diff options
| author | Rene Mayrhofer <rene@mayrhofer.eu.org> | 2010-11-28 11:42:20 +0000 |
|---|---|---|
| committer | Rene Mayrhofer <rene@mayrhofer.eu.org> | 2010-11-28 11:42:20 +0000 |
| commit | f73fba54dc8b30c6482e1e8abf15bbf455592fcd (patch) | |
| tree | a449515607c5e51a5c703d7a9b1149c9e4a11560 /testing/tests/ikev1 | |
| parent | b8064f4099997a9e2179f3ad4ace605f5ccac3a1 (diff) | |
| download | vyos-strongswan-f73fba54dc8b30c6482e1e8abf15bbf455592fcd.tar.gz vyos-strongswan-f73fba54dc8b30c6482e1e8abf15bbf455592fcd.zip | |
[svn-upgrade] new version strongswan (4.5.0)
Diffstat (limited to 'testing/tests/ikev1')
303 files changed, 2337 insertions, 111 deletions
diff --git a/testing/tests/ikev1/after-2038-certs/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/after-2038-certs/hosts/carol/etc/ipsec.conf index d55638907..528e3f1b3 100755 --- a/testing/tests/ikev1/after-2038-certs/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/after-2038-certs/hosts/carol/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 conn home left=PH_IP_CAROL diff --git a/testing/tests/ikev1/after-2038-certs/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/after-2038-certs/hosts/moon/etc/ipsec.conf index 94517ecbe..991ae4368 100755 --- a/testing/tests/ikev1/after-2038-certs/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/after-2038-certs/hosts/moon/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 conn rw left=PH_IP_MOON diff --git a/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/ipsec.conf index 3517077f9..57394c27a 100755 --- a/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 ike=blowfish256-sha2_512-modp4096! esp=blowfish256-sha2_512! diff --git a/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/strongswan.conf index 28dd532b3..4dbdc67b3 100644 --- a/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = sha1 sha2 md5 aes des blowfish hmac pem pkcs1 x509 gmp random curl + load = sha1 sha2 md5 aes des blowfish hmac pem pkcs1 x509 gmp random curl kernel-netlink } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/ipsec.conf index 1b4cca222..427c5d180 100755 --- a/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 ike=blowfish256-sha2_512-modp4096! esp=blowfish256-sha2_512! diff --git a/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/strongswan.conf index 28dd532b3..4dbdc67b3 100644 --- a/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = sha1 sha2 md5 aes des blowfish hmac pem pkcs1 x509 gmp random curl + load = sha1 sha2 md5 aes des blowfish hmac pem pkcs1 x509 gmp random curl kernel-netlink } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/ikev1/alg-blowfish/test.conf b/testing/tests/ikev1/alg-blowfish/test.conf index fd33cfb57..6abbb89a9 100644 --- a/testing/tests/ikev1/alg-blowfish/test.conf +++ b/testing/tests/ikev1/alg-blowfish/test.conf @@ -5,11 +5,11 @@ # All UML instances that are required for this test # -UMLHOSTS="moon carol winnetou" +UMLHOSTS="alice moon carol winnetou" # Corresponding block diagram # -DIAGRAM="m-c-w.png" +DIAGRAM="a-m-c-w.png" # UML instances on which tcpdump is to be started # diff --git a/testing/tests/ikev1/alg-sha256-96/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/alg-sha256-96/hosts/carol/etc/ipsec.conf index 2611115cd..2d6f87b17 100755 --- a/testing/tests/ikev1/alg-sha256-96/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/alg-sha256-96/hosts/carol/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 ike=aes128-sha256-modp2048! esp=aes128-sha256_96! diff --git a/testing/tests/ikev1/alg-sha256-96/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/alg-sha256-96/hosts/moon/etc/ipsec.conf index 758c7a29a..b2a686db0 100755 --- a/testing/tests/ikev1/alg-sha256-96/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/alg-sha256-96/hosts/moon/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 ike=aes128-sha256-modp2048! esp=aes128-sha256_96! diff --git a/testing/tests/ikev1/alg-sha256-96/test.conf b/testing/tests/ikev1/alg-sha256-96/test.conf index fd33cfb57..6abbb89a9 100644 --- a/testing/tests/ikev1/alg-sha256-96/test.conf +++ b/testing/tests/ikev1/alg-sha256-96/test.conf @@ -5,11 +5,11 @@ # All UML instances that are required for this test # -UMLHOSTS="moon carol winnetou" +UMLHOSTS="alice moon carol winnetou" # Corresponding block diagram # -DIAGRAM="m-c-w.png" +DIAGRAM="a-m-c-w.png" # UML instances on which tcpdump is to be started # diff --git a/testing/tests/ikev1/alg-sha256/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/alg-sha256/hosts/carol/etc/ipsec.conf index 0e1db6fbe..66476b83e 100755 --- a/testing/tests/ikev1/alg-sha256/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/alg-sha256/hosts/carol/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 ike=aes128-sha256-modp2048! esp=aes128-sha256! diff --git a/testing/tests/ikev1/alg-sha256/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/alg-sha256/hosts/moon/etc/ipsec.conf index 584ffda19..2b97ff4f3 100755 --- a/testing/tests/ikev1/alg-sha256/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/alg-sha256/hosts/moon/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 ike=aes128-sha256-modp2048! esp=aes128-sha256! diff --git a/testing/tests/ikev1/alg-sha256/test.conf b/testing/tests/ikev1/alg-sha256/test.conf index fd33cfb57..6abbb89a9 100644 --- a/testing/tests/ikev1/alg-sha256/test.conf +++ b/testing/tests/ikev1/alg-sha256/test.conf @@ -5,11 +5,11 @@ # All UML instances that are required for this test # -UMLHOSTS="moon carol winnetou" +UMLHOSTS="alice moon carol winnetou" # Corresponding block diagram # -DIAGRAM="m-c-w.png" +DIAGRAM="a-m-c-w.png" # UML instances on which tcpdump is to be started # diff --git a/testing/tests/ikev1/alg-sha384/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/alg-sha384/hosts/carol/etc/ipsec.conf index c60c6615c..42df1dccd 100755 --- a/testing/tests/ikev1/alg-sha384/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/alg-sha384/hosts/carol/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 ike=aes192-sha384-modp3072! esp=aes192-sha384! diff --git a/testing/tests/ikev1/alg-sha384/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/alg-sha384/hosts/moon/etc/ipsec.conf index 2d361b38a..a75d370aa 100755 --- a/testing/tests/ikev1/alg-sha384/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/alg-sha384/hosts/moon/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 ike=aes192-sha384-modp3072! esp=aes192-sha384! diff --git a/testing/tests/ikev1/alg-sha384/test.conf b/testing/tests/ikev1/alg-sha384/test.conf index fd33cfb57..6abbb89a9 100644 --- a/testing/tests/ikev1/alg-sha384/test.conf +++ b/testing/tests/ikev1/alg-sha384/test.conf @@ -5,11 +5,11 @@ # All UML instances that are required for this test # -UMLHOSTS="moon carol winnetou" +UMLHOSTS="alice moon carol winnetou" # Corresponding block diagram # -DIAGRAM="m-c-w.png" +DIAGRAM="a-m-c-w.png" # UML instances on which tcpdump is to be started # diff --git a/testing/tests/ikev1/alg-sha512/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/alg-sha512/hosts/carol/etc/ipsec.conf index 6bd3ac8c7..329de395c 100755 --- a/testing/tests/ikev1/alg-sha512/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/alg-sha512/hosts/carol/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 ike=aes256-sha512-modp4096! esp=aes256-sha512! diff --git a/testing/tests/ikev1/alg-sha512/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/alg-sha512/hosts/moon/etc/ipsec.conf index a28269155..8da459a8a 100755 --- a/testing/tests/ikev1/alg-sha512/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/alg-sha512/hosts/moon/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 ike=aes256-sha512-modp4096! esp=aes256-sha512! diff --git a/testing/tests/ikev1/alg-sha512/test.conf b/testing/tests/ikev1/alg-sha512/test.conf index fd33cfb57..6abbb89a9 100644 --- a/testing/tests/ikev1/alg-sha512/test.conf +++ b/testing/tests/ikev1/alg-sha512/test.conf @@ -5,11 +5,11 @@ # All UML instances that are required for this test # -UMLHOSTS="moon carol winnetou" +UMLHOSTS="alice moon carol winnetou" # Corresponding block diagram # -DIAGRAM="m-c-w.png" +DIAGRAM="a-m-c-w.png" # UML instances on which tcpdump is to be started # diff --git a/testing/tests/ikev1/attr-cert/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/attr-cert/hosts/carol/etc/ipsec.conf index cdd6929ff..a84b3a6b2 100755 --- a/testing/tests/ikev1/attr-cert/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/attr-cert/hosts/carol/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 left=PH_IP_CAROL leftcert=carolCert.pem leftid=carol@strongswan.org diff --git a/testing/tests/ikev1/attr-cert/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/attr-cert/hosts/dave/etc/ipsec.conf index 285dc7234..ce3903596 100755 --- a/testing/tests/ikev1/attr-cert/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev1/attr-cert/hosts/dave/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 left=PH_IP_DAVE leftcert=daveCert.pem leftid=dave@strongswan.org diff --git a/testing/tests/ikev1/attr-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/attr-cert/hosts/moon/etc/ipsec.conf index a0250f597..11cf4d5d1 100755 --- a/testing/tests/ikev1/attr-cert/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/attr-cert/hosts/moon/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 left=PH_IP_MOON leftcert=moonCert.pem leftid=@moon.strongswan.org diff --git a/testing/tests/ikev1/attr-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/attr-cert/hosts/moon/etc/strongswan.conf index 53d719d9d..1a47aeb7d 100644 --- a/testing/tests/ikev1/attr-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev1/attr-cert/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink } openac { diff --git a/testing/tests/ikev1/compress/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/compress/hosts/carol/etc/ipsec.conf index 45118094b..f5050fef1 100755 --- a/testing/tests/ikev1/compress/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/compress/hosts/carol/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 compress=yes conn home diff --git a/testing/tests/ikev1/compress/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/compress/hosts/moon/etc/ipsec.conf index a370ca458..aaf13f5fc 100755 --- a/testing/tests/ikev1/compress/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/compress/hosts/moon/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 compress=yes conn rw diff --git a/testing/tests/ikev1/compress/test.conf b/testing/tests/ikev1/compress/test.conf index fd33cfb57..6abbb89a9 100644 --- a/testing/tests/ikev1/compress/test.conf +++ b/testing/tests/ikev1/compress/test.conf @@ -5,11 +5,11 @@ # All UML instances that are required for this test # -UMLHOSTS="moon carol winnetou" +UMLHOSTS="alice moon carol winnetou" # Corresponding block diagram # -DIAGRAM="m-c-w.png" +DIAGRAM="a-m-c-w.png" # UML instances on which tcpdump is to be started # diff --git a/testing/tests/ikev1/crl-from-cache/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/crl-from-cache/hosts/carol/etc/ipsec.conf index 98e7df65f..bb1879b1d 100755 --- a/testing/tests/ikev1/crl-from-cache/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/crl-from-cache/hosts/carol/etc/ipsec.conf @@ -12,6 +12,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 left=PH_IP_CAROL leftcert=carolCert.pem leftid=carol@strongswan.org diff --git a/testing/tests/ikev1/crl-from-cache/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/crl-from-cache/hosts/moon/etc/ipsec.conf index 25906e890..ec0bc2e88 100755 --- a/testing/tests/ikev1/crl-from-cache/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/crl-from-cache/hosts/moon/etc/ipsec.conf @@ -12,6 +12,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 left=PH_IP_MOON leftcert=moonCert.pem leftid=@moon.strongswan.org diff --git a/testing/tests/ikev1/crl-ldap/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/crl-ldap/hosts/carol/etc/ipsec.conf index 1bc6cf4fb..5a7668c64 100755 --- a/testing/tests/ikev1/crl-ldap/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/crl-ldap/hosts/carol/etc/ipsec.conf @@ -17,6 +17,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=2 + keyexchange=ikev1 conn home left=PH_IP_CAROL diff --git a/testing/tests/ikev1/crl-ldap/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/crl-ldap/hosts/carol/etc/strongswan.conf index 4d916ab36..71358d6c6 100644 --- a/testing/tests/ikev1/crl-ldap/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev1/crl-ldap/hosts/carol/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl ldap + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl ldap kernel-netlink } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/ikev1/crl-ldap/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/crl-ldap/hosts/moon/etc/ipsec.conf index fdfff13f0..1b80c0ddd 100755 --- a/testing/tests/ikev1/crl-ldap/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/crl-ldap/hosts/moon/etc/ipsec.conf @@ -17,6 +17,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=2 + keyexchange=ikev1 left=PH_IP_MOON leftcert=moonCert.pem leftid=@moon.strongswan.org diff --git a/testing/tests/ikev1/crl-ldap/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/crl-ldap/hosts/moon/etc/strongswan.conf index 4d916ab36..71358d6c6 100644 --- a/testing/tests/ikev1/crl-ldap/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev1/crl-ldap/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl ldap + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl ldap kernel-netlink } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.conf index e0c758e74..77f6cfcb0 100755 --- a/testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 left=PH_IP_CAROL leftcert=carolRevokedCert.pem leftid=carol@strongswan.org diff --git a/testing/tests/ikev1/crl-revoked/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/crl-revoked/hosts/moon/etc/ipsec.conf index d3603b7aa..1c011dccb 100755 --- a/testing/tests/ikev1/crl-revoked/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/crl-revoked/hosts/moon/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 left=PH_IP_MOON leftcert=moonCert.pem leftid=@moon.strongswan.org diff --git a/testing/tests/ikev1/crl-strict/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/crl-strict/hosts/carol/etc/ipsec.conf index d240302b6..b4bc2101c 100755 --- a/testing/tests/ikev1/crl-strict/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/crl-strict/hosts/carol/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 left=PH_IP_CAROL leftcert=carolCert.pem leftid=carol@strongswan.org diff --git a/testing/tests/ikev1/crl-strict/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/crl-strict/hosts/moon/etc/ipsec.conf index d3603b7aa..1c011dccb 100755 --- a/testing/tests/ikev1/crl-strict/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/crl-strict/hosts/moon/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 left=PH_IP_MOON leftcert=moonCert.pem leftid=@moon.strongswan.org diff --git a/testing/tests/ikev1/crl-to-cache/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/crl-to-cache/hosts/carol/etc/ipsec.conf index 6c2de2e1e..3fbad9070 100755 --- a/testing/tests/ikev1/crl-to-cache/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/crl-to-cache/hosts/carol/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 left=PH_IP_CAROL leftcert=carolCert.pem leftid=carol@strongswan.org diff --git a/testing/tests/ikev1/crl-to-cache/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/crl-to-cache/hosts/moon/etc/ipsec.conf index 8d07e42ba..0b9f891bd 100755 --- a/testing/tests/ikev1/crl-to-cache/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/crl-to-cache/hosts/moon/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 left=PH_IP_MOON leftcert=moonCert.pem leftid=@moon.strongswan.org diff --git a/testing/tests/ikev1/default-keys/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/default-keys/hosts/carol/etc/ipsec.conf index 307d0b6b4..4d5bff62c 100755 --- a/testing/tests/ikev1/default-keys/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/default-keys/hosts/carol/etc/ipsec.conf @@ -12,6 +12,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 conn home left=PH_IP_CAROL diff --git a/testing/tests/ikev1/default-keys/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/default-keys/hosts/carol/etc/strongswan.conf index 737117cc9..e589a9425 100644 --- a/testing/tests/ikev1/default-keys/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev1/default-keys/hosts/carol/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink } scepclient { diff --git a/testing/tests/ikev1/default-keys/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/default-keys/hosts/moon/etc/ipsec.conf index ce7afbaf3..dd7ae0b20 100755 --- a/testing/tests/ikev1/default-keys/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/default-keys/hosts/moon/etc/ipsec.conf @@ -12,6 +12,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 conn carol left=PH_IP_MOON diff --git a/testing/tests/ikev1/default-keys/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/default-keys/hosts/moon/etc/strongswan.conf index 737117cc9..e589a9425 100644 --- a/testing/tests/ikev1/default-keys/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev1/default-keys/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink } scepclient { diff --git a/testing/tests/ikev1/double-nat-net/hosts/alice/etc/ipsec.conf b/testing/tests/ikev1/double-nat-net/hosts/alice/etc/ipsec.conf index 5c0763734..caad279bb 100755 --- a/testing/tests/ikev1/double-nat-net/hosts/alice/etc/ipsec.conf +++ b/testing/tests/ikev1/double-nat-net/hosts/alice/etc/ipsec.conf @@ -12,6 +12,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 conn nat-t left=%defaultroute diff --git a/testing/tests/ikev1/double-nat-net/hosts/bob/etc/ipsec.conf b/testing/tests/ikev1/double-nat-net/hosts/bob/etc/ipsec.conf index e79b2ca35..32d2ab0f6 100755 --- a/testing/tests/ikev1/double-nat-net/hosts/bob/etc/ipsec.conf +++ b/testing/tests/ikev1/double-nat-net/hosts/bob/etc/ipsec.conf @@ -12,6 +12,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 conn nat-t left=%defaultroute diff --git a/testing/tests/ikev1/double-nat/hosts/alice/etc/ipsec.conf b/testing/tests/ikev1/double-nat/hosts/alice/etc/ipsec.conf index 3533c3f8b..7de7a951e 100755 --- a/testing/tests/ikev1/double-nat/hosts/alice/etc/ipsec.conf +++ b/testing/tests/ikev1/double-nat/hosts/alice/etc/ipsec.conf @@ -12,6 +12,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 conn nat-t left=%defaultroute diff --git a/testing/tests/ikev1/dpd-clear/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/dpd-clear/hosts/moon/etc/ipsec.conf index a50275d98..34490a13a 100755 --- a/testing/tests/ikev1/dpd-clear/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/dpd-clear/hosts/moon/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 dpdaction=clear dpddelay=10 dpdtimeout=30 diff --git a/testing/tests/ikev1/dpd-restart/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/dpd-restart/hosts/carol/etc/ipsec.conf index e6938e79a..3c0b0bf15 100755 --- a/testing/tests/ikev1/dpd-restart/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/dpd-restart/hosts/carol/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 conn moon left=%defaultroute diff --git a/testing/tests/ikev1/dpd-restart/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/dpd-restart/hosts/moon/etc/ipsec.conf index ae9b35e97..9f1aded0f 100755 --- a/testing/tests/ikev1/dpd-restart/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/dpd-restart/hosts/moon/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 dpdaction=restart dpddelay=5 dpdtimeout=25 diff --git a/testing/tests/ikev1/dynamic-initiator/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/dynamic-initiator/hosts/carol/etc/ipsec.conf