diff options
| author | Yves-Alexis Perez <corsac@debian.org> | 2016-07-16 15:19:53 +0200 |
|---|---|---|
| committer | Yves-Alexis Perez <corsac@debian.org> | 2016-07-16 15:19:53 +0200 |
| commit | bf372706c469764d59e9f29c39e3ecbebd72b8d2 (patch) | |
| tree | 0f0e296e2d50e4a7faf99ae6fa428d2681e81ea1 /testing/tests/libipsec | |
| parent | 518dd33c94e041db0444c7d1f33da363bb8e3faf (diff) | |
| download | vyos-strongswan-bf372706c469764d59e9f29c39e3ecbebd72b8d2.tar.gz vyos-strongswan-bf372706c469764d59e9f29c39e3ecbebd72b8d2.zip | |
Imported Upstream version 5.5.0
Diffstat (limited to 'testing/tests/libipsec')
20 files changed, 367 insertions, 22 deletions
diff --git a/testing/tests/libipsec/host2host-cert/evaltest.dat b/testing/tests/libipsec/host2host-cert/evaltest.dat index 105c2a4ed..77c2528ea 100644 --- a/testing/tests/libipsec/host2host-cert/evaltest.dat +++ b/testing/tests/libipsec/host2host-cert/evaltest.dat @@ -2,6 +2,6 @@ moon::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*moon.strongswan.org.*su sun:: ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES -moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::YES -sun::tcpdump::IP moon.strongswan.org.4500 > sun.strongswan.org.4500: UDP-encap: ESP::YES -sun::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.4500: UDP-encap: ESP::YES +moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::YES +sun::tcpdump::IP moon.strongswan.org.\(4500\|ipsec-nat-t\) > sun.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES +sun::tcpdump::IP sun.strongswan.org.\(4500\|ipsec-nat-t\) > moon.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES diff --git a/testing/tests/libipsec/host2host-cert/hosts/moon/etc/updown b/testing/tests/libipsec/host2host-cert/hosts/moon/etc/updown index f7ec06498..9ca3bae6e 100755 --- a/testing/tests/libipsec/host2host-cert/hosts/moon/etc/updown +++ b/testing/tests/libipsec/host2host-cert/hosts/moon/etc/updown @@ -441,6 +441,14 @@ up-host-v6:iptables) -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # + # allow IP6IP6 traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed) + if [ -n "$PLUTO_IPCOMP" ] + then + ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p 41 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec host connection setup if [ $VPN_LOGGING ] then @@ -465,6 +473,13 @@ down-host-v6:iptables) -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # + # IP6IP6 exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + ip6tables -D INPUT -i $PLUTO_INTERFACE -p 41 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec host connection teardown if [ $VPN_LOGGING ] then @@ -504,6 +519,15 @@ up-client-v6:iptables) -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT fi # + # allow IP6IP6 traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed). + # INPUT is correct here even for forwarded traffic. + if [ -n "$PLUTO_IPCOMP" ] + then + ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p 41 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec client connection setup if [ $VPN_LOGGING ] then @@ -547,6 +571,13 @@ down-client-v6:iptables) $IPSEC_POLICY_OUT -j ACCEPT fi # + # IP6IP6 exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + ip6tables -D INPUT -i $PLUTO_INTERFACE -p 41 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec client connection teardown if [ $VPN_LOGGING ] then diff --git a/testing/tests/libipsec/host2host-cert/hosts/sun/etc/updown b/testing/tests/libipsec/host2host-cert/hosts/sun/etc/updown index f7ec06498..9ca3bae6e 100755 --- a/testing/tests/libipsec/host2host-cert/hosts/sun/etc/updown +++ b/testing/tests/libipsec/host2host-cert/hosts/sun/etc/updown @@ -441,6 +441,14 @@ up-host-v6:iptables) -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # + # allow IP6IP6 traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed) + if [ -n "$PLUTO_IPCOMP" ] + then + ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p 41 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec host connection setup if [ $VPN_LOGGING ] then @@ -465,6 +473,13 @@ down-host-v6:iptables) -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # + # IP6IP6 exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + ip6tables -D INPUT -i $PLUTO_INTERFACE -p 41 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec host connection teardown if [ $VPN_LOGGING ] then @@ -504,6 +519,15 @@ up-client-v6:iptables) -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT fi # + # allow IP6IP6 traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed). + # INPUT