当前位置:   article > 正文

SWAN之ikev2协议multi-auth-rsa-eap-sim-id配置测试_leftauth=cert

leftauth=cert

本测试主要验证多重认证功能,远程用户carol,dave与网关mooon建立连接时,首先使用IKE RSA签名和相关证书进行认证;完成之后,再进行EAP-SIM认证。在测试中,由alice主机充当radius服务器,对于carol,使用文件/etc/ipsec.d/triplets.dat中的数据模拟物理SIM卡。网关moon负责转发所有的EAP消息到Radius服务器,alice同样使用定义好的triplets.dat文件模拟SIM认证数据。本次测试拓扑如下:

在这里插入图片描述

主机配置

carol的配置文件:ikev2/multi-auth-rsa-eap-sim-id/hosts/carol/etc/ipsec.conf,内容如下。这里这里了多重验证,首先leftauth指定了pubkey验证,再者leftauth2字段指定了EAP验证,eap_identity字段指定esp标识:228060123456001,leftid2字段指定二次验证使用的ID:228060123456001@strongswan.org。

conn home
        left=PH_IP_CAROL
        leftfirewall=yes
        leftauth=pubkey
        leftid=carol@strongswan.org
        leftcert=carolCert.pem
        leftauth2=eap
        leftid2=228060123456001@strongswan.org
        eap_identity=228060123456001
        right=PH_IP_MOON
        rightsubnet=10.1.0.0/16
        rightauth=pubkey
        rightid=@moon.strongswan.org
        auto=add
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14

carol的配置文件:ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/ipsec.d/triplets.dat 用于模拟SIM卡。第一个字段为用户ID;第二个字段为RAND,由基站发送给移动端(手机)的128bit的随机数;第三个字段SRES,为终端发送给基站的32bit长响应值;最后字段Kc,为64bit长的秘钥。

228060123456001,30000000000000000000000000000000,30112233,305566778899AABB
228060123456001,31000000000000000000000000000000,31112233,315566778899AABB
228060123456001,32000000000000000000000000000000,32112233,325566778899AABB
  • 1
  • 2
  • 3

carol的配置文件:ikev2/multi-auth-rsa-eap-sim-id/hosts/carol/etc/strongswan.conf,内容如下。这里加载本次测试需要使用到的eap-sim,eap-sim-file和eap-identity等插件。

# /etc/strongswan.conf - strongSwan configuration file

charon {
  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file eap-identity updown
}
  • 1
  • 2
  • 3
  • 4
  • 5

主机dave的配置与carol基本相同,区别在于,在ipsec.conf配置文件中,dave的eap_identify值为228060123456002,leftid2等于228060123456002@strongswan.org。另外,两者的triplets.dat文件不同,dave的内容如下:

228060123456002,33000000000000000000000000000000,33112244,335566778899AABB
228060123456002,34000000000000000000000000000000,34112244,345566778899AABB
228060123456002,35000000000000000000000000000000,35112244,355566778899AABB
  • 1
  • 2
  • 3

网关配置

moon网关的配置文件:ikev2/multi-auth-rsa-eap-sim-id/hosts/moon/etc/ipsec.conf,内容如下。注意其rightauth2字段指定了值eap-radius,将对远程用户进行额外的eap认证。

conn rw-mult
        left=PH_IP_MOON
        leftsubnet=10.1.0.0/16
        leftfirewall=yes
        leftauth=pubkey
        leftid=@moon.strongswan.org
        leftcert=moonCert.pem
        right=%any
        rightauth=pubkey
        rightid=*@strongswan.org
        rightauth2=eap-radius
        eap_identity=%any
        auto=add
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13

moon网关的配置文件:ikev2/multi-auth-rsa-eap-sim-id/hosts/moon/etc/strongswan.conf,内容如下。此处需要加载测试使用到的eap-radius和eap-identity等插件。另外,在eap-radius段中配置radius服务器的地址及访问秘钥。

charon {
  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default fips-prf eap-radius eap-identity updown

  plugins {
    eap-radius {
      secret = gv6URkSs
      server = PH_IP_ALICE
    }
  }
}
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10

Radius服务器

本次测试使用alice主机作为radius服务器,其地址为10.1.0.10。配置文件ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/users 中设置了两个SIM认证的用户:228060123456001和228060123456002,分别对应carol和dave。

