Swanctl: Unterschied zwischen den Versionen

Aus Xinux Wiki
Zur Navigation springen Zur Suche springen
 
(11 dazwischenliegende Versionen von 2 Benutzern werden nicht angezeigt)
Zeile 1: Zeile 1:
 
=(re-)load connection configuration=
 
=(re-)load connection configuration=
 
*swanctl -c
 
*swanctl -c
  loaded connection 'net-net'
+
  loaded connection 'net'
 
  successfully loaded 1 connections, 0 unloaded
 
  successfully loaded 1 connections, 0 unloaded
 +
=(re-)load credentials=
 +
*swanctl -s
 +
loaded ike secret 'ike-net'
 +
 +
=load credentials, authorities, pools and connections=
 +
*swanctl -q
 +
<pre>
 +
loaded ike secret 'ike-net'
 +
no authorities found, 0 unloaded
 +
no pools found, 0 unloaded
 +
loaded connection 'net'
 +
successfully loaded 1 connections, 0 unloaded
 +
</pre>
 +
 
=initiate a connection=
 
=initiate a connection=
*swanctl --initiate --child net
+
*swanctl --initiate --child net-1
 
<pre>
 
<pre>
[ENC] generating QUICK_MODE request 661387916 [ HASH SA No KE ID ID ]
+
[ENC] generating QUICK_MODE request 2770629131 [ HASH SA No KE ID ID ]
 
[NET] sending packet: from 10.84.252.40[500] to 10.84.252.32[500] (460 bytes)
 
[NET] sending packet: from 10.84.252.40[500] to 10.84.252.32[500] (460 bytes)
 
[NET] received packet: from 10.84.252.32[500] to 10.84.252.40[500] (460 bytes)
 
[NET] received packet: from 10.84.252.32[500] to 10.84.252.40[500] (460 bytes)
[ENC] parsed QUICK_MODE response 661387916 [ HASH SA No KE ID ID ]
+
[ENC] parsed QUICK_MODE response 2770629131 [ HASH SA No KE ID ID ]
[IKE] CHILD_SA net{7} established with SPIs c7a4e05a_i c95bd1a5_o and TS 10.83.40.0/24 === 10.83.32.0/24
+
[IKE] CHILD_SA net-1{2} established with SPIs cad409e6_i c02e7852_o and TS 10.83.40.0/24 === 10.83.32.0/24
[ENC] generating QUICK_MODE request 661387916 [ HASH ]
+
[ENC] generating QUICK_MODE request 2770629131 [ HASH ]
 
[NET] sending packet: from 10.84.252.40[500] to 10.84.252.32[500] (76 bytes)
 
[NET] sending packet: from 10.84.252.40[500] to 10.84.252.32[500] (76 bytes)
 
initiate completed successfully
 
initiate completed successfully
 
</pre>
 
</pre>
 +
 
=terminate a connection=
 
=terminate a connection=
*swanctl --terminate --child net
+
*swanctl --terminate --child net-1
 
<pre>
 
<pre>
[IKE] closing CHILD_SA net{6} with SPIs c1ea2318_i (0 bytes) c3ede3a4_o (0 bytes) and TS 10.83.40.0/24 === 10.83.32.0/24
+
[IKE] closing CHILD_SA net-1{1} with SPIs c2b81202_i (0 bytes) c817d05d_o (0 bytes) and TS 10.83.40.0/24 === 10.83.32.0/24
[IKE] sending DELETE for ESP CHILD_SA with SPI c1ea2318
+
[IKE] sending DELETE for ESP CHILD_SA with SPI c2b81202
[ENC] generating INFORMATIONAL_V1 request 2587432778 [ HASH D ]
+
[ENC] generating INFORMATIONAL_V1 request 328806429 [ HASH D ]
[NET] sending packet: from 10.84.252.40[500] to 10.84.252.32[500] (92 bytes)
 
[IKE] closing CHILD_SA net{7} with SPIs c7a4e05a_i (0 bytes) c95bd1a5_o (0 bytes) and TS 10.83.40.0/24 === 10.83.32.0/24
 
[IKE] sending DELETE for ESP CHILD_SA with SPI c7a4e05a
 
[ENC] generating INFORMATIONAL_V1 request 1981643187 [ HASH D ]
 
 
[NET] sending packet: from 10.84.252.40[500] to 10.84.252.32[500] (92 bytes)
 