is correct here even for forwarded traffic. + if [ -n "$PLUTO_IPCOMP" ] + then + ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p 41 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec client connection setup if [ $VPN_LOGGING ] then @@ -547,6 +571,13 @@ down-client-v6:iptables) $IPSEC_POLICY_OUT -j ACCEPT fi # + # IP6IP6 exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + ip6tables -D INPUT -i $PLUTO_INTERFACE -p 41 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec client connection teardown if [ $VPN_LOGGING ] then diff --git a/testing/tests/libipsec/host2host-cert/pretest.dat b/testing/tests/libipsec/host2host-cert/pretest.dat index b095bf5c4..35c0f3e1c 100644 --- a/testing/tests/libipsec/host2host-cert/pretest.dat +++ b/testing/tests/libipsec/host2host-cert/pretest.dat @@ -2,7 +2,8 @@ moon::sysctl -w net.ipv4.conf.all.rp_filter=2 sun::sysctl -w net.ipv4.conf.all.rp_filter=2 moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules -moon::ipsec start sun::ipsec start +moon::ipsec start +sun::expect-connection host-host moon::expect-connection host-host moon::ipsec up host-host diff --git a/testing/tests/libipsec/net2net-3des/evaltest.dat b/testing/tests/libipsec/net2net-3des/evaltest.dat index f60fea6bf..e71456ef7 100644 --- a/testing/tests/libipsec/net2net-3des/evaltest.dat +++ b/testing/tests/libipsec/net2net-3des/evaltest.dat @@ -4,8 +4,8 @@ moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES moon::ipsec statusall 2> /dev/null::net-net\[1].*3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024::YES sun:: ipsec statusall 2> /dev/null::net-net\[1].*3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024::YES -alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES moon::ipsec statusall 2> /dev/null::net-net[{]1}.*3DES_CBC/HMAC_SHA1_96::YES sun:: ipsec statusall 2> /dev/null::net-net[{]1}.*3DES_CBC/HMAC_SHA1_96::YES -sun::tcpdump::IP moon.strongswan.org.4500 > sun.strongswan.org.4500: UDP-encap: ESP::YES -sun::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.4500: UDP-encap: ESP::YES +sun::tcpdump::IP moon.strongswan.org.\(4500\|ipsec-nat-t\) > sun.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES +sun::tcpdump::IP sun.strongswan.org.\(4500\|ipsec-nat-t\) > moon.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES diff --git a/testing/tests/libipsec/net2net-3des/hosts/moon/etc/updown b/testing/tests/libipsec/net2net-3des/hosts/moon/etc/updown index 61f65311c..e7c3640d4 100755 --- a/testing/tests/libipsec/net2net-3des/hosts/moon/etc/updown +++ b/testing/tests/libipsec/net2net-3des/hosts/moon/etc/updown @@ -441,6 +441,14 @@ up-host-v6:iptables) -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # + # allow IP6IP6 traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed) + if [ -n "$PLUTO_IPCOMP" ] + then + ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p 41 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec host connection setup if [ $VPN_LOGGING ] then @@ -465,6 +473,13 @@ down-host-v6:iptables) -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # + # IP6IP6 exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + ip6tables -D INPUT -i $PLUTO_INTERFACE -p 41 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec host connection teardown if [ $VPN_LOGGING ] then @@ -504,6 +519,15 @@ up-client-v6:iptables) -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT fi # + # allow IP6IP6 traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed). + # INPUT is correct here even for forwarded traffic. + if [ -n "$PLUTO_IPCOMP" ] + then + ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p 41 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec client connection setup if [ $VPN_LOGGING ] then @@ -547,6 +571,13 @@ down-client-v6:iptables) $IPSEC_POLICY_OUT -j ACCEPT fi # + # IP6IP6 exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + ip6tables -D INPUT -i $PLUTO_INTERFACE -p 41 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec client connection teardown if [ $VPN_LOGGING ] then diff --git a/testing/tests/libipsec/net2net-3des/hosts/sun/etc/updown b/testing/tests/libipsec/net2net-3des/hosts/sun/etc/updown index 61f65311c..e7c3640d4 100755 --- a/testing/tests/libipsec/net2net-3des/hosts/sun/etc/updown +++ b/testing/tests/libipsec/net2net-3des/hosts/sun/etc/updown @@ -441,6 +441,14 @@ up-host-v6:iptables) -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # + # allow IP6IP6 traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed) + if [ -n "$PLUTO_IPCOMP" ] + then + ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p 41 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec host connection setup if [ $VPN_LOGGING ] then @@ -465,6 +473,13 @@ down-host-v6:iptables) -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # + # IP6IP6 exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + ip6tables -D INPUT -i $PLUTO_INTERFACE -p 41 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec host connection teardown if [ $VPN_LOGGING ] then @@ -504,6 +519,15 @@ up-client-v6:iptables) -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT fi # + # allow IP6IP6 traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed). + # INPUT is correct here even for forwarded traffic. + if [ -n "$PLUTO_IPCOMP" ] + then + ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p 41 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec client connection setup if [ $VPN_LOGGING ] then @@ -547,6 +571,13 @@ down-client-v6:iptables) $IPSEC_POLICY_OUT -j ACCEPT fi # + # IP6IP6 exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + ip6tables -D INPUT -i $PLUTO_INTERFACE -p 41 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec client connection teardown if [ $VPN_LOGGING ] then diff --git a/testing/tests/libipsec/net2net-3des/pretest.dat b/testing/tests/libipsec/net2net-3des/pretest.dat index 1732d6efa..bcc2cb04d 100644 --- a/testing/tests/libipsec/net2net-3des/pretest.dat +++ b/testing/tests/libipsec/net2net-3des/pretest.dat @@ -1,6 +1,7 @@ moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules -moon::ipsec start sun::ipsec start +moon::ipsec start +sun::expect-connection net-net moon::expect-connection net-net moon::ipsec up net-net diff --git a/testing/tests/libipsec/net2net-cert/evaltest.dat b/testing/tests/libipsec/net2net-cert/evaltest.dat index f702ceadf..e489fec64 100644 --- a/testing/tests/libipsec/net2net-cert/evaltest.dat +++ b/testing/tests/libipsec/net2net-cert/evaltest.dat @@ -2,6 +2,6 @@ moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun. sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES -alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES -sun::tcpdump::IP moon.strongswan.org.4500 > sun.strongswan.org.4500: UDP-encap: ESP::YES -sun::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.4500: UDP-encap: ESP::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES +sun::tcpdump::IP moon.strongswan.org.\(4500\|ipsec-nat-t\) > sun.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES +sun::tcpdump::IP sun.strongswan.org.\(4500\|ipsec-nat-t\) > moon.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES diff --git a/testing/tests/libipsec/net2net-cert/hosts/moon/etc/updown b/testing/tests/libipsec/net2net-cert/hosts/moon/etc/updown index 61f65311c..e7c3640d4 100755 --- a/testing/tests/libipsec/net2net-cert/hosts/moon/etc/updown +++ b/testing/tests/libipsec/net2net-cert/hosts/moon/etc/updown @@ -441,6 +441,14 @@ up-host-v6:iptables) -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # + # allow IP6IP6 traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed) + if [ -n "$PLUTO_IPCOMP" ] + then + ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p 41 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec host connection setup if [ $VPN_LOGGING ] then @@ -465,6 +473,13 @@ down-host-v6:iptables) -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # + # IP6IP6 exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + ip6tables -D INPUT -i $PLUTO_INTERFACE -p 41 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec host connection teardown if [ $VPN_LOGGING ] then @@ -504,6 +519,15 @@ up-client-v6:iptables) -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT fi # + # allow IP6IP6 traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed). + # INPUT is correct here even for forwarded traffic. + if [ -n "$PLUTO_IPCOMP" ] + then + ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p 41 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec client connection setup if [ $VPN_LOGGING ] then @@ -547,6 +571,13 @@ down-client-v6:iptables) $IPSEC_POLICY_OUT -j ACCEPT fi # + # IP6IP6 exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + ip6tables -D INPUT -i $PLUTO_INTERFACE -p 41 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec client connection teardown if [ $VPN_LOGGING ] then diff --git a/testing/tests/libipsec/net2net-cert/hosts/sun/etc/updown b/testing/tests/libipsec/net2net-cert/hosts/sun/etc/updown index 61f65311c..e7c3640d4 100755 --- a/testing/tests/libipsec/net2net-cert/hosts/sun/etc/updown +++ b/testing/tests/libipsec/net2net-cert/hosts/sun/etc/updown @@ -441,6 +441,14 @@ up-host-v6:iptables) -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # + # allow IP6IP6 traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed) + if [ -n "$PLUTO_IPCOMP" ] + then + ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p 41 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec host connection setup if [ $VPN_LOGGING ] then @@ -465,6 +473,13 @@ down-host-v6:iptables) -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # + # IP6IP6 exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + ip6tables -D INPUT -i $PLUTO_INTERFACE -p 41 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec host connection teardown if [ $VPN_LOGGING ] then @@ -504,6 +519,15 @@ up-client-v6:iptables) -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT fi # + # allow IP6IP6 traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed). + # INPUT is correct here even for forwarded traffic. + if [ -n "$PLUTO_IPCOMP" ] + then + ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p 41 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec client connection setup if [ $VPN_LOGGING ] then @@ -547,6 +571,13 @@ down-client-v6:iptables) $IPSEC_POLICY_OUT -j ACCEPT fi # + # IP6IP6 exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + ip6tables -D INPUT -i $PLUTO_INTERFACE -p 41 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec client connection teardown if [ $VPN_LOGGING ] then diff --git a/testing/tests/libipsec/net2net-cert/pretest.dat b/testing/tests/libipsec/net2net-cert/pretest.dat index 1732d6efa..bcc2cb04d 100644 --- a/testing/tests/libipsec/net2net-cert/pretest.dat +++ b/testing/tests/libipsec/net2net-cert/pretest.dat @@ -1,6 +1,7 @@ moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules -moon::ipsec start sun::ipsec start +moon::ipsec start +sun::expect-connection net-net moon::expect-connection net-net moon::ipsec up net-net diff --git a/testing/tests/libipsec/net2net-null/evaltest.dat b/testing/tests/libipsec/net2net-null/evaltest.dat index 0cafb4faf..c1aae4032 100644 --- a/testing/tests/libipsec/net2net-null/evaltest.dat +++ b/testing/tests/libipsec/net2net-null/evaltest.dat @@ -4,8 +4,8 @@ moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES moon::ipsec statusall 2> /dev/null::net-net\[1].*NULL/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072::YES sun:: ipsec statusall 2> /dev/null::net-net\[1].*NULL/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072::YES -alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES moon::ipsec statusall 2> /dev/null::net-net[{]1}.*NULL/HMAC_SHA2_256::YES sun:: ipsec statusall 2> /dev/null::net-net[{]1}.*NULL/HMAC_SHA2_256::YES -sun::tcpdump::IP moon.strongswan.org.4500 > sun.strongswan.org.4500: UDP-encap: ESP::YES -sun::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.4500: UDP-encap: ESP::YES +sun::tcpdump::IP moon.strongswan.org.\(4500\|ipsec-nat-t\) > sun.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES +sun::tcpdump::IP sun.strongswan.org.\(4500\|ipsec-nat-t\) > moon.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES diff --git a/testing/tests/libipsec/net2net-null/hosts/moon/etc/updown b/testing/tests/libipsec/net2net-null/hosts/moon/etc/updown index 61f65311c..e7c3640d4 100755 --- a/testing/tests/libipsec/net2net-null/hosts/moon/etc/updown +++ b/testing/tests/libipsec/net2net-null/hosts/moon/etc/updown @@ -441,6 +441,14 @@ up-host-v6:iptables) -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # + # allow IP6IP6 traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed) + if [ -n "$PLUTO_IPCOMP" ] + then + ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p 41 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec host connection setup if [ $VPN_LOGGING ] then @@ -465,6 +473,13 @@ down-host-v6:iptables) -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # + # IP6IP6 exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + ip6tables -D INPUT -i $PLUTO_INTERFACE -p 41 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec host connection teardown if [ $VPN_LOGGING ] then @@ -504,6 +519,15 @@ up-client-v6:iptables) -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT fi # + # allow IP6IP6 traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed). + # INPUT is correct here even for forwarded traffic. + if [ -n "$PLUTO_IPCOMP" ] + then + ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p 41 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec client connection