对于dave主机,其EAP-Sim-SRES1/2/3的值为:0x33112233、0x34112233和0x35112233,与dave主机的配置文件triplets.dat中定义的值都不相同,其认证将失败。

228060123456001 EAP-Type := SIM, EAP-Sim-RAND1 := 0x30000000000000000000000000000000, EAP-Sim-SRES1 := 0x30112233, EAP-Sim-KC1 := 0x305566778899AABB, EAP-Sim-RAND2 := 0x31000000000000000000000000000000, EAP-Sim-SRES2 := 0x31112233, EAP-Sim-KC2 := 0x315566778899AABB, EAP-Sim-RAND3 := 0x32000000000000000000000000000000, EAP-Sim-SRES3 := 0x32112233, EAP-Sim-KC3 := 0x325566778899AABB
228060123456002 EAP-Type := SIM, EAP-Sim-RAND1 := 0x33000000000000000000000000000000, EAP-Sim-SRES1 := 0x33112233, EAP-Sim-KC1 := 0x335566778899AABB, EAP-Sim-RAND2 := 0x34000000000000000000000000000000, EAP-Sim-SRES2 := 0x34112233, EAP-Sim-KC2 := 0x345566778899AABB, EAP-Sim-RAND3 := 0x35000000000000000000000000000000, EAP-Sim-SRES3 := 0x35112233, EAP-Sim-KC3 := 0x355566778899AABB
  • 1
  • 2

测试准备阶段

配置文件:ikev2/multi-auth-rsa-eap-sim-id/pretest.dat,内容为通常的ipsec连接的启动语句。另外需要注意的是启用alice主机上的freeradius进程,用作radius服务器。

alice::freeradius
  • 1

测试阶段

配置文件:ikev2/multi-auth-rsa-eap-sim-id/evaltest.dat内容如下。在确认carol主机和moon网关连接建立之后,检查strongswan进程日志中的连接信息,确认RSA验证和EAP-SIM验证都成功完成。然后在主机carol上使用ping命令测试到alice主机的连通性。

moon:: cat /var/log/daemon.log::parsed IKE_AUTH request.*N(AUTH_FOLLOWS)::YES
moon:: cat /var/log/daemon.log::authentication of .*carol@strongswan.org.* with RSA.* successful::YES
carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES
carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES
moon:: cat /var/log/daemon.log::received EAP identity .*228060123456001::YES
moon:: cat /var/log/daemon.log::authentication of .*228060123456001@strongswan.org.* with EAP successful::YES
moon:: ipsec status 2> /dev/null::rw-mult.*ESTABLISHED.*228060123456001@strongswan.org::YES
carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*228060123456001@strongswan.org::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9

以下为moon网关上strongswan进程日志,moon接收到了carol在IKE_AUTH报文中发送的AUTH_FOLLOWS载荷,表示支持多重认证,第一重RSA认证成功。

 moon charon: 11[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) N(AUTH_FOLLOWS) ]
 moon charon: 11[IKE] received cert request for "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
 moon charon: 11[IKE] received end entity cert "C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org"
 moon charon: 11[CFG] certificate status is good
 moon charon: 11[CFG]   reached self-signed root ca with a path length of 0
 moon charon: 11[IKE] authentication of 'carol@strongswan.org' with RSA_EMSA_PKCS1_SHA2_256 successful
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6

此后,moon网关又接收到carol发送的第二次认证的报文,其中仅包含IDi,其值为ipsec.conf文件中使用leftid2配置的228060123456001@strongswan.org。之后,moon网关向carol请求了eap_identity信息,carol回复了值228060123456001(IKE_AUTH request 3消息)。之后moon网关开始在radius服务器alice和carol用户之后转发EAP/Radius认证报文,认证成功之后,moon回复carol主机完整的建立子连接的报文。

