diff --git a/.github/workflows/ipsec-sanity-rh9.yml b/.github/workflows/ipsec-sanity-rh9.yml index dae4a911..826c3640 100644 --- a/.github/workflows/ipsec-sanity-rh9.yml +++ b/.github/workflows/ipsec-sanity-rh9.yml @@ -41,6 +41,12 @@ jobs: ./validation.sh ./rmconfig.sh cd - + - run: | + cd cicd/ipsec-e2e/ + ./config.sh + ./validation.sh + ./rmconfig.sh + cd - - run: echo ${{ github.event.inputs.userInput }} - name: Clean test-bed if: success() || failure() diff --git a/.github/workflows/ipsec-sanity-ubuntu-22.yml b/.github/workflows/ipsec-sanity-ubuntu-22.yml index af07185c..57f20a55 100644 --- a/.github/workflows/ipsec-sanity-ubuntu-22.yml +++ b/.github/workflows/ipsec-sanity-ubuntu-22.yml @@ -65,4 +65,10 @@ jobs: ./validation.sh ./rmconfig.sh cd - + - run: | + cd cicd/ipsec-e2e/ + ./config.sh + ./validation.sh + ./rmconfig.sh + cd - - run: echo ${{ github.event.inputs.userInput }} diff --git a/.github/workflows/ipsec-sanity.yml b/.github/workflows/ipsec-sanity.yml index ce467c4b..3c72592a 100644 --- a/.github/workflows/ipsec-sanity.yml +++ b/.github/workflows/ipsec-sanity.yml @@ -65,4 +65,10 @@ jobs: ./validation.sh ./rmconfig.sh cd - + - run: | + cd cicd/ipsec-e2e/ + ./config.sh + ./validation.sh + ./rmconfig.sh + cd - - run: echo ${{ github.event.inputs.userInput }} diff --git a/cicd/ipsec-e2e/config.sh b/cicd/ipsec-e2e/config.sh new file mode 100755 index 00000000..4994d916 --- /dev/null +++ b/cicd/ipsec-e2e/config.sh @@ -0,0 +1,149 @@ +#!/bin/bash +source ../common.sh + +echo "#########################################" +echo "Spawning all hosts" +echo "#########################################" + +spawn_docker_host --dock-type loxilb --dock-name lgw1 +spawn_docker_host --dock-type loxilb --dock-name llb1 +spawn_docker_host --dock-type loxilb --dock-name rgw1 +spawn_docker_host --dock-type loxilb --dock-name rgw2 +spawn_docker_host --dock-type host --dock-name lh1 +spawn_docker_host --dock-type host --dock-name rh1 +spawn_docker_host --dock-type host --dock-name rh2 + +$dexec lgw1 bash -c "apt-get update && apt-get install -y iputils-ping curl" +$dexec llb1 bash -c "apt-get update && apt-get install -y iputils-ping curl" +$dexec rgw1 bash -c "apt-get update && apt-get install -y iputils-ping curl" +$dexec rgw2 bash -c "apt-get update && apt-get install -y iputils-ping curl" + +echo "#########################################" +echo "Connecting and configuring hosts" +echo "#########################################" + +connect_docker_hosts lh1 lgw1 +connect_docker_hosts lgw1 llb1 +connect_docker_hosts llb1 rgw1 +connect_docker_hosts llb1 rgw2 +connect_docker_hosts rh1 rgw1 +connect_docker_hosts rh2 rgw2 + +config_docker_host --host1 lh1 --host2 lgw1 --ptype phy --addr 192.168.10.175/24 --gw 192.168.10.1 +config_docker_host --host1 lgw1 --host2 lh1 --ptype phy --addr 192.168.10.1/24 +config_docker_host --host1 lgw1 --host2 llb1 --ptype phy --addr 7.7.7.1/24 +config_docker_host --host1 llb1 --host2 lgw1 --ptype phy --addr 7.7.7.254/24 + +#Tunnel 1 +#xfrm Config(Left) +$dexec lgw1 ip link add vti100 type vti key 100 remote 7.7.7.254 local 7.7.7.1 +$dexec lgw1 ip link set vti100 up +$dexec lgw1 ip addr add 77.77.77.1/24 remote 77.77.77.254/24 dev vti100 +$dexec lgw1 sysctl -w "net.ipv4.conf.vti100.disable_policy=1" +$dexec lgw1 sysctl -w "net.ipv4.conf.elgw1lh1.proxy_arp=1" + +$dexec lgw1 ip route add 192.168.10.200/32 via 77.77.77.254 + +#xfrm Config(Right) +$dexec llb1 ip link add vti100 type vti key 100 remote 7.7.7.1 local 7.7.7.254 +$dexec llb1 ip link set vti100 up +$dexec llb1 ip addr add 77.77.77.254/24 remote 77.77.77.1/24 dev vti100 +$dexec llb1 sysctl -w "net.ipv4.conf.vti100.disable_policy=1" +#$dexec llb1 sysctl -w "net.ipv4.conf.ellb1lgw1.proxy_arp=1" + +$dexec llb1 ip addr add 192.168.10.200/32 dev lo +$dexec llb1 ip route add 192.168.10.175/32 via 77.77.77.1 dev vti100 +$dexec llb1 loxicmd create lb 192.168.10.200 --tcp=2020:8080 --endpoints=192.168.10.10:1,192.168.10.11:1 --mode=fullnat +$dexec llb1 loxicmd create ep 192.168.10.10 --name=192.168.10.10_tcp_2020 --probetype=none +$dexec llb1 loxicmd create ep 192.168.10.11 --name=192.168.10.11_tcp_2020 --probetype=none + +#Route towards Host(lh1) +$dexec llb1 ip route add 192.168.10.175/32 via 77.77.77.1 dev vti100 + + + +create_docker_host_vlan --host1 llb1 --host2 rgw1 --id 1000 --ptype untagged +create_docker_host_vlan --host1 llb1 --host2 rgw2 --id 1000 --ptype untagged + +config_docker_host --host1 rgw1 --host2 llb1 --ptype phy --addr 8.7.7.1/24 +config_docker_host --host1 rgw2 --host2 llb1 --ptype phy --addr 8.7.7.2/24 + +config_docker_host --host1 llb1 --host2 rgw1 --ptype vlan --id 1000 --addr 8.7.7.254/24 + +#Tunnel-2 + +#xfrm Config(Right) +$dexec llb1 ip link add vti200 type vti key 200 remote 8.7.7.1 local 8.7.7.254 +$dexec llb1 ip link set vti200 up +$dexec llb1 ip addr add 8.7.200.254/24 remote 8.7.200.1/24 dev vti200 +$dexec llb1 sysctl -w "net.ipv4.conf.vti200.disable_policy=1" + +#Route towards EP(rh1) +$dexec llb1 ip route add 192.168.10.10/32 via 8.7.200.1 dev vti200 + + +#xfrm Config(Left) +$dexec rgw1 ip link add vti200 type vti key 200 remote 8.7.7.254 local 8.7.7.1 +$dexec rgw1 ip link set vti200 up +$dexec rgw1 ip addr add 8.7.200.1/24 remote 8.7.200.254/24 dev vti200 +$dexec rgw1 sysctl -w "net.ipv4.conf.vti200.disable_policy=1" +$dexec rgw1 sysctl -w "net.ipv4.conf.ergw1rh1.proxy_arp=1" +#Route towards llb1 +$dexec rgw1 ip route add 192.168.10.200/32 via 8.7.200.254 + + +#Tunnel-3 + +#xfrm Config(Right) +$dexec llb1 ip link add vti201 type vti key 201 remote 8.7.7.2 local 8.7.7.254 +$dexec llb1 ip link set vti201 up +$dexec llb1 ip addr add 8.7.201.254/24 remote 8.7.201.1/24 dev vti201 +$dexec llb1 sysctl -w "net.ipv4.conf.vti201.disable_policy=1" + +#Route towards EP(rh2) +$dexec llb1 ip route add 192.168.10.11/32 via 8.7.201.1 dev vti201 + +$dexec rgw2 ip link add vti201 type vti key 201 remote 8.7.7.254 local 8.7.7.2 +$dexec rgw2 ip link set vti201 up +$dexec rgw2 ip addr add 8.7.201.1/24 remote 8.7.201.254/24 dev vti201 +$dexec rgw2 sysctl -w "net.ipv4.conf.vti201.disable_policy=1" +$dexec rgw2 sysctl -w "net.ipv4.conf.ergw2rh2.proxy_arp=1" +#Route towards llb1 +$dexec rgw2 ip route add 192.168.10.200/32 via 8.7.201.254 + + + +config_docker_host --host1 rgw1 --host2 rh1 --ptype phy --addr 192.168.10.2/24 +config_docker_host --host1 rh1 --host2 rgw1 --ptype phy --addr 192.168.10.10/24 --gw 192.168.10.2 + +config_docker_host --host1 rgw2 --host2 rh2 --ptype phy --addr 192.168.10.3/24 +config_docker_host --host1 rh2 --host2 rgw2 --ptype phy --addr 192.168.10.11/24 --gw 192.168.10.3 + +#$dexec lgw1 apt-get update +$dexec lgw1 apt-get install -y iptables strongswan strongswan-swanctl systemctl +docker cp lgw1_ipsec_config/ipsec.conf lgw1:/etc/ +docker cp lgw1_ipsec_config/ipsec.secrets lgw1:/etc/ +docker cp lgw1_ipsec_config/charon.conf lgw1:/etc/strongswan.d/ +$dexec lgw1 systemctl restart strongswan-starter + +#$dexec llb1 apt-get update +$dexec llb1 apt-get install -y strongswan strongswan-swanctl systemctl +docker cp llb1_ipsec_config/ipsec.conf llb1:/etc/ +docker cp llb1_ipsec_config/ipsec.secrets llb1:/etc/ +docker cp llb1_ipsec_config/charon.conf llb1:/etc/strongswan.d/ +$dexec llb1 systemctl restart strongswan-starter + +#$dexec rgw1 apt-get update +$dexec rgw1 apt-get install -y iptables strongswan strongswan-swanctl systemctl +docker cp rgw1_ipsec_config/ipsec.conf rgw1:/etc/ +docker cp rgw1_ipsec_config/ipsec.secrets rgw1:/etc/ +docker cp rgw1_ipsec_config/charon.conf rgw1:/etc/strongswan.d/ +$dexec rgw1 systemctl restart strongswan-starter + +#$dexec rgw2 apt-get update +$dexec rgw2 apt-get install -y iptables strongswan strongswan-swanctl systemctl +docker cp rgw2_ipsec_config/ipsec.conf rgw2:/etc/ +docker cp rgw2_ipsec_config/ipsec.secrets rgw2:/etc/ +docker cp rgw2_ipsec_config/charon.conf rgw2:/etc/strongswan.d/ +$dexec rgw2 systemctl restart strongswan-starter + diff --git a/cicd/ipsec-e2e/lgw1_ipsec_config/charon.conf b/cicd/ipsec-e2e/lgw1_ipsec_config/charon.conf new file mode 100644 index 00000000..926ae24a --- /dev/null +++ b/cicd/ipsec-e2e/lgw1_ipsec_config/charon.conf @@ -0,0 +1,376 @@ +# Options for the charon IKE daemon. +charon { + + # Accept unencrypted ID and HASH payloads in IKEv1 Main