Skip to content

pengwenxing/strongswan-gmalg-merge

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Strongswan with GM algorithm integration

Acknowledgement

The most part of the GM algorithm and integrate modification is contributed by Zhangke, code base is at zhangke5959/strongswan.

And also thanks to:

Allen Lee and his contribution

Lin Chen and his commit 40eefd8,214cb34e

In this repo, we merged the integrate modification to the strongswan master branch and fixed some code bug reported by the complier, so the GM algorithm can be integrated with latest strongswan release.

Also, you may refer strongswan orginal README, if needed.

Build essential

For success build, the following essential build environment shall be satisfied :

  • For Debian/Ubuntu
apt install build-essential autoconf libtool pkg-config gettext perl python flex bison gperf libgmp-dev libssl-dev

Build & Install

Currently, the strongswan with Chinese SM2\SM3\SM4 algorithm is not officially supported by the maintainer nor widely tested, to avoid conflict with the official bin installation , we suggest install strongswan-gmalg in specified directory

./autogen.sh
./build.sh linux /opt/ss-gmalg

The build & install step shall be executed on both server or client platform (If required)

Prepare the certificate

According to GB/T 36968-2018 requirement, the participant of the peers shall be identified by the SM2 certificate during IKE negotiation

cd /opt/ss-gmalg

#For CA private key
bin/pki --gen --type sm2 --outform pem > etc/swanctl/private/ca.key.pem

#For self-signed CA certificate
bin/pki --self --in etc/swanctl/private/ca.key.pem --type sm2 --digest sm3 --dn "C=Country, O=Company Name, CN=Unit Name" --ca --lifetime 3650 --outform pem > etc/swanctl/x509ca/ca.cert.pem

#For VPN server private key
bin/pki --gen --type sm2 --outform pem > etc/swanctl/private/server.key.pem

#For VPN server public key
#Not sure whether the public key is used or not
bin/pki --pub --type sm2 --in etc/swanctl/private/server.key.pem --outform pem > etc/swanctl/pubkey/server.pub.key.pem

#For VPN server certificate key
bin/pki --req --in etc/swanctl/private/server.key.pem --type sm2 --dn "C=Country, O=Company Name, CN=Unit Name" --digest sm3 --outform pem | bin/pki --issue --type pkcs10 --digest sm3 --lifetime 1200 --cacert etc/swanctl/x509ca/ca.cert.pem --cakey etc/swanctl/private/ca.key.pem --flag serverAuth --flag ikeIntermediate --outform pem  --san="Alt name for server" > etc/swanctl/x509/server.cert.pem

#For client private key [Testing purpose only,the client private key shall be generated by client itself]
bin/pki --gen --type sm2 --outform pem > /tmp/client.key.pem
bin/pki --req --in /tmp/client.key.pem --type sm2 --dn "C=Country, O=Company Name, CN=End Entity Name" --digest sm3 --outform pem | bin/pki --issue --type pkcs10 --digest sm3 --lifetime 1200 --cacert etc/swanctl/x509ca/ca.cert.pem --cakey etc/swanctl/private/ca.key.pem --outform pem  --san="Alt name for end entity" > /tmp/client.cert.pem

Test & Run

  1. Prepare the certificate for the Client or End Entity

    Copy the certificate generated by preceding procedure /tmp/client.key.pem and /tmp/client.cert.pem to strongswan installation directory, which shall be ./etc/swanctl/private/ and ./etc/swanctl/x509/

    Copy the CA certifacate, from server /opt/ss-gmalg/etc/swanctl/x509ca/ca.cert.pem into client ca directory like ./etc/swanctl/x509ca/ca.cert.pem

    NOTE . stands for installation dir

  2. Start the charon daemon on both server and client

    libexec/ipsec/charon > /var/log/charon.log 2>&1 &
  3. Prepare the connect configuration

    • Network structure

      Set up between the two gateways:

         10.0.0.0/24 -- | server.wanip | === | client.lanip | -- 172.26.48.0/20
         server-lan          server                 client           client-lan
      

      In this scenario we assume two security gateways server and client will connect the two subnets server-lan and client-lan with each other through a VPN tunnel,and the client is behind a NAT network.

      Also, the server also has a server.lanip which belongs to 10.0.0.0/24.

