diff options
| author | Yves-Alexis Perez <corsac@debian.org> | 2013-01-02 14:18:20 +0100 |
|---|---|---|
| committer | Yves-Alexis Perez <corsac@debian.org> | 2013-01-02 14:18:20 +0100 |
| commit | c1343b3278cdf99533b7902744d15969f9d6fdc1 (patch) | |
| tree | d5ed3dc5677a59260ec41cd39bb284d3e94c91b3 /testing/tests/ikev1/alg-sha256 | |
| parent | b34738ed08c2227300d554b139e2495ca5da97d6 (diff) | |
| download | vyos-strongswan-c1343b3278cdf99533b7902744d15969f9d6fdc1.tar.gz vyos-strongswan-c1343b3278cdf99533b7902744d15969f9d6fdc1.zip | |
Imported Upstream version 5.0.1
Diffstat (limited to 'testing/tests/ikev1/alg-sha256')
| -rw-r--r-- | testing/tests/ikev1/alg-sha256/description.txt | 8 | ||||
| -rw-r--r-- | testing/tests/ikev1/alg-sha256/evaltest.dat | 19 | ||||
| -rw-r--r--[-rwxr-xr-x] | testing/tests/ikev1/alg-sha256/hosts/carol/etc/ipsec.conf | 9 | ||||
| -rw-r--r-- | testing/tests/ikev1/alg-sha256/hosts/carol/etc/strongswan.conf | 5 | ||||
| -rw-r--r--[-rwxr-xr-x] | testing/tests/ikev1/alg-sha256/hosts/moon/etc/ipsec.conf | 8 | ||||
| -rw-r--r-- | testing/tests/ikev1/alg-sha256/hosts/moon/etc/strongswan.conf | 5 | ||||
| -rw-r--r-- | testing/tests/ikev1/alg-sha256/posttest.dat | 2 | ||||
| -rw-r--r-- | testing/tests/ikev1/alg-sha256/pretest.dat | 7 | ||||
| -rw-r--r-- | testing/tests/ikev1/alg-sha256/test.conf | 1 |
9 files changed, 35 insertions, 29 deletions
diff --git a/testing/tests/ikev1/alg-sha256/description.txt b/testing/tests/ikev1/alg-sha256/description.txt index 628101921..826a8f10b 100644 --- a/testing/tests/ikev1/alg-sha256/description.txt +++ b/testing/tests/ikev1/alg-sha256/description.txt @@ -1,4 +1,4 @@ -Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the cipher suite -<b>AES_CBC_128 / HMAC_SHA2_256 / MODP_2048</b> for the IKE protocol and -<b>AES_CBC_128 / HMAC_SHA2_256</b> for ESP packets. A ping from <b>carol</b> to -<b>alice</b> successfully checks the established tunnel. +Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite +<b>AES_CBC_128 / HMAC_SHA2_256_128</b> by defining <b>esp=aes128-sha256-modp2048!</b> +in ipsec.conf. The same cipher suite is used for IKE. +A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel. diff --git a/testing/tests/ikev1/alg-sha256/evaltest.dat b/testing/tests/ikev1/alg-sha256/evaltest.dat index 00fcb8862..7b5640af8 100644 --- a/testing/tests/ikev1/alg-sha256/evaltest.dat +++ b/testing/tests/ikev1/alg-sha256/evaltest.dat @@ -1,12 +1,13 @@ -carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES -moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES -carol::ipsec statusall::IKE proposal: AES_CBC_128/HMAC_SHA2_256/MODP_2048::YES -moon::ipsec statusall::IKE proposal: AES_CBC_128/HMAC_SHA2_256/MODP_2048::YES -carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES -carol::ipsec statusall::ESP proposal: AES_CBC_128/HMAC_SHA2_256::YES -moon::ipsec statusall::ESP proposal: AES_CBC_128/HMAC_SHA2_256::YES +moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES +carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES +carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES +moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_128/HMAC_SHA2_256_128,::YES +carol::ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA2_256_128,::YES +moon:: ip xfrm state::auth hmac(sha256)::YES carol::ip xfrm state::auth hmac(sha256)::YES -moon::ip xfrm state::auth hmac(sha256)::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 200::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 200::YES - diff --git a/testing/tests/ikev1/alg-sha256/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/alg-sha256/hosts/carol/etc/ipsec.conf index 66476b83e..73e25710b 100755..100644 --- a/testing/tests/ikev1/alg-sha256/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/alg-sha256/hosts/carol/etc/ipsec.conf @@ -1,10 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug="control crypt" - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no conn %default ikelifetime=60m @@ -13,13 +9,14 @@ conn %default keyingtries=1 keyexchange=ikev1 ike=aes128-sha256-modp2048! - esp=aes128-sha256! + esp=aes128-sha256-modp2048! conn home left=PH_IP_CAROL + leftfirewall=yes leftcert=carolCert.pem leftid=carol@strongswan.org right=PH_IP_MOON rightsubnet=10.1.0.0/16 rightid=@moon.strongswan.org - auto=add + auto=add diff --git a/testing/tests/ikev1/alg-sha256/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/alg-sha256/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..dc937641c --- /dev/null +++ b/testing/tests/ikev1/alg-sha256/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ikev1/alg-sha256/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/alg-sha256/hosts/moon/etc/ipsec.conf index 2b97ff4f3..0a6f48e69 100755..100644 --- a/testing/tests/ikev1/alg-sha256/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/alg-sha256/hosts/moon/etc/ipsec.conf @@ -1,10 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug="control crypt" - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no conn %default ikelifetime=60m @@ -13,13 +9,13 @@ conn %default keyingtries=1 keyexchange=ikev1 ike=aes128-sha256-modp2048! - esp=aes128-sha256! + esp=aes128-sha256-modp2048! conn rw left=PH_IP_MOON + leftfirewall=yes leftcert=moonCert.pem leftid=@moon.strongswan.org leftsubnet=10.1.0.0/16 right=%any - rightid=carol@strongswan.org auto=add diff --git a/testing/tests/ikev1/alg-sha256/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/alg-sha256/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..dc937641c --- /dev/null +++ b/testing/tests/ikev1/alg-sha256/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ikev1/alg-sha256/posttest.dat b/testing/tests/ikev1/alg-sha256/posttest.dat index c6d6235f9..94a400606 100644 --- a/testing/tests/ikev1/alg-sha256/posttest.dat +++ b/testing/tests/ikev1/alg-sha256/posttest.dat @@ -1,2 +1,4 @@ moon::ipsec stop carol::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev1/alg-sha256/pretest.dat b/testing/tests/ikev1/alg-sha256/pretest.dat index 7d077c126..f360351e1 100644 --- a/testing/tests/ikev1/alg-sha256/pretest.dat +++ b/testing/tests/ikev1/alg-sha256/pretest.dat @@ -1,5 +1,6 @@ -moon::echo 1 > /proc/sys/net/ipv4/ip_forward -carol::ipsec start +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null moon::ipsec start -carol::sleep 2 +carol::ipsec start +carol::sleep 1 carol::ipsec up home diff --git a/testing/tests/ikev1/alg-sha256/test.conf b/testing/tests/ikev1/alg-sha256/test.conf index 6abbb89a9..9cd583b16 100644 --- a/testing/tests/ikev1/alg-sha256/test.conf +++ b/testing/tests/ikev1/alg-sha256/test.conf @@ -19,4 +19,3 @@ TCPDUMPHOSTS="moon" # Used for IPsec logging purposes # IPSECHOSTS="moon carol" - |