SWAN测试用例af-alg/rw-cert

本测试中远程用户（roadwarrior） carol与网关moon使用内核的加密套接口af_alg（代码位于内核文件crypto/af_alg.c）进行所有的对称加密和哈希计算，另外远程用户dave使用strongswan默认的加密插件：aes、des、sha1、sha2、md5或gmp进行相应操作。

远程用户carol和dave分别建立到网关moon的连接，认证使用X.509证书方式。连接成功建立之后，carol和dave分别ping网关moon之后的虚拟主机alice，以验证连通性。

以下启动af-alg/rw-cert测试用例，注意在启动之前需要执行start-testing脚本开启测试环境。

$ cd strongswan-5.8.1/testing
$
$ sudo ./do-tests af-alg/rw-cert
Guest kernel : 5.2.11
strongSwan   : 5.8.1
Date         : 20191028-0639-21[ ok ]  1 af-alg/rw-cert: pre..test..postPassed : 1
Failed : 0The results are available in /srv/strongswan-testing/testresults/20191028-0639-21
or via the link http://192.168.0.150/testresults/20191028-0639-21Finished : 20191028-0639-33

以下为测试用例af-alg/rw-cert的测试结果记录文件。

$ ls /srv/strongswan-testing/testresults/20191028-0639-21/af-alg/rw-cert/
carol.auth.log             carol.swanctl.conf   dave.ipsec.sql            dave.swanctl.stats    moon.swanctl.authorities
carol.daemon.log           carol.swanctl.conns  dave.iptables             index.html            moon.swanctl.certs
carol.ip.policy            carol.swanctl.pols   dave.iptables-save        moon.auth.log         moon.swanctl.conf
carol.ip.route             carol.swanctl.pools  dave.strongswan.conf      moon.daemon.log       moon.swanctl.conns
carol.ip.state             carol.swanctl.sas    dave.swanctl.algs         moon.ip.policy        moon.swanctl.pols
carol.ipsec.sql            carol.swanctl.stats  dave.swanctl.authorities  moon.ip.route         moon.swanctl.pools
carol.iptables             console.log          dave.swanctl.certs        moon.ip.state         moon.swanctl.sas
carol.iptables-save        dave.auth.log        dave.swanctl.conf         moon.ipsec.sql        moon.swanctl.stats
carol.strongswan.conf      dave.daemon.log      dave.swanctl.conns        moon.iptables         moon.tcpdump.log
carol.swanctl.algs         dave.ip.policy       dave.swanctl.pols         moon.iptables-save
carol.swanctl.authorities  dave.ip.route        dave.swanctl.pools        moon.strongswan.conf
carol.swanctl.certs        dave.ip.state        dave.swanctl.sas          moon.swanctl.algs

以上测试结果文件记录了测试过程中虚拟主机carol和dave，以及网关moon的各种状态信息和运行日志。测试拓扑如下：

测试配置文件

配置文件：strongswan-5.8.1/testing/tests/af-alg/rw-cert/test.conf，内容如下。VIRTHOSTS变量定义了本测试用来需要使用的的虚拟主机列表。DIAGRAM指定了测试报告中使用的测试拓扑图，如上所示。变量IPSECHOSTS定义了测试中参与IPSec隧道建立的虚拟主机名称。SWANCTL为1表明使用命令行工具swanctl与主进程charon通信，而不是ipsec命令。

VIRTHOSTS="alice moon carol winnetou dave"# Corresponding block diagram
#
DIAGRAM="a-m-c-w-d.png"# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"# charon controlled by swanctl
#
SWANCTL=1

carol配置

连接配置文件：strongswan-5.8.1/testing/tests/af-alg/rw-cert/hosts/carol/etc/swanctl/swanctl.conf，内容如下。虚拟主机carol的IP地址为192.168.0.100，而moon网关的IP地址为192.168.0.1。

另外，此连接（名称home）定义了本次测试使用的两个proposals。分别为IPSec使用的esp_proposals，其值为3des-sha1-modp1536。以及IKE的proposal，值为3des-sha1-modp1536（三部分分别为加密算法，验证算法和Diffie-Hellman组）。version等于2表明使用IKEv2版本。

 connections {home {local_addrs  = 192.168.0.100remote_addrs = 192.168.0.1local {auth = pubkeycerts = carolCert.pemid = carol@strongswan.org}remote {auth = pubkeyid = moon.strongswan.org}children {home {remote_ts = 10.1.0.0/16updown = /usr/local/libexec/ipsec/_updown iptablesesp_proposals = 3des-sha1-modp1536}}version = 2proposals = 3des-sha1-modp1536}}

