diff options
author | Yves-Alexis Perez <corsac@corsac.net> | 2017-11-21 10:22:31 +0100 |
---|---|---|
committer | Yves-Alexis Perez <corsac@corsac.net> | 2017-11-21 10:22:31 +0100 |
commit | e1d78dc2faaa06e7c3f71ef674a71e4de2f0758e (patch) | |
tree | ae0c8b5f4cd8289d0797882ea18969f33ea59a1e /testing/tests/libipsec/rw-suite-b | |
parent | 11d6b62db969bdd808d0f56706cb18f113927a31 (diff) | |
download | vyos-strongswan-e1d78dc2faaa06e7c3f71ef674a71e4de2f0758e.tar.gz vyos-strongswan-e1d78dc2faaa06e7c3f71ef674a71e4de2f0758e.zip |
New upstream version 5.6.1
Diffstat (limited to 'testing/tests/libipsec/rw-suite-b')
28 files changed, 0 insertions, 2260 deletions
diff --git a/testing/tests/libipsec/rw-suite-b/description.txt b/testing/tests/libipsec/rw-suite-b/description.txt deleted file mode 100644 index a1b09405a..000000000 --- a/testing/tests/libipsec/rw-suite-b/description.txt +++ /dev/null @@ -1,10 +0,0 @@ -The roadwarriors <b>carol</b> and <b>dave</b> set up a connection to gateway <b>moon</b>. -The authentication is based on Suite B with <b>128 bit</b> security based on <b>X.509 ECDSA</b> -certificates, <b>ECP Diffie-Hellman</b> groups and <b>AES-GCM</b> authenticated encryption. -The <b>kernel-libipsec</b> plugin is used for userland IPsec AES-GCM authenticated ESP -encryption. -<p/> -Upon the successful establishment of the IPsec tunnel, an updown script automatically -inserts iptables-based firewall rules that let pass the traffic tunneled via the <b>ipsec0</b> -tun interface. In order to test both tunnel and firewall, <b>carol</b> and <b>dave</b> ping -the client <b>alice</b> behind the gateway <b>moon</b>. diff --git a/testing/tests/libipsec/rw-suite-b/evaltest.dat b/testing/tests/libipsec/rw-suite-b/evaltest.dat deleted file mode 100644 index 487a21c57..000000000 --- a/testing/tests/libipsec/rw-suite-b/evaltest.dat +++ /dev/null @@ -1,19 +0,0 @@ -carol::cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES -dave:: cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES -moon:: cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES -moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA_WITH_SHA256_DER successful::YES -moon:: cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with ECDSA_WITH_SHA256_DER successful::YES -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES -dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES -moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES -carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES -dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES -moon::tcpdump::IP carol.strongswan.org.\(4500\|ipsec-nat-t\) > moon.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES -moon::tcpdump::IP moon.strongswan.org.\(4500\|ipsec-nat-t\) > carol.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES -moon::tcpdump::IP dave.strongswan.org.\(4500\|ipsec-nat-t\) > moon.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES -moon::tcpdump::IP moon.strongswan.org.\(4500\|ipsec-nat-t\) > dave.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES diff --git a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.conf b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.conf deleted file mode 100644 index 8106e28d2..000000000 --- a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,23 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=aes128gcm128-prfsha256-ecp256! - esp=aes128gcm128-ecp256! - -conn home - left=PH_IP_CAROL - leftcert=carolCert.pem - leftid=carol@strongswan.org - leftsourceip=%config - leftupdown=/etc/updown - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem deleted file mode 100644 index 3480a434a..000000000 --- a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem +++ /dev/null @@ -1,17 +0,0 @@ ------BEGIN CERTIFICATE----- -MIICyDCCAiqgAwIBAgIJAPaidX4i76aJMAkGByqGSM49BAEwSDELMAkGA1UEBhMC -Q0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3 -YW4gRUMgUm9vdCBDQTAeFw0wODA2MjIxNDM2MDZaFw0xODA2MjAxNDM2MDZaMEgx -CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD -ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA -BAEUx1NvjNKzbDHaRPMsqIf/6SbUpzBa78N/WIyF6rYj8e5McAqfTfzUfFJZYoQn -/mbP3VfjOxRuMDjrlfvdgMxwkwFDigWQfHg3CJbS7eQjjO1MrxxIJUtfSTnF29tM -h6IYMdxaZKloCGCOrpmGCGdxD2/KwoX1SA3BlnjaNt7kSTonkqOBujCBtzAPBgNV -HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUul35cbYTtWrR3bo2 -t6rSwe6P2NIweAYDVR0jBHEwb4AUul35cbYTtWrR3bo2t6rSwe6P2NKhTKRKMEgx -CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD -ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2onV+Iu+miTAJBgcqhkjOPQQBA4GM -ADCBiAJCAL5pU3X6NYWjOYe0cxrah27UxtUDLUNkFG/Ojl+gOH4QB0CKY0HXNyrq -cgba73dXF/U0Cg3Ij/9g4Kd9GgYq0GlSAkIAqgqMKqXni8wbeGMJE2Mn2/8aHM3Q -3flpHSoeNWOe/VzpRviw+VRgA4vbhhKUXBtQSiea77/DXLwOp5w7rkBoEUg= ------END CERTIFICATE----- diff --git a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/certs/carolCert.pem deleted file mode 100644 index a85635faf..000000000 --- a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/certs/carolCert.pem +++ /dev/null @@ -1,15 +0,0 @@ ------BEGIN CERTIFICATE----- -MIICXzCCAcCgAwIBAgIBCTAKBggqhkjOPQQDBDBIMQswCQYDVQQGEwJDSDEZMBcG -A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS -b290IENBMB4XDTEzMDYyODA3MjczOFoXDTE4MDYwMjA3MjczOFowXzELMAkGA1UE -BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB -IDI1NiBiaXQxHTAbBgNVBAMUFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMFkwEwYHKoZI -zj0CAQYIKoZIzj0DAQcDQgAEwYQaBELkyAVAzNzWJr9LqoK8gdKDv+Ns6D+ZQSAj -BuX3bs5ZIn7BrRxYd+mbnpZ2in7FjXPWkcLkIK/cgay2n6OBgzCBgDAfBgNVHSME -GDAWgBS6XflxthO1atHduja3qtLB7o/Y0jAfBgNVHREEGDAWgRRjYXJvbEBzdHJv -bmdzd2FuLm9yZzA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLnN0cm9uZ3N3 -YW4ub3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAoGCCqGSM49BAMEA4GMADCBiAJCAIU5 -nZLSfuiHElf7SFHl/sXCTSQ5FhEjSdhpMUvsgwq0vnEJRRdsdEOmmtVT5yQFHDUR -Z9YVl4/zP5EFyUepvCH5AkIB2WFJ5WZ3Ds76Tq9AxAPaFbsQapGgOmrRZ6lGkj49 -hzLfARkvr+fTbOrttOC4yTIfnYVygA2G1cQYzceY/JiSk00= ------END CERTIFICATE----- diff --git a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/private/carolKey.pem deleted file mode 100644 index d29ddb9ee..000000000 --- a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/private/carolKey.pem +++ /dev/null @@ -1,5 +0,0 @@ ------BEGIN EC PRIVATE KEY----- -MHcCAQEEIMDstKxdv/vNBPfM8iHvn5g5/8T5aRSnlh27HHt6iTfGoAoGCCqGSM49 -AwEHoUQDQgAEwYQaBELkyAVAzNzWJr9LqoK8gdKDv+Ns6D+ZQSAjBuX3bs5ZIn7B -rRxYd+mbnpZ2in7FjXPWkcLkIK/cgay2nw== ------END EC PRIVATE KEY----- diff --git a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.secrets b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.secrets deleted file mode 100644 index 3d6725162..000000000 --- a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: ECDSA carolKey.pem diff --git a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/strongswan.conf b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/strongswan.conf deleted file mode 100644 index 4ab9a617f..000000000 --- a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/strongswan.conf +++ /dev/null @@ -1,13 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = random nonce pem pkcs1 pkcs8 x509 revocation openssl curl stroke kernel-libipsec kernel-netlink socket-default updown - - initiator_only = yes - - plugins { - openssl { - fips_mode = 2 - } - } -} diff --git a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/updown b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/updown deleted file mode 100755 index 6a5b18de6..000000000 --- a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/updown +++ /dev/null @@ -1,638 +0,0 @@ -#!