    • On server side

      Edit /opt/ss-gmalg/etc/swanctl/conf.d/server.conf, add following:

      connections {
          gw-ent1 {
              proposals = sm4cbc-sm3-sm2dh
      
              local {
                  auth = pubkey
                  id = "Alt name for server"
                  certs = server.cert.pem
              }
              remote {
                  auth = pubkey
                  id = "Alt name for end entity"
              }
              children {
                  gw-ent1 {
                      local_ts  = 10.0.0.0/24
                      remote_ts = 172.26.48.0/20
                      esp_proposals = sm4cbc-sm3-sm2dh
                      updown = /opt/ss-gmalg/libexec/ipsec/_updown iptables
                  }
              }
          }
      }
      
    • On client side

      Edit /opt/ss-gmalg/etc/swanctl/conf.d/client.conf, add following:

      connections {
          gw-ent1 {
              proposals = sm4cbc-sm3-sm2dh
      
              remote_addrs = your.server.wan.ip
      
              local {
                  auth = pubkey
                  id = "Alt name for end entity"
                  certs = client.cert.pem
              }
              remote {
                  auth = pubkey
                  id = "Alt name for server"
              }
              children {
                  gw-ent1 {
                      remote_ts  = 10.0.0.0/24
                      local_ts = 172.26.48.0/20
                      esp_proposals = sm4cbc-sm3-sm2dh
                      updown = /opt/ss-gmalg/libexec/ipsec/_updown iptables
                  }
              }
          }
      }
      

    Note: /opt/ss-gmalg shall be replaced by actual installation path

  4. Load server connection config and inspect log

    • Try

      /opt/ss-gmalg/sbin/swanctl --load-all --clear
    • Success output

      loaded certificate from '/opt/ss-gmalg/etc/swanctl/x509/server.cert.pem'
      loaded certificate from '/opt/ss-gmalg/etc/swanctl/x509ca/ca.cert.pem'
      loaded certificate from '/opt/ss-gmalg/etc/swanctl/pubkey/server.pub.key.pem'
      loaded SM2 key from '/opt/ss-gmalg/etc/swanctl/private/ca.key.pem'
      loaded SM2 key from '/opt/ss-gmalg/etc/swanctl/private/server.key.pem'
      no authorities found, 0 unloaded
      no pools found, 0 unloaded
      loaded connection 'gw-ent1'
      successfully loaded 1 connections, 0 unloaded
    • Inspect logs

      /opt/ss-gmalg/sbin/swanctl -T
  5. Load connection config and initiate connection

    • Try

      /opt/ss-gmalg/sbin/swanctl --load-all --clear
    • Success output

      loaded certificate from '/opt/ss-gmalg/etc/swanctl/x509/client.cert.pem'
      loaded certificate from '/opt/ss-gmalg/etc/swanctl/x509ca/ca.cert.pem'
      loaded SM2 key from '/opt/ss-gmalg/etc/swanctl/private/client.key.pem'
      no authorities found, 0 unloaded
      no pools found, 0 unloaded
      loaded connection 'gw-ent1'
      successfully loaded 1 connections, 0 unloaded
    • Try

      /opt/ipsec/sbin/swanctl -i --child gw-ent1
    • Client success output

      [IKE] initiating IKE_SA gw-ent1[17] to your.server.wan.ip
      [ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
      [NET] sending packet: from your.client.lan.ip[500] to your.server.wan.ip[500] (274 bytes)
      [NET] received packet: from your.server.wan.ip[500] to your.client.lan.ip[500] (307 bytes)
      [ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
      [CFG] selected proposal: IKE:SM4_CBC_128/HMAC_SM3/PRF_HMAC_SM3/CURVE_SM2
      [IKE] local host is behind NAT, sending keep alives
      [IKE] remote host is behind NAT
      [IKE] received cert request for "C=Country, O=Company Name, CN=End Entity Name"
      [IKE] sending cert request for "C=Country, O=Company Name, CN=Unit Name"
      [IKE] sending cert request for "C=cn, O=haoyuanee, CN=VPN CA"
      [IKE] authentication of 'Alt name for end entity' (myself) with SM2_WITH_SM3 successful
      [IKE] sending end entity cert "C=Country, O=Company Name, CN=End Entity Name"
      [IKE] establishing CHILD_SA gw-ent1{29}
      [ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
      [NET] sending packet: from your.client.lan.ip[4500] to your.server.wan.ip[4500] (864 bytes)
      [NET] received packet: from your.server.wan.ip[4500] to your.client.lan.ip[4500] (816 bytes)
      [ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
      [IKE] received end entity cert "C=Country, O=Company Name, CN=Unit Name"
      [CFG]   using certificate "C=Country, O=Company Name, CN=Unit Name"
      [CFG]   using trusted ca certificate "C=Country, O=Company Name, CN=Unit Name"
      [CFG] checking certificate status of "C=Country, O=Company Name, CN=Unit Name"
      [CFG] certificate status is not available
      [CFG]   reached self-signed root ca with a path length of 0
      [IKE] authentication of 'Alt name for server' with SM2_WITH_SM3 successful
      [IKE] IKE_SA gw-ent1[17] established between your.client.lan.ip[Alt name for end entity]...your.server.wan.ip[Alt name for server]
      [IKE] scheduling rekeying in 13655s
      [IKE] maximum IKE_SA lifetime 15095s
      [CFG] selected proposal: ESP:SM4_CBC_128/HMAC_SM3/NO_EXT_SEQ
      [IKE] CHILD_SA gw-ent1{29} established with SPIs e59b16ff_i 4a46d97b_o and TS 172.26.48.0/20 === 10.0.0.0/24
      initiate completed successfully
      