StrongSwan配置文件：strongswan-5.8.1/testing/tests/af-alg/rw-cert/hosts/carol/etc/strongswan.conf，内容如下，指定需要加载的模块。注意这里的af-alg模块为本测试中测试模块。

 swanctl {load = pem pkcs1 x509 revocation constraints pubkey openssl random}charon-systemd {load = random nonce test-vectors pem pkcs1 af-alg gmp x509 revocation curl ctr ccm gcm kernel-netlink socket-default updown viciintegrity_test = yescrypto_test {on_add = yes}}

其它配置文件（位于全局测试目录下）,这些文件在测试准备阶段将拷贝到测试虚拟主机上，参见文件：strongswan-5.8.1/testing/scripts/load-testconfig。配置文件分成4个目录，其中etc目录下的文件主要是主机名文件hostname、以及ipsec和strongswan的配置文件。另外三个目录为ipsec.d，network和swanctl，其中ipsec.d和swanctl分别保存各自的证书文件，本测试用例中使用swanctl工具，参见文件：tests/af-alg/rw-cert/test.conf中的变量SWANCTL。

$ ls -R strongswan-5.8.1/testing/hosts/carol/ hosts/carol/etc/hostname
hosts/carol/etc/ipsec.conf
hosts/carol/etc/ipsec.secrets
hosts/carol/etc/strongswan.conf
hosts/carol/etc/ipsec.d/ipsec.sql
hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
hosts/carol/etc/ipsec.d/certs/carolCert.pem
hosts/carol/etc/ipsec.d/private/carolKey.pem
hosts/carol/etc/network/interfaces
hosts/carol/etc/swanctl/rsa/carolKey.pem
hosts/carol/etc/swanctl/x509/carolCert.pem
hosts/carol/etc/swanctl/x509ca/strongswanCert.pem

network子目录下的文件interfaces，用于设置alice主机的网络接口eth0的IP地址信息。

 auto loiface lo inet loopbackauto eth0iface eth0 inet staticaddress 192.168.0.100netmask 255.255.255.0broadcast 192.168.0.255gateway 192.168.0.254iface eth0 inet6 staticaddress fec0::10netmask 16

dave主机配置

连接配置文件：strongswan-5.8.1/testing/tests/af-alg/rw-cert/hosts/dave/etc/swanctl/swanctl.conf，内容如下。虚拟主机dave的IP地址为192.168.0.200，而moon网关的IP地址为192.168.0.1。

另外，此连接（名称home）定义了本次测试使用的两个proposals。分别为IPSec使用的esp_proposals，其值为aes128-sha256-modp3072。以及IKE的proposal，值为aes128-sha256-modp3072（三部分分别为加密算法，验证算法和Diffie-Hellman组）。version等于2表明使用IKEv2版本。

connections {home {local_addrs  = 192.168.0.200remote_addrs = 192.168.0.1 local {auth = pubkeycerts = daveCert.pemid = dave@strongswan.org}remote {auth = pubkeyid = moon.strongswan.org }children {home {remote_ts = 10.1.0.0/16 updown = /usr/local/libexec/ipsec/_updown iptablesesp_proposals = aes128-sha256-modp3072}}version = 2proposals = aes128-sha256-modp3072}
}

StrongSwan配置文件：strongswan-5.8.1/testing/tests/af-alg/rw-cert/hosts/dave/etc/strongswan.conf，内容如下，指定需要加载的模块。注意与carol主机不同，这里没有加载af-alg模块，而是使用strongswan插件aes des sha1 sha2 md5。


swanctl {load = pem pkcs1 x509 revocation constraints pubkey openssl random
}charon-systemd {load = random nonce test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp x509 revocation curl hmac xcbc ctr ccm gcm kernel-netlink socket-default updown viciintegrity_test = yescrypto_test {on_add = yes}
}