index d8b885a88..acf503f8e 100755 --- a/testing/tests/ikev1/dynamic-initiator/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/dynamic-initiator/hosts/carol/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 conn moon left=%defaultroute diff --git a/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/ipsec.conf index d8b885a88..acf503f8e 100755 --- a/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 conn moon left=%defaultroute diff --git a/testing/tests/ikev1/dynamic-initiator/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/dynamic-initiator/hosts/moon/etc/ipsec.conf index bf39d7527..ee28eebf3 100755 --- a/testing/tests/ikev1/dynamic-initiator/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/dynamic-initiator/hosts/moon/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 left=%defaultroute leftnexthop=%direct leftsubnet=10.1.0.0/16 diff --git a/testing/tests/ikev1/dynamic-responder/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/dynamic-responder/hosts/carol/etc/ipsec.conf index d8b885a88..acf503f8e 100755 --- a/testing/tests/ikev1/dynamic-responder/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/dynamic-responder/hosts/carol/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 conn moon left=%defaultroute diff --git a/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/ipsec.conf index d8b885a88..acf503f8e 100755 --- a/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 conn moon left=%defaultroute diff --git a/testing/tests/ikev1/dynamic-responder/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/dynamic-responder/hosts/moon/etc/ipsec.conf index bf39d7527..ee28eebf3 100755 --- a/testing/tests/ikev1/dynamic-responder/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/dynamic-responder/hosts/moon/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 left=%defaultroute leftnexthop=%direct leftsubnet=10.1.0.0/16 diff --git a/testing/tests/ikev1/dynamic-two-peers/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/dynamic-two-peers/hosts/carol/etc/ipsec.conf index 1f964d0de..0f37e6188 100755 --- a/testing/tests/ikev1/dynamic-two-peers/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/dynamic-two-peers/hosts/carol/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 conn moon left=%defaultroute diff --git a/testing/tests/ikev1/dynamic-two-peers/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/dynamic-two-peers/hosts/dave/etc/ipsec.conf index c098ffd90..ec35eac9a 100755 --- a/testing/tests/ikev1/dynamic-two-peers/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev1/dynamic-two-peers/hosts/dave/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 conn moon left=%defaultroute diff --git a/testing/tests/ikev1/dynamic-two-peers/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/dynamic-two-peers/hosts/moon/etc/ipsec.conf index 45ec8094b..21848bc1c 100755 --- a/testing/tests/ikev1/dynamic-two-peers/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/dynamic-two-peers/hosts/moon/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 left=%defaultroute leftnexthop=%direct leftsubnet=10.1.0.0/16 diff --git a/testing/tests/ikev1/esp-ah-transport/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-ah-transport/hosts/carol/etc/ipsec.conf index 6af3a88ac..299b6a831 100755 --- a/testing/tests/ikev1/esp-ah-transport/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/esp-ah-transport/hosts/carol/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 auth=ah ike=aes128-sha esp=aes128-sha1 diff --git a/testing/tests/ikev1/esp-ah-transport/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-ah-transport/hosts/moon/etc/ipsec.conf index e1bc08ee4..45ada023f 100755 --- a/testing/tests/ikev1/esp-ah-transport/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/esp-ah-transport/hosts/moon/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 auth=ah ike=aes128-sha esp=aes128-sha1 diff --git a/testing/tests/ikev1/esp-ah-tunnel/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-ah-tunnel/hosts/carol/etc/ipsec.conf index 8a9f033f1..168e5d2a8 100755 --- a/testing/tests/ikev1/esp-ah-tunnel/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/esp-ah-tunnel/hosts/carol/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 auth=ah ike=aes128-sha esp=aes128-sha1 diff --git a/testing/tests/ikev1/esp-ah-tunnel/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-ah-tunnel/hosts/moon/etc/ipsec.conf index fb0e59d86..b89d8e861 100755 --- a/testing/tests/ikev1/esp-ah-tunnel/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/esp-ah-tunnel/hosts/moon/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 auth=ah ike=aes128-sha esp=aes128-sha1 diff --git a/testing/tests/ikev1/esp-ah-tunnel/test.conf b/testing/tests/ikev1/esp-ah-tunnel/test.conf index fd33cfb57..6abbb89a9 100644 --- a/testing/tests/ikev1/esp-ah-tunnel/test.conf +++ b/testing/tests/ikev1/esp-ah-tunnel/test.conf @@ -5,11 +5,11 @@ # All UML instances that are required for this test # -UMLHOSTS="moon carol winnetou" +UMLHOSTS="alice moon carol winnetou" # Corresponding block diagram # -DIAGRAM="m-c-w.png" +DIAGRAM="a-m-c-w.png" # UML instances on which tcpdump is to be started # diff --git a/testing/tests/ikev1/esp-alg-aes-ccm/test.conf b/testing/tests/ikev1/esp-alg-aes-ccm/test.conf index acb73b06f..9cd583b16 100644 --- a/testing/tests/ikev1/esp-alg-aes-ccm/test.conf +++ b/testing/tests/ikev1/esp-alg-aes-ccm/test.conf @@ -5,11 +5,11 @@ # All UML instances that are required for this test # -UMLHOSTS="moon carol winnetou" +UMLHOSTS="alice moon carol winnetou" # Corresponding block diagram # -DIAGRAM="m-c-w.png" +DIAGRAM="a-m-c-w.png" # UML instances on which tcpdump is to be started # diff --git a/testing/tests/ikev1/esp-alg-aes-ctr/test.conf b/testing/tests/ikev1/esp-alg-aes-ctr/test.conf index acb73b06f..9cd583b16 100644 --- a/testing/tests/ikev1/esp-alg-aes-ctr/test.conf +++ b/testing/tests/ikev1/esp-alg-aes-ctr/test.conf @@ -5,11 +5,11 @@ # All UML instances that are required for this test # -UMLHOSTS="moon carol winnetou" +UMLHOSTS="alice moon carol winnetou" # Corresponding block diagram # -DIAGRAM="m-c-w.png" +DIAGRAM="a-m-c-w.png" # UML instances on which tcpdump is to be started # diff --git a/testing/tests/ikev1/esp-alg-aes-gcm/test.conf b/testing/tests/ikev1/esp-alg-aes-gcm/test.conf index acb73b06f..9cd583b16 100644 --- a/testing/tests/ikev1/esp-alg-aes-gcm/test.conf +++ b/testing/tests/ikev1/esp-alg-aes-gcm/test.conf @@ -5,11 +5,11 @@ # All UML instances that are required for this test # -UMLHOSTS="moon carol winnetou" +UMLHOSTS="alice moon carol winnetou" # Corresponding block diagram # -DIAGRAM="m-c-w.png" +DIAGRAM="a-m-c-w.png" # UML instances on which tcpdump is to be started # diff --git a/testing/tests/ikev1/esp-alg-aes-gmac/test.conf b/testing/tests/ikev1/esp-alg-aes-gmac/test.conf index acb73b06f..9cd583b16 100644 --- a/testing/tests/ikev1/esp-alg-aes-gmac/test.conf +++ b/testing/tests/ikev1/esp-alg-aes-gmac/test.conf @@ -5,11 +5,11 @@ # All UML instances that are required for this test # -UMLHOSTS="moon carol winnetou" +UMLHOSTS="alice moon carol winnetou" # Corresponding block diagram # -DIAGRAM="m-c-w.png" +DIAGRAM="a-m-c-w.png" # UML instances on which tcpdump is to be started # diff --git a/testing/tests/ikev1/esp-alg-aesxcbc/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aesxcbc/hosts/carol/etc/ipsec.conf index ed905d05f..75ce0fbbe 100755 --- a/testing/tests/ikev1/esp-alg-aesxcbc/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/esp-alg-aesxcbc/hosts/carol/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 ike=aes256-sha2_256-modp2048! esp=aes256-aesxcbc! diff --git a/testing/tests/ikev1/esp-alg-aesxcbc/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aesxcbc/hosts/moon/etc/ipsec.conf index f1b7ff56d..c2e0a6dde 100755 --- a/testing/tests/ikev1/esp-alg-aesxcbc/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/esp-alg-aesxcbc/hosts/moon/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 ike=aes256-sha2_256-modp2048! esp=aes256-aesxcbc! diff --git a/testing/tests/ikev1/esp-alg-aesxcbc/test.conf b/testing/tests/ikev1/esp-alg-aesxcbc/test.conf index fd33cfb57..6abbb89a9 100644 --- a/testing/tests/ikev1/esp-alg-aesxcbc/test.conf +++ b/testing/tests/ikev1/esp-alg-aesxcbc/test.conf @@ -5,11 +5,11 @@ # All UML instances that are required for this test # -UMLHOSTS="moon carol winnetou" +UMLHOSTS="alice moon carol winnetou" # Corresponding block diagram # -DIAGRAM="m-c-w.png" +DIAGRAM="a-m-c-w.png" # UML instances on which tcpdump is to be started # diff --git a/testing/tests/ikev1/esp-alg-des/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-des/hosts/carol/etc/ipsec.conf index feeef7901..a5715a7f1 100755 --- a/testing/tests/ikev1/esp-alg-des/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/esp-alg-des/hosts/carol/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 ike=3des-md5-modp1024! esp=des-md5! diff --git a/testing/tests/ikev1/esp-alg-des/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-des/hosts/moon/etc/ipsec.conf index be4c9aced..0329a533d 100755 --- a/testing/tests/ikev1/esp-alg-des/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/esp-alg-des/hosts/moon/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 ike=3des-md5-modp1024! esp=des-md5! diff --git a/testing/tests/ikev1/esp-alg-des/test.conf b/testing/tests/ikev1/esp-alg-des/test.conf index fd33cfb57..6abbb89a9 100644 --- a/testing/tests/ikev1/esp-alg-des/test.conf +++ b/testing/tests/ikev1/esp-alg-des/test.conf @@ -5,11 +5,11 @@ # All UML instances that are required for this test # -UMLHOSTS="moon carol winnetou" +UMLHOSTS="alice moon carol winnetou" # Corresponding block diagram # -DIAGRAM="m-c-w.png" +DIAGRAM="a-m-c-w.png" # UML instances on which tcpdump is to be started # diff --git a/testing/tests/ikev1/esp-alg-null/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-null/hosts/carol/etc/ipsec.conf index 3c9fdbb71..fe76579ac 100755 --- a/testing/tests/ikev1/esp-alg-null/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/esp-alg-null/hosts/carol/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 ike=aes-sha1 esp=null-sha1! diff --git a/testing/tests/ikev1/esp-alg-null/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-null/hosts/moon/etc/ipsec.conf index 62f17df49..b768b8ee4 100755 --- a/testing/tests/ikev1/esp-alg-null/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/esp-alg-null/hosts/moon/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 ike=aes-sha1! esp=null-sha1! diff --git a/testing/tests/ikev1/esp-alg-null/test.conf b/testing/tests/ikev1/esp-alg-null/test.conf index fd33cfb57..6abbb89a9 100644 --- a/testing/tests/ikev1/esp-alg-null/test.conf +++ b/testing/tests/ikev1/esp-alg-null/test.conf @@ -5,11 +5,11 @@ # All UML instances that are required for this test # -UMLHOSTS="moon carol winnetou" +UMLHOSTS="alice moon carol winnetou" # Corresponding block diagram # -DIAGRAM="m-c-w.png" +DIAGRAM="a-m-c-w.png" # UML instances on which tcpdump is to be started # diff --git a/testing/tests/ikev1/esp-alg-strict-fail/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-strict-fail/hosts/carol/etc/ipsec.conf index 21997940b..46a619016 100755 --- a/testing/tests/ikev1/esp-alg-strict-fail/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/esp-alg-strict-fail/hosts/carol/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 ike=3des-sha1 esp=3des-sha1 diff --git a/testing/tests/ikev1/esp-alg-strict-fail/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-strict-fail/hosts/moon/etc/ipsec.conf index 14f58ccc3..86a15c96d 100755 --- a/testing/tests/ikev1/esp-alg-strict-fail/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/esp-alg-strict-fail/hosts/moon/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 ike=aes128-sha1 esp=aes128-sha1! diff --git a/testing/tests/ikev1/esp-alg-strict/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-strict/hosts/carol/etc/ipsec.conf index 7e2de30cd..052541b21 100755 --- a/testing/tests/ikev1/esp-alg-strict/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/esp-alg-strict/hosts/carol/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 ike=3des-sha,aes128-sha1 esp=3des-sha1,aes128-sha1 diff --git a/testing/tests/ikev1/esp-alg-strict/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-strict/hosts/moon/etc/ipsec.conf index 14f58ccc3..86a15c96d 100755 --- a/testing/tests/ikev1/esp-alg-strict/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/esp-alg-strict/hosts/moon/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 ike=aes128-sha1 esp=aes128-sha1! diff --git a/testing/tests/ikev1/esp-alg-weak/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-weak/hosts/carol/etc/ipsec.conf index feeef7901..a5715a7f1 100755 --- a/testing/tests/ikev1/esp-alg-weak/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/esp-alg-weak/hosts/carol/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 ike=3des-md5-modp1024! esp=des-md5! diff --git a/testing/tests/ikev1/esp-alg-weak/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-weak/hosts/moon/etc/ipsec.conf index 147d8ffaa..e5fed2f06 100755 --- a/testing/tests/ikev1/esp-alg-weak/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/esp-alg-weak/hosts/moon/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 conn rw left=PH_IP_MOON diff --git a/testing/tests/ikev1/host2host-swapped/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/host2host-swapped/hosts/moon/etc/ipsec.conf index b984b8d14..95739fe51 100755 --- a/testing/tests/ikev1/host2host-swapped/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/host2host-swapped/hosts/moon/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 conn host-host right=PH_IP_MOON diff --git a/testing/tests/ikev1/host2host-swapped/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/host2host-swapped/hosts/sun/etc/ipsec.conf index bb409adcc..a0d600a6f 100755 --- a/testing/tests/ikev1/host2host-swapped/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ikev1/host2host-swapped/hosts/sun/etc/ipsec.conf @@ -12,6 +12,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 conn host-host right=PH_IP_SUN diff --git a/testing/tests/ikev1/host2host-transport/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/host2host-transport/hosts/moon/etc/ipsec.conf index 49c84d894..b56189c6c 100755 --- a/testing/tests/ikev1/host2host-transport/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/host2host-transport/hosts/moon/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 conn host-host left=PH_IP_MOON diff --git a/testing/tests/ikev1/host2host-transport/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/host2host-transport/hosts/sun/etc/ipsec.conf index e517b39cd..1f2ade20b 100755 --- a/testing/tests/ikev1/host2host-transport/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ikev1/host2host-transport/hosts/sun/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 conn host-host left=PH_IP_SUN diff --git a/testing/tests/ikev1/ike-alg-strict-fail/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/ike-alg-strict-fail/hosts/carol/etc/ipsec.conf index 63ad1c01d..d75a7022e 100755 --- a/testing/tests/ikev1/ike-alg-strict-fail/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/ike-alg-strict-fail/hosts/carol/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 ike=3des-sha1 esp=3des-sha1 diff --git a/testing/tests/ikev1/ike-alg-strict-fail/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/ike-alg-strict-fail/hosts/moon/etc/ipsec.conf index 1ea5fe7a5..460ff749c 100755 --- a/testing/tests/ikev1/ike-alg-strict-fail/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/ike-alg-strict-fail/hosts/moon/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 ike=aes128-sha1! esp=aes128-sha1 diff --git a/testing/tests/ikev1/ike-alg-strict/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/ike-alg-strict/hosts/carol/etc/ipsec.conf index 9272bdc7f..36bdc0fa4 100755 --- a/testing/tests/ikev1/ike-alg-strict/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/ike-alg-strict/hosts/carol/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 ike=3des-sha1,aes128-sha1 esp=3des-sha1,aes128-sha1 conn home diff --git a/testing/tests/ikev1/ike-alg-strict/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/ike-alg-strict/hosts/moon/etc/ipsec.conf index 1ea5fe7a5..460ff749c 100755 --- a/testing/tests/ikev1/ike-alg-strict/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/ike-alg-strict/hosts/moon/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 ike=aes128-sha1! esp=aes128-sha1 diff --git a/testing/tests/ikev1/ip-pool-db-push/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/ip-pool-db-push/hosts/carol/etc/strongswan.conf index c93224ae5..56f13324a 100644 --- a/testing/tests/ikev1/ip-pool-db-push/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev1/ip-pool-db-push/hosts/carol/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve kernel-netlink } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/ikev1/ip-pool-db-push/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/ip-pool-db-push/hosts/dave/etc/strongswan.conf index c93224ae5..56f13324a 100644 --- a/testing/tests/ikev1/ip-pool-db-push/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev1/ip-pool-db-push/hosts/dave/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve kernel-netlink } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/ikev1/ip-pool-db-push/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/ip-pool-db-push/hosts/moon/etc/strongswan.conf index 90eb30a9b..630135adc 100644 --- a/testing/tests/ikev1/ip-pool-db-push/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev1/ip-pool-db-push/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl sqlite attr-sql + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl sqlite attr-sql kernel-netlink } libhydra { diff --git a/testing/tests/ikev1/ip-pool-db/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/ip-pool-db/hosts/carol/etc/strongswan.conf index c93224ae5..56f13324a 100644 --- a/testing/tests/ikev1/ip-pool-db/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev1/ip-pool-db/hosts/carol/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve kernel-netlink } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/ikev1/ip-pool-db/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/ip-pool-db/hosts/dave/etc/strongswan.conf index c93224ae5..56f13324a 100644 --- a/testing/tests/ikev1/ip-pool-db/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev1/ip-pool-db/hosts/dave/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve kernel-netlink } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/ikev1/ip-pool-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/ip-pool-db/hosts/moon/etc/strongswan.conf index 90eb30a9b..630135adc 100644 --- a/testing/tests/ikev1/ip-pool-db/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev1/ip-pool-db/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl sqlite attr-sql + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl sqlite attr-sql kernel-netlink } libhydra { diff --git a/testing/tests/ikev1/ip-pool/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/ip-pool/hosts/carol/etc/strongswan.conf index ba5dbdd1d..4c40f76cc 100644 --- a/testing/tests/ikev1/ip-pool/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev1/ip-pool/hosts/carol/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/ikev1/ip-pool/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/ip-pool/hosts/dave/etc/strongswan.conf index ba5dbdd1d..4c40f76cc 100644 --- a/testing/tests/ikev1/ip-pool/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev1/ip-pool/hosts/dave/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/ikev1/ip-pool/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/ip-pool/hosts/moon/etc/strongswan.conf