strongswan


https://www.strongswan.org/testing/testresults/ikev2-algs/index.html

1.

# IKE proposal: AES-128-CBC encryption, HMAC-SHA-256 integrity, X25519 key exchange.
proposals = aes128-sha256-x25519

 

# ESP (CHILD_SA) proposal variants; presumably tried one at a time, since each
# line assigns the same key.
# The trailing x25519 requests a fresh DH exchange (PFS) when the CHILD_SA is rekeyed.
esp_proposals = aes128-sha256-x25519
esp_proposals = aes256-sha256-x25519
esp_proposals = aes256-sha512-x25519
esp_proposals = aes128-sha512-x25519
# AES-GCM with a 128-bit (16-byte) ICV.
esp_proposals = aes128gcm128-x25519
esp_proposals = aes256gcm128-x25519
# AES-GMAC authenticates the packet but does not encrypt the payload:
# integrity only, no confidentiality.
esp_proposals = aes128gmac-x25519
esp_proposals = aes256gmac-x25519
# gcm16 counts the ICV in bytes: same algorithm as aes128gcm128 above.
esp_proposals = aes128gcm16-x25519

 

 

 

# Host 192.168.9.128: unicast VXLAN (VNI 10) to 192.168.9.129 over ens38, UDP port 4789.
# VXLAN carries the inner frames unencrypted and unauthenticated; any protection
# comes from the xfrm (IPsec) rules further down the page.
ip link add vxlan0 type vxlan id 10 remote 192.168.9.129 local 192.168.9.128 dstport 4789 dev ens38
# NOTE(review): 6.6.6.0/24 is public address space; an RFC 1918 range keeps lab
# traffic from leaking towards real hosts if a route is missing.
ip addr add 6.6.6.1/24 dev vxlan0
ip link set vxlan0 up

 

# Host 192.168.9.129: the mirror-image VXLAN endpoint (same VNI 10 and port, local/remote swapped).
ip link add vxlan0 type vxlan id 10 remote 192.168.9.128 local 192.168.9.129 dstport 4789 dev ens38
# NOTE(review): this side gets 6.6.5.1/24 while the other side uses 6.6.6.1/24 and
# the later sections address the peer as 6.6.6.2 — confirm which inner address is intended.
ip addr add 6.6.5.1/24 dev vxlan0
ip link set vxlan0 up

 

[root@she ~]# bridge fdb show
01:00:5e:00:00:01 dev ens33 self permanent
33:33:00:00:00:01 dev ens33 self permanent
33:33:ff:16:59:21 dev ens33 self permanent
01:00:5e:00:00:01 dev ens38 self permanent
33:33:00:00:00:01 dev ens38 self permanent
33:33:ff:55:58:9d dev ens38 self permanent
00:00:00:00:00:00 dev vxlan0 dst 192.168.142.134 via ens33 self permanent
12:8d:7a:89:c3:b2 dev vxlan0 dst 192.168.142.134 self
[root@she ~]# cat /sys/class/net/vxlan0/brforward
cat: /sys/class/net/vxlan0/brforward: No such file or directory
[root@she ~]# ip neigh show dev vxlan0
10.0.10.20 lladdr 12:8d:7a:89:c3:b2 STALE
[root@she ~]#
[root@she ~]#


# Adds a static forwarding entry on vxlan0 for MAC 12:8d:7a:89:c3:b2 with remote
# endpoint 192.168.142.134 (the same MAC/endpoint pair as the learned entry in the
# `bridge fdb show` output above).
bridge fdb append to 12:8d:7a:89:c3:b2 192.168.142.134 dev vxlan0

# Host route that sends traffic for 6.6.6.2 out through the VXLAN device.
ip route add 6.6.6.2/32 dev vxlan0

 

=====================================================================================================================================================
vxlan over ipsec

# Host 192.168.9.128: manually keyed ESP tunnel-mode SAs, one per direction,
# UDP-encapsulated (espinudp) on port 4500.
# The policies match only UDP between the two hosts, which covers the VXLAN
# traffic (dstport 4789) configured earlier on the page.
# NOTE(review): single DES with HMAC-MD5 are both obsolete, and the same static key is used
# for both directions with nothing to rekey it. The key is also not random (it
# is the MD5 digest of a one-character string) and, being typed on the command
# line, ends up in shell history and the process list. Lab interop testing only.
ip xfrm state add src 192.168.9.128 dst 192.168.9.129 proto esp spi 0x00000301 mode tunnel auth md5 0xa87ff679a2f3e71d9181a67b7542122c enc des 0xa2f3e71d9181a67b encap espinudp 4500 4500 0.0.0.0
ip xfrm state add src 192.168.9.129 dst 192.168.9.128 proto esp spi 0x00000301 mode tunnel auth md5 0xa87ff679a2f3e71d9181a67b7542122c enc des 0xa2f3e71d9181a67b encap espinudp 4500 4500 0.0.0.0
ip xfrm policy add src 192.168.9.128 dst 192.168.9.129 proto udp dir out ptype main tmpl src 192.168.9.128 dst 192.168.9.129 proto esp mode tunnel
ip xfrm policy add src 192.168.9.129 dst 192.168.9.128 proto udp dir in ptype main tmpl src 192.168.9.129 dst 192.168.9.128 proto esp mode tunnel


# Host 192.168.9.129: identical SAs, with the policy directions mirrored (in/out swapped).
ip xfrm state add src 192.168.9.128 dst 192.168.9.129 proto esp spi 0x00000301 mode tunnel auth md5 0xa87ff679a2f3e71d9181a67b7542122c enc des 0xa2f3e71d9181a67b encap espinudp 4500 4500 0.0.0.0
ip xfrm state add src 192.168.9.129 dst 192.168.9.128 proto esp spi 0x00000301 mode tunnel auth md5 0xa87ff679a2f3e71d9181a67b7542122c enc des 0xa2f3e71d9181a67b encap espinudp 4500 4500 0.0.0.0
ip xfrm policy add src 192.168.9.128 dst 192.168.9.129 proto udp dir in ptype main tmpl src 192.168.9.128 dst 192.168.9.129 proto esp mode tunnel
ip xfrm policy add src 192.168.9.129 dst 192.168.9.128 proto udp dir out ptype main tmpl src 192.168.9.129 dst 192.168.9.128 proto esp mode tunnel


=====================================================================================================================================================
espinudp (ESP in UDP)

# Host 192.168.9.128: the same UDP-encapsulated ESP SAs as in the previous
# section, but the policies carry no `proto udp` selector, so all IP traffic
# between the two hosts is matched.
# NOTE(review): DES + HMAC-MD5 with a static, reused key — lab testing only.
ip xfrm state add src 192.168.9.128 dst 192.168.9.129 proto esp spi 0x00000301 mode tunnel auth md5 0xa87ff679a2f3e71d9181a67b7542122c enc des 0xa2f3e71d9181a67b encap espinudp 4500 4500 0.0.0.0
ip xfrm state add src 192.168.9.129 dst 192.168.9.128 proto esp spi 0x00000301 mode tunnel auth md5 0xa87ff679a2f3e71d9181a67b7542122c enc des 0xa2f3e71d9181a67b encap espinudp 4500 4500 0.0.0.0
ip xfrm policy add src 192.168.9.128 dst 192.168.9.129 dir out ptype main tmpl src 192.168.9.128 dst 192.168.9.129 proto esp mode tunnel
ip xfrm policy add src 192.168.9.129 dst 192.168.9.128 dir in ptype main tmpl src 192.168.9.129 dst 192.168.9.128 proto esp mode tunnel


# Host 192.168.9.129: identical SAs, policy directions mirrored.
ip xfrm state add src 192.168.9.128 dst 192.168.9.129 proto esp spi 0x00000301 mode tunnel auth md5 0xa87ff679a2f3e71d9181a67b7542122c enc des 0xa2f3e71d9181a67b encap espinudp 4500 4500 0.0.0.0
ip xfrm state add src 192.168.9.129 dst 192.168.9.128 proto esp spi 0x00000301 mode tunnel auth md5 0xa87ff679a2f3e71d9181a67b7542122c enc des 0xa2f3e71d9181a67b encap espinudp 4500 4500 0.0.0.0
ip xfrm policy add src 192.168.9.128 dst 192.168.9.129 dir in ptype main tmpl src 192.168.9.128 dst 192.168.9.129 proto esp mode tunnel
ip xfrm policy add src 192.168.9.129 dst 192.168.9.128 dir out ptype main tmpl src 192.168.9.129 dst 192.168.9.128 proto esp mode tunnel
================================================================================================================================================
ipsec over vxlan ipv4 in ipv4 in ipv4
# Side that owns 6.6.6.1: ESP tunnel between the inner addresses 6.6.6.1 and
# 6.6.6.2, without UDP encapsulation. 6.6.6.1 is the address assigned to vxlan0
# earlier on the page, so the ESP packets presumably travel inside the VXLAN tunnel.
# NOTE(review): the peer's vxlan0 was given 6.6.5.1 above, not 6.6.6.2 — confirm.
# NOTE(review): DES + HMAC-MD5 with a static, reused key — lab testing only.
ip xfrm state add src 6.6.6.1 dst 6.6.6.2 proto esp spi 0x00000301 mode tunnel auth md5 0xa87ff679a2f3e71d9181a67b7542122c enc des 0xa2f3e71d9181a67b
ip xfrm state add src 6.6.6.2 dst 6.6.6.1 proto esp spi 0x00000301 mode tunnel auth md5 0xa87ff679a2f3e71d9181a67b7542122c enc des 0xa2f3e71d9181a67b
ip xfrm policy add src 6.6.6.1 dst 6.6.6.2 dir out ptype main tmpl src 6.6.6.1 dst 6.6.6.2 proto esp mode tunnel
ip xfrm policy add src 6.6.6.2 dst 6.6.6.1 dir in ptype main tmpl src 6.6.6.2 dst 6.6.6.1 proto esp mode tunnel


# Side that owns 6.6.6.2: identical SAs, policy directions mirrored.
ip xfrm state add src 6.6.6.1 dst 6.6.6.2 proto esp spi 0x00000301 mode tunnel auth md5 0xa87ff679a2f3e71d9181a67b7542122c enc des 0xa2f3e71d9181a67b
ip xfrm state add src 6.6.6.2 dst 6.6.6.1 proto esp spi 0x00000301 mode tunnel auth md5 0xa87ff679a2f3e71d9181a67b7542122c enc des 0xa2f3e71d9181a67b
ip xfrm policy add src 6.6.6.1 dst 6.6.6.2 dir in ptype main tmpl src 6.6.6.1 dst 6.6.6.2 proto esp mode tunnel
ip xfrm policy add src 6.6.6.2 dst 6.6.6.1 dir out ptype main tmpl src 6.6.6.2 dst 6.6.6.1 proto esp mode tunnel

================================================================================================================================================
ipv6 in ipv6 in ipv4

# Side that owns 2000::1: ESP tunnel whose selectors and tunnel endpoints are both
# the IPv6 addresses 2000::1 and 2000::2 (IPv6 in IPv6).
# Presumably these addresses sit on vxlan0, which would supply the outer IPv4
# layer named in the heading — the address assignment is not shown.
# NOTE(review): 2000::/3 is global unicast space; 2001:db8::/32 is the prefix
# reserved for examples. DES + HMAC-MD5 with a static key — lab testing only.
ip xfrm state add src 2000::1 dst 2000::2 proto esp spi 0x00000301 mode tunnel auth md5 0xa87ff679a2f3e71d9181a67b7542122c enc des 0xa2f3e71d9181a67b
ip xfrm state add src 2000::2 dst 2000::1 proto esp spi 0x00000301 mode tunnel auth md5 0xa87ff679a2f3e71d9181a67b7542122c enc des 0xa2f3e71d9181a67b
ip xfrm policy add src 2000::1 dst 2000::2 dir out ptype main tmpl src 2000::1 dst 2000::2 proto esp mode tunnel
ip xfrm policy add src 2000::2 dst 2000::1 dir in ptype main tmpl src 2000::2 dst 2000::1 proto esp mode tunnel


# Side that owns 2000::2: identical SAs, policy directions mirrored.
ip xfrm state add src 2000::1 dst 2000::2 proto esp spi 0x00000301 mode tunnel auth md5 0xa87ff679a2f3e71d9181a67b7542122c enc des 0xa2f3e71d9181a67b
ip xfrm state add src 2000::2 dst 2000::1 proto esp spi 0x00000301 mode tunnel auth md5 0xa87ff679a2f3e71d9181a67b7542122c enc des 0xa2f3e71d9181a67b
ip xfrm policy add src 2000::1 dst 2000::2 dir in ptype main tmpl src 2000::1 dst 2000::2 proto esp mode tunnel
ip xfrm policy add src 2000::2 dst 2000::1 dir out ptype main tmpl src 2000::2 dst 2000::1 proto esp mode tunnel

如果这样可以 那
ipv4 in ipv4 in ipv6 应该也可以
================================================================================================================================================
ipv4 in ipv6 in ipv4 这种就得用一个网卡了吧


================================================================================================================================================
v4——in-v4
lo 192.168.10.1/24 《===》 192.168.20.1/24

ens38 192.168.9.128/24 《===》192.168.9.129/24

#dut ip route add 192.168.20.0/24 dev ens38 src 192.168.10.1

#peer ip route add 192.168.10.0/24 dev ens38 src 192.168.20.1

 

# DUT (192.168.9.128): ESP tunnel-mode SAs between the two ens38 addresses, no UDP encapsulation.
# NOTE(review): DES + HMAC-MD5 with a static key reused in both directions — lab testing only.
ip xfrm state add src 192.168.9.128 dst 192.168.9.129 proto esp spi 0x00000301 mode tunnel auth md5 0xa87ff679a2f3e71d9181a67b7542122c enc des 0xa2f3e71d9181a67b
ip xfrm state add src 192.168.9.129 dst 192.168.9.128 proto esp spi 0x00000301 mode tunnel auth md5 0xa87ff679a2f3e71d9181a67b7542122c enc des 0xa2f3e71d9181a67b
# Host-to-host policies: traffic between the tunnel endpoints themselves is protected too.
ip xfrm policy add src 192.168.9.128 dst 192.168.9.129 dir out ptype main tmpl src 192.168.9.128 dst 192.168.9.129 proto esp mode tunnel
ip xfrm policy add src 192.168.9.129 dst 192.168.9.128 dir in ptype main tmpl src 192.168.9.129 dst 192.168.9.128 proto esp mode tunnel

# IPv4 in IPv4: the loopback addresses 192.168.10.1 <-> 192.168.20.1 are tunnelled through the same SAs.
ip xfrm policy add src 192.168.10.1 dst 192.168.20.1 dir out ptype main tmpl src 192.168.9.128 dst 192.168.9.129 proto esp mode tunnel
ip xfrm policy add src 192.168.20.1 dst 192.168.10.1 dir in ptype main tmpl src 192.168.9.129 dst 192.168.9.128 proto esp mode tunnel


# NOTE(review): exact repeat of the two policies above — presumably a paste leftover.
ip xfrm policy add src 192.168.10.1 dst 192.168.20.1 dir out ptype main tmpl src 192.168.9.128 dst 192.168.9.129 proto esp mode tunnel
ip xfrm policy add src 192.168.20.1 dst 192.168.10.1 dir in ptype main tmpl src 192.168.9.129 dst 192.168.9.128 proto esp mode tunnel


# IPv6 in IPv4: IPv6 selectors (2000::1 <-> 3000::1) with an IPv4 tunnel template.
ip xfrm policy add src 2000::1 dst 3000::1 dir out ptype main tmpl src 192.168.9.128 dst 192.168.9.129 proto esp mode tunnel
ip xfrm policy add src 3000::1 dst 2000::1 dir in ptype main tmpl src 192.168.9.129 dst 192.168.9.128 proto esp mode tunnel

 


# Peer (192.168.9.129): the same two SAs as on the DUT; policy directions are mirrored below.
# NOTE(review): DES + HMAC-MD5 with a static key reused in both directions — lab testing only.
ip xfrm state add src 192.168.9.128 dst 192.168.9.129 proto esp spi 0x00000301 mode tunnel auth md5 0xa87ff679a2f3e71d9181a67b7542122c enc des 0xa2f3e71d9181a67b
ip xfrm state add src 192.168.9.129 dst 192.168.9.128 proto esp spi 0x00000301 mode tunnel auth md5 0xa87ff679a2f3e71d9181a67b7542122c enc des 0xa2f3e71d9181a67b
# Host-to-host policies.
ip xfrm policy add src 192.168.9.128 dst 192.168.9.129 dir in ptype main tmpl src 192.168.9.128 dst 192.168.9.129 proto esp mode tunnel
ip xfrm policy add src 192.168.9.129 dst 192.168.9.128 dir out ptype main tmpl src 192.168.9.129 dst 192.168.9.128 proto esp mode tunnel

# IPv4 in IPv4: 192.168.10.1 (DUT loopback) <-> 192.168.20.1 (peer loopback).
ip xfrm policy add src 192.168.10.1 dst 192.168.20.1 dir in ptype main tmpl src 192.168.9.128 dst 192.168.9.129 proto esp mode tunnel
ip xfrm policy add src 192.168.20.1 dst 192.168.10.1 dir out ptype main tmpl src 192.168.9.129 dst 192.168.9.128 proto esp mode tunnel

# NOTE(review): these two lines use the DUT-side directions (out for 10.1 -> 20.1),
# the opposite of the pair just above — presumably a paste leftover; confirm before use.
ip xfrm policy add src 192.168.10.1 dst 192.168.20.1 dir out ptype main tmpl src 192.168.9.128 dst 192.168.9.129 proto esp mode tunnel
ip xfrm policy add src 192.168.20.1 dst 192.168.10.1 dir in ptype main tmpl src 192.168.9.129 dst 192.168.9.128 proto esp mode tunnel


# IPv6 in IPv4: IPv6 selectors with an IPv4 tunnel template, directions mirrored for the peer.
ip xfrm policy add src 2000::1 dst 3000::1 dir in ptype main tmpl src 192.168.9.128 dst 192.168.9.129 proto esp mode tunnel
ip xfrm policy add src 3000::1 dst 2000::1 dir out ptype main tmpl src 192.168.9.129 dst 192.168.9.128 proto esp mode tunnel


============================================================================================================================================

10.3.0.1 via 192.168.0.100 dev eth0 proto static src 10.1.0.1
https://www.strongswan.org/testing/testresults/ipv6/net2net-ip6-in-ip4-ikev2/moon.swanctl.conf

 

==========================================================================================================================================

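#!/bin/bash
# manual-ipsec.sh
#
# Creates a manually keyed ESP tunnel between this host and a peer: installs
# xfrm states, policies and a route locally, then the mirrored set on the peer
# over ssh.
#
# Usage:
#   manual-ipsec.sh <local_ip> <remote_ip> <new_local_net> <new_local_ip> <new_remote_net> <new_remote_ip>
#
# Lab use only: the keys below are static, stored in this file, shared by both
# directions and passed on the ip(8) command line, where they are visible in
# the process list. Use IKE (e.g. strongSwan) wherever keys must be negotiated
# and rotated.

# Check arguments: the sixth positional parameter must be present and non-empty.
if [ -z "${6:-}" ]; then
  echo "usage: $0 <local_ip> <remote_ip> <new_local_net> <new_local_ip> <new_remote_net> <new_remote_ip>" >&2
  echo "creates an ipsec tunnel between two machines" >&2
  exit 1
fi

# Accept only characters that can occur in an IPv4/IPv6 address or CIDR prefix.
# Every argument is expanded locally into the here-document that is fed to a
# shell on the peer and run there with sudo, so spaces, ';', '$', backticks and
# the like would be interpreted as shell syntax on the remote side. Rejecting
# a leading '-' also keeps <remote_ip> from being parsed as an ssh option.
addr_re='^[0-9A-Fa-f:.]+(/[0-9]{1,3})?$'
for arg in "${@:1:6}"; do
  if [[ ! "$arg" =~ $addr_re ]]; then
    printf 'invalid address or prefix: %s\n' "$arg" >&2
    exit 1
  fi
done

SRC="$1"
DST="$2"
LOCAL="$3"
LOCAL_IP="$4"
REMOTE="$5"
REMOTE_IP="$6"

# Algorithm and key arguments appended to `ip xfrm state add`.
# enc_auth is used locally; enc_auth1 is the variant pasted into the remote
# shell script, which is why the alternatives below quote names containing
# parentheses in enc_auth1.
# Active choice: HMAC-SHA1 + AES-128-CBC. These keys are published sample
# values; replace them with freshly generated random keys before any use
# outside a lab.
enc_auth="auth sha1 0xf594d69f00cfcb61aca00d5e2c25fd238f7c5ef1 enc aes 0xe05064cee7c1803f8e901e9b6e732c35"
enc_auth1="auth sha1 0xf594d69f00cfcb61aca00d5e2c25fd238f7c5ef1 enc aes 0xe05064cee7c1803f8e901e9b6e732c35"

# Alternative algorithm sets (uncomment one pair to use it).
# For the AEAD variants the hex string is the AES key followed by a 4-byte salt;
# the trailing number is the ICV length in bits.

#11 aes-128-gmac (authentication only: the payload is not encrypted)
#enc_auth="aead rfc4543(gcm(aes)) 0xa411d85dca3d0ac683ff1c596626684b8958c49d 128"
#enc_auth1="aead 'rfc4543(gcm(aes))' 0xa411d85dca3d0ac683ff1c596626684b8958c49d 128"


#22 aes-256-gmac (authentication only: the payload is not encrypted)
#enc_auth=" aead rfc4543(gcm(aes)) 0xdb9e4cd9b57d0c7abd48e660997c2b733904fb84b068103d8a0947729952062804604a24 128"
#enc_auth1=" aead 'rfc4543(gcm(aes))' 0xdb9e4cd9b57d0c7abd48e660997c2b733904fb84b068103d8a0947729952062804604a24 128"


#33 aes-gcm-16_128
#enc_auth="aead rfc4106(gcm(aes)) 0xd66b20aa32d7367e80902f38909b184efd098eb4 128"
#enc_auth1="aead 'rfc4106(gcm(aes))' 0xd66b20aa32d7367e80902f38909b184efd098eb4 128"


#44 aes-gcm-16_256
#enc_auth="aead rfc4106(gcm(aes)) 0xb6bc33ddb0d178b21b1767fbac9be3be67548819690efc6ef72ec5e79dccb3f5e0a6ce18 128"
#enc_auth1="aead 'rfc4106(gcm(aes))' 0xb6bc33ddb0d178b21b1767fbac9be3be67548819690efc6ef72ec5e79dccb3f5e0a6ce18 128"


#55 aes-cbc-128 hmac-sha2-256-128
#enc_auth=" auth-trunc hmac(sha256) 0x56741e9db3c065751dd7371aef2caf38b46ac71b4a331f486e9a498e33ba225f 128 enc aes 0x081ee4b8d762e15946a7bec5b52fd511 "
#enc_auth1=" auth-trunc 'hmac(sha256)' 0x56741e9db3c065751dd7371aef2caf38b46ac71b4a331f486e9a498e33ba225f 128 enc aes 0x081ee4b8d762e15946a7bec5b52fd511"


#66 aes-cbc-256 hmac-sha2-256-128
#enc_auth="auth-trunc hmac(sha256) 0x56741e9db3c065751dd7371aef2caf38b46ac71b4a331f486e9a498e33ba225f 128 enc aes 0x3bad052d1c8472be44084407b6e1cca0f7b2a506a3834c2a75862b3576de3430"
#enc_auth1="auth-trunc 'hmac(sha256)' 0x56741e9db3c065751dd7371aef2caf38b46ac71b4a331f486e9a498e33ba225f 128 enc aes 0x3bad052d1c8472be44084407b6e1cca0f7b2a506a3834c2a75862b3576de3430"


#77 aes-cbc-128 hmac-sha2-512-256
#enc_auth="auth-trunc hmac(sha512) 0xc7390d2ebf11d7da0a520fef9180fa6a6df6c85f285191751f15cb83ccebc4b470576722b28f5eb0f1a16a691a3e3863f4f4c19bd5ea025a54226dfff66db123 256 enc aes 0x081ee4b8d762e15946a7bec5b52fd511 "
#enc_auth1="auth-trunc 'hmac(sha512)' 0xc7390d2ebf11d7da0a520fef9180fa6a6df6c85f285191751f15cb83ccebc4b470576722b28f5eb0f1a16a691a3e3863f4f4c19bd5ea025a54226dfff66db123 256 enc aes 0x081ee4b8d762e15946a7bec5b52fd511 "


#88 aes-cbc-256 hmac-sha2-512-256
# NOTE(review): enc_auth1 here lacks the quotes around hmac(sha512) that the
# other enc_auth1 lines have; the remote shell would reject the parentheses.
#enc_auth="auth-trunc hmac(sha512) 0xc7390d2ebf11d7da0a520fef9180fa6a6df6c85f285191751f15cb83ccebc4b470576722b28f5eb0f1a16a691a3e3863f4f4c19bd5ea025a54226dfff66db123 256 enc aes 0x3bad052d1c8472be44084407b6e1cca0f7b2a506a3834c2a75862b3576de3430 "
#enc_auth1="auth-trunc hmac(sha512) 0xc7390d2ebf11d7da0a520fef9180fa6a6df6c85f285191751f15cb83ccebc4b470576722b28f5eb0f1a16a691a3e3863f4f4c19bd5ea025a54226dfff66db123 256 enc aes 0x3bad052d1c8472be44084407b6e1cca0f7b2a506a3834c2a75862b3576de3430"


# Fixed value used as both the SPI and the reqid (nothing is generated here;
# the original comment read "generate reqid and AES key").
ID='0x00004005'


# --- local side ---------------------------------------------------------------
# The flush removes every xfrm state and policy on the host, including any that
# an IKE daemon installed.
sudo ip xfrm state flush && sudo ip xfrm policy flush
# $enc_auth is left unquoted on purpose: it must split into separate ip(8) arguments.
# shellcheck disable=SC2086
sudo ip xfrm state add src "$SRC" dst "$DST" proto esp spi "$ID" reqid "$ID" mode tunnel $enc_auth
# shellcheck disable=SC2086
sudo ip xfrm state add src "$DST" dst "$SRC" proto esp spi "$ID" reqid "$ID" mode tunnel $enc_auth
sudo ip xfrm policy add src "$LOCAL" dst "$REMOTE" dir out tmpl src "$SRC" dst "$DST" proto esp reqid "$ID" mode tunnel
sudo ip xfrm policy add src "$REMOTE" dst "$LOCAL" dir in tmpl src "$DST" dst "$SRC" proto esp reqid "$ID" mode tunnel
sudo ip xfrm policy add src "$REMOTE" dst "$LOCAL" dir fwd tmpl src "$DST" dst "$SRC" proto esp reqid "$ID" mode tunnel
# The interface name ens37 is hard-coded for both hosts.
sudo ip route add "$REMOTE" dev ens37 src "$LOCAL_IP"

# --- remote side --------------------------------------------------------------
# The here-document is expanded locally (unquoted delimiter), so the validated
# arguments and the key string are substituted before the text reaches the peer.
# NOTE(review): `bash -x` echoes every remote command, key material included,
# to this terminal; drop -x when the output is logged.
# NOTE(review): no `dir fwd` policy is installed on the peer, unlike the local
# side — add one if the peer forwards traffic for $REMOTE rather than owning it.
ssh "$DST" bash -x << EOF
sudo ip xfrm state flush && sudo ip xfrm policy flush
sudo ip xfrm state add src $SRC dst $DST proto esp spi $ID reqid $ID mode tunnel ${enc_auth1}
sudo ip xfrm state add src $DST dst $SRC proto esp spi $ID reqid $ID mode tunnel ${enc_auth1}
sudo ip xfrm policy add src $REMOTE dst $LOCAL dir out tmpl src $DST dst $SRC proto esp reqid $ID mode tunnel
sudo ip xfrm policy add src $LOCAL dst $REMOTE dir in tmpl src $SRC dst $DST proto esp reqid $ID mode tunnel

sudo ip route add $LOCAL dev ens37 src $REMOTE_IP
EOF

#./xx.sh 192.168.142.50 192.168.142.51 10.0.1.0/24 10.0.1.1 10.0.2.0/24 10.0.2.1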

 

# Read the capture 33.cap, keep the ESP packet with sequence number 30 sent by
# 192.168.142.50, dump it as newline-delimited JSON (-T ek), and pretty-print
# the lines that contain "timestamp".
tshark -r 33.cap -Y "ip.src==192.168.142.50&&esp.sequence == 30" -V  -T ek  | grep 'timestamp' | jq .

 

 

 

└── swanctl
├── bliss
├── conf.d
│   ├── ip6_in_ip4.conf
│   └── xx.conf
├── ecdsa
├── pkcs12
├── pkcs8
├── private
│   └── moonKey.pem
├── pubkey
├── rsa
├── swanctl.conf
├── x509
│   └── moonCert.pem
├── x509aa
├── x509ac
├── x509ca
│   └── strongswanCert.pem
├── x509crl
└── x509ocsp

 

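Note: the Ed25519 private keys on this page are printed in full, so they serve only as lab samples; generate a new key pair and certificates for any real deployment.
[root@she strongswan]# cat swanctl/private/moonKey.pem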
-----BEGIN PRIVATE KEY-----
MC4CAQAwBQYDK2VwBCIEIPQeIuX/vDUfl8yImEV6qlpFawgSRCQEArtCXswwrIBw
-----END PRIVATE KEY-----
[root@she strongswan]#

[root@she strongswan]# cat swanctl/x509/moonCert.pem
-----BEGIN CERTIFICATE-----
MIIBcTCCASOgAwIBAgIBATAFBgMrZXAwPzELMAkGA1UEBhMCQ0gxEzARBgNVBAoT
CnN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQTAeFw0yNDA3
MTQxNDM5NDhaFw0yOTA3MTQxNDM5NDhaMEAxCzAJBgNVBAYTAkNIMRMwEQYDVQQK
EwpzdHJvbmdzd2FuMRwwGgYDVQQDExNtb29uLnN0cm9uZ3N3YW4ub3JnMCowBQYD
K2VwAyEAuM4paUninbOiS4tZkZAk3PG94BwAhXtsWZvcK2BsuA2jQzBBMB8GA1Ud
IwQYMBaAFCcpS2s0llo4uVbZc7tThK2G4pPQMB4GA1UdEQQXMBWCE21vb24uc3Ry
b25nc3dhbi5vcmcwBQYDK2VwA0EA3TiGNZnrebzA/nQ4z6K87yO0gjjgzIMCUJ63
1sn9cRQNee3xsKaCwd4xHEO7RJ8sQCP06E+U3YtQ0UJKlrM9AA==
-----END CERTIFICATE-----
[root@she strongswan]#

[root@she strongswan]# cat swanctl/x509ca/strongswanCert.pem
-----BEGIN CERTIFICATE-----
MIIBdjCCASigAwIBAgIIB41j/ULUtzswBQYDK2VwMD8xCzAJBgNVBAYTAkNIMRMw
EQYDVQQKEwpzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3QgQ0Ew
HhcNMjQwNzE0MTQzNTUzWhcNMzQwNzE0MTQzNTUzWjA/MQswCQYDVQQGEwJDSDET
MBEGA1UEChMKc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBSb290IENB
MCowBQYDK2VwAyEAAl2Hf2K/L59RXmk15vVXzHol9+WewJauofYTsR/wEpqjQjBA
MA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBQnKUtr
NJZaOLlW2XO7U4SthuKT0DAFBgMrZXADQQCjD+mW3D9bwBVvpR/ydhsrhiIipCkb
0jTPmmfbm7uIBEttORZxTMjpKOGLza0zN1avAiWO4dULx8W9u1quzcII
-----END CERTIFICATE-----
[root@she strongswan]#

 

[root@she swanctl]# cat x509/sunCert.pem
-----BEGIN CERTIFICATE-----
MIIBbzCCASGgAwIBAgIBATAFBgMrZXAwPzELMAkGA1UEBhMCQ0gxEzARBgNVBAoT
CnN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQTAeFw0yNDA3
MTQxNDQ3NTFaFw0yOTA3MTQxNDQ3NTFaMD8xCzAJBgNVBAYTAkNIMRMwEQYDVQQK
EwpzdHJvbmdzd2FuMRswGQYDVQQDExJzdW4uc3Ryb25nc3dhbi5vcmcwKjAFBgMr
ZXADIQCf5jZp0xR30uEKfPKri1uf1Hk/IcTtXGjWbk02NxAoNqNCMEAwHwYDVR0j
BBgwFoAUJylLazSWWji5Vtlzu1OErYbik9AwHQYDVR0RBBYwFIISc3VuLnN0cm9u
Z3N3YW4ub3JnMAUGAytlcANBAAtiOeh3Szjl+JECyPmR8AIdbzIr1LdMRZI99BWA
a8/dFjjQ6+5YXqbpMzxX40n/mvqG7z4Motm04FljIrqf6ww=
-----END CERTIFICATE-----
[root@she swanctl]# cat x509ca/
cat: x509ca/: Is a directory
[root@she swanctl]# cat x509ca/strongswanCert.pem
-----BEGIN CERTIFICATE-----
MIIBdjCCASigAwIBAgIIB41j/ULUtzswBQYDK2VwMD8xCzAJBgNVBAYTAkNIMRMw
EQYDVQQKEwpzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3QgQ0Ew
HhcNMjQwNzE0MTQzNTUzWhcNMzQwNzE0MTQzNTUzWjA/MQswCQYDVQQGEwJDSDET
MBEGA1UEChMKc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBSb290IENB
MCowBQYDK2VwAyEAAl2Hf2K/L59RXmk15vVXzHol9+WewJauofYTsR/wEpqjQjBA
MA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBQnKUtr
NJZaOLlW2XO7U4SthuKT0DAFBgMrZXADQQCjD+mW3D9bwBVvpR/ydhsrhiIipCkb
0jTPmmfbm7uIBEttORZxTMjpKOGLza0zN1avAiWO4dULx8W9u1quzcII
-----END CERTIFICATE-----
[root@she swanctl]# cat private/sunKey.pem
-----BEGIN PRIVATE KEY-----
MC4CAQAwBQYDK2VwBCIEIJuY2WzGVXlV1h1tyZNciCazTnOHoWWnEWpE2oIGd7qL
-----END PRIVATE KEY-----
[root@she swanctl]#

posted on 2024-07-21 22:36  vanness_205