moon charon: 12[NET] received packet: from 192.168.0.100[4500] to 192.168.0.1[4500] (112 bytes)
moon charon: 12[ENC] parsed IKE_AUTH request 2 [ IDi ]
moon charon: 12[IKE] initiating EAP_IDENTITY method (id 0x00)
moon charon: 12[ENC] generating IKE_AUTH response 2 [ EAP/REQ/ID ]
moon charon: 13[ENC] parsed IKE_AUTH request 3 [ EAP/RES/ID ]
moon charon: 13[IKE] received EAP identity '228060123456001'
moon charon: 13[CFG] sending RADIUS Access-Request to server '10.1.0.10'
moon charon: 13[CFG] received RADIUS Access-Challenge from server '10.1.0.10'
moon charon: 13[IKE] initiating EAP_SIM method (id 0xBC)
moon charon: 13[ENC] generating IKE_AUTH response 3 [ EAP/REQ/SIM ]
moon charon: 14[ENC] parsed IKE_AUTH request 4 [ EAP/RES/SIM ]
moon charon: 14[CFG] sending RADIUS Access-Request to server '10.1.0.10'
moon charon: 14[CFG] received RADIUS Access-Challenge from server '10.1.0.10'
moon charon: 14[ENC] generating IKE_AUTH response 4 [ EAP/REQ/SIM ]
moon charon: 15[ENC] parsed IKE_AUTH request 5 [ EAP/RES/SIM ]
moon charon: 15[CFG] sending RADIUS Access-Request to server '10.1.0.10'
moon charon: 15[CFG] received RADIUS Access-Accept from server '10.1.0.10'
moon charon: 15[IKE] RADIUS authentication of '228060123456001' successful
moon charon: 15[IKE] EAP method EAP_SIM succeeded, MSK established
moon charon: 15[ENC] generating IKE_AUTH response 5 [ EAP/SUCC ]
moon charon: 16[ENC] parsed IKE_AUTH request 6 [ AUTH ]
moon charon: 16[IKE] authentication of '228060123456001@strongswan.org' with EAP successful
moon charon: 16[IKE] authentication of 'moon.strongswan.org' (myself) with EAP
moon charon: 16[IKE] IKE_SA rw-mult[1] established between 192.168.0.1[moon.strongswan.org]...192.168.0.100[228060123456001@strongswan.org]
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24

认证报文交互流程如下,其与以上的moon日志相对应:

           |---------|                             |---------|                                  |---------|
           |  carol  |                             |   moon  |                                  |  alice  |
           |---------|                             |---------|                                  |---------|
                |                                       |                                            |
                |                                       |                                            |
  IKE_SA_INIT   |-------------------------------------->|                                            |
   MID=00       |<--------------------------------------|                                            |
                |                                       |                                            |
                |        ANOTHER_AUTH_FOLLOWS           |                                            |
 IKE_AUTH |---- |-------------------------------------->|                                            |
   MID=01 |---- |<--------------------------------------|                                            |
                |         no TS SA payload              |                                            |
                |                                       |                                            |
                |  IDi=228060123456001@strongswan.org   |                                            |
 IKE_AUTH |---- |-------------------------------------->|                                            |
   MID=02 |     |    (EAP req in ISAKMP) identity       |                                            |
          |---- |<--------------------------------------|                                            |
                |                                       |                                            |
                |    (EAP resp)(id 228060123456001)     |    Radius Access-Request(id=149)           |
          |---- |-------------------------------------->|     (IDi | CSID = 192.168.1.100)           |
          |     |                                       |------------------------------------------->|
   MID=03 |     |                                       |      Access-Challenge(id=149)              |
          |     |                                       |      (VERSION_LIST & FULLAUTH_ID)          |
          |     |  EAP Req (VERSION_LIST & FULLAUTH_ID) |<-------------------------------------------|
          |---- |<--------------------------------------|                                            |
                |                                       |                                            |
                |  EAP Resp (SELECTED_VERSION(0001) &   |                                            |
                |        IDENTITY 228060123456001)      | Access-Request(150)(SELECTED_VERSION(0001) |
          |---- |-------------------------------------->|        & IDENTITY 228060123456001)         |
          |     |                                       |------------------------------------------->|
   MID=04 |     |                                       |   Radius  Access-Challenge(id=150)         |  RAND值:
          |     |                                       |           (AT_RAND & AT_MAC)               |  EAP-Sim-RAND1/2/3
          |     |     EAP Req (AT_RAND & AT_MAC)        |<-------------------------------------------|
          |---- |<--------------------------------------|                                            |
                |                                       |                                            |
                |                                       |                                            |
                |     EAP Resp (AT_MAC)                 |                                            |
          |---- |-------------------------------------->|       Access-Request(151) (AT_MAC)         |
          |     |                                       |------------------------------------------->|
   MID=05 |     |                                       |         Access-Accept(151)                 |
          |     |     EAP Success                       |<-------------------------------------------|
          |---- |<--------------------------------------|                                            |
                |                                       |                                            |
                |                                       |                                            |
                |     Req (AUTH Payload)                |                                            |
          |---- |-------------------------------------->|                                            |
   MID=06 |     |     Resp (AUTH/SA/TSi/TSr/...)        |                                            |
          |---- |<--------------------------------------|                                            |
                |                                       |                                            |
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33
  • 34
  • 35
  • 36
  • 37
  • 38
  • 39
  • 40
  • 41
  • 42
  • 43
  • 44
  • 45
  • 46
  • 47
  • 48
  • 49