$ ls -R strongswan-5.8.1/testing/hosts/dave/ hosts/dave/etc/hostname
hosts/dave/etc/ipsec.conf
hosts/dave/etc/ipsec.secrets
hosts/dave/etc/strongswan.conf
hosts/dave/etc/ipsec.d/ipsec.sql
hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem
hosts/dave/etc/ipsec.d/certs/daveCert.pem
hosts/dave/etc/ipsec.d/private/daveKey.pem
hosts/dave/etc/network/interfaces
hosts/dave/etc/swanctl/rsa/daveKey.pem
hosts/dave/etc/swanctl/x509/daveCert.pem
hosts/dave/etc/swanctl/x509ca/strongswanCert.pem

network子目录下的文件interfaces，用于设置dave主机的网络接口eth0的IP地址信息。

auto lo
iface lo inet loopbackauto eth0
iface eth0 inet staticaddress 192.168.0.200netmask 255.255.255.0broadcast 192.168.0.255gateway 192.168.0.254
iface eth0 inet6 staticaddress fec0::20netmask 16

moon网关配置

配置文件：strongswan-5.8.1/testing/tests/af-alg/rw-alg/hosts/moon/etc/swanctl/swanctl.conf，内容如下。注意网关moon的连接配置，每一种proposals都配置了两个。rw连接的proposals和子连接net的esp_proposals都设置为：aes128-sha256-modp3072和3des-sha1-modp1536，前者用于与主机dave建立连接；后者用于与主机carol建立连接。IKE使用IKEv2版。

作为网关，其事先并不知晓连接对端的IP地址信息，此处只有local_addrs的配置。

connections {rw {local_addrs  = 192.168.0.1local {auth = pubkeycerts = moonCert.pemid = moon.strongswan.org}remote {auth = pubkey}children {net {local_ts  = 10.1.0.0/16 updown = /usr/local/libexec/ipsec/_updown iptablesesp_proposals = aes128-sha256-modp3072,3des-sha1-modp1536}}version = 2proposals = aes128-sha256-modp3072,3des-sha1-modp1536 }
}

StrongSwan配置文件：strongswan-5.8.1/testing/tests/af-alg/rw-cert/hosts/moon/etc/strongswan.conf，内容如下，指定要加载的模块。与虚拟主机carol相同，moon网关使用af-alg模块，即使用内核提供的对称加密接口。

swanctl {load = pem pkcs1 x509 revocation constraints pubkey openssl random
}charon-systemd {load = random nonce test-vectors pem pkcs1 af-alg gmp x509 revocation curl ctr ccm gcm kernel-netlink socket-default updown viciintegrity_test = yescrypto_test {on_add = yes}
}

其它配置文件（位于全局测试目录下）,这些文件在测试准备阶段将拷贝到测试虚拟主机上，参见文件：strongswan-5.8.1/testing/scripts/load-testconfig。配置文件分成4个目录，其中etc目录下的文件主要是主机名文件hostname、以及ipsec和strongswan的配置文件，还有rc.local文件。另外三个目录为ipsec.d，network和swanctl，其中ipsec.d和swanctl分别保存各自的证书文件，本测试用例中使用swanctl工具，参见文件：tests/af-alg/rw-cert/test.conf，中的变量SWANCTL。

$ ls -R strongswan-5.8.1/testing/hosts/moon/ hosts/moon/etc/hostname
hosts/moon/etc/ipsec.conf
hosts/moon/etc/ipsec.secrets
hosts/moon/etc/rc.local
hosts/moon/etc/strongswan.conf
hosts/moon/etc/ipsec.d/ipsec.sql
hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
hosts/moon/etc/ipsec.d/certs/moonCert.pem
hosts/moon/etc/ipsec.d/private/moonKey.pem
hosts/moon/etc/network/interfaces
hosts/moon/etc/swanctl/rsa/moonKey.pem
hosts/moon/etc/swanctl/x509/moonCert.pem
hosts/moon/etc/swanctl/x509ca/strongswanCert.pem

network子目录下的文件interfaces，用于设置moon主机的两个网络接口eth0和eth1的IP地址信息。

 auto loiface lo inet loopbackauto eth0iface eth0 inet staticaddress 192.168.0.1netmask 255.255.255.0broadcast 192.168.0.255gateway 192.168.0.254iface eth0 inet6 staticaddress fec0::1netmask 16auto eth1iface eth1 inet staticaddress 10.1.0.1netmask 255.255.0.0broadcast 10.1.255.255iface eth1 inet6 staticaddress fec1::1netmask 16

准备阶段

配置文件：strongswan-5.8.1/testing/tests/af-alg/rw-alg/pretest.dat，内容如下。在预测试pre-test阶段，备份moon、carol和dave主机的iptables配置。启动strongswan。使用脚本expect-connection检测名称为net的连接（carol和dave主机上为home）是否建立，超过5秒钟检测不到，打印失败信息。swanctl在carol和dave主机上分别初始化一个名称为home的子连接。

