Created rocky-strongswan docker image

strongX509 · strongX509 · commit d03b20b291b2 · 2022-07-29T08:15:39.000+02:00
diff --git a/rocky-strongswan/Dockerfile b/rocky-strongswan/Dockerfile
@@ -0,0 +1,9 @@
+FROM rockylinux
+MAINTAINER Andreas Steffen <andreas.steffen@strongswan.org>
+
+RUN \
+  # install packages
+  dnf install -y epel-release && \
+  dnf makecache --refresh && dnf install -y strongswan
+  # Expose IKE and NAT-T ports
+EXPOSE 500 4500
diff --git a/rocky-strongswan/caKey.pem b/rocky-strongswan/caKey.pem
@@ -0,0 +1,6 @@
+-----BEGIN EC PRIVATE KEY-----
+MIGkAgEBBDAjNX0721bMFzAxAkJBDgi0rZS42Z2f+ioWQL2gdVke1+/vuI6pvOs0
+ozsASY+GmOigBwYFK4EEACKhZANiAARpFOA0dr+prcP+aO8ev8Kvh/bQoeIbOVqs
+BeecOQNSdPv9gShYECiFiokU4565RzV2wiFdAU39VUs/4bJ/SlK7bvY3HuMDcjAR
+FXXZbtxXbdg1QlWk1alja3rVRaId6Hg=
+-----END EC PRIVATE KEY-----
diff --git a/rocky-strongswan/client/ecdsa/clientKey.pem b/rocky-strongswan/client/ecdsa/clientKey.pem
@@ -0,0 +1,6 @@
+-----BEGIN EC PRIVATE KEY-----
+MIGkAgEBBDDkLe1KrVgC0FpshMBfagyVtPQ3kIemzZ3wXimPc0OTAIIV17nwul7b
+CPIuyJtn44ygBwYFK4EEACKhZANiAARRunfdxuvDneKS/OyDNhsHFBL+m1uT6tcK
+9NjMMvdKS7p2wm3ZQs5QXcVAVpIW6PSPiX/WTtlxJBHujg8T/lvs7UCIAT0co+ON
+SENyrHzaTj3k8MMX/+fGoP4QY46UMNQ=
+-----END EC PRIVATE KEY-----
diff --git a/rocky-strongswan/client/swanctl.conf b/rocky-strongswan/client/swanctl.conf
@@ -0,0 +1,29 @@
+connections {
+
+   home {
+      remote_addrs = 192.168.0.2
+
+      local {
+         auth = pubkey
+         certs = clientCert.pem
+         id = client.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = server.strongswan.org
+      }
+      children {
+         net {
+            remote_ts = 10.1.0.0/16
+
+            esp_proposals = aes256gcm128-ecp384
+            rekey_time = 10m
+         }
+      }
+      version = 2
+      proposals = aes256-sha256-ecp384
+      reauth_time = 15m
+      mobike = no
+   }
+}
+
diff --git a/rocky-strongswan/client/x509/clientCert.pem b/rocky-strongswan/client/x509/clientCert.pem
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB/zCCAYWgAwIBAgIIBIWcaj4wj10wCgYIKoZIzj0EAwMwNTELMAkGA1UEBhMC
+Q0gxDjAMBgNVBAoTBUN5YmVyMRYwFAYDVQQDEw1DeWJlciBSb290IENBMB4XDTIy
+MDcyMTAzMDQwNVoXDTI2MDcyMTAzMDQwNVowPTELMAkGA1UEBhMCQ0gxDjAMBgNV
+BAoTBUN5YmVyMR4wHAYDVQQDExVjbGllbnQuc3Ryb25nc3dhbi5vcmcwdjAQBgcq
+hkjOPQIBBgUrgQQAIgNiAARRunfdxuvDneKS/OyDNhsHFBL+m1uT6tcK9NjMMvdK
+S7p2wm3ZQs5QXcVAVpIW6PSPiX/WTtlxJBHujg8T/lvs7UCIAT0co+ONSENyrHza
+Tj3k8MMX/+fGoP4QY46UMNSjWjBYMB8GA1UdIwQYMBaAFLjSYIqHz0jucV3YUSAj
