diff options
| author | Bas van Dijk <v.dijk.bas@gmail.com> | 2017-08-05 14:01:52 +0200 |
|---|---|---|
| committer | Bas van Dijk <v.dijk.bas@gmail.com> | 2018-02-28 10:41:54 +0100 |
| commit | bd24b3addd46ff660d8ad6cc32a58aecd4715374 (patch) | |
| tree | 844b6c0319732d03be366a1bf85af526d5e8f4c9 /nixos/tests/strongswan-swanctl.nix | |
| parent | 04dd1987a3e9c28708d4cc69959b011f81d33a10 (diff) | |
| download | nixpkgs-bd24b3addd46ff660d8ad6cc32a58aecd4715374.tar nixpkgs-bd24b3addd46ff660d8ad6cc32a58aecd4715374.tar.gz nixpkgs-bd24b3addd46ff660d8ad6cc32a58aecd4715374.tar.bz2 nixpkgs-bd24b3addd46ff660d8ad6cc32a58aecd4715374.tar.lz nixpkgs-bd24b3addd46ff660d8ad6cc32a58aecd4715374.tar.xz nixpkgs-bd24b3addd46ff660d8ad6cc32a58aecd4715374.tar.zst nixpkgs-bd24b3addd46ff660d8ad6cc32a58aecd4715374.zip | |
nixos: add the strongswan-swanctl service
The strongswan-swanctl systemd service starts charon-systemd. This implements a IKE daemon very similar to charon, but it's specifically designed for use with systemd. It uses the systemd libraries for a native integration. Instead of using starter and an ipsec.conf based configuration, the daemon is directly managed by systemd and configured with the swanctl configuration backend. See: https://wiki.strongswan.org/projects/strongswan/wiki/Charon-systemd Note that the strongswan.conf and swantctl.conf configuration files are automatically generated based on NixOS options under services.strongswan-swanctl.strongswan and services.strongswan-swanctl.swanctl respectively.
Diffstat (limited to 'nixos/tests/strongswan-swanctl.nix')
| -rw-r--r-- | nixos/tests/strongswan-swanctl.nix | 154 |
1 files changed, 154 insertions, 0 deletions
diff --git a/nixos/tests/strongswan-swanctl.nix b/nixos/tests/strongswan-swanctl.nix new file mode 100644 index 00000000000..14be2b9f220 --- /dev/null +++ b/nixos/tests/strongswan-swanctl.nix @@ -0,0 +1,154 @@ +# This strongswan-swanctl test is based on: +# https://www.strongswan.org/testing/testresults/swanctl/rw-psk-ipv4/index.html +# https://github.com/strongswan/strongswan/tree/master/testing/tests/swanctl/rw-psk-ipv4 +# +# The roadwarrior carol sets up a connection to gateway moon. The authentication +# is based on pre-shared keys and IPv4 addresses. Upon the successful +# establishment of the IPsec tunnels, the specified updown script automatically +# inserts iptables-based firewall rules that let pass the tunneled traffic. In +# order to test both tunnel and firewall, carol pings the client alice behind +# the gateway moon. +# +# alice moon carol +# eth1------vlan_0------eth1 eth2------vlan_1------eth1 +# 192.168.0.1 192.168.0.3 192.168.1.3 192.168.1.2 +# +# See the NixOS manual for how to run this test: +# https://nixos.org/nixos/manual/index.html#sec-running-nixos-tests-interactively + +import ./make-test.nix ({ pkgs, ...} : + +let + ifAddr = node: iface: (pkgs.lib.head node.config.networking.interfaces.${iface}.ip4).address; + + allowESP = "iptables --insert INPUT --protocol ESP --jump ACCEPT"; + + # Shared VPN settings: + vlan0 = "192.168.0.0/24"; + version = 2; + secret = "0sFpZAZqEN6Ti9sqt4ZP5EWcqx"; + esp_proposals = [ "aes128gcm128-x25519" ]; + proposals = [ "aes128-sha256-x25519" ]; +in { + name = "strongswan-swanctl"; + meta.maintainers = with pkgs.stdenv.lib.maintainers; [ basvandijk ]; + nodes = { + + alice = { nodes, ... } : { + virtualisation.vlans = [ 0 ]; + networking = { + dhcpcd.enable = false; + defaultGateway = ifAddr nodes.moon "eth1"; + }; + }; + + moon = {pkgs, config, nodes, ...} : + let + carolIp = ifAddr nodes.carol "eth1"; + moonIp = ifAddr nodes.moon "eth2"; + strongswan = config.services.strongswan-swanctl.package; + in { + virtualisation.vlans = [ 0 1 ]; + networking = { + dhcpcd.enable = false; + firewall = { + allowedUDPPorts = [ 4500 500 ]; + extraCommands = allowESP; + }; + nat = { + enable = true; + internalIPs = [ vlan0 ]; + internalInterfaces = [ "eth1" ]; + externalIP = moonIp; + externalInterface = "eth2"; + }; + }; + environment.systemPackages = [ strongswan ]; + services.strongswan-swanctl = { + enable = true; + swanctl = { + connections = { + "rw" = { + local_addrs = [ moonIp ]; + local."main" = { + auth = "psk"; + }; + remote."main" = { + auth = "psk"; + }; + children = { + "net" = { + local_ts = [ vlan0 ]; + updown = "${strongswan}/libexec/ipsec/_updown iptables"; + inherit esp_proposals; + }; + }; + inherit version; + inherit proposals; + }; + }; + secrets = { + ike."carol" = { + id."main" = carolIp; + inherit secret; + }; + }; + }; + }; + }; + + carol = {pkgs, config, nodes, ...} : + let + carolIp = ifAddr nodes.carol "eth1"; + moonIp = ifAddr nodes.moon "eth2"; + strongswan = config.services.strongswan-swanctl.package; + in { + virtualisation.vlans = [ 1 ]; + networking = { + dhcpcd.enable = false; + firewall.extraCommands = allowESP; + }; + environment.systemPackages = [ strongswan ]; + services.strongswan-swanctl = { + enable = true; + swanctl = { + connections = { + "home" = { + local_addrs = [ carolIp ]; + remote_addrs = [ moonIp ]; + local."main" = { + auth = "psk"; + id = carolIp; + }; + remote."main" = { + auth = "psk"; + id = moonIp; + }; + children = { + "home" = { + remote_ts = [ vlan0 ]; + start_action = "trap"; + updown = "${strongswan}/libexec/ipsec/_updown iptables"; + inherit esp_proposals; + }; + }; + inherit version; + inherit proposals; + }; + }; + secrets = { + ike."moon" = { + id."main" = moonIp; + inherit secret; + }; + }; + }; + }; + }; + + }; + testScript = '' + startAll(); + $carol->waitUntilSucceeds("ping -c 1 alice"); + ''; +}) |