setup if [ $VPN_LOGGING ] then @@ -547,6 +571,13 @@ down-client-v6:iptables) $IPSEC_POLICY_OUT -j ACCEPT fi # + # IP6IP6 exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + ip6tables -D INPUT -i $PLUTO_INTERFACE -p 41 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec client connection teardown if [ $VPN_LOGGING ] then diff --git a/testing/tests/libipsec/net2net-null/hosts/sun/etc/updown b/testing/tests/libipsec/net2net-null/hosts/sun/etc/updown index 61f65311c..e7c3640d4 100755 --- a/testing/tests/libipsec/net2net-null/hosts/sun/etc/updown +++ b/testing/tests/libipsec/net2net-null/hosts/sun/etc/updown @@ -441,6 +441,14 @@ up-host-v6:iptables) -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # + # allow IP6IP6 traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed) + if [ -n "$PLUTO_IPCOMP" ] + then + ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p 41 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec host connection setup if [ $VPN_LOGGING ] then @@ -465,6 +473,13 @@ down-host-v6:iptables) -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # + # IP6IP6 exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + ip6tables -D INPUT -i $PLUTO_INTERFACE -p 41 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec host connection teardown if [ $VPN_LOGGING ] then @@ -504,6 +519,15 @@ up-client-v6:iptables) -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT fi # + # allow IP6IP6 traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed). + # INPUT is correct here even for forwarded traffic. + if [ -n "$PLUTO_IPCOMP" ] + then + ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p 41 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec client connection setup if [ $VPN_LOGGING ] then @@ -547,6 +571,13 @@ down-client-v6:iptables) $IPSEC_POLICY_OUT -j ACCEPT fi # + # IP6IP6 exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + ip6tables -D INPUT -i $PLUTO_INTERFACE -p 41 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec client connection teardown if [ $VPN_LOGGING ] then diff --git a/testing/tests/libipsec/net2net-null/pretest.dat b/testing/tests/libipsec/net2net-null/pretest.dat index 1732d6efa..bcc2cb04d 100644 --- a/testing/tests/libipsec/net2net-null/pretest.dat +++ b/testing/tests/libipsec/net2net-null/pretest.dat @@ -1,6 +1,7 @@ moon::iptables-restore < /etc/iptables.rules sun::iptables-restore < /etc/iptables.rules -moon::ipsec start sun::ipsec start +moon::ipsec start +sun::expect-connection net-net moon::expect-connection net-net moon::ipsec up net-net diff --git a/testing/tests/libipsec/rw-suite-b/evaltest.dat b/testing/tests/libipsec/rw-suite-b/evaltest.dat index 3a9493ba3..487a21c57 100644 --- a/testing/tests/libipsec/rw-suite-b/evaltest.dat +++ b/testing/tests/libipsec/rw-suite-b/evaltest.dat @@ -11,9 +11,9 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES -dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES -moon::tcpdump::IP carol.strongswan.org.4500 > moon.strongswan.org.4500: UDP-encap: ESP::YES -moon::tcpdump::IP moon.strongswan.org.4500 > carol.strongswan.org.4500: UDP-encap: ESP::YES -moon::tcpdump::IP dave.strongswan.org.4500 > moon.strongswan.org.4500: UDP-encap: ESP::YES -moon::tcpdump::IP moon.strongswan.org.4500 > dave.strongswan.org.4500: UDP-encap: ESP::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES +dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES +moon::tcpdump::IP carol.strongswan.org.\(4500\|ipsec-nat-t\) > moon.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES +moon::tcpdump::IP moon.strongswan.org.\(4500\|ipsec-nat-t\) > carol.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES +moon::tcpdump::IP dave.strongswan.org.\(4500\|ipsec-nat-t\) > moon.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES +moon::tcpdump::IP moon.strongswan.org.\(4500\|ipsec-nat-t\) > dave.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES diff --git a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/updown b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/updown index 652d17dab..6a5b18de6 100755 --- a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/updown +++ b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/updown @@ -482,6 +482,14 @@ up-host-v6:iptables) -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # + # allow IP6IP6 traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed) + if [ -n "$PLUTO_IPCOMP" ] + then + ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p 41 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec host