strongSwan
Add IPsec encryption and authentication
Runs on:
Linux, Microsoft Windows, QNX OS
Description:
QNX OS provides strongSwan version 5.8.2, which allows you to secure IP traffic in policy- and route-based IPsec scenarios. For full information on its use, see the strongSwan documentation: https://wiki.strongswan.org/projects/strongswan/wiki/UserDocumentation (the archive that includes documentation for pre-5.9 versions of strongSwan).
Plugins:
For QNX OS, the following strongSwan plugins are enabled.
libstrongswan plugins: acert, aes, aesni, agent, attr, bliss, ccm, chapoly, cmac, constraints, ctr, curve25519, des, dnskey, drbg, fips-prf, gcm, hmac, md5, mgf1, nonce, openssl, pem, pgp, pkcs1, pkcs7, pkcs8, pkcs11, pkcs12, pubkey, random, rc2, rdrand, revocation, sha1, sha2, sha3, sshkey, x509, xcbc.
libcharon plugins: addrblock, attr, certexpire, counters, coupling, error-notify, ext-auth, kernel-pfkey, kernel-pfroute, resolve, socket-default, stroke, systime-fix, updown, vici, whitelist, xauth-generic.
Supported algorithms:
QNX OS works with the standard set of strongSwan algorithms, and has extended support for some additional ones.
Use the following swanctl subcommand to list the loaded algorithms and the plugin that implements each of them.
swanctl --list-algs
Management tools:
- the ipsec command (based on stroke),
- the swanctl command (based on vici), or
- VICI client functionality integrated into your application (based on davici, provided with QNX OS).
Directories:
The strongSwan binaries are installed in the following locations:
/usr/sbin/charon
/usr/sbin/starter
/usr/sbin/stroke
/usr/sbin/ipsec
/usr/sbin/swanctl
/usr/bin/pki
/usr/lib/ipsec/libcharon.so.0
/usr/lib/ipsec/libstrongswan.so.0
/usr/lib/ipsec/libvici.so.0
/usr/lib/ipsec/libnttfft.so.0
/usr/lib/ipsec/plugins/error-notify
/usr/lib/ipsec/plugins/whitelist
/usr/lib/ipsec/plugins/bliss_huffman
/usr/lib/ipsec/plugins/libstrongswan-acert.so
/usr/lib/ipsec/plugins/libstrongswan-aesni.so
/usr/lib/ipsec/plugins/libstrongswan-rdrand.so
/usr/lib/ipsec/plugins/libstrongswan-aes.so
/usr/lib/ipsec/plugins/libstrongswan-ccm.so
/usr/lib/ipsec/plugins/libstrongswan-ctr.so
/usr/lib/ipsec/plugins/libstrongswan-des.so
/usr/lib/ipsec/plugins/libstrongswan-gcm.so
/usr/lib/ipsec/plugins/libstrongswan-md5.so
/usr/lib/ipsec/plugins/libstrongswan-pem.so
/usr/lib/ipsec/plugins/libstrongswan-pgp.so
/usr/lib/ipsec/plugins/libstrongswan-rc2.so
/usr/lib/ipsec/plugins/libstrongswan-cmac.so
/usr/lib/ipsec/plugins/libstrongswan-drbg.so
/usr/lib/ipsec/plugins/libstrongswan-hmac.so
/usr/lib/ipsec/plugins/libstrongswan-sha1.so
/usr/lib/ipsec/plugins/libstrongswan-sha2.so
/usr/lib/ipsec/plugins/libstrongswan-sha3.so
/usr/lib/ipsec/plugins/libstrongswan-x509.so
/usr/lib/ipsec/plugins/libstrongswan-xcbc.so
/usr/lib/ipsec/plugins/libstrongswan-nonce.so
/usr/lib/ipsec/plugins/libstrongswan-pkcs1.so
/usr/lib/ipsec/plugins/libstrongswan-pkcs7.so
/usr/lib/ipsec/plugins/libstrongswan-pkcs8.so
/usr/lib/ipsec/plugins/libstrongswan-pkcs11.so
/usr/lib/ipsec/plugins/libstrongswan-pkcs12.so
/usr/lib/ipsec/plugins/libstrongswan-dnskey.so
/usr/lib/ipsec/plugins/libstrongswan-pubkey.so
/usr/lib/ipsec/plugins/libstrongswan-random.so
/usr/lib/ipsec/plugins/libstrongswan-openssl.so
/usr/lib/ipsec/plugins/libstrongswan-fips-prf.so
/usr/lib/ipsec/plugins/libstrongswan-curve25519.so
/usr/lib/ipsec/plugins/libstrongswan-revocation.so
/usr/lib/ipsec/plugins/libstrongswan-constraints.so
/usr/lib/ipsec/plugins/libstrongswan-agent.so
/usr/lib/ipsec/plugins/libstrongswan-sshkey.so
/usr/lib/ipsec/plugins/libstrongswan-mgf1.so
/usr/lib/ipsec/plugins/libstrongswan-bliss.so
/usr/lib/ipsec/plugins/libstrongswan-chapoly.so
/usr/lib/ipsec/plugins/libstrongswan-addrblock.so
/usr/lib/ipsec/plugins/libstrongswan-certexpire.so
/usr/lib/ipsec/plugins/libstrongswan-attr.so
/usr/lib/ipsec/plugins/libstrongswan-vici.so
/usr/lib/ipsec/plugins/libstrongswan-whitelist.so
/usr/lib/ipsec/plugins/libstrongswan-stroke.so
/usr/lib/ipsec/plugins/libstrongswan-systime-fix.so
/usr/lib/ipsec/plugins/libstrongswan-updown.so
/usr/lib/ipsec/plugins/libstrongswan-resolve.so
/usr/lib/ipsec/plugins/libstrongswan-counters.so
/usr/lib/ipsec/plugins/libstrongswan-coupling.so
/usr/lib/ipsec/plugins/libstrongswan-socket-default.so
/usr/lib/ipsec/plugins/libstrongswan-xauth-generic.so
/usr/lib/ipsec/plugins/libstrongswan-kernel-pfkey.so
/usr/lib/ipsec/plugins/libstrongswan-kernel-pfroute.so
/usr/lib/ipsec/plugins/libstrongswan-error-notify.so
/usr/lib/ipsec/plugins/libstrongswan-ext-auth.so
Example:
This example establishes and terminates an IPsec connection using strongSwan and io-sock.
It connects two QNX OS instances, Sun and Moon, which have the following IP addresses:
Moon: 192.0.2.10
Sun: 192.0.2.20
Use the following steps to set up Moon.
- Create the file strongswan.conf in /etc/. For example:
swanctl {
}
charon {
}
- Create the directory /etc/swanctl/ and add swanctl.conf to it. For example:
connections {
    host-host {
        local_addrs = 192.0.2.10
        remote_addrs = 192.0.2.20
        local {
            auth = psk
            id = 192.0.2.10
        }
        remote {
            auth = psk
            id = 192.0.2.20
        }
        children {
            host-host {
                esp_proposals = aes256-esn-noesn
                replay_window = 512
            }
        }
        version = 2
        proposals = aes128-sha256-modp1024
    }
}
secrets {
    ike-moon {
        id = 192.0.2.10
        secret = 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
    }
}
- Make sure that the strongSwan binaries are in the proper directories (see Directories, above).
- Make sure that io-sock is running and an appropriate driver is loaded.
- Use charon to start the strongSwan daemon. For example:
charon --use-syslog &
- Run swanctl with the following subcommand to load the connection configurations:
swanctl --load-conns
- Run swanctl with the following subcommand to load the credentials:
swanctl --load-creds
Repeat the previous steps for Sun, but use the following swanctl.conf:
connections {
    host-host {
        local_addrs = 192.0.2.20
        remote_addrs = 192.0.2.10
        local {
            auth = psk
            id = 192.0.2.20
        }
        remote {
            auth = psk
            id = 192.0.2.10
        }
        children {
            host-host {
                esp_proposals = aes256-esn-noesn
                replay_window = 512
            }
        }
        version = 2
        proposals = aes128-sha256-modp1024
    }
}
secrets {
    ike-moon {
        id = 192.0.2.10
        secret = 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
    }
}
To establish the connection between Moon and Sun, on Moon, run swanctl with the following subcommand and option:
swanctl --initiate --child host-host
To verify the connection, on either Sun or Moon, run swanctl with the following subcommand:
swanctl --list-sas
Example output from the verification:
host-host: #3, ESTABLISHED, IKEv2, 8f852fd4921c156f_i 68c5ff2775c43666_r*
  local  '192.0.2.10' @ 192.0.2.10[4500]
  remote '192.0.2.20' @ 192.0.2.20[4500]
  AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
  established 1975s ago, rekeying in 11587s
  host-host: #4, reqid 3, INSTALLED, TUNNEL, ESP:AES_CBC-256/ESN
    installed 429s ago, rekeying in 2955s, expires in 3531s
    in  c161043d,      0 bytes,     0 packets
    out c3db9127,      0 bytes,     0 packets
    local  192.0.2.10/32
    remote 192.0.2.20/32
On Moon, use ping to check that it can communicate with Sun through the tunnel. For example:
ping 192.0.2.20
Example output from the ping test:
PING 192.0.2.20 (192.0.2.20): 56 data bytes
64 bytes from 192.0.2.20: icmp_seq=0 ttl=64 time=5.183 ms
64 bytes from 192.0.2.20: icmp_seq=1 ttl=64 time=1.503 ms
64 bytes from 192.0.2.20: icmp_seq=2 ttl=64 time=1.656 ms
You can use tcpdump on Sun's interface to confirm that the ping traffic is carried as ESP rather than as plaintext ICMP, as in the following example output:
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on vtnet0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
...
14:25:17.736517 IP 192.0.2.10 > 192.0.2.20: ESP(spi=0xca574599,seq=0x6), length 120
14:25:17.739616 IP 192.0.2.20 > 192.0.2.10: ESP(spi=0xc467fa3d,seq=0x6), length 120
...
14:25:18.737286 IP 192.0.2.10 > 192.0.2.20: ESP(spi=0xca574599,seq=0x7), length 120
14:25:18.737922 IP 192.0.2.20 > 192.0.2.10: ESP(spi=0xc467fa3d,seq=0x7), length 120
On Moon, use swanctl with the following subcommand and option to terminate the connection:
swanctl --terminate --child host-host
To verify that the connection is terminated, on Moon, use swanctl with the following subcommand:
swanctl --list-sas
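The following Python script is an added example and is not part of the QNX or strongSwan documentation. It parses the text that swanctl --list-sas prints (the sample embedded in it is transcribed from the output above) and reports whether the host-host IKE SA and CHILD SA are up with the proposals configured in this example and, optionally, whether packets have actually traversed the tunnel, which distinguishes a tunnel that is merely up from one that traffic is bypassing. The names parse_list_sas and check_tunnel are chosen for this example, and the parser recognizes only the line layout shown on this page.

```python
import re
# Constructed sample transcribed from the `swanctl --list-sas` output above (child selectors omitted)
SAMPLE_LIST_SAS = """\
host-host: #3, ESTABLISHED, IKEv2, 8f852fd4921c156f_i 68c5ff2775c43666_r*
  local  '192.0.2.10' @ 192.0.2.10[4500]
  remote '192.0.2.20' @ 192.0.2.20[4500]
  AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
  established 1975s ago, rekeying in 11587s
  host-host: #4, reqid 3, INSTALLED, TUNNEL, ESP:AES_CBC-256/ESN
    installed 429s ago, rekeying in 2955s, expires in 3531s
    in  c161043d,      0 bytes,     0 packets
    out c3db9127,      0 bytes,     0 packets
"""
IKE_RE = re.compile(r"^(\S+): #\d+, (\w+), IKEv(\d)")            # top-level IKE SA line
CHILD_RE = re.compile(r"^\s+(\S+): #\d+, reqid \d+, (\w+), \w+, ESP(?: in UDP)?:(\S+)")
ALG_RE = re.compile(r"^\s+([A-Z0-9_]+-\d+/[A-Z0-9_/-]+)$")      # negotiated IKE algorithms
CTR_RE = re.compile(r"^\s+(in|out)\s+[0-9a-f]+,\s+(\d+) bytes,\s+(\d+) packets")

def parse_list_sas(text):
    sas, ike, child = {}, None, None  # child is None while reading IKE-level lines
    for line in text.splitlines():
        if m := IKE_RE.match(line):
            ike = sas.setdefault(m[1], {"state": m[2], "version": int(m[3]), "children": {}})
            child = None
        elif ike is None:
            continue  # ignore anything before the first IKE SA line
        elif m := CHILD_RE.match(line):
            child = ike["children"].setdefault(m[1], {"state": m[2], "esp": m[3], "in": (0, 0), "out": (0, 0)})
        elif child is None and (m := ALG_RE.match(line)):
            ike["ike_alg"] = m[1]
        elif child is not None and (m := CTR_RE.match(line)):
            child[m[1]] = (int(m[2]), int(m[3]))  # (bytes, packets) per direction
    return sas

def check_tunnel(text, conn="host-host", child="host-host", require_traffic=False,
                 ike_alg="AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024",
                 esp="AES_CBC-256/ESN"):
    if (ike := parse_list_sas(text).get(conn)) is None:
        return [f"no IKE SA named {conn!r} (connection down or terminated)"]
    out = []  # findings; an empty list means the tunnel is up as configured
    got = f"{ike['state']} IKEv{ike['version']} {ike.get('ike_alg')}"
    if got != f"ESTABLISHED IKEv2 {ike_alg}":
        out.append(f"IKE SA is {got}, expected ESTABLISHED IKEv2 {ike_alg}")
    ch = ike["children"].get(child, {"state": "MISSING", "esp": "none", "in": (0, 0), "out": (0, 0)})
    got = f"{ch['state']} ESP:{ch['esp']}"
    if got != f"INSTALLED ESP:{esp}":
        out.append(f"CHILD SA is {got}, expected INSTALLED ESP:{esp}")
    if require_traffic and min(ch["in"][1], ch["out"][1]) == 0:
        out.append(f"CHILD SA {child!r} has not carried packets in both directions")
    return out
```

Run check_tunnel on the output captured after --initiate (and, with require_traffic=True, after the ping); on the output captured after --terminate it reports that no IKE SA exists.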