Mode. + # accept_unencrypted_mainmode_messages = no + + # Maximum number of half-open IKE_SAs for a single peer IP. + # block_threshold = 5 + + # Whether Certificate Revocation Lists (CRLs) fetched via HTTP or LDAP + # should be saved under a unique file name derived from the public key of + # the Certification Authority (CA) to /etc/ipsec.d/crls (stroke) or + # /etc/swanctl/x509crl (vici), respectively. + # cache_crls = no + + # Whether relations in validated certificate chains should be cached in + # memory. + # cert_cache = yes + + # Send Cisco Unity vendor ID payload (IKEv1 only). + # cisco_unity = no + + # Close the IKE_SA if setup of the CHILD_SA along with IKE_AUTH failed. + # close_ike_on_child_failure = no + + # Number of half-open IKE_SAs that activate the cookie mechanism. + # cookie_threshold = 10 + + # Delete CHILD_SAs right after they got successfully rekeyed (IKEv1 only). + # delete_rekeyed = no + + # Delay in seconds until inbound IPsec SAs are deleted after rekeyings + # (IKEv2 only). + # delete_rekeyed_delay = 5 + + # Use ANSI X9.42 DH exponent size or optimum size matched to cryptographic + # strength. + # dh_exponent_ansi_x9_42 = yes + + # Use RTLD_NOW with dlopen when loading plugins and IMV/IMCs to reveal + # missing symbols immediately. + # dlopen_use_rtld_now = no + + # DNS server assigned to peer via configuration payload (CP). + # dns1 = + + # DNS server assigned to peer via configuration payload (CP). + # dns2 = + + # Enable Denial of Service protection using cookies and aggressiveness + # checks. + # dos_protection = yes + + # Compliance with the errata for RFC 4753. + # ecp_x_coordinate_only = yes + + # Free objects during authentication (might conflict with plugins). + # flush_auth_cfg = no + + # Whether to follow IKEv2 redirects (RFC 5685). + # follow_redirects = yes + + # Maximum size (complete IP datagram size in bytes) of a sent IKE fragment + # when using proprietary IKEv1 or standardized IKEv2 fragmentation, defaults + # to 1280 (use 0 for address family specific default values, which uses a + # lower value for IPv4). If specified this limit is used for both IPv4 and + # IPv6. + # fragment_size = 1280 + + # Name of the group the daemon changes to after startup. + # group = + + # Timeout in seconds for connecting IKE_SAs (also see IKE_SA_INIT DROPPING). + # half_open_timeout = 30 + + # Enable hash and URL support. + # hash_and_url = no + + # Allow IKEv1 Aggressive Mode with pre-shared keys as responder. + # i_dont_care_about_security_and_use_aggressive_mode_psk = no + + # Whether to ignore the traffic selectors from the kernel's acquire events + # for IKEv2 connections (they are not used for IKEv1). + # ignore_acquire_ts = no + + # A space-separated list of routing tables to be excluded from route + # lookups. + # ignore_routing_tables = + + # Maximum number of IKE_SAs that can be established at the same time before + # new connection attempts are blocked. + # ikesa_limit = 0 + + # Number of exclusively locked segments in the hash table. + # ikesa_table_segments = 1 + + # Size of the IKE_SA hash table. + # ikesa_table_size = 1 + + # Whether to close IKE_SA if the only CHILD_SA closed due to inactivity. + # inactivity_close_ike = no + + # Limit new connections based on the current number of half open IKE_SAs, + # see IKE_SA_INIT DROPPING in strongswan.conf(5). + # init_limit_half_open = 0 + + # Limit new connections based on the number of queued jobs. + # init_limit_job_load = 0 + + # Causes charon daemon to ignore IKE initiation requests. + # initiator_only = no + + # Install routes into a separate routing table for established IPsec + # tunnels. + install_routes = no + + # Install virtual IP addresses. + install_virtual_ip = no + + # The name of the interface on which virtual IP addresses should be + # installed. + # install_virtual_ip_on = + + # Check daemon, libstrongswan and plugin integrity at startup. + # integrity_test = no + + # A comma-separated list of network interfaces that should be ignored, if + # interfaces_use is specified this option has no effect. + # interfaces_ignore = + + # A comma-separated list of network interfaces that should be used by + # charon. All other interfaces are ignored. + # interfaces_use = + + # NAT keep alive interval. + # keep_alive = 20s + + # Plugins to load in the IKE daemon charon. + # load = + + # Determine plugins to load via each plugin's load option. + # load_modular = no + + # Initiate IKEv2 reauthentication with a make-before-break scheme. + # make_before_break = no + + # Maximum number of IKEv1 phase 2 exchanges per IKE_SA to keep state about + # and track concurrently. + # max_ikev1_exchanges = 3 + + # Maximum packet size accepted by charon. + # max_packet = 10000 + + # Enable multiple authentication exchanges (RFC 4739). + # multiple_authentication = yes + + # WINS servers assigned to peer via configuration payload (CP). + # nbns1 = + + # WINS servers assigned to peer via configuration payload (CP). + # nbns2 = + + # UDP port used locally. If set to 0 a random port will be allocated. + # port = 500 + + # UDP port used locally in case of NAT-T. If set to 0 a random port will be + # allocated. Has to be different from charon.port, otherwise a random port + # will be allocated. + # port_nat_t = 4500 + + # Whether to prefer updating SAs to the path with the best route. + # prefer_best_path = no + + # Prefer locally configured proposals for IKE/IPsec over supplied ones as + # responder (disabling this can avoid keying retries due to + # INVALID_KE_PAYLOAD notifies). + # prefer_configured_proposals = yes + + # Controls whether permanent or temporary IPv6 addresses are used as source, + # or announced as additional addresses if MOBIKE is used. + # prefer_temporary_addrs = no + + # Process RTM_NEWROUTE and RTM_DELROUTE events. + # process_route = yes + + # How RDNs in subject DNs of certificates are matched against configured + # identities (strict, reordered, or relaxed). + # rdn_matching = strict + + # Delay in ms for receiving packets, to simulate larger RTT. + # receive_delay = 0 + + # Delay request messages. + # receive_delay_request = yes + + # Delay response messages. + # receive_delay_response = yes + + # Specific IKEv2 message type to delay, 0 for any. + # receive_delay_type = 0 + + # Size of the AH/ESP replay window, in packets. + # replay_window = 32 + + # Base to use for calculating exponential back off, see IKEv2 RETRANSMISSION + # in strongswan.conf(5). + # retransmit_base = 1.8 + + # Maximum jitter in percent to apply randomly to calculated retransmission + # timeout (0 to disable). + # retransmit_jitter = 0 + + # Upper limit in seconds for calculated retransmission timeout (0 to + # disable). + # retransmit_limit = 0 + + # Timeout in seconds before sending first retransmit. + # retransmit_timeout = 4.0 + + # Number of times to retransmit a packet before giving up. + # retransmit_tries = 5 + + # Interval in seconds to use when retrying to initiate an IKE_SA (e.g. if + # DNS resolution failed), 0 to disable retries. + # retry_initiate_interval = 0 + + # Initiate CHILD_SA within existing IKE_SAs (always enabled for IKEv1). + # reuse_ikesa = yes + + # Numerical routing table to install routes to. + # routing_table = + + # Priority of the routing table. + # routing_table_prio = + + # Whether to use RSA with PSS padding instead of PKCS#1 padding by default. + # rsa_pss = no + + # Delay in ms for sending packets, to simulate larger RTT. + # send_delay = 0 + + # Delay request messages. + # send_delay_request = yes + + # Delay response messages. + # send_delay_response = yes + + # Specific IKEv2 message type to delay, 0 for any. + # send_delay_type = 0 + + # Send strongSwan vendor ID payload + # send_vendor_id = no + + # Whether to enable Signature Authentication as per RFC 7427. + # signature_authentication = yes + + # Whether to enable constraints against IKEv2 signature schemes. + # signature_authentication_constraints = yes + + # Value mixed into the local IKE SPIs after applying spi_mask. + # spi_label = 0x0000000000000000 + + # Mask applied to local IKE SPIs before mixing in spi_label (bits set will + # be replaced with spi_label). + # spi_mask = 0x0000000000000000 + + # The upper limit for SPIs requested from