connection setup if [ $VPN_LOGGING ] then @@ -506,6 +514,13 @@ down-host-v6:iptables) -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # + # IP6IP6 exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + ip6tables -D INPUT -i $PLUTO_INTERFACE -p 41 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec host connection teardown if [ $VPN_LOGGING ] then @@ -545,6 +560,15 @@ up-client-v6:iptables) -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT fi # + # allow IP6IP6 traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed). + # INPUT is correct here even for forwarded traffic. + if [ -n "$PLUTO_IPCOMP" ] + then + ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p 41 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec client connection setup if [ $VPN_LOGGING ] then @@ -588,6 +612,13 @@ down-client-v6:iptables) $IPSEC_POLICY_OUT -j ACCEPT fi # + # IP6IP6 exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + ip6tables -D INPUT -i $PLUTO_INTERFACE -p 41 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec client connection teardown if [ $VPN_LOGGING ] then diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/updown b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/updown index 652d17dab..6a5b18de6 100755 --- a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/updown +++ b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/updown @@ -482,6 +482,14 @@ up-host-v6:iptables) -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # + # allow IP6IP6 traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed) + if [ -n "$PLUTO_IPCOMP" ] + then + ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p 41 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec host connection setup if [ $VPN_LOGGING ] then @@ -506,6 +514,13 @@ down-host-v6:iptables) -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # + # IP6IP6 exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + ip6tables -D INPUT -i $PLUTO_INTERFACE -p 41 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec host connection teardown if [ $VPN_LOGGING ] then @@ -545,6 +560,15 @@ up-client-v6:iptables) -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT fi # + # allow IP6IP6 traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed). + # INPUT is correct here even for forwarded traffic. + if [ -n "$PLUTO_IPCOMP" ] + then + ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p 41 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec client connection setup if [ $VPN_LOGGING ] then @@ -588,6 +612,13 @@ down-client-v6:iptables) $IPSEC_POLICY_OUT -j ACCEPT fi # + # IP6IP6 exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + ip6tables -D INPUT -i $PLUTO_INTERFACE -p 41 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec client connection teardown if [ $VPN_LOGGING ] then diff --git a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/updown b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/updown index 652d17dab..6a5b18de6 100755 --- a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/updown +++ b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/updown @@ -482,6 +482,14 @@ up-host-v6:iptables) -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # + # allow IP6IP6 traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed) + if [ -n "$PLUTO_IPCOMP" ] + then + ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p 41 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec host connection setup if [ $VPN_LOGGING ] then @@ -506,6 +514,13 @@ down-host-v6:iptables) -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # + # IP6IP6 exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + ip6tables -D INPUT -i $PLUTO_INTERFACE -p 41 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec host connection teardown if [ $VPN_LOGGING ] then @@ -545,6 +560,15 @@ up-client-v6:iptables) -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT fi # + # allow IP6IP6 traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed). + # INPUT is correct here even for forwarded traffic. + if [ -n "$PLUTO_IPCOMP" ] + then + ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p 41 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec client connection setup if [ $VPN_LOGGING ] then @@ -588,6 +612,13 @@ down-client-v6:iptables) $IPSEC_POLICY_OUT -j ACCEPT fi # + # IP6IP6 exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + ip6tables -D INPUT -i $PLUTO_INTERFACE -p 41 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec client connection teardown if [ $VPN_LOGGING ] then |