Reinitiation of lost Child SAs (#21)

Lots of work went into this change, but the important part is the --enable-reinitiator part. This feature allows strong-duckling to initiate the missing connection when it's not there. To make this work the following improvements were made: * support for better examples, which are focused on testing cases * new example for reconnection * solving issues with the vici implementation * introducing multiple IKESAStatusReceivers, previously known as reporter(s)
lunarway · May 7, 2020 · c11b075 · c11b075
1 parent d5811fe
commit c11b075
Show file tree

Hide file tree

Showing 35 changed files with 772 additions and 246 deletions.
diff --git a/Makefile b/Makefile
@@ -21,4 +21,4 @@ build:
 MOCKERY_ARGS=-case=underscore -inpkg -testonly
 generate/mock:
 	go get github.com/vektra/mockery/.../
-	mockery $(MOCKERY_ARGS) -dir internal/strongswan -name .*Reporter
+	mockery $(MOCKERY_ARGS) -dir internal/strongswan -name .*IKESAStatusReceiver
diff --git a/docker-compose.yaml b/docker-compose.yaml
@@ -11,14 +11,13 @@ services:
       VPN_LOCAL_NETWORK: 10.101.0.1
       VPN_REMOTE_PEER: strongswan2
       VPN_REMOTE_NETWORK: 10.102.0.1
-      STRONG_DUCKLING_ARGS: "--listen :8000 --tcp-checker nodejs:10.101.0.1:8090 --vici-socket /var/run/charon.vici"
     volumes:
       - type: bind
         source: ./strong-duckling-linux
         target: /strong-duckling
-    ports:
-      - 9001:8000
-      - 9002:8080
+      - type: bind
+        source: ./examples/${EXAMPLE}/left/
+        target: /config
   strongswan2:
     build:
       context: strongswan
@@ -30,14 +29,13 @@ services:
       VPN_LOCAL_NETWORK: 10.102.0.1
       VPN_REMOTE_PEER: strongswan1
       VPN_REMOTE_NETWORK: 10.101.0.1
-      STRONG_DUCKLING_ARGS: "--listen :8000 --tcp-checker 10.101.0.1:8090 --vici-socket /var/run/charon.vici"
-    ports:
-      - 10001:8000
-      - 10002:8080
     volumes:
       - type: bind
         source: ./strong-duckling-linux
         target: /strong-duckling
+      - type: bind
+        source: ./examples/${EXAMPLE}/right
+        target: /config
 