index ba5dbdd1d..4c40f76cc 100644 --- a/testing/tests/ikev1/ip-pool/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev1/ip-pool/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/ikev1/ip-two-pools-mixed/hosts/alice/etc/strongswan.conf b/testing/tests/ikev1/ip-two-pools-mixed/hosts/alice/etc/strongswan.conf index ba5dbdd1d..4c40f76cc 100644 --- a/testing/tests/ikev1/ip-two-pools-mixed/hosts/alice/etc/strongswan.conf +++ b/testing/tests/ikev1/ip-two-pools-mixed/hosts/alice/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/ikev1/ip-two-pools-mixed/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/ip-two-pools-mixed/hosts/carol/etc/strongswan.conf index ba5dbdd1d..4c40f76cc 100644 --- a/testing/tests/ikev1/ip-two-pools-mixed/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev1/ip-two-pools-mixed/hosts/carol/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/ikev1/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf index 90eb30a9b..630135adc 100644 --- a/testing/tests/ikev1/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev1/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl sqlite attr-sql + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl sqlite attr-sql kernel-netlink } libhydra { diff --git a/testing/tests/ikev1/ip-two-pools/hosts/alice/etc/strongswan.conf b/testing/tests/ikev1/ip-two-pools/hosts/alice/etc/strongswan.conf index ba5dbdd1d..4c40f76cc 100644 --- a/testing/tests/ikev1/ip-two-pools/hosts/alice/etc/strongswan.conf +++ b/testing/tests/ikev1/ip-two-pools/hosts/alice/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/ikev1/ip-two-pools/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/ip-two-pools/hosts/carol/etc/strongswan.conf index ba5dbdd1d..4c40f76cc 100644 --- a/testing/tests/ikev1/ip-two-pools/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev1/ip-two-pools/hosts/carol/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/ikev1/ip-two-pools/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/ip-two-pools/hosts/moon/etc/strongswan.conf index ba5dbdd1d..4c40f76cc 100644 --- a/testing/tests/ikev1/ip-two-pools/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev1/ip-two-pools/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/ikev1/mode-config-multiple/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/mode-config-multiple/hosts/carol/etc/ipsec.conf index f05916614..3d6addb62 100755 --- a/testing/tests/ikev1/mode-config-multiple/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/mode-config-multiple/hosts/carol/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 conn alice also=home diff --git a/testing/tests/ikev1/mode-config-multiple/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/mode-config-multiple/hosts/dave/etc/ipsec.conf index 44644f2af..0b93eb58f 100755 --- a/testing/tests/ikev1/mode-config-multiple/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev1/mode-config-multiple/hosts/dave/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 conn alice also=home diff --git a/testing/tests/ikev1/mode-config-multiple/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/mode-config-multiple/hosts/moon/etc/ipsec.conf index ce760a473..7f5bb812f 100755 --- a/testing/tests/ikev1/mode-config-multiple/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/mode-config-multiple/hosts/moon/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 left=192.168.0.1 leftsourceip=10.1.0.1 leftcert=moonCert.pem diff --git a/testing/tests/ikev1/mode-config-multiple/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/mode-config-multiple/hosts/moon/etc/strongswan.conf index 21493adc3..fb989daff 100644 --- a/testing/tests/ikev1/mode-config-multiple/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev1/mode-config-multiple/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl attr + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl attr kernel-netlink dns1 = PH_IP_WINNETOU dns2 = PH_IP6_VENUS } diff --git a/testing/tests/ikev1/mode-config-push/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/mode-config-push/hosts/carol/etc/ipsec.conf index 594f2c59b..64c97eb16 100755 --- a/testing/tests/ikev1/mode-config-push/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/mode-config-push/hosts/carol/etc/ipsec.conf @@ -12,6 +12,7 @@ conn %default rekeymargin=3m rekey=no keyingtries=1 + keyexchange=ikev1 conn home left=PH_IP_CAROL diff --git a/testing/tests/ikev1/mode-config-push/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/mode-config-push/hosts/carol/etc/strongswan.conf index c93224ae5..56f13324a 100644 --- a/testing/tests/ikev1/mode-config-push/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev1/mode-config-push/hosts/carol/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve kernel-netlink } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/ikev1/mode-config-push/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/mode-config-push/hosts/dave/etc/ipsec.conf index 469145fb8..ba47559a0 100755 --- a/testing/tests/ikev1/mode-config-push/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev1/mode-config-push/hosts/dave/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 conn home left=PH_IP_DAVE diff --git a/testing/tests/ikev1/mode-config-push/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/mode-config-push/hosts/dave/etc/strongswan.conf index c93224ae5..56f13324a 100644 --- a/testing/tests/ikev1/mode-config-push/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev1/mode-config-push/hosts/dave/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve kernel-netlink } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/ikev1/mode-config-push/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/mode-config-push/hosts/moon/etc/ipsec.conf index 79be57226..8b125ab80 100755 --- a/testing/tests/ikev1/mode-config-push/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/mode-config-push/hosts/moon/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 modeconfig=push left=PH_IP_MOON leftsubnet=10.1.0.0/16 diff --git a/testing/tests/ikev1/mode-config-push/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/mode-config-push/hosts/moon/etc/strongswan.conf index 797025c4d..f8d952d21 100644 --- a/testing/tests/ikev1/mode-config-push/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev1/mode-config-push/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl attr + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl attr kernel-netlink dns1 = PH_IP_WINNETOU dns2 = PH_IP_VENUS } diff --git a/testing/tests/ikev1/mode-config-swapped/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/mode-config-swapped/hosts/carol/etc/ipsec.conf index b019c5a33..4cea3d81b 100755 --- a/testing/tests/ikev1/mode-config-swapped/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/mode-config-swapped/hosts/carol/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 conn home right=PH_IP_CAROL diff --git a/testing/tests/ikev1/mode-config-swapped/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/mode-config-swapped/hosts/dave/etc/ipsec.conf index 5b38a2041..cf96ddeca 100755 --- a/testing/tests/ikev1/mode-config-swapped/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev1/mode-config-swapped/hosts/dave/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 conn home right=PH_IP_DAVE diff --git a/testing/tests/ikev1/mode-config-swapped/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/mode-config-swapped/hosts/moon/etc/ipsec.conf index 911531edb..b01f5b112 100755 --- a/testing/tests/ikev1/mode-config-swapped/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/mode-config-swapped/hosts/moon/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 right=PH_IP_MOON rightsubnet=10.1.0.0/16 rightsourceip=PH_IP_MOON1 diff --git a/testing/tests/ikev1/mode-config/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/mode-config/hosts/carol/etc/ipsec.conf index 57ec7040e..9c75434c2 100755 --- a/testing/tests/ikev1/mode-config/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/mode-config/hosts/carol/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 conn home left=PH_IP_CAROL diff --git a/testing/tests/ikev1/mode-config/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/mode-config/hosts/carol/etc/strongswan.conf index c93224ae5..56f13324a 100644 --- a/testing/tests/ikev1/mode-config/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev1/mode-config/hosts/carol/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve kernel-netlink } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/ikev1/mode-config/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/mode-config/hosts/dave/etc/ipsec.conf index 3179faa05..726998e19 100755 --- a/testing/tests/ikev1/mode-config/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev1/mode-config/hosts/dave/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 conn home left=PH_IP_DAVE diff --git a/testing/tests/ikev1/mode-config/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/mode-config/hosts/dave/etc/strongswan.conf index c93224ae5..56f13324a 100644 --- a/testing/tests/ikev1/mode-config/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev1/mode-config/hosts/dave/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve kernel-netlink } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/ikev1/mode-config/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/mode-config/hosts/moon/etc/ipsec.conf index ce26fc5e9..37278081e 100755 --- a/testing/tests/ikev1/mode-config/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/mode-config/hosts/moon/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 rekey=no left=PH_IP_MOON leftsubnet=10.1.0.0/16 diff --git a/testing/tests/ikev1/mode-config/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/mode-config/hosts/moon/etc/strongswan.conf index 797025c4d..f8d952d21 100644 --- a/testing/tests/ikev1/mode-config/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev1/mode-config/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl attr + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl attr kernel-netlink dns1 = PH_IP_WINNETOU dns2 = PH_IP_VENUS } diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/ipsec.conf index cfdc692d7..d9e5b119e 100755 --- a/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/ipsec.conf @@ -16,6 +16,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 left=PH_IP_CAROL leftcert=carolCert.pem right=PH_IP_MOON diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf index 4d916ab36..71358d6c6 100644 --- a/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl ldap + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl ldap kernel-netlink } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/ipsec.conf index fecce5efa..bf83264af 100755 --- a/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/ipsec.conf @@ -16,6 +16,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 left=PH_IP_DAVE leftcert=daveCert.pem right=PH_IP_MOON diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf index 4d916ab36..71358d6c6 100644 --- a/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl ldap + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl ldap kernel-netlink } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/ipsec.conf index 994792f7d..50b896541 100755 --- a/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/ipsec.conf @@ -26,6 +26,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 left=PH_IP_MOON leftcert=moonCert.pem leftid=@moon.strongswan.org diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf index 4d916ab36..71358d6c6 100644 --- a/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl ldap + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl ldap kernel-netlink } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/ikev1/multi-level-ca-loop/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-loop/hosts/carol/etc/ipsec.conf index 04a512eb7..4d42b1419 100755 --- a/testing/tests/ikev1/multi-level-ca-loop/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/multi-level-ca-loop/hosts/carol/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 left=PH_IP_CAROL leftcert=carolCert.pem right=PH_IP_MOON diff --git a/testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.conf index a9e648f5e..f91ca63a8 100755 --- a/testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 left=PH_IP_MOON leftcert=moonCert.pem leftid=@moon.strongswan.org diff --git a/testing/tests/ikev1/multi-level-ca-pathlen/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-pathlen/hosts/carol/etc/ipsec.conf index 1da39e483..39a1aa825 100755 --- a/testing/tests/ikev1/multi-level-ca-pathlen/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/multi-level-ca-pathlen/hosts/carol/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 conn home left=PH_IP_CAROL diff --git a/testing/tests/ikev1/multi-level-ca-pathlen/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-pathlen/hosts/moon/etc/ipsec.conf index 8e41bb124..ca5919d5c 100755 --- a/testing/tests/ikev1/multi-level-ca-pathlen/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/multi-level-ca-pathlen/hosts/moon/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 conn duck left=PH_IP_MOON diff --git a/testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.conf index d240302b6..b4bc2101c 100755 --- a/testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 left=PH_IP_CAROL leftcert=carolCert.pem leftid=carol@strongswan.org diff --git a/testing/tests/ikev1/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf index fdca83e18..0b9917b53 100755 --- a/testing/tests/ikev1/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf @@ -16,6 +16,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 left=PH_IP_MOON leftcert=moonCert.pem leftid=@moon.strongswan.org diff --git a/testing/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.conf index d4ce57333..cf93bb231 100755 --- a/testing/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 left=PH_IP_CAROL leftcert=carolCert.pem right=PH_IP_MOON diff --git a/testing/tests/ikev1/multi-level-ca-strict/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-strict/hosts/dave/etc/ipsec.conf index ea445522e..5f04445d2 100755 --- a/testing/tests/ikev1/multi-level-ca-strict/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev1/multi-level-ca-strict/hosts/dave/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 left=PH_IP_DAVE leftcert=daveCert.pem right=PH_IP_MOON diff --git a/testing/tests/ikev1/multi-level-ca-strict/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-strict/hosts/moon/etc/ipsec.conf index cf952be47..f79c501a8 100755 --- a/testing/tests/ikev1/multi-level-ca-strict/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/multi-level-ca-strict/hosts/moon/etc/ipsec.conf @@ -16,6 +16,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 left=PH_IP_MOON leftcert=moonCert.pem leftid=@moon.strongswan.org diff --git a/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.conf index 0adb2593d..d11724c28 100755 --- a/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 left=PH_IP_CAROL leftcert=carolCert.pem leftsendcert=ifasked diff --git a/testing/tests/ikev1/multi-level-ca/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca/hosts/dave/etc/ipsec.conf index 0e8e413e6..2d80aad8a 100755 --- a/testing/tests/ikev1/multi-level-ca/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev1/multi-level-ca/hosts/dave/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 left=PH_IP_DAVE leftcert=daveCert.pem leftsendcert=ifasked diff --git a/testing/tests/ikev1/multi-level-ca/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca/hosts/moon/etc/ipsec.conf index 1e00096c8..9b97015fd 100755 --- a/testing/tests/ikev1/multi-level-ca/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/multi-level-ca/hosts/moon/etc/ipsec.conf @@ -16,6 +16,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 left=PH_IP_MOON leftcert=moonCert.pem leftsendcert=ifasked diff --git a/testing/tests/ikev1/nat-before-esp/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/nat-before-esp/hosts/moon/etc/ipsec.conf index 82576bb2b..1ee1b7749 100755 --- a/testing/tests/ikev1/nat-before-esp/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/nat-before-esp/hosts/moon/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 conn host-net left=192.168.0.1 diff --git a/testing/tests/ikev1/nat-before-esp/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/nat-before-esp/hosts/sun/etc/ipsec.conf index 506417867..57496e10e 100755 --- a/testing/tests/ikev1/nat-before-esp/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ikev1/nat-before-esp/hosts/sun/etc/ipsec.conf @@ -12,6 +12,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 conn host-net left=192.168.0.2 diff --git a/testing/tests/ikev1/nat-two-rw-mark/description.txt b/testing/tests/ikev1/nat-two-rw-mark/description.txt new file mode 100644 index 000000000..2a93d11d8 --- /dev/null +++ b/testing/tests/ikev1/nat-two-rw-mark/description.txt @@ -0,0 +1,16 @@ +The roadwarriors <b>alice</b> and <b>venus</b> sitting behind the NAT router <b>moon</b> set up +tunnels to gateway <b>sun</b>. UDP encapsulation is used to traverse the NAT router. +Since both roadwarriors possess the same 10.1.0.0/25 subnet, gateway <b>sun</b> uses Source NAT +after ESP decryption to map these subnets to 10.3.0.10 and 10.3.0.20, respectively. +<p/> +In order to differentiate between the tunnels to <b>alice</b> and <b>venus</b>, respectively, +<b>XFRM marks</b> are defined for both the inbound and outbound IPsec SAs and policies using +the <b>mark</b> parameter in ipsec.conf. +<p/> +<b>iptables -t mangle</b> rules are then used in the PREROUTING chain to mark the traffic to +and from <b>alice</b> and <b>venus</b>, respectively. +<p/> +The script designated by <b>leftupdown=/etc/mark_updown</b> automatically inserts +iptables mangle rules that mark the inbound ESP_IN_UDP packets as well as iptables IPsec-policy rules +that let pass the tunneled traffic. In order to test the tunnel, the NAT-ed hosts <b>alice</b> +and <b>venus</b> ping the client <b>bob</b> behind the gateway <b>sun</b>. diff --git a/testing/tests/ikev1/nat-two-rw-mark/evaltest.dat b/testing/tests/ikev1/nat-two-rw-mark/evaltest.dat new file mode 100644 index 000000000..fa64c3d88 --- /dev/null +++ b/testing/tests/ikev1/nat-two-rw-mark/evaltest.dat @@ -0,0 +1,18 @@ +alice::ipsec status::nat-t.*STATE_QUICK_I2.*IPsec SA established::YES +venus::ipsec status::nat-t.*STATE_QUICK_I2.*IPsec SA established::YES +sun::ipsec status::alice.*STATE_QUICK_R2.*IPsec SA established::YES +sun::ipsec status::alice.*alice@strongswan.org::YES +sun::ipsec status::venus.*STATE_QUICK_R2.*IPsec SA established::YES +sun::ipsec status::venus.*venus.strongswan.org::YES +sun::ipsec statusall::alice.*10.2.0.0/16===.*===10.1.0.0/25::YES +sun::ipsec statusall::venus.*10.2.0.0/16===.*===10.1.0.0/25::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES +venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES +moon::tcpdump::IP moon.strongswan.org.4510.* > sun.strongswan.org.ipsec-nat-t: UDP::YES +moon::tcpdump::IP moon.strongswan.org.4520.* > sun.strongswan.org.ipsec-nat-t: UDP::YES +moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.4510.*: UDP::YES +moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.4520.