Imported Upstream version 5.3.3

author: Yves-Alexis Perez <corsac@debian.org> 2015-10-22 11:43:58 +0200
committer: Yves-Alexis Perez <corsac@debian.org> 2015-10-22 11:43:58 +0200
commit: 5dca9ea0e2931f0e2a056c7964d311bcc30a01b8 (patch)
tree: 037f1ec5bb860846938ddcf29771c24e9c529be0 /testing/tests/ikev2/trap-any
parent: b238cf34df3fe4476ae6b7012e7cb3e9769d4d51 (diff)
download: vyos-strongswan-5dca9ea0e2931f0e2a056c7964d311bcc30a01b8.tar.gz
vyos-strongswan-5dca9ea0e2931f0e2a056c7964d311bcc30a01b8.zip
17 files changed, 181 insertions, 0 deletions
diff --git a/testing/tests/ikev2/trap-any/description.txt b/testing/tests/ikev2/trap-any/description.txt
new file mode 100644
index 000000000..81e148259
--- /dev/null
+++ b/testing/tests/ikev2/trap-any/description.txt
@@ -0,0 +1,7 @@
+The hosts <b>moon</b>, <b>sun</b> and <b>dave</b> install <b>transport-mode</b> trap
+policies with <b>right=%any</b>.  The remote host is dynamically determined based on
+the acquires received from the kernel.  Host <b>dave</b> additionally limits the remote
+hosts to <b>moon</b> and <b>sun</b> with <b>rightsubnet</b>.  This is tested by
+pinging <b>sun</b> and <b>carol</b> from <b>moon</b>, <b>carol</b> from <b>sun</b>, and
+<b>sun</b> and <b>moon</b> from <b>dave</b>. The latter also pings <b>carol</b>, which
+is not going to be encrypted as <b>carol</b> is not part of the configured <b>rightsubnet</b>.
diff --git a/testing/tests/ikev2/trap-any/evaltest.dat b/testing/tests/ikev2/trap-any/evaltest.dat
new file mode 100644
index 000000000..bcba9ef08
--- /dev/null
+++ b/testing/tests/ikev2/trap-any/evaltest.dat
@@ -0,0 +1,33 @@
+moon::ping -c 2 -W 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=2::YES
+moon::ping -c 2 -W 1 PH_IP_CAROL::64 bytes from PH_IP_CAROL: icmp_req=2::YES
+sun::ping -c 2 -W 1 PH_IP_CAROL::64 bytes from PH_IP_CAROL: icmp_req=2::YES
+dave::ping -c 2 -W 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_req=2::YES
+dave::ping -c 2 -W 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=2::YES
+dave::ping -c 1 PH_IP_CAROL::64 bytes from PH_IP_CAROL: icmp_req=1::YES
+moon::ipsec status 2> /dev/null::trap-any.*ESTABLISHED.*PH_IP_MOON.*PH_IP_SUN::YES
+moon::ipsec status 2> /dev/null::trap-any.*ESTABLISHED.*PH_IP_MOON.*PH_IP_CAROL::YES
+moon::ipsec status 2> /dev/null::trap-any.*ESTABLISHED.*PH_IP_MOON.*PH_IP_DAVE::YES
+sun:: ipsec status 2> /dev/null::trap-any.*ESTABLISHED.*PH_IP_SUN.*PH_IP_MOON::YES
+sun:: ipsec status 2> /dev/null::trap-any.*ESTABLISHED.*PH_IP_SUN.*PH_IP_DAVE::YES
+sun:: ipsec status 2> /dev/null::trap-any.*ESTABLISHED.*PH_IP_SUN.*PH_IP_CAROL::YES
+dave:: ipsec status 2> /dev/null::trap-any.*ESTABLISHED.*PH_IP_DAVE.*PH_IP_MOON::YES
+dave:: ipsec status 2> /dev/null::trap-any.*ESTABLISHED.*PH_IP_DAVE.*PH_IP_SUN::YES
+carol:: ipsec status 2> /dev/null::trap-any.*ESTABLISHED.*PH_IP_CAROL.*PH_IP_MOON::YES
+carol:: ipsec status 2> /dev/null::trap-any.*ESTABLISHED.*PH_IP_CAROL.*PH_IP_SUN::YES
+carol:: ipsec status 2> /dev/null::trap-any.*ESTABLISHED.*PH_IP_CAROL.*PH_IP_DAVE::NO
+moon::ipsec status 2> /dev/null::trap-any.*INSTALLED, TRANSPORT::YES
+sun:: ipsec status 2> /dev/null::trap-any.*INSTALLED, TRANSPORT::YES
+dave:: ipsec status 2> /dev/null::trap-any.*INSTALLED, TRANSPORT::YES
+carol:: ipsec status 2> /dev/null::trap-any.*INSTALLED, TRANSPORT::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
+sun::tcpdump::IP carol.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > carol.strongswan.org: ESP::YES
+sun::tcpdump::IP dave.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > dave.strongswan.org: ESP::YES
+carol::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+carol::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+carol::tcpdump::IP sun.strongswan.org > carol.strongswan.org: ESP::YES
+carol::tcpdump::IP carol.strongswan.org > sun.strongswan.org: ESP::YES
+carol::tcpdump::IP dave.strongswan.org > carol.strongswan.org: ICMP echo request::YES
+carol::tcpdump::IP carol.strongswan.org > dave.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ikev2/trap-any/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/trap-any/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..a2d62296f
--- /dev/null
+++ b/testing/tests/ikev2/trap-any/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,16 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	charondebug="knl 2"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+
+conn trap-any
+	right=%any
+	type=transport
+	authby=psk
+	auto=add
diff --git a/testing/tests/ikev2/trap-any/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/trap-any/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..34647bc0b
--- /dev/null
+++ b/testing/tests/ikev2/trap-any/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1 @@
+: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+\ No newline at end of file
diff --git a/testing/tests/ikev2/trap-any/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/trap-any/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..8e685c862
--- /dev/null
+++ b/testing/tests/ikev2/trap-any/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  multiple_authentication = no
+}
