Imported Upstream version 5.2.0

author: Yves-Alexis Perez <corsac@debian.org> 2014-07-11 07:23:31 +0200
committer: Yves-Alexis Perez <corsac@debian.org> 2014-07-11 07:23:31 +0200
commit: 81c63b0eed39432878f78727f60a1e7499645199 (patch)
tree: 82387d8fecd1c20788fd8bd784a9b0bde091fb6b /testing/tests/pfkey
parent: c5ebfc7b9c16551fe825dc1d79c3f7e2f096f6c9 (diff)
download: vyos-strongswan-81c63b0eed39432878f78727f60a1e7499645199.tar.gz
vyos-strongswan-81c63b0eed39432878f78727f60a1e7499645199.zip
26 files changed, 214 insertions, 111 deletions
diff --git a/testing/tests/pfkey/compress/description.txt b/testing/tests/pfkey/compress/description.txt
new file mode 100644
index 000000000..4c60384f0
--- /dev/null
+++ b/testing/tests/pfkey/compress/description.txt
@@ -0,0 +1,4 @@
+This scenario enables IPComp compression between roadwarrior <b>carol</b> and
+gateway <b>moon</b>. Two pings from <b>carol</b> to <b>alice</b> check
+the established tunnel with compression. The packet sizes of the two pings
+are different because the kernel does not compress small packets.
diff --git a/testing/tests/pfkey/compress/evaltest.dat b/testing/tests/pfkey/compress/evaltest.dat
new file mode 100644
index 000000000..843326ecc
--- /dev/null
+++ b/testing/tests/pfkey/compress/evaltest.dat
@@ -0,0 +1,12 @@
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL.*IPCOMP::YES
+moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL.*IPCOMP::YES
+moon:: cat /var/log/daemon.log::IKE_AUTH request.*N(IPCOMP_SUP)::YES
+moon:: cat /var/log/daemon.log::IKE_AUTH response.*N(IPCOMP_SUP)::YES
+moon:: ip xfrm state::proto comp spi::YES
+carol::ip xfrm state::proto comp spi::YES
+carol::ping -n -c 1 -s 8184 -p deadbeef PH_IP_ALICE::8192 bytes from PH_IP_ALICE::YES
+carol::ping -n -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE::YES
+moon::tcpdump::carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::moon.strongswan.org >  carol.strongswan.org: ESP::YES
diff --git a/testing/tests/pfkey/compress/hosts/carol/etc/ipsec.conf b/testing/tests/pfkey/compress/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..78809898b
--- /dev/null
+++ b/testing/tests/pfkey/compress/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	compress=yes
+	leftfirewall=yes
+
+conn home
+	left=PH_IP_CAROL
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	right=PH_IP_MOON
+	rightsubnet=10.1.0.0/16
+	rightid=@moon.strongswan.org
+	auto=add
diff --git a/testing/tests/pfkey/shunt-policies/hosts/sun/etc/strongswan.conf b/testing/tests/pfkey/compress/hosts/carol/etc/strongswan.conf
index 902d83c69..2061e52e9 100644
--- a/testing/tests/pfkey/shunt-policies/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/pfkey/compress/hosts/carol/etc/strongswan.conf
@@ -2,5 +2,4 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
-  multiple_authentication = no
 }
diff --git a/testing/tests/pfkey/compress/hosts/moon/etc/ipsec.conf b/testing/tests/pfkey/compress/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..718b3c814
--- /dev/null
+++ b/testing/tests/pfkey/compress/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	compress=yes
+	leftfirewall=yes
+
+conn rw
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	right=%any
+	rightid=carol@strongswan.org
+	auto=add
diff --git a/testing/tests/pfkey/shunt-policies/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/compress/hosts/moon/etc/strongswan.conf
index 4582e1473..2061e52e9 100644
--- a/testing/tests/pfkey/shunt-policies/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/pfkey/compress/hosts/moon/etc/strongswan.conf
@@ -2,6 +2,4 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
-  multiple_authentication = no
-  install_routes = no
 }
diff --git a/testing/tests/pfkey/compress/posttest.dat b/testing/tests/pfkey/compress/posttest.dat
new file mode 100644
index 000000000..046d4cfdc
--- /dev/null
+++ b/testing/tests/pfkey/compress/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/pfkey/compress/pretest.dat b/testing/tests/pfkey/compress/pretest.dat
new file mode 100644
index 000000000..29a90355f
--- /dev/null
+++ b/testing/tests/pfkey/compress/pretest.dat
@@ -0,0 +1,6 @@
+carol::iptables-restore < /etc/iptables.rules
+moon::iptables-restore < /etc/iptables.rules
+carol::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up home
diff --git a/testing/tests/pfkey/compress/test.conf b/testing/tests/pfkey/compress/test.conf
new file mode 100644
index 000000000..d7b71426c
--- /dev/null
+++ b/testing/tests/pfkey/compress/test.conf
@@ -0,0 +1,22 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
diff --git a/testing/tests/pfkey/shunt-policies-nat-rw/description.txt b/testing/tests/pfkey/shunt-policies-nat-rw/description.txt
new file mode 100644
index 000000000..7d9ebfd90
--- /dev/null
+++ b/testing/tests/pfkey/shunt-policies-nat-rw/description.txt
@@ -0,0 +1,7 @@
+The roadwarriors <b>alice</b> and <b>venus</b> sitting behind the NAT router <b>moon</b> set up
+tunnels to gateway <b>sun</b>. They tunnel all traffic to the gateway.  In order to prevent
+local traffic within the <b>10.1.0.0/16</b> subnet to enter the tunnel, both set up a <b>local-net</b>
+shunt policy with <b>type=pass</b>.
