
-conn rw-isolate
- rightgroups=isolate
- leftsubnet=10.1.0.16/28
- also=rw-eap
- auto=add
-
-conn rw-eap
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftauth=pubkey
- leftfirewall=yes
- rightauth=eap-radius
- rightid=*@strongswan.org
- rightsendcert=never
- right=%any
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-radius updown
+ load = random nonce openssl pem pkcs1 x509 revocation curl vici kernel-netlink socket-default eap-radius updown
+
multiple_authentication=no
+
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
plugins {
eap-radius {
secret = gv6URkSs
- server = PH_IP_ALICE
+ server = 10.1.0.10
filter_id = yes
}
}
--- /dev/null
+connections {
+
+ rw-allow {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ id = moon.strongswan.org
+ certs = moonCert.pem
+ }
+ remote {
+ auth = eap-radius
+ id = *@strongswan.org
+ groups = allow
+ }
+ children {
+ rw-allow {
+ local_ts = 10.1.0.0/28
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-ecp256
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-ecp256
+ }
+
+ rw-isolate {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = eap-radius
+ id = *@strongswan.org
+ groups = isolate
+ }
+ children {
+ rw-isolate {
+ local_ts = 10.1.0.16/28
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-ecp256
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-ecp256
+ }
+}
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::service charon stop
+dave::service charon stop
+moon::service charon stop
alice::killall radiusd
alice::rm /etc/freeradius/sites-enabled/inner-tunnel-second
carol::echo 1 > /proc/sys/net/ipv4/ip_forward
alice::cat /etc/tnc_config
carol::cat /etc/tnc_config
dave::cat /etc/tnc_config
-moon::ipsec start
-dave::ipsec start
-carol::ipsec start
-dave::expect-connection home
-dave::ipsec up home
+carol::rm /etc/swanctl/rsa/*
+dave::rm /etc/swanctl/rsa/*
+carol::rm /etc/swanctl/x509/*
+dave::rm /etc/swanctl/x509/*
+moon::service charon start
+carol::service charon start
+dave::service charon start
carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home
+dave::expect-connection home
+dave::swanctl --initiate --child home
alice::ipsec attest --sessions
alice::ipsec attest --devices
# Guest instances on which databases are used
#
DBHOSTS="alice"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
-carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES
dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
-dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'allow'::YES
moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'isolate'::YES
moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
-moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
-moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
-carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
-dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
-
+dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
# /etc/strongswan.conf - strongSwan configuration file
libimcv {
+ load = random nonce sha1 sha2 md5 gmp pubkey x509
debug_level = 3
assessment_result = no
plugins {
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- charondebug="tnc 3, imc 3"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_CAROL
- leftid=carol@strongswan.org
- leftauth=eap
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- rightauth=pubkey
- aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
- auto=add
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-carol@strongswan.org : EAP "Ar3etTnp"
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
multiple_authentication=no
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
+ syslog {
+ auth {
+ default = 0
+ }
+ daemon {
+ tnc = 3
+ imc = 3
+ }
+ }
plugins {
eap-tnc {
protocol = tnccs-1.1
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap
+ aaa_id = aaa.strongswan.org
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-modp3072
+ }
+}
+
+secrets {
+
+ eap {
+ id = carol@strongswan.org
+ secret = "Ar3etTnp"
+ }
+}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- charondebug="tnc 3, imc 3"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_DAVE
- leftid=dave@strongswan.org
- leftauth=eap
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- rightauth=pubkey
- aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
- auto=add
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-dave@strongswan.org : EAP "W7R0g3do"
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+ load = random nonce aes sha1 sha2 md5 gmp hmac pem pkcs1 x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
multiple_authentication=no
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
+ syslog {
+ auth {
+ default = 0
+ }
+ daemon {
+ tnc = 3
+ imc = 3
+ }
+ }
plugins {
eap-tnc {
protocol = tnccs-1.1
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap
+ aaa_id = aaa.strongswan.org
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-modp3072
+ }
+}
+
+secrets {
+
+ eap {
+ id = dave@strongswan.org
+ secret = "W7R0g3do"
+ }
+}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn rw-allow
- rightgroups=allow
- leftsubnet=10.1.0.0/28
- also=rw-eap
- auto=add
-
-conn rw-isolate
- rightgroups=isolate
- leftsubnet=10.1.0.16/28
- also=rw-eap
- auto=add
-
-conn rw-eap
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftauth=pubkey
- leftfirewall=yes
- rightauth=eap-radius
- rightid=*@strongswan.org
- rightsendcert=never
- right=%any
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-radius updown
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-radius updown
+
multiple_authentication=no
+
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
plugins {
eap-radius {
secret = gv6URkSs
- server = PH_IP_ALICE
+ server = 10.1.0.10
filter_id = yes
}
}
--- /dev/null
+connections {
+
+ rw-allow {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ id = moon.strongswan.org
+ certs = moonCert.pem
+ }
+ remote {
+ auth = eap-radius
+ id = *@strongswan.org
+ groups = allow
+ }
+ children {
+ rw-allow {
+ local_ts = 10.1.0.0/28
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-modp3072
+ }
+
+ rw-isolate {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = eap-radius
+ id = *@strongswan.org
+ groups = isolate
+ }
+ children {
+ rw-isolate {
+ local_ts = 10.1.0.16/28
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-modp3072
+ }
+}
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::service charon stop
+dave::service charon stop
+moon::service charon stop
alice::killall radiusd
alice::rm /etc/freeradius/sites-enabled/inner-tunnel-second
moon::iptables-restore < /etc/iptables.flush
alice::cat /etc/tnc_config
carol::cat /etc/tnc_config
dave::cat /etc/tnc_config
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+carol::rm /etc/swanctl/rsa/*
+dave::rm /etc/swanctl/rsa/*
+carol::rm /etc/swanctl/x509/*
+dave::rm /etc/swanctl/x509/*
+moon::service charon start
+carol::service charon start
+dave::service charon start
carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home
dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home
#
RADIUSHOSTS="alice"
+# charon controlled by swanctl
+#
+SWANCTL=1
# /etc/strongswan.conf - strongSwan configuration file
libimcv {
+ load = random nonce sha1 sha2 md5 gmp pubkey x509
debug_level = 3
assessment_result = no
plugins {
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
# /etc/strongswan.conf - strongSwan configuration file
libimcv {
+ load = random nonce sha1 sha2 md5 gmp pubkey x509
