strongSwan介绍
测试环境
主要配置
aliyun
站点配置
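connections {
  # Site-to-site connection named net-net (aliyun side)
  net-net {
    # Peer (hwCloud) IP address
    remote_addrs = 13.1.1.2
    local {
      # Local authentication method
      auth = pubkey
      # Local end-entity certificate
      certs = aliyunCert.pem
    }
    remote {
      # Peer authentication method
      auth = pubkey
      # Peer identity: the subject Distinguished Name (DN) carried in the
      # peer's certificate. It must sit on its own line -- if it shares the
      # line with the comment above it, the setting is commented out and
      # never applied.
      id = "C=CN, O=strongswan, CN=hwCloud.strongswan.local"
    }
    children {
      # CHILD_SA (traffic selectors) named net-net
      net-net {
        # Local network
        local_ts = 192.168.10.0/24
        # Peer network
        remote_ts = 192.168.20.0/24
        # Install a trap policy: the tunnel is negotiated when matching
        # traffic first appears
        start_action = trap
      }
    }
  }
}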
hwCloud
站点配置
connections {
# Site-to-site connection named net-net (hwCloud side)
net-net {
# Peer (aliyun) IP address
remote_addrs = 21.1.1.2
local {
# Local authentication method
auth = pubkey
# Local end-entity certificate
certs = hwCloudCert.pem
}
remote {
# Peer authentication method
auth = pubkey
# Peer identity: the subject DN carried in the peer's certificate
id = "C=CN, O=strongswan, CN=aliyun.strongswan.local"
}
children {
# CHILD_SA (traffic selectors) named net-net; mirrors the aliyun side
net-net {
# Local network
local_ts = 192.168.20.0/24
# Peer network
remote_ts = 192.168.10.0/24
# Trap policy: tunnel is negotiated when matching traffic first appears
start_action = trap
}
}
} }
加载证书和配置
使用swanctl命令将证书和私钥加载到charon进程中。
swanctl --load-creds
root@aliyun:/etc/swanctl# swanctl --load-creds
loaded certificate from '/etc/swanctl/x509/aliyunCert.pem'
loaded certificate from '/etc/swanctl/x509ca/strongswanCert.pem'
loaded ED25519 key from '/etc/swanctl/private/aliyun.pem'
加载swanctl.conf中定义的connections。
root@aliyun:/etc/swanctl# swanctl --load-conns
loaded connection 'net-net'
successfully loaded 1 connections, 0 unloaded
触发隧道建立
从aliyun站点或hwCloud站点ping对方,触发隧道建立。
root@aliyun:~# ping 192.168.20.253
PING 192.168.20.253 (192.168.20.253) 56(84) bytes of data.
[ 103.872077] alg: No test for seqiv(rfc4106(gcm(aes))) (seqiv(rfc4106(gcm_base(ctr(aes-generic),ghash-generic))))
[ 103.878436] alg: No test for fips(ansi_cprng) (fips_ansi_cprng)
64 bytes from 192.168.20.253: icmp_seq=2 ttl=64 time=3.37 ms
64 bytes from 192.168.20.253: icmp_seq=3 ttl=64 time=3.06 ms
64 bytes from 192.168.20.253: icmp_seq=4 ttl=64 time=3.33 ms
查看隧道信息
查看IKE SA
信息
aliyun
主机上的IKE SA
信息
root@aliyun:~# swanctl --list-sas
net-net: #1, ESTABLISHED, IKEv2, 66bfab8e393b49b1_i* 1ee446b78869a286_r
local 'C=CN, O=strongswan, CN=aliyun.strongswan.local' @ 192.168.10.253[4500]
remote 'C=CN, O=strongswan, CN=hwCloud.strongswan.local' @ 13.1.1.2[4500]
AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/CURVE_25519
established 22s ago, rekeying in 13875s
net-net: #2, reqid 1, INSTALLED, TUNNEL-in-UDP, ESP:AES_GCM_16-128
installed 22s ago, rekeying in 3238s, expires in 3938s
in c4a1383e, 252 bytes, 3 packets, 19s ago
out cec3243e, 252 bytes, 3 packets, 19s ago
local 192.168.10.0/24
remote 192.168.20.0/24
aliyun
主机上的policy
信息
root@aliyun:~# swanctl --list-pols
net-net/net-net, TUNNEL
local: 192.168.10.0/24
remote: 192.168.20.0/24
aliyun
主机上的strongSwan
的连接信息
root@aliyun:~# swanctl --list-conns
net-net: IKEv1/2, no reauthentication, rekeying every 14400s
local: %any
remote: 13.1.1.2
local public key authentication:
id: C=CN, O=strongswan, CN=aliyun.strongswan.local
certs: C=CN, O=strongswan, CN=aliyun.strongswan.local
remote public key authentication:
id: C=CN, O=strongswan, CN=hwCloud.strongswan.local
net-net: TUNNEL, rekeying every 3600s
local: 192.168.10.0/24
remote: 192.168.20.0/24
hwcloud
主机上的IKE SA
信息
root@hwCloud:~# swanctl --list-sas
net-net: #1, ESTABLISHED, IKEv2, 66bfab8e393b49b1_i 1ee446b78869a286_r*
local 'C=CN, O=strongswan, CN=hwCloud.strongswan.local' @ 192.168.20.253[4500]
remote 'C=CN, O=strongswan, CN=aliyun.strongswan.local' @ 21.1.1.2[4500]
AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/CURVE_25519
established 259s ago, rekeying in 13880s
net-net: #2, reqid 1, INSTALLED, TUNNEL-in-UDP, ESP:AES_GCM_16-128
installed 259s ago, rekeying in 3270s, expires in 3702s
in cec3243e, 252 bytes, 3 packets, 255s ago
out c4a1383e, 252 bytes, 3 packets, 255s ago
local 192.168.20.0/24
remote 192.168.10.0/24
hwcloud
主机上的strongSwan
的连接信息
root@hwCloud:~# swanctl --list-conns
net-net: IKEv1/2, no reauthentication, rekeying every 14400s
local: %any
remote: 21.1.1.2
local public key authentication:
id: C=CN, O=strongswan, CN=hwcloud.strongswan.local
certs: C=CN, O=strongswan, CN=hwcloud.strongswan.local
remote public key authentication:
id: C=CN, O=strongswan, CN=aliyun.strongswan.local
net-net: TUNNEL, rekeying every 3600s
local: 192.168.20.0/24
remote: 192.168.10.0/24
hwcloud
主机上的policy
信息
root@hwCloud:~# swanctl --list-pols
net-net/net-net, TUNNEL
local: 192.168.20.0/24
remote: 192.168.10.0/24
root@hwCloud:~#
查看IPSec SA
信息
hwCloud主机上的IPSec SA信息(注意:下面输出中的 `aead` 行包含该SA的原始密钥,此类输出属于敏感信息)
root@hwCloud:~# ip -s xfrm state
src 192.168.20.253 dst 21.1.1.2
proto esp spi 0xc4a1383e(3298900030) reqid 1(0x00000001) mode tunnel
replay-window 0 seq 0x00000000 flag af-unspec (0x00100000)
aead rfc4106(gcm(aes)) 0x096371e5b100a06201f36b936179b00eff6c70e4 (160 bits) 128
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
anti-replay context: seq 0x0, oseq 0x3, bitmap 0x00000000
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 3528(sec), hard 3960(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
252(bytes), 3(packets)
add 2023-07-19 02:45:05 use 2023-07-19 02:45:06
stats:
replay-window 0 replay 0 failed 0
src 21.1.1.2 dst 192.168.20.253
proto esp spi 0xcec3243e(3468895294) reqid 1(0x00000001) mode tunnel
replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
aead rfc4106(gcm(aes)) 0x82030da738353d5eb52026aa05f4d65fbaa97b3d (160 bits) 128
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
anti-replay context: seq 0x3, oseq 0x0, bitmap 0x00000007
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 3585(sec), hard 3960(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
252(bytes), 3(packets)
add 2023-07-19 02:45:05 use 2023-07-19 02:45:06
stats:
replay-window 0 replay 0 failed 0
root@hwCloud:~# ip -s xfrm policy
src 192.168.20.0/24 dst 192.168.10.0/24 uid 0
dir out action allow index 81 priority 375423 ptype main share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2023-07-19 02:45:05 use 2023-07-19 02:45:08
tmpl src 192.168.20.253 dst 21.1.1.2
proto esp spi 0xc4a1383e(3298900030) reqid 1(0x00000001) mode tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 192.168.10.0/24 dst 192.168.20.0/24 uid 0
dir fwd action allow index 74 priority 375423 ptype main share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2023-07-19 02:45:05 use -
tmpl src 21.1.1.2 dst 192.168.20.253
proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 192.168.10.0/24 dst 192.168.20.0/24 uid 0
dir in action allow index 64 priority 375423 ptype main share any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2023-07-19 02:45:05 use 2023-07-19 02:45:08
tmpl src 21.1.1.2 dst 192.168.20.253
proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
......
查看路由表
Introduction to strongSwan Routing
On Linux, strongSwan installs routes into routing table 220 by default and hence requires the kernel to support policy based routing.
在Linux主机上,strongSwan默认将路由安装到路由表220中。
查看当前主机的存在的路由表
root@hwCloud:~# ip rule show
0: from all lookup local
220: from all lookup 220
32766: from all lookup main
32767: from all lookup default
查看当前主机的所有路由,包含本地链路地址等
root@hwCloud:~# ip route list table all
192.168.10.0/24 via 192.168.20.254 dev ens3 table 220 proto static src 192.168.20.253
default via 192.168.20.254 dev ens3 proto dhcp src 192.168.20.253 metric 100
192.168.20.0/24 dev ens3 proto kernel scope link src 192.168.20.253 metric 100
192.168.20.254 dev ens3 proto dhcp scope link src 192.168.20.253 metric 100
202.102.224.68 via 192.168.20.254 dev ens3 proto dhcp src 192.168.20.253 metric 100
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
local 192.168.20.253 dev ens3 table local proto kernel scope host src 192.168.20.253
broadcast 192.168.20.255 dev ens3 table local proto kernel scope link src 192.168.20.253
::1 dev lo proto kernel metric 256 pref medium
fe80::/64 dev ens3 proto kernel metric 256 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
local fe80::e63:1dff:fe93:0 dev ens3 table local proto kernel metric 0 pref medium
multicast ff00::/8 dev ens3 table local proto kernel metric 256 pref medium
查看当前主机上指定table id路由表中的路由
root@hwCloud:~# ip route list table 220
192.168.10.0/24 via 192.168.20.254 dev ens3 proto static src 192.168.20.253
查看证书信息(注意:下面CA证书主题中的 `--outform` 看起来是签发CA时命令行参数被并入DN所致,建议核对)
root@aliyun:~# swanctl --list-certs
List of X.509 End Entity Certificates
subject: "C=CN, O=strongswan, CN=aliyun.strongswan.local"
issuer: "C=CN, O=strongSwan, CN=strongSwan Root CA--outform"
validity: not before Jul 18 04:40:22 2023, ok
not after Jul 17 04:40:22 2024, ok (expires in 364 days)
serial: 01
altNames: aliyun.strongswan.local
flags:
authkeyId: c4:dc:af:e7:46:69:a2:58:ce:20:d1:6a:c3:16:39:d2:47:96:37:dd
subjkeyId: 17:e9:c0:cc:00:b1:7a:25:66:38:69:f9:06:39:cb:16:79:ce:c0:2a
pubkey: ED25519 256 bits, has private key
keyid: d3:af:3f:a4:0d:ae:40:91:28:ef:4e:0e:b5:2e:50:0e:d1:c1:52:d1
subjkey: 17:e9:c0:cc:00:b1:7a:25:66:38:69:f9:06:39:cb:16:79:ce:c0:2a
subject: "C=CN, O=strongswan, CN=hwCloud.strongswan.local"
issuer: "C=CN, O=strongSwan, CN=strongSwan Root CA--outform"
validity: not before Jul 18 04:25:14 2023, ok
not after Jul 17 04:25:14 2024, ok (expires in 364 days)
serial: 01
altNames: hwcloud.strongswan.local
flags:
authkeyId: c4:dc:af:e7:46:69:a2:58:ce:20:d1:6a:c3:16:39:d2:47:96:37:dd
subjkeyId: 4b:30:05:f3:57:8d:e7:10:c9:0b:25:fc:39:ad:64:77:2e:5f:f8:dc
pubkey: ED25519 256 bits
keyid: 9a:2c:f2:c5:5b:0a:84:f4:b0:3c:11:4c:f6:3f:99:03:a0:db:bf:dd
subjkey: 4b:30:05:f3:57:8d:e7:10:c9:0b:25:fc:39:ad:64:77:2e:5f:f8:dc
List of X.509 CA Certificates
subject: "C=CN, O=strongSwan, CN=strongSwan Root CA--outform"
issuer: "C=CN, O=strongSwan, CN=strongSwan Root CA--outform"
validity: not before Jul 18 03:59:38 2023, ok
not after Jul 15 03:59:38 2033, ok (expires in 3649 days)
serial: 15:6d:6f:55:df:b8:d6:89
flags: CA CRLSign self-signed
subjkeyId: c4:dc:af:e7:46:69:a2:58:ce:20:d1:6a:c3:16:39:d2:47:96:37:dd
pubkey: ED25519 256 bits
keyid: e3:e7:99:26:71:bf:15:7e:f3:31:4f:27:78:e9:29:a9:d7:90:c5:fe
subjkey: c4:dc:af:e7:46:69:a2:58:ce:20:d1:6a:c3:16:39:d2:47:96:37:dd
IKE协商的4个包
关于XFRM
xfrm框架是Linux内核中重要的子系统,是IPSec的基础设施,IPSec通过xfrm框架实现。xfrm源自USAGI项目,该项目旨在提供适用于生产环境的IPv6和IPSec协议栈。自内核2.5之后引入了xfrm框架。这个基础设施独立于协议簇,包含可同时应用于IPv4和IPv6的通用部分。
xfrm policy
和xfrm state
是XFRM
框架的基础数据结构。
xfrm policy
安全策略是一种规则,告诉IPSec一条特定的流量是否应该处理或者旁路,xfrm policy用来描述IPSec策略。
一个安全策略包含一个选择器,当选择器匹配一条流时会提供一种策略。xfrm选择器由一系列属性组成,比如源目IP地址、源目端口、协议等等,用这些属性来识别一条流。
安全策略(Security Policy)使用xfrm_policy结构表示,xfrm_policy用于描述Security Policy在内核内部的具体实现。
用户可以使用ip xfrm policy ls
列出当前主机上的xfrm_policy
root@hwCloud:~# ip xfrm policy ls
src 10.3.0.1/32 dst 192.168.10.0/24
dir out priority 371327 ptype main
tmpl src 192.168.20.253 dst 21.1.1.2
proto esp spi 0xc0d6e0b7 reqid 1 mode tunnel
src 192.168.10.0/24 dst 10.3.0.1/32
dir fwd priority 371327 ptype main
tmpl src 21.1.1.2 dst 192.168.20.253
proto esp reqid 1 mode tunnel
src 192.168.10.0/24 dst 10.3.0.1/32
dir in priority 371327 ptype main
tmpl src 21.1.1.2 dst 192.168.20.253
proto esp reqid 1 mode tunnel
或者使用ip -s xfrm policy
列出当前主机上的xfrm_policy
更详细的信息
root@hwCloud:~# ip -s xfrm policy
src 10.3.0.1/32 dst 192.168.10.0/24 uid 0
dir out action allow index 81 priority 371327 ptype main share any flag
(0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2023-07-19 01:16:42 use 2023-07-19 01:32:45
tmpl src 192.168.20.253 dst 21.1.1.2
proto esp spi 0xc0d6e0b7(3235307703) reqid 1(0x00000001) mode tu
nnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 192.168.10.0/24 dst 10.3.0.1/32 uid 0
dir fwd action allow index 74 priority 371327 ptype main share any flag
(0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2023-07-19 01:16:42 use -
tmpl src 21.1.1.2 dst 192.168.20.253
proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 192.168.10.0/24 dst 10.3.0.1/32 uid 0
dir in action allow index 64 priority 371327 ptype main share any flag
(0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2023-07-19 01:16:42 use 2023-07-19 01:32:45
tmpl src 21.1.1.2 dst 192.168.20.253
proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
xfrm state
xfrm state表示IPSec SA(IPSec安全关联)。它表示的是单向流量,包含加密密钥、标志、请求ID、统计信息、重放参数等信息。xfrm state状态结构用来描述SA(安全关联)在内核中的具体实现。
用户可以通过ip xfrm state ls
命令列出当前主机上的xfrm state
。
root@hwCloud:~# ip xfrm state ls
src 192.168.20.253 dst 21.1.1.2
proto esp spi 0xc0d6e0b7 reqid 1 mode tunnel
replay-window 0 flag af-unspec
aead rfc4106(gcm(aes)) 0x70114a9603298a7502243554dd4f97fb90b39131 128
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
anti-replay context: seq 0x0, oseq 0xbd, bitmap 0x00000000
src 21.1.1.2 dst 192.168.20.253
proto esp spi 0xc46c2c09 reqid 1 mode tunnel
replay-window 32 flag af-unspec
aead rfc4106(gcm(aes)) 0x6949652cbd2fd4c131f92a4ef3dbf0d1a2d40521 128
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
anti-replay context: seq 0x9f, oseq 0x0, bitmap 0xffffffff
或者使用ip -s xfrm state列出当前主机上xfrm_state更详细的信息(注意:输出中的 `aead` 行包含SA的原始密钥,属于敏感信息)
root@hwCloud:~# ip -s xfrm state
src 192.168.20.253 dst 21.1.1.2
proto esp spi 0xc0d6e0b7(3235307703) reqid 1(0x00000001) mode tunnel
replay-window 0 seq 0x00000000 flag af-unspec (0x00100000)
aead rfc4106(gcm(aes)) 0x70114a9603298a7502243554dd4f97fb90b39131 (160 bits) 128
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
anti-replay context: seq 0x0, oseq 0xbd, bitmap 0x00000000
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 3275(sec), hard 3960(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
16672(bytes), 189(packets)
add 2023-07-19 01:16:42 use 2023-07-19 01:28:02
stats:
replay-window 0 replay 0 failed 0
src 21.1.1.2 dst 192.168.20.253
proto esp spi 0xc46c2c09(3295423497) reqid 1(0x00000001) mode tunnel
replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
aead rfc4106(gcm(aes)) 0x6949652cbd2fd4c131f92a4ef3dbf0d1a2d40521 (160 bits) 128
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
anti-replay context: seq 0x9f, oseq 0x0, bitmap 0xffffffff
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 3458(sec), hard 3960(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
19008(bytes), 159(packets)
add 2023-07-19 01:16:42 use 2023-07-19 01:28:02
stats:
replay-window 0 replay 0 failed 0
xfrm monitor
针对xfrm对象的状态监控,可以选择要监控的xfrm对象。
root@hwCloud:~# ip xfrm monitor
Async event (0x10) replay update
src 21.1.1.2 dst 192.168.20.253 reqid 0x1 protocol esp SPI 0xcad623e1
Async event (0x10) replay update
src 192.168.20.253 dst 21.1.1.2 reqid 0x1 protocol esp SPI 0xc62f950a
Async event (0x20) timer expired
src 192.168.20.253 dst 21.1.1.2 reqid 0x1 protocol esp SPI 0xc62f950a
Async event (0x20) timer expired
src 21.1.1.2 dst 192.168.20.253 reqid 0x1 protocol esp SPI 0xcad623e1
Async event (0x20) timer expired
src 21.1.1.2 dst 192.168.20.253 reqid 0x1 protocol esp SPI 0xcad623e1
Async event (0x20) timer expired
src 192.168.20.253 dst 21.1.1.2 reqid 0x1 protocol esp SPI 0xc62f950a
Async event (0x20) timer expired
src 192.168.20.253 dst 21.1.1.2 reqid 0x1 protocol esp SPI 0xc62f950a
Async event (0x20) timer expired
src 21.1.1.2 dst 192.168.20.253 reqid 0x1 protocol esp SPI 0xcad623e1
Async event (0x20) timer expired
src 21.1.1.2 dst 192.168.20.253 reqid 0x1 protocol esp SPI 0xcad623e1
Async event (0x20) timer expired
src 192.168.20.253 dst 21.1.1.2 reqid 0x1 protocol esp SPI 0xc62f950a