/bin/sh -# default updown script -# -# Copyright (C) 2003-2004 Nigel Meteringham -# Copyright (C) 2003-2004 Tuomo Soini -# Copyright (C) 2002-2004 Michael Richardson -# Copyright (C) 2005-2007 Andreas Steffen <andreas.steffen@strongswan.org> -# -# This program is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License as published by the -# Free Software Foundation; either version 2 of the License, or (at your -# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY -# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -# for more details. - -# CAUTION: Installing a new version of strongSwan will install a new -# copy of this script, wiping out any custom changes you make. If -# you need changes, make a copy of this under another name, and customize -# that, and use the (left/right)updown parameters in ipsec.conf to make -# strongSwan use yours instead of this default one. - -# PLUTO_VERSION -# indicates what version of this interface is being -# used. This document describes version 1.1. This -# is upwardly compatible with version 1.0. -# -# PLUTO_VERB -# specifies the name of the operation to be performed -# (prepare-host, prepare-client, up-host, up-client, -# down-host, or down-client). If the address family -# for security gateway to security gateway communica- -# tions is IPv6, then a suffix of -v6 is added to the -# verb. -# -# PLUTO_CONNECTION -# is the name of the connection for which we are -# routing. -# -# PLUTO_INTERFACE -# is the name of the ipsec interface to be used. -# -# PLUTO_REQID -# is the requid of the AH|ESP policy -# -# PLUTO_PROTO -# is the negotiated IPsec protocol, ah|esp -# -# PLUTO_IPCOMP -# is not empty if IPComp was negotiated -# -# PLUTO_UNIQUEID -# is the unique identifier of the associated IKE_SA -# -# PLUTO_ME -# is the IP address of our host. -# -# PLUTO_MY_ID -# is the ID of our host. -# -# PLUTO_MY_CLIENT -# is the IP address / count of our client subnet. If -# the client is just the host, this will be the -# host's own IP address / max (where max is 32 for -# IPv4 and 128 for IPv6). -# -# PLUTO_MY_SOURCEIP -# PLUTO_MY_SOURCEIP4_$i -# PLUTO_MY_SOURCEIP6_$i -# contains IPv4/IPv6 virtual IP received from a responder, -# $i enumerates from 1 to the number of IP per address family. -# PLUTO_MY_SOURCEIP is a legacy variable and equal to the first -# virtual IP, IPv4 or IPv6. -# -# PLUTO_MY_PROTOCOL -# is the IP protocol that will be transported. -# -# PLUTO_MY_PORT -# is the UDP/TCP port to which the IPsec SA is -# restricted on our side. For ICMP/ICMPv6 this contains the -# message type, and PLUTO_PEER_PORT the message code. -# -# PLUTO_PEER -# is the IP address of our peer. -# -# PLUTO_PEER_ID -# is the ID of our peer. -# -# PLUTO_PEER_CLIENT -# is the IP address / count of the peer's client sub- -# net. If the client is just the peer, this will be -# the peer's own IP address / max (where max is 32 -# for IPv4 and 128 for IPv6). -# -# PLUTO_PEER_SOURCEIP -# PLUTO_PEER_SOURCEIP4_$i -# PLUTO_PEER_SOURCEIP6_$i -# contains IPv4/IPv6 virtual IP sent to an initiator, -# $i enumerates from 1 to the number of IP per address family. -# PLUTO_PEER_SOURCEIP is a legacy variable and equal to the first -# virtual IP, IPv4 or IPv6. -# -# PLUTO_PEER_PROTOCOL -# is the IP protocol that will be transported. -# -# PLUTO_PEER_PORT -# is the UDP/TCP port to which the IPsec SA is -# restricted on the peer side. For ICMP/ICMPv6 this contains the -# message code, and PLUTO_MY_PORT the message type. -# -# PLUTO_XAUTH_ID -# is an optional user ID employed by the XAUTH protocol -# -# PLUTO_MARK_IN -# is an optional XFRM mark set on the inbound IPsec SA -# -# PLUTO_MARK_OUT -# is an optional XFRM mark set on the outbound IPsec SA -# -# PLUTO_UDP_ENC -# contains the remote UDP port in the case of ESP_IN_UDP -# encapsulation -# -# PLUTO_DNS4_$i -# PLUTO_DNS6_$i -# contains IPv4/IPv6 DNS server attribute received from a -# responder, $i enumerates from 1 to the number of servers per -# address family. -# - -# define a minimum PATH environment in case it is not set -PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin" -export PATH - -# comment to disable logging VPN connections to syslog -VPN_LOGGING=1 -# -# tag put in front of each log entry: -TAG=vpn -# -# syslog facility and priority used: -FAC_PRIO=local0.notice -# -# to create a special vpn logging file, put the following line into -# the syslog configuration file /etc/syslog.conf: -# -# local0.notice -/var/log/vpn - -# check interface version -case "$PLUTO_VERSION" in -1.[0|1]) # Older release?!? Play it safe, script may be using new features. - echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2 - echo "$0: called by obsolete release?" >&2 - exit 2 - ;; -1.*) ;; -*) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2 - exit 2 - ;; -esac - -# check parameter(s) -case "$1:$*" in -':') # no parameters - ;; -iptables:iptables) # due to (left/right)firewall; for default script only - ;; -custom:*) # custom parameters (see above CAUTION comment) - ;; -*) echo "$0: unknown parameters \`$*'" >&2 - exit 2 - ;; -esac - -IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID" -IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" -IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" - -# use protocol specific options to set ports -case "$PLUTO_MY_PROTOCOL" in -1) # ICMP - ICMP_TYPE_OPTION="--icmp-type" - ;; -58) # ICMPv6 - ICMP_TYPE_OPTION="--icmpv6-type" - ;; -*) - ;; -esac - -# are there port numbers? -if [ "$PLUTO_MY_PORT" != 0 ] -then - if [ -n "$ICMP_TYPE_OPTION" ] - then - S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" - D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" - else - S_MY_PORT="--sport $PLUTO_MY_PORT" - D_MY_PORT="--dport $PLUTO_MY_PORT" - fi -fi -if [ "$PLUTO_PEER_PORT" != 0 ] -then - if [ -n "$ICMP_TYPE_OPTION" ] - then - # the syntax is --icmp[v6]-type type[/code], so add it to the existing option - S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT" - D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT" - else - S_PEER_PORT="--sport $PLUTO_PEER_PORT" - D_PEER_PORT="--dport $PLUTO_PEER_PORT" - fi -fi - -# resolve octal escape sequences -PLUTO_MY_ID=`printf "$PLUTO_MY_ID"` -PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"` - -case "$PLUTO_VERB:$1" in -up-host:) - # connection to me coming up - # If you are doing a custom version, firewall commands go here. - PLUTO_INTERFACE=ipsec0 - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_ME $D_MY_PORT -j ACCEPT - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_ME $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - ;; -down-host:) - # connection to me going down - # If you are doing a custom version, firewall commands go here. - PLUTO_INTERFACE=ipsec0 - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_ME $D_MY_PORT -j ACCEPT - iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_ME $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - ;; -up-client:) - # connection to my client subnet coming up - # If you are doing a custom version, firewall commands go here. - PLUTO_INTERFACE=ipsec0 - if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] - then - iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT - fi - # - # a virtual IP requires an INPUT and OUTPUT rule on the host - # or sometimes host access via the internal IP is needed - if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] - then - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - fi - ;; -down-client:) - # connection to my client subnet going down - # If you are doing a custom version, firewall commands go here. - PLUTO_INTERFACE=ipsec0 - iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT - # - # a virtual IP requires an INPUT and OUTPUT rule on the host - # or sometimes host access via the internal IP is needed - if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] - then - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT - iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - fi - ;; -up-host:iptables) - # connection to me, with (left/right)firewall=yes, coming up - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - # - # allow IPIP traffic because of the implicit SA created by the kernel if - # IPComp is used (for small inbound packets that are not compressed) - if [ -n "$PLUTO_IPCOMP" ] - then - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ - -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT - fi - # - # log IPsec host connection setup - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] - then - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" - else - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" - fi - fi - ;; -down-host:iptables) - # connection to me, with (left/right)firewall=yes, going down - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - # - # IPIP exception teardown - if [ -n "$PLUTO_IPCOMP" ] - then - iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ - -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT - fi - # - # log IPsec host connection teardown - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] - then - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" - else - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" - fi - fi - ;; -up-client:iptables) - # connection to client subnet, with (left/right)firewall=yes, coming up - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. - if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] - then - iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT - iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - fi - # - # a virtual IP requires an INPUT and OUTPUT rule on the host - # or sometimes host access via the internal IP is needed - if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] - then - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT - fi - # - # allow IPIP traffic because of the implicit SA created by the kernel if - # IPComp is used (for small inbound packets that are not compressed). - # INPUT is correct here even for forwarded traffic. - if [ -n "$PLUTO_IPCOMP" ] - then - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ - -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT - fi - # - # log IPsec client connection setup - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] - then - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - else - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - fi - fi - ;; -down-client:iptables) - # connection to client subnet, with (left/right)firewall=yes, going down - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. - if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] - then - iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ - $IPSEC_POLICY_OUT -j ACCEPT - iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT \ - $IPSEC_POLICY_IN -j ACCEPT - fi - # - # a virtual IP requires an INPUT and OUTPUT rule on the host - # or sometimes host access via the internal IP is needed - if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] - then - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT \ - $IPSEC_POLICY_IN -j ACCEPT - iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ - $IPSEC_POLICY_OUT -j ACCEPT - fi - # - # IPIP exception teardown - if [ -n "$PLUTO_IPCOMP" ] - then - iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ - -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT - fi - # - # log IPsec client connection teardown - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] - then - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - else - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - fi - fi - ;; -# -# IPv6 -# -up-host-v6:) - # connection to me coming up - # If you are doing a custom version, firewall commands go here. - ;; -down-host-v6:) - # connection to me going down - # If you are doing a custom version, firewall commands go here. - ;; -up-client-v6:) - # connection to my client subnet coming up - # If you are doing a custom version, firewall commands go here. - ;; -down-client-v6:) - # connection to my client subnet going down - # If you are doing a custom version, firewall commands go here. - ;; -up-host-v6:iptables) - # connection to me, with (left/right)firewall=yes, coming up - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. - ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - # - # allow IP6IP6 traffic because of the implicit SA created by the kernel if - # IPComp is used (for small inbound packets that are not compressed) - if [ -n "$PLUTO_IPCOMP" ] - then - ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p 41 \ - -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT - fi - # - # log IPsec host connection setup - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] - then - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" - else - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" - fi - fi - ;; -down-host-v6:iptables) - # connection to me, with (left/right)firewall=yes, going down - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. - ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - # - # IP6IP6 exception teardown - if [ -n "$PLUTO_IPCOMP" ] - then - ip6tables -D INPUT -i $PLUTO_INTERFACE -p 41 \ - -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT - fi - # - # log IPsec host connection teardown - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] - then - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" - else - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" - fi - fi - ;; -up-client-v6:iptables) - # connection to client subnet, with (left/right)firewall=yes, coming up - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. - if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ] - then - ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT - ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - fi - # - # a virtual IP requires an INPUT and OUTPUT rule on the host - # or sometimes host access via the internal IP is needed - if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] - then - ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT - fi - # - # allow IP6IP6 traffic because of the implicit SA created by the kernel if - # IPComp is used (for small inbound packets that are not compressed). - # INPUT is correct here even for forwarded traffic. - if [ -n "$PLUTO_IPCOMP" ] - then - ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p 41 \ - -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT - fi - # - # log IPsec client connection setup - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] - then - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - else - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - fi - fi - ;; -down-client-v6:iptables) - # connection to client subnet, with (left/right)firewall=yes, going down - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. - if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ] - then - ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ - $IPSEC_POLICY_OUT -j ACCEPT - ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT \ - $IPSEC_POLICY_IN -j ACCEPT - fi - # - # a virtual IP requires an INPUT and OUTPUT rule on the host - # or sometimes host access via the internal IP is needed - if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] - then - ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT \ - $IPSEC_POLICY_IN -j ACCEPT - ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ - $IPSEC_POLICY_OUT -j ACCEPT - fi - # - # IP6IP6 exception teardown - if [ -n "$PLUTO_IPCOMP" ] - then - ip6tables -D INPUT -i $PLUTO_INTERFACE -p 41 \ - -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT - fi - # - # log IPsec client connection teardown - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] - then - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - else - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - fi - fi - ;; -*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2 - exit 1 - ;; -esac diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.conf b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.conf deleted file mode 100644 index 9b6ca682a..000000000 --- a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.conf +++ /dev/null @@ -1,23 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - ike=aes128gcm128-prfsha256-ecp256! - esp=aes128gcm128-ecp256! - -conn home - left=PH_IP_DAVE - leftcert=daveCert.pem - leftid=dave@strongswan.org - leftsourceip=%config - leftupdown=/etc/updown - right=PH_IP_MOON - rightid=moon.strongswan.org - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem deleted file mode 100644 index 3480a434a..000000000 --- a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem +++ /dev/null @@ -1,17 +0,0 @@ ------BEGIN CERTIFICATE----- -MIICyDCCAiqgAwIBAgIJAPaidX4i76aJMAkGByqGSM49BAEwSDELMAkGA1UEBhMC -Q0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3 -YW4gRUMgUm9vdCBDQTAeFw0wODA2MjIxNDM2MDZaFw0xODA2MjAxNDM2MDZaMEgx -CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD -ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA -BAEUx1NvjNKzbDHaRPMsqIf/6SbUpzBa78N/WIyF6rYj8e5McAqfTfzUfFJZYoQn -/mbP3VfjOxRuMDjrlfvdgMxwkwFDigWQfHg3CJbS7eQjjO1MrxxIJUtfSTnF29tM -h6IYMdxaZKloCGCOrpmGCGdxD2/KwoX1SA3BlnjaNt7kSTonkqOBujCBtzAPBgNV -HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUul35cbYTtWrR3bo2 -t6rSwe6P2NIweAYDVR0jBHEwb4AUul35cbYTtWrR3bo2t6rSwe6P2NKhTKRKMEgx -CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD -ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2onV+Iu+miTAJBgcqhkjOPQQBA4GM -ADCBiAJCAL5pU3X6NYWjOYe0cxrah27UxtUDLUNkFG/Ojl+gOH4QB0CKY0HXNyrq -cgba73dXF/U0Cg3Ij/9g4Kd9GgYq0GlSAkIAqgqMKqXni8wbeGMJE2Mn2/8aHM3Q -3flpHSoeNWOe/VzpRviw+VRgA4vbhhKUXBtQSiea77/DXLwOp5w7rkBoEUg= ------END CERTIFICATE----- diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/certs/daveCert.pem deleted file mode 100644 index c83be145d..000000000 --- a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/certs/daveCert.pem +++ /dev/null @@ -1,15 +0,0 @@ ------BEGIN CERTIFICATE----- -MIICXDCCAb2gAwIBAgIBCzAKBggqhkjOPQQDBDBIMQswCQYDVQQGEwJDSDEZMBcG -A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS -b290IENBMB4XDTEzMDYyODA3MzMyOFoXDTE4MDYwMjA3MzMyOFowXjELMAkGA1UE -BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB -IDI1NiBiaXQxHDAaBgNVBAMUE2RhdmVAc3Ryb25nc3dhbi5vcmcwWTATBgcqhkjO -PQIBBggqhkjOPQMBBwNCAAQ0aUuue3BcBvF6aEISID4c+mVBJyvSm2fPVRRkAQqh -RktTHMYDWY6B8e/iGr4GDeF5bjr46vMB5eEtVx3chWbQo4GBMH8wHwYDVR0jBBgw -FoAUul35cbYTtWrR3bo2t6rSwe6P2NIwHgYDVR0RBBcwFYETZGF2ZUBzdHJvbmdz -d2FuLm9yZzA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLnN0cm9uZ3N3YW4u -b3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAoGCCqGSM49BAMEA4GMADCBiAJCAd5ols9c -CP6HPtfMXbPlSpUDKSRyB3c5Ix2Yn3z5ogMM1QSoS88FW8D7KKsb0qTY5TnlAls3 -45PmauVwEbI2cV6qAkIBphvsmhYWMnt/QMOij7DinihEL9Ib1vxOS2boUos6sHWi -gj3wfHyfgHM3Pgt0YYoZxELDIxcLVJeoa1TmNey7IaI= ------END CERTIFICATE----- diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/private/daveKey.pem deleted file mode 100644 index 17e94022e..000000000 --- a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/private/daveKey.pem +++ /dev/null @@ -1,5 +0,0 @@ ------BEGIN EC PRIVATE KEY----- -MHcCAQEEICwxFtCsSqIAzwZDyxHclTRdz/tGzAY7fP/vPoxqr8vuoAoGCCqGSM49 -AwEHoUQDQgAENGlLrntwXAbxemhCEiA+HPplQScr0ptnz1UUZAEKoUZLUxzGA1mO -gfHv4hq+Bg3heW46+OrzAeXhLVcd3IVm0A== ------END EC PRIVATE KEY----- diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.secrets b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.secrets deleted file mode 100644 index ebd3a2839..000000000 --- a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: ECDSA daveKey.pem diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/iptables.flush b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/iptables.flush deleted file mode 100644 index b3ab63c51..000000000 --- a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/iptables.flush +++ /dev/null @@ -1,21 +0,0 @@ -*filter - --F - --P INPUT ACCEPT --P OUTPUT ACCEPT --P FORWARD ACCEPT - -COMMIT - -*nat - --F - -COMMIT - -*mangle - --F - -COMMIT diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/iptables.rules b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/iptables.rules deleted file mode 100644 index 3d99c0197..000000000 --- a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/iptables.rules +++ /dev/null @@ -1,32 +0,0 @@ -*filter - -# default policy is DROP --P INPUT DROP --P OUTPUT DROP --P FORWARD DROP - -# allow esp --A INPUT -i eth0 -p 50 -j ACCEPT --A OUTPUT -o eth0 -p 50 -j ACCEPT - -# allow IKE --A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT --A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT - -# allow MobIKE --A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT --A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT - -# allow ssh --A INPUT -p tcp --dport 22 -j ACCEPT --A OUTPUT -p tcp --sport 22 -j ACCEPT - -# allow crl fetch from winnetou --A INPUT -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT --A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT - -# allow traffic tunnelled via IPsec --A INPUT -i eth0 -m policy --dir in --pol ipsec --proto esp -j ACCEPT --A OUTPUT -o eth0 -m policy --dir out --pol ipsec --proto esp -j ACCEPT - -COMMIT diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/strongswan.conf b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/strongswan.conf deleted file mode 100644 index 4ab9a617f..000000000 --- a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/strongswan.conf +++ /dev/null @@ -1,13 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = random nonce pem pkcs1 pkcs8 x509 revocation openssl curl stroke kernel-libipsec kernel-netlink socket-default updown - - initiator_only = yes - - plugins { - openssl { - fips_mode = 2 - } - } -} diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/updown b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/updown deleted file mode 100755 index 6a5b18de6..000000000 --- a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/updown +++ /dev/null @@ -1,638 +0,0 @@ -#!/bin/sh -# default updown script -# -# Copyright (C) 2003-2004 Nigel Meteringham -# Copyright (C) 2003-2004 Tuomo Soini -# Copyright (C) 2002-2004 Michael Richardson -# Copyright (C) 2005-2007 Andreas Steffen <andreas.steffen@strongswan.org> -# -# This program is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License as published by the -# Free Software Foundation; either version 2 of the License, or (at your -# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY -# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -# for more details. - -# CAUTION: Installing a new version of strongSwan will install a new -# copy of this script, wiping out any custom changes you make. If -# you need changes, make a copy of this under another name, and customize -# that, and use the (left/right)updown parameters in ipsec.conf to make -# strongSwan use yours instead of this default one. - -# PLUTO_VERSION -# indicates what version of this interface is being -# used. This document describes version 1.1. This -# is upwardly compatible with version 1.0. -# -# PLUTO_VERB -# specifies the name of the operation to be performed -# (prepare-host, prepare-client, up-host, up-client, -# down-host, or down-client). If the address family -# for security gateway to security gateway communica- -# tions is IPv6, then a suffix of -v6 is added to the -# verb. -# -# PLUTO_CONNECTION -# is the name of the connection for which we are -# routing. -# -# PLUTO_INTERFACE -# is the name of the ipsec interface to be used. -# -# PLUTO_REQID -# is the requid of the AH|ESP policy -# -# PLUTO_PROTO -# is the negotiated IPsec protocol, ah|esp -# -# PLUTO_IPCOMP -# is not empty if IPComp was negotiated -# -# PLUTO_UNIQUEID -# is the unique identifier of the associated IKE_SA -# -# PLUTO_ME -# is the IP address of our host. -# -# PLUTO_MY_ID -# is the ID of our host. -# -# PLUTO_MY_CLIENT -# is the IP address / count of our client subnet. If -# the client is just the host, this will be the -# host's own IP address / max (where max is 32 for -# IPv4 and 128 for IPv6). -# -# PLUTO_MY_SOURCEIP -# PLUTO_MY_SOURCEIP4_$i -# PLUTO_MY_SOURCEIP6_$i -# contains IPv4/IPv6 virtual IP received from a responder, -# $i enumerates from 1 to the number of IP per address family. -# PLUTO_MY_SOURCEIP is a legacy variable and equal to the first -# virtual IP, IPv4 or IPv6. -# -# PLUTO_MY_PROTOCOL -# is the IP protocol that will be transported. -# -# PLUTO_MY_PORT -# is the UDP/TCP port to which the IPsec SA is -# restricted on our side. For ICMP/ICMPv6 this contains the -# message type, and PLUTO_PEER_PORT the message code. -# -# PLUTO_PEER -# is the IP address of our peer. -# -# PLUTO_PEER_ID -# is the ID of our peer. -# -# PLUTO_PEER_CLIENT -# is the IP address / count of the peer's client sub- -# net. If the client is just the peer, this will be -# the peer's own IP address / max (where max is 32 -# for IPv4 and 128 for IPv6). -# -# PLUTO_PEER_SOURCEIP -# PLUTO_PEER_SOURCEIP4_$i -# PLUTO_PEER_SOURCEIP6_$i -# contains IPv4/IPv6 virtual IP sent to an initiator, -# $i enumerates from 1 to the number of IP per address family. -# PLUTO_PEER_SOURCEIP is a legacy variable and equal to the first -# virtual IP, IPv4 or IPv6. -# -# PLUTO_PEER_PROTOCOL -# is the IP protocol that will be transported. -# -# PLUTO_PEER_PORT -# is the UDP/TCP port to which the IPsec SA is -# restricted on the peer side. For ICMP/ICMPv6 this contains the -# message code, and PLUTO_MY_PORT the message type. -# -# PLUTO_XAUTH_ID -# is an optional user ID employed by the XAUTH protocol -# -# PLUTO_MARK_IN -# is an optional XFRM mark set on the inbound IPsec SA -# -# PLUTO_MARK_OUT -# is an optional XFRM mark set on the outbound IPsec SA -# -# PLUTO_UDP_ENC -# contains the remote UDP port in the case of ESP_IN_UDP -# encapsulation -# -# PLUTO_DNS4_$i -# PLUTO_DNS6_$i -# contains IPv4/IPv6 DNS server attribute received from a -# responder, $i enumerates from 1 to the number of servers per -# address family. -# - -# define a minimum PATH environment in case it is not set -PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin" -export PATH - -# comment to disable logging VPN connections to syslog -VPN_LOGGING=1 -# -# tag put in front of each log entry: -TAG=vpn -# -# syslog facility and priority used: -FAC_PRIO=local0.notice -# -# to create a special vpn logging file, put the following line into -# the syslog configuration file /etc/syslog.conf: -# -# local0.notice -/var/log/vpn - -# check interface version -case "$PLUTO_VERSION" in -1.