strongSwan

Add IPsec encryption and authentication

Runs on:

Linux, Microsoft Windows, QNX OS

Description:

QNX OS provides strongSwan version 5.8.2, which allows you to secure IP traffic in policy- and route-based IPsec scenarios. For full information on its use, see the strongSwan documentation: https://wiki.strongswan.org/projects/strongswan/wiki/UserDocumentation (the archive that includes documentation for pre-5.9 versions of strongSwan).

Plugins:

For QNX OS, the following strongSwan plugins are enabled.

libstrongswan plugins: acert, aes, aesni, agent, attr, bliss, ccm, chapoly, cmac, constraints, ctr, curve25519, des, dnskey, drbg, fips-prf, gcm, hmac, md5, mgf1, nonce, openssl, pem, pgp, pkcs1, pkcs7, pkcs8, pkcs11, pkcs12, pubkey, random, rc2, rdrand, revocation, sha1, sha2, sha3, sshkey, x509, xcbc.

libcharon plugins: addrblock, attr, certexpire, counters, coupling, error-notify, ext-auth, kernel-pfkey, kernel-pfroute, resolve, socket-default, stroke, systime-fix, updown, vici, whitelist, xauth-generic.

Supported algorithms:

QNX OS works with the standard set of strongSwan algorithms, and has extended support for some additional ones.

Use the following swanctl subcommand to list loaded algorithms and their implementation.

swanctl --list-algs

Management tools:

You can communicate with charon via:
  • the ipsec command (based on stroke),
  • the swanctl command (based on vici), or
  • VICI client functionality integrated into your application (based on davici, provided with QNX OS).

Directories:

The strongSwan binaries are installed in the following locations:

/usr/sbin/charon
/usr/sbin/starter
/usr/sbin/stroke
/usr/sbin/ipsec
/usr/sbin/swanctl
/usr/bin/pki
/usr/lib/ipsec/libcharon.so.0
/usr/lib/ipsec/libstrongswan.so.0
/usr/lib/ipsec/libvici.so.0
/usr/lib/ipsec/libnttfft.so.0
/usr/lib/ipsec/plugins/error-notify
/usr/lib/ipsec/plugins/whitelist
/usr/lib/ipsec/plugins/bliss_huffman
/usr/lib/ipsec/plugins/libstrongswan-acert.so
/usr/lib/ipsec/plugins/libstrongswan-aesni.so
/usr/lib/ipsec/plugins/libstrongswan-rdrand.so
/usr/lib/ipsec/plugins/libstrongswan-aes.so
/usr/lib/ipsec/plugins/libstrongswan-ccm.so
/usr/lib/ipsec/plugins/libstrongswan-ctr.so
/usr/lib/ipsec/plugins/libstrongswan-des.so
/usr/lib/ipsec/plugins/libstrongswan-gcm.so
/usr/lib/ipsec/plugins/libstrongswan-md5.so
/usr/lib/ipsec/plugins/libstrongswan-pem.so
/usr/lib/ipsec/plugins/libstrongswan-pgp.so
/usr/lib/ipsec/plugins/libstrongswan-rc2.so
/usr/lib/ipsec/plugins/libstrongswan-cmac.so
/usr/lib/ipsec/plugins/libstrongswan-drbg.so
/usr/lib/ipsec/plugins/libstrongswan-hmac.so
/usr/lib/ipsec/plugins/libstrongswan-sha1.so
/usr/lib/ipsec/plugins/libstrongswan-sha2.so
/usr/lib/ipsec/plugins/libstrongswan-sha3.so
/usr/lib/ipsec/plugins/libstrongswan-x509.so
/usr/lib/ipsec/plugins/libstrongswan-xcbc.so
/usr/lib/ipsec/plugins/libstrongswan-nonce.so
/usr/lib/ipsec/plugins/libstrongswan-pkcs1.so
/usr/lib/ipsec/plugins/libstrongswan-pkcs7.so
/usr/lib/ipsec/plugins/libstrongswan-pkcs8.so
/usr/lib/ipsec/plugins/libstrongswan-pkcs11.so
/usr/lib/ipsec/plugins/libstrongswan-pkcs12.so
/usr/lib/ipsec/plugins/libstrongswan-dnskey.so
/usr/lib/ipsec/plugins/libstrongswan-pubkey.so
/usr/lib/ipsec/plugins/libstrongswan-random.so
/usr/lib/ipsec/plugins/libstrongswan-openssl.so
/usr/lib/ipsec/plugins/libstrongswan-fips-prf.so
/usr/lib/ipsec/plugins/libstrongswan-curve25519.so
/usr/lib/ipsec/plugins/libstrongswan-revocation.so
/usr/lib/ipsec/plugins/libstrongswan-constraints.so
/usr/lib/ipsec/plugins/libstrongswan-agent.so
/usr/lib/ipsec/plugins/libstrongswan-sshkey.so
/usr/lib/ipsec/plugins/libstrongswan-mgf1.so
/usr/lib/ipsec/plugins/libstrongswan-bliss.so
/usr/lib/ipsec/plugins/libstrongswan-chapoly.so
/usr/lib/ipsec/plugins/libstrongswan-addrblock.so
/usr/lib/ipsec/plugins/libstrongswan-certexpire.so
/usr/lib/ipsec/plugins/libstrongswan-attr.so
/usr/lib/ipsec/plugins/libstrongswan-vici.so
/usr/lib/ipsec/plugins/libstrongswan-whitelist.so
/usr/lib/ipsec/plugins/libstrongswan-stroke.so
/usr/lib/ipsec/plugins/libstrongswan-systime-fix.so
/usr/lib/ipsec/plugins/libstrongswan-updown.so
/usr/lib/ipsec/plugins/libstrongswan-resolve.so
/usr/lib/ipsec/plugins/libstrongswan-counters.so
/usr/lib/ipsec/plugins/libstrongswan-coupling.so
/usr/lib/ipsec/plugins/libstrongswan-socket-default.so
/usr/lib/ipsec/plugins/libstrongswan-xauth-generic.so
/usr/lib/ipsec/plugins/libstrongswan-kernel-pfkey.so
/usr/lib/ipsec/plugins/libstrongswan-kernel-pfroute.so
/usr/lib/ipsec/plugins/libstrongswan-error-notify.so
/usr/lib/ipsec/plugins/libstrongswan-ext-auth.so

Example:

This example establishes and terminates an IPsec connection using strongSwan and io-sock.

It connects two QNX OS instances, Sun and Moon, which have the following IP addresses:

Moon: 192.0.2.10

Sun: 192.0.2.20

Use the following steps to set up Moon.

  1. Create the file strongswan.conf in /etc/. For example:
    swanctl {
    }
    charon {
    }

  2. Create the directory /etc/swanctl/ and add to it swanctl.conf. For example:
    connections {
        host-host {
            local_addrs = 192.0.2.10
            remote_addrs = 192.0.2.20
            local {
                auth = psk
                id = 192.0.2.10
            }
            remote {
                auth = psk
                id = 192.0.2.20
            }
            children {
                host-host {
                    esp_proposals = aes256-esn-noesn
                    replay_window = 512
                }
            }
            version = 2
            proposals = aes128-sha256-modp1024
        }
    }
    secrets {
        ike-moon {
            id = 192.0.2.10
            secret = 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
        }
    }

  3. Make sure that the strongSwan binaries are in the proper directories (see Directories).
  4. Make sure that io-sock is running and an appropriate driver is loaded.
  5. Use charon to start the strongSwan daemon. For example:
    charon --use-syslog &
  6. Run swanctl with the following subcommand to load the connection configurations:
    swanctl --load-conns
  7. Run swanctl with the following subcommand to load the credentials:
    swanctl --load-creds

Repeat the previous steps for Sun, but use the following swanctl.conf:

connections {
    host-host {
        local_addrs = 192.0.2.20
        remote_addrs = 192.0.2.10
        local {
            auth = psk
            id = 192.0.2.20
        }
        remote {
            auth = psk
            id = 192.0.2.10
        }
        children {
            host-host {
                esp_proposals = aes256-esn-noesn
                replay_window = 512
            }
        }
        version = 2
        proposals = aes128-sha256-modp1024
    }
}
secrets {
    ike-moon {
        id = 192.0.2.10
        secret = 0sFpZAZqEN6Ti9sqt4ZP5EWcqx
    }
}

To establish the connection between Moon and Sun, on Moon, run swanctl with the following subcommand and option:

swanctl --initiate --child host-host

To verify the connection, on either Sun or Moon, run swanctl with the following subcommand:

swanctl --list-sas

Example output from the verification:

host-host: #3, ESTABLISHED, IKEv2, 8f852fd4921c156f_i 68c5ff2775c43666_r*
    local  '192.0.2.10' @ 192.0.2.10[4500]
    remote '192.0.2.20' @ 192.0.2.20[4500]
    AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
    established 1975s ago, rekeying in 11587s
    host-host: #4, reqid 3, INSTALLED, TUNNEL, ESP:AES_CBC-256/ESN
        installed 429s ago, rekeying in 2955s, expires in 3531s
        in  c161043d,      0 bytes,     0 packets
        out c3db9127,      0 bytes,     0 packets
        local  192.0.2.10/32
        remote 192.0.2.20/32
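
As an added check, not part of the QNX documentation or of strongSwan's own tooling, the following Python parses the swanctl --list-sas output shown above and reports what a defender would verify after the connection comes up: that the IKE SA is ESTABLISHED, which DH group it negotiated, and whether each child SA's installed ESP transform lists an integrity algorithm (the output above shows AES_CBC-256/ESN with none). The sample text is the page's output embedded as a constant, and the transform-name prefixes it matches are strongSwan's naming.

```python
import re
# Constructed sample: the swanctl --list-sas output from this page, embedded so the check runs offline.
SAMPLE = """\
host-host: #3, ESTABLISHED, IKEv2, 8f852fd4921c156f_i 68c5ff2775c43666_r*
    local  '192.0.2.10' @ 192.0.2.10[4500]
    remote '192.0.2.20' @ 192.0.2.20[4500]
    AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
    established 1975s ago, rekeying in 11587s
    host-host: #4, reqid 3, INSTALLED, TUNNEL, ESP:AES_CBC-256/ESN
        installed 429s ago, rekeying in 2955s, expires in 3531s
        in  c161043d,      0 bytes,     0 packets
        out c3db9127,      0 bytes,     0 packets
        local  192.0.2.10/32
        remote 192.0.2.20/32
"""
IKE_RE = re.compile(r"^(\S+): #(\d+), (\w+), (IKEv\d),")
CHILD_RE = re.compile(r"^\s+(\S+): #(\d+), reqid (\d+), (\w+), (\w+), ESP:(\S+)")
COUNTER_RE = re.compile(r"^\s+(in|out)\s+([0-9a-f]+),\s+(\d+) bytes,\s+(\d+) packets")
# strongSwan names for transforms that provide integrity: MACs and AEAD ciphers.
INTEG_PREFIXES = ("HMAC_", "AES_XCBC", "AES_CMAC", "AES_GCM", "AES_CCM", "CHACHA20_POLY1305")
WEAK_DH = ("MODP_768", "MODP_1024", "MODP_1536")
def parse_list_sas(text):
    """Turn swanctl --list-sas text into a list of IKE SA dicts, each carrying its child SAs."""
    sas, ike, child = [], None, None
    for line in text.splitlines():
        if m := IKE_RE.match(line):
            ike = {"name": m[1], "id": int(m[2]), "state": m[3], "version": m[4],
                   "proposal": None, "children": []}
            sas.append(ike)
        elif (m := CHILD_RE.match(line)) and ike:
            child = {"name": m[1], "id": int(m[2]), "reqid": int(m[3]), "state": m[4],
                     "mode": m[5], "esp": m[6].split("/"), "in": None, "out": None}
            ike["children"].append(child)
        elif (m := COUNTER_RE.match(line)) and child:
            child[m[1]] = {"spi": m[2], "bytes": int(m[3]), "packets": int(m[4])}
        elif ike and ike["proposal"] is None and "/" in line and " " not in line.strip():
            ike["proposal"] = line.strip().split("/")  # the IKE SA's negotiated transforms
    return sas

def check_sa(ike):
    """Return the findings a defender would act on for one parsed IKE SA."""
    findings = []
    if ike["state"] != "ESTABLISHED":
        findings.append(f"IKE SA #{ike['id']} is {ike['state']}, not ESTABLISHED")
    if ike["proposal"] and ike["proposal"][-1] in WEAK_DH:
        findings.append(f"IKE SA #{ike['id']}: weak DH group {ike['proposal'][-1]}")
    for c in ike["children"]:
        if not any(a.startswith(INTEG_PREFIXES) for a in c["esp"]):
            findings.append(f"child #{c['id']} ({c['name']}): ESP {'/'.join(c['esp'])} lists no integrity algorithm")
    return findings
```

Feed it the live output (for example, the text of swanctl --list-sas captured on Moon or Sun) to check a real SA against the same policy.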

On Moon, use ping to check that it can communicate with Sun. For example:

ping 192.0.2.20

Example output from the ping test:

PING 192.0.2.20 (192.0.2.20): 56 data bytes
64 bytes from 192.0.2.20: icmp_seq=0 ttl=64 time=5.183 ms
64 bytes from 192.0.2.20: icmp_seq=1 ttl=64 time=1.503 ms
64 bytes from 192.0.2.20: icmp_seq=2 ttl=64 time=1.656 ms

You can use tcpdump to examine the connection's traffic at Sun's interface. Example output:

tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on vtnet0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
...
14:25:17.736517 IP 192.0.2.10 > 192.0.2.20: ESP(spi=0xca574599,seq=0x6), length 120
14:25:17.739616 IP 192.0.2.20 > 192.0.2.10: ESP(spi=0xc467fa3d,seq=0x6), length 120
...
14:25:18.737286 IP 192.0.2.10 > 192.0.2.20: ESP(spi=0xca574599,seq=0x7), length 120
14:25:18.737922 IP 192.0.2.20 > 192.0.2.10: ESP(spi=0xc467fa3d,seq=0x7), length 120

On Moon, use swanctl with the following subcommand and option to terminate the connection:

swanctl --terminate --child host-host

To verify that the connection is terminated, on Moon, use swanctl with the following subcommand:

swanctl --list-sas