summaryrefslogtreecommitdiff
path: root/testing/tests/ikev1/wlan
diff options
context:
space:
mode:
authorRene Mayrhofer <rene@mayrhofer.eu.org>2007-04-12 20:41:31 +0000
committerRene Mayrhofer <rene@mayrhofer.eu.org>2007-04-12 20:41:31 +0000
commit774a362e87feab25f1be16fbca08269ddc7121a4 (patch)
treecf71f4e7466468ac3edc2127125f333224a9acfb /testing/tests/ikev1/wlan
parentc54a140a445bfe7aa66721f68bb0781f26add91c (diff)
downloadvyos-strongswan-774a362e87feab25f1be16fbca08269ddc7121a4.tar.gz
vyos-strongswan-774a362e87feab25f1be16fbca08269ddc7121a4.zip
Major new upstream release, just ran svn-upgrade for now (and wrote some
debian/changelong entries).
Diffstat (limited to 'testing/tests/ikev1/wlan')
-rw-r--r--testing/tests/ikev1/wlan/description.txt15
-rw-r--r--testing/tests/ikev1/wlan/evaltest.dat11
-rwxr-xr-xtesting/tests/ikev1/wlan/hosts/alice/etc/init.d/iptables73
-rwxr-xr-xtesting/tests/ikev1/wlan/hosts/alice/etc/ipsec.conf36
-rwxr-xr-xtesting/tests/ikev1/wlan/hosts/moon/etc/init.d/iptables82
-rwxr-xr-xtesting/tests/ikev1/wlan/hosts/moon/etc/ipsec.conf36
-rwxr-xr-xtesting/tests/ikev1/wlan/hosts/venus/etc/init.d/iptables73
-rwxr-xr-xtesting/tests/ikev1/wlan/hosts/venus/etc/ipsec.conf36
-rw-r--r--testing/tests/ikev1/wlan/posttest.dat8
-rw-r--r--testing/tests/ikev1/wlan/pretest.dat11
-rw-r--r--testing/tests/ikev1/wlan/test.conf21
11 files changed, 402 insertions, 0 deletions
diff --git a/testing/tests/ikev1/wlan/description.txt b/testing/tests/ikev1/wlan/description.txt
new file mode 100644
index 000000000..e018148bd
--- /dev/null
+++ b/testing/tests/ikev1/wlan/description.txt
@@ -0,0 +1,15 @@
+The WLAN clients <b>alice</b> and <b>venus</b> secure all their wireless traffic
+by setting up an IPsec tunnel to gateway <b>moon</b>. The VPN network mask is
+<b>0.0.0.0/0</b>. Traffic with destination outside the protected 10.1.0.0/10 network
+is NAT-ed by router <b>moon</b>. The IPsec connections are tested by pings from
+<b>alice</b> to <b>venus</b> tunneled via <b>moon</b> and to both the internal
+and external interface of gateway <b>moon</b>. Access to the gateway is
+set up by <b>lefthostaccess=yes</b> in conjunction with <b>leftfirewall=yes</b>.
+At last <b>alice</b> and <b>venus</b> ping the external host <b>sun</b> via the NAT router.
+<p>
+The host system controls the UML instances <b>alice</b> and <b>carol</b> via
+ssh commands sent over the virtual <b>tap1</b> interface. In order to keep up
+the control flow in the presence of the all-encompassing 0.0.0.0/0 tunnel
+to the gateway <b>moon</b> an auxiliary <b>passthrough</b> eroute restricted
+to the ssh port is statically set up by <b>conn system</b>.
