SWAN测试用例botan/net2net-ed25519

本文主要是介绍SWAN测试用例botan/net2net-ed25519，希望对大家解决编程问题提供一定的参考价值，需要的开发者们随着小编来一起学习吧！

本测试中网关sun与网关moon之间建立安全连接，连通两个子网，认证使用包含Ed25519密钥的X.509证书。网关moon使用botan插件（strongswan-5.8.1/src/libstrongswan/plugins/botan/botan_x25519.c）完成所有的加密操作；而网关sun使用strongswan默认的加密插件。连接成功建立之后，在moon网关之后的主机alice上ping网关sun之后的bob主机，以验证连通性。

Botan是一个使用C++实现的加密库，可用于支持TLS协议, X.509 certificates, 现代AEAD ciphers, PKCS#11 和 TPM硬件支持, 密码哈希（password hashing）, 和 post quantum加密体系。

Ed25519数字签名是一种采用椭圆曲线（elliptic-curve）算法的签名。私钥和公钥长度都为32字节，签名长度为64字节。

以下启动botan/net2net-ed25519测试用例，注意在启动之前需要执行start-testing脚本开启测试环境。

$ cd strongswan-5.8.1/testing
$
$ sudo ./do-tests botan/net2net-ed25519
Guest kernel : 5.2.11
strongSwan   : 5.8.1
Date         : 20191028-0933-47[ ok ]  1 botan/net2net-ed25519: pre..test..postPassed : 1
Failed : 0The results are available in /srv/strongswan-testing/testresults/20191028-0933-47
or via the link http://192.168.0.150/testresults/20191028-0933-47Finished : 20191028-0933-52

以下为测试用例af-alg/rw-cert的测试结果记录文件。

$ ls /srv/strongswan-testing/testresults/20191028-0933-47/botan/net2net-ed25519/
console.log      moon.ipsec.sql            moon.swanctl.conf   sun.daemon.log     sun.strongswan.conf      sun.swanctl.pools
index.html       moon.iptables             moon.swanctl.conns  sun.ip.policy      sun.swanctl.algs         sun.swanctl.sas
moon.auth.log    moon.iptables-save        moon.swanctl.pols   sun.ip.route       sun.swanctl.authorities  sun.swanctl.stats
moon.daemon.log  moon.strongswan.conf      moon.swanctl.pools  sun.ip.state       sun.swanctl.certs        sun.tcpdump.log
moon.ip.policy   moon.swanctl.algs         moon.swanctl.sas    sun.ipsec.sql      sun.swanctl.conf
moon.ip.route    moon.swanctl.authorities  moon.swanctl.stats  sun.iptables       sun.swanctl.conns
moon.ip.state    moon.swanctl.certs        sun.auth.log        sun.iptables-save  sun.swanctl.pols

以上测试结果文件记录了测试过程中虚拟网关sun以及网关moon的各种状态信息和运行日志。测试拓扑如下：

测试配置文件

配置文件：strongswan-5.8.1/testing/tests/botan/net2net-ed25519/test.conf，内容如下。VIRTHOSTS变量定义了本测试用来需要使用的的虚拟主机列表。DIAGRAM指定了测试报告中使用的测试拓扑图，如上所示。变量IPSECHOSTS定义了测试中参与IPSec隧道建立的虚拟主机名称。SWANCTL为1表明使用命令行工具swanctl与主进程charon通信，而不是ipsec命令。

VIRTHOSTS="alice moon winnetou sun bob"# Corresponding block diagram
#
DIAGRAM="a-m-w-s-b.png"# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="sun"# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon sun"# charon controlled by swanctl
#
SWANCTL=1

网关sun配置

连接配置文件：strongswan-5.8.1/testing/tests/botan/net2net-ed25519/hosts/sun/etc/swanctl/swanctl.conf，内容如下。虚拟网关sun的IP地址为192.168.0.2，而moon网关的IP地址为192.168.0.1。

另外，此连接（名称gw-gw）使用的proposals指定为aes128-sha256-x25519。子连接net-net使用的esp_proposals指定为aes128gcm128-x25519。version等于2表明使用IKEv2版本。

connections {gw-gw {local_addrs  = 192.168.0.2remote_addrs = 192.168.0.1 local {auth = pubkeycerts = sunCert.pemid = sun.strongswan.org}remote {auth = pubkeyid = moon.strongswan.org }children {net-net {local_ts  = 10.2.0.0/16 remote_ts = 10.1.0.0/16 updown = /usr/local/libexec/ipsec/_updown iptablesrekey_time = 5400rekey_bytes = 500000000rekey_packets = 1000000esp_proposals = aes128gcm128-x25519}}version = 2mobike = noreauth_time = 10800proposals = aes128-sha256-x25519}
}