debug_level = 3
plugins {
imc-test {
--- /dev/null
+# The strongSwan IMCs are loaded by the WPA supplicant
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
# /etc/strongswan.conf - strongSwan configuration file
libimcv {
+ load = random nonce sha1 sha2 md5 gmp pubkey x509
debug_level = 3
plugins {
imc-test {
--- /dev/null
+# The strongSwan IMCs are loaded by the WPA supplicant
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn rw-allow
- rightgroups=allow
- leftsubnet=10.1.0.0/28
- also=rw-eap
- auto=add
-
-conn rw-isolate
- rightgroups=isolate
- leftsubnet=10.1.0.16/28
- also=rw-eap
- auto=add
-
-conn rw-eap
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftauth=pubkey
- leftfirewall=yes
- rightauth=eap-radius
- rightid=*@strongswan.org
- rightsendcert=never
- right=%any
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
+++ /dev/null
-*filter
-
-# default policy is DROP
--P INPUT DROP
--P OUTPUT DROP
--P FORWARD DROP
-
-# allow esp
--A INPUT -i eth0 -p 50 -j ACCEPT
--A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-# allow IKE
--A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
--A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-# allow MobIKE
--A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
--A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-# allow ssh
--A INPUT -p tcp --dport 22 -j ACCEPT
--A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-# allow crl fetch from winnetou
--A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
--A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-# allow RADIUS protocol with alice
--A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
--A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
-
-COMMIT
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-radius updown
- multiple_authentication=no
- plugins {
- eap-radius {
- secret = gv6URkSs
- server = PH_IP_ALICE
- filter_id = yes
- }
- }
-}
# Guest instances on which tcpdump is to be started
#
-TCPDUMPHOSTS="moon"
+TCPDUMPHOSTS=
# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
-IPSECHOSTS="moon carol dave"
+IPSECHOSTS="carol dave"
# Guest instances on which FreeRadius is started
#
RADIUSHOSTS="alice"
+# charon controlled by swanctl
+#
+SWANCTL=1
carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES
dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
-moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
-moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
-carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
-dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
-
+dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- charondebug="tnc 3, imc 3"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_CAROL
- leftid=carol@strongswan.org
- leftauth=eap
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightauth=any
- rightsendcert=never
- rightsubnet=10.1.0.0/16
- auto=add
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-carol@strongswan.org : EAP "Ar3etTnp"
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
multiple_authentication=no
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
+ syslog {
+ auth {
+ default = 0
+ }
+ daemon {
+ tnc = 3
+ imc = 3
+ }
+ }
plugins {
eap-tnc {
protocol = tnccs-1.1
}
}
+libtls {
+ suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+}
+
libimcv {
plugins {
imc-test {
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap-ttls
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = eap-ttls
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-modp3072
+ }
+}
+
+secrets {
+
+ eap {
+ id = carol@strongswan.org
+ secret = "Ar3etTnp"
+ }
+}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- charondebug="tnc 3, imc 3"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_DAVE
- leftid=dave@strongswan.org
- leftauth=eap
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightauth=any
- rightsendcert=never
- rightsubnet=10.1.0.0/16
- auto=add
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-dave@strongswan.org : EAP "W7R0g3do"
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+ load = random nonce aes sha1 sha2 md5 gmp hmac pem pkcs1 x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
multiple_authentication=no
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
+ syslog {
+ auth {
+ default = 0
+ }
+ daemon {
+ tnc = 3
+ imc = 3
+ }
+ }
plugins {
eap-tnc {
protocol = tnccs-1.1
}
}
+libtls {
+ suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+}
+
libimcv {
plugins {
imc-test {
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap-ttls
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = eap-ttls
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-modp3072
+ }
+}
+
+secrets {
+
+ eap {
+ id = dave@strongswan.org
+ secret = "W7R0g3do"
+ }
+}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- charondebug="tnc 3, imv 3"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn rw-allow
- rightgroups=allow
- leftsubnet=10.1.0.0/28
- also=rw-eap
- auto=add
-
-conn rw-isolate
- rightgroups=isolate
- leftsubnet=10.1.0.16/28
- also=rw-eap
- auto=add
-
-conn rw-eap
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftauth=eap-ttls
- leftfirewall=yes
- rightauth=eap-ttls
- rightid=*@strongswan.org
- rightsendcert=never
- right=%any
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
-
-carol@strongswan.org : EAP "Ar3etTnp"
-dave@strongswan.org : EAP "W7R0g3do"
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-11 tnc-imv updown
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-11 tnc-imv updown
multiple_authentication = no
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
+ syslog {
+ auth {
+ default = 0
+ }
+ daemon {
+ tnc = 3
+ imv = 3
+ }
+ }
plugins {
eap-ttls {
phase2_method = md5
}
}
+libtls {
+ suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+}
+
libimcv {
plugins {
imv-test {
--- /dev/null
+connections {
+
+ rw-allow {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = eap-ttls
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = eap-ttls
+ id = *@strongswan.org
+ groups = allow
+ }
+ children {
+ rw-allow {
+ local_ts = 10.1.0.0/28
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-modp3072
+ }
+
+ rw-isolate {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = eap-ttls
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = eap-ttls
+ id = *@strongswan.org
+ groups = isolate
+ }
+ children {
+ rw-isolate {
+ local_ts = 10.1.0.16/28
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-modp3072
+ }
+}
+
+secrets {
+
+ eap-carol {
+ id = carol@strongswan.org
+ secret = "Ar3etTnp"
+ }
+ eap-dave {
+ id = dave@strongswan.org
+ secret = "W7R0g3do"
+ }
+}
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::service charon stop
+dave::service charon stop
+moon::service charon stop
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
dave::iptables-restore < /etc/iptables.flush
moon::cat /etc/tnc_config
carol::cat /etc/tnc_config
dave::cat /etc/tnc_config
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+carol::rm /etc/swanctl/rsa/*
+dave::rm /etc/swanctl/rsa/*
+carol::rm /etc/swanctl/x509/*
+dave::rm /etc/swanctl/x509/*
+moon::service charon start
+carol::service charon start
+dave::service charon start
carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
#
RADIUSHOSTS=
+# charon controlled by swanctl
+#
+SWANCTL=1
+
carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES
carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/16::YES
dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Denied'::YES
dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
-dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.0/16::NO
moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
moon:: cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home::NO
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw::NO
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
-dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
+dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- charondebug="tnc 3, imc 3"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_CAROL
- leftid=carol@strongswan.org
- leftauth=eap
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightauth=any
- rightsendcert=never
- rightsubnet=10.1.0.0/16
- auto=add
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-carol@strongswan.org : EAP "Ar3etTnp"
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
multiple_authentication = no
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
+ syslog {
+ auth {
+ default = 0
+ }
+ daemon {
+ tnc = 3
+ imc = 3
+ }
+ }
plugins {
tnc-imc {
preferred_language = de, en
}
}
+libtls {
+ suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+}
+
libimcv {
plugins {
imc-test {
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap-ttls
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = eap-ttls
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-modp3072
+ }
+}
+
+secrets {
+
+ eap {
+ id = carol@strongswan.org
+ secret = "Ar3etTnp"
+ }
+}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- charondebug="tnc 3, imc 3"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_DAVE
- leftid=dave@strongswan.org
- leftauth=eap
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightauth=any
- rightsendcert=never
- rightsubnet=10.1.0.0/16
- auto=add
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-dave@strongswan.org : EAP "W7R0g3do"
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
multiple_authentication=no
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
+ syslog {
+ auth {
+ default = 0
+ }
+ daemon {
+ tnc = 3
+ imc = 3
+ }
+ }
plugins {
tnc-imc {
preferred_language = ru, fr, en
}
}
+libtls {
+ suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+}
+
libimcv {
plugins {
imc-scanner {
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap-ttls
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = eap-ttls
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-modp3072
+ }
+}
+
+secrets {
+
+ eap {
+ id = dave@strongswan.org
+ secret = "W7R0g3do"
+ }
+}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- charondebug="tnc 3, imv 3"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn rw-eap
- left=PH_IP_MOON
- leftsubnet=10.1.0.0/16
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftauth=eap-ttls
- leftfirewall=yes
- rightauth=eap-ttls
- rightid=*@strongswan.org
- rightsendcert=never
- right=%any
- auto=add
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
-
-carol@strongswan.org : EAP "Ar3etTnp"
-dave@strongswan.org : EAP "W7R0g3do"
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 tnc-imv updown
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 tnc-imv updown
multiple_authentication = no
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
+ syslog {
+ auth {
+ default = 0
+ }
+ daemon {
+ tnc = 3
+ imv = 3
+ }
+ }
plugins {
eap-ttls {
phase2_method = md5
}
}
-libimcv {
- plugins {
- imv-scanner {
- closed_port_policy = yes
- tcp_ports = 22
- udp_ports = 500 4500
- }
- }
+libtls {
+ suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
}
--- /dev/null
+connections {
+
+ rw {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = eap-ttls
+ id = moon.strongswan.org
+ certs = moonCert.pem
+ }
+ remote {
+ auth = eap-ttls
+ id = *@strongswan.org
+ }
+ children {
+ rw {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-modp3072
+ }
+}
+
+secrets {
+
+ eap-carol {
+ id = carol@strongswan.org
+ secret = "Ar3etTnp"
+ }
+ eap-dave {
+ id = dave@strongswan.org
+ secret = "W7R0g3do"
+ }
+}
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::service charon stop
+dave::service charon stop
+moon::service charon stop
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
dave::iptables-restore < /etc/iptables.flush
-dave::/etc/init.d/apache2 stop 2> /dev/null
moon::iptables-restore < /etc/iptables.rules
carol::iptables-restore < /etc/iptables.rules
dave::iptables-restore < /etc/iptables.rules
-dave::/etc/init.d/apache2 start 2> /dev/null
moon::cat /etc/tnc_config
carol::cat /etc/tnc_config
dave::cat /etc/tnc_config
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+carol::rm /etc/swanctl/rsa/*
+dave::rm /etc/swanctl/rsa/*
+carol::rm /etc/swanctl/x509/*
+dave::rm /etc/swanctl/x509/*
+moon::service charon start
+carol::service charon start
+dave::service charon start
carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
#
RADIUSHOSTS=
+# charon controlled by swanctl
+#
+SWANCTL=1
carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES
carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
-moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
-moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
-carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
-dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
-
+dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- charondebug="tnc 3, imc 2"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_CAROL
- leftid=carol@strongswan.org
- leftauth=eap
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightauth=any
- rightsendcert=never
- rightsubnet=10.1.0.0/16
- auto=add
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-carol@strongswan.org : EAP "Ar3etTnp"
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
multiple_authentication = no
+
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
+ syslog {
+ auth {
+ default = 0
+ }
+ daemon {
+ tnc = 3
+ imc = 2
+ }
+ }
+}
+
+libtls {
+ suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
}
libimcv {
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap-ttls
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = eap-ttls
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-modp3072
+ }
+}
+
+secrets {
+
+ eap {
+ id = carol@strongswan.org
+ secret = "Ar3etTnp"
+ }
+}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- charondebug="tnc 3, imc 2"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_DAVE
- leftid=dave@strongswan.org
- leftauth=eap
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightauth=any
- rightsendcert=never
- rightsubnet=10.1.0.0/16
- auto=add
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-dave@strongswan.org : EAP "W7R0g3do"
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
multiple_authentication = no
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
+ syslog {
+ auth {
+ default = 0
+ }
+ daemon {
+ tnc = 3
+ imc = 2
+ }
+ }
plugins {
tnc-imc {
preferred_language = ru , de, en
}
}
+libtls {
+ suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+}
+
libimcv {
plugins {
imc-test {
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap-ttls
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = eap-ttls
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-modp3072
+ }
+}
+
+secrets {
+
+ eap {
+ id = dave@strongswan.org
+ secret = "W7R0g3do"
+ }
+}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- charondebug="tnc 3, imv 2"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn rw-allow
