SWAN之ikev2/acert-fallback测试

本测试中远程用户（roadwarrior）carol与网关moon建立连接。认证方式基于X.509证书，为了对远程用户进行授权，moon网关期望用户在IKEv2报文的CERT载荷中带有属性证书。carol主机具有组分别为sales和finance的两个证书，其中finance组的属性证书已经过期，已无效；所以，carol仅获得sales组的访问权限。

以下启动ikev2/acert-fallback测试用例，注意在启动之前需要执行start-testing脚本开启测试环境。

$ cd strongswan-5.8.1/testing
$
$ sudo ./do-tests ikev2/acert-fallbackGuest kernel : 5.2.11
strongSwan   : 5.8.1
Date         : 20191030-1120-27[ ok ]  1 ikev2/acert-fallback: pre..test..postPassed : 1
Failed : 0The results are available in /srv/strongswan-testing/testresults/20191030-1120-27
or via the link http://192.168.0.150/testresults/20191030-1120-27Finished : 220191030-1120-33

由以上显示可知测试用例ikev2/acert-fallback的测试结果记录文件保存在目录：/srv/strongswan-testing/testresults/20191030-1120-27/ikev2/acert-fallback/中，这些文件记录了测试过程中虚拟主机carol和网关moon的各种状态信息和运行日志。测试拓扑如下：

carol配置

连接配置文件：strongswan-5.8.1/testing/tests/ikev2/acert-fallback/hosts/carol/etc/ipsec.conf，内容如下。虚拟主机carol的IP地址为192.168.0.100，而moon网关的IP地址为192.168.0.1。

config setupconn %defaultikelifetime=60mkeylife=20mrekeymargin=3mkeyingtries=1conn homeleft=PH_IP_CAROLleftcert=carolCert.pemleftid=carol@strongswan.orgleftfirewall=yesright=PH_IP_MOONrightid=@moon.strongswan.orgrightsubnet=10.1.0.0/16keyexchange=ikev2auto=add

StrongSwan配置文件：strongswan-5.8.1/testing/tests/ikev2/acert-fallback/hosts/carol/etc/strongswan.conf，内容如下，指定需要加载的模块。

charon {load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
}

另外，在本次测试中，还为carol主机提供了两个属性证书：carol-finance-expired.pem和carol-sales.pem。以下为前者的信息，可见其groups字段为finance，但是有效期已经过期。

$ cd strongswan-5.8.1/testing/tests/ikev2/acert-fallback/hosts/carol/etc/ipsec.d/acerts/
$
$ pki --print --type ac --in carol-finance-expired.pem   subject:  "C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org"issuer:   "C=CH, O=strongSwan Project, CN=strongSwan Attribute Authority"validity:  not before Sep 14 08:37:52 2019, oknot after  Sep 15 08:37:52 2019, expired (45 days ago)serial:    65:cb:97:37:1d:53:3f:49hissuer:  "C=CH, O=strongSwan Project, CN=strongSwan Root CA"hserial:   01groups:    financeauthkey:  46:3b:e3:d4:fd:87:53:5e:5b:02:76:18:c9:b8:77:dd:c7:f9:b6:71

以下为属性证书carol-sales.pem的信息，其groups字段为sales，并且在有效期内。

$ pki --print --type ac --in carol-sales.pem subject:  "C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org"issuer:   "C=CH, O=strongSwan Project, CN=strongSwan Attribute Authority"validity:  not before Sep 15 08:37:52 2019, oknot after  Sep 14 08:37:52 2027, ok (expires in 2875 days)serial:    33:bd:8a:19:d5:43:94:d3hissuer:  "C=CH, O=strongSwan Project, CN=strongSwan Root CA"hserial:   01groups:    salesauthkey:  46:3b:e3:d4:fd:87:53:5e:5b:02:76:18:c9:b8:77:dd:c7:f9:b6:71

moon网关配置

配置文件：strongswan-5.8.1/testing/tests/ikev2/acert-fallback/hosts/moon/etc/ipsec.conf，内容如下。其中配置了两个连接：finance和sales，其中前者要求组为finance，可访问10.1.0.10/32网段，仅一个主机alice。后者，要求组为sales，可访问10.1.0.20/32网段，仅一个主机venus。

config setupconn %defaultikelifetime=60mkeylife=20mrekeymargin=3mkeyingtries=1conn financeleft=PH_IP_MOONleftcert=moonCert.pemleftid=@moon.strongswan.orgleftsubnet=10.1.0.10/32leftfirewall=yesright=%anyrightid=*@strongswan.orgrightgroups=financekeyexchange=ikev2auto=addconn salesleft=PH_IP_MOONleftcert=moonCert.pemleftid=@moon.strongswan.orgleftsubnet=10.1.0.20/32leftfirewall=yesright=%anyrightgroups=saleskeyexchange=ikev2auto=add

moon网关使用的证书如下：

$ ls strongswan-5.8.1/testing/tests/ikev2/acert-fallback/hosts/moon/etc/ -R   ipsec.d/aacerts/aaCert.pemipsec.d/private/aaKey.pem