+WsGq5feyMCAGA1UdEQQZMBeCFWNsaWVudC5zdHJvbmdzd2FuLm9yZzATBgNVHSUE
+DDAKBggrBgEFBQcDAjAKBggqhkjOPQQDAwNoADBlAjAMwc04NsXsXTY3JD41qyTs
++K1zoozk66ifF60ESPaSL9YkWUkEe2eilg9vCKbfqEcCMQC/eCrNK03KPUV2CujQ
+Mr5TkJAVyIW/hhsajGLEL2IVSwL7eNeZrTzsUJrP6bByrpk=
+-----END CERTIFICATE-----
diff --git a/rocky-strongswan/client/x509ca/caCert.pem b/rocky-strongswan/client/x509ca/caCert.pem
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB3zCCAWWgAwIBAgIIWWpjqeLZ9K8wCgYIKoZIzj0EAwMwNTELMAkGA1UEBhMC
+Q0gxDjAMBgNVBAoTBUN5YmVyMRYwFAYDVQQDEw1DeWJlciBSb290IENBMB4XDTIw
+MDMwOTEyMDIwOVoXDTMwMDMwOTEyMDIwOVowNTELMAkGA1UEBhMCQ0gxDjAMBgNV
+BAoTBUN5YmVyMRYwFAYDVQQDEw1DeWJlciBSb290IENBMHYwEAYHKoZIzj0CAQYF
+K4EEACIDYgAEaRTgNHa/qa3D/mjvHr/Cr4f20KHiGzlarAXnnDkDUnT7/YEoWBAo
+hYqJFOOeuUc1dsIhXQFN/VVLP+Gyf0pSu272Nx7jA3IwERV12W7cV23YNUJVpNWp
+Y2t61UWiHeh4o0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAd
+BgNVHQ4EFgQUuNJgiofPSO5xXdhRICNawarl97IwCgYIKoZIzj0EAwMDaAAwZQIw
+PR1T8MHS+aV9qSueIE9QfPRgEVyvuaz2g4q7DN51SUfypjYoAX+B6BqiR7vfgY2Y
+AjEA65R8XZy0N6LEYgAEPPbQSyCdJudoa4MwidaomSwwgiVDePN356onk/lhURmE
+QBaZ
+-----END CERTIFICATE-----
diff --git a/rocky-strongswan/docker-compose.yml b/rocky-strongswan/docker-compose.yml
@@ -0,0 +1,49 @@
+version: "3"
+
+services:
+  vpn-server:
+    image: strongx509/rocky-linux:latest
+    container_name: vpn-server
+    cap_add:
+      - NET_ADMIN
+      - SYS_ADMIN
+      - SYS_MODULE
+    stdin_open: true
+    tty: true
+    volumes:
+      - ./server:/etc/strongswan/swanctl
+      - ./strongswan.conf:/etc/strongswan/strongswan.conf
+    networks:
+      internet:
+         ipv4_address: 192.168.0.2
+      intranet:
+         ipv4_address: 10.1.0.2
+  vpn-client:
+    image: strongx509/rocky-linux:latest
+    container_name: vpn-client
+    depends_on:
+      - vpn-server
+    cap_add:
+      - NET_ADMIN
+      - SYS_ADMIN
+      - SYS_MODULE
+    stdin_open: true
+    tty: true
+    volumes:
+      - ./client:/etc/strongswan/swanctl
+      - ./strongswan.conf:/etc/strongswan/strongswan.conf
+    networks:
+      internet:
+         ipv4_address: 192.168.0.3
+
+networks:
+  internet:
+    ipam:
+      driver: default 
+      config:
+        - subnet: 192.168.0.0/24
+  intranet:
+     ipam:
+        driver: default
+        config:
+          - subnet: 10.1.0.0/16 
diff --git a/rocky-strongswan/scripts/gen_certs.sh b/rocky-strongswan/scripts/gen_certs.sh
@@ -0,0 +1,21 @@
+pki --gen --type ecdsa --size 384 --outform pem > caKey.pem
+
+pki --self --type ecdsa --in caKey.pem --ca --lifetime 3652 \
