SeGw (Secure Gateway) = responder
Rw (Roadwarrior) client = initiator

SeGw commands:

1. root@calr720-vmprgu1:/home/user# ipsec restart
   Stopping strongSwan IPsec...
   Starting strongSwan 5.3.5 IPsec [starter]...
   !! Your strongswan.conf contains manual plugin load options for charon.
   !! This is recommended for experts only, see
   !! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad

2. root@calr720-vmprgu1:/home/user# swanctl --load-all
   loaded ike secret 'ike-carol'
   loaded ike secret 'ike-dave'
   no authorities found, 0 unloaded
   no pools found, 0 unloaded
   loaded connection 'rw'
   successfully loaded 1 connections, 0 unloaded

Roadwarrior commands:

1. root@calr720-vmprgu2:/home/user# ipsec restart
   Stopping strongSwan IPsec...
   Starting strongSwan 5.3.5 IPsec [starter]...
   !! Your strongswan.conf contains manual plugin load options for charon.
   !! This is recommended for experts only, see
   !! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad

2. root@calr720-vmprgu2:/home/user# swanctl --load-all
   loaded ike secret 'ike-moon'
   no authorities found, 0 unloaded
   no pools found, 0 unloaded
   loaded connection 'home'
   successfully loaded 1 connections, 0 unloaded

3. root@calr720-vmprgu2:/home/user# swanctl -i --child home
   [IKE] initiating IKE_SA home[1] to 192.168.0.1
   ...
   initiate completed successfully

SeGw swanctl.conf configuration:

root@calr720-vmprgu1:/home/user# cat /usr/local/etc/swanctl/swanctl.conf
connections {
   rw {
      local_addrs = 192.168.0.1
      local {
         auth = psk
      }
      remote {
         auth = psk
      }
      children {
         net {
            local_ts = 10.1.0.0/16
            start_action = none
            updown = /usr/local/libexec/ipsec/_updown iptables
            rekey_time = 10m
            esp_proposals = aes128gcm128-modp2048
         }
      }
      version = 2
      reauth_time = 60m
      rekey_time = 20m
      proposals = aes128-sha256-modp2048
   }
}
secrets {
   ike-carol {
      id = 192.168.0.100
      secret = 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
   }
   ike-dave {
      id = 192.168.0.200
      secret = 0sjVzONCF02ncsgiSlmIXeqhGN
   }
}

SeGw strongswan.conf configuration:

root@calr720-vmprgu1:/home/user# cat /usr/local/etc/strongswan.conf
# /etc/strongswan.conf - strongSwan configuration file

swanctl {
   load = pem pkcs1 x509 revocation constraints pubkey openssl random
}

charon {
   load = sha1 sha2 md5 aes des hmac gmp random nonce kernel-netlink socket-default updown vici

   start-scripts {
      creds = /usr/local/sbin/swanctl --load-creds
      conns = /usr/local/sbin/swanctl --load-conns
   }
}

Roadwarrior swanctl configuration:

root@calr720-vmprgu2:/home/user# cat /usr/local/etc/swanctl/swanctl.conf
connections {
   home {
      local_addrs = 192.168.0.200
      remote_addrs = 192.168.0.1
      local {
         auth = psk
         id = 192.168.0.200
      }
      remote {
         auth = psk
         id = 192.168.0.1
      }
      children {
         home {
            remote_ts = 10.1.0.0/16
            start_action = none
            updown = /usr/local/libexec/ipsec/_updown iptables
            rekey_time = 10m
            esp_proposals = aes128gcm128-modp2048
         }
      }
      version = 2
      reauth_time = 60m
      rekey_time = 20m
      proposals = aes128-sha256-modp2048
   }
}
secrets {
   ike-moon {
      id = 192.168.0.1
      secret = 0sjVzONCF02ncsgiSlmIXeqhGN
   }
}

Roadwarrior strongswan configuration:

root@calr720-vmprgu2:/home/user# cat /usr/local/etc/strongswan.conf
# /etc/strongswan.conf - strongSwan configuration file

swanctl {
   load = pem pkcs1 x509 revocation constraints pubkey openssl random
}

charon {
   load = sha1 sha2 md5 aes des hmac gmp random nonce kernel-netlink socket-default updown vici

   start-scripts {
      creds = /usr/local/sbin/swanctl --load-creds
      conns = /usr/local/sbin/swanctl --load-conns
   }
}

SeGw Stats:

root@calr720-vmprgu1:/home/user# swanctl --stats
uptime: 2 minutes, since Feb 14 12:45:47 2016
worker threads: 16 total, 11 idle, working: 4/0/1/0
job queues: 0/0/0/0
jobs scheduled: 4
IKE_SAs: 1 total, 0 half-open
mallinfo: sbrk 2424832, mmap 0, used 204112, free 2220720

root@calr720-vmprgu1:/home/user# swanctl --list-conns
rw: IKEv2
  local:  192.168.0.1
  remote: %any
  local pre-shared key authentication:
  remote pre-shared key authentication:
  net: TUNNEL
    local:  10.1.0.0/16
    remote: dynamic

root@calr720-vmprgu1:/home/user# swanctl --list-sas
rw: #2, ESTABLISHED, IKEv2, 16cd98c6c2d2dd33:bb7c2f2b27a2dd2c
  local  '192.168.0.1' @ 192.168.0.1
  remote '192.168.0.200' @ 192.168.0.200
  AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
  established 28s ago, rekeying in 950s, reauth in 3522s
  net: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-128
    installed 28s ago, rekeying in 513s, expires in 632s
    in  ccc4a0d1, 0 bytes, 0 packets
    out ca6cb230, 0 bytes, 0 packets
    local  10.1.0.0/16
    remote 192.168.0.200/32

root@calr720-vmprgu1:/home/user# ifconfig
eth1      Link encap:Ethernet  HWaddr 52:54:00:a9:28:17
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::5054:ff:fea9:2817/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:76475598 errors:0 dropped:1 overruns:0 frame:0
          TX packets:2969 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4138352202 (4.1 GB)  TX bytes:298427 (298.4 KB)

eth2      Link encap:Ethernet  HWaddr 52:54:00:6f:8d:a6
          inet addr:10.1.0.1  Bcast:10.255.255.255  Mask:255.0.0.0
          inet6 addr: fe80::5054:ff:fe6f:8da6/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:61407 errors:0 dropped:0 overruns:0 frame:0
          TX packets:7 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:10872695 (10.8 MB)  TX bytes:578 (578.0 B)

Roadwarrior Stats:

root@calr720-vmprgu2:/home/user# swanctl --stats
uptime: 108 seconds, since Feb 14 12:38:03 2016
worker threads: 16 total, 11 idle, working: 4/0/1/0
job queues: 0/0/0/0
jobs scheduled: 4
IKE_SAs: 1 total, 0 half-open
mallinfo: sbrk 2424832, mmap 0, used 202608, free 2222224

root@calr720-vmprgu2:/home/user# swanctl --list-conns
home: IKEv2
  local:  192.168.0.200
  remote: 192.168.0.1
  local pre-shared key authentication:
    id: 192.168.0.200
  remote pre-shared key authentication:
    id: 192.168.0.1
  home: TUNNEL
    local:  dynamic
    remote: 10.1.0.0/16

root@calr720-vmprgu2:/home/user# swanctl --list-sas
home: #1, ESTABLISHED, IKEv2, 0fd28b802869b55a:d40338e7b3bfd4e6
  local  '192.168.0.200' @ 192.168.0.200
  remote '192.168.0.1' @ 192.168.0.1
  AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
  established 158s ago, rekeying in 749s, reauth in 2777s
  home: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-128
    installed 177s ago, rekeying in 437s, expires in 503s
    in  cd324ab9, 0 bytes, 0 packets
    out c2177512, 0 bytes, 0 packets
    local  192.168.0.200/32
    remote 10.1.0.0/16

root@calr720-vmprgu2:/home/user# ifconfig
eth1      Link encap:Ethernet  HWaddr 52:54:00:76:ae:5f
          inet addr:192.168.0.200  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::5054:ff:fe76:ae5f/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:21641 errors:0 dropped:0 overruns:0 frame:0
          TX packets:951 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3770035 (3.7 MB)  TX bytes:124285 (124.2 KB)

Roadwarrior -> SeGw traffic (pinging the subnet behind the SeGw; packet capture attached: strongswan-swanctl.pcap):

root@calr720-vmprgu2:/home/user# ping 10.1.0.11 -n 5
PING 5 (0.0.0.5) 56(124) bytes of data.

13:13:00.547988 IP 192.168.0.200 > 192.168.0.1: ESP(spi=0xc2118038,seq=0x41), length 128
13:13:01.545795 IP 192.168.0.200 > 192.168.0.1: ESP(spi=0xc2118038,seq=0x42), length 128

Roadwarrior Logs:

root@calr720-vmprgu2:/home/user# swanctl -i --child home
[IKE] initiating IKE_SA home[1] to 192.168.0.1
[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
[NET] sending packet: from 192.168.0.200[500] to 192.168.0.1[500] (448 bytes)
[NET] received packet: from 192.168.0.1[500] to 192.168.0.200[500] (456 bytes)
[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(MULT_AUTH) ]
[IKE] authentication of '192.168.0.200' (myself) with pre-shared key
[IKE] establishing CHILD_SA home
[ENC] generating IKE_AUTH request 1 [ IDi IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
[NET] sending packet: from 192.168.0.200[4500] to 192.168.0.1[4500] (256 bytes)
[IKE] retransmit 1 of request with message ID 1
[NET] sending packet: from 192.168.0.200[4500] to 192.168.0.1[4500] (256 bytes)
[IKE] retransmit 2 of request with message ID 1
[NET] sending packet: from 192.168.0.200[4500] to 192.168.0.1[4500] (256 bytes)
[NET] received packet: from 192.168.0.1[4500] to 192.168.0.200[4500] (256 bytes)
[ENC] parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
[IKE] authentication of '192.168.0.1' with pre-shared key successful
[IKE] IKE_SA home[1] established between 192.168.0.200[192.168.0.200]...192.168.0.1[192.168.0.1]
[IKE] scheduling rekeying in 907s
[IKE] scheduling reauthentication in 3403s
[IKE] maximum IKE_SA lifetime 1267s
[IKE] CHILD_SA home{1} established with SPIs cd324ab9_i c2177512_o and TS 192.168.0.200/32 === 10.1.0.0/16
[IKE] received AUTH_LIFETIME of 3294s, scheduling reauthentication in 2934s
[IKE] peer supports MOBIKE
initiate completed successfully

Note: ./configure --enable-swanctl (the swanctl plugin needs to be installed first to use swanctl).

Reference (topology, configuration): https://www.strongswan.org/uml/testresults/swanctl/rw-psk-ipv4/index.html

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
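An added example, not code from the post above or from the strongSwan project: a small Python parser for the strongswan.conf syntax that swanctl.conf uses (nested `name { ... }` sections, `key = value` to end of line), with two checks a defender would run over the pair of files before deploying them. The first confirms that the gateway's secrets section holds a PSK for the identity the roadwarrior presents and that the roadwarrior holds the same PSK for the gateway's identity, since in the post the gateway's `remote { auth = psk }` carries no `id` and it is the secrets section that decides which initiators can authenticate. The second scans every `proposals` and `esp_proposals` string for deprecated terms. The inline configs are copies of the post's two files trimmed to the keys the checks read; `WEAK_TERMS` is an assumed policy, not a strongSwan list.

```python
"""Added example (not strongSwan code): parse swanctl.conf and pre-check a PSK
roadwarrior setup like the post's: do both peers hold the same PSK for each
other's IKE identity, and are the IKE/ESP proposals free of weak terms?"""

# Inline copies of the post's swanctl.conf files, trimmed to the keys the
# checks read (addresses, children, updown and rekey settings omitted).
SEGW_CONF = """
connections {
   rw {
      proposals = aes128-sha256-modp2048
   }
}
secrets {
   ike-dave {
      id = 192.168.0.200
      secret = 0sjVzONCF02ncsgiSlmIXeqhGN
   }
}
"""

RW_CONF = """
connections {
   home {
      local {
         id = 192.168.0.200
      }
      remote {
         id = 192.168.0.1
      }
      proposals = aes128-sha256-modp2048
   }
}
secrets {
   ike-moon {
      id = 192.168.0.1
      secret = 0sjVzONCF02ncsgiSlmIXeqhGN
   }
}
"""

# Proposal terms treated as weak (assumed policy, not a strongSwan list).
WEAK_TERMS = {"md5", "des", "3des", "sha1", "modp768", "modp1024"}


def parse_swanctl(text):
    """`name {` opens a section, `}` closes it, `key = value` takes the rest
    of the line, lines starting with `#` are comments."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
        elif line.endswith("{"):
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        else:
            key, sep, value = line.partition("=")
            if not sep:
                raise ValueError(f"cannot parse line: {raw!r}")
            stack[-1][key.strip()] = value.strip()
    if len(stack) != 1:
        raise ValueError("unbalanced '{'")
    return root


def ike_psks(conf):
    """Map each IKE identity (id, id-1, ...) in the secrets section to its PSK."""
    return {v: e["secret"] for n, e in conf.get("secrets", {}).items()
            if n.startswith("ike") and isinstance(e, dict) and "secret" in e
            for k, v in e.items() if k == "id" or k.startswith("id-")}


def check_psk_pairing(gw_conf, rw_conf, rw_conn):
    """Problems that would make IKE_AUTH fail, using the ids the roadwarrior's
    connection `rw_conn` presents (local.id) and expects back (remote.id)."""
    conn = rw_conf["connections"][rw_conn]
    rw_id, gw_id = conn["local"]["id"], conn["remote"]["id"]
    gw_psk, rw_psk = ike_psks(gw_conf).get(rw_id), ike_psks(rw_conf).get(gw_id)
    problems = []
    if gw_psk is None:
        problems.append(f"gateway has no PSK for initiator id {rw_id}")
    if rw_psk is None:
        problems.append(f"roadwarrior has no PSK for gateway id {gw_id}")
    if gw_psk and rw_psk and gw_psk != rw_psk:
        problems.append("PSK mismatch: AUTH payload verification will fail")
    return problems


def weak_proposal_terms(conf):
    """List 'connection[/child]: term' for each weak term in any proposal."""
    hits = []
    for cname, conn in conf.get("connections", {}).items():
        sites = [(cname, conn.get("proposals", ""))]
        for chname, child in conn.get("children", {}).items():
            sites.append((f"{cname}/{chname}", child.get("esp_proposals", "")))
        for where, proposals in sites:
            for term in proposals.replace(",", "-").split("-"):
                if term in WEAK_TERMS:
                    hits.append(f"{where}: {term}")
    return hits
```

Run against the post's files, `check_psk_pairing(parse_swanctl(SEGW_CONF), parse_swanctl(RW_CONF), "home")` returns an empty list (the same `0sjVz...` PSK appears on both sides under the other peer's identity) and `weak_proposal_terms` finds nothing, which matches the established `AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048` and `ESP:AES_GCM_16-128` shown by `swanctl --list-sas`. The parser reads values to end of line on purpose: that is why `updown = /usr/local/libexec/ipsec/_updown iptables` in the post keeps both words, and why sections cannot be collapsed onto one line.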