[NET] sending packet: from 10.84.252.40[500] to 10.84.252.32[500] (92 bytes)
 +
[IKE] closing CHILD_SA net-1{2} with SPIs cad409e6_i (0 bytes) c02e7852_o (0 bytes) and TS 10.83.40.0/24 === 10.83.32.0/24
 
terminate completed successfully
 
terminate completed successfully
 
</pre>
 
</pre>
 +
 +
=list loaded configurations=
 +
*swanctl --list-conn
 +
<pre>
 +
net-net: IKEv1, reauthentication every 3600s
 +
  local:  10.84.252.40
 +
  remote: 10.84.252.32
 +
  local pre-shared key authentication:
 +
    id: 10.84.252.40
 +
  remote pre-shared key authentication:
 +
    id: 10.84.252.32
 +
  net: TUNNEL, rekeying every 600s
 +
    local:  10.83.40.0/24
 +
    remote: 10.83.32.0/24
 +
</pre>
 +
 
=rekey an SA=
 
=rekey an SA=
*swanctl --rekey --child net
+
*swanctl --rekey --child net-1
 
  rekey completed successfully
 
  rekey completed successfully
 +
 
=log=
 
=log=
 
*swanctl --log
 
*swanctl --log
 
<pre>
 
<pre>
09[CFG] vici rekey CHILD_SA 'net'
+
09[CFG] vici rekey CHILD_SA 'net-1'
 
09[ENC] generating QUICK_MODE request 2013598800 [ HASH SA No KE ID ID ]
 
09[ENC] generating QUICK_MODE request 2013598800 [ HASH SA No KE ID ID ]
 
09[NET] sending packet: from 10.84.252.40[500] to 10.84.252.32[500] (460 bytes)
 
09[NET] sending packet: from 10.84.252.40[500] to 10.84.252.32[500] (460 bytes)
Zeile 43: Zeile 72:
 
13[NET] sending packet: from 10.84.252.40[500] to 10.84.252.32[500] (76 bytes)
 
13[NET] sending packet: from 10.84.252.40[500] to 10.84.252.32[500] (76 bytes)
 
</pre>
 
</pre>
 +
 
=list currently active IKE_SA=
 
=list currently active IKE_SA=
 
*swanctl --list-sas
 
*swanctl --list-sas
 
<pre>
 
<pre>
net-net: #16, ESTABLISHED, IKEv1, a1fb1d5845410355_i* 852dddf52f17ea70_r
+
net: #3, ESTABLISHED, IKEv1, 41805ab3792c873b_i* 7f163baa33346484_r
 
   local  '10.84.252.40' @ 10.84.252.40[500]
 
   local  '10.84.252.40' @ 10.84.252.40[500]
 
   remote '10.84.252.32' @ 10.84.252.32[500]
 
   remote '10.84.252.32' @ 10.84.252.32[500]
 
   AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
 
   AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
   established 572s ago, rekeying in 466s, reauth in 2968s
+
   established 867s ago, rekeying in 13421s
   net: #8, reqid 4, REKEYED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128/MODP_2048
+
   net-1: #3, reqid 2, REKEYED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128/MODP_2048
     installed 440s ago, rekeying in 115s, expires in 220s
+
     installed 49s ago, rekeying in 3275s, expires in 3912s
     in  c66297e6,      0 bytes,    0 packets
+
     in  ca334880,      0 bytes,    0 packets
     out c4bb33a8,      0 bytes,    0 packets
+
     out c806412c,      0 bytes,    0 packets
 
     local  10.83.40.0/24
 
     local  10.83.40.0/24
 
     remote 10.83.32.0/24
 
     remote 10.83.32.0/24
   net: #9, reqid 4, REKEYED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128/MODP_2048
+
   net-1: #4, reqid 2, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128/MODP_2048
     installed 437s ago, rekeying in 104s, expires in 223s
+
     installed 47s ago, rekeying in 3404s, expires in 3913s
     in  ccf16d2a,      0 bytes,    0 packets
+
     in  c5a10589,      0 bytes,    0 packets
     out cc4f9d29,      0 bytes,    0 packets
+
     out c632c7bf,      0 bytes,    0 packets
 
     local  10.83.40.0/24
 
     local  10.83.40.0/24
 
     remote 10.83.32.0/24
 
     remote 10.83.32.0/24
...
 
 
</pre>
 
</pre>
 +
=Autostart=
 +
*/etc/strongswan/strongswan.conf
 +
<pre>
 +
charon {
 +
...
 +
start-scripts {
 +
  swanctl = /usr/sbin/swanctl -q
 +
}
 +
...
 +
}
 +
</pre>
 +
==Modern vici-based Scenarios==
 +
*[[strongswan Installation swanctl]]
 +
*[[strongswan Dateien und Verzeichnisse swanctl]]
 +
*[[strongswan swanctl tool]]
 +
*[[strongswan workshop setup]]
 +
===Vorbereitung===
 +
*[[strongswan-swanctl-autostart]]
 +
===PSK===
 +
*[[strongswan-swanctl zu strongswan psk ikev2 site to site]]
 +
===CERT===
 +
*[[CA erstellen inklusive 2 Server Zertifikate]]
 +
*[[strongswan-swanctl zu strongswan cert ikev2 site to site]]
 +
*[[roadwarrior-swanctl zu strongswan cert ikev2 EAP_AKA authentication]]