StrongSwan配置文件：strongswan-5.8.1/testing/tests/botan/net2net-ed25519/hosts/sun/etc/strongswan.conf ，内容如下，指定需要加载的模块。注意这里的curve25519模块为与以下moon主机中加载的botan模块相对应的实现模块，curve25519为strongswan默认的实现Ed25519算法的模块。

# /etc/strongswan.conf - strongSwan configuration fileswanctl {load = pem pkcs1 pkcs8 curve25519 x509 revocation constraints pubkey openssl random
}charon-systemd {load = random nonce aes sha1 sha2 hmac pem pkcs1 pkcs8 x509 revocation curve25519 curl kernel-netlink socket-default updown vici
}

由于默认的证书文件使用RSA算法，在此次测试中不能使用，所以提供了如下的证书文件。

$ ls strongswan-5.8.1/testing/tests/botan/net2net-ed25519/hosts/sun/etc/swanctl/
hosts/sun/etc/swanctl/x509/sunCert.pem
hosts/sun/etc/swanctl/x509ca/strongswanCert.pem 
hosts/sun/etc/swanctl/pkcs8/sunKey.pem 

如下为证书sunCert.pem的部分内容，其签名和公钥算法为ED25519。

strongswan-5.8.1/testing/tests/botan/net2net-ed25519$ openssl x509 -in hosts/sun/etc/swanctl/x509/sunCert.pem -noout -text
Certificate:Data:Version: 3 (0x2)Serial Number: 1 (0x1)Signature Algorithm: ED25519Issuer: C = CH, O = strongSwan Project, CN = strongSwan Ed25519 Root CAValidityNot Before: Sep 14 08:37:52 2019 GMTNot After : Sep 14 08:37:52 2027 GMTSubject: C = CH, O = strongSwan Project, OU = Ed25519, CN = sun.strongswan.orgSubject Public Key Info:Public Key Algorithm: ED25519ED25519 Public-Key:pub:cb:25:fa:30:e0:4d:d5:cb:16:d0:cb:2d:0c:1d:37:31:44:79:73:02:35:3f:48:1a:c1:75:c7:dd:13:bf:3e:4b

其它配置文件（位于全局测试目录下）,这些文件在测试准备阶段将拷贝到测试虚拟主机上，参见文件：strongswan-5.8.1/testing/scripts/load-testconfig。配置文件分成4个目录，其中etc目录下的文件主要是主机名文件hostname、以及ipsec和strongswan的配置文件。另外三个目录为ipsec.d，network和swanctl，其中ipsec.d和swanctl分别保存各自的证书文件，本测试用例中使用swanctl工具，参见文件：tests/botan/net2net-ed25519/test.conf中的变量SWANCTL。

$ ls -R strongswan-5.8.1/testing/hosts/sun/hosts/sun/etc/hostname
hosts/sun/etc/ipsec.conf
hosts/sun/etc/ipsec.secrets
hosts/sun/etc/strongswan.conf
hosts/sun/etc/ipsec.d/ipsec.sql
hosts/sun/etc/ipsec.d/cacerts/strongswanCert.pem
hosts/sun/etc/ipsec.d/certs/sunCert.pem
hosts/sun/etc/ipsec.d/private/sunKey.pem
hosts/sun/etc/network/interfaces
hosts/sun/etc/swanctl/rsa/sunKey.pem
hosts/sun/etc/swanctl/x509/sunCert.pem
hosts/sun/etc/swanctl/x509ca/strongswanCert.pem

network子目录下的文件interfaces，用于设置sun网关的网络接口eth0和eth1的IP地址信息。

auto lo
iface lo inet loopbackauto eth0
iface eth0 inet staticaddress 192.168.0.2netmask 255.255.255.0broadcast 192.168.0.255gateway 192.168.0.254
iface eth0 inet6 staticaddress fec0::2netmask 16auto eth1
iface eth1 inet staticaddress 10.2.0.1netmask 255.255.0.0broadcast 10.2.255.255
iface eth1 inet6 staticaddress fec2::1netmask 16

moon网关配置

配置文件：strongswan-5.8.1/testing/tests/botan/net2net-ed25519/hosts/moon/etc/swanctl/swanctl.conf，内容如下。连接gw-gw的proposals使用aes128-sha256-x25519，子连net-net的proposals使用aes128gcm128-x25519。IKE使用IKEv2版。