通过之前的介绍已经在carol和dave主机，以及moon网关的各自配置文件（/etc/swanctl/swanctl.conf）中看到了home和net的配置信息。

moon::iptables-restore < /etc/iptables.rules
carol::iptables-restore < /etc/iptables.rules
dave::iptables-restore < /etc/iptables.rules
moon::systemctl start strongswan
carol::systemctl start strongswan
dave::systemctl start strongswan
moon::expect-connection net
carol::expect-connection home
carol::swanctl --initiate --child home 2> /dev/null
dave::expect-connection home
dave::swanctl --initiate --child home 2> /dev/null

脚本expect-connection的内容如下。如果/etc/strongswan.conf文件中加载了stroke模块，或者DAEMON_NAME变量有值，将使用ipsec statusall命令查看连接信息；否则使用swanctl --list-conns查看。由以上介绍的文件strongswan.conf可知，并未加载stroke模块。使用swanctl查看连接信息，并在moon主机上检查是否存在名称为net的连接，在carol和dave主机上检查是否存在home连接。默认的检测时长为5秒，可在命令行中指定此值。

secs=$2
[ ! $secs ] && secs=5cmd="swanctl --list-conns"
grep 'load.*stroke' /etc/strongswan.conf >/dev/null
if [ $? -eq 0 -o -n "$DAEMON_NAME" ]; thencmd="ipsec statusall"
filet steps=$secs*10
for i in `seq 1 $steps`
do$cmd 2>&1 | grep ^[[:space:]]*$1: >/dev/null[ $? -eq 0 ] && exit 0sleep 0.1
doneecho "Connection '$1' not available after $secs second(s)"
exit 1

测试阶段

配置文件：strongswan-5.8.1/testing/tests/af-alg/rw-cert/evaltest.dat，内容如下。在第一行中，SSH登录到carol主机执行ping命令，并且期待alice返回的信息符合pattern：（128 bytes from PH_IP_ALICE: icmp_.eq=1）。其中PH_IP_ALICE为alice主机的IP地址。第二行测试语句，与第一行类似，此处登录到dave主机执行ping主机alice的操作。

carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=3DES_CBC integ-alg=HMAC_SHA1_96 prf-alg=PRF_HMAC_SHA1 dh-group=MODP_1536.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=3DES_CBC integ-alg=HMAC_SHA1_96.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=3DES_CBC integ-alg=HMAC_SHA1_96 prf-alg=PRF_HMAC_SHA1 dh-group=MODP_1536.*child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=3DES_CBC integ-alg=HMAC_SHA1_96.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES

第三行测试语句登录到carol主机中，使用命令swanctl --list-sas --raw显示安全关联SA的信息，在其中匹配随后的模式pattern字段，这个比较长。主要包括连接名称：home；状态：ESTABLISHED；本地地址：192.168.0.100:4500；ID信息carol@strongswan.org；远端地址信息：192.168.0.1:4500。远端IDmoon.strongswan.org。加密算法：3DES_CBC；验证算法：HMAC_SHA1_96；dh-group：MODP_1536等等。可见与以上rw-alg/hosts/carol/etc/swanctl/swanctl.conf中的配置相符。

子连接的SA匹配信息有，协议protocol字段：ESP；加密算法encr-alg字段：3DES_CBC；以及本地和远端流量选择符（ts），与以上文件swanctl.conf中的child连接配置相符。以下为carol虚拟主机执行swanctl --list-sas的显示信息，可见与测试文件evaltest.dat的第二行完全匹配。

home: #1, ESTABLISHED, IKEv2, 49db35646f699012_i* eab573efbb8c04a3_rlocal  'carol@strongswan.org' @ 192.168.0.100[4500]remote 'moon.strongswan.org' @ 192.168.0.1[4500]3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536established 3s ago, rekeying in 13888shome: #1, reqid 1, INSTALLED, TUNNEL, ESP:3DES_CBC/HMAC_SHA1_96installed 3s ago, rekeying in 3261s, expires in 3957sin  c581b081,     84 bytes,     1 packets,     3s agoout c96186f4,     84 bytes,     1 packets,     3s agolocal  192.168.0.100/32remote 10.1.0.0/16