- rightgroups=allow
- leftsubnet=10.1.0.0/28
- also=rw-eap
- auto=add
-
-conn rw-isolate
- rightgroups=isolate
- leftsubnet=10.1.0.16/28
- also=rw-eap
- auto=add
-
-conn rw-eap
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftauth=eap-ttls
- leftfirewall=yes
- rightauth=eap-ttls
- rightid=*@strongswan.org
- rightsendcert=never
- right=%any
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
-
-carol@strongswan.org : EAP "Ar3etTnp"
-dave@strongswan.org : EAP "W7R0g3do"
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 tnc-imv updown
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 tnc-imv updown
multiple_authentication = no
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
+ syslog {
+ auth {
+ default = 0
+ }
+ daemon {
+ tnc = 3
+ imv = 2
+ }
+ }
plugins {
eap-ttls {
phase2_method = md5
}
}
+libtls {
+ suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+}
+
libimcv {
plugins {
imv-test {
--- /dev/null
+connections {
+
+ rw-allow {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = eap-ttls
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = eap-ttls
+ id = *@strongswan.org
+ groups = allow
+ }
+ children {
+ rw-allow {
+ local_ts = 10.1.0.0/28
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-modp3072
+ }
+
+ rw-isolate {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = eap-ttls
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = eap-ttls
+ id = *@strongswan.org
+ groups = isolate
+ }
+ children {
+ rw-isolate {
+ local_ts = 10.1.0.16/28
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-modp3072
+ }
+}
+
+secrets {
+
+ eap-carol {
+ id = carol@strongswan.org
+ secret = "Ar3etTnp"
+ }
+ eap-dave {
+ id = dave@strongswan.org
+ secret = "W7R0g3do"
+ }
+}
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::service charon stop
+dave::service charon stop
+moon::service charon stop
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
dave::iptables-restore < /etc/iptables.flush
moon::cat /etc/tnc_config
carol::cat /etc/tnc_config
dave::cat /etc/tnc_config
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+carol::rm /etc/swanctl/rsa/*
+dave::rm /etc/swanctl/rsa/*
+carol::rm /etc/swanctl/x509/*
+dave::rm /etc/swanctl/x509/*
+moon::service charon start
+carol::service charon start
+dave::service charon start
carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
#
RADIUSHOSTS=
+# charon controlled by swanctl
+#
+SWANCTL=1
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- charondebug="tnc 3, imc 3"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_CAROL
- leftid=carol@strongswan.org
- leftauth=eap
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightauth=any
- rightsendcert=never
- rightsubnet=10.1.0.0/16
- auto=add
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-carol@strongswan.org : EAP "Ar3etTnp"
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
multiple_authentication = no
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
+ syslog {
+ auth {
+ default = 0
+ }
+ daemon {
+ tnc = 3
+ imc = 3
+ }
+ }
plugins {
tnccs-20 {
tests {
}
}
+libtls {
+ suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+}
+
libimcv {
plugins {
imc-test {
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap-ttls
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = eap-ttls
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-modp3072
+ }
+}
+
+secrets {
+
+ eap {
+ id = carol@strongswan.org
+ secret = "Ar3etTnp"
+ }
+}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- charondebug="tnc 3, imc 3"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_DAVE
- leftid=dave@strongswan.org
- leftauth=eap
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=moon.strongswan.org
- rightauth=any
- rightsendcert=never
- rightsubnet=10.1.0.0/16
- auto=add
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-dave@strongswan.org : EAP "W7R0g3do"
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
multiple_authentication = no
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
+ syslog {
+ auth {
+ default = 0
+ }
+ daemon {
+ tnc = 3
+ imc = 3
+ }
+ }
plugins {
tnc-imc {
preferred_language = ru, pl , de
}
}
+libtls {
+ suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+}
+
libimcv {
plugins {
imc-test {
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap-ttls
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = eap-ttls
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-modp3072
+ }
+}
+
+secrets {
+
+ eap {
+ id = dave@strongswan.org
+ secret = "W7R0g3do"
+ }
+}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- charondebug="tnc 3, imv 3"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn rw-allow
- rightgroups=allow
- leftsubnet=10.1.0.0/28
- also=rw-eap
- auto=add
-
-conn rw-isolate
- rightgroups=isolate
- leftsubnet=10.1.0.16/28
- also=rw-eap
- auto=add
-
-conn rw-eap
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftauth=eap-ttls
- leftfirewall=yes
- rightauth=eap-ttls
- rightid=*@strongswan.org
- rightsendcert=never
- right=%any
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
-
-carol@strongswan.org : EAP "Ar3etTnp"
-dave@strongswan.org : EAP "W7R0g3do"
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown
multiple_authentication = no
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
+ syslog {
+ auth {
+ default = 0
+ }
+ daemon {
+ tnc = 3
+ imv = 3
+ }
+ }
plugins {
eap-ttls {
phase2_method = md5
}
}
+libtls {
+ suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+}
+
libimcv {
plugins {
imv-test {
--- /dev/null
+connections {
+
+ rw-allow {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = eap-ttls
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = eap-ttls
+ id = *@strongswan.org
+ groups = allow
+ }
+ children {
+ rw-allow {
+ local_ts = 10.1.0.0/28
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-modp3072
+ }
+
+ rw-isolate {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = eap-ttls
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = eap-ttls
+ id = *@strongswan.org
+ groups = isolate
+ }
+ children {
+ rw-isolate {
+ local_ts = 10.1.0.16/28
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-modp3072
+ }
+}
+
+secrets {
+
+ eap-carol {
+ id = carol@strongswan.org
+ secret = "Ar3etTnp"
+ }
+ eap-dave {
+ id = dave@strongswan.org
+ secret = "W7R0g3do"
+ }
+}
-carol::ipsec stop
-dave::ipsec stop
-moon::ipsec stop
+carol::service charon stop
+dave::service charon stop
+moon::service charon stop
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
dave::iptables-restore < /etc/iptables.flush
moon::cat /etc/tnc_config
carol::cat /etc/tnc_config
dave::cat /etc/tnc_config
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+carol::rm /etc/swanctl/rsa/*
+dave::rm /etc/swanctl/rsa/*
+carol::rm /etc/swanctl/x509/*
+dave::rm /etc/swanctl/x509/*
+moon::service charon start
+carol::service charon start
+dave::service charon start
carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
#
RADIUSHOSTS=
+# charon controlled by swanctl
+#
+SWANCTL=1
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- charondebug="tnc 3, imc 3"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_CAROL
- leftid=carol@strongswan.org
- leftauth=eap
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightauth=any
- rightsendcert=never
- rightsubnet=10.1.0.0/16
- auto=add
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-carol@strongswan.org : EAP "Ar3etTnp"
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
multiple_authentication = no