作为网关，其事先并不知晓连接对端的IP地址信息，此处只有local_addrs的配置。

connections {gw-gw {local_addrs  = 192.168.0.1remote_addrs = 192.168.0.2 local {auth = pubkeycerts = moonCert.pemid = moon.strongswan.org}remote {auth = pubkeyid = sun.strongswan.org }children {net-net {local_ts  = 10.1.0.0/16 remote_ts = 10.2.0.0/16 updown = /usr/local/libexec/ipsec/_updown iptablesrekey_time = 5400rekey_bytes = 500000000rekey_packets = 1000000esp_proposals = aes128gcm128-x25519}}version = 2mobike = noreauth_time = 10800proposals = aes128-sha256-x25519}
}

StrongSwan配置文件：strongswan-5.8.1/testing/tests/botan/net2net-ed25519/hosts/moon/etc/strongswan.conf，内容如下，指定要加载的模块。这里指定加载botan模块，其正是我们要测试的模块。

# /etc/strongswan.conf - strongSwan configuration fileswanctl {load = random pem x509 revocation constraints pubkey botan
}charon-systemd {load = random nonce pem x509 botan revocation curl kernel-netlink socket-default updown vici
}

由于默认的证书文件使用RSA算法，在此次测试中不能使用，所以提供了如下的证书文件。

$ ls strongswan-5.8.1/testing/tests/botan/net2net-ed25519/hosts/moon/etc/swanctl/
hosts/moon/etc/swanctl/x509/moonCert.pem
hosts/moon/etc/swanctl/x509ca/strongswanCert.pem 
hosts/moon/etc/swanctl/pkcs8/moonKey.pem 

如下为证书moonCert.pem的部分内容，其签名和公钥算法为ED25519。

strongswan-5.8.1/testing/tests/botan/net2net-ed25519$ openssl x509 -in hosts/moon/etc/swanctl/x509/moonCert.pem -noout -text   
Certificate:Data:Version: 3 (0x2)Serial Number: 2 (0x2)Signature Algorithm: ED25519Issuer: C = CH, O = strongSwan Project, CN = strongSwan Ed25519 Root CAValidityNot Before: Sep 14 08:37:52 2019 GMTNot After : Sep 14 08:37:52 2027 GMTSubject: C = CH, O = strongSwan Project, OU = Ed25519, CN = moon.strongswan.orgSubject Public Key Info:Public Key Algorithm: ED25519ED25519 Public-Key:pub:0e:39:2b:ea:30:66:61:16:9e:7c:0a:52:25:c5:3d:9f:f2:4c:1d:0a:b9:18:4e:65:08:cf:d8:ca:e4:e0:c6:34

其它配置文件（位于全局测试目录下）,这些文件在测试准备阶段将拷贝到测试虚拟主机上，参见文件：strongswan-5.8.1/testing/scripts/load-testconfig。配置文件分成4个目录，其中etc目录下的文件主要是主机名文件hostname、以及ipsec和strongswan的配置文件，还有rc.local文件。另外三个目录为ipsec.d，network和swanctl，其中ipsec.d和swanctl分别保存各自的证书文件，本测试用例中使用swanctl工具，参见文件：tests/botan/net2net-ed25519/test.conf，中的变量SWANCTL。

$ ls -R strongswan-5.8.1/testing/hosts/moon/ hosts/moon/etc/hostname
hosts/moon/etc/ipsec.conf
hosts/moon/etc/ipsec.secrets
hosts/moon/etc/rc.local
hosts/moon/etc/strongswan.conf
hosts/moon/etc/ipsec.d/ipsec.sql
hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
hosts/moon/etc/ipsec.d/certs/moonCert.pem
hosts/moon/etc/ipsec.d/private/moonKey.pem
hosts/moon/etc/network/interfaces
hosts/moon/etc/swanctl/rsa/moonKey.pem
hosts/moon/etc/swanctl/x509/moonCert.pem
hosts/moon/etc/swanctl/x509ca/strongswanCert.pem

network子目录下的文件interfaces，用于设置moon主机的两个网络接口eth0和eth1的IP地址信息。

 auto loiface lo inet loopbackauto eth0iface eth0 inet staticaddress 192.168.0.1netmask 255.255.255.0broadcast 192.168.0.255gateway 192.168.0.254iface eth0 inet6 staticaddress fec0::1netmask 16auto eth1iface eth1 inet staticaddress 10.1.0.1netmask 255.255.0.0broadcast 10.1.255.255iface eth1 inet6 staticaddress fec1::1netmask 16