第四行测试语句与第三行类似，此处登录的dave主机上执行swanctl --list-sas --raw命令检查输出结果，进行匹配操作。以下为dave虚拟主机上执行swanctl命令的输出：

home: #1, ESTABLISHED, IKEv2, 623e88f6d5f105df_i* 740a8cf8e50d48e0_rlocal  'dave@strongswan.org' @ 192.168.0.200[4500]remote 'moon.strongswan.org' @ 192.168.0.1[4500]AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072established 4s ago, rekeying in 13234shome: #1, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-128/HMAC_SHA2_256_128installed 4s ago, rekeying in 3236s, expires in 3956sin  cc0b2e38,     84 bytes,     1 packets,     3s agoout c77009a8,     84 bytes,     1 packets,     3s agolocal  192.168.0.200/32remote 10.1.0.0/16

第五行和第六行测试语句，都在moon网关上执行，这里分别使用命令swanctl --list-sas --ike-id 1 --raw和swanctl --list-sas --ike-id 2 --raw显示IKE ID为1和2的SA信息。由于在pretest.dat文件中首先执行的carol主机的测试，其在moon网关上对于的IKE ID应为1。dave主机对应的IKE ID为2。moon网关上执行swanctl --list-conns命令列出所有SA的结果如下显示。

rw: #2, ESTABLISHED, IKEv2, 623e88f6d5f105df_i 740a8cf8e50d48e0_r*local  'moon.strongswan.org' @ 192.168.0.1[4500]remote 'dave@strongswan.org' @ 192.168.0.200[4500]AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072established 3s ago, rekeying in 13524snet: #2, reqid 2, INSTALLED, TUNNEL, ESP:AES_CBC-128/HMAC_SHA2_256_128installed 3s ago, rekeying in 3403s, expires in 3957sin  c77009a8,     84 bytes,     1 packets,     3s agoout cc0b2e38,     84 bytes,     1 packets,     3s agolocal  10.1.0.0/16remote 192.168.0.200/32
rw: #1, ESTABLISHED, IKEv2, 49db35646f699012_i eab573efbb8c04a3_r*local  'moon.strongswan.org' @ 192.168.0.1[4500]remote 'carol@strongswan.org' @ 192.168.0.100[4500]3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536established 3s ago, rekeying in 13173snet: #1, reqid 1, INSTALLED, TUNNEL, ESP:3DES_CBC/HMAC_SHA1_96installed 3s ago, rekeying in 3408s, expires in 3957sin  c96186f4,     84 bytes,     1 packets,     3s agoout c581b081,     84 bytes,     1 packets,     3s agolocal  10.1.0.0/16remote 192.168.0.100/32

最后4行测试语句都是在moon网关上执行的，这里的tcpdump命令并不执行，而是检查在以上的测试过程中后台tcpdump名称输出到文件/tmp/tcpdump.log中的日志信息，确认carol与moon，以及dave和moon之间的ESP加密的ping报文是否正常。

 23 06:39:34.565750 IP carol.strongswan.org > moon.strongswan.org: ESP(spi=0xc96186f4,seq=0x1), length 11624 06:39:34.565832 IP carol.strongswan.org > alice.strongswan.org: ICMP echo request, id 4804, seq 1, length 6425 06:39:34.566274 IP moon.strongswan.org > carol.strongswan.org: ESP(spi=0xc581b081,seq=0x1), length 11626 06:39:34.605771 IP dave.strongswan.org > moon.strongswan.org: ESP(spi=0xc77009a8,seq=0x1), length 13627 06:39:34.605846 IP dave.strongswan.org > alice.strongswan.org: ICMP echo request, id 4228, seq 1, length 6428 06:39:34.609893 IP moon.strongswan.org > dave.strongswan.org: ESP(spi=0xcc0b2e38,seq=0x1), length 136

防火墙规则

以下为测试过程中，在虚拟主机carol的filter表中加入的规则，规则的配置由swanctl.conf文件中指定的updown脚本完成（/usr/local/libexec/ipsec/_updown iptables）。在hook点INPUT上，允许UDP源和目的端口同时为500或者4500的报文，前者为IKE协议端口，后者为NAT-T使用的端口号，另外允许ESP和AH协议的报文通过，由于此测试使用ESP协议，以下AH规则的计数为空。在INPUT点上，源IP为10.1.0.0/16，目的IP为192.168.0.100的报文匹配入方向的IPSEC策略，reqid为1，协议号为50（ESP）。

在hook点OUTPUT上源IP为192.168.0.100，目的IP为10.1.0.0/16的报文匹配出方向的IPSEC策略，reqid为1，协议号为50（ESP）。