+    --dn "C=CH, O=Cyber, CN=Cyber Root CA"                  \
+    --outform pem > caCert.pem
+
+pki --gen --type ecdsa --size 384 --outform pem > serverKey.pem
+
+pki --issue --cacert caCert.pem --cakey caKey.pem   \
+    --type ecdsa --in serverKey.pem --lifetime 1461 \
+    --dn "C=CH, O=Cyber, CN=server.strongswan.org"  \
+    --san server.strongswan.org --flag serverAuth   \
+    --outform pem > serverCert.pem
+
+pki --gen --type ecdsa --size 384 --outform pem > clientKey.pem
+
+pki --issue --cacert caCert.pem --cakey caKey.pem    \
+     --type ecdsa --in clientKey.pem --lifetime 1461 \
+     --dn "C=CH, O=Cyber, CN=client.strongswan.org"  \
+     --san client.strongswan.org --flag clientAuth   \
+     --outform pem > clientCert.pem
diff --git a/rocky-strongswan/scripts/gen_dirs.sh b/rocky-strongswan/scripts/gen_dirs.sh
@@ -0,0 +1,8 @@
+#! /bin/sh
+
+for dir in client server
+do
+  cd $dir
+  mkdir -p bliss pkcs12 pkcs8 private pubkey rsa x509aa x509ac x509crl x509ocsp
+  cd ..
+done
diff --git a/rocky-strongswan/scripts/renew_certs.sh b/rocky-strongswan/scripts/renew_certs.sh
@@ -0,0 +1,15 @@
+pki --gen --type ecdsa --size 384 --outform pem > serverKey.pem
+
+pki --issue --cacert caCert.pem --cakey caKey.pem   \
+    --type ecdsa --in serverKey.pem --lifetime 1461 \
+    --dn "C=CH, O=Cyber, CN=server.strongswan.org"  \
+    --san server.strongswan.org --flag serverAuth   \
+    --outform pem > serverCert.pem
+
+pki --gen --type ecdsa --size 384 --outform pem > clientKey.pem
+
+pki --issue --cacert caCert.pem --cakey caKey.pem    \
+     --type ecdsa --in clientKey.pem --lifetime 1461 \
+     --dn "C=CH, O=Cyber, CN=client.strongswan.org"  \
+     --san client.strongswan.org --flag clientAuth   \
+     --outform pem > clientCert.pem
diff --git a/rocky-strongswan/server/ecdsa/serverKey.pem b/rocky-strongswan/server/ecdsa/serverKey.pem
@@ -0,0 +1,6 @@
+-----BEGIN EC PRIVATE KEY-----
+MIGkAgEBBDDpohH7Pq5abXcTYtfa8Y1bEv2JWjGVnzZnkbcXbas2ZlB5bf43vxJ2
+8FP4XmLVkySgBwYFK4EEACKhZANiAAQSeu5884G2ZeQMK60f8mLyFrqn3I8hFxtu
+BhdsX+YGh24cimdOaLwQIGlNHgqusKcBnhOolAfe1YhOqZ8PjRctaopintt1qarF
+A3WGboXMT3MiclUhERdudlk9ATNeg1E=
+-----END EC PRIVATE KEY-----
diff --git a/rocky-strongswan/server/swanctl.conf b/rocky-strongswan/server/swanctl.conf
@@ -0,0 +1,29 @@
+connections {
+
+rw {
+      local {
+         auth = pubkey
+         certs = serverCert.pem
+         id = server.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         cacerts = caCert.pem
+      }
+      children {