准备阶段

配置文件：strongswan-5.8.1/testing/tests/botan/net2net-ed25519/pretest.dat，内容如下。在预测试pre-test阶段，首先删除RSA算法的密钥文件，接着备份moon和sun主机的iptables配置。启动strongswan。使用脚本expect-connection检测名称为gw-gw的连接是否建立，超过5秒钟检测不到，打印失败信息。swanctl在moon网关上初始化一个名称为net-net的子连接。

通过之前的介绍已经在sun和moon网关的各自配置文件（/etc/swanctl/swanctl.conf）中看到了gw-gw和net-net连接的配置信息。

moon::rm /etc/swanctl/rsa/moonKey.pem
sun::rm /etc/swanctl/rsa/sunKey.pem
moon::iptables-restore < /etc/iptables.rules
sun::iptables-restore < /etc/iptables.rules
moon::systemctl start strongswan
sun::systemctl start strongswan
moon::expect-connection gw-gw
sun::expect-connection gw-gw
moon::swanctl --initiate --child net-net 2> /dev/null

测试阶段

配置文件：strongswan-5.8.1/testing/tests/botan/net2net-ed25519/evaltest.dat，内容如下。在第一行中，检查moon主机上进程charon-systemd的日志信息，验证认证方式是否是通过ED25519证书方式。第二行在主机sun上做同样的验证。

moon::cat /var/log/daemon.log::authentication of.*sun.strongswan.org.*with ED25519 successful::YES
sun:: cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ED25519 successful::YES
moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES

其中PH_IP_ALICE为alice主机的IP地址。第二行测试语句，与第一行类似，此处登录到dave主机执行ping主机alice的操作。

第三行测试语句登录到moon网关中，使用命令swanctl --list-sas --raw显示安全关联SA的信息，在其中匹配随后的模式pattern字段，由本次测试主要关注验证的dh-group：CURVE_25519字段。可见与以上hosts/carol/etc/swanctl/swanctl.conf中的配置相符。以下为swanctl的输出信息。

 gw-gw: #1, ESTABLISHED, IKEv2, 4edd2779e2017942_i* 691223a25606f2cb_rlocal  'moon.strongswan.org' @ 192.168.0.1[500]remote 'sun.strongswan.org' @ 192.168.0.2[500]AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/CURVE_25519established 1s ago, reauth in 9667snet-net: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-128installed 1s ago, rekeying in 5269s, expires in 5939sin  ce700502,     84 bytes,     1 packets,     0s agoout c8cf5f61,     84 bytes,     1 packets,     0s agolocal  10.1.0.0/16remote 10.2.0.0/16

第四行测试语句与第三行类似，此处登录的sun网关上执行swanctl --list-sas --raw命令检查输出结果，进行匹配操作。以下为sun虚拟网关上执行swanctl命令的输出：

 gw-gw: #1, ESTABLISHED, IKEv2, 4edd2779e2017942_i 691223a25606f2cb_r*local  'sun.strongswan.org' @ 192.168.0.2[500]remote 'moon.strongswan.org' @ 192.168.0.1[500]AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/CURVE_25519established 1s ago, reauth in 10747snet-net: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_GCM_16-128installed 1s ago, rekeying in 4878s, expires in 5939sin  c8cf5f61,     84 bytes,     1 packets,     0s agoout ce700502,     84 bytes,     1 packets,     0s agolocal  10.2.0.0/16remote 10.1.0.0/16

第五行测试语句为登录到虚拟主机alice上，执行ping虚拟主机bob的命令。最后两行都在sun网关上执行，这里的tcpdump命令并不执行，而是检查在以上的测试过程中后台tcpdump名称输出到文件/tmp/tcpdump.log中的日志信息，确认sun与moon之间的ESP加密的ping报文是否正常。

