SWAN: IKEv2 protocol any-interface configuration test

mac2024-10-05  22

This test mainly verifies that the IKEv2 daemon can automatically select the local address of an IPsec security association: it looks up the kernel routing table for the route to the remote IPsec peer's IP address and derives the local source IP address from it. Hosts moon and bob act as initiators with auto=route; hosts alice and sun act as responders with auto=add. Pinging alice and sun from moon, and likewise pinging sun from bob, lets data traffic trigger connection establishment. The test topology is as follows:

moon host configuration

Connection configuration file: ikev2/any-interface/hosts/moon/etc/ipsec.conf, shown below. The %default connection sets the mode to transport; note left=%any, which does not pin the local interface IP address. The following alice and sun connections both set the auto field to route, which is exactly the feature under test here.

    config setup

    conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
        mobike=no
        type=transport
        compress=yes
        dpdaction=hold
        dpddelay=10
        left=%any
        leftcert=moonCert.pem

    conn alice
        right=PH_IP_ALICE
        rightid="C=CH, O=strongSwan Project, OU=Sales, CN=alice@strongswan.org"
        auto=route

    conn sun
        right=PH_IP_SUN
        rightid="C=CH, O=strongSwan Project, CN=sun.strongswan.org"
        auto=route

bob host configuration

Connection configuration file: ikev2/any-interface/hosts/bob/etc/ipsec.conf. Its content is essentially the same as moon's above, except that the connection to alice is omitted and only the connection to sun (its eth1 interface) remains, likewise named sun.

    config setup

    conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
        mobike=no
        type=transport
        compress=yes
        dpdaction=hold
        dpddelay=10
        left=%any
        leftcert=bobCert.pem

    conn sun
        right=PH_IP_SUN1
        rightid="C=CH, O=strongSwan Project, CN=sun.strongswan.org"
        auto=route

alice host configuration

Connection configuration file: ikev2/any-interface/hosts/alice/etc/ipsec.conf, shown below. In the connection named remote, both the left and right fields are set to %any: the host selects its own communication address automatically, and the peer's IP address is not restricted. The auto field is set to add. sun's configuration is essentially the same as alice's.

    config setup

    conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
        mobike=no
        type=transport
        compress=yes
        dpdaction=clear
        dpddelay=10
        left=%any
        leftcert=aliceCert.pem

    conn remote
        right=%any
        auto=add

Test preparation stage

Configuration file: ikev2/any-interface/pretest.dat, shown below. In the pre-test stage the four participating hosts are started; on the responders alice and sun, wait for the remote connection to be established, and on the initiator moon confirm that the connection named alice is established. After that, ping alice and sun from moon.

Finally, on bob confirm that the connection named sun is established, and ping sun's eth1 interface address from bob.

    winnetou::ip route add 10.1.0.0/16 via PH_IP_MOON
    winnetou::ip route add 10.2.0.0/16 via PH_IP_SUN
    alice::ipsec start
    moon::ipsec start
    sun::ipsec start
    bob::ipsec start
    alice::expect-connection remote
    sun::expect-connection remote
    moon::expect-connection alice
    moon::ping -n -c 3 -W 1 -i 0.2 -s 8184 -p deadbeef PH_IP_ALICE
    moon::ping -n -c 3 -W 1 -i 0.2 -s 8184 -p deadbeef PH_IP_SUN
    bob::expect-connection sun
    bob::ping -n -c 3 -W 1 -i 0.2 -s 8184 -p deadbeef PH_IP_SUN1

Test stage

Configuration file: ikev2/any-interface/evaltest.dat. First, check the acquire job log entries on the initiators moon and bob. After the pings are started on moon and bob, moon pings alice's IP address 10.1.0.10 and bob pings sun's eth1 interface address 10.2.0.1. In both cases the destination IP address matches an IPsec policy in the kernel, but no SA exists yet, so the kernel sends an acquire message to user space; the acquire message carries the selected local egress IP address up to the application. The log checks for the acquire messages received by moon and bob are:

    moon:: cat /var/log/daemon.log::creating acquire job::YES
    bob:: cat /var/log/daemon.log::creating acquire job::YES

Below is the output of ipsec statusall. Note the Routed Connections section: the connection to sun selected local address 192.168.0.1 with reqid 2, while the connection to alice selected local address 10.1.0.1 with request ID (reqid) 1.

    Connections:
           alice:  %any...10.1.0.10  IKEv2, dpddelay=10s
           alice:   local:  [C=CH, O=strongSwan Project, CN=moon.strongswan.org] uses public key authentication
           alice:    cert:  "C=CH, O=strongSwan Project, CN=moon.strongswan.org"
           alice:   remote: [C=CH, O=strongSwan Project, OU=Sales, CN=alice@strongswan.org] uses public key authentication
           alice:   child:  dynamic === dynamic TRANSPORT, dpdaction=hold
             sun:  %any...192.168.0.2  IKEv2, dpddelay=10s
             sun:   local:  [C=CH, O=strongSwan Project, CN=moon.strongswan.org] uses public key authentication
             sun:    cert:  "C=CH, O=strongSwan Project, CN=moon.strongswan.org"
             sun:   remote: [C=CH, O=strongSwan Project, CN=sun.strongswan.org] uses public key authentication
             sun:   child:  dynamic === dynamic TRANSPORT, dpdaction=hold
    Routed Connections:
          sun{2}:  ROUTED, TRANSPORT, reqid 2
          sun{2}:   192.168.0.1/32 === 192.168.0.2/32
        alice{1}:  ROUTED, TRANSPORT, reqid 1
        alice{1}:   10.1.0.1/32 === 10.1.0.10/32

Compare this with the strongSwan daemon log on moon below: after the acquire message is received, an IKE connection request is initiated. The reqid values match those above exactly.

    moon charon: 07[CFG] received stroke: route 'alice'
    moon charon: 11[CFG] received stroke: route 'sun'
    ...
    moon charon: 15[KNL] creating acquire job for policy 10.1.0.1/32[udp/56614] === 10.1.0.10/32[udp/1025] with reqid {1}
    moon charon: 16[IKE] initiating IKE_SA alice[1] to 10.1.0.10
    ...
    moon charon: 05[KNL] creating acquire job for policy 192.168.0.1/32[udp/46507] === 192.168.0.2/32[udp/1025] with reqid {2}
    moon charon: 05[IKE] initiating IKE_SA sun[2] to 192.168.0.2
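To make the reqid comparison above mechanical, here is an added example (my own code, not from the page or the strongSwan project) that reproduces the route-based local-address selection with a longest-prefix lookup and correlates the acquire and IKE_SA log lines by reqid; moon's routing table is an assumption, constructed to mirror the test topology.

```python
import ipaddress
import re
# Constructed routing table for host moon (an assumption: the page does not
# list moon's routes). Entries are (prefix, source address), as "ip route"
# shows them with "src X".
MOON_ROUTES = [("10.1.0.0/16", "10.1.0.1"), ("192.168.0.0/24", "192.168.0.1")]

# Log lines constructed from the charon excerpt above.
MOON_LOG = [
    "moon charon: 15[KNL] creating acquire job for policy 10.1.0.1/32[udp/56614]"
    " === 10.1.0.10/32[udp/1025] with reqid {1}",
    "moon charon: 16[IKE] initiating IKE_SA alice[1] to 10.1.0.10",
    "moon charon: 05[KNL] creating acquire job for policy 192.168.0.1/32[udp/46507]"
    " === 192.168.0.2/32[udp/1025] with reqid {2}",
    "moon charon: 05[IKE] initiating IKE_SA sun[2] to 192.168.0.2",
]

def select_local_addr(routes, peer):
    """Longest-prefix match: the kernel's source address towards peer (left=%any)."""
    dst, best = ipaddress.ip_address(peer), None
    for prefix, src in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, src)
    return best[1] if best else None

ACQUIRE = re.compile(r"acquire job for policy ([\d.]+)/32\[[^\]]*\] === "
                     r"([\d.]+)/32\[[^\]]*\] with reqid \{(\d+)\}")
INITIATE = re.compile(r"initiating IKE_SA (\w+)\[(\d+)\] to ([\d.]+)")

def correlate(log_lines):
    """Pair each acquire with the IKE_SA initiation that carries the same reqid.
    Returns {reqid: (conn_name, local, remote)}."""
    acquires, result = {}, {}
    for line in log_lines:
        if m := ACQUIRE.search(line):
            acquires[int(m.group(3))] = (m.group(1), m.group(2))
        elif m := INITIATE.search(line):
            name, reqid, peer = m.group(1), int(m.group(2)), m.group(3)
            local, remote = acquires[reqid]  # KeyError: initiation with no acquire
            if remote != peer:
                raise ValueError(f"reqid {reqid}: peer {peer} != policy {remote}")
            result[reqid] = (name, local, remote)
    return result

def verify_local_selection(routes, correlated):
    """True when every acquire's local address is the route-derived address."""
    return all(local == select_local_addr(routes, remote)
               for _, local, remote in correlated.values())
```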

strongSwan version under test: 5.8.1

END