    • Log on server side expected

      11[NET] received packet: from your.client.wan.ip[2712] to you.actual.server.lanip[500] (274 bytes)
      11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
      11[IKE] your.client.wan.ip is initiating an IKE_SA
      11[CFG] selected proposal: IKE:SM4_CBC_128/HMAC_SM3/PRF_HMAC_SM3/CURVE_SM2
      11[IKE] local host is behind NAT, sending keep alives
      11[IKE] remote host is behind NAT
      11[IKE] sending cert request for "C=Country, O=Company Name, CN=Unit Name"
      11[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
      11[NET] sending packet: from you.actual.server.lanip[500] to your.client.wan.ip[2712] (307 bytes)
      09[NET] received packet: from your.client.wan.ip[3016] to you.actual.server.lanip[4500] (864 bytes)
      09[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
      09[IKE] received cert request for "C=Country, O=Company Name, CN=Unit Name"
      09[IKE] received cert request for "C=Country, O=Company Name, CN=Unit Name"
      09[IKE] received end entity cert "C=Country, O=Company Name, CN=End Entity Name"
      09[CFG] looking for peer configs matching you.actual.server.lanip[Alt name for server]...your.client.wan.ip[Alt name for end entity]
      09[CFG] selected peer config 'gw-ent1'
      09[CFG]   using certificate "C=Country, O=Company Name, CN=End Entity Name"
      09[CFG]   using trusted ca certificate "C=Country, O=Company Name, CN=Unit Name"
      09[CFG] checking certificate status of "C=Country, O=Company Name, CN=End Entity Name"
      09[CFG] certificate status is not available
      09[CFG]   reached self-signed root ca with a path length of 0
      09[IKE] authentication of 'Alt name for end entity' with SM2_WITH_SM3 successful
      09[IKE] peer supports MOBIKE
      09[IKE] authentication of 'Alt name for server' (myself) with SM2_WITH_SM3 successful
      09[IKE] IKE_SA gw-ent1[5] established between you.actual.server.lanip[Alt name for server]...your.client.wan.ip[Alt name for end entity]
      09[IKE] scheduling rekeying in 12989s
      09[IKE] maximum IKE_SA lifetime 14429s
      09[IKE] sending end entity cert "C=Country, O=Company Name, CN=Unit Name"
      09[CFG] selected proposal: ESP:SM4_CBC_128/HMAC_SM3/NO_EXT_SEQ
      09[IKE] CHILD_SA gw-ent1{11} established with SPIs 4a46d97b_i e59b16ff_o and TS 10.0.0.0/24 === 172.26.48.0/20
      09[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
      09[NET] sending packet: from you.actual.server.lanip[4500] to your.client.wan.ip[3016] (816 bytes)
      14[IKE] sending keep alive to your.client.wan.ip[3016]
      12[IKE] sending keep alive to your.client.wan.ip[3016]
      
    • Now you may try ping you.actual.server.lanip from client side

      ping you.actual.server.lanip
    • Or ping your.client.lan.ip from the server side

      ping you.actual.server.lanip
  6. If you want to access the lan behind the gateway, you shall add static route to your gateway's router, route server-lan to client-ip or/and route client-lan to server,lanip

Releases

No releases published

Packages

No packages published

Languages

  • C 84.1%
  • Roff 7.1%
  • Shell 3.7%
  • Java 2.3%
  • Makefile 1.3%
  • M4 0.5%
  • Other 1.0%