+
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
+ syslog {
+ auth {
+ default = 0
+ }
+ daemon {
+ tnc = 3
+ imc = 3
+ }
+ }
+}
+
+libtls {
+ suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
}
libimcv {
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap-ttls
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = eap-ttls
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-modp3072
+ }
+}
+
+secrets {
+
+ eap {
+ id = carol@strongswan.org
+ secret = "Ar3etTnp"
+ }
+}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- charondebug="tnc 3, imv 3"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn rw-allow
- rightgroups=allow
- leftsubnet=10.1.0.0/28
- also=rw-eap
- auto=add
-
-conn rw-isolate
- rightgroups=isolate
- leftsubnet=10.1.0.16/28
- also=rw-eap
- auto=add
-
-conn rw-eap
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftauth=eap-ttls
- leftfirewall=yes
- rightauth=eap-ttls
- rightid=*@strongswan.org
- rightsendcert=never
- right=%any
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
-
-carol@strongswan.org : EAP "Ar3etTnp"
-dave@strongswan.org : EAP "W7R0g3do"
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown
multiple_authentication = no
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
+ syslog {
+ auth {
+ default = 0
+ }
+ daemon {
+ tnc = 3
+ imv = 3
+ }
+ }
plugins {
eap-ttls {
phase2_method = md5
}
}
+libtls {
+ suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
+}
+
libimcv {
plugins {
imv-test {
--- /dev/null
+connections {
+
+ rw-allow {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = eap-ttls
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = eap-ttls
+ id = *@strongswan.org
+ groups = allow
+ }
+ children {
+ rw-allow {
+ local_ts = 10.1.0.0/28
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-modp3072
+ }
+
+ rw-isolate {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = eap-ttls
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = eap-ttls
+ id = *@strongswan.org
+ groups = isolate
+ }
+ children {
+ rw-isolate {
+ local_ts = 10.1.0.16/28
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-modp3072
+ }
+}
+
+secrets {
+
+ eap-carol {
+ id = carol@strongswan.org
+ secret = "Ar3etTnp"
+ }
+ eap-dave {
+ id = dave@strongswan.org
+ secret = "W7R0g3do"
+ }
+}
-carol::ipsec stop
-moon::ipsec stop
+carol::service charon stop
+moon::service charon stop
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.rules
moon::cat /etc/tnc_config
carol::cat /etc/tnc_config
-moon::ipsec start
-carol::ipsec start
+carol::rm /etc/swanctl/rsa/*
+carol::rm /etc/swanctl/x509/*
+moon::service charon start
+carol::service charon start
carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
#
RADIUSHOSTS=
+# charon controlled by swanctl
+#
+SWANCTL=1
-carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES
+carol::cat /var/log/daemon.log::PB-TNC access recommendation is.*Access Allowed::YES
carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
-dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
+dave:: cat /var/log/daemon.log::PB-TNC access recommendation is.*Quarantined::YES
dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
-moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
-moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-allow.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-allow.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-isolate.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*rw-isolate.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
-carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+carol::ping -c 1 -W 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
-dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_req=1::NO
-
+dave:: ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
--- /dev/null
+#! /bin/sh
+### BEGIN INIT INFO
+# Provides: charon
+# Required-Start: $remote_fs $syslog
+# Required-Stop: $remote_fs $syslog
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: strongSwan charon IKE daemon
+# Description: with swanctl the strongSwan charon daemon must be
+# running in the background
+### END INIT INFO
+
+# Author: Andreas Steffen <andreas.steffen@strongswa.org>
+#
+# Do NOT "set -e"
+
+# PATH should only include /usr/* if it runs after the mountnfs.sh script
+PATH=/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin
+DESC="strongSwan charon IKE daemon"
+NAME=charon
+DAEMON=/usr/local/libexec/ipsec/$NAME
+DAEMON_ARGS=""
+PIDFILE=/var/run/$NAME.pid
+SCRIPTNAME=/etc/init.d/charon
+
+export LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties
+
+# Exit if the package is not installed
+[ -x "$DAEMON" ] || exit 0
+
+# Read configuration variable file if it is present
+[ -r /etc/default/$NAME ] && . /etc/default/$NAME
+
+# Load the VERBOSE setting and other rcS variables
+. /lib/init/vars.sh
+
+# Define LSB log_* functions.
+# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
+# and status_of_proc is working.
+. /lib/lsb/init-functions
+
+#
+# Function that starts the daemon/service
+#
+do_start()
+{
+ # Return
+ # 0 if daemon has been started
+ # 1 if daemon was already running
+ # 2 if daemon could not be started
+ start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
+ || return 1
+ start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON -- \
+ $DAEMON_ARGS \
+ || return 2
+ # Add code here, if necessary, that waits for the process to be ready
+ # to handle requests from services started subsequently which depend
+ # on this one. As a last resort, sleep for some time.
+}
+
+#
+# Function that stops the daemon/service
+#
+do_stop()
+{
+ # Return
+ # 0 if daemon has been stopped
+ # 1 if daemon was already stopped
+ # 2 if daemon could not be stopped
+ # other if a failure occurred
+ start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
+ RETVAL="$?"
+ [ "$RETVAL" = 2 ] && return 2
+ # Wait for children to finish too if this is a daemon that forks
+ # and if the daemon is only ever run from this initscript.
+ # If the above conditions are not satisfied then add some other code
+ # that waits for the process to drop all resources that could be
+ # needed by services started subsequently. A last resort is to
+ # sleep for some time.
+ start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
+ [ "$?" = 2 ] && return 2
+ # Many daemons don't delete their pidfiles when they exit.
+ rm -f $PIDFILE
+ return "$RETVAL"
+}
+
+#
+# Function that sends a SIGHUP to the daemon/service
+#
+do_reload() {
+ #
+ # If the daemon can reload its configuration without
+ # restarting (for example, when it is sent a SIGHUP),
+ # then implement that here.
+ #
+ start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME
+ return 0
+}
+
+case "$1" in
+ start)
+ [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
+ do_start
+ case "$?" in
+ 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+ 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+ esac
+ ;;
+ stop)
+ [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
+ do_stop
+ case "$?" in
+ 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+ 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+ esac
+ ;;
+ status)
+ status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
+ ;;
+ #reload|force-reload)
+ #
+ # If do_reload() is not implemented then leave this commented out
+ # and leave 'force-reload' as an alias for 'restart'.
+ #
+ #log_daemon_msg "Reloading $DESC" "$NAME"
+ #do_reload
+ #log_end_msg $?