Chain INPUT (policy DROP 0 packets, 0 bytes)pkts bytes target     prot opt in     out     source               destination         1    84 ACCEPT     all  --  eth0   *       10.1.0.0/16          192.168.0.100        policy match dir in pol ipsec reqid 1 proto 501   136 ACCEPT     esp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           0     0 ACCEPT     ah   --  eth0   *       0.0.0.0/0            0.0.0.0/0           1   455 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp spt:500 dpt:5002  1944 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp spt:4500 dpt:4500       Chain OUTPUT (policy DROP 0 packets, 0 bytes)pkts bytes target     prot opt in     out     source               destination         1    84 ACCEPT     all  --  *      eth0    192.168.0.100        10.1.0.0/16          policy match dir out pol ipsec reqid 1 proto 501   136 ACCEPT     esp  --  *      eth0    0.0.0.0/0            0.0.0.0/0           0     0 ACCEPT     ah   --  *      eth0    0.0.0.0/0            0.0.0.0/0           1   422 ACCEPT     udp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            udp spt:500 dpt:5002  2008 ACCEPT     udp  --  *      eth0    0.0.0.0/0            0.0.0.0/0            udp spt:4500 dpt:4500

以下为在主机carol上使用ip -s xfrm policy显示的IPSec策略：

src 192.168.0.100/32 dst 10.1.0.0/16 uid 0dir out action allow index 433 priority 375423 ptype main share any flag  (0x00000000)lifetime config:limit: soft (INF)(bytes), hard (INF)(bytes)limit: soft (INF)(packets), hard (INF)(packets)expire add: soft 0(sec), hard 0(sec)expire use: soft 0(sec), hard 0(sec)lifetime current:0(bytes), 0(packets)add 2019-10-28 06:39:38 use 2019-10-28 06:39:38tmpl src 192.168.0.100 dst 192.168.0.1proto esp spi 0xc96186f4(3378611956) reqid 1(0x00000001) mode tunnellevel required share anyenc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 10.1.0.0/16 dst 192.168.0.100/32 uid 0dir in action allow index 416 priority 375423 ptype main share any flag  (0x00000000)lifetime config:limit: soft (INF)(bytes), hard (INF)(bytes)limit: soft (INF)(packets), hard (INF)(packets)expire add: soft 0(sec), hard 0(sec)expire use: soft 0(sec), hard 0(sec)lifetime current:0(bytes), 0(packets)add 2019-10-28 06:39:38 use 2019-10-28 06:39:38tmpl src 192.168.0.1 dst 192.168.0.100proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnellevel required share anyenc-mask ffffffff auth-mask ffffffff comp-mask ffffffff

虚拟主机dave的iptables配置与以上类似。但是网关moon上配置略有不同，其IPSEC策略配置在hook点FORWORD上。

Chain FORWARD (policy DROP 0 packets, 0 bytes)pkts bytes target     prot opt in     out     source               destination         1    84 ACCEPT     all  --  eth0   *       192.168.0.200        10.1.0.0/16          policy match dir in pol ipsec reqid 2 proto 501    84 ACCEPT     all  --  *      eth0    10.1.0.0/16          192.168.0.200        policy match dir out pol ipsec reqid 2 proto 501    84 ACCEPT     all  --  eth0   *       192.168.0.100        10.1.0.0/16          policy match dir in pol ipsec reqid 1 proto 501    84 ACCEPT     all  --  *      eth0    10.1.0.0/16          192.168.0.100        policy match dir out pol ipsec reqid 1 proto 50

收尾阶段

配置文件：strongswan-5.8.1/testing/tests/af-alg/rw-cert/posttest.dat，内容如下。其中第一行断开carol虚拟主机上名称为home的连接。第二行断开dave主机上名称为home的连接。第三、四、五行终止carol、dave和moon网关上的StrongSwan进程。最后三行恢复moon网关以及carol和dave主机上的iptables规则。

carol::swanctl --terminate --ike home
dave::swanctl --terminate --ike home
carol::systemctl stop strongswan
dave::systemctl stop strongswan
moon::systemctl stop strongswan
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
dave::iptables-restore < /etc/iptables.flush

测试结果文件默认都保存在目录：/srv/strongswan-testing/testresults/20191028-0639-21/af-alg/rw-cert/下，其中文件console.log 记录了整个的测试过程。文件carol.daemon.log、dave.daemon.log和moon.daemon.log文件记录了各自主机上charon-systemd主进程的日志。完整的测试结果文件列表见本文开始部分。下图为IKEv2报文的交互报文。

附件为tcpdump抓取到的报文。

ike-af-alg.pcap

END