the kernel for IPsec SAs. + # spi_max = 0xcfffffff + + # The lower limit for SPIs requested from the kernel for IPsec SAs. + # spi_min = 0xc0000000 + + # Number of worker threads in charon. + # threads = 16 + + # Name of the user the daemon changes to after startup. + # user = + + crypto_test { + + # Benchmark crypto algorithms and order them by efficiency. + # bench = no + + # Buffer size used for crypto benchmark. + # bench_size = 1024 + + # Time in ms during which crypto algorithm performance is measured. + # bench_time = 50 + + # Test crypto algorithms during registration (requires test vectors + # provided by the test-vectors plugin). + # on_add = no + + # Test crypto algorithms on each crypto primitive instantiation. + # on_create = no + + # Strictly require at least one test vector to enable an algorithm. + # required = no + + # Whether to test RNG with TRUE quality; requires a lot of entropy. + # rng_true = no + + } + + host_resolver { + + # Maximum number of concurrent resolver threads (they are terminated if + # unused). + # max_threads = 3 + + # Minimum number of resolver threads to keep around. + # min_threads = 0 + + } + + leak_detective { + + # Includes source file names and line numbers in leak detective output. + # detailed = yes + + # Threshold in bytes for leaks to be reported (0 to report all). + # usage_threshold = 10240 + + # Threshold in number of allocations for leaks to be reported (0 to + # report all). + # usage_threshold_count = 0 + + } + + processor { + + # Section to configure the number of reserved threads per priority class + # see JOB PRIORITY MANAGEMENT in strongswan.conf(5). + priority_threads { + + } + + } + + # Section containing a list of scripts (name = path) that are executed when + # the daemon is started. + start-scripts { + + } + + # Section containing a list of scripts (name = path) that are executed when + # the daemon is terminated. + stop-scripts { + + } + + tls { + + # List of TLS encryption ciphers. + # cipher = + + # List of TLS key exchange methods. + # key_exchange = + + # List of TLS MAC algorithms. + # mac = + + # List of TLS cipher suites. + # suites = + + } + + x509 { + + # Discard certificates with unsupported or unknown critical extensions. + # enforce_critical = yes + + } + +} + diff --git a/cicd/ipsec-e2e/lgw1_ipsec_config/ipsec.conf b/cicd/ipsec-e2e/lgw1_ipsec_config/ipsec.conf new file mode 100644 index 00000000..c1314eb9 --- /dev/null +++ b/cicd/ipsec-e2e/lgw1_ipsec_config/ipsec.conf @@ -0,0 +1,78 @@ +#@ /etc/strongswan/ipsec.conf (Centos) or /etc/ipsec.conf (Ubuntu) + +# ipsec.conf - strongSwan IPsec configuration file + +# basic configuration + +config setup + charondebug="cfg 2, ike 3" +# strictcrlpolicy=yes +# uniqueids = no + +# Add connections here. + +# Sample VPN connections + +#conn sample-self-signed +# leftsubnet=10.1.0.0/16 +# leftcert=selfCert.der +# leftsendcert=never +# right=192.168.0.2 +# rightsubnet=10.2.0.0/16 +# rightcert=peerCert.der +# auto=start + +#conn sample-with-ca-cert +# leftsubnet=10.1.0.0/16 +# leftcert=myCert.pem +# right=192.168.0.2 +# rightsubnet=10.2.0.0/16 +# rightid="C=CH, O=Linux strongSwan CN=peer name" +# auto=start + + +conn default + leftauth=psk + rightauth=psk + # Encryption Algorithm : aes-128-cbc + # Authentication Algorithm : sha1 + # Perfect Forward Secrecy : Diffie-Hellman Group 2 + ike=aes256-sha256-modp2048s256,aes128-sha1-modp1024! + # Lifetime : 28800 seconds + ikelifetime=28800s + # Phase 1 Negotiation Mode : main + aggressive=no + # Protocol : esp + # Encryption Algorithm : aes-128-cbc + # Authentication Algorithm : hmac-sha1-96 + # Perfect Forward Secrecy : Diffie-Hellman Group 2 + esp=aes128-sha256-modp2048s256,aes128-sha1-modp1024! + # Lifetime : 3600 seconds + lifetime=3600s + # Mode : tunnel + type=tunnel + # DPD Interval : 10 + dpddelay=10s + # DPD Retries : 3 + dpdtimeout=30s + # Tuning Parameters for AWS Virtual Private Gateway: + keyexchange=ikev2 + #keyingtries=%forever + rekey=yes + reauth=no + dpdaction=restart + closeaction=restart + #left=%defaultroute + #leftsubnet=0.0.0.0/0,::/0 + #rightsubnet=0.0.0.0/0,::/0 + leftsubnet=192.168.10.175 + rightsubnet=192.168.10.200 + #leftupdown=/etc/strongswan/ipsec-vti.sh + left=7.7.7.1 + right=7.7.7.254 + installpolicy=yes + compress=no + mobike=no + #VTI Key + mark=100 + auto=start diff --git a/cicd/ipsec-e2e/lgw1_ipsec_config/ipsec.secrets b/cicd/ipsec-e2e/lgw1_ipsec_config/ipsec.secrets new file mode 100644 index 00000000..318cc964 --- /dev/null +++ b/cicd/ipsec-e2e/lgw1_ipsec_config/ipsec.secrets @@ -0,0 +1,3 @@ +#@ /etc/strongswan/ipsec.secrets (Centos) or /etc/ipsec.secrets (Ubuntu) + +7.7.7.1 7.7.7.254 : PSK "loxilb@1234!" diff --git a/cicd/ipsec-e2e/llb1_ipsec_config/charon.conf b/cicd/ipsec-e2e/llb1_ipsec_config/charon.conf new file mode 100644 index 00000000..926ae24a --- /dev/null +++ b/cicd/ipsec-e2e/llb1_ipsec_config/charon.conf @@ -0,0 +1,376 @@ +# Options for the charon IKE daemon. +charon { + + # Accept unencrypted ID and HASH payloads in IKEv1 Main Mode. + # accept_unencrypted_mainmode_messages = no + + # Maximum number of half-open IKE_SAs for a single peer IP. + # block_threshold = 5 + + # Whether Certificate Revocation Lists (CRLs) fetched via HTTP or LDAP + # should be saved under a unique file name derived from the public key of + # the Certification Authority (CA) to /etc/ipsec.d/crls (stroke) or + # /etc/swanctl/x509crl (vici), respectively. + # cache_crls = no + + # Whether relations in validated certificate chains should be cached in + # memory. + # cert_cache = yes + + # Send Cisco Unity vendor ID payload (IKEv1 only). + # cisco_unity = no + + # Close the IKE_SA if setup of the CHILD_SA along with IKE_AUTH failed. + # close_ike_on_child_failure = no + + # Number of half-open IKE_SAs that activate the cookie mechanism. + # cookie_threshold = 10 + + # Delete CHILD_SAs right after they got successfully rekeyed (IKEv1 only). + # delete_rekeyed = no + + # Delay in seconds until inbound IPsec SAs are deleted after rekeyings + # (IKEv2 only). + # delete_rekeyed_delay = 5 + + # Use ANSI X9.42 DH exponent size or optimum size matched to cryptographic + # strength. + # dh_exponent_ansi_x9_42 = yes + + # Use RTLD_NOW with dlopen when loading plugins and IMV/IMCs to reveal + # missing symbols immediately. + # dlopen_use_rtld_now = no + + # DNS server assigned to peer via configuration payload (CP). + # dns1 = + + # DNS server assigned to peer via configuration payload (CP). + # dns2 = + + # Enable Denial of Service protection using cookies and aggressiveness + # checks. + # dos_protection = yes + + # Compliance with the errata for RFC 4753. + # ecp_x_coordinate_only = yes + + # Free objects during authentication (might conflict with plugins). + # flush_auth_cfg = no + + # Whether to follow IKEv2 redirects (RFC 5685). + # follow_redirects = yes + + # Maximum size (complete IP datagram size in bytes) of a sent IKE fragment + # when using proprietary IKEv1 or standardized IKEv2 fragmentation, defaults + # to 1280 (use 0 for address family specific default values, which uses a + # lower value for IPv4). If specified this limit is used for both IPv4 and + # IPv6. + # fragment_size = 1280 + + # Name of the group the daemon changes to after startup. + # group = + + # Timeout in seconds for connecting IKE_SAs (also see IKE_SA_INIT DROPPING). + # half_open_timeout = 30 + + # Enable hash and URL support. + # hash_and_url = no + + # Allow IKEv1 Aggressive Mode with pre-shared keys as responder. + # i_dont_care_about_security_and_use_aggressive_mode_psk = no + + # Whether to ignore the traffic selectors from the kernel's acquire events + # for IKEv2 connections (they are not used for IKEv1). + # ignore_acquire_ts = no + + # A space-separated list of routing tables to be excluded from route + # lookups. + # ignore_routing_tables = + + # Maximum number of IKE_SAs that can be established at the same time before + # new connection attempts are blocked. + # ikesa_limit = 0 + + # Number of exclusively locked segments in the hash table. + # ikesa_table_segments = 1 + + # Size of the IKE_SA hash table. + # ikesa_table_size = 1 + + # Whether to close IKE_SA if the only CHILD_SA closed due to inactivity. + # inactivity_close_ike = no + + # Limit