+<p/>
+In order to test the tunnel, the NAT-ed hosts <b>alice</b> and <b>venus</b>
+ping each other and the client <b>bob</b> behind the gateway <b>sun</b>.
diff --git a/testing/tests/pfkey/shunt-policies-nat-rw/evaltest.dat b/testing/tests/pfkey/shunt-policies-nat-rw/evaltest.dat
new file mode 100644
index 000000000..4d36673dc
--- /dev/null
+++ b/testing/tests/pfkey/shunt-policies-nat-rw/evaltest.dat
@@ -0,0 +1,12 @@
+alice::ipsec status 2> /dev/null::local-net.*PASS::YES
+venus::ipsec status 2> /dev/null::local-net.*PASS::YES
+alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*sun.strongswan.org::YES
+venus::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*venus.strongswan.org.*sun.strongswan.org::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+alice::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+venus::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.4500: UDP-encap: ESP::YES
+moon::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.*: UDP-encap: ESP::YES
+alice::tcpdump::IP alice.strongswan.org > venus.strongswan.org: ICMP::YES
+alice::tcpdump::IP venus.strongswan.org > alice.strongswan.org: ICMP::YES
+\ No newline at end of file
diff --git a/testing/tests/pfkey/shunt-policies/hosts/moon/etc/ipsec.conf b/testing/tests/pfkey/shunt-policies-nat-rw/hosts/alice/etc/ipsec.conf
index 90a5d61b1..4c6e51df7 100644
--- a/testing/tests/pfkey/shunt-policies/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/pfkey/shunt-policies-nat-rw/hosts/alice/etc/ipsec.conf
@@ -8,7 +8,16 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
-	mobike=no
+
+conn nat-t
+	left=%any
+	leftcert=aliceCert.pem
+	leftid=alice@strongswan.org
+	leftsourceip=%config
+	right=PH_IP_SUN
+	rightid=@sun.strongswan.org
+	rightsubnet=0.0.0.0/0
+	auto=add
 
 conn local-net
 	leftsubnet=10.1.0.0/16
@@ -16,25 +25,3 @@ conn local-net
 	authby=never
 	type=pass
 	auto=route
-
-conn venus-icmp
-	leftsubnet=10.1.0.20/32
-	rightsubnet=0.0.0.0/0
-	leftprotoport=icmp
-	rightprotoport=icmp
-	leftauth=any
-	rightauth=any	
-	type=drop
-	auto=route
-
-conn net-net 
-	left=PH_IP_MOON
-	leftcert=moonCert.pem
-	leftid=@moon.strongswan.org
-	leftsubnet=10.1.0.0/16
-	leftfirewall=yes
-	lefthostaccess=yes
-	right=PH_IP_SUN
-	rightid=@sun.strongswan.org
-	rightsubnet=0.0.0.0/0
-	auto=add
diff --git a/testing/tests/pfkey/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf b/testing/tests/pfkey/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf
new file mode 100644
index 000000000..7e96bf1c4
--- /dev/null
+++ b/testing/tests/pfkey/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-pfkey kernel-netlink socket-default updown
+
+  keep_alive = 5
+}
diff --git a/testing/tests/pfkey/shunt-policies/hosts/sun/etc/ipsec.conf b/testing/tests/pfkey/shunt-policies-nat-rw/hosts/sun/etc/ipsec.conf
index cd8ea23c3..90a8ae26e 100644
--- a/testing/tests/pfkey/shunt-policies/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/pfkey/shunt-policies-nat-rw/hosts/sun/etc/ipsec.conf
@@ -6,17 +6,15 @@ conn %default
 	ikelifetime=60m
 	keylife=20m
 	rekeymargin=3m
-        keyingtries=1
+	keyingtries=1
 	keyexchange=ikev2
-	mobike=no
 
-conn net-net 
+conn nat-t
 	left=PH_IP_SUN
 	leftcert=sunCert.pem
 	leftid=@sun.strongswan.org
-	leftsubnet=0.0.0.0/0
 	leftfirewall=yes
-	right=PH_IP_MOON
-	rightid=@moon.strongswan.org
-	rightsubnet=10.1.0.0/16
+	leftsubnet=0.0.0.0/0
+	right=%any
+	rightsourceip=10.3.0.0/28
 	auto=add
diff --git a/testing/tests/pfkey/shunt-policies-nat-rw/hosts/sun/etc/iptables.rules b/testing/tests/pfkey/shunt-policies-nat-rw/hosts/sun/etc/iptables.rules
new file mode 100644
index 000000000..ae8f9a61e
--- /dev/null
+++ b/testing/tests/pfkey/shunt-policies-nat-rw/hosts/sun/etc/iptables.rules
