authorYves-Alexis Perez <corsac@debian.org>2015-11-18 14:49:27 +0100
committerYves-Alexis Perez <corsac@debian.org>2015-11-18 14:49:27 +0100
commit1e980d6be0ef0e243c6fe82b5e855454b97e24a4 (patch)
tree0d59eec2ce2ed332434ae80fc78a44db9ad293c5 /testing/tests/ikev2/dynamic-initiator
parent5dca9ea0e2931f0e2a056c7964d311bcc30a01b8 (diff)
Imported Upstream version 5.3.4
Diffstat (limited to 'testing/tests/ikev2/dynamic-initiator')
-rw-r--r--testing/tests/ikev2/dynamic-initiator/description.txt6
-rw-r--r--testing/tests/ikev2/dynamic-initiator/posttest.dat1
-rw-r--r--testing/tests/ikev2/dynamic-initiator/pretest.dat5
3 files changed, 5 insertions, 7 deletions
diff --git a/testing/tests/ikev2/dynamic-initiator/description.txt b/testing/tests/ikev2/dynamic-initiator/description.txt
index e74ee1569..3e441b2fe 100644
--- a/testing/tests/ikev2/dynamic-initiator/description.txt
+++ b/testing/tests/ikev2/dynamic-initiator/description.txt
@@ -1,12 +1,12 @@
The peers <b>carol</b> and <b>moon</b> both have dynamic IP addresses, so that the remote end
-is defined symbolically by <b>right=&lt;hostname&gt;</b>. The ipsec starter resolves the
+is defined symbolically by <b>right=&lt;hostname&gt;</b>. The IKE daemon resolves the
fully-qualified hostname into the current IP address via a DNS lookup (simulated by an
/etc/hosts entry). Since the peer IP addresses are expected to change over time, the option
-<b>rightallowany=yes</b> will allow an IKE_SA rekeying to arrive from an arbitrary
+<b>%</b> prefix in the <b>right</b> option will allow an IKE_SA rekeying to arrive from an arbitrary
IP address under the condition that the peer identity remains unchanged. When this happens
the old tunnel is replaced by an IPsec connection to the new origin.
<p>
In this scenario <b>carol</b> first initiates a tunnel to <b>moon</b>. After some time <b>carol</b>
suddenly changes her IP address and restarts the connection to <b>moon</b> without deleting the
old tunnel first (simulated by iptables blocking IKE packets to and from
-<b>carol</b> and starting the connection from host <b>dave</b> using <b>carol</b>'s identity).
+<b>carol</b> and starting the connection from host <b>dave</b> using <b>carol</b>'s identity).
diff --git a/testing/tests/ikev2/dynamic-initiator/posttest.dat b/testing/tests/ikev2/dynamic-initiator/posttest.dat
index 83063a23f..715bb9482 100644
--- a/testing/tests/ikev2/dynamic-initiator/posttest.dat
+++ b/testing/tests/ikev2/dynamic-initiator/posttest.dat
@@ -1,6 +1,5 @@
dave::ipsec stop
carol::ipsec stop
-dave::sleep 1
moon::ipsec stop
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/ikev2/dynamic-initiator/pretest.dat b/testing/tests/ikev2/dynamic-initiator/pretest.dat
index 3e1cfce77..f354efe51 100644
--- a/testing/tests/ikev2/dynamic-initiator/pretest.dat
+++ b/testing/tests/ikev2/dynamic-initiator/pretest.dat
@@ -4,10 +4,9 @@ dave::iptables-restore < /etc/iptables.rules
carol::ipsec start
dave::ipsec start
moon::ipsec start
-carol::sleep 2
+carol::expect-connection moon
carol::ipsec up moon
-carol::sleep 1
carol::iptables -D INPUT -i eth0 -p udp --dport 500 --sport 500 -j ACCEPT
carol::iptables -D OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+dave::expect-connection moon
dave::ipsec up moon
-dave::sleep 2
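Review bot: With `carol::sleep 1` removed, the two `carol::iptables -D` lines run directly after `carol::ipsec up moon`, so the scenario now depends on that command returning only once carol's tunnel is fully established; nothing in the hunk states this. The removal of the trailing `dave::sleep 2` has a similar effect: whatever checks follow this file (not visible here) start as soon as `dave::ipsec up moon` returns, and moon may not yet have finished replacing carol's old tunnel. If those checks assert that the old SA is gone and only the connection from the new address remains, they should wait or retry on that condition rather than rely on timing. The file begins before this hunk, so the earlier setup lines could not be reviewed.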