new connections based on the current number of half open IKE_SAs, + # see IKE_SA_INIT DROPPING in strongswan.conf(5). + # init_limit_half_open = 0 + + # Limit new connections based on the number of queued jobs. + # init_limit_job_load = 0 + + # Causes charon daemon to ignore IKE initiation requests. + # initiator_only = no + + # Install routes into a separate routing table for established IPsec + # tunnels. + install_routes = no + + # Install virtual IP addresses. + install_virtual_ip = no + + # The name of the interface on which virtual IP addresses should be + # installed. + # install_virtual_ip_on = + + # Check daemon, libstrongswan and plugin integrity at startup. + # integrity_test = no + + # A comma-separated list of network interfaces that should be ignored, if + # interfaces_use is specified this option has no effect. + # interfaces_ignore = + + # A comma-separated list of network interfaces that should be used by + # charon. All other interfaces are ignored. + # interfaces_use = + + # NAT keep alive interval. + # keep_alive = 20s + + # Plugins to load in the IKE daemon charon. + # load = + + # Determine plugins to load via each plugin's load option. + # load_modular = no + + # Initiate IKEv2 reauthentication with a make-before-break scheme. + # make_before_break = no + + # Maximum number of IKEv1 phase 2 exchanges per IKE_SA to keep state about + # and track concurrently. + # max_ikev1_exchanges = 3 + + # Maximum packet size accepted by charon. + # max_packet = 10000 + + # Enable multiple authentication exchanges (RFC 4739). + # multiple_authentication = yes + + # WINS servers assigned to peer via configuration payload (CP). + # nbns1 = + + # WINS servers assigned to peer via configuration payload (CP). + # nbns2 = + + # UDP port used locally. If set to 0 a random port will be allocated. + # port = 500 + + # UDP port used locally in case of NAT-T. If set to 0 a random port will be + # allocated. Has to be different from charon.port, otherwise a random port + # will be allocated. + # port_nat_t = 4500 + + # Whether to prefer updating SAs to the path with the best route. + # prefer_best_path = no + + # Prefer locally configured proposals for IKE/IPsec over supplied ones as + # responder (disabling this can avoid keying retries due to + # INVALID_KE_PAYLOAD notifies). + # prefer_configured_proposals = yes + + # Controls whether permanent or temporary IPv6 addresses are used as source, + # or announced as additional addresses if MOBIKE is used. + # prefer_temporary_addrs = no + + # Process RTM_NEWROUTE and RTM_DELROUTE events. + # process_route = yes + + # How RDNs in subject DNs of certificates are matched against configured + # identities (strict, reordered, or relaxed). + # rdn_matching = strict + + # Delay in ms for receiving packets, to simulate larger RTT. + # receive_delay = 0 + + # Delay request messages. + # receive_delay_request = yes + + # Delay response messages. + # receive_delay_response = yes + + # Specific IKEv2 message type to delay, 0 for any. + # receive_delay_type = 0 + + # Size of the AH/ESP replay window, in packets. + # replay_window = 32 + + # Base to use for calculating exponential back off, see IKEv2 RETRANSMISSION + # in strongswan.conf(5). + # retransmit_base = 1.8 + + # Maximum jitter in percent to apply randomly to calculated retransmission + # timeout (0 to disable). + # retransmit_jitter = 0 + + # Upper limit in seconds for calculated retransmission timeout (0 to + # disable). + # retransmit_limit = 0 + + # Timeout in seconds before sending first retransmit. + # retransmit_timeout = 4.0 + + # Number of times to retransmit a packet before giving up. + # retransmit_tries = 5 + + # Interval in seconds to use when retrying to initiate an IKE_SA (e.g. if + # DNS resolution failed), 0 to disable retries. + # retry_initiate_interval = 0 + + # Initiate CHILD_SA within existing IKE_SAs (always enabled for IKEv1). + # reuse_ikesa = yes + + # Numerical routing table to install routes to. + # routing_table = + + # Priority of the routing table. + # routing_table_prio = + + # Whether to use RSA with PSS padding instead of PKCS#1 padding by default. + # rsa_pss = no + + # Delay in ms for sending packets, to simulate larger RTT. + # send_delay = 0 + + # Delay request messages. + # send_delay_request = yes + + # Delay response messages. + # send_delay_response = yes + + # Specific IKEv2 message type to delay, 0 for any. + # send_delay_type = 0 + + # Send strongSwan vendor ID payload + # send_vendor_id = no + + # Whether to enable Signature Authentication as per RFC 7427. + # signature_authentication = yes + + # Whether to enable constraints against IKEv2 signature schemes. + # signature_authentication_constraints = yes + + # Value mixed into the local IKE SPIs after applying spi_mask. + # spi_label = 0x0000000000000000 + + # Mask applied to local IKE SPIs before mixing in spi_label (bits set will + # be replaced with spi_label). + # spi_mask = 0x0000000000000000 + + # The upper limit for SPIs requested from the kernel for IPsec SAs. + # spi_max = 0xcfffffff + + # The lower limit for SPIs requested from the kernel for IPsec SAs. + # spi_min = 0xc0000000 + + # Number of worker threads in charon. + # threads = 16 + + # Name of the user the daemon changes to after startup. + # user = + + crypto_test { + + # Benchmark crypto algorithms and order them by efficiency. + # bench = no + + # Buffer size used for crypto benchmark. + # bench_size = 1024 + + # Time in ms during which crypto algorithm performance is measured. + # bench_time = 50 + + # Test crypto algorithms during registration (requires test vectors + # provided by the test-vectors plugin). + # on_add = no + + # Test crypto algorithms on each crypto primitive instantiation. + # on_create = no + + # Strictly require at least one test vector to enable an algorithm. + # required = no + + # Whether to test RNG with TRUE quality; requires a lot of entropy. + # rng_true = no + + } + + host_resolver { + + # Maximum number of concurrent resolver threads (they are terminated if + # unused). + # max_threads = 3 + + # Minimum number of resolver threads to keep around. + # min_threads = 0 + + } + + leak_detective { + + # Includes source file names and line numbers in leak detective output. + # detailed = yes + + # Threshold in bytes for leaks to be reported (0 to report all). + # usage_threshold = 10240 + + # Threshold in number of allocations for leaks to be reported (0 to + # report all). + # usage_threshold_count = 0 + + } + + processor { + + # Section to configure the number of reserved threads per priority class + # see JOB PRIORITY MANAGEMENT in strongswan.conf(5). + priority_threads { + + } + + } + + # Section containing a list of scripts (name = path) that are executed when + # the daemon is started. + start-scripts { + + } + + # Section containing a list of scripts (name = path) that are executed when + # the daemon is terminated. + stop-scripts { + + } + + tls { + + # List of TLS encryption ciphers. + # cipher = + + # List of TLS key exchange methods. + # key_exchange = + + # List of TLS MAC algorithms. + # mac = + + # List of TLS cipher suites. + # suites = + + } + + x509 { + + # Discard certificates with unsupported or unknown critical extensions. + # enforce_critical = yes + + } + +} + diff --git a/cicd/ipsec-e2e/llb1_ipsec_config/ipsec.conf b/cicd/ipsec-e2e/llb1_ipsec_config/ipsec.conf new file mode 100644 index 00000000..785532f9 --- /dev/null +++ b/cicd/ipsec-e2e/llb1_ipsec_config/ipsec.conf @@ -0,0 +1,169 @@ +#@ /etc/strongswan/ipsec.conf (Centos) or /etc/ipsec.conf (Ubuntu) + +# ipsec.conf - strongSwan IPsec configuration file + +# basic configuration + +config setup + charondebug="cfg 2, ike 3" +# strictcrlpolicy=yes +# uniqueids = no + +# Add connections here. + +# Sample VPN connections + +#conn sample-self-signed +# leftsubnet=10.1.0.0/16 +# leftcert=selfCert.der +# leftsendcert=never +# right=192.168.0.2 +# rightsubnet=10.2.0.0/16 +# rightcert=peerCert.der +# auto=start + +#conn sample-with-ca-cert +# leftsubnet=10.1.0.0/16 +# leftcert=myCert.pem +# right=192.168.0.2 +# rightsubnet=10.2.0.0/16 +# rightid="C=CH, O=Linux strongSwan CN=peer name" +# auto=start + +conn llb1-to-lgw1 + leftauth=psk + rightauth=psk + # Encryption