+ #;;
+ restart|force-reload)
+ #
+ # If the "reload" option is implemented then remove the
+ # 'force-reload' alias
+ #
+ log_daemon_msg "Restarting $DESC" "$NAME"
+ do_stop
+ case "$?" in
+ 0|1)
+ do_start
+ case "$?" in
+ 0) log_end_msg 0 ;;
+ 1) log_end_msg 1 ;; # Old process is still running
+ *) log_end_msg 1 ;; # Failed to start
+ esac
+ ;;
+ *)
+ # Failed to stop
+ log_end_msg 1
+ ;;
+ esac
+ ;;
+ *)
+ #echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2
+ echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
+ exit 3
+ ;;
+esac
+
+:
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- charondebug="tnc 3, imc 2"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_CAROL
- leftid=carol@strongswan.org
- leftauth=eap
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightauth=any
- rightsendcert=never
- rightsubnet=10.1.0.0/16
- auto=add
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-carol@strongswan.org : EAP "Ar3etTnp"
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
multiple_authentication = no
+
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
+ syslog {
+ auth {
+ default = 0
+ }
+ daemon {
+ tnc = 3
+ imc = 2
+ }
+ }
+}
+
+libtls {
+ suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
}
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap-ttls
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = eap-ttls
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-modp3072
+ }
+}
+
+secrets {
+
+ eap {
+ id = carol@strongswan.org
+ secret = "Ar3etTnp"
+ }
+}
--- /dev/null
+#! /bin/sh
+### BEGIN INIT INFO
+# Provides: charon
+# Required-Start: $remote_fs $syslog
+# Required-Stop: $remote_fs $syslog
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: strongSwan charon IKE daemon
+# Description: with swanctl the strongSwan charon daemon must be
+# running in the background
+### END INIT INFO
+
+# Author: Andreas Steffen <andreas.steffen@strongswa.org>
+#
+# Do NOT "set -e"
+
+# PATH should only include /usr/* if it runs after the mountnfs.sh script
+PATH=/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin
+DESC="strongSwan charon IKE daemon"
+NAME=charon
+DAEMON=/usr/local/libexec/ipsec/$NAME
+DAEMON_ARGS=""
+PIDFILE=/var/run/$NAME.pid
+SCRIPTNAME=/etc/init.d/charon
+
+export LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties
+
+# Exit if the package is not installed
+[ -x "$DAEMON" ] || exit 0
+
+# Read configuration variable file if it is present
+[ -r /etc/default/$NAME ] && . /etc/default/$NAME
+
+# Load the VERBOSE setting and other rcS variables
+. /lib/init/vars.sh
+
+# Define LSB log_* functions.
+# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
+# and status_of_proc is working.
+. /lib/lsb/init-functions
+
+#
+# Function that starts the daemon/service
+#
+do_start()
+{
+ # Return
+ # 0 if daemon has been started
+ # 1 if daemon was already running
+ # 2 if daemon could not be started
+ start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
+ || return 1
+ start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON -- \
+ $DAEMON_ARGS \
+ || return 2
+ # Add code here, if necessary, that waits for the process to be ready
+ # to handle requests from services started subsequently which depend
+ # on this one. As a last resort, sleep for some time.
+}
+
+#
+# Function that stops the daemon/service
+#
+do_stop()
+{
+ # Return
+ # 0 if daemon has been stopped
+ # 1 if daemon was already stopped
+ # 2 if daemon could not be stopped
+ # other if a failure occurred
+ start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
+ RETVAL="$?"
+ [ "$RETVAL" = 2 ] && return 2
+ # Wait for children to finish too if this is a daemon that forks
+ # and if the daemon is only ever run from this initscript.
+ # If the above conditions are not satisfied then add some other code
+ # that waits for the process to drop all resources that could be
+ # needed by services started subsequently. A last resort is to
+ # sleep for some time.
+ start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
+ [ "$?" = 2 ] && return 2
+ # Many daemons don't delete their pidfiles when they exit.
+ rm -f $PIDFILE
+ return "$RETVAL"
+}
+
+#
+# Function that sends a SIGHUP to the daemon/service
+#
+do_reload() {
+ #
+ # If the daemon can reload its configuration without
+ # restarting (for example, when it is sent a SIGHUP),
+ # then implement that here.
+ #
+ start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME
+ return 0
+}
+
+case "$1" in
+ start)
+ [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
+ do_start
+ case "$?" in
+ 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+ 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+ esac
+ ;;
+ stop)
+ [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
+ do_stop
+ case "$?" in
+ 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+ 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+ esac
+ ;;
+ status)
+ status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
+ ;;
+ #reload|force-reload)
+ #
+ # If do_reload() is not implemented then leave this commented out
+ # and leave 'force-reload' as an alias for 'restart'.
+ #
+ #log_daemon_msg "Reloading $DESC" "$NAME"
+ #do_reload
+ #log_end_msg $?
+ #;;
+ restart|force-reload)
+ #
+ # If the "reload" option is implemented then remove the
+ # 'force-reload' alias
+ #
+ log_daemon_msg "Restarting $DESC" "$NAME"
+ do_stop
+ case "$?" in
+ 0|1)
+ do_start
+ case "$?" in
+ 0) log_end_msg 0 ;;
+ 1) log_end_msg 1 ;; # Old process is still running
+ *) log_end_msg 1 ;; # Failed to start
+ esac
+ ;;
+ *)
+ # Failed to stop
+ log_end_msg 1
+ ;;
+ esac
+ ;;
+ *)
+ #echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2
+ echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
+ exit 3
+ ;;
+esac
+
+:
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- charondebug="tnc 3, imc 2"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_DAVE
- leftid=dave@strongswan.org
- leftauth=eap
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightauth=any
- rightsendcert=never
- rightsubnet=10.1.0.0/16
- auto=add
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-dave@strongswan.org : EAP "W7R0g3do"
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
multiple_authentication = no
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
+ syslog {
+ auth {
+ default = 0
+ }
+ daemon {
+ tnc = 3
+ imc = 2
+ }
+ }
+}
+
+libtls {
+ suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
}
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = eap-ttls
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = eap-ttls
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-modp3072
+ }
+}
+
+secrets {
+
+ eap {
+ id = dave@strongswan.org
+ secret = "W7R0g3do"
+ }
+}
--- /dev/null
+#! /bin/sh
+### BEGIN INIT INFO
+# Provides: charon
+# Required-Start: $remote_fs $syslog
+# Required-Stop: $remote_fs $syslog
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: strongSwan charon IKE daemon
+# Description: with swanctl the strongSwan charon daemon must be
+# running in the background
+### END INIT INFO
+
+# Author: Andreas Steffen <andreas.steffen@strongswa.org>
+#
+# Do NOT "set -e"
+
+# PATH should only include /usr/* if it runs after the mountnfs.sh script
+PATH=/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin
+DESC="strongSwan charon IKE daemon"
+NAME=charon
+DAEMON=/usr/local/libexec/ipsec/$NAME
+DAEMON_ARGS=""
+PIDFILE=/var/run/$NAME.pid
+SCRIPTNAME=/etc/init.d/charon
+
+export LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties
+
+# Exit if the package is not installed
+[ -x "$DAEMON" ] || exit 0
+
+# Read configuration variable file if it is present
+[ -r /etc/default/$NAME ] && . /etc/default/$NAME
+
+# Load the VERBOSE setting and other rcS variables
+. /lib/init/vars.sh
+
+# Define LSB log_* functions.
+# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
+# and status_of_proc is working.