主机carol上的strongswan进程日志,反应了其交互过程中的处理流程,日志中request或者response字符串后面的数字表示MID值:

carol charon: 13[ENC] generating IKE_AUTH request 2 [ IDi ]
carol charon: 13[NET] sending packet: from 192.168.0.100[4500] to 192.168.0.1[4500] (112 bytes)
carol charon: 15[NET] received packet: from 192.168.0.1[4500] to 192.168.0.100[4500] (80 bytes)
carol charon: 15[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/ID ]
carol charon: 15[IKE] server requested EAP_IDENTITY (id 0x00), sending '228060123456001'
carol charon: 15[ENC] generating IKE_AUTH request 3 [ EAP/RES/ID ]
carol charon: 15[NET] sending packet: from 192.168.0.100[4500] to 192.168.0.1[4500] (96 bytes)
carol charon: 16[NET] received packet: from 192.168.0.1[4500] to 192.168.0.100[4500] (96 bytes)
carol charon: 16[ENC] parsed IKE_AUTH response 3 [ EAP/REQ/SIM ]
carol charon: 16[IKE] server requested EAP_SIM authentication (id 0xBC)
carol charon: 16[ENC] generating IKE_AUTH request 4 [ EAP/RES/SIM ]
carol charon: 16[NET] sending packet: from 192.168.0.100[4500] to 192.168.0.1[4500] (128 bytes)
carol charon: 05[NET] received packet: from 192.168.0.1[4500] to 192.168.0.100[4500] (160 bytes)
carol charon: 05[ENC] parsed IKE_AUTH response 4 [ EAP/REQ/SIM ]
carol charon: 05[ENC] generating IKE_AUTH request 5 [ EAP/RES/SIM ]
carol charon: 05[NET] sending packet: from 192.168.0.100[4500] to 192.168.0.1[4500] (112 bytes)
carol charon: 06[NET] received packet: from 192.168.0.1[4500] to 192.168.0.100[4500] (80 bytes)
carol charon: 06[ENC] parsed IKE_AUTH response 5 [ EAP/SUCC ]
carol charon: 06[IKE] EAP method EAP_SIM succeeded, MSK established
carol charon: 06[IKE] authentication of '228060123456001@strongswan.org' (myself) with EAP
carol charon: 06[ENC] generating IKE_AUTH request 6 [ AUTH ]
carol charon: 06[NET] sending packet: from 192.168.0.100[4500] to 192.168.0.1[4500] (112 bytes)
carol charon: 08[NET] received packet: from 192.168.0.1[4500] to 192.168.0.100[4500] (288 bytes)
carol charon: 08[ENC] parsed IKE_AUTH response 6 [ AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) ]
carol charon: 08[IKE] authentication of 'moon.strongswan.org' with EAP successful
carol charon: 08[IKE] IKE_SA home[1] established between 192.168.0.100[228060123456001@strongswan.org]...192.168.0.1[moon.strongswan.org]
  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26

以下为tcpdump抓到的交互流程报文:

在这里插入图片描述

strongswan测试版本: 5.8.1

END

声明:本文内容由网友自发贡献,不代表【wpsshop博客】立场,版权归原作者所有,本站不承担相应法律责任。如您发现有侵权的内容,请联系我们。转载请注明出处:https://www.wpsshop.cn/w/知新_RL/article/detail/845032
推荐阅读
相关标签
  

闽ICP备14008679号