Algorithm : aes-128-cbc + # Authentication Algorithm : sha1 + # Perfect Forward Secrecy : Diffie-Hellman Group 2 + ike=aes256-sha256-modp2048s256,aes128-sha1-modp1024! + # Lifetime : 28800 seconds + ikelifetime=28800s + # Phase 1 Negotiation Mode : main + aggressive=no + # Protocol : esp + # Encryption Algorithm : aes-128-cbc + # Authentication Algorithm : hmac-sha1-96 + # Perfect Forward Secrecy : Diffie-Hellman Group 2 + esp=aes128-sha256-modp2048s256,aes128-sha1-modp1024! + # Lifetime : 3600 seconds + lifetime=3600s + # Mode : tunnel + type=tunnel + # DPD Interval : 10 + dpddelay=10s + # DPD Retries : 3 + dpdtimeout=30s + # Tuning Parameters for AWS Virtual Private Gateway: + keyexchange=ikev2 + #keyingtries=%forever + rekey=yes + reauth=no + dpdaction=restart + closeaction=restart + #left=%defaultroute + #leftsubnet=0.0.0.0/0,::/0 + #rightsubnet=0.0.0.0/0,::/0 + leftsubnet=192.168.10.200 + rightsubnet=192.168.10.175 + #leftupdown=/etc/strongswan/ipsec-vti.sh + left=7.7.7.254 + right=7.7.7.1 + installpolicy=yes + compress=no + mobike=no + #VTI Key + mark=100 + auto=start + +conn llb1-to-rgw1 + leftauth=psk + rightauth=psk + # Encryption Algorithm : aes-128-cbc + # Authentication Algorithm : sha1 + # Perfect Forward Secrecy : Diffie-Hellman Group 2 + ike=aes256-sha256-modp2048s256,aes128-sha1-modp1024! + # Lifetime : 28800 seconds + ikelifetime=28800s + # Phase 1 Negotiation Mode : main + aggressive=no + # Protocol : esp + # Encryption Algorithm : aes-128-cbc + # Authentication Algorithm : hmac-sha1-96 + # Perfect Forward Secrecy : Diffie-Hellman Group 2 + esp=aes128-sha256-modp2048s256,aes128-sha1-modp1024! + # Lifetime : 3600 seconds + lifetime=3600s + # Mode : tunnel + type=tunnel + # DPD Interval : 10 + dpddelay=10s + # DPD Retries : 3 + dpdtimeout=30s + # Tuning Parameters for AWS Virtual Private Gateway: + keyexchange=ikev2 + #keyingtries=%forever + rekey=yes + reauth=no + dpdaction=restart + closeaction=restart + #left=%defaultroute + #leftsubnet=0.0.0.0/0,::/0 + #rightsubnet=0.0.0.0/0,::/0 + leftsubnet=192.168.10.200 + rightsubnet=192.168.10.10 + #leftupdown=/etc/strongswan/ipsec-vti.sh + left=8.7.7.254 + right=8.7.7.1 + installpolicy=yes + compress=no + mobike=no + #VTI Key + mark=200 + auto=start + +conn llb1-to-rgw2 + leftauth=psk + rightauth=psk + # Encryption Algorithm : aes-128-cbc + # Authentication Algorithm : sha1 + # Perfect Forward Secrecy : Diffie-Hellman Group 2 + ike=aes256-sha256-modp2048s256,aes128-sha1-modp1024! + # Lifetime : 28800 seconds + ikelifetime=28800s + # Phase 1 Negotiation Mode : main + aggressive=no + # Protocol : esp + # Encryption Algorithm : aes-128-cbc + # Authentication Algorithm : hmac-sha1-96 + # Perfect Forward Secrecy : Diffie-Hellman Group 2 + esp=aes128-sha256-modp2048s256,aes128-sha1-modp1024! + # Lifetime : 3600 seconds + lifetime=3600s + # Mode : tunnel + type=tunnel + # DPD Interval : 10 + dpddelay=10s + # DPD Retries : 3 + dpdtimeout=30s + # Tuning Parameters for AWS Virtual Private Gateway: + keyexchange=ikev2 + #keyingtries=%forever + rekey=yes + reauth=no + dpdaction=restart + closeaction=restart + #left=%defaultroute + #leftsubnet=0.0.0.0/0,::/0 + #rightsubnet=0.0.0.0/0,::/0 + leftsubnet=192.168.10.200 + rightsubnet=192.168.10.11 + #leftupdown=/etc/strongswan/ipsec-vti.sh + left=8.7.7.254 + right=8.7.7.2 + installpolicy=yes + compress=no + mobike=no + #VTI Key + mark=201 + auto=start diff --git a/cicd/ipsec-e2e/llb1_ipsec_config/ipsec.secrets b/cicd/ipsec-e2e/llb1_ipsec_config/ipsec.secrets new file mode 100644 index 00000000..ff2e3907 --- /dev/null +++ b/cicd/ipsec-e2e/llb1_ipsec_config/ipsec.secrets @@ -0,0 +1,5 @@ +#@ /etc/strongswan/ipsec.secrets (Centos) or /etc/ipsec.secrets (Ubuntu) + +7.7.7.254 7.7.7.1 : PSK "loxilb@1234!" +8.7.7.254 8.7.7.1 : PSK "loxilb@1234!" +8.7.7.254 8.7.7.2 : PSK "loxilb@1234!" diff --git a/cicd/ipsec-e2e/rgw1_ipsec_config/charon.conf b/cicd/ipsec-e2e/rgw1_ipsec_config/charon.conf new file mode 100644 index 00000000..926ae24a --- /dev/null +++ b/cicd/ipsec-e2e/rgw1_ipsec_config/charon.conf @@ -0,0 +1,376 @@ +# Options for the charon IKE daemon. +charon { + + # Accept unencrypted ID and HASH payloads in IKEv1 Main Mode. + # accept_unencrypted_mainmode_messages = no + + # Maximum number of half-open IKE_SAs for a single peer IP. + # block_threshold = 5 + + # Whether Certificate Revocation Lists (CRLs) fetched via HTTP or LDAP + # should be saved under a unique file name derived from the public key of + # the Certification Authority (CA) to /etc/ipsec.d/crls (stroke) or + # /etc/swanctl/x509crl (vici), respectively. + # cache_crls = no + + # Whether relations in validated certificate chains should be cached in + # memory. + # cert_cache = yes + + # Send Cisco Unity vendor ID payload (IKEv1 only). + # cisco_unity = no + + # Close the IKE_SA if setup of the CHILD_SA along with IKE_AUTH failed. + # close_ike_on_child_failure = no + + # Number of half-open IKE_SAs that activate the cookie mechanism. + # cookie_threshold = 10 + + # Delete CHILD_SAs right after they got successfully rekeyed (IKEv1 only). + # delete_rekeyed = no + + # Delay in seconds until inbound IPsec SAs are deleted after rekeyings + # (IKEv2 only). + # delete_rekeyed_delay = 5 + + # Use ANSI X9.42 DH exponent size or optimum size matched to cryptographic + # strength. + # dh_exponent_ansi_x9_42 = yes + + # Use RTLD_NOW with dlopen when loading plugins and IMV/IMCs to reveal + # missing symbols immediately. + # dlopen_use_rtld_now = no + + # DNS server assigned to peer via configuration payload (CP). + # dns1 = + + # DNS server assigned to peer via configuration payload (CP). + # dns2 = + + # Enable Denial of Service protection using cookies and aggressiveness + # checks. + # dos_protection = yes + + # Compliance with the errata for RFC 4753. + # ecp_x_coordinate_only = yes + + # Free objects during authentication (might conflict with plugins). + # flush_auth_cfg = no + + # Whether to follow IKEv2 redirects (RFC 5685). + # follow_redirects = yes + + # Maximum size (complete IP datagram size in bytes) of a sent IKE fragment + # when using proprietary IKEv1 or standardized IKEv2 fragmentation, defaults + # to 1280 (use 0 for address family specific default values, which uses a + # lower value for IPv4). If specified this limit is used for both IPv4 and + # IPv6. + # fragment_size = 1280 + + # Name of the group the daemon changes to after startup. + # group = + + # Timeout in seconds for connecting IKE_SAs (also see IKE_SA_INIT DROPPING). + # half_open_timeout = 30 + + # Enable hash and URL support. + # hash_and_url = no + + # Allow IKEv1 Aggressive Mode with pre-shared keys as responder. + # i_dont_care_about_security_and_use_aggressive_mode_psk = no + + # Whether to ignore the traffic selectors from the kernel's acquire events + # for IKEv2 connections (they are not used for IKEv1). + # ignore_acquire_ts = no + + # A space-separated list of routing tables to be excluded from route + # lookups. + # ignore_routing_tables = + + # Maximum number of IKE_SAs that can be established at the same time before + # new connection attempts are blocked. + # ikesa_limit = 0 + + # Number of exclusively locked segments in the hash table. + # ikesa_table_segments = 1 + + # Size of the IKE_SA hash table. + # ikesa_table_size = 1 + + # Whether to close IKE_SA if the only CHILD_SA closed due to inactivity. + # inactivity_close_ike = no + + # Limit new connections based on the current number of half open IKE_SAs, + # see IKE_SA_INIT DROPPING in strongswan.conf(5). + # init_limit_half_open = 0 + + # Limit new connections based on the number of queued jobs. + # init_limit_job_load = 0 + + # Causes charon daemon to ignore IKE initiation requests. + # initiator_only = no + + # Install routes into a separate routing table for established IPsec + # tunnels. + install_routes = no + + # Install virtual IP addresses. + install_virtual_ip = no + + # The name of the interface on which virtual IP addresses should be + # installed. + # install_virtual_ip_on = + + # Check daemon, libstrongswan and plugin integrity at startup. + # integrity_test = no + + # A comma-separated list of network interfaces that should be ignored, if + # interfaces_use is specified this option has no