+. /lib/lsb/init-functions
+
+#
+# Function that starts the daemon/service
+#
+do_start()
+{
+ # Return
+ # 0 if daemon has been started
+ # 1 if daemon was already running
+ # 2 if daemon could not be started
+ start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON --test > /dev/null \
+ || return 1
+ start-stop-daemon --start --quiet --background --pidfile $PIDFILE --exec $DAEMON -- \
+ $DAEMON_ARGS \
+ || return 2
+ # Add code here, if necessary, that waits for the process to be ready
+ # to handle requests from services started subsequently which depend
+ # on this one. As a last resort, sleep for some time.
+}
+
+#
+# Function that stops the daemon/service
+#
+do_stop()
+{
+ # Return
+ # 0 if daemon has been stopped
+ # 1 if daemon was already stopped
+ # 2 if daemon could not be stopped
+ # other if a failure occurred
+ start-stop-daemon --stop --quiet --retry=TERM/30/KILL/5 --pidfile $PIDFILE --name $NAME
+ RETVAL="$?"
+ [ "$RETVAL" = 2 ] && return 2
+ # Wait for children to finish too if this is a daemon that forks
+ # and if the daemon is only ever run from this initscript.
+ # If the above conditions are not satisfied then add some other code
+ # that waits for the process to drop all resources that could be
+ # needed by services started subsequently. A last resort is to
+ # sleep for some time.
+ start-stop-daemon --stop --quiet --oknodo --retry=0/30/KILL/5 --exec $DAEMON
+ [ "$?" = 2 ] && return 2
+ # Many daemons don't delete their pidfiles when they exit.
+ rm -f $PIDFILE
+ return "$RETVAL"
+}
+
+#
+# Function that sends a SIGHUP to the daemon/service
+#
+do_reload() {
+ #
+ # If the daemon can reload its configuration without
+ # restarting (for example, when it is sent a SIGHUP),
+ # then implement that here.
+ #
+ start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME
+ return 0
+}
+
+case "$1" in
+ start)
+ [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
+ do_start
+ case "$?" in
+ 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+ 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+ esac
+ ;;
+ stop)
+ [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
+ do_stop
+ case "$?" in
+ 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+ 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+ esac
+ ;;
+ status)
+ status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
+ ;;
+ #reload|force-reload)
+ #
+ # If do_reload() is not implemented then leave this commented out
+ # and leave 'force-reload' as an alias for 'restart'.
+ #
+ #log_daemon_msg "Reloading $DESC" "$NAME"
+ #do_reload
+ #log_end_msg $?
+ #;;
+ restart|force-reload)
+ #
+ # If the "reload" option is implemented then remove the
+ # 'force-reload' alias
+ #
+ log_daemon_msg "Restarting $DESC" "$NAME"
+ do_stop
+ case "$?" in
+ 0|1)
+ do_start
+ case "$?" in
+ 0) log_end_msg 0 ;;
+ 1) log_end_msg 1 ;; # Old process is still running
+ *) log_end_msg 1 ;; # Failed to start
+ esac
+ ;;
+ *)
+ # Failed to stop
+ log_end_msg 1
+ ;;
+ esac
+ ;;
+ *)
+ #echo "Usage: $SCRIPTNAME {start|stop|restart|reload|force-reload}" >&2
+ echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
+ exit 3
+ ;;
+esac
+
+:
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- charondebug="tnc 3, imv 2"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn rw-allow
- rightgroups=allow
- leftsubnet=10.1.0.0/28
- also=rw-eap
- auto=add
-
-conn rw-isolate
- rightgroups=isolate
- leftsubnet=10.1.0.16/28
- also=rw-eap
- auto=add
-
-conn rw-eap
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftauth=eap-ttls
- leftfirewall=yes
- rightauth=eap-ttls
- rightid=*@strongswan.org
- rightsendcert=never
- right=%any
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
-
-carol@strongswan.org : EAP "Ar3etTnp"
-dave@strongswan.org : EAP "W7R0g3do"
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown
+ load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp hmac x509 revocation curl vici kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown
multiple_authentication = no
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
+ syslog {
+ auth {
+ default = 0
+ }
+ daemon {
+ tnc = 3
+ imv = 2
+ }
+ }
plugins {
eap-ttls {
phase2_method = md5
--- /dev/null
+connections {
+
+ rw-allow {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = eap-ttls
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = eap-ttls
+ id = *@strongswan.org
+ groups = allow
+ }
+ children {
+ rw-allow {
+ local_ts = 10.1.0.0/28
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-modp3072
+ }
+
+ rw-isolate {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = eap-ttls
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = eap-ttls
+ id = *@strongswan.org
+ groups = isolate
+ }
+ children {
+ rw-isolate {
+ local_ts = 10.1.0.16/28
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm16-modp3072
+ }
+ }
+ version = 2