+
diff --git a/testing/tests/ikev1/wlan/evaltest.dat b/testing/tests/ikev1/wlan/evaltest.dat
new file mode 100644
index 000000000..079ac4429
--- /dev/null
+++ b/testing/tests/ikev1/wlan/evaltest.dat
@@ -0,0 +1,11 @@
+alice::ipsec status::wlan.*STATE_QUICK_I2.*IPsec SA established::YES
+venus::ipsec status::wlan.*STATE_QUICK_I2.*IPsec SA established::YES
+moon::ipsec status::alice.*STATE_QUICK_R2.*IPsec SA established::YES
+moon::ipsec status::venus.*STATE_QUICK_R2.*IPsec SA established::YES
+alice::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
+alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES
+alice::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_seq=1::YES
+alice::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_seq=1::YES
+venus::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_seq=1::YES
+moon::tcpdump::ESP::YES
+sun::tcpdump::ICMP::YES
diff --git a/testing/tests/ikev1/wlan/hosts/alice/etc/init.d/iptables b/testing/tests/ikev1/wlan/hosts/alice/etc/init.d/iptables
new file mode 100755
index 000000000..86a76e2db
--- /dev/null
+++ b/testing/tests/ikev1/wlan/hosts/alice/etc/init.d/iptables
@@ -0,0 +1,73 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+ before net
+ need logger
+}
+
+start() {
+ ebegin "Starting firewall"
+
+ # default policy is DROP
+ /sbin/iptables -P INPUT DROP
+ /sbin/iptables -P OUTPUT DROP
+ /sbin/iptables -P FORWARD DROP
+
+ # allow esp
+ iptables -A INPUT -i eth0 -p 50 -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+ # allow IKE
+ iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+ # allow crl fetch from winnetou
+ iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+ # allow ssh
+ iptables -A INPUT -p tcp --dport 22 -j ACCEPT
+ iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping firewall"
+ for a in `cat /proc/net/ip_tables_names`; do
+ /sbin/iptables -F -t $a
+ /sbin/iptables -X -t $a
+
+ if [ $a == nat ]; then
+ /sbin/iptables -t nat -P PREROUTING ACCEPT
+ /sbin/iptables -t nat -P POSTROUTING ACCEPT
+ /sbin/iptables -t nat -P OUTPUT ACCEPT
+ elif [ $a == mangle ]; then
+ /sbin/iptables -t mangle -P PREROUTING ACCEPT
+ /sbin/iptables -t mangle -P INPUT ACCEPT
+ /sbin/iptables -t mangle -P FORWARD ACCEPT
+ /sbin/iptables -t mangle -P OUTPUT ACCEPT
+ /sbin/iptables -t mangle -P POSTROUTING ACCEPT
+ elif [ $a == filter ]; then
+ /sbin/iptables -t filter -P INPUT ACCEPT
+ /sbin/iptables -t filter -P FORWARD ACCEPT
+ /sbin/iptables -t filter -P OUTPUT ACCEPT
+ fi
+ done
+ eend $?
+}
+
+reload() {
+ ebegin "Flushing firewall"
+ for a in `cat /proc/net/ip_tables_names`; do
+ /sbin/iptables -F -t $a
+ /sbin/iptables -X -t $a
+ done;
+ eend $?
+ start
+}
+
diff --git a/testing/tests/ikev1/wlan/hosts/alice/etc/ipsec.conf b/testing/tests/ikev1/wlan/hosts/alice/etc/ipsec.conf
new file mode 100755
index 000000000..665ce592f
--- /dev/null
+++ b/testing/tests/ikev1/wlan/hosts/alice/etc/ipsec.conf
@@ -0,0 +1,36 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutodebug=control
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ nat_traversal=no
+ charonstart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+
+conn system
+ left=PH_IP_ALICE
+ leftprotoport=tcp/ssh
+ leftnexthop=%direct
+ authby=never
+ type=passthrough
+ right=10.1.0.254
+ rightprotoport=tcp
+ auto=route
+
+conn wlan
+ left=PH_IP_ALICE
+ leftnexthop=%direct
+ leftcert=aliceCert.pem
+ leftid=alice@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON1
+ rightid=@moon.strongswan.org
+ rightsubnet=0.0.0.0/0
+ auto=add
+
diff --git a/testing/tests/ikev1/wlan/hosts/moon/etc/init.d/iptables b/testing/tests/ikev1/wlan/hosts/moon/etc/init.d/iptables
new file mode 100755
index 000000000..e95ef44c6
--- /dev/null
+++ b/testing/tests/ikev1/wlan/hosts/moon/etc/init.d/iptables
@@ -0,0 +1,82 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+ before net
+ need logger
+}
+
+start() {
+ ebegin "Starting firewall"
+
+ # enable IP forwarding
+ echo 1 > /proc/sys/net/ipv4/ip_forward
+
+ # default policy is DROP
+ /sbin/iptables -P INPUT DROP
+ /sbin/iptables -P OUTPUT DROP
+ /sbin/iptables -P FORWARD DROP
+
+ # allow esp