   prometheus:
     image: prom/prometheus:v2.15.2

diff --git a/examples/reconnect/left/supervisord.conf b/examples/reconnect/left/supervisord.conf
@@ -0,0 +1,26 @@
+[supervisorctl]
+serverurl=unix:///var/run/supervisor.sock
+
+[include]
+files=/supervisord-base.conf /supervisord-strong-duckling-restarter.conf
+
+[program:charon]
+command=/prefix-log /usr/sbin/charon-systemd
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+
+[program:strong-duckling]
+command=/prefix-log /strong-duckling --listen :8000 --enable-reinitiator --vici-socket /var/run/charon.vici
+autostart=false
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+
+[program:initialize-script]
+command=bash -c "sleep 2; /usr/sbin/swanctl --load-all --noprompt"
+startsecs=0
+autorestart=false
+startretries=1
diff --git a/examples/reconnect/left/swanctl.conf b/examples/reconnect/left/swanctl.conf
@@ -0,0 +1,43 @@
+connections {
+  gw-gw {
+    local_addrs  = {{ .Env.IP }},{{ .Env.VPN_LOCAL_PEER }}
+    remote_addrs = {{ .Env.VPN_REMOTE_PEER }}
+
+    local {
+      auth = psk
+      id = {{ .Env.VPN_LOCAL_PEER }}
+    }
+    remote {
+      auth = psk
+      id = {{ .Env.VPN_REMOTE_PEER }}
+    }
+    children {
+      net-net-0 {
+        local_ts = {{ .Env.VPN_LOCAL_NETWORK }}/32
+        remote_ts = {{ .Env.VPN_REMOTE_NETWORK }}/32
+        updown = /usr/libexec/ipsec/_updown iptables
+
+        rekey_time = 5400
+        rekey_bytes = 500000000
+        rekey_packets = 1000000
+        esp_proposals = aes256-sha256-ecp384
+
+        start_action = start
+        close_action = start
+        dpd_action = start
+      }
+    }
+    version = 2
+    mobike = no
+    reauth_time = 10800
+    proposals = aes256-sha256-ecp384
+  }
+}
+
+secrets {
+  ike-1 {
+    id-local = {{ .Env.VPN_LOCAL_PEER }}
+    id-remote = {{ .Env.VPN_REMOTE_PEER }}
+    secret = "123456"
+  }
+}
diff --git a/examples/reconnect/right/periodic.sh b/examples/reconnect/right/periodic.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+while true; do
+  echo "starting vpn"
+  supervisorctl start charon
+  sleep 2
+  /usr/sbin/swanctl --load-all --noprompt
+
+  sleep 15
+
+  echo "stopping vpn"
+  supervisorctl stop charon
+  sleep 120
+
+done
diff --git a/examples/reconnect/right/supervisord.conf b/examples/reconnect/right/supervisord.conf
@@ -0,0 +1,20 @@
+[supervisorctl]
+serverurl=unix:///var/run/supervisor.sock
+
+[include]
+files=/supervisord-base.conf
+
+[program:charon]
+command=/prefix-log /usr/sbin/charon-systemd
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+autostart=false
+
+[program:periodic]
+command="/config/periodic.sh"
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
diff --git a/examples/reconnect/right/swanctl.conf b/examples/reconnect/right/swanctl.conf
@@ -0,0 +1,43 @@
+connections {
+  gw-gw {
+    local_addrs  = {{ .Env.IP }},{{ .Env.VPN_LOCAL_PEER }}
+    remote_addrs = {{ .Env.VPN_REMOTE_PEER }}
+
+    local {
+      auth = psk
+      id = {{ .Env.VPN_LOCAL_PEER }}
+    }
+    remote {
+      auth = psk
+      id = {{ .Env.VPN_REMOTE_PEER }}
+    }
+    children {
+      net-net-0 {
+        local_ts = {{ .Env.VPN_LOCAL_NETWORK }}/32
+        remote_ts = {{ .Env.VPN_REMOTE_NETWORK }}/32
+        updown = /usr/libexec/ipsec/_updown iptables
+
+        rekey_time = 5400
+        rekey_bytes = 500000000
+        rekey_packets = 1000000
+        esp_proposals = aes256-sha256-ecp384
+
+        start_action = none
+        close_action = none
+        dpd_action = none
+      }
+    }
+    version = 2
+    mobike = no
+    reauth_time = 10800
+    proposals = aes256-sha256-ecp384
+  }
+}
+
+secrets {
+  ike-1 {
+    id-local = {{ .Env.VPN_LOCAL_PEER }}
+    id-remote = {{ .Env.VPN_REMOTE_PEER }}
+    secret = "123456"
+  }
+}
diff --git a/strongswan/server.js → examples/simple/left/server.js b/strongswan/server.js → examples/simple/left/server.js
@@ -1,20 +1,12 @@
 const http = require('http');
 
-const requestListener = function (req, res) {
-  res.writeHead(200);
-  res.end('Hello from ' + process.env.VPN_LOCAL_PEER + "\n");
-}
-
-const server = http.createServer(requestListener);
-server.listen(8080);
-
 async function startTemporary(time) {
   const requestListener = function (req, res) {
     res.writeHead(200);
     res.end('Temporary hello from ' + process.env.VPN_LOCAL_PEER + "\n");
   }
   const server = http.createServer(requestListener);
-  const startedServer = server.listen(8090);
+  const startedServer = server.listen(8080);
   console.log("Started server")
   await new Promise(a => setTimeout(a, time))
   startedServer.close()