effect. + # interfaces_ignore = + + # A comma-separated list of network interfaces that should be used by + # charon. All other interfaces are ignored. + # interfaces_use = + + # NAT keep alive interval. + # keep_alive = 20s + + # Plugins to load in the IKE daemon charon. + # load = + + # Determine plugins to load via each plugin's load option. + # load_modular = no + + # Initiate IKEv2 reauthentication with a make-before-break scheme. + # make_before_break = no + + # Maximum number of IKEv1 phase 2 exchanges per IKE_SA to keep state about + # and track concurrently. + # max_ikev1_exchanges = 3 + + # Maximum packet size accepted by charon. + # max_packet = 10000 + + # Enable multiple authentication exchanges (RFC 4739). + # multiple_authentication = yes + + # WINS servers assigned to peer via configuration payload (CP). + # nbns1 = + + # WINS servers assigned to peer via configuration payload (CP). + # nbns2 = + + # UDP port used locally. If set to 0 a random port will be allocated. + # port = 500 + + # UDP port used locally in case of NAT-T. If set to 0 a random port will be + # allocated. Has to be different from charon.port, otherwise a random port + # will be allocated. + # port_nat_t = 4500 + + # Whether to prefer updating SAs to the path with the best route. + # prefer_best_path = no + + # Prefer locally configured proposals for IKE/IPsec over supplied ones as + # responder (disabling this can avoid keying retries due to + # INVALID_KE_PAYLOAD notifies). + # prefer_configured_proposals = yes + + # Controls whether permanent or temporary IPv6 addresses are used as source, + # or announced as additional addresses if MOBIKE is used. + # prefer_temporary_addrs = no + + # Process RTM_NEWROUTE and RTM_DELROUTE events. + # process_route = yes + + # How RDNs in subject DNs of certificates are matched against configured + # identities (strict, reordered, or relaxed). + # rdn_matching = strict + + # Delay in ms for receiving packets, to simulate larger RTT. + # receive_delay = 0 + + # Delay request messages. + # receive_delay_request = yes + + # Delay response messages. + # receive_delay_response = yes + + # Specific IKEv2 message type to delay, 0 for any. + # receive_delay_type = 0 + + # Size of the AH/ESP replay window, in packets. + # replay_window = 32 + + # Base to use for calculating exponential back off, see IKEv2 RETRANSMISSION + # in strongswan.conf(5). + # retransmit_base = 1.8 + + # Maximum jitter in percent to apply randomly to calculated retransmission + # timeout (0 to disable). + # retransmit_jitter = 0 + + # Upper limit in seconds for calculated retransmission timeout (0 to + # disable). + # retransmit_limit = 0 + + # Timeout in seconds before sending first retransmit. + # retransmit_timeout = 4.0 + + # Number of times to retransmit a packet before giving up. + # retransmit_tries = 5 + + # Interval in seconds to use when retrying to initiate an IKE_SA (e.g. if + # DNS resolution failed), 0 to disable retries. + # retry_initiate_interval = 0 + + # Initiate CHILD_SA within existing IKE_SAs (always enabled for IKEv1). + # reuse_ikesa = yes + + # Numerical routing table to install routes to. + # routing_table = + + # Priority of the routing table. + # routing_table_prio = + + # Whether to use RSA with PSS padding instead of PKCS#1 padding by default. + # rsa_pss = no + + # Delay in ms for sending packets, to simulate larger RTT. + # send_delay = 0 + + # Delay request messages. + # send_delay_request = yes + + # Delay response messages. + # send_delay_response = yes + + # Specific IKEv2 message type to delay, 0 for any. + # send_delay_type = 0 + + # Send strongSwan vendor ID payload + # send_vendor_id = no + + # Whether to enable Signature Authentication as per RFC 7427. + # signature_authentication = yes + + # Whether to enable constraints against IKEv2 signature schemes. + # signature_authentication_constraints = yes + + # Value mixed into the local IKE SPIs after applying spi_mask. + # spi_label = 0x0000000000000000 + + # Mask applied to local IKE SPIs before mixing in spi_label (bits set will + # be replaced with spi_label). + # spi_mask = 0x0000000000000000 + + # The upper limit for SPIs requested from the kernel for IPsec SAs. + # spi_max = 0xcfffffff + + # The lower limit for SPIs requested from the kernel for IPsec SAs. + # spi_min = 0xc0000000 + + # Number of worker threads in charon. + # threads = 16 + + # Name of the user the daemon changes to after startup. + # user = + + crypto_test { + + # Benchmark crypto algorithms and order them by efficiency. + # bench = no + + # Buffer size used for crypto benchmark. + # bench_size = 1024 + + # Time in ms during which crypto algorithm performance is measured. + # bench_time = 50 + + # Test crypto algorithms during registration (requires test vectors + # provided by the test-vectors plugin). + # on_add = no + + # Test crypto algorithms on each crypto primitive instantiation. + # on_create = no + + # Strictly require at least one test vector to enable an algorithm. + # required = no + + # Whether to test RNG with TRUE quality; requires a lot of entropy. + # rng_true = no + + } + + host_resolver { + + # Maximum number of concurrent resolver threads (they are terminated if + # unused). + # max_threads = 3 + + # Minimum number of resolver threads to keep around. + # min_threads = 0 + + } + + leak_detective { + + # Includes source file names and line numbers in leak detective output. + # detailed = yes + + # Threshold in bytes for leaks to be reported (0 to report all). + # usage_threshold = 10240 + + # Threshold in number of allocations for leaks to be reported (0 to + # report all). + # usage_threshold_count = 0 + + } + + processor { + + # Section to configure the number of reserved threads per priority class + # see JOB PRIORITY MANAGEMENT in strongswan.conf(5). + priority_threads { + + } + + } + + # Section containing a list of scripts (name = path) that are executed when + # the daemon is started. + start-scripts { + + } + + # Section containing a list of scripts (name = path) that are executed when + # the daemon is terminated. + stop-scripts { + + } + + tls { + + # List of TLS encryption ciphers. + # cipher = + + # List of TLS key exchange methods. + # key_exchange = + + # List of TLS MAC algorithms. + # mac = + + # List of TLS cipher suites. + # suites = + + } + + x509 { + + # Discard certificates with unsupported or unknown critical extensions. + # enforce_critical = yes + + } + +} + diff --git a/cicd/ipsec-e2e/rgw1_ipsec_config/ipsec.conf b/cicd/ipsec-e2e/rgw1_ipsec_config/ipsec.conf new file mode 100644 index 00000000..43da92c5 --- /dev/null +++ b/cicd/ipsec-e2e/rgw1_ipsec_config/ipsec.conf @@ -0,0 +1,76 @@ +#@ /etc/strongswan/ipsec.conf (Centos) or /etc/ipsec.conf (Ubuntu) + +# ipsec.conf - strongSwan IPsec configuration file + +# basic configuration + +config setup + charondebug="cfg 2, ike 3" +# strictcrlpolicy=yes +# uniqueids = no + +# Add connections here. + +# Sample VPN connections + +#conn sample-self-signed +# leftsubnet=10.1.0.0/16 +# leftcert=selfCert.der +# leftsendcert=never +# right=192.168.0.2 +# rightsubnet=10.2.0.0/16 +# rightcert=peerCert.der +# auto=start + +#conn sample-with-ca-cert +# leftsubnet=10.1.0.0/16 +# leftcert=myCert.pem +# right=192.168.0.2 +# rightsubnet=10.2.0.0/16 +# rightid="C=CH, O=Linux strongSwan CN=peer name" +# auto=start + + +conn rgw1-to-llb1 + leftauth=psk + rightauth=psk + # Encryption Algorithm : aes-128-cbc + # Authentication Algorithm : sha1 + # Perfect Forward Secrecy : Diffie-Hellman Group 2 + ike=aes256-sha256-modp2048s256,aes128-sha1-modp1024! + # Lifetime : 28800 seconds + ikelifetime=28800s + # Phase 1 Negotiation Mode : main + aggressive=no + # Protocol : esp + # Encryption Algorithm : aes-128-cbc + # Authentication Algorithm : hmac-sha1-96 + # Perfect Forward Secrecy : Diffie-Hellman Group 2 + esp=aes128-sha256-modp2048s256,aes128-sha1-modp1024! + # Lifetime : 3600 seconds + lifetime=3600s + # Mode : tunnel + type=tunnel + # DPD Interval : 10 + dpddelay=10s + # DPD Retries : 3 + dpdtimeout=30s + # Tuning Parameters for AWS Virtual Private Gateway: + keyexchange=ikev2 + #keyingtries=%forever + rekey=yes + reauth=no + dpdaction=restart + closeaction=restart + #left=%defaultroute + leftsubnet=192.168.10.10 + rightsubnet=192.168.10.200 + #leftupdown=/etc/strongswan/ipsec-vti.sh + left=8.7.7.1 + right=8.7.7.254 + installpolicy=yes + compress=no + mobike=no + #VTI Key + mark=200 + auto=start diff --git a/cicd/ipsec-e2e/rgw1_ipsec_config/ipsec.secrets b/cicd/ipsec-e2e/rgw1_ipsec_config/ipsec.secrets new file mode 100644 index 00000000..4e71446d --- /dev/null +++ b/cicd/ipsec-e2e/rgw1_ipsec_config/ipsec.secrets @@ -0,0 +1,3 @@ +#@ /etc/strongswan/ipsec.secrets (Centos) or /etc/ipsec.secrets (Ubuntu) + +8.7.7.1 8.7.7.254 : PSK "loxilb@1234!" diff --git a/cicd/ipsec-e2e/rgw2_ipsec_config/charon.conf b/cicd/ipsec-e2e/rgw2_ipsec_config/charon.conf new file mode 100644 index 00000000..926ae24a --- /dev/null +++ b/cicd/ipsec-e2e/rgw2_ipsec_config/charon.conf @@ -0,0 +1,376 @@ +# Options for the charon IKE daemon. +charon { + + # Accept unencrypted ID and HASH payloads in IKEv1 Main Mode. + # accept_unencrypted_mainmode_messages = no + + # Maximum number of half-open IKE_SAs for a single peer IP. + # block_threshold = 5 + + # Whether Certificate Revocation Lists (CRLs) fetched via HTTP or LDAP + # should be saved under a unique file name derived from the public key of + # the Certification Authority (CA) to /etc/ipsec.d/crls (stroke) or + # /etc/swanctl/x509crl (vici), respectively. + # cache_crls = no + + # Whether relations in validated certificate chains should be cached in + # memory. + # cert_cache = yes + + # Send Cisco Unity vendor ID payload (IKEv1 only). + # cisco_unity = no + + # Close the IKE_SA if setup of the CHILD_SA along with IKE_AUTH failed. + # close_ike_on_child_failure = no + + # Number of half-open IKE_SAs that activate the cookie mechanism. + # cookie_threshold = 10 + + # Delete CHILD_SAs right after they got successfully rekeyed (IKEv1 only). + # delete_rekeyed = no + + # Delay in seconds until inbound IPsec SAs are deleted after rekeyings + # (IKEv2 only). + # delete_rekeyed_delay = 5 + + # Use ANSI X9.42 DH exponent size or optimum size matched to cryptographic + # strength. + # dh_exponent_ansi_x9_42 = yes + + # Use RTLD_NOW with dlopen when loading plugins and IMV/IMCs to reveal + # missing symbols immediately. + # dlopen_use_rtld_now = no + + # DNS server assigned to peer via configuration payload (CP). + # dns1 = + + # DNS server assigned to peer via configuration payload (CP). + # dns2 = + + # Enable Denial of Service protection using cookies and aggressiveness + # checks. + # dos_protection = yes + + # Compliance with the errata for RFC 4753. + # ecp_x_coordinate_only = yes + + # Free objects during authentication (might conflict with plugins). + # flush_auth_cfg = no + + # Whether to follow IKEv2 redirects (RFC 5685). + # follow_redirects = yes + + # Maximum size (complete IP datagram size in bytes) of a sent IKE fragment + # when using proprietary IKEv1 or standardized IKEv2 fragmentation, defaults + # to 1280 (use 0 for address family specific default values, which uses a + # lower value for IPv4). If specified this limit is used for both IPv4 and + # IPv6. + # fragment_size = 1280 + + # Name of the group the daemon changes to after startup. + # group = + + # Timeout in seconds for connecting IKE_SAs (also see IKE_SA_INIT DROPPING). + # half_open_timeout = 30 + + # Enable hash and URL support. + # hash_and_url = no + + # Allow IKEv1 Aggressive Mode with pre-shared keys as responder. + # i_dont_care_about_security_and_use_aggressive_mode_psk = no + + # Whether to ignore the traffic selectors from the kernel's acquire events + # for IKEv2 connections (they are not used for IKEv1). + # ignore_acquire_ts = no + + # A space-separated list of routing tables to be excluded from route + # lookups. + # ignore_routing_tables = + + # Maximum number of IKE_SAs that can be established at the same time before + # new connection attempts are blocked. + # ikesa_limit = 0 + + # Number of exclusively locked segments in the hash table. + # ikesa_table_segments = 1 + + # Size of the IKE_SA hash table. + # ikesa_table_size = 1 + + # Whether to close IKE_SA if the only CHILD_SA closed due to inactivity. + # inactivity_close_ike = no + + # Limit new connections based on the current number of half open IKE_SAs, + # see IKE_SA_INIT DROPPING in strongswan.conf(5). + # init_limit_half_open = 0 + + # Limit new connections based on the number of queued jobs. + # init_limit_job_load = 0 + + # Causes charon daemon to ignore IKE initiation requests. + # initiator_only = no + + # Install routes into a separate routing table for established IPsec + # tunnels. + install_routes = no + + # Install virtual IP addresses. + install_virtual_ip = no + + # The name of the interface on which virtual IP addresses should be + # installed. + # install_virtual_ip_on = + + # Check daemon, libstrongswan and plugin integrity at startup. + # integrity_test = no + + # A comma-separated list of network interfaces that should be ignored, if + # interfaces_use is specified this option has no effect. + # interfaces_ignore = + + # A comma-separated list of network interfaces that should be used by + # charon. All other interfaces are ignored. + # interfaces_use = + + # NAT keep alive interval. + # keep_alive = 20s + + # Plugins to load in the IKE daemon charon. + # load = + + # Determine plugins to load via each plugin's load option. + # load_modular = no + + # Initiate IKEv2 reauthentication with a make-before-break scheme. + # make_before_break = no + + # Maximum number of IKEv1 phase 2 exchanges per IKE_SA to keep state about + # and track concurrently. + # max_ikev1_exchanges = 3 + + # Maximum packet size accepted by charon. + # max_packet = 10000 + + # Enable multiple authentication exchanges (RFC 4739). + # multiple_authentication = yes + + # WINS servers assigned to peer via configuration payload (CP). + # nbns1 = + + # WINS servers assigned to peer via configuration payload (CP). + # nbns2 = + + # UDP port used locally. If set to 0 a random port will be allocated. + # port = 500 + + # UDP port used locally in case of NAT-T. If set to 0 a random port will be + # allocated. Has to be different from charon.port, otherwise a random port + # will be allocated. + # port_nat_t = 4500 + + # Whether to prefer updating SAs to the path with the best route. + # prefer_best_path = no + + # Prefer locally configured proposals for IKE/IPsec over supplied ones as + # responder (disabling this can avoid keying retries due to + # INVALID_KE_PAYLOAD notifies). + # prefer_configured_proposals = yes + + # Controls whether permanent or temporary IPv6 addresses are used as source, + # or announced as additional addresses if MOBIKE is used. + # prefer_temporary_addrs = no + + # Process RTM_NEWROUTE and RTM_DELROUTE events. + # process_route = yes + + # How RDNs in subject DNs of certificates are matched against configured + # identities (strict, reordered, or relaxed). + # rdn_matching = strict + + # Delay in ms for receiving packets, to simulate larger RTT. + # receive_delay = 0 + + # Delay request messages. + # receive_delay_request = yes + + # Delay response messages. + # receive_delay_response = yes + + # Specific IKEv2 message type to delay, 0 for any. + # receive_delay_type = 0 + + # Size of the AH/ESP replay window, in packets. + # replay_window = 32 + + # Base to use for calculating exponential back off, see IKEv2 RETRANSMISSION + # in strongswan.conf(5). + # retransmit_base = 1.8 + + # Maximum jitter in percent to apply randomly to calculated retransmission + # timeout (0 to disable). + # retransmit_jitter = 0 + + # Upper limit in seconds for calculated retransmission timeout (0 to + # disable). + # retransmit_limit = 0 + + # Timeout in seconds before sending first retransmit. + # retransmit_timeout = 4.0 + + # Number of times to retransmit a packet before giving up. + # retransmit_tries = 5 + + # Interval in seconds to use when retrying to initiate an IKE_SA (e.g. if + # DNS resolution failed), 0 to disable retries. + # retry_initiate_interval = 0 + + # Initiate CHILD_SA within existing IKE_SAs (always enabled for IKEv1). + # reuse_ikesa = yes + + # Numerical routing table to install routes to. + # routing_table = + + # Priority of the routing table. + # routing_table_prio = + + # Whether to use RSA with PSS padding instead of