SWAN之ikev2协议crl-revoked配置测试

本测试主要验证远程用户carol和网关moon通过HTTP协议获取CRL证书，以及网关moon拒绝carol使用的已撤销证书的功能。保存CRL证书的HTTP服务器为：winnetou（IP地址：192.168.0.150）。本次测试拓扑如下：

carol主机配置

carol的配置文件：ikev2/crl-revoked/hosts/carol/etc/ipsec.conf，内容如下，注意其中setup段，strictcrlpolicy字段设置为yes，开启严格的crl检查。

config setupstrictcrlpolicy=yesconn %defaultikelifetime=60mkeylife=20mrekeymargin=3mkeyingtries=1conn homeleft=PH_IP_CAROLleftcert=carolCert.pemleftid=carol@strongswan.orgright=PH_IP_MOONrightsubnet=10.1.0.0/16rightid=@moon.strongswan.orgkeyexchange=ikev2auto=add

以下ipsec的秘钥文件，其中指定RSA私钥使用carolKey.pem文件，其默认目录为ikev2/crl-revoked/hosts/carol/etc/ipsec.d/private/。

$ cat ikev2/crl-revoked/hosts/carol/etc/ipsec.secrets
# /etc/ipsec.secrets - strongSwan IPsec secrets file: RSA carolKey.pem

以下carol主机的证书文件内容，注意其中的serial number的值8，在撤销证书是，通过指定序号实现。

$ openssl x509 -in ikev2/crl-revoked/hosts/carol/etc/ipsec.d/certs/carolCert.pem -text -noout
Certificate:Data:Version: 3 (0x2)Serial Number: 8 (0x8)Signature Algorithm: sha256WithRSAEncryptionIssuer: C = CH, O = strongSwan Project, CN = strongSwan Root CAValidityNot Before: Sep 14 08:37:52 2019 GMTNot After : Sep 14 08:37:52 2027 GMTSubject: C = CH, O = strongSwan Project, OU = Research, CN = carol@strongswan.orgSubject Public Key Info:Public Key Algorithm: rsaEncryptionRSA Public-Key: (3072 bit)Modulus:...Exponent: 65537 (0x10001)X509v3 extensions:X509v3 Authority Key Identifier: keyid:7E:A0:7B:77:A5:91:58:79:DF:35:EB:4E:FC:0F:B6:B8:68:AE:A2:47X509v3 Subject Alternative Name: email:carol@strongswan.orgX509v3 CRL Distribution Points: Full Name:URI:http://crl.strongswan.org/strongswan.crlSignature Algorithm: sha256WithRSAEncryption...

carol的strongswan配置文件：ikev2/crl-revoked/hosts/carol/etc/strongswan.conf，内容如下，可见这里增加了revocation插件。

charon {load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
}

网关moon的配置文件：ikev2/crl-revoked/hosts/moon/etc/ipsec.conf以及strongswan.conf配置文件，内容与以上carol主机的配置基本相同，不在列出。

测试准备阶段

配置文件：ikev2/crl-revoked/pretest.dat，内容为ipsec连接的启动语句。

moon::ipsec start
carol::ipsec start
moon::expect-connection rw
carol::expect-connection home
carol::ipsec up home

测试阶段

配置文件：ikev2/crl-revoked/evaltest.dat。以下测试语句检查moon网关和carol主机上rw和home连接的状态，本测试中无法建立。以及，在moon网关上strongswan进程的日志中确认证书被撤销的记录，在carol主机上确认strongswan进程日志中认证失败的记录。

moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED::NO
carol::ipsec status 2> /dev/null::home.*ESTABLISHED::NO
moon:: cat /var/log/daemon.log::certificate was revoked::YES
carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES

以下为在moon网关上strongswan进程的日志文件的部分信息，首先由http服务器获取CRL证书strongswan.crl，再者验证CRL证书的有效性；最后，发现连接对端的证书已经被撤销，返回认证失败（AUTH_FAILED）消息。

moon charon: 11[CFG]   fetching crl from 'http://crl.strongswan.org/strongswan.crl' ...
moon charon: 11[CFG]   using trusted certificate "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
moon charon: 11[CFG]   crl correctly signed by "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
moon charon: 11[CFG]   crl is valid: until Nov 15 03:32:58 2019
moon charon: 11[CFG] certificate was revoked on Sep 18 09:33:15 UTC 2019, reason: key compromise
moon charon: 11[IKE] no trusted RSA public key found for 'carol@strongswan.org'
moon charon: 11[IKE] peer supports MOBIKE
moon charon: 11[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]

以上已经介绍了carol主机的证书序号为8，以下可见在CRL证书中，Revoked Certificates显示序号为8的证书已被撤销，原因是：Key Compromise，以上moon网关的strongswan进程日志中也可看到证书撤销的原因。

$ openssl crl -inform der -in strongswan.crl -text -noout
Certificate Revocation List (CRL):Version 2 (0x1)Signature Algorithm: sha256WithRSAEncryptionIssuer: C = CH, O = strongSwan Project, CN = strongSwan Root CALast Update: Oct 31 03:32:58 2019 GMTNext Update: Nov 15 03:32:58 2019 GMTCRL extensions:X509v3 Authority Key Identifier: keyid:AD:B3:64:FB:EA:A3:4E:B9:F2:74:E7:CD:F2:B1:F3:59:E7:90:33:B0X509v3 CRL Number: 3
Revoked Certificates:Serial Number: 08Revocation Date: Sep 18 09:33:15 2019 GMTCRL entry extensions:X509v3 CRL Reason Code: Key Compromise

报文交互过程如下：

strongswan测试版本： 5.8.1

END