*: UDP::YES +bob::tcpdump::10.3.0.10 > bob.strongswan.org: ICMP echo request::YES +bob::tcpdump::10.3.0.20 > bob.strongswan.org: ICMP echo request::YES +bob::tcpdump::bob.strongswan.org > 10.3.0.10: ICMP echo reply::YES +bob::tcpdump::bob.strongswan.org > 10.3.0.20: ICMP echo reply::YES diff --git a/testing/tests/ikev1/nat-two-rw-mark/hosts/alice/etc/ipsec.conf b/testing/tests/ikev1/nat-two-rw-mark/hosts/alice/etc/ipsec.conf new file mode 100755 index 000000000..4ed556226 --- /dev/null +++ b/testing/tests/ikev1/nat-two-rw-mark/hosts/alice/etc/ipsec.conf @@ -0,0 +1,27 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + nat_traversal=yes + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + +conn nat-t + left=%defaultroute + leftsubnet=10.1.0.0/25 + leftcert=aliceCert.pem + leftid=alice@strongswan.org + leftfirewall=yes + lefthostaccess=yes + right=PH_IP_SUN + rightid=@sun.strongswan.org + rightsubnet=10.2.0.0/16 + auto=add diff --git a/testing/tests/ikev1/nat-two-rw-mark/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/nat-two-rw-mark/hosts/sun/etc/ipsec.conf new file mode 100755 index 000000000..2b346430e --- /dev/null +++ b/testing/tests/ikev1/nat-two-rw-mark/hosts/sun/etc/ipsec.conf @@ -0,0 +1,36 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug="control parsing" #parsing to get knl 2 messages + crlcheckinterval=180 + strictcrlpolicy=no + nat_traversal=yes + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + +conn alice + rightid=alice@strongswan.org + mark=10/0xffffffff + also=sun + auto=add + +conn venus + rightid=@venus.strongswan.org + mark=20 #0xffffffff is used by default + also=sun + auto=add + +conn sun + left=PH_IP_SUN + leftcert=sunCert.pem + leftid=@sun.strongswan.org + leftsubnet=10.2.0.0/16 + leftupdown=/etc/mark_updown + right=%any + rightsubnet=10.1.0.0/25 diff --git a/testing/tests/ikev1/nat-two-rw-mark/hosts/sun/etc/mark_updown b/testing/tests/ikev1/nat-two-rw-mark/hosts/sun/etc/mark_updown new file mode 100755 index 000000000..0d22e684d --- /dev/null +++ b/testing/tests/ikev1/nat-two-rw-mark/hosts/sun/etc/mark_updown @@ -0,0 +1,527 @@ +#! /bin/sh +# updown script setting inbound marks on ESP traffic in the mangle chain +# +# Copyright (C) 2003-2004 Nigel Meteringham +# Copyright (C) 2003-2004 Tuomo Soini +# Copyright (C) 2002-2004 Michael Richardson +# Copyright (C) 2005-2010 Andreas Steffen <andreas.steffen@strongswan.org> +# +# This program is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 2 of the License, or (at your +# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +# for more details. + +# CAUTION: Installing a new version of strongSwan will install a new +# copy of this script, wiping out any custom changes you make. If +# you need changes, make a copy of this under another name, and customize +# that, and use the (left/right)updown parameters in ipsec.conf to make +# strongSwan use yours instead of this default one. + +# things that this script gets (from ipsec_pluto(8) man page) +# +# PLUTO_VERSION +# indicates what version of this interface is being +# used. This document describes version 1.1. This +# is upwardly compatible with version 1.0. +# +# PLUTO_VERB +# specifies the name of the operation to be performed +# (prepare-host, prepare-client, up-host, up-client, +# down-host, or down-client). If the address family +# for security gateway to security gateway communica- +# tions is IPv6, then a suffix of -v6 is added to the +# verb. +# +# PLUTO_CONNECTION +# is the name of the connection for which we are +# routing. +# +# PLUTO_NEXT_HOP +# is the next hop to which packets bound for the peer +# must be sent. +# +# PLUTO_INTERFACE +# is the name of the ipsec interface to be used. +# +# PLUTO_REQID +# is the requid of the ESP policy +# +# PLUTO_ME +# is the IP address of our host. +# +# PLUTO_MY_ID +# is the ID of our host. +# +# PLUTO_MY_CLIENT +# is the IP address / count of our client subnet. If +# the client is just the host, this will be the +# host's own IP address / max (where max is 32 for +# IPv4 and 128 for IPv6). +# +# PLUTO_MY_CLIENT_NET +# is the IP address of our client net. If the client +# is just the host, this will be the host's own IP +# address. +# +# PLUTO_MY_CLIENT_MASK +# is the mask for our client net. If the client is +# just the host, this will be 255.255.255.255. +# +# PLUTO_MY_SOURCEIP +# if non-empty, then the source address for the route will be +# set to this IP address. +# +# PLUTO_MY_PROTOCOL +# is the IP protocol that will be transported. +# +# PLUTO_MY_PORT +# is the UDP/TCP port to which the IPsec SA is +# restricted on our side. +# +# PLUTO_PEER +# is the IP address of our peer. +# +# PLUTO_PEER_ID +# is the ID of our peer. +# +# PLUTO_PEER_CA +# is the CA which issued the cert of our peer. +# +# PLUTO_PEER_CLIENT +# is the IP address / count of the peer's client sub- +# net. If the client is just the peer, this will be +# the peer's own IP address / max (where max is 32 +# for IPv4 and 128 for IPv6). +# +# PLUTO_PEER_CLIENT_NET +# is the IP address of the peer's client net. If the +# client is just the peer, this will be the peer's +# own IP address. +# +# PLUTO_PEER_CLIENT_MASK +# is the mask for the peer's client net. If the +# client is just the peer, this will be +# 255.255.255.255. +# +# PLUTO_PEER_PROTOCOL +# is the IP protocol that will be transported. +# +# PLUTO_PEER_PORT +# is the UDP/TCP port to which the IPsec SA is +# restricted on the peer side. +# +# PLUTO_XAUTH_ID +# is an optional user ID employed by the XAUTH protocol +# +# PLUTO_MARK_IN +# is an optional XFRM mark set on the inbound IPsec SA +# +# PLUTO_MARK_OUT +# is an optional XFRM mark set on the outbound IPsec SA +# +# PLUTO_UDP_ENC +# contains the remote UDP port in the case of ESP_IN_UDP +# encapsulation +# + +# define a minimum PATH environment in case it is not set +PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin" +export PATH + +# uncomment to log VPN connections +VPN_LOGGING=1 +# +# tag put in front of each log entry: +TAG=vpn +# +# syslog facility and priority used: +FAC_PRIO=local0.notice +# +# to create a special vpn logging file, put the following line into +# the syslog configuration file /etc/syslog.conf: +# +# local0.notice -/var/log/vpn + +# in order to use source IP routing the Linux kernel options +# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES +# must be enabled +# +# special routing table for sourceip routes +SOURCEIP_ROUTING_TABLE=220 +# +# priority of the sourceip routing table +SOURCEIP_ROUTING_TABLE_PRIO=220 + +# check interface version +case "$PLUTO_VERSION" in +1.[0|1]) # Older Pluto?!? Play it safe, script may be using new features. + echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2 + echo "$0: called by obsolete Pluto?" >&2 + exit 2 + ;; +1.*) ;; +*) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2 + exit 2 + ;; +esac + +# check parameter(s) +case "$1:$*" in +':') # no parameters + ;; +iptables:iptables) # due to (left/right)firewall; for default script only + ;; +custom:*) # custom parameters (see above CAUTION comment) + ;; +*) echo "$0: unknown parameters \`$*'" >&2 + exit 2 + ;; +esac + +# utility functions for route manipulation +# Meddling with this stuff should not be necessary and requires great care. +uproute() { + doroute add + ip route flush cache +} +downroute() { + doroute delete + ip route flush cache +} + +addsource() { + st=0 + if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local + then + it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE" + oops="`eval $it 2>&1`" + st=$? + if test " $oops" = " " -a " $st" != " 0" + then + oops="silent error, exit status $st" + fi + if test " $oops" != " " -o " $st" != " 0" + then + echo "$0: addsource \`$it' failed ($oops)" >&2 + fi + fi + return $st +} + +doroute() { + st=0 + + if [ -z "$PLUTO_MY_SOURCEIP" ] + then + for dir in /etc/sysconfig /etc/conf.d; do + if [ -f "$dir/defaultsource" ] + then + . "$dir/defaultsource" + fi + done + + if [ -n "$DEFAULTSOURCE" ] + then + PLUTO_MY_SOURCEIP=$DEFAULTSOURCE + fi + fi + + if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ] + then + # leave because no route entry is required + return $st + fi + + parms1="$PLUTO_PEER_CLIENT" + + if [ -n "$PLUTO_NEXT_HOP" ] + then + parms2="via $PLUTO_NEXT_HOP" + else + parms2="via $PLUTO_PEER" + fi + parms2="$parms2 dev $PLUTO_INTERFACE" + + parms3= + if [ -n "$PLUTO_MY_SOURCEIP" ] + then + if test "$1" = "add" + then + addsource + if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE" + then + ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE + fi + fi + parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE" + fi + + case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in + "0.0.0.0/0.0.0.0") + # opportunistic encryption work around + # need to provide route that eclipses default, without + # replacing it. + it="ip route $1 0.0.0.0/1 $parms2 $parms3 && + ip route $1 128.0.0.0/1 $parms2 $parms3" + ;; + *) it="ip route $1 $parms1 $parms2 $parms3" + ;; + esac + oops="`eval $it 2>&1`" + st=$? + if test " $oops" = " " -a " $st" != " 0" + then + oops="silent error, exit status $st" + fi + if test " $oops" != " " -o " $st" != " 0" + then + echo "$0: doroute \`$it' failed ($oops)" >&2 + fi + return $st +} + +# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY +if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ] +then + KLIPS=1 + IPSEC_POLICY_IN="" + IPSEC_POLICY_OUT="" +else + KLIPS= + IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID" + IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" + IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" +fi + +# is there an inbound mark to be set? +if [ -n "$PLUTO_MARK_IN" ] +then + if [ -n "$PLUTO_UDP_ENC" ] + then + SET_MARK="-p udp --sport $PLUTO_UDP_ENC" + else + SET_MARK="-p esp" + fi + SET_MARK="$SET_MARK -s $PLUTO_PEER -j MARK --set-mark $PLUTO_MARK_IN" +fi + +# are there port numbers? +if [ "$PLUTO_MY_PORT" != 0 ] +then + S_MY_PORT="--sport $PLUTO_MY_PORT" + D_MY_PORT="--dport $PLUTO_MY_PORT" +fi +if [ "$PLUTO_PEER_PORT" != 0 ] +then + S_PEER_PORT="--sport $PLUTO_PEER_PORT" + D_PEER_PORT="--dport $PLUTO_PEER_PORT" +fi + +# resolve octal escape sequences +PLUTO_MY_ID=`printf "$PLUTO_MY_ID"` +PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"` + +# the big choice +case "$PLUTO_VERB:$1" in +prepare-host:*|prepare-client:*) + if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ] + then + # exit because no route will be added, + # so that existing routes can stay + exit 0 + fi + + # delete possibly-existing route (preliminary to adding a route) + case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in + "0.0.0.0/0.0.0.0") + # need to provide route that eclipses default, without + # replacing it. + parms1="0.0.0.0/1" + parms2="128.0.0.0/1" + it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1" + oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`" + ;; + *) + parms="$PLUTO_PEER_CLIENT" + it="ip route delete $parms 2>&1" + oops="`ip route delete $parms 2>&1`" + ;; + esac + status="$?" + if test " $oops" = " " -a " $status" != " 0" + then + oops="silent error, exit status $status" + fi + case "$oops" in + *'RTNETLINK answers: No such process'*) + # This is what route (currently -- not documented!) gives + # for "could not find such a route". + oops= + status=0 + ;; + esac + if test " $oops" != " " -o " $status" != " 0" + then + echo "$0: \`$it' failed ($oops)" >&2 + fi + exit $status + ;; +route-host:*|route-client:*) + # connection to me or my client subnet being routed + uproute + ;; +unroute-host:*|unroute-client:*) + # connection to me or my client subnet being unrouted + downroute + ;; +up-host:) + # connection to me coming up + # If you are doing a custom version, firewall commands go here. + if [ -n "$PLUTO_MARK_IN" ] + then + iptables -t mangle -A PREROUTING $SET_MARK + fi + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + # + # log IPsec host connection setup + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] + then + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" + else + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" + fi + fi + ;; +down-host:) + # connection to me going down + # If you are doing a custom version, firewall commands go here. + if [ -n "$PLUTO_MARK_IN" ] + then + iptables -t mangle -D PREROUTING $SET_MARK + fi + iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + # + # log IPsec host connection teardown + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] + then + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" + else + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" + fi + fi + ;; +up-client:) + # connection to my client subnet coming up + # If you are doing a custom version, firewall commands go here. + if [ -n "$PLUTO_MARK_IN" ] + then + iptables -t mangle -A PREROUTING $SET_MARK + fi + if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] + then + iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT + iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + fi + # + # a virtual IP requires an INPUT and OUTPUT rule on the host + # or sometimes host access via the internal IP is needed + if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT + fi + # + # log IPsec client connection setup + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] + then + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + else + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + fi + fi + ;; +down-client:) + # connection to my client subnet going down + # If you are doing a custom version, firewall commands go here. + if [ -n "$PLUTO_MARK_IN" ] + then + iptables -t mangle -D PREROUTING $SET_MARK + fi + if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] + then + iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ + $IPSEC_POLICY_OUT -j ACCEPT + iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT \ + $IPSEC_POLICY_IN -j ACCEPT + fi + # + # a virtual IP requires an INPUT and OUTPUT rule on the host + # or sometimes host access via the internal IP is needed + if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT \ + $IPSEC_POLICY_IN -j ACCEPT + iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ + $IPSEC_POLICY_OUT -j ACCEPT + fi + # + # log IPsec client connection teardown + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] + then + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + else + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + fi + fi + ;; +*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2 + exit 1 + ;; +esac diff --git a/testing/tests/ikev1/nat-two-rw-mark/hosts/venus/etc/ipsec.conf b/testing/tests/ikev1/nat-two-rw-mark/hosts/venus/etc/ipsec.conf new file mode 100755 index 000000000..0be3477c1 --- /dev/null +++ b/testing/tests/ikev1/nat-two-rw-mark/hosts/venus/etc/ipsec.conf @@ -0,0 +1,27 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + nat_traversal=yes + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + +conn nat-t + left=%defaultroute + leftsubnet=10.1.0.0/25 + leftcert=venusCert.pem + leftid=@venus.strongswan.org + leftfirewall=yes + lefthostaccess=yes + right=PH_IP_SUN + rightid=@sun.strongswan.org + rightsubnet=10.2.0.0/16 + auto=add diff --git a/testing/tests/ikev1/nat-two-rw-mark/posttest.dat b/testing/tests/ikev1/nat-two-rw-mark/posttest.dat new file mode 100644 index 000000000..89d5f534b --- /dev/null +++ b/testing/tests/ikev1/nat-two-rw-mark/posttest.dat @@ -0,0 +1,11 @@ +sun::iptables -t mangle -v -n -L PREROUTING +sun::ipsec stop +alice::ipsec stop +venus::ipsec stop +alice::/etc/init.d/iptables stop 2> /dev/null +venus::/etc/init.d/iptables stop 2> /dev/null +sun::/etc/init.d/iptables stop 2> /dev/null +moon::iptables -t nat -F +moon::conntrack -F +sun::conntrack -F +sun::rm /etc/mark_updown diff --git a/testing/tests/ikev1/nat-two-rw-mark/pretest.dat b/testing/tests/ikev1/nat-two-rw-mark/pretest.dat new file mode 100644 index 000000000..310e5be71 --- /dev/null +++ b/testing/tests/ikev1/nat-two-rw-mark/pretest.dat @@ -0,0 +1,21 @@ +alice::/etc/init.d/iptables start 2> /dev/null +venus::/etc/init.d/iptables start 2> /dev/null +sun::/etc/init.d/iptables start 2> /dev/null +moon::echo 1 > /proc/sys/net/ipv4/ip_forward +moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to PH_IP_MOON +moon::iptables -t nat -A POSTROUTING -o eth0 -s PH_IP_ALICE -p udp --sport 500 -j SNAT --to PH_IP_MOON:510 +moon::iptables -t nat -A POSTROUTING -o eth0 -s PH_IP_VENUS -p udp --sport 500 -j SNAT --to PH_IP_MOON:520 +moon::iptables -t nat -A POSTROUTING -o eth0 -s PH_IP_ALICE -p udp --sport 4500 -j SNAT --to PH_IP_MOON:4510 +moon::iptables -t nat -A POSTROUTING -o eth0 -s PH_IP_VENUS -p udp --sport 4500 -j SNAT --to PH_IP_MOON:4520 +sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 10 -j SNAT --to 10.3.0.10 +sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 20 -j SNAT --to 10.3.0.20 +sun::iptables -t mangle -A PREROUTING -d 10.3.0.10 -j MARK --set-mark 10 +sun::iptables -t mangle -A PREROUTING -d 10.3.0.20 -j MARK --set-mark 20 +alice::ipsec start +venus::ipsec start +sun::ipsec start +alice::sleep 2 +alice::ipsec up nat-t +venus::sleep 2 +venus::ipsec up nat-t +venus::sleep 2 diff --git a/testing/tests/ikev1/nat-two-rw-mark/test.conf b/testing/tests/ikev1/nat-two-rw-mark/test.conf new file mode 100644 index 000000000..ae3c190b8 --- /dev/null +++ b/testing/tests/ikev1/nat-two-rw-mark/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice venus moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-v-m-w-s-b.