PKCS#1 padding by default. + # rsa_pss = no + + # Delay in ms for sending packets, to simulate larger RTT. + # send_delay = 0 + + # Delay request messages. + # send_delay_request = yes + + # Delay response messages. + # send_delay_response = yes + + # Specific IKEv2 message type to delay, 0 for any. + # send_delay_type = 0 + + # Send strongSwan vendor ID payload + # send_vendor_id = no + + # Whether to enable Signature Authentication as per RFC 7427. + # signature_authentication = yes + + # Whether to enable constraints against IKEv2 signature schemes. + # signature_authentication_constraints = yes + + # Value mixed into the local IKE SPIs after applying spi_mask. + # spi_label = 0x0000000000000000 + + # Mask applied to local IKE SPIs before mixing in spi_label (bits set will + # be replaced with spi_label). + # spi_mask = 0x0000000000000000 + + # The upper limit for SPIs requested from the kernel for IPsec SAs. + # spi_max = 0xcfffffff + + # The lower limit for SPIs requested from the kernel for IPsec SAs. + # spi_min = 0xc0000000 + + # Number of worker threads in charon. + # threads = 16 + + # Name of the user the daemon changes to after startup. + # user = + + crypto_test { + + # Benchmark crypto algorithms and order them by efficiency. + # bench = no + + # Buffer size used for crypto benchmark. + # bench_size = 1024 + + # Time in ms during which crypto algorithm performance is measured. + # bench_time = 50 + + # Test crypto algorithms during registration (requires test vectors + # provided by the test-vectors plugin). + # on_add = no + + # Test crypto algorithms on each crypto primitive instantiation. + # on_create = no + + # Strictly require at least one test vector to enable an algorithm. + # required = no + + # Whether to test RNG with TRUE quality; requires a lot of entropy. + # rng_true = no + + } + + host_resolver { + + # Maximum number of concurrent resolver threads (they are terminated if + # unused). + # max_threads = 3 + + # Minimum number of resolver threads to keep around. + # min_threads = 0 + + } + + leak_detective { + + # Includes source file names and line numbers in leak detective output. + # detailed = yes + + # Threshold in bytes for leaks to be reported (0 to report all). + # usage_threshold = 10240 + + # Threshold in number of allocations for leaks to be reported (0 to + # report all). + # usage_threshold_count = 0 + + } + + processor { + + # Section to configure the number of reserved threads per priority class + # see JOB PRIORITY MANAGEMENT in strongswan.conf(5). + priority_threads { + + } + + } + + # Section containing a list of scripts (name = path) that are executed when + # the daemon is started. + start-scripts { + + } + + # Section containing a list of scripts (name = path) that are executed when + # the daemon is terminated. + stop-scripts { + + } + + tls { + + # List of TLS encryption ciphers. + # cipher = + + # List of TLS key exchange methods. + # key_exchange = + + # List of TLS MAC algorithms. + # mac = + + # List of TLS cipher suites. + # suites = + + } + + x509 { + + # Discard certificates with unsupported or unknown critical extensions. + # enforce_critical = yes + + } + +} + diff --git a/cicd/ipsec-e2e/rgw2_ipsec_config/ipsec.conf b/cicd/ipsec-e2e/rgw2_ipsec_config/ipsec.conf new file mode 100644 index 00000000..f173a905 --- /dev/null +++ b/cicd/ipsec-e2e/rgw2_ipsec_config/ipsec.conf @@ -0,0 +1,76 @@ +#@ /etc/strongswan/ipsec.conf (Centos) or /etc/ipsec.conf (Ubuntu) + +# ipsec.conf - strongSwan IPsec configuration file + +# basic configuration + +config setup + charondebug="cfg 2, ike 3" +# strictcrlpolicy=yes +# uniqueids = no + +# Add connections here. + +# Sample VPN connections + +#conn sample-self-signed +# leftsubnet=10.1.0.0/16 +# leftcert=selfCert.der +# leftsendcert=never +# right=192.168.0.2 +# rightsubnet=10.2.0.0/16 +# rightcert=peerCert.der +# auto=start + +#conn sample-with-ca-cert +# leftsubnet=10.1.0.0/16 +# leftcert=myCert.pem +# right=192.168.0.2 +# rightsubnet=10.2.0.0/16 +# rightid="C=CH, O=Linux strongSwan CN=peer name" +# auto=start + + +conn rgw2-to-llb1 + leftauth=psk + rightauth=psk + # Encryption Algorithm : aes-128-cbc + # Authentication Algorithm : sha1 + # Perfect Forward Secrecy : Diffie-Hellman Group 2 + ike=aes256-sha256-modp2048s256,aes128-sha1-modp1024! + # Lifetime : 28800 seconds + ikelifetime=28800s + # Phase 1 Negotiation Mode : main + aggressive=no + # Protocol : esp + # Encryption Algorithm : aes-128-cbc + # Authentication Algorithm : hmac-sha1-96 + # Perfect Forward Secrecy : Diffie-Hellman Group 2 + esp=aes128-sha256-modp2048s256,aes128-sha1-modp1024! + # Lifetime : 3600 seconds + lifetime=3600s + # Mode : tunnel + type=tunnel + # DPD Interval : 10 + dpddelay=10s + # DPD Retries : 3 + dpdtimeout=30s + # Tuning Parameters for AWS Virtual Private Gateway: + keyexchange=ikev2 + #keyingtries=%forever + rekey=yes + reauth=no + dpdaction=restart + closeaction=restart + #left=%defaultroute + leftsubnet=192.168.10.11 + rightsubnet=192.168.10.200 + #leftupdown=/etc/strongswan/ipsec-vti.sh + left=8.7.7.2 + right=8.7.7.254 + installpolicy=yes + compress=no + mobike=no + #VTI Key + mark=201 + auto=start diff --git a/cicd/ipsec-e2e/rgw2_ipsec_config/ipsec.secrets b/cicd/ipsec-e2e/rgw2_ipsec_config/ipsec.secrets new file mode 100644 index 00000000..b24a6b9b --- /dev/null +++ b/cicd/ipsec-e2e/rgw2_ipsec_config/ipsec.secrets @@ -0,0 +1,3 @@ +#@ /etc/strongswan/ipsec.secrets (Centos) or /etc/ipsec.secrets (Ubuntu) + +8.7.7.2 8.7.7.254 : PSK "loxilb@1234!" diff --git a/cicd/ipsec-e2e/rmconfig.sh b/cicd/ipsec-e2e/rmconfig.sh new file mode 100755 index 00000000..a7406048 --- /dev/null +++ b/cicd/ipsec-e2e/rmconfig.sh @@ -0,0 +1,22 @@ +#!/bin/bash + +source ../common.sh + +disconnect_docker_hosts lh1 lgw1 +disconnect_docker_hosts lgw1 llb1 +disconnect_docker_hosts llb1 rgw1 +disconnect_docker_hosts llb1 rgw2 +disconnect_docker_hosts rgw1 rh1 +disconnect_docker_hosts rgw2 rh2 + +delete_docker_host llb1 +delete_docker_host lgw1 +delete_docker_host rgw1 +delete_docker_host rgw2 +delete_docker_host lh1 +delete_docker_host rh1 +delete_docker_host rh2 + +echo "#########################################" +echo "Deleted testbed" +echo "#########################################" diff --git a/cicd/ipsec-e2e/validation.sh b/cicd/ipsec-e2e/validation.sh new file mode 100755 index 00000000..e28b28d1 --- /dev/null +++ b/cicd/ipsec-e2e/validation.sh @@ -0,0 +1,61 @@ +#!/bin/bash +source ../common.sh +echo IPSEC-e2e +$hexec rh1 node ../common/tcp_server.js server1 & +$hexec rh2 node ../common/tcp_server.js server2 & + +sleep 2 +lgw1_rx1=`$hexec lgw1 ifconfig vti100 | grep "RX packets" | cut -d " " -f 11` +lgw1_tx1=`$hexec lgw1 ifconfig vti100 | grep "TX packets" | cut -d " " -f 11` +llb1_rx1=`$hexec llb1 ifconfig vti100 | grep "RX packets" | cut -d " " -f 11` +llb1_tx1=`$hexec llb1 ifconfig vti100 | grep "TX packets" | cut -d " " -f 11` +llb1_rx2=`$hexec llb1 ifconfig vti200 | grep "RX packets" | cut -d " " -f 11` +llb1_tx2=`$hexec llb1 ifconfig vti200 | grep "TX packets" | cut -d " " -f 11` +llb1_rx3=`$hexec llb1 ifconfig vti201 | grep "RX packets" | cut -d " " -f 11` +llb1_tx3=`$hexec llb1 ifconfig vti201 | grep "TX packets" | cut -d " " -f 11` + +rgw1_rx1=`$hexec rgw1 ifconfig vti200 | grep "RX packets" | cut -d " " -f 11` +rgw1_tx1=`$hexec rgw1 ifconfig vti200 | grep "TX packets" | cut -d " " -f 11` +rgw2_rx1=`$hexec rgw2 ifconfig vti201 | grep "RX packets" | cut -d " " -f 11` +rgw2_tx1=`$hexec rgw2 ifconfig vti201 | grep "TX packets" | cut -d " " -f 11` + +code=0 +servArr=( "server1" "server2" ) +vip=( "192.168.10.200" ) + +for j in {0..3} +do +for i in {0..1} +do + res=`$hexec lh1 curl --max-time 10 -s http://${vip[0]}:2020` + echo -e $res + if [[ "x$res" != "x${servArr[$i]}" ]] + then + echo -e "Expected ${servArr[$i]}, Received : $res" + if [[ "$res" != *"server"* ]]; + then + echo "lgw1 ct" + $dexec lgw1 loxicmd get ct + echo "llb1 ct" + $dexec llb1 loxicmd get ct + echo "rgw1 ct" + $dexec rgw1 loxicmd get ct + echo "rgw2 ct" + $dexec rgw2 loxicmd get ct + echo "llb1 ip neigh" + $dexec llb1 ip neigh + fi + code=1 + fi + sleep 1 +done +done +if [[ $code == 0 ]] +then + echo IPSEC-3 [OK] +else + echo IPSEC-3 [FAILED] +fi +sudo pkill node +exit $code +