# strongswan-gmalg-merge

**Repository Path**: abldg/strongswan-gmalg-merge

## Basic Information

- **Project Name**: strongswan-gmalg-merge
- **Description**: This version needs to be built together with openssl-1.1.1w
- **Primary Language**: Unknown
- **License**: GPL-2.0
- **Default Branch**: master
- **Homepage**: None
- **GVP Project**: No

## Statistics

- **Stars**: 0
- **Forks**: 1
- **Created**: 2025-02-17
- **Last Updated**: 2025-07-07

## Categories & Tags

**Categories**: Uncategorized
**Tags**: None

## README

# Strongswan with GM algorithm integration #

## Acknowledgement ##

Most of the GM algorithm code and the integration changes were contributed by [Zhangke](https://github.com/zhangke5959); the code base is at [zhangke5959/strongswan](https://github.com/zhangke5959/strongswan).

Thanks also to:

- [Allen Lee](https://github.com/allen0228) and his [contribution](https://github.com/zhangke5959/strongswan/issues/11#issuecomment-764075441)
- [Lin Chen](https://github.com/lynchen) and his commits [40eefd8](https://github.com/lynchen/strongswan-gmalg/commit/40eefd800a1347e8c475a637a1cf9ffe4521114f), [214cb34e](https://github.com/lynchen/strongswan-gmalg/commit/214cb34e7033c6e43e7dea25ff5bacee7a014148)

In this repo, we merged the integration changes into the [strongswan master branch](https://github.com/strongswan/strongswan) and fixed some code bugs reported by the compiler, so that the GM algorithms can be integrated with the latest [strongswan](https://github.com/strongswan/strongswan) release.

You may also refer to the original `strongswan` [README](https://github.com/strongswan/strongswan) if needed.

## Build essential ##

For a successful build, the following build environment is required:

- For Debian/Ubuntu

```bash
apt install build-essential autoconf libtool pkg-config gettext perl python flex bison gperf libgmp-dev libssl-dev
```

## Build & Install ##

Currently, strongswan with the Chinese SM2/SM3/SM4 algorithms is neither officially supported by the maintainer nor widely tested. To avoid conflicts with an official binary installation, we suggest installing strongswan-gmalg in a dedicated directory:

```bash
./autogen.sh
./build.sh linux /opt/ss-gmalg
```

The build & install steps shall be executed on both the server and the client platform (if required).

## Prepare the certificate ##

According to the *`GB/T 36968-2018`* requirement, the peers shall be identified by SM2 certificates during IKE negotiation.

```bash
cd /opt/ss-gmalg

# CA private key
bin/pki --gen --type sm2 --outform pem > etc/swanctl/private/ca.key.pem

# Self-signed CA certificate
bin/pki --self --in etc/swanctl/private/ca.key.pem --type sm2 --digest sm3 \
    --dn "C=Country, O=Company Name, CN=Unit Name" --ca --lifetime 3650 \
    --outform pem > etc/swanctl/x509ca/ca.cert.pem

# VPN server private key
bin/pki --gen --type sm2 --outform pem > etc/swanctl/private/server.key.pem

# VPN server public key
# Not sure whether the public key is used or not
bin/pki --pub --type sm2 --in etc/swanctl/private/server.key.pem \
    --outform pem > etc/swanctl/pubkey/server.pub.key.pem

# VPN server certificate: create a PKCS#10 request and have the CA issue it
bin/pki --req --in etc/swanctl/private/server.key.pem --type sm2 \
    --dn "C=Country, O=Company Name, CN=Unit Name" --digest sm3 --outform pem |
  bin/pki --issue --type pkcs10 --digest sm3 --lifetime 1200 \
    --cacert etc/swanctl/x509ca/ca.cert.pem --cakey etc/swanctl/private/ca.key.pem \
    --flag serverAuth --flag ikeIntermediate --outform pem \
    --san="Alt name for server" > etc/swanctl/x509/server.cert.pem

# Client private key and certificate
# [For testing purposes only; the client private key shall be generated by the client itself]
bin/pki --gen --type sm2 --outform pem > /tmp/client.key.pem
bin/pki --req --in /tmp/client.key.pem --type sm2 \
    --dn "C=Country, O=Company Name, CN=End Entity Name" --digest sm3 --outform pem |
  bin/pki --issue --type pkcs10 --digest sm3 --lifetime 1200 \
    --cacert etc/swanctl/x509ca/ca.cert.pem --cakey etc/swanctl/private/ca.key.pem \
    --outform pem --san="Alt name for end entity" > /tmp/client.cert.pem
```

## Test & Run ##

1. Prepare the certificate for the Client or End Entity

   Copy the key and certificate generated by the preceding procedure, `/tmp/client.key.pem` and `/tmp/client.cert.pem`, to the client's strongswan installation directory, into `./etc/swanctl/private/` and `./etc/swanctl/x509/` respectively.

   Copy the CA certificate from the server, `/opt/ss-gmalg/etc/swanctl/x509ca/ca.cert.pem`, into the client's CA directory, e.g. `./etc/swanctl/x509ca/ca.cert.pem`.

   **NOTE** **`.`** stands for the installation dir

2. Start the charon daemon on both server and client

   ```bash
   libexec/ipsec/charon > /var/log/charon.log 2>&1 &
   ```

3. Prepare the connection configuration

   - Network structure

     Set up between the two gateways:

     ```
     10.0.0.0/24 -- | server.wanip | === | client.lanip | -- 172.26.48.0/20
      server-lan        server               client           client-lan
     ```

     In this scenario we assume two security gateways, **server** and **client**, which connect the two subnets _server-lan_ and _client-lan_ with each other through a VPN tunnel, and the client is **behind a NAT network**. The server also has a `server.lanip`, which belongs to `10.0.0.0/24`.

   - On server side

     Edit `/opt/ss-gmalg/etc/swanctl/conf.d/server.conf` and add the following:

     ```
     connections {
         gw-ent1 {
             proposals = sm4cbc-sm3-sm2dh
             local {
                 auth = pubkey
                 id = "Alt name for server"
                 certs = server.cert.pem
             }
             remote {
                 auth = pubkey
                 id = "Alt name for end entity"
             }
             children {
                 gw-ent1 {
                     local_ts = 10.0.0.0/24
                     remote_ts = 172.26.48.0/20
                     esp_proposals = sm4cbc-sm3-sm2dh
                     updown = /opt/ss-gmalg/libexec/ipsec/_updown iptables
                 }
             }
         }
     }
     ```

   - On client side

     Edit `/opt/ss-gmalg/etc/swanctl/conf.d/client.conf` and add the following:

     ```
     connections {
         gw-ent1 {
             proposals = sm4cbc-sm3-sm2dh
             remote_addrs = your.server.wan.ip
             local {
                 auth = pubkey
                 id = "Alt name for end entity"
                 certs = client.cert.pem
             }
             remote {
                 auth = pubkey
                 id = "Alt name for server"
             }
             children {
                 gw-ent1 {
                     remote_ts = 10.0.0.0/24
                     local_ts = 172.26.48.0/20
                     esp_proposals = sm4cbc-sm3-sm2dh
                     updown = /opt/ss-gmalg/libexec/ipsec/_updown iptables
                 }
             }
         }
     }
     ```

   **Note:** `/opt/ss-gmalg` shall be replaced by the actual installation path

4. Load the server connection config and inspect the log

   - Try

     ```bash
     /opt/ss-gmalg/sbin/swanctl --load-all --clear
     ```

   - Success output

     ```bash
     loaded certificate from '/opt/ss-gmalg/etc/swanctl/x509/server.cert.pem'
     loaded certificate from '/opt/ss-gmalg/etc/swanctl/x509ca/ca.cert.pem'
     loaded certificate from '/opt/ss-gmalg/etc/swanctl/pubkey/server.pub.key.pem'
     loaded SM2 key from '/opt/ss-gmalg/etc/swanctl/private/ca.key.pem'
     loaded SM2 key from '/opt/ss-gmalg/etc/swanctl/private/server.key.pem'
     no authorities found, 0 unloaded
     no pools found, 0 unloaded
     loaded connection 'gw-ent1'
     successfully loaded 1 connections, 0 unloaded
     ```

   - Inspect logs

     ```bash
     /opt/ss-gmalg/sbin/swanctl -T
     ```

5. Load the client connection config and initiate the connection

   - Try

     ```bash
     /opt/ss-gmalg/sbin/swanctl --load-all --clear
     ```

   - Success output

     ```bash
     loaded certificate from '/opt/ss-gmalg/etc/swanctl/x509/client.cert.pem'
     loaded certificate from '/opt/ss-gmalg/etc/swanctl/x509ca/ca.cert.pem'
     loaded SM2 key from '/opt/ss-gmalg/etc/swanctl/private/client.key.pem'
     no authorities found, 0 unloaded
     no pools found, 0 unloaded
     loaded connection 'gw-ent1'
     successfully loaded 1 connections, 0 unloaded
     ```

   - Try

     ```bash
     /opt/ss-gmalg/sbin/swanctl -i --child gw-ent1
     ```

   - Client success output

     ```log
     [IKE] initiating IKE_SA gw-ent1[17] to your.server.wan.ip
     [ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
     [NET] sending packet: from your.client.lan.ip[500] to your.server.wan.ip[500] (274 bytes)
     [NET] received packet: from your.server.wan.ip[500] to your.client.lan.ip[500] (307 bytes)
     [ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
     [CFG] selected proposal: IKE:SM4_CBC_128/HMAC_SM3/PRF_HMAC_SM3/CURVE_SM2
     [IKE] local host is behind NAT, sending keep alives
     [IKE] remote host is behind NAT
     [IKE] received cert request for "C=Country, O=Company Name, CN=End Entity Name"
     [IKE] sending cert request for "C=Country, O=Company Name, CN=Unit Name"
     [IKE] sending cert request for "C=cn, O=haoyuanee, CN=VPN CA"
     [IKE] authentication of 'Alt name for end entity' (myself) with SM2_WITH_SM3 successful
     [IKE] sending end entity cert "C=Country, O=Company Name, CN=End Entity Name"
     [IKE] establishing CHILD_SA gw-ent1{29}
     [ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
     [NET] sending packet: from your.client.lan.ip[4500] to your.server.wan.ip[4500] (864 bytes)
     [NET] received packet: from your.server.wan.ip[4500] to your.client.lan.ip[4500] (816 bytes)
     [ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
     [IKE] received end entity cert "C=Country, O=Company Name, CN=Unit Name"
     [CFG] using certificate "C=Country, O=Company Name, CN=Unit Name"
     [CFG] using trusted ca certificate "C=Country, O=Company Name, CN=Unit Name"
     [CFG] checking certificate status of "C=Country, O=Company Name, CN=Unit Name"
     [CFG] certificate status is not available
     [CFG] reached self-signed root ca with a path length of 0
     [IKE] authentication of 'Alt name for server' with SM2_WITH_SM3 successful
     [IKE] IKE_SA gw-ent1[17] established between your.client.lan.ip[Alt name for end entity]...your.server.wan.ip[Alt name for server]
     [IKE] scheduling rekeying in 13655s
     [IKE] maximum IKE_SA lifetime 15095s
     [CFG] selected proposal: ESP:SM4_CBC_128/HMAC_SM3/NO_EXT_SEQ
     [IKE] CHILD_SA gw-ent1{29} established with SPIs e59b16ff_i 4a46d97b_o and TS 172.26.48.0/20 === 10.0.0.0/24
     initiate completed successfully
     ```

   - Log expected on the server side

     ```
     11[NET] received packet: from your.client.wan.ip[2712] to you.actual.server.lanip[500] (274 bytes)
     11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
     11[IKE] your.client.wan.ip is initiating an IKE_SA
     11[CFG] selected proposal: IKE:SM4_CBC_128/HMAC_SM3/PRF_HMAC_SM3/CURVE_SM2
     11[IKE] local host is behind NAT, sending keep alives
     11[IKE] remote host is behind NAT
     11[IKE] sending cert request for "C=Country, O=Company Name, CN=Unit Name"
     11[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
     11[NET] sending packet: from you.actual.server.lanip[500] to your.client.wan.ip[2712] (307 bytes)
     09[NET] received packet: from your.client.wan.ip[3016] to you.actual.server.lanip[4500] (864 bytes)
     09[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
     09[IKE] received cert request for "C=Country, O=Company Name, CN=Unit Name"
     09[IKE] received cert request for "C=Country, O=Company Name, CN=Unit Name"
     09[IKE] received end entity cert "C=Country, O=Company Name, CN=End Entity Name"
     09[CFG] looking for peer configs matching you.actual.server.lanip[Alt name for server]...your.client.wan.ip[Alt name for end entity]
     09[CFG] selected peer config 'gw-ent1'
     09[CFG] using certificate "C=Country, O=Company Name, CN=End Entity Name"
     09[CFG] using trusted ca certificate "C=Country, O=Company Name, CN=Unit Name"
     09[CFG] checking certificate status of "C=Country, O=Company Name, CN=End Entity Name"
     09[CFG] certificate status is not available
     09[CFG] reached self-signed root ca with a path length of 0
     09[IKE] authentication of 'Alt name for end entity' with SM2_WITH_SM3 successful
     09[IKE] peer supports MOBIKE
     09[IKE] authentication of 'Alt name for server' (myself) with SM2_WITH_SM3 successful
     09[IKE] IKE_SA gw-ent1[5] established between you.actual.server.lanip[Alt name for server]...your.client.wan.ip[Alt name for end entity]
     09[IKE] scheduling rekeying in 12989s
     09[IKE] maximum IKE_SA lifetime 14429s
     09[IKE] sending end entity cert "C=Country, O=Company Name, CN=Unit Name"
     09[CFG] selected proposal: ESP:SM4_CBC_128/HMAC_SM3/NO_EXT_SEQ
     09[IKE] CHILD_SA gw-ent1{11} established with SPIs 4a46d97b_i e59b16ff_o and TS 10.0.0.0/24 === 172.26.48.0/20
     09[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
     09[NET] sending packet: from you.actual.server.lanip[4500] to your.client.wan.ip[3016] (816 bytes)
     14[IKE] sending keep alive to your.client.wan.ip[3016]
     12[IKE] sending keep alive to your.client.wan.ip[3016]
     ```

   - Now you may try to ping `you.actual.server.lanip` from the client side

     ```bash
     ping you.actual.server.lanip
     ```

   - Or ping `your.client.lan.ip` from the server side

     ```bash
     ping your.client.lan.ip
     ```

6. If you want to access the LAN behind the gateway, you shall add a static route on your gateway's router: route `server-lan` to `client-ip` and/or route `client-lan` to `server.lanip`
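
A check for the logs in step 5, added here as an example and not part of the original README or the strongswan-gmalg code: it confirms from a charon log that IKE and ESP both negotiated the SM4/SM3/SM2 suites and that both peers authenticated with `SM2_WITH_SM3`, and it flags the `certificate status is not available` line that appears in the logs above. The function name `audit`, the expected-suite table and the non-GM sample log are constructed for illustration.

```python
import re

# Suites the README's `sm4cbc-sm3-sm2dh` proposals negotiate, as shown in its logs.
EXPECTED = {
    "IKE": "SM4_CBC_128/HMAC_SM3/PRF_HMAC_SM3/CURVE_SM2",
    "ESP": "SM4_CBC_128/HMAC_SM3/NO_EXT_SEQ",
}
PROPOSAL = re.compile(r"\[CFG\] selected proposal: (IKE|ESP):(\S+)")
AUTH = re.compile(r"\[IKE\] authentication of '([^']+)'(?: \(myself\))? with (\S+) successful")

def audit(log_text):
    """Return (errors, warnings) for one tunnel setup recorded in a charon log."""
    errors, warnings, seen, sm2_auths = [], [], set(), 0
    for line in log_text.splitlines():
        if m := PROPOSAL.search(line):
            proto, suite = m.groups()
            seen.add(proto)
            if suite != EXPECTED[proto]:
                errors.append(f"{proto} negotiated {suite}, not {EXPECTED[proto]}")
        elif m := AUTH.search(line):
            ident, scheme = m.groups()
            if scheme == "SM2_WITH_SM3":
                sm2_auths += 1
            else:
                errors.append(f"'{ident}' authenticated with {scheme}, not SM2_WITH_SM3")
        elif "certificate status is not available" in line:
            warnings.append("no CRL/OCSP status available for peer certificate")
    errors += [f"no {p} proposal was selected" for p in EXPECTED if p not in seen]
    if sm2_auths < 2:
        errors.append(f"only {sm2_auths} of 2 peers authenticated with SM2_WITH_SM3")
    return errors, warnings

# Constructed samples: GOOD_LOG excerpts the client log above; BAD_LOG is made up.
GOOD_LOG = """\
[CFG] selected proposal: IKE:SM4_CBC_128/HMAC_SM3/PRF_HMAC_SM3/CURVE_SM2
[IKE] authentication of 'Alt name for end entity' (myself) with SM2_WITH_SM3 successful
[CFG] certificate status is not available
[IKE] authentication of 'Alt name for server' with SM2_WITH_SM3 successful
[CFG] selected proposal: ESP:SM4_CBC_128/HMAC_SM3/NO_EXT_SEQ
"""
BAD_LOG = """\
09[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
09[IKE] authentication of 'Alt name for end entity' with ECDSA_WITH_SHA256_DER successful
09[IKE] authentication of 'Alt name for server' (myself) with ECDSA_WITH_SHA256_DER successful
"""

if __name__ == "__main__":
    for name, log in (("good", GOOD_LOG), ("bad", BAD_LOG)):
        print(name, *audit(log), sep="\n  ")
```

Pass it the text of `/var/log/charon.log` from step 2, restricted to a single connection attempt, since the counters cover one tunnel setup.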