diff --git a/testing/tests/ikev2/trap-any/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/trap-any/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..3c7adfbf9
--- /dev/null
+++ b/testing/tests/ikev2/trap-any/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,18 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	charondebug="knl 2"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+
+conn trap-any
+	right=%any
+	rightsubnet=192.168.0.0/30
+	type=transport
+	authby=psk
+	auto=route
+
diff --git a/testing/tests/ikev2/trap-any/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/trap-any/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..34647bc0b
--- /dev/null
+++ b/testing/tests/ikev2/trap-any/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1 @@
+: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+\ No newline at end of file
diff --git a/testing/tests/ikev2/trap-any/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/trap-any/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..8e685c862
--- /dev/null
+++ b/testing/tests/ikev2/trap-any/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  multiple_authentication = no
+}
diff --git a/testing/tests/ikev2/trap-any/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/trap-any/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..409bee2cb
--- /dev/null
+++ b/testing/tests/ikev2/trap-any/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	charondebug="knl 2"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+
+# to access the host via SSH in the test environment
+conn pass-ssh
+	authby=never
+	leftsubnet=0.0.0.0/0[tcp/22]
+	rightsubnet=0.0.0.0/0[tcp]
+	type=pass
+	auto=route
+
+conn trap-any
+	right=%any
+	type=transport
+	authby=psk
+	auto=route
diff --git a/testing/tests/ikev2/trap-any/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/trap-any/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..34647bc0b
--- /dev/null
+++ b/testing/tests/ikev2/trap-any/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1 @@
+: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+\ No newline at end of file
diff --git a/testing/tests/ikev2/trap-any/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/trap-any/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..8e685c862
--- /dev/null
+++ b/testing/tests/ikev2/trap-any/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  multiple_authentication = no
+}
diff --git a/testing/tests/ikev2/trap-any/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/trap-any/hosts/sun/etc/ipsec.conf
new file mode 100644
index 000000000..71edc4c14
--- /dev/null
+++ b/testing/tests/ikev2/trap-any/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	charondebug="knl 2"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+
+# to access the host via SSH in the test environment
+conn pass-ssh
+	authby=never
+	leftsubnet=0.0.0.0/0[tcp/22]
+	rightsubnet=0.0.0.0/0[tcp]
+	type=pass
+	auto=route
+
+conn trap-any
+	right=%any
+	type=transport
+	authby=psk
+	auto=route
+
diff --git a/testing/tests/ikev2/trap-any/hosts/sun/etc/ipsec.secrets b/testing/tests/ikev2/trap-any/hosts/sun/etc/ipsec.secrets
new file mode 100644
index 000000000..34647bc0b
--- /dev/null
+++ b/testing/tests/ikev2/trap-any/hosts/sun/etc/ipsec.secrets
@@ -0,0 +1 @@
+: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+\ No newline at end of file
diff --git a/testing/tests/ikev2/trap-any/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/trap-any/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..8e685c862
--- /dev/null
+++ b/testing/tests/ikev2/trap-any/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  multiple_authentication = no
+}
diff --git a/testing/tests/ikev2/trap-any/posttest.dat b/testing/tests/ikev2/trap-any/posttest.dat
new file mode 100644
index 000000000..1bf206e26
--- /dev/null
+++ b/testing/tests/ikev2/trap-any/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+sun::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
diff --git a/testing/tests/ikev2/trap-any/pretest.dat b/testing/tests/ikev2/trap-any/pretest.dat
new file mode 100644
index 000000000..0924078b3
--- /dev/null
+++ b/testing/tests/ikev2/trap-any/pretest.dat
@@ -0,0 +1,5 @@
+moon::ipsec start
+sun::ipsec start
+carol::ipsec start
+dave::ipsec start
+moon::sleep 1
diff --git a/testing/tests/ikev2/trap-any/test.conf b/testing/tests/ikev2/trap-any/test.conf
new file mode 100644
index 000000000..742bf02bd
--- /dev/null
+++ b/testing/tests/ikev2/trap-any/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="moon winnetou sun carol dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d-s.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun carol"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun carol dave"
author	Yves-Alexis Perez <corsac@debian.org>	2015-10-22 11:43:58 +0200
committer	Yves-Alexis Perez <corsac@debian.org>	2015-10-22 11:43:58 +0200
commit	5dca9ea0e2931f0e2a056c7964d311bcc30a01b8 (patch)
tree	037f1ec5bb860846938ddcf29771c24e9c529be0 /testing/tests/ikev2/trap-any
parent	b238cf34df3fe4476ae6b7012e7cb3e9769d4d51 (diff)
download	vyos-strongswan-5dca9ea0e2931f0e2a056c7964d311bcc30a01b8.tar.gz vyos-strongswan-5dca9ea0e2931f0e2a056c7964d311bcc30a01b8.zip