以下为moon网关的证书，其颁发者为：strongSwan Root CA，而本身的CN为：strongSwan Attribute Authority。

$ pki --print --type x509 --in strongswan-5.8.1/testing/tests/ikev2/acert-fallback/hosts/moon/etc/ipsec.d/aacerts/aaCert.pem   subject:  "C=CH, O=strongSwan Project, CN=strongSwan Attribute Authority"issuer:   "C=CH, O=strongSwan Project, CN=strongSwan Root CA"validity:  not before Sep 14 08:37:52 2019, oknot after  Sep 14 08:37:52 2028, ok (expires in 3241 days)serial:    17flags:     CRL URIs:  http://crl.strongswan.org/strongswan.crlauthkeyId: 7e:a0:7b:77:a5:91:58:79:df:35:eb:4e:fc:0f:b6:b8:68:ae:a2:47subjkeyId: 46:3b:e3:d4:fd:87:53:5e:5b:02:76:18:c9:b8:77:dd:c7:f9:b6:71pubkey:    RSA 3072 bitskeyid:     b4:5c:07:1b:d6:cf:dc:68:7c:c9:2a:5d:ca:5d:47:ce:3f:27:9f:b1subjkey:   46:3b:e3:d4:fd:87:53:5e:5b:02:76:18:c9:b8:77:dd:c7:f9:b6:71

StrongSwan配置文件：strongswan-5.8.1/testing/tests/ikev2/acert-fallback/hosts/moon/etc/strongswan.conf，内容如下，指定要加载的模块。

charon {load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation acert hmac stroke kernel-netlink socket-default updown
}

准备阶段

配置文件：strongswan-5.8.1/testing/tests/ikev2/acert-fallback/pretest.dat，内容如下。在预测试pre-test阶段，备份moon网关以及carol主机的iptables规则配置。启动strongswan。使用脚本expect-connection在moon网关和carol主机上检测名称为：finance，sales和home的连接是否建立。在carol主机上启动home子连接。

通过之前的介绍已经在carol主机以及moon网关的配置文件（etc/ipsec.conf）中看到了home和finance，sales连接的配置信息。

moon::iptables-restore < /etc/iptables.rules
carol::iptables-restore < /etc/iptables.rules
moon::ipsec start
carol::ipsec start
moon::expect-connection finance
moon::expect-connection sales
carol::expect-connection home
carol::ipsec up home

测试阶段

配置文件：strongswan-5.8.1/testing/tests/ikev2/acert-fallback/evaltest.dat，内容如下。首先在carol主机检查到moon网关的连接状态，以及在moon网关上检测dave和carol的连接状态，前者应检查不到，后者carol的连接状态应为ESTABLISHED。其次，在moon网关上检测strongswan进程的日志信息，确认finance组验证失败。

carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
moon:: ipsec status 2> /dev/null::finance.*: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::NO
moon:: ipsec status 2> /dev/null::sales.*: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
moon::cat /var/log/daemon.log::constraint check failed: group membership to 'finance' required::YES

以下测试语句，在carol主机上ping主机alice和venus的IP地址，前者应没有响应；后者应能够收到回复。最后两行测试语句在moon网关检查tcpdump日志，确认ESP加密的ping报文。

carol::ping -c 1 -W 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::NO
carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES

收尾阶段

配置文件：strongswan-5.8.1/testing/tests/ikev2/acert-fallback/posttest.dat，内容如下。停止carol主机和moon网关上的strongswan进程。恢复moon网关和carol主机上的iptables规则配置。最后删除测试中使用到的证书相关文件。

moon::ipsec stop
carol::ipsec stop
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
carol::rm /etc/ipsec.d/acerts/carol-sales.pem
carol::rm /etc/ipsec.d/acerts/carol-finance-expired.pem
moon::rm /etc/ipsec.d/private/aaKey.pem
moon::rm /etc/ipsec.d/aacerts/aaCert.pem

测试结果文件默认都保存在目录：/srv/strongswan-testing/testresults/20191030-1120-27/ikev2/acert-fallback下，其中文件console.log 记录了整个的测试过程。文件carol.daemon.log和moon.daemon.log记录了charon-systemd主进程的日志。以下为moon主机的日志信息，可见carol的sales证书由于组与finance连接不匹配，转向使用sales连接：

 moon charon: 14[IKE] received attribute certificate issued by "C=CH, O=strongSwan Project, CN=strongSwan Attribute Authority"moon charon: 14[CFG] looking for peer configs matching 192.168.0.1[moon.strongswan.org]...192.168.0.100[carol@strongswan.org]moon charon: 14[CFG] selected peer config 'finance'moon charon: 14[CFG]   using certificate "C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org"moon charon: 14[CFG] verifying attribute certificate issued by "C=CH, O=strongSwan Project, CN=strongSwan Attribute Authority"moon charon: 14[CFG] constraint check failed: group membership to 'finance' requiredmoon charon: 14[CFG] selected peer config 'finance' unacceptable: non-matching authentication donemoon charon: 14[CFG] switching to peer config 'sales'

END