 10 09:33:52.901115 IP sun.strongswan.org.isakmp > moon.strongswan.org.isakmp: isakmp: child_sa  ikev2_auth[R]11 09:33:53.079854 IP moon.strongswan.org > sun.strongswan.org: ESP(spi=0xc8cf5f61,seq=0x1), length 12012 09:33:53.079943 IP alice.strongswan.org > bob.strongswan.org: ICMP echo request, id 4863, seq 1, length 6413 09:33:53.081702 IP sun.strongswan.org > moon.strongswan.org: ESP(spi=0xce700502,seq=0x1), length 120

以下为sun网关上的日志文件/var/log/daemon.log的部分内容，可见其中要确认的测试认证字符ED25519。

Oct 28 09:33:52 sun charon-systemd: 12[IKE] authentication of 'moon.strongswan.org' with ED25519 successful
Oct 28 09:33:52 sun charon-systemd: 12[IKE] authentication of 'sun.strongswan.org' (myself) with ED25519 successful
Oct 28 09:33:52 sun charon-systemd: 12[IKE] IKE_SA gw-gw[1] established between 192.168.0.2[sun.strongswan.org]...192.168.0.1[moon.strongswan.org]
Oct 28 09:33:52 sun charon-systemd: 12[IKE] scheduling reauthentication in 10748s
Oct 28 09:33:52 sun charon-systemd: 12[IKE] maximum IKE_SA lifetime 11828s

防火墙规则

以下为测试过程中，在虚拟网关sun的filter表中加入的规则（省略了OUTPUT hook点），规则的配置由swanctl.conf文件中指定的updown脚本完成（/usr/local/libexec/ipsec/_updown iptables）。在hook点INPUT上，允许UDP源和目的端口同时为500或者4500的报文，前者为IKE协议端口，后者为NAT-T使用的端口号，另外允许ESP和AH协议的报文通过，由于此测试使用ESP协议，以下AH规则的计数为空。在INPUT点上，源IP为10.1.0.0/16，目的IP为192.168.0.100的报文匹配入方向的IPSEC策略，reqid为1，协议号为50（ESP）。

在hook点FORWARD上IP地址为10.1.0.0/16与IP为10.2.0.0/16之间的报文分别匹配两个方向的IPSEC策略，reqid为1，协议号为50（ESP）。

Chain INPUT (policy DROP 0 packets, 0 bytes)pkts bytes target     prot opt in     out     source               destination         1   140 ACCEPT     esp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           0     0 ACCEPT     ah   --  eth0   *       0.0.0.0/0            0.0.0.0/0           2  1176 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp spt:500 dpt:5000     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp spt:4500 dpt:4500128 14864 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:221    40 ACCEPT     tcp  --  eth0   *       192.168.0.150        0.0.0.0/0            tcp spt:80Chain FORWARD (policy DROP 0 packets, 0 bytes)pkts bytes target     prot opt in     out     source               destination         1    84 ACCEPT     all  --  eth0   *       10.1.0.0/16          10.2.0.0/16          policy match dir in pol ipsec reqid 1 proto 501    84 ACCEPT     all  --  *      eth0    10.2.0.0/16          10.1.0.0/16          policy match dir out pol ipsec reqid 1 proto 50

收尾阶段

配置文件：strongswan-5.8.1/testing/tests/botan/net2net-ed25519/posttest.dat，内容如下。其中第一行断开moon网关上名称为gw-gw的连接。第二、三行终止moon和sun网关上的StrongSwan进程。第四、五三行恢复moon和sun网关上的iptables规则。最后两行删除ED25519证书的PKCS8格式的私钥。

moon::swanctl --terminate --ike gw-gw 2> /dev/null
moon::systemctl stop strongswan
sun::systemctl stop strongswan
moon::iptables-restore < /etc/iptables.flush
sun::iptables-restore < /etc/iptables.flush
moon::rm /etc/swanctl/pkcs8/*
sun::rm /etc/swanctl/pkcs8/*

测试结果文件默认都保存在目录：/srv/strongswan-testing/testresults/20191028-0933-47/botan/net2net-ed25519/下，其中文件console.log 记录了整个的测试过程。文件sun.daemon.log和moon.daemon.log文件记录了各自主机上charon-systemd主进程的日志。完整的测试结果文件列表见本文开始部分。下图为IKEv2报文的交互报文。

附件为tcpdump抓取到的报文。

ike-botan-ed25519.pcap

END

这篇关于SWAN测试用例botan/net2net-ed25519的文章就介绍到这儿，希望我们推荐的文章对编程师们有所帮助！

---