diff --git a/examples/simple/left/supervisord.conf b/examples/simple/left/supervisord.conf
@@ -0,0 +1,32 @@
+[supervisorctl]
+serverurl=unix:///var/run/supervisor.sock
+
+[include]
+files=/supervisord-base.conf /supervisord-strong-duckling-restarter.conf
+
+[program:charon]
+command=/prefix-log /usr/sbin/charon-systemd
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+
+[program:http-server]
+command=/prefix-log node /server.js
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+
+[program:strong-duckling]
+command=/prefix-log /strong-duckling --listen :8000 --tcp-checker {{ .Env.VPN_REMOTE_NETWORK }}:8080 --vici-socket /var/run/charon.vici
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+
+[program:initialize-script]
+command=bash -c "sleep 2; /usr/sbin/swanctl --load-all --noprompt"
+startsecs=0
+autorestart=false
+startretries=1
diff --git a/examples/simple/left/swanctl.conf b/examples/simple/left/swanctl.conf
@@ -0,0 +1,43 @@
+connections {
+  gw-gw {
+    local_addrs  = {{ .Env.IP }},{{ .Env.VPN_LOCAL_PEER }}
+    remote_addrs = {{ .Env.VPN_REMOTE_PEER }}
+
+    local {
+      auth = psk
+      id = {{ .Env.VPN_LOCAL_PEER }}
+    }
+    remote {
+      auth = psk
+      id = {{ .Env.VPN_REMOTE_PEER }}
+    }
+    children {
+      net-net-0 {
+        local_ts = {{ .Env.VPN_LOCAL_NETWORK }}/32
+        remote_ts = {{ .Env.VPN_REMOTE_NETWORK }}/32
+        updown = /usr/libexec/ipsec/_updown iptables
+
+        rekey_time = 5400
+        rekey_bytes = 500000000
+        rekey_packets = 1000000
+        esp_proposals = aes256-sha256-ecp384
+
+        start_action = start
+        close_action = start
+        dpd_action = start
+      }
+    }
+    version = 2
+    mobike = no
+    reauth_time = 10800
+    proposals = aes256-sha256-ecp384
+  }
+}
+
+secrets {
+  ike-1 {
+    id-local = {{ .Env.VPN_LOCAL_PEER }}
+    id-remote = {{ .Env.VPN_REMOTE_PEER }}
+    secret = "123456"
+  }
+}
diff --git a/examples/simple/right/server.js b/examples/simple/right/server.js
@@ -0,0 +1,9 @@
+const http = require('http');
+
+const requestListener = function (req, res) {
+  res.writeHead(200);
+  res.end('Hello from ' + process.env.VPN_LOCAL_PEER + "\n");
+}
+
+const server = http.createServer(requestListener);
+server.listen(8080);
diff --git a/examples/simple/right/supervisord.conf b/examples/simple/right/supervisord.conf
@@ -0,0 +1,32 @@
+[supervisorctl]
+serverurl=unix:///var/run/supervisor.sock
+
+[include]
+files=/supervisord-base.conf /supervisord-strong-duckling-restarter.conf
+
+[program:charon]
+command=/prefix-log /usr/sbin/charon-systemd
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+
+[program:http-server]
+command=/prefix-log node /server.js
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+
+[program:strong-duckling]
+command=/prefix-log /strong-duckling --listen :8000 --tcp-checker {{ .Env.VPN_REMOTE_NETWORK }}:8080 --vici-socket /var/run/charon.vici
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
+
+[program:initialize-script]
+command=bash -c "sleep 2; /usr/sbin/swanctl --load-all --noprompt"
+startsecs=0
+autorestart=false
+startretries=1
diff --git a/examples/simple/right/swanctl.conf b/examples/simple/right/swanctl.conf
@@ -0,0 +1,43 @@
+connections {
+  gw-gw {
+    local_addrs  = {{ .Env.IP }},{{ .Env.VPN_LOCAL_PEER }}
+    remote_addrs = {{ .Env.VPN_REMOTE_PEER }}
+
+    local {
+      auth = psk
+      id = {{ .Env.VPN_LOCAL_PEER }}
+    }
+    remote {
+      auth = psk
+      id = {{ .Env.VPN_REMOTE_PEER }}
+    }
+    children {
+      net-net-0 {
+        local_ts = {{ .Env.VPN_LOCAL_NETWORK }}/32
+        remote_ts = {{ .Env.VPN_REMOTE_NETWORK }}/32
+        updown = /usr/libexec/ipsec/_updown iptables
+
+        rekey_time = 5400
+        rekey_bytes = 500000000
+        rekey_packets = 1000000
+        esp_proposals = aes256-sha256-ecp384
+
+        start_action = none
+        close_action = none
+        dpd_action = none
+      }
+    }
+    version = 2
+    mobike = no
+    reauth_time = 10800
+    proposals = aes256-sha256-ecp384
+  }
+}
+
+secrets {
+  ike-1 {
+    id-local = {{ .Env.VPN_LOCAL_PEER }}
+    id-remote = {{ .Env.VPN_REMOTE_PEER }}
+    secret = "123456"
+  }
+}