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon bob" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="alice venus sun" diff --git a/testing/tests/ikev1/nat-two-rw-psk/hosts/alice/etc/ipsec.conf b/testing/tests/ikev1/nat-two-rw-psk/hosts/alice/etc/ipsec.conf index e8576f0e7..eee3c45e8 100755 --- a/testing/tests/ikev1/nat-two-rw-psk/hosts/alice/etc/ipsec.conf +++ b/testing/tests/ikev1/nat-two-rw-psk/hosts/alice/etc/ipsec.conf @@ -10,6 +10,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 authby=secret conn nat-t diff --git a/testing/tests/ikev1/nat-two-rw-psk/hosts/alice/etc/strongswan.conf b/testing/tests/ikev1/nat-two-rw-psk/hosts/alice/etc/strongswan.conf index 85e5f1aee..453cdc07c 100644 --- a/testing/tests/ikev1/nat-two-rw-psk/hosts/alice/etc/strongswan.conf +++ b/testing/tests/ikev1/nat-two-rw-psk/hosts/alice/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = sha1 sha2 md5 aes des hmac gmp random + load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/ipsec.conf index ebd735a11..a7c500fe2 100755 --- a/testing/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/ipsec.conf @@ -10,6 +10,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 authby=secret conn nat-t diff --git a/testing/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/strongswan.conf index 85e5f1aee..453cdc07c 100644 --- a/testing/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = sha1 sha2 md5 aes des hmac gmp random + load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/ikev1/nat-two-rw-psk/hosts/venus/etc/ipsec.conf b/testing/tests/ikev1/nat-two-rw-psk/hosts/venus/etc/ipsec.conf index e8576f0e7..eee3c45e8 100755 --- a/testing/tests/ikev1/nat-two-rw-psk/hosts/venus/etc/ipsec.conf +++ b/testing/tests/ikev1/nat-two-rw-psk/hosts/venus/etc/ipsec.conf @@ -10,6 +10,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 authby=secret conn nat-t diff --git a/testing/tests/ikev1/nat-two-rw-psk/hosts/venus/etc/strongswan.conf b/testing/tests/ikev1/nat-two-rw-psk/hosts/venus/etc/strongswan.conf index 85e5f1aee..453cdc07c 100644 --- a/testing/tests/ikev1/nat-two-rw-psk/hosts/venus/etc/strongswan.conf +++ b/testing/tests/ikev1/nat-two-rw-psk/hosts/venus/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = sha1 sha2 md5 aes des hmac gmp random + load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.conf index 83d2b268a..a38c66023 100755 --- a/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.conf @@ -10,6 +10,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 conn net-net left=PH_IP_MOON diff --git a/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/strongswan.conf index 30c802be8..71896491e 100644 --- a/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 pgp gmp random curl + load = sha1 sha2 md5 aes des hmac pem pkcs1 pgp gmp random curl kernel-netlink } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.conf index d5b7c39fa..6a373e29f 100755 --- a/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.conf @@ -10,6 +10,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 conn net-net left=PH_IP_SUN diff --git a/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/strongswan.conf index 30c802be8..71896491e 100644 --- a/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 pgp gmp random curl + load = sha1 sha2 md5 aes des hmac pem pkcs1 pgp gmp random curl kernel-netlink } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.conf index bbd1f3a06..094ab3bed 100755 --- a/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.conf @@ -10,6 +10,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 conn net-net left=PH_IP_MOON diff --git a/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/strongswan.conf index 30c802be8..71896491e 100644 --- a/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 pgp gmp random curl + load = sha1 sha2 md5 aes des hmac pem pkcs1 pgp gmp random curl kernel-netlink } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.conf index abe91e6ee..428b10ce6 100755 --- a/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.conf @@ -10,6 +10,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 conn net-net left=PH_IP_SUN diff --git a/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/strongswan.conf index 30c802be8..71896491e 100644 --- a/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 pgp gmp random curl + load = sha1 sha2 md5 aes des hmac pem pkcs1 pgp gmp random curl kernel-netlink } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/ipsec.conf index 7302a423b..ad0359f01 100755 --- a/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/ipsec.conf @@ -9,6 +9,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 authby=secret conn net-net diff --git a/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/strongswan.conf index 85e5f1aee..453cdc07c 100644 --- a/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = sha1 sha2 md5 aes des hmac gmp random + load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/ipsec.conf index 7633f5c8b..9bbff9039 100755 --- a/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/ipsec.conf @@ -9,6 +9,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 authby=secret conn net-net diff --git a/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/strongswan.conf index 85e5f1aee..453cdc07c 100644 --- a/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = sha1 sha2 md5 aes des hmac gmp random + load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/ikev1/net2net-psk/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-psk/hosts/moon/etc/ipsec.conf index 5eedd9f28..c63ec2f30 100755 --- a/testing/tests/ikev1/net2net-psk/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/net2net-psk/hosts/moon/etc/ipsec.conf @@ -9,6 +9,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 authby=secret conn net-net diff --git a/testing/tests/ikev1/net2net-psk/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/net2net-psk/hosts/moon/etc/strongswan.conf index 85e5f1aee..453cdc07c 100644 --- a/testing/tests/ikev1/net2net-psk/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev1/net2net-psk/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = sha1 sha2 md5 aes des hmac gmp random + load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/ikev1/net2net-psk/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/net2net-psk/hosts/sun/etc/ipsec.conf index 24bd66f53..e21ee9910 100755 --- a/testing/tests/ikev1/net2net-psk/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ikev1/net2net-psk/hosts/sun/etc/ipsec.conf @@ -9,6 +9,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 authby=secret conn net-net diff --git a/testing/tests/ikev1/net2net-psk/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/net2net-psk/hosts/sun/etc/strongswan.conf index 85e5f1aee..453cdc07c 100644 --- a/testing/tests/ikev1/net2net-psk/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev1/net2net-psk/hosts/sun/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = sha1 sha2 md5 aes des hmac gmp random + load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/ikev1/net2net-route/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-route/hosts/moon/etc/ipsec.conf index eabb76bf7..bc72fab0f 100755 --- a/testing/tests/ikev1/net2net-route/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/net2net-route/hosts/moon/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 conn net-net left=PH_IP_MOON diff --git a/testing/tests/ikev1/net2net-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-rsa/hosts/moon/etc/ipsec.conf index 18b18f3ea..837c1ab56 100755 --- a/testing/tests/ikev1/net2net-rsa/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/net2net-rsa/hosts/moon/etc/ipsec.conf @@ -9,6 +9,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 conn net-net left=PH_IP_MOON diff --git a/testing/tests/ikev1/net2net-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/net2net-rsa/hosts/moon/etc/strongswan.conf index 4bf0f97aa..c50c4c594 100644 --- a/testing/tests/ikev1/net2net-rsa/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev1/net2net-rsa/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = sha1 sha2 md5 aes des hmac dnskey pkcs1 x509 gmp random curl + load = sha1 sha2 md5 aes des hmac dnskey pkcs1 x509 gmp random curl kernel-netlink } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/ikev1/net2net-rsa/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/net2net-rsa/hosts/sun/etc/ipsec.conf index 3f2bc48c0..efd9c798a 100755 --- a/testing/tests/ikev1/net2net-rsa/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ikev1/net2net-rsa/hosts/sun/etc/ipsec.conf @@ -9,6 +9,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 conn net-net left=PH_IP_SUN diff --git a/testing/tests/ikev1/net2net-rsa/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/net2net-rsa/hosts/sun/etc/strongswan.conf index 4bf0f97aa..c50c4c594 100644 --- a/testing/tests/ikev1/net2net-rsa/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev1/net2net-rsa/hosts/sun/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = sha1 sha2 md5 aes des hmac dnskey pkcs1 x509 gmp random curl + load = sha1 sha2 md5 aes des hmac dnskey pkcs1 x509 gmp random curl kernel-netlink } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/ikev1/net2net-same-nets/description.txt b/testing/tests/ikev1/net2net-same-nets/description.txt new file mode 100644 index 000000000..d0eb3374f --- /dev/null +++ b/testing/tests/ikev1/net2net-same-nets/description.txt @@ -0,0 +1,15 @@ +A connection between two identical <b>10.0.0.0/14</b> networks behind the gateways <b>moon</b> +and <b>sun</b> is set up. In order to make network routing work, the subnet behind <b>moon</b> +sees the subnet behind <b>sun</b> as <b>10.4.0.0/14</b> whereas the subnet behind <b>sun</b> +sees the subnet behind <b>moon</b> as <b>10.8.0.0/14</b>. The necessary network mappings are +done on gateway <b>sun</b> using the iptables <b>MARK</b> and <b>NETMAP</b> targets. +<p/> +Upon the successful establishment of the IPsec tunnel, on gateway <b>moon</b> the directive +<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass +the tunneled traffic whereas on gateway <b>sun</b> the script indicated by +<b>leftupdown=/etc/mark_updown</b> inserts iptables rules that set marks defined in the +connection definition of <b>ipsec.conf</b> both on the inbound and outbound traffic, create +the necessary NETMAP operations and forward the tunneled traffic. +<p/> +In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b> +pings client <b>bob</b> located behind gateway <b>sun</b> and vice versa. diff --git a/testing/tests/ikev1/net2net-same-nets/evaltest.dat b/testing/tests/ikev1/net2net-same-nets/evaltest.dat new file mode 100644 index 000000000..b5ad0628e --- /dev/null +++ b/testing/tests/ikev1/net2net-same-nets/evaltest.dat @@ -0,0 +1,10 @@ +moon::ipsec statusall::net-net.*IPsec SA established::YES +sun::ipsec statusall::net-net.*IPsec SA established::YES +alice::ping -c 1 10.6.0.10::64 bytes from 10.6.0.10: icmp_seq=1::YES +bob::ping -c 1 10.9.0.10::64 bytes from 10.9.0.10: icmp_seq=1::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES +bob::tcpdump::IP 10.9.0.10 > bob.strongswan.org: ICMP echo request::YES +bob::tcpdump::IP bob.strongswan.org > 10.9.0.10: ICMP echo reply::YES +bob::tcpdump::IP bob.strongswan.org > 10.9.0.10: ICMP echo request::YES +bob::tcpdump::IP 10.9.0.10 > bob.strongswan.org: ICMP echo reply::YES diff --git a/testing/tests/ikev1/net2net-same-nets/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-same-nets/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..30af017ff --- /dev/null +++ b/testing/tests/ikev1/net2net-same-nets/hosts/moon/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + plutodebug=control + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + +conn net-net + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.0.0.0/14 + leftfirewall=yes + right=PH_IP_SUN + rightid=@sun.strongswan.org + rightsubnet=10.4.0.0/14 + auto=add diff --git a/testing/tests/ikev1/net2net-same-nets/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/net2net-same-nets/hosts/sun/etc/ipsec.conf new file mode 100755 index 000000000..5e924cf25 --- /dev/null +++ b/testing/tests/ikev1/net2net-same-nets/hosts/sun/etc/ipsec.conf @@ -0,0 +1,27 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + plutodebug=control + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + +conn net-net + left=PH_IP_SUN + leftcert=sunCert.pem + leftid=@sun.strongswan.org + leftsubnet=10.4.0.0/14 + leftupdown=/etc/mark_updown + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.0.0.0/14 + mark_in=8 + mark_out=4 + auto=add diff --git a/testing/tests/ikev1/net2net-same-nets/hosts/sun/etc/mark_updown b/testing/tests/ikev1/net2net-same-nets/hosts/sun/etc/mark_updown new file mode 100755 index 000000000..0bfdcad85 --- /dev/null +++ b/testing/tests/ikev1/net2net-same-nets/hosts/sun/etc/mark_updown @@ -0,0 +1,376 @@ +#! /bin/sh +# updown script setting inbound marks on ESP traffic in the mangle chain +# +# Copyright (C) 2003-2004 Nigel Meteringham +# Copyright (C) 2003-2004 Tuomo Soini +# Copyright (C) 2002-2004 Michael Richardson +# Copyright (C) 2005-2010 Andreas Steffen <andreas.steffen@strongswan.org> +# +# This program is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 2 of the License, or (at your +# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +# for more details. + +# CAUTION: Installing a new version of strongSwan will install a new +# copy of this script, wiping out any custom changes you make. If +# you need changes, make a copy of this under another name, and customize +# that, and use the (left/right)updown parameters in ipsec.conf to make +# strongSwan use yours instead of this default one. + +# things that this script gets (from ipsec_pluto(8) man page) +# +# PLUTO_VERSION +# indicates what version of this interface is being +# used. This document describes version 1.1. This +# is upwardly compatible with version 1.0. +# +# PLUTO_VERB +# specifies the name of the operation to be performed +# (prepare-host, prepare-client, up-host, up-client, +# down-host, or down-client). If the address family +# for security gateway to security gateway communica- +# tions is IPv6, then a suffix of -v6 is added to the +# verb. +# +# PLUTO_CONNECTION +# is the name of the connection for which we are +# routing. +# +# PLUTO_NEXT_HOP +# is the next hop to which packets bound for the peer +# must be sent. +# +# PLUTO_INTERFACE +# is the name of the ipsec interface to be used. +# +# PLUTO_REQID +# is the requid of the ESP policy +# +# PLUTO_ME +# is the IP address of our host. +# +# PLUTO_MY_ID +# is the ID of our host. +# +# PLUTO_MY_CLIENT +# is the IP address / count of our client subnet. If +# the client is just the host, this will be the +# host's own IP address / max (where max is 32 for +# IPv4 and 128 for IPv6). +# +# PLUTO_MY_CLIENT_NET +# is the IP address of our client net. If the client +# is just the host, this will be the host's own IP +# address. +# +# PLUTO_MY_CLIENT_MASK +# is the mask for our client net. If the client is +# just the host, this will be 255.255.255.255. +# +# PLUTO_MY_SOURCEIP +# if non-empty, then the source address for the route will be +# set to this IP address. +# +# PLUTO_MY_PROTOCOL +# is the IP protocol that will be transported. +# +# PLUTO_MY_PORT +# is the UDP/TCP port to which the IPsec SA is +# restricted on our side. +# +# PLUTO_PEER +# is the IP address of our peer. +# +# PLUTO_PEER_ID +# is the ID of our peer. +# +# PLUTO_PEER_CA +# is the CA which issued the cert of our peer. +# +# PLUTO_PEER_CLIENT +# is the IP address / count of the peer's client sub- +# net. If the client is just the peer, this will be +# the peer's own IP address / max (where max is 32 +# for IPv4 and 128 for IPv6). +# +# PLUTO_PEER_CLIENT_NET +# is the IP address of the peer's client net. If the +# client is just the peer, this will be the peer's +# own IP address. +# +# PLUTO_PEER_CLIENT_MASK +# is the mask for the peer's client net. If the +# client is just the peer, this will be +# 255.255.255.255. +# +# PLUTO_PEER_PROTOCOL +# is the IP protocol that will be transported. +# +# PLUTO_PEER_PORT +# is the UDP/TCP port to which the IPsec SA is +# restricted on the peer side. +# +# PLUTO_XAUTH_ID +# is an optional user ID employed by the XAUTH protocol +# +# PLUTO_MARK_IN +# is an optional XFRM mark set on the inbound IPsec SA +# +# PLUTO_MARK_OUT +# is an optional XFRM mark set on the outbound IPsec SA +# +# PLUTO_UDP_ENC +# contains the remote UDP port in the case of ESP_IN_UDP +# encapsulation +# + +# define a minimum PATH environment in case it is not set +PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin" +export PATH + +# check parameter(s) +case "$1:$*" in +':') # no parameters + ;; +iptables:iptables) # due to (left/right)firewall; for default script only + ;; +custom:*) # custom parameters (see above CAUTION comment) + ;; +*) echo "$0: unknown parameters \`$*'" >&2 + exit 2 + ;; +esac + +# utility functions for route manipulation +# Meddling with this stuff should not be necessary and requires great care. +uproute() { + doroute add + ip route flush cache +} +downroute() { + doroute delete + ip route flush cache +} + +addsource() { + st=0 + if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local + then + it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE" + oops="`eval $it 2>&1`" + st=$? + if test " $oops" = " " -a " $st" != " 0" + then + oops="silent error, exit status $st" + fi + if test " $oops" != " " -o " $st" != " 0" + then + echo "$0: addsource \`$it' failed ($oops)" >&2 + fi + fi + return $st +} + +doroute() { + st=0 + + if [ -z "$PLUTO_MY_SOURCEIP" ] + then + for dir in /etc/sysconfig /etc/conf.d; do + if [ -f "$dir/defaultsource" ] + then + . "$dir/defaultsource" + fi + done + + if [ -n "$DEFAULTSOURCE" ] + then + PLUTO_MY_SOURCEIP=$DEFAULTSOURCE + fi + fi + + if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ] + then + # leave because no route entry is required + return $st + fi + + parms1="$PLUTO_PEER_CLIENT" + + if [ -n "$PLUTO_NEXT_HOP" ] + then + parms2="via $PLUTO_NEXT_HOP" + else + parms2="via $PLUTO_PEER" + fi + parms2="$parms2 dev $PLUTO_INTERFACE" + + parms3= + if [ -n "$PLUTO_MY_SOURCEIP" ] + then + if test "$1" = "add" + then + addsource + if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE" + then + ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE + fi + fi + parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE" + fi + + case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in + "0.0.0.0/0.0.0.0") + # opportunistic encryption work around + # need to provide route that eclipses default, without + # replacing it. + it="ip route $1 0.0.0.0/1 $parms2 $parms3 && + ip route $1 128.0.0.0/1 $parms2 $parms3" + ;; + *) it="ip route $1 $parms1 $parms2 $parms3" + ;; + esac + oops="`eval $it 2>&1`" + st=$? + if test " $oops" = " " -a " $st" != " 0" + then + oops="silent error, exit status $st" + fi + if test " $oops" != " " -o " $st" != " 0" + then + echo "$0: doroute \`$it' failed ($oops)" >&2 + fi + return $st +} +# define NETMAP +SAME_NET=$PLUTO_PEER_CLIENT +IN_NET=$PLUTO_MY_CLIENT +OUT_NET="10.8.0.0/14" + +# define internal interface +INT_INTERFACE="eth1" + +# is there an inbound mark to be set? +if [ -n "$PLUTO_MARK_IN" ] +then + if [ -n "$PLUTO_UDP_ENC" ] + then + SET_MARK_IN="-p udp --sport $PLUTO_UDP_ENC" + else + SET_MARK_IN="-p esp" + fi + SET_MARK_IN="$SET_MARK_IN -s $PLUTO_PEER -j MARK --set-mark $PLUTO_MARK_IN" +fi + +# is there an outbound mark to be set? +if [ -n "$PLUTO_MARK_OUT" ] +then + SET_MARK_OUT="-i $INT_INTERFACE -s $SAME_NET -d $OUT_NET -j MARK --set-mark $PLUTO_MARK_OUT" +fi + +# resolve octal escape sequences +PLUTO_MY_ID=`printf "$PLUTO_MY_ID"` +PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"` + +# the big choice +case "$PLUTO_VERB:$1" in +prepare-host:*|prepare-client:*) + if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ] + then + # exit because no route will be added, + # so that existing routes can stay + exit 0 + fi + + # delete possibly-existing route (preliminary to adding a route) + case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in + "0.0.0.0/0.0.0.0") + # need to provide route that eclipses default, without + # replacing it. + parms1="0.0.0.0/1" + parms2="128.0.0.0/1" + it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1" + oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`" + ;; + *) + parms="$PLUTO_PEER_CLIENT" + it="ip route delete $parms 2>&1" + oops="`ip route delete $parms 2>&1`" + ;; + esac + status="$?" + if test " $oops" = " " -a " $status" != " 0" + then + oops="silent error, exit status $status" + fi + case "$oops" in + *'RTNETLINK answers: No such process'*) + # This is what route (currently -- not documented!) gives + # for "could not find such a route". + oops= + status=0 + ;; + esac + if test " $oops" != " " -o " $status" != " 0" + then + echo "$0: \`$it' failed ($oops)" >&2 + fi + exit $status + ;; +route-host:*|route-client:*) + # connection to me or my client subnet being routed + uproute + ;; +unroute-host:*|unroute-client:*) + # connection to me or my client subnet being unrouted + downroute + ;; +up-client:) + # connection to my client subnet coming up + # If you are doing a custom version, firewall commands go here. + if [ -n "$PLUTO_MARK_IN" ] + then + iptables -t mangle -A PREROUTING $SET_MARK_IN + iptables -t nat -A PREROUTING -i $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_IN \ + -d $IN_NET -j NETMAP --to $SAME_NET + iptables -I FORWARD 1 -i $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_IN -j ACCEPT + iptables -t nat -A POSTROUTING -o $INT_INTERFACE -m mark --mark $PLUTO_MARK_IN \ + -s $SAME_NET -j NETMAP --to $OUT_NET + fi + if [ -n "$PLUTO_MARK_OUT" ] + then + iptables -t mangle -A PREROUTING $SET_MARK_OUT + iptables -t nat -A PREROUTING -i $INT_INTERFACE -m mark --mark $PLUTO_MARK_OUT \ + -d $OUT_NET -j NETMAP --to $SAME_NET + iptables -I FORWARD 1 -o $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_OUT -j ACCEPT + iptables -t nat -A POSTROUTING -o $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_OUT \ + -s $SAME_NET -j NETMAP --to $IN_NET + fi + ;; +down-client:) + # connection to my client subnet going down + # If you are doing a custom