[0|1]) # Older release?!? Play it safe, script may be using new features. - echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2 - echo "$0: called by obsolete release?" >&2 - exit 2 - ;; -1.*) ;; -*) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2 - exit 2 - ;; -esac - -# check parameter(s) -case "$1:$*" in -':') # no parameters - ;; -iptables:iptables) # due to (left/right)firewall; for default script only - ;; -custom:*) # custom parameters (see above CAUTION comment) - ;; -*) echo "$0: unknown parameters \`$*'" >&2 - exit 2 - ;; -esac - -IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID" -IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" -IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" - -# use protocol specific options to set ports -case "$PLUTO_MY_PROTOCOL" in -1) # ICMP - ICMP_TYPE_OPTION="--icmp-type" - ;; -58) # ICMPv6 - ICMP_TYPE_OPTION="--icmpv6-type" - ;; -*) - ;; -esac - -# are there port numbers? -if [ "$PLUTO_MY_PORT" != 0 ] -then - if [ -n "$ICMP_TYPE_OPTION" ] - then - S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" - D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" - else - S_MY_PORT="--sport $PLUTO_MY_PORT" - D_MY_PORT="--dport $PLUTO_MY_PORT" - fi -fi -if [ "$PLUTO_PEER_PORT" != 0 ] -then - if [ -n "$ICMP_TYPE_OPTION" ] - then - # the syntax is --icmp[v6]-type type[/code], so add it to the existing option - S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT" - D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT" - else - S_PEER_PORT="--sport $PLUTO_PEER_PORT" - D_PEER_PORT="--dport $PLUTO_PEER_PORT" - fi -fi - -# resolve octal escape sequences -PLUTO_MY_ID=`printf "$PLUTO_MY_ID"` -PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"` - -case "$PLUTO_VERB:$1" in -up-host:) - # connection to me coming up - # If you are doing a custom version, firewall commands go here. - PLUTO_INTERFACE=ipsec0 - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_ME $D_MY_PORT -j ACCEPT - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_ME $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - ;; -down-host:) - # connection to me going down - # If you are doing a custom version, firewall commands go here. - PLUTO_INTERFACE=ipsec0 - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_ME $D_MY_PORT -j ACCEPT - iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_ME $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - ;; -up-client:) - # connection to my client subnet coming up - # If you are doing a custom version, firewall commands go here. - PLUTO_INTERFACE=ipsec0 - if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] - then - iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT - fi - # - # a virtual IP requires an INPUT and OUTPUT rule on the host - # or sometimes host access via the internal IP is needed - if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] - then - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - fi - ;; -down-client:) - # connection to my client subnet going down - # If you are doing a custom version, firewall commands go here. - PLUTO_INTERFACE=ipsec0 - iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT - # - # a virtual IP requires an INPUT and OUTPUT rule on the host - # or sometimes host access via the internal IP is needed - if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] - then - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT - iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - fi - ;; -up-host:iptables) - # connection to me, with (left/right)firewall=yes, coming up - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - # - # allow IPIP traffic because of the implicit SA created by the kernel if - # IPComp is used (for small inbound packets that are not compressed) - if [ -n "$PLUTO_IPCOMP" ] - then - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ - -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT - fi - # - # log IPsec host connection setup - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] - then - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" - else - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" - fi - fi - ;; -down-host:iptables) - # connection to me, with (left/right)firewall=yes, going down - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - # - # IPIP exception teardown - if [ -n "$PLUTO_IPCOMP" ] - then - iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ - -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT - fi - # - # log IPsec host connection teardown - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] - then - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" - else - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" - fi - fi - ;; -up-client:iptables) - # connection to client subnet, with (left/right)firewall=yes, coming up - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. - if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] - then - iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT - iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - fi - # - # a virtual IP requires an INPUT and OUTPUT rule on the host - # or sometimes host access via the internal IP is needed - if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] - then - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT - fi - # - # allow IPIP traffic because of the implicit SA created by the kernel if - # IPComp is used (for small inbound packets that are not compressed). - # INPUT is correct here even for forwarded traffic. - if [ -n "$PLUTO_IPCOMP" ] - then - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ - -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT - fi - # - # log IPsec client connection setup - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] - then - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - else - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - fi - fi - ;; -down-client:iptables) - # connection to client subnet, with (left/right)firewall=yes, going down - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. - if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] - then - iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ - $IPSEC_POLICY_OUT -j ACCEPT - iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT \ - $IPSEC_POLICY_IN -j ACCEPT - fi - # - # a virtual IP requires an INPUT and OUTPUT rule on the host - # or sometimes host access via the internal IP is needed - if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] - then - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT \ - $IPSEC_POLICY_IN -j ACCEPT - iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ - $IPSEC_POLICY_OUT -j ACCEPT - fi - # - # IPIP exception teardown - if [ -n "$PLUTO_IPCOMP" ] - then - iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ - -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT - fi - # - # log IPsec client connection teardown - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] - then - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - else - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - fi - fi - ;; -# -# IPv6 -# -up-host-v6:) - # connection to me coming up - # If you are doing a custom version, firewall commands go here. - ;; -down-host-v6:) - # connection to me going down - # If you are doing a custom version, firewall commands go here. - ;; -up-client-v6:) - # connection to my client subnet coming up - # If you are doing a custom version, firewall commands go here. - ;; -down-client-v6:) - # connection to my client subnet going down - # If you are doing a custom version, firewall commands go here. - ;; -up-host-v6:iptables) - # connection to me, with (left/right)firewall=yes, coming up - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. - ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - # - # allow IP6IP6 traffic because of the implicit SA created by the kernel if - # IPComp is used (for small inbound packets that are not compressed) - if [ -n "$PLUTO_IPCOMP" ] - then - ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p 41 \ - -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT - fi - # - # log IPsec host connection setup - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] - then - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" - else - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" - fi - fi - ;; -down-host-v6:iptables) - # connection to me, with (left/right)firewall=yes, going down - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. - ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - # - # IP6IP6 exception teardown - if [ -n "$PLUTO_IPCOMP" ] - then - ip6tables -D INPUT -i $PLUTO_INTERFACE -p 41 \ - -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT - fi - # - # log IPsec host connection teardown - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] - then - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" - else - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" - fi - fi - ;; -up-client-v6:iptables) - # connection to client subnet, with (left/right)firewall=yes, coming up - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. - if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ] - then - ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT - ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - fi - # - # a virtual IP requires an INPUT and OUTPUT rule on the host - # or sometimes host access via the internal IP is needed - if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] - then - ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT - fi - # - # allow IP6IP6 traffic because of the implicit SA created by the kernel if - # IPComp is used (for small inbound packets that are not compressed). - # INPUT is correct here even for forwarded traffic. - if [ -n "$PLUTO_IPCOMP" ] - then - ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p 41 \ - -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT - fi - # - # log IPsec client connection setup - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] - then - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - else - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - fi - fi - ;; -down-client-v6:iptables) - # connection to client subnet, with (left/right)firewall=yes, going down - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. - if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ] - then - ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ - $IPSEC_POLICY_OUT -j ACCEPT - ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT \ - $IPSEC_POLICY_IN -j ACCEPT - fi - # - # a virtual IP requires an INPUT and OUTPUT rule on the host - # or sometimes host access via the internal IP is needed - if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] - then - ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT \ - $IPSEC_POLICY_IN -j ACCEPT - ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ - $IPSEC_POLICY_OUT -j ACCEPT - fi - # - # IP6IP6 exception teardown - if [ -n "$PLUTO_IPCOMP" ] - then - ip6tables -D INPUT -i $PLUTO_INTERFACE -p 41 \ - -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT - fi - # - # log IPsec client connection teardown - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] - then - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - else - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - fi - fi - ;; -*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2 - exit 1 - ;; -esac diff --git a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.conf b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.conf deleted file mode 100644 index abb34ac91..000000000 --- a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,23 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - charondebug="knl 3, esp 3" - -conn %default - ikelifetime=60m - keylife=20m - rekey=no - reauth=no - keyexchange=ikev2 - ike=aes128gcm128-prfsha256-ecp256! - esp=aes128gcm128-ecp256! - -conn rw - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=10.1.0.0/16 - leftupdown=/etc/updown - right=%any - rightsourceip=10.3.0.0/24 - auto=add diff --git a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem deleted file mode 100644 index 3480a434a..000000000 --- a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem +++ /dev/null @@ -1,17 +0,0 @@ ------BEGIN CERTIFICATE----- -MIICyDCCAiqgAwIBAgIJAPaidX4i76aJMAkGByqGSM49BAEwSDELMAkGA1UEBhMC -Q0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3 -YW4gRUMgUm9vdCBDQTAeFw0wODA2MjIxNDM2MDZaFw0xODA2MjAxNDM2MDZaMEgx -CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD -ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA -BAEUx1NvjNKzbDHaRPMsqIf/6SbUpzBa78N/WIyF6rYj8e5McAqfTfzUfFJZYoQn -/mbP3VfjOxRuMDjrlfvdgMxwkwFDigWQfHg3CJbS7eQjjO1MrxxIJUtfSTnF29tM -h6IYMdxaZKloCGCOrpmGCGdxD2/KwoX1SA3BlnjaNt7kSTonkqOBujCBtzAPBgNV -HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUul35cbYTtWrR3bo2 -t6rSwe6P2NIweAYDVR0jBHEwb4AUul35cbYTtWrR3bo2t6rSwe6P2NKhTKRKMEgx -CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD -ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2onV+Iu+miTAJBgcqhkjOPQQBA4GM -ADCBiAJCAL5pU3X6NYWjOYe0cxrah27UxtUDLUNkFG/Ojl+gOH4QB0CKY0HXNyrq -cgba73dXF/U0Cg3Ij/9g4Kd9GgYq0GlSAkIAqgqMKqXni8wbeGMJE2Mn2/8aHM3Q -3flpHSoeNWOe/VzpRviw+VRgA4vbhhKUXBtQSiea77/DXLwOp5w7rkBoEUg= ------END CERTIFICATE----- diff --git a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/certs/moonCert.pem deleted file mode 100644 index a3b043e82..000000000 --- a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/certs/moonCert.pem +++ /dev/null @@ -1,15 +0,0 @@ ------BEGIN CERTIFICATE----- -MIICXDCCAb2gAwIBAgIBBzAKBggqhkjOPQQDBDBIMQswCQYDVQQGEwJDSDEZMBcG -A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS -b290IENBMB4XDTEzMDYyODA3MTc0M1oXDTE4MDYwMjA3MTc0M1owXjELMAkGA1UE -BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB -IDI1NiBiaXQxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dhbi5vcmcwWTATBgcqhkjO -PQIBBggqhkjOPQMBBwNCAATf97+pfDnyPIA9gf6bYTZiIjNBAbCjCIqxxWou/oMq -/9V1O20vyI/dg2g3yzTdzESUa+X81fop+i2n9ymBqI1No4GBMH8wHwYDVR0jBBgw -FoAUul35cbYTtWrR3bo2t6rSwe6P2NIwHgYDVR0RBBcwFYITbW9vbi5zdHJvbmdz -d2FuLm9yZzA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLnN0cm9uZ3N3YW4u -b3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAoGCCqGSM49BAMEA4GMADCBiAJCALNndw3C -DDWCb0f+6P6hxkqiYmUpv39XrioZrLbw+MjMD2WAchbj60KibBep1cVwIq3kWIJ6 -Jj0tYXG+f6yjmImqAkIBGOGRm+MQZxPFdYZoJZq5QXwIN0w2hJxmLIxBASW4PLdl -RLIlvW/XTJObdb0VVYmClg0HTSvuuYOJrzwdyd8D1w0= ------END CERTIFICATE----- diff --git a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/private/moonKey.pem deleted file mode 100644 index 5bd2778a9..000000000 --- a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/private/moonKey.pem +++ /dev/null @@ -1,5 +0,0 @@ ------BEGIN EC PRIVATE KEY----- -MHcCAQEEIHWBnv6tDi/CTTWOQi/0XME7r8Wd5GRPaXx3wNTElpSvoAoGCCqGSM49 -AwEHoUQDQgAE3/e/qXw58jyAPYH+m2E2YiIzQQGwowiKscVqLv6DKv/VdTttL8iP -3YNoN8s03cxElGvl/NX6Kfotp/cpgaiNTQ== ------END EC PRIVATE KEY----- diff --git a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.secrets b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.secrets deleted file mode 100644 index 1ef3eccb5..000000000 --- a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: ECDSA moonKey.pem diff --git a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/strongswan.conf b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/strongswan.conf deleted file mode 100644 index d68b6e57a..000000000 --- a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/strongswan.conf +++ /dev/null @@ -1,11 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = random nonce pem pkcs1 pkcs8 x509 revocation openssl curl stroke kernel-libipsec kernel-netlink socket-default updown - - plugins { - openssl { - fips_mode = 2 - } - } -} diff --git a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/updown b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/updown deleted file mode 100755 index 6a5b18de6..000000000 --- a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/updown +++ /dev/null @@ -1,638 +0,0 @@ -#!