+ iptables -A INPUT -i eth1 -p 50 -j ACCEPT
+ iptables -A OUTPUT -o eth1 -p 50 -j ACCEPT
+
+ # allow IKE
+ iptables -A INPUT -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
+ iptables -A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
+
+ # allow crl fetch from winnetou
+ iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+ iptables -A FORWARD -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+ iptables -A FORWARD -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+ # allow ssh
+ iptables -A INPUT -p tcp --dport 22 -j ACCEPT
+ iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+ # enable SNAT
+ iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p icmp -j SNAT --to-source PH_IP_MOON
+ iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
+
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping firewall"
+ for a in `cat /proc/net/ip_tables_names`; do
+ /sbin/iptables -F -t $a
+ /sbin/iptables -X -t $a
+
+ if [ $a == nat ]; then
+ /sbin/iptables -t nat -P PREROUTING ACCEPT
+ /sbin/iptables -t nat -P POSTROUTING ACCEPT
+ /sbin/iptables -t nat -P OUTPUT ACCEPT
+ elif [ $a == mangle ]; then
+ /sbin/iptables -t mangle -P PREROUTING ACCEPT
+ /sbin/iptables -t mangle -P INPUT ACCEPT
+ /sbin/iptables -t mangle -P FORWARD ACCEPT
+ /sbin/iptables -t mangle -P OUTPUT ACCEPT
+ /sbin/iptables -t mangle -P POSTROUTING ACCEPT
+ elif [ $a == filter ]; then
+ /sbin/iptables -t filter -P INPUT ACCEPT
+ /sbin/iptables -t filter -P FORWARD ACCEPT
+ /sbin/iptables -t filter -P OUTPUT ACCEPT
+ fi
+ done
+ eend $?
+}
+
+reload() {
+ ebegin "Flushing firewall"
+ for a in `cat /proc/net/ip_tables_names`; do
+ /sbin/iptables -F -t $a
+ /sbin/iptables -X -t $a
+ done;
+ eend $?
+ start
+}
+
diff --git a/testing/tests/ikev1/wlan/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/wlan/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..44f980422
--- /dev/null
+++ b/testing/tests/ikev1/wlan/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,36 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutodebug=control
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ nat_traversal=no
+ charonstart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+
+conn alice
+ right=PH_IP_ALICE
+ rightid=alice@strongswan.org
+ also=wlan
+ auto=add
+
+conn venus
+ right=PH_IP_VENUS
+ rightid=@venus.strongswan.org
+ also=wlan
+ auto=add
+
+conn wlan
+ left=PH_IP_MOON1
+ leftnexthop=%direct
+ leftsubnet=0.0.0.0/0
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftfirewall=yes
+ lefthostaccess=yes
+
diff --git a/testing/tests/ikev1/wlan/hosts/venus/etc/init.d/iptables b/testing/tests/ikev1/wlan/hosts/venus/etc/init.d/iptables
new file mode 100755
index 000000000..6f95e7576
--- /dev/null
+++ b/testing/tests/ikev1/wlan/hosts/venus/etc/init.d/iptables
@@ -0,0 +1,73 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+ before net
+ need logger
+}
+
+start() {
+ ebegin "Starting firewall"
+
+ # default policy is DROP
+ /sbin/iptables -P INPUT DROP
+ /sbin/iptables -P OUTPUT DROP
+ /sbin/iptables -P FORWARD DROP
+
+ # allow esp
+ iptables -A INPUT -i eth0 -p 50 -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+ # allow IKE
+ iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+ # allow crl fetch from winnetou
+ iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+ # allow ssh
+ iptables -A INPUT -p tcp --dport 22 -j ACCEPT
+ iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping firewall"
+ for a in `cat /proc/net/ip_tables_names`; do
+ /sbin/iptables -F -t $a
+ /sbin/iptables -X -t $a
+
+ if [ $a == nat ]; then
+ /sbin/iptables -t nat -P PREROUTING ACCEPT
+ /sbin/iptables -t nat -P POSTROUTING ACCEPT
+ /sbin/iptables -t nat -P OUTPUT ACCEPT
+ elif [ $a == mangle ]; then
+ /sbin/iptables -t mangle -P PREROUTING ACCEPT
+ /sbin/iptables -t mangle -P INPUT ACCEPT
+ /sbin/iptables -t mangle -P FORWARD ACCEPT
+ /sbin/iptables -t mangle -P OUTPUT ACCEPT
+ /sbin/iptables -t mangle -P POSTROUTING ACCEPT
+ elif [ $a == filter ]; then
+ /sbin/iptables -t filter -P INPUT ACCEPT
+ /sbin/iptables -t filter -P FORWARD ACCEPT
+ /sbin/iptables -t filter -P OUTPUT ACCEPT
+ fi
+ done
+ eend $?