version, firewall commands go here. + if [ -n "$PLUTO_MARK_IN" ] + then + iptables -t mangle -D PREROUTING $SET_MARK_IN + iptables -t nat -D PREROUTING -i $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_IN \ + -d $IN_NET -j NETMAP --to $SAME_NET + iptables -D FORWARD -i $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_IN -j ACCEPT + iptables -t nat -D POSTROUTING -o eth1 -m mark --mark $PLUTO_MARK_IN \ + -s $SAME_NET -j NETMAP --to $OUT_NET + fi + if [ -n "$PLUTO_MARK_OUT" ] + then + iptables -t mangle -D PREROUTING $SET_MARK_OUT + iptables -D FORWARD -o $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_OUT -j ACCEPT + fi + ;; +*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2 + exit 1 + ;; +esac diff --git a/testing/tests/ikev1/net2net-same-nets/posttest.dat b/testing/tests/ikev1/net2net-same-nets/posttest.dat new file mode 100644 index 000000000..e75e66650 --- /dev/null +++ b/testing/tests/ikev1/net2net-same-nets/posttest.dat @@ -0,0 +1,7 @@ +sun::iptables -t mangle -n -v -L PREROUTING +sun::iptables -t nat -n -v -L +moon::ipsec stop +sun::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +sun::/etc/init.d/iptables stop 2> /dev/null +sun::conntrack -F diff --git a/testing/tests/ikev1/net2net-same-nets/pretest.dat b/testing/tests/ikev1/net2net-same-nets/pretest.dat new file mode 100644 index 000000000..2d7a78acb --- /dev/null +++ b/testing/tests/ikev1/net2net-same-nets/pretest.dat @@ -0,0 +1,6 @@ +moon::/etc/init.d/iptables start 2> /dev/null +sun::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +sun::ipsec start +moon::sleep 1 +moon::ipsec up net-net diff --git a/testing/tests/ikev1/net2net-same-nets/test.conf b/testing/tests/ikev1/net2net-same-nets/test.conf new file mode 100644 index 000000000..1971a33ab --- /dev/null +++ b/testing/tests/ikev1/net2net-same-nets/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun bob" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" diff --git a/testing/tests/ikev1/net2net-start/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-start/hosts/moon/etc/ipsec.conf index e2e43cecd..acb12e7f3 100755 --- a/testing/tests/ikev1/net2net-start/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/net2net-start/hosts/moon/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 conn net-net left=PH_IP_MOON diff --git a/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.conf index 9a1f0934b..a62964829 100755 --- a/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.conf @@ -16,6 +16,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 left=PH_IP_CAROL leftcert=carolRevokedCert.pem leftid=carol@strongswan.org diff --git a/testing/tests/ikev1/ocsp-revoked/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/ocsp-revoked/hosts/moon/etc/ipsec.conf index 9b0c9b534..cd2ab0aca 100755 --- a/testing/tests/ikev1/ocsp-revoked/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/ocsp-revoked/hosts/moon/etc/ipsec.conf @@ -16,6 +16,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 left=PH_IP_MOON leftcert=moonCert.pem leftid=@moon.strongswan.org diff --git a/testing/tests/ikev1/ocsp-strict/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/ocsp-strict/hosts/carol/etc/ipsec.conf index 5624f4fcf..c79b1c3e2 100755 --- a/testing/tests/ikev1/ocsp-strict/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/ocsp-strict/hosts/carol/etc/ipsec.conf @@ -16,6 +16,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 left=PH_IP_CAROL leftcert=carolCert.pem leftid=carol@strongswan.org diff --git a/testing/tests/ikev1/ocsp-strict/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/ocsp-strict/hosts/moon/etc/ipsec.conf index 9b0c9b534..cd2ab0aca 100755 --- a/testing/tests/ikev1/ocsp-strict/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/ocsp-strict/hosts/moon/etc/ipsec.conf @@ -16,6 +16,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 left=PH_IP_MOON leftcert=moonCert.pem leftid=@moon.strongswan.org diff --git a/testing/tests/ikev1/passthrough/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/passthrough/hosts/moon/etc/ipsec.conf index 557fb62eb..25eec2a3e 100755 --- a/testing/tests/ikev1/passthrough/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/passthrough/hosts/moon/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 left=PH_IP_MOON leftsubnet=10.1.0.0/16 right=PH_IP_SUN diff --git a/testing/tests/ikev1/passthrough/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/passthrough/hosts/sun/etc/ipsec.conf index 9276f1f90..7541aa894 100755 --- a/testing/tests/ikev1/passthrough/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ikev1/passthrough/hosts/sun/etc/ipsec.conf @@ -12,6 +12,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 conn net-net left=PH_IP_SUN diff --git a/testing/tests/ikev1/protoport-dual/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/protoport-dual/hosts/carol/etc/ipsec.conf index 3adfdc0b8..48df689af 100755 --- a/testing/tests/ikev1/protoport-dual/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/protoport-dual/hosts/carol/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 left=PH_IP_CAROL leftcert=carolCert.pem leftid=carol@strongswan.org diff --git a/testing/tests/ikev1/protoport-dual/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/protoport-dual/hosts/moon/etc/ipsec.conf index e1ce14973..c4bfebda1 100755 --- a/testing/tests/ikev1/protoport-dual/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/protoport-dual/hosts/moon/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 left=PH_IP_MOON leftcert=moonCert.pem leftid=@moon.strongswan.org diff --git a/testing/tests/ikev1/protoport-pass/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/protoport-pass/hosts/carol/etc/ipsec.conf index 913e6d91a..aae781b69 100755 --- a/testing/tests/ikev1/protoport-pass/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/protoport-pass/hosts/carol/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 conn home-icmp left=PH_IP_CAROL diff --git a/testing/tests/ikev1/protoport-pass/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/protoport-pass/hosts/moon/etc/ipsec.conf index d941e81ef..7b80a299e 100755 --- a/testing/tests/ikev1/protoport-pass/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/protoport-pass/hosts/moon/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 conn rw-icmp left=PH_IP_MOON diff --git a/testing/tests/ikev1/protoport-route/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/protoport-route/hosts/carol/etc/ipsec.conf index dfc0143ed..2bb557410 100755 --- a/testing/tests/ikev1/protoport-route/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/protoport-route/hosts/carol/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 left=PH_IP_CAROL leftcert=carolCert.pem leftid=carol@strongswan.org diff --git a/testing/tests/ikev1/protoport-route/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/protoport-route/hosts/moon/etc/ipsec.conf index e1ce14973..c4bfebda1 100755 --- a/testing/tests/ikev1/protoport-route/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/protoport-route/hosts/moon/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 left=PH_IP_MOON leftcert=moonCert.pem leftid=@moon.strongswan.org diff --git a/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/ipsec.conf index 6db69096b..7c2bb3a98 100755 --- a/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 conn home left=PH_IP_CAROL diff --git a/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/strongswan.conf index 737117cc9..e589a9425 100644 --- a/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink } scepclient { diff --git a/testing/tests/ikev1/req-pkcs10/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/req-pkcs10/hosts/moon/etc/strongswan.conf index 737117cc9..e589a9425 100644 --- a/testing/tests/ikev1/req-pkcs10/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev1/req-pkcs10/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink } scepclient { diff --git a/testing/tests/ikev1/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-cert/hosts/carol/etc/strongswan.conf index 72ff765c3..7403971e9 100644 --- a/testing/tests/ikev1/rw-cert/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev1/rw-cert/hosts/carol/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = test-vectors sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth + load = test-vectors sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/ikev1/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-cert/hosts/moon/etc/strongswan.conf index 72ff765c3..7403971e9 100644 --- a/testing/tests/ikev1/rw-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev1/rw-cert/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = test-vectors sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth + load = test-vectors sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/ikev1/rw-mark-in-out/description.txt b/testing/tests/ikev1/rw-mark-in-out/description.txt new file mode 100644 index 000000000..4c35081b1 --- /dev/null +++ b/testing/tests/ikev1/rw-mark-in-out/description.txt @@ -0,0 +1,16 @@ +The roadwarriors <b>alice</b> and <b>venus</b> sitting behind the router <b>moon</b> set up +tunnels to gateway <b>sun</b>. Since both roadwarriors possess the same 10.1.0.0/25 subnet, +gateway <b>sun</b> uses Source NAT after ESP decryption to map these subnets to 10.3.0.10 +and 10.3.0.20, respectively. +<p/> +In order to differentiate between the tunnels to <b>alice</b> and <b>venus</b>, respectively, +<b>XFRM marks</b> are defined for both the inbound and outbound IPsec SAs and policies using +the <b>mark_in</b> and <b>mark_out</b> parameters in ipsec.conf. +<p/> +<b>iptables -t mangle</b> rules are then used in the PREROUTING chain to mark the traffic to +and from <b>alice</b> and <b>venus</b>, respectively. +<p/> +The script designated by <b>leftupdown=/etc/mark_updown</b> automatically inserts +iptables mangle rules that mark the inbound ESP packets as well as iptables IPsec-policy rules +that let pass the tunneled traffic. In order to test the tunnel, the hosts <b>alice</b> +and <b>venus</b> ping the client <b>bob</b> behind the gateway <b>sun</b>. diff --git a/testing/tests/ikev1/rw-mark-in-out/evaltest.dat b/testing/tests/ikev1/rw-mark-in-out/evaltest.dat new file mode 100644 index 000000000..168b3dfb9 --- /dev/null +++ b/testing/tests/ikev1/rw-mark-in-out/evaltest.dat @@ -0,0 +1,18 @@ +alice::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +venus::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +sun::ipsec status::alice.*STATE_QUICK_R2.*IPsec SA established::YES +sun::ipsec status::alice.*alice@strongswan.org::YES +sun::ipsec status::venus.*STATE_QUICK_R2.*IPsec SA established::YES +sun::ipsec status::venus.*venus.strongswan.org::YES +sun::ipsec statusall::alice.*10.2.0.0/16===.*===10.1.0.0/25::YES +sun::ipsec statusall::venus.*10.2.0.0/16===.*===10.1.0.0/25::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES +venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES +moon::tcpdump::IP alice.strongswan.org > sun.strongswan.org: ESP::YES +moon::tcpdump::IP venus.strongswan.org > sun.strongswan.org: ESP::YES +moon::tcpdump::IP sun.strongswan.org > alice.strongswan.org: ESP::YES +moon::tcpdump::IP sun.strongswan.org > venus.strongswan.org: ESP::YES +bob::tcpdump::10.3.0.10 > bob.strongswan.org: ICMP echo request::YES +bob::tcpdump::10.3.0.20 > bob.strongswan.org: ICMP echo request::YES +bob::tcpdump::bob.strongswan.org > 10.3.0.10: ICMP echo reply::YES +bob::tcpdump::bob.strongswan.org > 10.3.0.20: ICMP echo reply::YES diff --git a/testing/tests/ikev1/rw-mark-in-out/hosts/alice/etc/init.d/iptables b/testing/tests/ikev1/rw-mark-in-out/hosts/alice/etc/init.d/iptables new file mode 100755 index 000000000..5594bbf52 --- /dev/null +++ b/testing/tests/ikev1/rw-mark-in-out/hosts/alice/etc/init.d/iptables @@ -0,0 +1,77 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +opts="start stop reload" + +depend() { + before net + need logger +} + +start() { + ebegin "Starting firewall" + + # default policy is DROP + /sbin/iptables -P INPUT DROP + /sbin/iptables -P OUTPUT DROP + /sbin/iptables -P FORWARD DROP + + # allow ESP + iptables -A INPUT -i eth0 -p 50 -j ACCEPT + iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT + + # allow IKE + iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT + iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + + # allow MOBIKE + iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT + iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + + # allow crl fetch from winnetou + iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT + iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + + # allow ssh + iptables -A INPUT -p tcp --dport 22 -j ACCEPT + iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT + + eend $? +} + +stop() { + ebegin "Stopping firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + + if [ $a == nat ]; then + /sbin/iptables -t nat -P PREROUTING ACCEPT + /sbin/iptables -t nat -P POSTROUTING ACCEPT + /sbin/iptables -t nat -P OUTPUT ACCEPT + elif [ $a == mangle ]; then + /sbin/iptables -t mangle -P PREROUTING ACCEPT + /sbin/iptables -t mangle -P INPUT ACCEPT + /sbin/iptables -t mangle -P FORWARD ACCEPT + /sbin/iptables -t mangle -P OUTPUT ACCEPT + /sbin/iptables -t mangle -P POSTROUTING ACCEPT + elif [ $a == filter ]; then + /sbin/iptables -t filter -P INPUT ACCEPT + /sbin/iptables -t filter -P FORWARD ACCEPT + /sbin/iptables -t filter -P OUTPUT ACCEPT + fi + done + eend $? +} + +reload() { + ebegin "Flushing firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + done; + eend $? + start +} + diff --git a/testing/tests/ikev1/rw-mark-in-out/hosts/alice/etc/ipsec.conf b/testing/tests/ikev1/rw-mark-in-out/hosts/alice/etc/ipsec.conf new file mode 100755 index 000000000..4256006c0 --- /dev/null +++ b/testing/tests/ikev1/rw-mark-in-out/hosts/alice/etc/ipsec.conf @@ -0,0 +1,26 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + +conn home + left=%defaultroute + leftsubnet=10.1.0.0/25 + leftcert=aliceCert.pem + leftid=alice@strongswan.org + leftfirewall=yes + lefthostaccess=yes + right=PH_IP_SUN + rightid=@sun.strongswan.org + rightsubnet=10.2.0.0/16 + auto=add diff --git a/testing/tests/ikev1/rw-mark-in-out/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/rw-mark-in-out/hosts/sun/etc/ipsec.conf new file mode 100755 index 000000000..83fe9eed2 --- /dev/null +++ b/testing/tests/ikev1/rw-mark-in-out/hosts/sun/etc/ipsec.conf @@ -0,0 +1,37 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug="control" + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + +conn alice + rightid=alice@strongswan.org + mark_in=10/0xffffffff + mark_out=11/0xffffffff + also=sun + auto=add + +conn venus + rightid=@venus.strongswan.org + mark_in=20 #0xffffffff is used by default + mark_out=21 #0xffffffff is used by default + also=sun + auto=add + +conn sun + left=PH_IP_SUN + leftcert=sunCert.pem + leftid=@sun.strongswan.org + leftsubnet=10.2.0.0/16 + leftupdown=/etc/mark_updown + right=%any + rightsubnet=10.1.0.0/25 diff --git a/testing/tests/ikev1/rw-mark-in-out/hosts/sun/etc/mark_updown b/testing/tests/ikev1/rw-mark-in-out/hosts/sun/etc/mark_updown new file mode 100755 index 000000000..0d22e684d --- /dev/null +++ b/testing/tests/ikev1/rw-mark-in-out/hosts/sun/etc/mark_updown @@ -0,0 +1,527 @@ +#! /bin/sh +# updown script setting inbound marks on ESP traffic in the mangle chain +# +# Copyright (C) 2003-2004 Nigel Meteringham +# Copyright (C) 2003-2004 Tuomo Soini +# Copyright (C) 2002-2004 Michael Richardson +# Copyright (C) 2005-2010 Andreas Steffen <andreas.steffen@strongswan.org> +# +# This program is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 2 of the License, or (at your +# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +# for more details. + +# CAUTION: Installing a new version of strongSwan will install a new +# copy of this script, wiping out any custom changes you make. If +# you need changes, make a copy of this under another name, and customize +# that, and use the (left/right)updown parameters in ipsec.conf to make +# strongSwan use yours instead of this default one. + +# things that this script gets (from ipsec_pluto(8) man page) +# +# PLUTO_VERSION +# indicates what version of this interface is being +# used. This document describes version 1.1. This +# is upwardly compatible with version 1.0. +# +# PLUTO_VERB +# specifies the name of the operation to be performed +# (prepare-host, prepare-client, up-host, up-client, +# down-host, or down-client). If the address family +# for security gateway to security gateway communica- +# tions is IPv6, then a suffix of -v6 is added to the +# verb. +# +# PLUTO_CONNECTION +# is the name of the connection for which we are +# routing. +# +# PLUTO_NEXT_HOP +# is the next hop to which packets bound for the peer +# must be sent. +# +# PLUTO_INTERFACE +# is the name of the ipsec interface to be used. +# +# PLUTO_REQID +# is the requid of the ESP policy +# +# PLUTO_ME +# is the IP address of our host. +# +# PLUTO_MY_ID +# is the ID of our host. +# +# PLUTO_MY_CLIENT +# is the IP address / count of our client subnet. If +# the client is just the host, this will be the +# host's own IP address / max (where max is 32 for +# IPv4 and 128 for IPv6). +# +# PLUTO_MY_CLIENT_NET +# is the IP address of our client net. If the client +# is just the host, this will be the host's own IP +# address. +# +# PLUTO_MY_CLIENT_MASK +# is the mask for our client net. If the client is +# just the host, this will be 255.255.255.255. +# +# PLUTO_MY_SOURCEIP +# if non-empty, then the source address for the route will be +# set to this IP address. +# +# PLUTO_MY_PROTOCOL +# is the IP protocol that will be transported. +# +# PLUTO_MY_PORT +# is the UDP/TCP port to which the IPsec SA is +# restricted on our side. +# +# PLUTO_PEER +# is the IP address of our peer. +# +# PLUTO_PEER_ID +# is the ID of our peer. +# +# PLUTO_PEER_CA +# is the CA which issued the cert of our peer. +# +# PLUTO_PEER_CLIENT +# is the IP address / count of the peer's client sub- +# net. If the client is just the peer, this will be +# the peer's own IP address / max (where max is 32 +# for IPv4 and 128 for IPv6). +# +# PLUTO_PEER_CLIENT_NET +# is the IP address of the peer's client net. If the +# client is just the peer, this will be the peer's +# own IP address. +# +# PLUTO_PEER_CLIENT_MASK +# is the mask for the peer's client net. If the +# client is just the peer, this will be +# 255.255.255.255. +# +# PLUTO_PEER_PROTOCOL +# is the IP protocol that will be transported. +# +# PLUTO_PEER_PORT +# is the UDP/TCP port to which the IPsec SA is +# restricted on the peer side. +# +# PLUTO_XAUTH_ID +# is an optional user ID employed by the XAUTH protocol +# +# PLUTO_MARK_IN +# is an optional XFRM mark set on the inbound IPsec SA +# +# PLUTO_MARK_OUT +# is an optional XFRM mark set on the outbound IPsec SA +# +# PLUTO_UDP_ENC +# contains the remote UDP port in the case of ESP_IN_UDP +# encapsulation +# + +# define a minimum PATH environment in case it is not set +PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin" +export PATH + +# uncomment to log VPN connections +VPN_LOGGING=1 +# +# tag put in front of each log entry: +TAG=vpn +# +# syslog facility and priority used: +FAC_PRIO=local0.notice +# +# to create a special vpn logging file, put the following line into +# the syslog configuration file /etc/syslog.conf: +# +# local0.notice -/var/log/vpn + +# in order to use source IP routing the Linux kernel options +# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES +# must be enabled +# +# special routing table for sourceip routes +SOURCEIP_ROUTING_TABLE=220 +# +# priority of the sourceip routing table +SOURCEIP_ROUTING_TABLE_PRIO=220 + +# check interface version +case "$PLUTO_VERSION" in +1.