@@ -0,0 +1,24 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/pfkey/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf b/testing/tests/pfkey/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..c0f605d26
--- /dev/null
+++ b/testing/tests/pfkey/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-pfkey kernel-netlink socket-default updown
+}
diff --git a/testing/tests/pfkey/shunt-policies-nat-rw/hosts/venus/etc/ipsec.conf b/testing/tests/pfkey/shunt-policies-nat-rw/hosts/venus/etc/ipsec.conf
new file mode 100644
index 000000000..ade641503
--- /dev/null
+++ b/testing/tests/pfkey/shunt-policies-nat-rw/hosts/venus/etc/ipsec.conf
@@ -0,0 +1,27 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn nat-t
+	left=%any
+	leftcert=venusCert.pem
+	leftid=@venus.strongswan.org
+	leftsourceip=%config
+	right=PH_IP_SUN
+	rightid=@sun.strongswan.org
+	rightsubnet=0.0.0.0/0
+	auto=add
+
+conn local-net
+	leftsubnet=10.1.0.0/16
+	rightsubnet=10.1.0.0/16
+	authby=never
+	type=pass
+	auto=route
diff --git a/testing/tests/pfkey/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf b/testing/tests/pfkey/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf
new file mode 100644
index 000000000..7e96bf1c4
--- /dev/null
+++ b/testing/tests/pfkey/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf
@@ -0,0 +1,7 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-pfkey kernel-netlink socket-default updown
+
+  keep_alive = 5
+}
diff --git a/testing/tests/pfkey/shunt-policies-nat-rw/posttest.dat b/testing/tests/pfkey/shunt-policies-nat-rw/posttest.dat
new file mode 100644
index 000000000..1ff2c0644
--- /dev/null
+++ b/testing/tests/pfkey/shunt-policies-nat-rw/posttest.dat
@@ -0,0 +1,5 @@
+sun::ipsec stop
+alice::ipsec stop
+venus::ipsec stop
+sun::iptables-restore < /etc/iptables.flush
+moon::iptables -t nat -F
diff --git a/testing/tests/pfkey/shunt-policies-nat-rw/pretest.dat b/testing/tests/pfkey/shunt-policies-nat-rw/pretest.dat
new file mode 100644
index 000000000..b96aa0ce7
--- /dev/null
+++ b/testing/tests/pfkey/shunt-policies-nat-rw/pretest.dat
@@ -0,0 +1,11 @@
+sun::iptables-restore < /etc/iptables.rules
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
+alice::ipsec start
+venus::ipsec start
+sun::ipsec start
+alice::expect-connection nat-t
+venus::expect-connection nat-t
+sun::expect-connection nat-t
+alice::ipsec up nat-t
+venus::ipsec up nat-t
+\ No newline at end of file
diff --git a/testing/tests/pfkey/shunt-policies/test.conf b/testing/tests/pfkey/shunt-policies-nat-rw/test.conf
index 6b7432ca6..bd82f03ad 100644
--- a/testing/tests/pfkey/shunt-policies/test.conf
+++ b/testing/tests/pfkey/shunt-policies-nat-rw/test.conf
@@ -5,17 +5,17 @@
 
 # All guest instances that are required for this test
 #
-VIRTHOSTS="alice moon winnetou sun bob"
+VIRTHOSTS="alice venus moon winnetou sun bob"
 
 # Corresponding block diagram
 #
 DIAGRAM="a-v-m-w-s-b.png"
- 
+
 # Guest instances on which tcpdump is to be started
 #
-TCPDUMPHOSTS="sun"
+TCPDUMPHOSTS="alice moon"
 
 # Guest instances on which IPsec is started
 # Used for IPsec logging purposes
 #
-IPSECHOSTS="moon sun"
+IPSECHOSTS="alice venus sun"
diff --git a/testing/tests/pfkey/shunt-policies/description.txt b/testing/tests/pfkey/shunt-policies/description.txt
deleted file mode 100644
index ad98eb8d5..000000000
--- a/testing/tests/pfkey/shunt-policies/description.txt
+++ /dev/null
@@ -1,11 +0,0 @@
-All traffic from the clients <b>alice</b> and <b>venus</b> is tunneled
-by default gateway <b>moon</b> to VPN gateway <b>sun</b>. In order to
-prevent local traffic within the <b>10.1.0.0/16</b> subnet to enter the
-tunnel, a <b>local-net</b> shunt policy with <b>type=pass</b> is set up.