+}
+
+reload() {
+ ebegin "Flushing firewall"
+ for a in `cat /proc/net/ip_tables_names`; do
+ /sbin/iptables -F -t $a
+ /sbin/iptables -X -t $a
+ done;
+ eend $?
+ start
+}
+
diff --git a/testing/tests/ikev1/wlan/hosts/venus/etc/ipsec.conf b/testing/tests/ikev1/wlan/hosts/venus/etc/ipsec.conf
new file mode 100755
index 000000000..5d861548d
--- /dev/null
+++ b/testing/tests/ikev1/wlan/hosts/venus/etc/ipsec.conf
@@ -0,0 +1,36 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutodebug=control
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ nat_traversal=no
+ charonstart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+
+conn system
+ left=PH_IP_VENUS
+ leftprotoport=tcp/ssh
+ leftnexthop=%direct
+ authby=never
+ type=passthrough
+ right=10.1.0.254
+ rightprotoport=tcp
+ auto=route
+
+conn wlan
+ left=PH_IP_VENUS
+ leftnexthop=%direct
+ leftcert=venusCert.pem
+ leftid=@venus.strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON1
+ rightid=@moon.strongswan.org
+ rightsubnet=0.0.0.0/0
+ auto=add
+
diff --git a/testing/tests/ikev1/wlan/posttest.dat b/testing/tests/ikev1/wlan/posttest.dat
new file mode 100644
index 000000000..6bd2379d8
--- /dev/null
+++ b/testing/tests/ikev1/wlan/posttest.dat
@@ -0,0 +1,8 @@
+moon::iptables -t nat -v -n -L POSTROUTING
+moon::ipsec stop
+alice::ipsec stop
+venus::ipsec stop
+alice::/etc/init.d/iptables stop 2> /dev/null
+venus::/etc/init.d/iptables stop 2> /dev/null
+moon::/etc/init.d/iptables stop 2> /dev/null
+moon::conntrack -F
diff --git a/testing/tests/ikev1/wlan/pretest.dat b/testing/tests/ikev1/wlan/pretest.dat
new file mode 100644
index 000000000..de4a6ad31
--- /dev/null
+++ b/testing/tests/ikev1/wlan/pretest.dat
@@ -0,0 +1,11 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+alice::/etc/init.d/iptables start 2> /dev/null
+venus::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+alice::ipsec start
+venus::ipsec start
+alice::sleep 2
+alice::ipsec up wlan
+venus::sleep 2
+venus::ipsec up wlan
+venus::sleep 2
diff --git a/testing/tests/ikev1/wlan/test.conf b/testing/tests/ikev1/wlan/test.conf
new file mode 100644
index 000000000..b141c4f1b
--- /dev/null
+++ b/testing/tests/ikev1/wlan/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice venus moon winnetou sun"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-w-s-b.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon:eth1 sun"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="alice venus moon"