[0|1]) # Older Pluto?!? Play it safe, script may be using new features. + echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2 + echo "$0: called by obsolete Pluto?" >&2 + exit 2 + ;; +1.*) ;; +*) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2 + exit 2 + ;; +esac + +# check parameter(s) +case "$1:$*" in +':') # no parameters + ;; +iptables:iptables) # due to (left/right)firewall; for default script only + ;; +custom:*) # custom parameters (see above CAUTION comment) + ;; +*) echo "$0: unknown parameters \`$*'" >&2 + exit 2 + ;; +esac + +# utility functions for route manipulation +# Meddling with this stuff should not be necessary and requires great care. +uproute() { + doroute add + ip route flush cache +} +downroute() { + doroute delete + ip route flush cache +} + +addsource() { + st=0 + if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local + then + it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE" + oops="`eval $it 2>&1`" + st=$? + if test " $oops" = " " -a " $st" != " 0" + then + oops="silent error, exit status $st" + fi + if test " $oops" != " " -o " $st" != " 0" + then + echo "$0: addsource \`$it' failed ($oops)" >&2 + fi + fi + return $st +} + +doroute() { + st=0 + + if [ -z "$PLUTO_MY_SOURCEIP" ] + then + for dir in /etc/sysconfig /etc/conf.d; do + if [ -f "$dir/defaultsource" ] + then + . "$dir/defaultsource" + fi + done + + if [ -n "$DEFAULTSOURCE" ] + then + PLUTO_MY_SOURCEIP=$DEFAULTSOURCE + fi + fi + + if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ] + then + # leave because no route entry is required + return $st + fi + + parms1="$PLUTO_PEER_CLIENT" + + if [ -n "$PLUTO_NEXT_HOP" ] + then + parms2="via $PLUTO_NEXT_HOP" + else + parms2="via $PLUTO_PEER" + fi + parms2="$parms2 dev $PLUTO_INTERFACE" + + parms3= + if [ -n "$PLUTO_MY_SOURCEIP" ] + then + if test "$1" = "add" + then + addsource + if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE" + then + ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE + fi + fi + parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE" + fi + + case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in + "0.0.0.0/0.0.0.0") + # opportunistic encryption work around + # need to provide route that eclipses default, without + # replacing it. + it="ip route $1 0.0.0.0/1 $parms2 $parms3 && + ip route $1 128.0.0.0/1 $parms2 $parms3" + ;; + *) it="ip route $1 $parms1 $parms2 $parms3" + ;; + esac + oops="`eval $it 2>&1`" + st=$? + if test " $oops" = " " -a " $st" != " 0" + then + oops="silent error, exit status $st" + fi + if test " $oops" != " " -o " $st" != " 0" + then + echo "$0: doroute \`$it' failed ($oops)" >&2 + fi + return $st +} + +# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY +if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ] +then + KLIPS=1 + IPSEC_POLICY_IN="" + IPSEC_POLICY_OUT="" +else + KLIPS= + IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID" + IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" + IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" +fi + +# is there an inbound mark to be set? +if [ -n "$PLUTO_MARK_IN" ] +then + if [ -n "$PLUTO_UDP_ENC" ] + then + SET_MARK="-p udp --sport $PLUTO_UDP_ENC" + else + SET_MARK="-p esp" + fi + SET_MARK="$SET_MARK -s $PLUTO_PEER -j MARK --set-mark $PLUTO_MARK_IN" +fi + +# are there port numbers? +if [ "$PLUTO_MY_PORT" != 0 ] +then + S_MY_PORT="--sport $PLUTO_MY_PORT" + D_MY_PORT="--dport $PLUTO_MY_PORT" +fi +if [ "$PLUTO_PEER_PORT" != 0 ] +then + S_PEER_PORT="--sport $PLUTO_PEER_PORT" + D_PEER_PORT="--dport $PLUTO_PEER_PORT" +fi + +# resolve octal escape sequences +PLUTO_MY_ID=`printf "$PLUTO_MY_ID"` +PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"` + +# the big choice +case "$PLUTO_VERB:$1" in +prepare-host:*|prepare-client:*) + if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ] + then + # exit because no route will be added, + # so that existing routes can stay + exit 0 + fi + + # delete possibly-existing route (preliminary to adding a route) + case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in + "0.0.0.0/0.0.0.0") + # need to provide route that eclipses default, without + # replacing it. + parms1="0.0.0.0/1" + parms2="128.0.0.0/1" + it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1" + oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`" + ;; + *) + parms="$PLUTO_PEER_CLIENT" + it="ip route delete $parms 2>&1" + oops="`ip route delete $parms 2>&1`" + ;; + esac + status="$?" + if test " $oops" = " " -a " $status" != " 0" + then + oops="silent error, exit status $status" + fi + case "$oops" in + *'RTNETLINK answers: No such process'*) + # This is what route (currently -- not documented!) gives + # for "could not find such a route". + oops= + status=0 + ;; + esac + if test " $oops" != " " -o " $status" != " 0" + then + echo "$0: \`$it' failed ($oops)" >&2 + fi + exit $status + ;; +route-host:*|route-client:*) + # connection to me or my client subnet being routed + uproute + ;; +unroute-host:*|unroute-client:*) + # connection to me or my client subnet being unrouted + downroute + ;; +up-host:) + # connection to me coming up + # If you are doing a custom version, firewall commands go here. + if [ -n "$PLUTO_MARK_IN" ] + then + iptables -t mangle -A PREROUTING $SET_MARK + fi + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + # + # log IPsec host connection setup + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] + then + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" + else + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" + fi + fi + ;; +down-host:) + # connection to me going down + # If you are doing a custom version, firewall commands go here. + if [ -n "$PLUTO_MARK_IN" ] + then + iptables -t mangle -D PREROUTING $SET_MARK + fi + iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + # + # log IPsec host connection teardown + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] + then + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" + else + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" + fi + fi + ;; +up-client:) + # connection to my client subnet coming up + # If you are doing a custom version, firewall commands go here. + if [ -n "$PLUTO_MARK_IN" ] + then + iptables -t mangle -A PREROUTING $SET_MARK + fi + if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] + then + iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT + iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + fi + # + # a virtual IP requires an INPUT and OUTPUT rule on the host + # or sometimes host access via the internal IP is needed + if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT + fi + # + # log IPsec client connection setup + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] + then + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + else + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + fi + fi + ;; +down-client:) + # connection to my client subnet going down + # If you are doing a custom version, firewall commands go here. + if [ -n "$PLUTO_MARK_IN" ] + then + iptables -t mangle -D PREROUTING $SET_MARK + fi + if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] + then + iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ + $IPSEC_POLICY_OUT -j ACCEPT + iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT \ + $IPSEC_POLICY_IN -j ACCEPT + fi + # + # a virtual IP requires an INPUT and OUTPUT rule on the host + # or sometimes host access via the internal IP is needed + if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT \ + $IPSEC_POLICY_IN -j ACCEPT + iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ + $IPSEC_POLICY_OUT -j ACCEPT + fi + # + # log IPsec client connection teardown + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] + then + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + else + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + fi + fi + ;; +*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2 + exit 1 + ;; +esac diff --git a/testing/tests/ikev1/rw-mark-in-out/hosts/venus/etc/init.d/iptables b/testing/tests/ikev1/rw-mark-in-out/hosts/venus/etc/init.d/iptables new file mode 100755 index 000000000..5594bbf52 --- /dev/null +++ b/testing/tests/ikev1/rw-mark-in-out/hosts/venus/etc/init.d/iptables @@ -0,0 +1,77 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +opts="start stop reload" + +depend() { + before net + need logger +} + +start() { + ebegin "Starting firewall" + + # default policy is DROP + /sbin/iptables -P INPUT DROP + /sbin/iptables -P OUTPUT DROP + /sbin/iptables -P FORWARD DROP + + # allow ESP + iptables -A INPUT -i eth0 -p 50 -j ACCEPT + iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT + + # allow IKE + iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT + iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + + # allow MOBIKE + iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT + iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + + # allow crl fetch from winnetou + iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT + iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + + # allow ssh + iptables -A INPUT -p tcp --dport 22 -j ACCEPT + iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT + + eend $? +} + +stop() { + ebegin "Stopping firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + + if [ $a == nat ]; then + /sbin/iptables -t nat -P PREROUTING ACCEPT + /sbin/iptables -t nat -P POSTROUTING ACCEPT + /sbin/iptables -t nat -P OUTPUT ACCEPT + elif [ $a == mangle ]; then + /sbin/iptables -t mangle -P PREROUTING ACCEPT + /sbin/iptables -t mangle -P INPUT ACCEPT + /sbin/iptables -t mangle -P FORWARD ACCEPT + /sbin/iptables -t mangle -P OUTPUT ACCEPT + /sbin/iptables -t mangle -P POSTROUTING ACCEPT + elif [ $a == filter ]; then + /sbin/iptables -t filter -P INPUT ACCEPT + /sbin/iptables -t filter -P FORWARD ACCEPT + /sbin/iptables -t filter -P OUTPUT ACCEPT + fi + done + eend $? +} + +reload() { + ebegin "Flushing firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + done; + eend $? + start +} + diff --git a/testing/tests/ikev1/rw-mark-in-out/hosts/venus/etc/ipsec.conf b/testing/tests/ikev1/rw-mark-in-out/hosts/venus/etc/ipsec.conf new file mode 100755 index 000000000..e7561ebbe --- /dev/null +++ b/testing/tests/ikev1/rw-mark-in-out/hosts/venus/etc/ipsec.conf @@ -0,0 +1,26 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + +conn home + left=%defaultroute + leftsubnet=10.1.0.0/25 + leftcert=venusCert.pem + leftid=@venus.strongswan.org + leftfirewall=yes + lefthostaccess=yes + right=PH_IP_SUN + rightid=@sun.strongswan.org + rightsubnet=10.2.0.0/16 + auto=add diff --git a/testing/tests/ikev1/rw-mark-in-out/posttest.dat b/testing/tests/ikev1/rw-mark-in-out/posttest.dat new file mode 100644 index 000000000..fae79271b --- /dev/null +++ b/testing/tests/ikev1/rw-mark-in-out/posttest.dat @@ -0,0 +1,12 @@ +sun::iptables -t mangle -v -n -L PREROUTING +sun::ipsec stop +alice::ipsec stop +venus::ipsec stop +alice::/etc/init.d/iptables stop 2> /dev/null +venus::/etc/init.d/iptables stop 2> /dev/null +sun::/etc/init.d/iptables stop 2> /dev/null +sun::ip route del 10.1.0.0/16 via PH_IP_MOON +sun::conntrack -F +sun::rm /etc/mark_updown +moon::iptables -t nat -F +moon::conntrack -F diff --git a/testing/tests/ikev1/rw-mark-in-out/pretest.dat b/testing/tests/ikev1/rw-mark-in-out/pretest.dat new file mode 100644 index 000000000..427e5c67f --- /dev/null +++ b/testing/tests/ikev1/rw-mark-in-out/pretest.dat @@ -0,0 +1,18 @@ +alice::/etc/init.d/iptables start 2> /dev/null +venus::/etc/init.d/iptables start 2> /dev/null +sun::/etc/init.d/iptables start 2> /dev/null +moon::echo 1 > /proc/sys/net/ipv4/ip_forward +moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to PH_IP_MOON +sun::ip route add 10.1.0.0/16 via PH_IP_MOON +sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 10 -j SNAT --to 10.3.0.10 +sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 20 -j SNAT --to 10.3.0.20 +sun::iptables -t mangle -A PREROUTING -d 10.3.0.10 -j MARK --set-mark 11 +sun::iptables -t mangle -A PREROUTING -d 10.3.0.20 -j MARK --set-mark 21 +alice::ipsec start +venus::ipsec start +sun::ipsec start +alice::sleep 2 +alice::ipsec up home +venus::sleep 2 +venus::ipsec up home +venus::sleep 2 diff --git a/testing/tests/ikev1/rw-mark-in-out/test.conf b/testing/tests/ikev1/rw-mark-in-out/test.conf new file mode 100644 index 000000000..ae3c190b8 --- /dev/null +++ b/testing/tests/ikev1/rw-mark-in-out/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice venus moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-v-m-w-s-b.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon bob" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="alice venus sun" diff --git a/testing/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/ipsec.conf index f0e4036c0..ffa211299 100755 --- a/testing/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/ipsec.conf @@ -9,6 +9,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 authby=secret conn home diff --git a/testing/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/strongswan.conf index 85e5f1aee..453cdc07c 100644 --- a/testing/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = sha1 sha2 md5 aes des hmac gmp random + load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/ipsec.conf index 864d014de..5f7cdedd2 100755 --- a/testing/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/ipsec.conf @@ -9,6 +9,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 authby=secret conn rw-carol diff --git a/testing/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/strongswan.conf index 85e5f1aee..453cdc07c 100644 --- a/testing/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = sha1 sha2 md5 aes des hmac gmp random + load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/ipsec.conf index f0e4036c0..ffa211299 100755 --- a/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/ipsec.conf @@ -9,6 +9,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 authby=secret conn home diff --git a/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/strongswan.conf index 85e5f1aee..453cdc07c 100644 --- a/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = sha1 sha2 md5 aes des hmac gmp random + load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/ipsec.conf index f3a6db107..efec3b33d 100755 --- a/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/ipsec.conf @@ -9,6 +9,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 authby=secret conn rw diff --git a/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/strongswan.conf index 85e5f1aee..453cdc07c 100644 --- a/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = sha1 sha2 md5 aes des hmac gmp random + load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/ipsec.conf index d76337996..0d2a5d2c4 100755 --- a/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/ipsec.conf @@ -9,6 +9,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 authby=secret conn home diff --git a/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/strongswan.conf index 85e5f1aee..453cdc07c 100644 --- a/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = sha1 sha2 md5 aes des hmac gmp random + load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/ipsec.conf index 025f335b2..41582eaef 100755 --- a/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/ipsec.conf @@ -9,6 +9,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 authby=secret conn rw diff --git a/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/strongswan.conf index 85e5f1aee..453cdc07c 100644 --- a/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = sha1 sha2 md5 aes des hmac gmp random + load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/ikev1/rw-psk-no-policy/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-no-policy/hosts/carol/etc/ipsec.conf index 980523a5e..c040fe88f 100755 --- a/testing/tests/ikev1/rw-psk-no-policy/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/rw-psk-no-policy/hosts/carol/etc/ipsec.conf @@ -9,6 +9,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 conn home authby=secret diff --git a/testing/tests/ikev1/rw-psk-no-policy/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-no-policy/hosts/carol/etc/strongswan.conf index 85e5f1aee..453cdc07c 100644 --- a/testing/tests/ikev1/rw-psk-no-policy/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev1/rw-psk-no-policy/hosts/carol/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = sha1 sha2 md5 aes des hmac gmp random + load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/ikev1/rw-psk-no-policy/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-no-policy/hosts/moon/etc/ipsec.conf index d57d790d1..f0dbeb323 100755 --- a/testing/tests/ikev1/rw-psk-no-policy/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/rw-psk-no-policy/hosts/moon/etc/ipsec.conf @@ -9,6 +9,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 conn rw left=PH_IP_MOON diff --git a/testing/tests/ikev1/rw-psk-no-policy/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-no-policy/hosts/moon/etc/strongswan.conf index 85e5f1aee..453cdc07c 100644 --- a/testing/tests/ikev1/rw-psk-no-policy/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev1/rw-psk-no-policy/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = sha1 sha2 md5 aes des hmac gmp random + load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.conf index 08a41e612..f2a15af0a 100755 --- a/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.conf @@ -9,6 +9,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 ike=aes128,serpent128,twofish128,3des conn home diff --git a/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.conf index b8900c082..02270e004 100755 --- a/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.conf @@ -9,6 +9,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 left=PH_IP_MOON leftid=@moon.strongswan.org leftsubnet=10.1.0.0/16 diff --git a/testing/tests/ikev1/rw-rsa-no-policy/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/rw-rsa-no-policy/hosts/moon/etc/ipsec.conf index dbfac50e2..dbd3adb4c 100755 --- a/testing/tests/ikev1/rw-rsa-no-policy/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/rw-rsa-no-policy/hosts/moon/etc/ipsec.conf @@ -8,6 +8,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 conn rw-psk authby=secret diff --git a/testing/tests/ikev1/self-signed/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/self-signed/hosts/carol/etc/ipsec.conf index db281ef80..f6859b8a4 100755 --- a/testing/tests/ikev1/self-signed/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/self-signed/hosts/carol/etc/ipsec.conf @@ -12,6 +12,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 conn home left=PH_IP_CAROL diff --git a/testing/tests/ikev1/self-signed/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/self-signed/hosts/carol/etc/strongswan.conf index 737117cc9..e589a9425 100644 --- a/testing/tests/ikev1/self-signed/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev1/self-signed/hosts/carol/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink } scepclient { diff --git a/testing/tests/ikev1/self-signed/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/self-signed/hosts/moon/etc/ipsec.conf index f3c2be9a1..f14352bf8 100755 --- a/testing/tests/ikev1/self-signed/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/self-signed/hosts/moon/etc/ipsec.conf @@ -12,6 +12,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 conn carol left=PH_IP_MOON diff --git a/testing/tests/ikev1/self-signed/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/self-signed/hosts/moon/etc/strongswan.conf index 737117cc9..e589a9425 100644 --- a/testing/tests/ikev1/self-signed/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev1/self-signed/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink } scepclient { diff --git a/testing/tests/ikev1/starter-also-loop/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/starter-also-loop/hosts/moon/etc/ipsec.conf index cd751df3d..af2fcc5dc 100755 --- a/testing/tests/ikev1/starter-also-loop/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/starter-also-loop/hosts/moon/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 conn net-net also=host-host diff --git a/testing/tests/ikev1/starter-also/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/starter-also/hosts/moon/etc/ipsec.conf index e78231f0c..2bd4985ca 100755 --- a/testing/tests/ikev1/starter-also/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/starter-also/hosts/moon/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 conn net-net also=host-host diff --git a/testing/tests/ikev1/starter-includes/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/starter-includes/hosts/carol/etc/ipsec.conf index 57ec7040e..9c75434c2 100755 --- a/testing/tests/ikev1/starter-includes/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/starter-includes/hosts/carol/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 conn home left=PH_IP_CAROL diff --git a/testing/tests/ikev1/starter-includes/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/starter-includes/hosts/dave/etc/ipsec.conf index 3179faa05..726998e19 100755 --- a/testing/tests/ikev1/starter-includes/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev1/starter-includes/hosts/dave/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 conn home left=PH_IP_DAVE diff --git a/testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.connections b/testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.connections index 7cd938628..bd47f9e09 100644 --- a/testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.connections +++ b/testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.connections @@ -5,6 +5,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 include /etc/ipsec.host diff --git a/testing/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.conf index a2af4e9f8..2a1dad5c6 100755 --- a/testing/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 conn home left=PH_IP_CAROL diff --git a/testing/tests/ikev1/strong-certs/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/strong-certs/hosts/dave/etc/ipsec.conf index e48b1a78c..e10e9d45c 100755 --- a/testing/tests/ikev1/strong-certs/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev1/strong-certs/hosts/dave/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 conn home left=PH_IP_DAVE diff --git a/testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.conf index b9710cb14..67e97ebc2 100755 --- a/testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 conn rw left=PH_IP_MOON diff --git a/testing/tests/ikev1/virtual-ip-swapped/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/virtual-ip-swapped/hosts/carol/etc/ipsec.conf index b4ad3c011..4dfa345f4 100755 --- a/testing/tests/ikev1/virtual-ip-swapped/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/virtual-ip-swapped/hosts/carol/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 conn home right=PH_IP_CAROL diff --git a/testing/tests/ikev1/virtual-ip-swapped/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/virtual-ip-swapped/hosts/moon/etc/ipsec.conf index eafcf5e55..b65d7a690 100755 --- a/testing/tests/ikev1/virtual-ip-swapped/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/virtual-ip-swapped/hosts/moon/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 conn rw right=PH_IP_MOON diff --git a/testing/tests/ikev1/virtual-ip/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/virtual-ip/hosts/carol/etc/ipsec.conf index 71aa4decf..e0ef16930 100755 --- a/testing/tests/ikev1/virtual-ip/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/virtual-ip/hosts/carol/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 conn home left=PH_IP_CAROL diff --git a/testing/tests/ikev1/virtual-ip/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/virtual-ip/hosts/moon/etc/ipsec.conf index 471e9e833..63a8c92b5 100755 --- a/testing/tests/ikev1/virtual-ip/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/virtual-ip/hosts/moon/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 conn rw left=PH_IP_MOON diff --git a/testing/tests/ikev1/wildcards/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/wildcards/hosts/carol/etc/ipsec.conf index d4ce57333..cf93bb231 100755 --- a/testing/tests/ikev1/wildcards/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/wildcards/hosts/carol/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 left=PH_IP_CAROL leftcert=carolCert.pem right=PH_IP_MOON diff --git a/testing/tests/ikev1/wildcards/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/wildcards/hosts/dave/etc/ipsec.conf index ea445522e..5f04445d2 100755 --- a/testing/tests/ikev1/wildcards/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev1/wildcards/hosts/dave/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 left=PH_IP_DAVE leftcert=daveCert.pem right=PH_IP_MOON diff --git a/testing/tests/ikev1/wildcards/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/wildcards/hosts/moon/etc/ipsec.conf index 8952bc92f..39b031551 100755 --- a/testing/tests/ikev1/wildcards/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/wildcards/hosts/moon/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 left=PH_IP_MOON leftcert=moonCert.pem leftid=@moon.strongswan.org diff --git a/testing/tests/ikev1/wlan/hosts/alice/etc/ipsec.conf b/testing/tests/ikev1/wlan/hosts/alice/etc/ipsec.conf index 30b657662..e3cf9b15d 100755 --- a/testing/tests/ikev1/wlan/hosts/alice/etc/ipsec.conf +++ b/testing/tests/ikev1/wlan/hosts/alice/etc/ipsec.conf @@ -12,6 +12,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 conn system left=PH_IP_ALICE diff --git a/testing/tests/ikev1/wlan/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/wlan/hosts/moon/etc/ipsec.conf index ab3287aee..61ce28e6b 100755 --- a/testing/tests/ikev1/wlan/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/wlan/hosts/moon/etc/ipsec.conf @@ -12,6 +12,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 conn alice right=PH_IP_ALICE diff --git a/testing/tests/ikev1/wlan/hosts/venus/etc/ipsec.conf b/testing/tests/ikev1/wlan/hosts/venus/etc/ipsec.conf index bb9897c79..fa2dc953e 100755 --- a/testing/tests/ikev1/wlan/hosts/venus/etc/ipsec.conf +++ b/testing/tests/ikev1/wlan/hosts/venus/etc/ipsec.conf @@ -12,6 +12,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 conn system left=PH_IP_VENUS diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/carol/etc/ipsec.conf index aa0ae1289..b7402d24b 100644 --- a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/carol/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 authby=xauthpsk conn home diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/carol/etc/strongswan.conf index dbd431cc2..e3f377d18 100644 --- a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/carol/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = sha1 sha2 md5 aes des hmac gmp random xauth + load = sha1 sha2 md5 aes des hmac gmp random xauth resolve kernel-netlink } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/dave/etc/ipsec.conf index 0243f5afb..8f9226dd1 100644 --- a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/dave/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 authby=xauthpsk conn home diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/dave/etc/strongswan.conf index dbd431cc2..e3f377d18 100644 --- a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/dave/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = sha1 sha2 md5 aes des hmac gmp random xauth + load = sha1 sha2 md5 aes des hmac gmp random xauth resolve kernel-netlink } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/moon/etc/ipsec.conf index 4206f8916..452187f11 100644 --- a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/moon/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 authby=xauthpsk xauth=server diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/moon/etc/strongswan.conf index dbd431cc2..089467da4 100644 --- a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/moon/etc/strongswan.conf @@ -1,7 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = sha1 sha2 md5 aes des hmac gmp random xauth + load = sha1 sha2 md5 aes des hmac gmp random xauth attr kernel-netlink + dns1 = 192.168.0.150 + dns2 = 10.1.0.20 } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/posttest.dat b/testing/tests/ikev1/xauth-id-psk-mode-config/posttest.dat index 42fa8359b..f90d222b5 100644 --- a/testing/tests/ikev1/xauth-id-psk-mode-config/posttest.dat +++ b/testing/tests/ikev1/xauth-id-psk-mode-config/posttest.dat @@ -1,6 +1,6 @@ -moon::ipsec stop carol::ipsec stop dave::ipsec stop +moon::ipsec stop moon::/etc/init.d/iptables stop 2> /dev/null carol::/etc/init.d/iptables stop 2> /dev/null dave::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev1/xauth-id-psk/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-psk/hosts/carol/etc/ipsec.conf index 48015ad4c..da1a10513 100644 --- a/testing/tests/ikev1/xauth-id-psk/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/xauth-id-psk/hosts/carol/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 authby=xauthpsk conn home diff --git a/testing/tests/ikev1/xauth-id-psk/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-psk/hosts/carol/etc/strongswan.conf index dbd431cc2..c9eb0bc97 100644 --- a/testing/tests/ikev1/xauth-id-psk/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev1/xauth-id-psk/hosts/carol/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = sha1 sha2 md5 aes des hmac gmp random xauth + load = sha1 sha2 md5 aes des hmac gmp random xauth kernel-netlink } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/ikev1/xauth-id-psk/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-psk/hosts/dave/etc/ipsec.conf index baa85e32c..3a4b75af6 100644 --- a/testing/tests/ikev1/xauth-id-psk/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev1/xauth-id-psk/hosts/dave/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 authby=xauthpsk conn home diff --git a/testing/tests/ikev1/xauth-id-psk/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-psk/hosts/dave/etc/strongswan.conf index dbd431cc2..c9eb0bc97 100644 --- a/testing/tests/ikev1/xauth-id-psk/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev1/xauth-id-psk/hosts/dave/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = sha1 sha2 md5 aes des hmac gmp random xauth + load = sha1 sha2 md5 aes des hmac gmp random xauth kernel-netlink } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/ikev1/xauth-id-psk/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-psk/hosts/moon/etc/ipsec.conf index c92ad8748..850ea561b 100644 --- a/testing/tests/ikev1/xauth-id-psk/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/xauth-id-psk/hosts/moon/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 authby=xauthpsk xauth=server diff --git a/testing/tests/ikev1/xauth-id-psk/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-psk/hosts/moon/etc/strongswan.conf index dbd431cc2..c9eb0bc97 100644 --- a/testing/tests/ikev1/xauth-id-psk/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev1/xauth-id-psk/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = sha1 sha2 md5 aes des hmac gmp random xauth + load = sha1 sha2 md5 aes des hmac gmp random xauth kernel-netlink } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/ikev1/xauth-id-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-rsa/hosts/carol/etc/ipsec.conf index 32b1227bb..be62c2b8f 100644 --- a/testing/tests/ikev1/xauth-id-rsa/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/xauth-id-rsa/hosts/carol/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 authby=xauthrsasig conn home diff --git a/testing/tests/ikev1/xauth-id-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa/hosts/carol/etc/strongswan.conf index 556f76c74..de1cbb134 100644 --- a/testing/tests/ikev1/xauth-id-rsa/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev1/xauth-id-rsa/hosts/carol/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/ikev1/xauth-id-rsa/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-rsa/hosts/dave/etc/ipsec.conf index 090deac77..c09fb3c2c 100644 --- a/testing/tests/ikev1/xauth-id-rsa/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev1/xauth-id-rsa/hosts/dave/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 authby=xauthrsasig conn home diff --git a/testing/tests/ikev1/xauth-id-rsa/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa/hosts/dave/etc/strongswan.conf index 556f76c74..de1cbb134 100644 --- a/testing/tests/ikev1/xauth-id-rsa/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev1/xauth-id-rsa/hosts/dave/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/ikev1/xauth-id-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-rsa/hosts/moon/etc/ipsec.conf index f79a81a6f..251041443 100644 --- a/testing/tests/ikev1/xauth-id-rsa/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/xauth-id-rsa/hosts/moon/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 authby=xauthrsasig xauth=server diff --git a/testing/tests/ikev1/xauth-id-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa/hosts/moon/etc/strongswan.conf index 556f76c74..de1cbb134 100644 --- a/testing/tests/ikev1/xauth-id-rsa/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev1/xauth-id-rsa/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/ikev1/xauth-psk/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-psk/hosts/carol/etc/ipsec.conf index 684ace0d3..1c7d7002e 100644 --- a/testing/tests/ikev1/xauth-psk/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/xauth-psk/hosts/carol/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 authby=xauthpsk conn home diff --git a/testing/tests/ikev1/xauth-psk/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-psk/hosts/carol/etc/strongswan.conf index dbd431cc2..c9eb0bc97 100644 --- a/testing/tests/ikev1/xauth-psk/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev1/xauth-psk/hosts/carol/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = sha1 sha2 md5 aes des hmac gmp random xauth + load = sha1 sha2 md5 aes des hmac gmp random xauth kernel-netlink } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/ikev1/xauth-psk/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/xauth-psk/hosts/dave/etc/ipsec.conf index 14307a7f0..782c160c9 100644 --- a/testing/tests/ikev1/xauth-psk/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev1/xauth-psk/hosts/dave/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 authby=xauthpsk conn home diff --git a/testing/tests/ikev1/xauth-psk/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-psk/hosts/dave/etc/strongswan.conf index dbd431cc2..c9eb0bc97 100644 --- a/testing/tests/ikev1/xauth-psk/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev1/xauth-psk/hosts/dave/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = sha1 sha2 md5 aes des hmac gmp random xauth + load = sha1 sha2 md5 aes des hmac gmp random xauth kernel-netlink } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/ikev1/xauth-psk/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-psk/hosts/moon/etc/ipsec.conf index a4e01b564..595e6588c 100644 --- a/testing/tests/ikev1/xauth-psk/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/xauth-psk/hosts/moon/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 authby=xauthpsk xauth=server diff --git a/testing/tests/ikev1/xauth-psk/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-psk/hosts/moon/etc/strongswan.conf index dbd431cc2..c9eb0bc97 100644 --- a/testing/tests/ikev1/xauth-psk/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev1/xauth-psk/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = sha1 sha2 md5 aes des hmac gmp random xauth + load = sha1 sha2 md5 aes des hmac gmp random xauth kernel-netlink } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/ipsec.conf index 47bf1dafc..186d8e121 100755 --- a/testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 authby=xauthrsasig conn home diff --git a/testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/strongswan.conf index 556f76c74..de1cbb134 100644 --- a/testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/ipsec.conf index f79a81a6f..251041443 100755 --- a/testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 authby=xauthrsasig xauth=server diff --git a/testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/strongswan.conf index 556f76c74..de1cbb134 100644 --- a/testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/ipsec.conf index 47928181f..ca2df4b28 100644 --- a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 authby=xauthrsasig conn home diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/strongswan.conf index 556f76c74..de1cbb134 100644 --- a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/ipsec.conf index 8c8cb4a2d..079c6b0d5 100644 --- a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 authby=xauthrsasig conn home diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/strongswan.conf index 556f76c74..de1cbb134 100644 --- a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/ipsec.conf index 1c48e13e7..0a65acb5d 100644 --- a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 authby=xauthrsasig xauth=server left=PH_IP_MOON diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/strongswan.conf index 556f76c74..de1cbb134 100644 --- a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/posttest.dat b/testing/tests/ikev1/xauth-rsa-mode-config/posttest.dat index 42fa8359b..f90d222b5 100644 --- a/testing/tests/ikev1/xauth-rsa-mode-config/posttest.dat +++ b/testing/tests/ikev1/xauth-rsa-mode-config/posttest.dat @@ -1,6 +1,6 @@ -moon::ipsec stop carol::ipsec stop dave::ipsec stop +moon::ipsec stop moon::/etc/init.d/iptables stop 2> /dev/null carol::/etc/init.d/iptables stop 2> /dev/null dave::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/ipsec.conf index 1e21fbb97..fc86bab41 100755 --- a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 authby=xauthrsasig conn home diff --git a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/strongswan.conf index 556f76c74..de1cbb134 100644 --- a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/ipsec.conf index 94cc6819d..e2709cdf1 100755 --- a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 authby=xauthrsasig xauth=server diff --git a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/strongswan.conf index 556f76c74..de1cbb134 100644 --- a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/ipsec.conf index 47bf1dafc..186d8e121 100644 --- a/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 authby=xauthrsasig conn home diff --git a/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/strongswan.conf index 556f76c74..de1cbb134 100644 --- a/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/ipsec.conf index 1fcf71d5c..478e732ae 100644 --- a/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 authby=xauthrsasig conn home diff --git a/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/strongswan.conf index 556f76c74..de1cbb134 100644 --- a/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/ipsec.conf index f79a81a6f..251041443 100644 --- a/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev1 authby=xauthrsasig xauth=server diff --git a/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/strongswan.conf index 556f76c74..de1cbb134 100644 --- a/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink } # pluto uses optimized DH exponent sizes (RFC 3526) |