-In order for the shunt to work, automatic route insertion must be disabled
-by adding <b>install_routes = no</b> to the charon section of <b>strongswan.conf</b>.
-<p/>
-In order to demonstrate the use of <b>type=drop</b> shunt policies, the
-<b>venus-icmp</b> connection prevents ICMP traffic to and from <b>venus</b>
-to use the IPsec tunnel by dropping such packets. Since this policy does not
-apply to the local net, <b>venus</b> and <b>moon</b> can still ping each other.
diff --git a/testing/tests/pfkey/shunt-policies/evaltest.dat b/testing/tests/pfkey/shunt-policies/evaltest.dat
deleted file mode 100644
index 6ba3a988f..000000000
--- a/testing/tests/pfkey/shunt-policies/evaltest.dat
+++ /dev/null
@@ -1,20 +0,0 @@
-moon:: ipsec status 2> /dev/null::local-net.*PASS::YES
-moon:: ipsec status 2> /dev/null::venus-icmp.*DROP::YES
-moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
-sun::  ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-sun::  ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
-alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES
-venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::NO
-venus::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES
-moon:: ping -c 1 -I PH_IP_MOON1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
-moon:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
-moon:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
-bob::  ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
-bob::  ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES
-bob::  ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
-sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
-sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
-venus::ssh PH_IP_BOB hostname::bob::YES
-bob::ssh PH_IP_VENUS hostname::venus::YES
diff --git a/testing/tests/pfkey/shunt-policies/hosts/moon/etc/iptables.rules b/testing/tests/pfkey/shunt-policies/hosts/moon/etc/iptables.rules
deleted file mode 100644
index af0f25209..000000000
--- a/testing/tests/pfkey/shunt-policies/hosts/moon/etc/iptables.rules
+++ /dev/null
@@ -1,32 +0,0 @@
-*filter
-
-# default policy is DROP
--P INPUT DROP
--P OUTPUT DROP
--P FORWARD DROP
-
-# allow esp
--A INPUT  -i eth0 -p 50 -j ACCEPT
--A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-# allow IKE
--A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
--A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-# allow MobIKE
--A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
--A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-# allow ssh
--A INPUT  -p tcp --dport 22 -j ACCEPT
--A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-# allow crl fetch from winnetou
--A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
--A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-# allow icmp in local net
--A INPUT  -i eth1 -p icmp -j ACCEPT
--A OUTPUT -o eth1 -p icmp -j ACCEPT
-
-COMMIT
diff --git a/testing/tests/pfkey/shunt-policies/posttest.dat b/testing/tests/pfkey/shunt-policies/posttest.dat
deleted file mode 100644
index 837738fc6..000000000
--- a/testing/tests/pfkey/shunt-policies/posttest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::ipsec stop
-sun::ipsec stop
-moon::iptables-restore < /etc/iptables.flush
-sun::iptables-restore < /etc/iptables.flush
-
diff --git a/testing/tests/pfkey/shunt-policies/pretest.dat b/testing/tests/pfkey/shunt-policies/pretest.dat
deleted file mode 100644
index c724e5df8..000000000
--- a/testing/tests/pfkey/shunt-policies/pretest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-sun::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-sun::ipsec start
-moon::sleep 1 
-moon::ipsec up net-net
author	Yves-Alexis Perez <corsac@debian.org>	2014-07-11 07:23:31 +0200
committer	Yves-Alexis Perez <corsac@debian.org>	2014-07-11 07:23:31 +0200
commit	81c63b0eed39432878f78727f60a1e7499645199 (patch)
tree	82387d8fecd1c20788fd8bd784a9b0bde091fb6b /testing/tests/pfkey
parent	c5ebfc7b9c16551fe825dc1d79c3f7e2f096f6c9 (diff)
download	vyos-strongswan-81c63b0eed39432878f78727f60a1e7499645199.tar.gz vyos-strongswan-81c63b0eed39432878f78727f60a1e7499645199.zip