Aktuelle Version vom 21. September 2022, 19:23 Uhr

(re-)load connection configuration

  • swanctl -c
loaded connection 'net'
successfully loaded 1 connections, 0 unloaded

(re-)load credentials

  • swanctl -s
loaded ike secret 'ike-net'

load credentials, authorities, pools and connections

  • swanctl -q
loaded ike secret 'ike-net'
no authorities found, 0 unloaded
no pools found, 0 unloaded
loaded connection 'net'
successfully loaded 1 connections, 0 unloaded

initiate a connection

  • swanctl --initiate --child net-1
[ENC] generating QUICK_MODE request 2770629131 [ HASH SA No KE ID ID ]
[NET] sending packet: from 10.84.252.40[500] to 10.84.252.32[500] (460 bytes)
[NET] received packet: from 10.84.252.32[500] to 10.84.252.40[500] (460 bytes)
[ENC] parsed QUICK_MODE response 2770629131 [ HASH SA No KE ID ID ]
[IKE] CHILD_SA net-1{2} established with SPIs cad409e6_i c02e7852_o and TS 10.83.40.0/24 === 10.83.32.0/24
[ENC] generating QUICK_MODE request 2770629131 [ HASH ]
[NET] sending packet: from 10.84.252.40[500] to 10.84.252.32[500] (76 bytes)
initiate completed successfully

terminate a connection

  • swanctl --terminate --child net-1
[IKE] closing CHILD_SA net-1{1} with SPIs c2b81202_i (0 bytes) c817d05d_o (0 bytes) and TS 10.83.40.0/24 === 10.83.32.0/24
[IKE] sending DELETE for ESP CHILD_SA with SPI c2b81202
[ENC] generating INFORMATIONAL_V1 request 328806429 [ HASH D ]
[NET] sending packet: from 10.84.252.40[500] to 10.84.252.32[500] (92 bytes)
[IKE] closing CHILD_SA net-1{2} with SPIs cad409e6_i (0 bytes) c02e7852_o (0 bytes) and TS 10.83.40.0/24 === 10.83.32.0/24
terminate completed successfully

list loaded configurations

  • swanctl --list-conn
net-net: IKEv1, reauthentication every 3600s
  local:  10.84.252.40
  remote: 10.84.252.32
  local pre-shared key authentication:
    id: 10.84.252.40
  remote pre-shared key authentication:
    id: 10.84.252.32
  net: TUNNEL, rekeying every 600s
    local:  10.83.40.0/24
    remote: 10.83.32.0/24

rekey an SA

  • swanctl --rekey --child net-1
rekey completed successfully

log

  • swanctl --log
09[CFG] vici rekey CHILD_SA 'net-1'
09[ENC] generating QUICK_MODE request 2013598800 [ HASH SA No KE ID ID ]
09[NET] sending packet: from 10.84.252.40[500] to 10.84.252.32[500] (460 bytes)
13[NET] received packet: from 10.84.252.32[500] to 10.84.252.40[500] (460 bytes)
13[ENC] parsed QUICK_MODE response 2013598800 [ HASH SA No KE ID ID ]
13[IKE] CHILD_SA net{23} established with SPIs c6c7ffed_i cf1d5f57_o and TS 10.83.40.0/24 === 10.83.32.0/24
13[ENC] generating QUICK_MODE request 2013598800 [ HASH ]
13[NET] sending packet: from 10.84.252.40[500] to 10.84.252.32[500] (76 bytes)

list currently active IKE_SA

  • swanctl --list-sas
net: #3, ESTABLISHED, IKEv1, 41805ab3792c873b_i* 7f163baa33346484_r
  local  '10.84.252.40' @ 10.84.252.40[500]
  remote '10.84.252.32' @ 10.84.252.32[500]
  AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
  established 867s ago, rekeying in 13421s
  net-1: #3, reqid 2, REKEYED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128/MODP_2048
    installed 49s ago, rekeying in 3275s, expires in 3912s
    in  ca334880,      0 bytes,     0 packets
    out c806412c,      0 bytes,     0 packets
    local  10.83.40.0/24
    remote 10.83.32.0/24
  net-1: #4, reqid 2, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128/MODP_2048
    installed 47s ago, rekeying in 3404s, expires in 3913s
    in  c5a10589,      0 bytes,     0 packets
    out c632c7bf,      0 bytes,     0 packets
    local  10.83.40.0/24
    remote 10.83.32.0/24

Autostart

  • /etc/strongswan/strongswan.conf
charon {
 ...
 start-scripts {
   swanctl = /usr/sbin/swanctl -q
 }
 ...
}

Modern vici-based Scenarios

Vorbereitung

PSK

CERT

Abgerufen von „http://wiki.ixheim.de/index.php?title=Swanctl&oldid=36151