/bin/sh -# default updown script -# -# Copyright (C) 2003-2004 Nigel Meteringham -# Copyright (C) 2003-2004 Tuomo Soini -# Copyright (C) 2002-2004 Michael Richardson -# Copyright (C) 2005-2007 Andreas Steffen <andreas.steffen@strongswan.org> -# -# This program is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License as published by the -# Free Software Foundation; either version 2 of the License, or (at your -# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY -# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -# for more details. - -# CAUTION: Installing a new version of strongSwan will install a new -# copy of this script, wiping out any custom changes you make. If -# you need changes, make a copy of this under another name, and customize -# that, and use the (left/right)updown parameters in ipsec.conf to make -# strongSwan use yours instead of this default one. - -# PLUTO_VERSION -# indicates what version of this interface is being -# used. This document describes version 1.1. This -# is upwardly compatible with version 1.0. -# -# PLUTO_VERB -# specifies the name of the operation to be performed -# (prepare-host, prepare-client, up-host, up-client, -# down-host, or down-client). If the address family -# for security gateway to security gateway communica- -# tions is IPv6, then a suffix of -v6 is added to the -# verb. -# -# PLUTO_CONNECTION -# is the name of the connection for which we are -# routing. -# -# PLUTO_INTERFACE -# is the name of the ipsec interface to be used. -# -# PLUTO_REQID -# is the requid of the AH|ESP policy -# -# PLUTO_PROTO -# is the negotiated IPsec protocol, ah|esp -# -# PLUTO_IPCOMP -# is not empty if IPComp was negotiated -# -# PLUTO_UNIQUEID -# is the unique identifier of the associated IKE_SA -# -# PLUTO_ME -# is the IP address of our host. -# -# PLUTO_MY_ID -# is the ID of our host. -# -# PLUTO_MY_CLIENT -# is the IP address / count of our client subnet. If -# the client is just the host, this will be the -# host's own IP address / max (where max is 32 for -# IPv4 and 128 for IPv6). -# -# PLUTO_MY_SOURCEIP -# PLUTO_MY_SOURCEIP4_$i -# PLUTO_MY_SOURCEIP6_$i -# contains IPv4/IPv6 virtual IP received from a responder, -# $i enumerates from 1 to the number of IP per address family. -# PLUTO_MY_SOURCEIP is a legacy variable and equal to the first -# virtual IP, IPv4 or IPv6. -# -# PLUTO_MY_PROTOCOL -# is the IP protocol that will be transported. -# -# PLUTO_MY_PORT -# is the UDP/TCP port to which the IPsec SA is -# restricted on our side. For ICMP/ICMPv6 this contains the -# message type, and PLUTO_PEER_PORT the message code. -# -# PLUTO_PEER -# is the IP address of our peer. -# -# PLUTO_PEER_ID -# is the ID of our peer. -# -# PLUTO_PEER_CLIENT -# is the IP address / count of the peer's client sub- -# net. If the client is just the peer, this will be -# the peer's own IP address / max (where max is 32 -# for IPv4 and 128 for IPv6). -# -# PLUTO_PEER_SOURCEIP -# PLUTO_PEER_SOURCEIP4_$i -# PLUTO_PEER_SOURCEIP6_$i -# contains IPv4/IPv6 virtual IP sent to an initiator, -# $i enumerates from 1 to the number of IP per address family. -# PLUTO_PEER_SOURCEIP is a legacy variable and equal to the first -# virtual IP, IPv4 or IPv6. -# -# PLUTO_PEER_PROTOCOL -# is the IP protocol that will be transported. -# -# PLUTO_PEER_PORT -# is the UDP/TCP port to which the IPsec SA is -# restricted on the peer side. For ICMP/ICMPv6 this contains the -# message code, and PLUTO_MY_PORT the message type. -# -# PLUTO_XAUTH_ID -# is an optional user ID employed by the XAUTH protocol -# -# PLUTO_MARK_IN -# is an optional XFRM mark set on the inbound IPsec SA -# -# PLUTO_MARK_OUT -# is an optional XFRM mark set on the outbound IPsec SA -# -# PLUTO_UDP_ENC -# contains the remote UDP port in the case of ESP_IN_UDP -# encapsulation -# -# PLUTO_DNS4_$i -# PLUTO_DNS6_$i -# contains IPv4/IPv6 DNS server attribute received from a -# responder, $i enumerates from 1 to the number of servers per -# address family. -# - -# define a minimum PATH environment in case it is not set -PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin" -export PATH - -# comment to disable logging VPN connections to syslog -VPN_LOGGING=1 -# -# tag put in front of each log entry: -TAG=vpn -# -# syslog facility and priority used: -FAC_PRIO=local0.notice -# -# to create a special vpn logging file, put the following line into -# the syslog configuration file /etc/syslog.conf: -# -# local0.notice -/var/log/vpn - -# check interface version -case "$PLUTO_VERSION" in -1.[0|1]) # Older release?!? Play it safe, script may be using new features. - echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2 - echo "$0: called by obsolete release?" >&2 - exit 2 - ;; -1.*) ;; -*) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2 - exit 2 - ;; -esac - -# check parameter(s) -case "$1:$*" in -':') # no parameters - ;; -iptables:iptables) # due to (left/right)firewall; for default script only - ;; -custom:*) # custom parameters (see above CAUTION comment) - ;; -*) echo "$0: unknown parameters \`$*'" >&2 - exit 2 - ;; -esac - -IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID" -IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" -IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" - -# use protocol specific options to set ports -case "$PLUTO_MY_PROTOCOL" in -1) # ICMP - ICMP_TYPE_OPTION="--icmp-type" - ;; -58) # ICMPv6 - ICMP_TYPE_OPTION="--icmpv6-type" - ;; -*) - ;; -esac - -# are there port numbers? -if [ "$PLUTO_MY_PORT" != 0 ] -then - if [ -n "$ICMP_TYPE_OPTION" ] - then - S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" - D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" - else - S_MY_PORT="--sport $PLUTO_MY_PORT" - D_MY_PORT="--dport $PLUTO_MY_PORT" - fi -fi -if [ "$PLUTO_PEER_PORT" != 0 ] -then - if [ -n "$ICMP_TYPE_OPTION" ] - then - # the syntax is --icmp[v6]-type type[/code], so add it to the existing option - S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT" - D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT" - else - S_PEER_PORT="--sport $PLUTO_PEER_PORT" - D_PEER_PORT="--dport $PLUTO_PEER_PORT" - fi -fi - -# resolve octal escape sequences -PLUTO_MY_ID=`printf "$PLUTO_MY_ID"` -PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"` - -case "$PLUTO_VERB:$1" in -up-host:) - # connection to me coming up - # If you are doing a custom version, firewall commands go here. - PLUTO_INTERFACE=ipsec0 - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_ME $D_MY_PORT -j ACCEPT - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_ME $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - ;; -down-host:) - # connection to me going down - # If you are doing a custom version, firewall commands go here. - PLUTO_INTERFACE=ipsec0 - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_ME $D_MY_PORT -j ACCEPT - iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_ME $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - ;; -up-client:) - # connection to my client subnet coming up - # If you are doing a custom version, firewall commands go here. - PLUTO_INTERFACE=ipsec0 - if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] - then - iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT - fi - # - # a virtual IP requires an INPUT and OUTPUT rule on the host - # or sometimes host access via the internal IP is needed - if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] - then - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - fi - ;; -down-client:) - # connection to my client subnet going down - # If you are doing a custom version, firewall commands go here. - PLUTO_INTERFACE=ipsec0 - iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT - # - # a virtual IP requires an INPUT and OUTPUT rule on the host - # or sometimes host access via the internal IP is needed - if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] - then - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT - iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - fi - ;; -up-host:iptables) - # connection to me, with (left/right)firewall=yes, coming up - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - # - # allow IPIP traffic because of the implicit SA created by the kernel if - # IPComp is used (for small inbound packets that are not compressed) - if [ -n "$PLUTO_IPCOMP" ] - then - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ - -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT - fi - # - # log IPsec host connection setup - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] - then - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" - else - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" - fi - fi - ;; -down-host:iptables) - # connection to me, with (left/right)firewall=yes, going down - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - # - # IPIP exception teardown - if [ -n "$PLUTO_IPCOMP" ] - then - iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ - -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT - fi - # - # log IPsec host connection teardown - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] - then - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" - else - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" - fi - fi - ;; -up-client:iptables) - # connection to client subnet, with (left/right)firewall=yes, coming up - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. - if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] - then - iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT - iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - fi - # - # a virtual IP requires an INPUT and OUTPUT rule on the host - # or sometimes host access via the internal IP is needed - if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] - then - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT - fi - # - # allow IPIP traffic because of the implicit SA created by the kernel if - # IPComp is used (for small inbound packets that are not compressed). - # INPUT is correct here even for forwarded traffic. - if [ -n "$PLUTO_IPCOMP" ] - then - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ - -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT - fi - # - # log IPsec client connection setup - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] - then - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - else - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - fi - fi - ;; -down-client:iptables) - # connection to client subnet, with (left/right)firewall=yes, going down - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. - if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] - then - iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ - $IPSEC_POLICY_OUT -j ACCEPT - iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT \ - $IPSEC_POLICY_IN -j ACCEPT - fi - # - # a virtual IP requires an INPUT and OUTPUT rule on the host - # or sometimes host access via the internal IP is needed - if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] - then - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT \ - $IPSEC_POLICY_IN -j ACCEPT - iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ - $IPSEC_POLICY_OUT -j ACCEPT - fi - # - # IPIP exception teardown - if [ -n "$PLUTO_IPCOMP" ] - then - iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ - -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT - fi - # - # log IPsec client connection teardown - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] - then - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - else - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - fi - fi - ;; -# -# IPv6 -# -up-host-v6:) - # connection to me coming up - # If you are doing a custom version, firewall commands go here. - ;; -down-host-v6:) - # connection to me going down - # If you are doing a custom version, firewall commands go here. - ;; -up-client-v6:) - # connection to my client subnet coming up - # If you are doing a custom version, firewall commands go here. - ;; -down-client-v6:) - # connection to my client subnet going down - # If you are doing a custom version, firewall commands go here. - ;; -up-host-v6:iptables) - # connection to me, with (left/right)firewall=yes, coming up - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. - ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - # - # allow IP6IP6 traffic because of the implicit SA created by the kernel if - # IPComp is used (for small inbound packets that are not compressed) - if [ -n "$PLUTO_IPCOMP" ] - then - ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p 41 \ - -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT - fi - # - # log IPsec host connection setup - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] - then - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" - else - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" - fi - fi - ;; -down-host-v6:iptables) - # connection to me, with (left/right)firewall=yes, going down - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. - ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - # - # IP6IP6 exception teardown - if [ -n "$PLUTO_IPCOMP" ] - then - ip6tables -D INPUT -i $PLUTO_INTERFACE -p 41 \ - -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT - fi - # - # log IPsec host connection teardown - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] - then - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" - else - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" - fi - fi - ;; -up-client-v6:iptables) - # connection to client subnet, with (left/right)firewall=yes, coming up - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. - if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ] - then - ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT - ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - fi - # - # a virtual IP requires an INPUT and OUTPUT rule on the host - # or sometimes host access via the internal IP is needed - if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] - then - ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT - fi - # - # allow IP6IP6 traffic because of the implicit SA created by the kernel if - # IPComp is used (for small inbound packets that are not compressed). - # INPUT is correct here even for forwarded traffic. - if [ -n "$PLUTO_IPCOMP" ] - then - ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p 41 \ - -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT - fi - # - # log IPsec client connection setup - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] - then - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - else - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - fi - fi - ;; -down-client-v6:iptables) - # connection to client subnet, with (left/right)firewall=yes, going down - # This is used only by the default updown script, not by your custom - # ones, so do not mess with it; see CAUTION comment up at top. - if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ] - then - ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ - $IPSEC_POLICY_OUT -j ACCEPT - ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT \ - $IPSEC_POLICY_IN -j ACCEPT - fi - # - # a virtual IP requires an INPUT and OUTPUT rule on the host - # or sometimes host access via the internal IP is needed - if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] - then - ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT \ - $IPSEC_POLICY_IN -j ACCEPT - ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ - $IPSEC_POLICY_OUT -j ACCEPT - fi - # - # IP6IP6 exception teardown - if [ -n "$PLUTO_IPCOMP" ] - then - ip6tables -D INPUT -i $PLUTO_INTERFACE -p 41 \ - -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT - fi - # - # log IPsec client connection teardown - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] - then - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - else - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - fi - fi - ;; -*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2 - exit 1 - ;; -esac diff --git a/testing/tests/libipsec/rw-suite-b/posttest.dat b/testing/tests/libipsec/rw-suite-b/posttest.dat deleted file mode 100644 index 1865a1c60..000000000 --- a/testing/tests/libipsec/rw-suite-b/posttest.dat +++ /dev/null @@ -1,6 +0,0 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop -moon::iptables-restore < /etc/iptables.flush -carol::iptables-restore < /etc/iptables.flush -dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/libipsec/rw-suite-b/pretest.dat b/testing/tests/libipsec/rw-suite-b/pretest.dat deleted file mode 100644 index e87a8ee47..000000000 --- a/testing/tests/libipsec/rw-suite-b/pretest.dat +++ /dev/null @@ -1,11 +0,0 @@ -moon::iptables-restore < /etc/iptables.rules -carol::iptables-restore < /etc/iptables.rules -dave::iptables-restore < /etc/iptables.rules -moon::ipsec start -carol::ipsec start -dave::ipsec start -moon::expect-connection rw -carol::expect-connection home -carol::ipsec up home -dave::expect-connection home -dave::ipsec up home diff --git a/testing/tests/libipsec/rw-suite-b/test.conf b/testing/tests/libipsec/rw-suite-b/test.conf deleted file mode 100644 index f29298850..000000000 --- a/testing/tests/libipsec/rw-suite-b/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# guest instances used for this test - -# All guest instances that are required for this test -# -VIRTHOSTS="alice moon carol winnetou dave" - -# Corresponding block diagram -# -DIAGRAM="a-m-c-w-d.png" - -# Guest instances on which tcpdump is to be started -# -TCPDUMPHOSTS="moon" - -# Guest instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol dave" |