+ send_certreq = no
+ proposals = aes128-sha256-modp3072
+ }
+}
+
+secrets {
+
+ eap-carol {
+ id = carol@strongswan.org
+ secret = "Ar3etTnp"
+ }
+ eap-dave {
+ id = dave@strongswan.org
+ secret = "W7R0g3do"
+ }
+}
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::service charon stop
+dave::service charon stop
+moon::service charon stop
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
dave::iptables-restore < /etc/iptables.flush
dave::cat /etc/tnc_config
carol::cat /etc/tnc/dummyimc.file
dave::cat /etc/tnc/dummyimc.file
-moon::cat /etc/tnc/dummyimv.policy
-moon::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start
-carol::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start
-dave::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start
+carol::rm /etc/swanctl/rsa/*
+dave::rm /etc/swanctl/rsa/*
+carol::rm /etc/swanctl/x509/*
+dave::rm /etc/swanctl/x509/*
+moon::service charon start
+carol::service charon start
+dave::service charon start
moon::expect-connection rw-allow
carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
#
RADIUSHOSTS=
+# charon controlled by swanctl
+#
+SWANCTL=1
alice::cat /var/log/daemon.log::policy enforced on peer.*dave@strongswan.org.*is.*no access::YES
moon:: cat /var/log/daemon.log::RADIUS authentication of.*dave@strongswan.org.*failed::YES
moon:: cat /var/log/daemon.log::RADIUS authentication of.*dave@strongswan.org.*failed::YES
-
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- charondebug="tnc 2, imv 3"
-
-conn aaa
- leftcert=aaaCert.pem
- leftid=aaa.strongswan.org
- auto=add
+++ /dev/null
------BEGIN CERTIFICATE-----
-MIIEIDCCAwigAwIBAgIBMzANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
-MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTE1MDgwNDE0NTUzMVoXDTE5MDkwNjE0NTUzMVowRTELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEmFhYS5z
-dHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALcX
-z9IzPMGarSbzZmGq/lpgeRpM2W5uN9QuWFqUnP+L4wjF5Yf+1bhj5DnrhKlOCjii
-95dDkLdRMYe+4ovXpINF//+J9d9nyP4YNLClUTwivBwvJdC3cJyyzSO7juTm2GNS
-rQFZw3iP3HxWy1dM9/P1+xlgqSou6HJlTDWpaQ+cO3P/WlYKTu9DvTT6/jj4bNS6
-fbiUEG0M0JYcnYSt0iwNWyRHMl2DKjmpibnfhHDNR46t0luSaSobq6A0sRszJ7UR
-dE4Kxl3/HLTX8/+dq3qaFIdhqxXzoZKV6ylBK3+OjTbZw3uBV78qa2TUDuMCQVig
-kkt6delFhC/tSxcIgz0CAwEAAaOCARkwggEVMAkGA1UdEwQCMAAwCwYDVR0PBAQD
-AgOoMB0GA1UdDgQWBBRFNnP26ELy5j7KMOO+a8dh5pLe6DBtBgNVHSMEZjBkgBRd
-p91wBlEyfue2bbO15eBg6i5N76FJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoT
-EExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIB
-ADAdBgNVHREEFjAUghJhYWEuc3Ryb25nc3dhbi5vcmcwEwYDVR0lBAwwCgYIKwYB
-BQUHAwEwOQYDVR0fBDIwMDAuoCygKoYoaHR0cDovL2NybC5zdHJvbmdzd2FuLm9y
-Zy9zdHJvbmdzd2FuLmNybDANBgkqhkiG9w0BAQsFAAOCAQEAsncNPDCCDd4mzIHs
-nHY7b6H1tVQtFSbAQntV06D4D7vOp6Y+M5S8ta50hJu4f4GEeH5c7/hm8gbRdHt/
-TcjlV/UWBfhU3c/hNJo2LpmmtdmYUABLA3rdZ+FzOnAHX9H8eI988G7eHpI9T7L2
-FY2YEnWhIUVjFrojtH2+NbuA/Ori1QwSBiVhvJQgvUPjhKkjUtC+8zIdaCmJFErQ
-GGObpAMtnTcQ74md9BQ791RPMp77tDe1fgm7m8QWIsoIyYEhvzyfk2VTBn1VlWyH
-sbT0Vb3X9ubt0KXn2Xr491WTCpc5rzDWj9CNUYUgW7RaPxgw5cj2HK6oiLnGpO73
-xyr/Qw==
------END CERTIFICATE-----
+++ /dev/null
------BEGIN RSA PRIVATE KEY-----
-MIIEpQIBAAKCAQEAtxfP0jM8wZqtJvNmYar+WmB5GkzZbm431C5YWpSc/4vjCMXl
-h/7VuGPkOeuEqU4KOKL3l0OQt1Exh77ii9ekg0X//4n132fI/hg0sKVRPCK8HC8l
-0LdwnLLNI7uO5ObYY1KtAVnDeI/cfFbLV0z38/X7GWCpKi7ocmVMNalpD5w7c/9a
-VgpO70O9NPr+OPhs1Lp9uJQQbQzQlhydhK3SLA1bJEcyXYMqOamJud+EcM1Hjq3S
-W5JpKhuroDSxGzMntRF0TgrGXf8ctNfz/52repoUh2GrFfOhkpXrKUErf46NNtnD
-e4FXvyprZNQO4wJBWKCSS3p16UWEL+1LFwiDPQIDAQABAoIBAQCNeNG0+rA0bF7k
-nOf8CZL1pFuOzdin8nQi+Bh/DRvufVlU+wyrM2ZSTqUXd/sOkuVk889ZyvQ0IYGj
-AQStx1cvs9Pl0OTx1ZDBfVShNWv6imBNasTObB+QhLvro037Yr/KpyRUydY2/vn/
-/VSrRSbGE8gMyNqNZKdpVQo44Ij0bJXxx7kVJ7CfftB65bujkRSK5u7eGjFVyHGs
-P9v4n72Pt0mVdC8yeiMjJAmmKLWaDf7U2SUoaxf0IRjRNPdVBuPjbYjfnJ0sGlxF
-sCQtu+3JQ4b7vyxrAyUtImbTLwvFqQHTGIahZUvhGd/1aO0Zmls1mvuZ+VhUIsek
-uBJh54jFAoGBAN7M08mBkA8oUns0IzzG+A0JYDmdbvOWbKtyQDRl7LkXOq/PckIj
-PoliI/5aNZe9+Q8kq8xnvLVcsup7EX6Ovaqc6S3ODNEjy4XEqGMM9tkrz4R4N5f5
-hLayOg3MfdJiPOn3HF+cVvHp0Vwpt8K5TgVmOWkVSKTa+6eX4mhQUuKjAoGBANJg
-Rmka90zo+7PPze4oo5ePeqwZrwQ3/6OeD/G1lqMFPOgk3MLGuv9HvtQA5gyyAH7+
-Qy/t+rdPSC7PZi29s8/cERmWTdbZ1ocuKa6xxSvktl7Ibv51d0sW1n+kfVin7cLL
-SskoK8BRXjXsZg7jjZjE5f6iqdHq+JPA2JWM10CfAoGAOXTvJScxhIcshjNS5wiU
-zZ/eXd1Y0J65VZl4L0sdujngW5iO6bl3FizmBWE0Mva99QbK+0LBarAGP+wO/elH
-xmkCxVo++exWPyARIMImIqlmsc3i4GFrtUXPLOHQjOHivZ+JhKqnzWk0IaVsi14I
-XeIX6h6gBkum3HiR3b7hMSsCgYEAtq7ftbmy8liG6hgTzTIBDUWM0xHihxlRpnVF
-hzGWw61yvGv2QDVugOt+bH7zRib0g1KsaVyQkMoJ9ownQKUxFdkWCFAa++1iezS9
-AXRhscIEE76dk93RX6VPUrw2FNyOfM8n/BIkG/cMhmroHRnBBd5Fkp8SNLWEclnO
-Od95tCUCgYEAgvohkyZAAKMRUFYEvHgwyxeXHifHVPIoK9UN022DJmIEJE2ISGtH
-yHnBKgF52tlYhC9ijKwMG43C9IvycydRUtViOxDV8AiE4BV1tXuQHLl0jD2R7yq5
-9pNtnYgXW+ZKlx9705ltHj8hhKl6r2I8oXdR9KFGO83wq8fr6tyjqHc=
------END RSA PRIVATE KEY-----
+++ /dev/null
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA aaaKey.pem