+         net {
+            local_ts = 10.1.0.0/24
+
+            esp_proposals = aes256gcm128-ecp384
+            rekey_time = 10m
+            dpd_action = trap
+         }
+      }
+      version = 2
+      proposals = aes256-sha256-ecp384
+      reauth_time = 15m
+      dpd_delay = 60s
+      mobike = no
+   }
+}
+
diff --git a/rocky-strongswan/server/x509/serverCert.pem b/rocky-strongswan/server/x509/serverCert.pem
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB/jCCAYWgAwIBAgIIcU8jP3aAjFgwCgYIKoZIzj0EAwMwNTELMAkGA1UEBhMC
+Q0gxDjAMBgNVBAoTBUN5YmVyMRYwFAYDVQQDEw1DeWJlciBSb290IENBMB4XDTIy
+MDcyMTAzMDQwNVoXDTI2MDcyMTAzMDQwNVowPTELMAkGA1UEBhMCQ0gxDjAMBgNV
+BAoTBUN5YmVyMR4wHAYDVQQDExVzZXJ2ZXIuc3Ryb25nc3dhbi5vcmcwdjAQBgcq
+hkjOPQIBBgUrgQQAIgNiAAQSeu5884G2ZeQMK60f8mLyFrqn3I8hFxtuBhdsX+YG
+h24cimdOaLwQIGlNHgqusKcBnhOolAfe1YhOqZ8PjRctaopintt1qarFA3WGboXM
+T3MiclUhERdudlk9ATNeg1GjWjBYMB8GA1UdIwQYMBaAFLjSYIqHz0jucV3YUSAj
+WsGq5feyMCAGA1UdEQQZMBeCFXNlcnZlci5zdHJvbmdzd2FuLm9yZzATBgNVHSUE
+DDAKBggrBgEFBQcDATAKBggqhkjOPQQDAwNnADBkAjA0x/9mckjUi2FbNBr/+U9F
+Ko6+2E11e6Bj9fc6aiwmblLdUrO5UfcC3HciHlHI7NQCMEgevkGwceM9XFebtP4A
+5ER/60lvkoJ1L5rvU7S91F07rMRB49iadEUb7JqqOaFxeQ==
+-----END CERTIFICATE-----
diff --git a/rocky-strongswan/server/x509ca/caCert.pem b/rocky-strongswan/server/x509ca/caCert.pem
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB3zCCAWWgAwIBAgIIWWpjqeLZ9K8wCgYIKoZIzj0EAwMwNTELMAkGA1UEBhMC
+Q0gxDjAMBgNVBAoTBUN5YmVyMRYwFAYDVQQDEw1DeWJlciBSb290IENBMB4XDTIw
+MDMwOTEyMDIwOVoXDTMwMDMwOTEyMDIwOVowNTELMAkGA1UEBhMCQ0gxDjAMBgNV
+BAoTBUN5YmVyMRYwFAYDVQQDEw1DeWJlciBSb290IENBMHYwEAYHKoZIzj0CAQYF
+K4EEACIDYgAEaRTgNHa/qa3D/mjvHr/Cr4f20KHiGzlarAXnnDkDUnT7/YEoWBAo
+hYqJFOOeuUc1dsIhXQFN/VVLP+Gyf0pSu272Nx7jA3IwERV12W7cV23YNUJVpNWp
+Y2t61UWiHeh4o0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAd
+BgNVHQ4EFgQUuNJgiofPSO5xXdhRICNawarl97IwCgYIKoZIzj0EAwMDaAAwZQIw
+PR1T8MHS+aV9qSueIE9QfPRgEVyvuaz2g4q7DN51SUfypjYoAX+B6BqiR7vfgY2Y
+AjEA65R8XZy0N6LEYgAEPPbQSyCdJudoa4MwidaomSwwgiVDePN356onk/lhURmE
+QBaZ
+-----END CERTIFICATE-----
diff --git a/rocky-strongswan/strongswan.conf b/rocky-strongswan/strongswan.conf
@@ -0,0 +1,16 @@
+# strongSwan configuration file
+
+charon {
+   load = random nonce pem x509 openssl constraints pki socket-default kernel-netlink vici swanctl resolve
+   
+   start-scripts {
+      creds = swanctl --load-creds
+      conns = swanctl --load-conns
+   }
+   filelog {
+      stderr {
+         default = 1
+      }
+   }
+   # make_before_break = yes
+}  
