author | Yves-Alexis Perez <corsac@debian.org> | 2014-07-11 07:23:31 +0200 |
committer | Yves-Alexis Perez <corsac@debian.org> | 2014-07-11 07:23:31 +0200 |
commit | 81c63b0eed39432878f78727f60a1e7499645199 (patch) | |
tree | 82387d8fecd1c20788fd8bd784a9b0bde091fb6b /testing/tests/sql/shunt-policies-nat-rw | |
parent | c5ebfc7b9c16551fe825dc1d79c3f7e2f096f6c9 (diff) | |
Imported Upstream version 5.2.0
Diffstat (limited to 'testing/tests/sql/shunt-policies-nat-rw')
18 files changed, 740 insertions, 0 deletions
diff --git a/testing/tests/sql/shunt-policies-nat-rw/description.txt b/testing/tests/sql/shunt-policies-nat-rw/description.txt
new file mode 100644
index 000000000..7d9ebfd90
--- /dev/null
+++ b/testing/tests/sql/shunt-policies-nat-rw/description.txt
@@ -0,0 +1,7 @@
+The roadwarriors <b>alice</b> and <b>venus</b> sitting behind the NAT router <b>moon</b> set up
+tunnels to gateway <b>sun</b>. They tunnel all traffic to the gateway. In order to prevent
+local traffic within the <b>10.1.0.0/16</b> subnet to enter the tunnel, both set up a <b>local-net</b>
+shunt policy with <b>type=pass</b>.
+<p/>
+In order to test the tunnel, the NAT-ed hosts <b>alice</b> and <b>venus</b>
+ping each other and the client <b>bob</b> behind the gateway <b>sun</b>.
diff --git a/testing/tests/sql/shunt-policies-nat-rw/evaltest.dat b/testing/tests/sql/shunt-policies-nat-rw/evaltest.dat
new file mode 100644
index 000000000..4d36673dc
--- /dev/null
+++ b/testing/tests/sql/shunt-policies-nat-rw/evaltest.dat
@@ -0,0 +1,12 @@
+alice::ipsec status 2> /dev/null::local-net.*PASS::YES
+venus::ipsec status 2> /dev/null::local-net.*PASS::YES
+alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*sun.strongswan.org::YES
+venus::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*venus.strongswan.org.*sun.strongswan.org::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+alice::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+venus::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.4500: UDP-encap: ESP::YES
+moon::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.*: UDP-encap: ESP::YES
+alice::tcpdump::IP alice.strongswan.org > venus.strongswan.org: ICMP::YES
+alice::tcpdump::IP venus.strongswan.org > alice.strongswan.org: ICMP::YES
\ No newline at end of file
diff --git a/testing/tests/sql/shunt-policies-nat-rw/hosts/alice/etc/ipsec.conf b/testing/tests/sql/shunt-policies-nat-rw/hosts/alice/etc/ipsec.conf
new file mode 100644
index 000000000..50eccad21
--- /dev/null
+++ b/testing/tests/sql/shunt-policies-nat-rw/hosts/alice/etc/ipsec.conf
@@ -0,0 +1,3 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/shunt-policies-nat-rw/hosts/alice/etc/ipsec.d/data.sql b/testing/tests/sql/shunt-policies-nat-rw/hosts/alice/etc/ipsec.d/data.sql
new file mode 100644
index 000000000..b1f5c7d10
--- /dev/null
+++ b/testing/tests/sql/shunt-policies-nat-rw/hosts/alice/etc/ipsec.d/data.sql
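Review bot: The four ping assertions in evaltest.dat match `icmp_req=1`, which pins the test to one ping implementation's output wording; a guest image whose ping prints `icmp_seq=1` would fail these lines although the tunnel and the shunt work. A pattern that accepts both spellings, `alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_[rs]eq=1::YES` (and likewise for the other three lines), keeps the check independent of the tool version. Whether the testing guests ever ship a ping with the other spelling is not visible here, so treat this as hardening rather than a current failure.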
@@ -0,0 +1,199 @@
+/* Identities */
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */
+ 9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+ 11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+ 11, X'ae096b87b44886d3b820978623dabd0eae22ebbc'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* alice@strongswan.org */
+ 3, X'616c696365407374726f6e677377616e2e6f7267'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* sun.strongswan.org */
+ 2, X'73756e2e7374726f6e677377616e2e6f7267'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, OU=Sales, CN=alice@strongswan.org' */
+ 11, X'05da04208c02f428470acf6c772d066613da863c'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* %any */
+ 0, '%any'
+);
+
+/* Certificates */
+
+INSERT INTO certificates (
+ type, keytype, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */
+ 1, 1, X'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'
+);
+
+INSERT INTO certificates (
+ type, keytype, data
+) VALUES ( /* C=CH, O=Linux strongSwan, OU=Sales, CN=alice@strongswan.org */
+ 1, 1, X'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'
+);
+
+INSERT INTO certificate_identity (
+ certificate, identity
+) VALUES (
+ 1, 1
+);
+
+INSERT INTO certificate_identity (
+ certificate, identity
+) VALUES (
+ 1, 2
+);
+
+INSERT INTO certificate_identity (
+ certificate, identity
+) VALUES (
+ 1, 3
+);
+
+INSERT INTO certificate_identity (
+ certificate, identity
+) VALUES (
+ 2, 4
+);
+
+INSERT INTO certificate_identity (
+ certificate, identity
+) VALUES (
+ 2, 6
+);
+
+/* Private Keys */
+
+INSERT INTO private_keys (
+ type, data
+) VALUES ( /* key of 'C=CH, O=Linux strongSwan, OU=Sales, CN=alice@strongswan.org' */
+ 1, X'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'
+);
+
+INSERT INTO private_key_identity (
+ private_key, identity
+) VALUES (
+ 1, 4
+);
+
+INSERT INTO private_key_identity (
+ private_key, identity
+) VALUES (
+ 1, 6
+);
+
+/* Configurations */
+
+INSERT INTO ike_configs (
+ local, remote
+) VALUES (
+ 'PH_IP_ALICE', 'PH_IP_SUN'
+);
+
+INSERT INTO ike_configs (
+ local, remote
+) VALUES (
+ '%any', '%any'
+);
+
+INSERT INTO peer_configs (
+ name, ike_cfg, local_id, remote_id, virtual
+) VALUES (
+ 'nat-t', 1, 4, 5, '0.0.0.0'
+);
+
+INSERT INTO peer_configs (
+ name, ike_cfg, local_id, remote_id, auth_method
+) VALUES (
+ 'shunts', 2, 7, 7, 0
+);
+
+INSERT INTO child_configs (
+ name
+) VALUES (
+ 'nat-t'
+);
+
+INSERT INTO child_configs (
+ name, mode, start_action
+) VALUES (
+ 'local-net', 4, 1
+);
+
+INSERT INTO peer_config_child_config (
+ peer_cfg, child_cfg
+) VALUES (
+ 1, 1
+);
+
+INSERT INTO peer_config_child_config (
+ peer_cfg, child_cfg
+) VALUES (
+ 2, 2
+);
+
+INSERT INTO traffic_selectors (
+ type, start_addr, end_addr
+) VALUES ( /* 10.1.0.0/16 */
+ 7, X'0a010000', X'0a01ffff'
+);
+
+INSERT INTO traffic_selectors (
+ type, start_addr, end_addr
+) VALUES ( /* 0.0.0.0/0 */
+ 7, X'00000000', X'ffffffff'
+);
+
+INSERT INTO traffic_selectors (
+ type
+) VALUES ( /* dynamic/32 */
+ 7
+);
+
+INSERT INTO child_config_traffic_selector (
+ child_cfg, traffic_selector, kind
+) VALUES (
+ 1, 2, 1
+);
+
+INSERT INTO child_config_traffic_selector (
+ child_cfg, traffic_selector, kind
+) VALUES (
+ 1, 3, 2
+);
+
+INSERT INTO child_config_traffic_selector (
+ child_cfg, traffic_selector, kind
+) VALUES (
+ 2, 1, 0
+);
+
+INSERT INTO child_config_traffic_selector (
+ child_cfg, traffic_selector, kind
+) VALUES (
+ 2, 1, 1
+);
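Review bot: The enum-valued columns in alice's data.sql (identities.type 0/2/3/9/11, child_configs.mode 4 with start_action 1 for `local-net`, traffic_selectors.type 7, and child_config_traffic_selector.kind 0–3) are bare integers, so a reader cannot confirm from the fixture alone that `local-net` is the pass shunt the description promises; only the `'%any'` identity row is annotated. A comment on each such row would make the fixture self-describing, e.g. `'local-net', 4, 1 /* mode 4 = MODE_PASS, start_action 1 = ACTION_ROUTE */` and, above the identities block, `/* type: 0 = ID_ANY, 2 = ID_FQDN, 3 = ID_RFC822_ADDR, 9 = ID_DER_ASN1_DN, 11 = ID_KEY_ID */`. The kind column appears to encode 0 = local, 1 = remote, 2 = local dynamic, 3 = remote dynamic (alice attaches the dynamic selector with kind 2 where sun's data.sql uses kind 3 for the same selector, matching the virtual-IP direction), which is worth stating the same way — confirm against the sql plugin's loader before committing the wording. The same applies to the sun and venus data.sql hunks.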
diff --git a/testing/tests/sql/shunt-policies-nat-rw/hosts/alice/etc/ipsec.secrets b/testing/tests/sql/shunt-policies-nat-rw/hosts/alice/etc/ipsec.secrets
new file mode 100644
index 000000000..76bb21bea
--- /dev/null
+++ b/testing/tests/sql/shunt-policies-nat-rw/hosts/alice/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+# secrets are read from SQLite database
diff --git a/testing/tests/sql/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf b/testing/tests/sql/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf
new file mode 100644
index 000000000..2f01cdcce
--- /dev/null
+++ b/testing/tests/sql/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf
@@ -0,0 +1,12 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ plugins {
+ sql {
+ database = sqlite:///etc/ipsec.d/ipsec.db
+ }
+ }
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+
+ keep_alive = 5
+}
diff --git a/testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/ipsec.conf b/testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/ipsec.conf
new file mode 100644
index 000000000..50eccad21
--- /dev/null
+++ b/testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,3 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/ipsec.d/data.sql b/testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/ipsec.d/data.sql
new file mode 100644
index 000000000..4e9975912
--- /dev/null
+++ b/testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/ipsec.d/data.sql
@@ -0,0 +1,195 @@
+/* Identities */
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */
+ 9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+ 11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+ 11, X'ae096b87b44886d3b820978623dabd0eae22ebbc'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* sun.strongswan.org */
+ 2, X'73756e2e7374726f6e677377616e2e6f7267'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=sun.strongswan.org' */
+ 11, X'56d69e2fdaa8a1cd195c2353e7c5b67096e30bfb'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* %any */
+ 0, '%any'
+);
+
+/* Certificates */
+
+INSERT INTO certificates (
+ type, keytype, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */
+ 1, 1, X'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'
+);
+
+INSERT INTO certificates (
+ type, keytype, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=sun.strongswan.org */
+ 1, 1, X'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'
+);
+
+INSERT INTO certificate_identity (
+ certificate, identity
+) VALUES (
+ 1, 1
+);
+
+INSERT INTO certificate_identity (
+ certificate, identity
+) VALUES (
+ 1, 2
+);
+
+INSERT INTO certificate_identity (
+ certificate, identity
+) VALUES (
+ 1, 3
+);
+
+INSERT INTO certificate_identity (
+ certificate, identity
+) VALUES (
+ 2, 4
+);
+
+INSERT INTO certificate_identity (
+ certificate, identity
+) VALUES (
+ 2, 5
+);
+
+/* Private Keys */
+
+INSERT INTO private_keys (
+ type, data
+) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=sun.strongswan.org' */
+ 1, X'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'
+);
+
+INSERT INTO private_key_identity (
+ private_key, identity
+) VALUES (
+ 1, 4
+);
+
+INSERT INTO private_key_identity (
+ private_key, identity
+) VALUES (
+ 1, 5
+);
+
+/* Configurations */
+
+INSERT INTO ike_configs (
+ local, remote
+) VALUES (
+ 'PH_IP_SUN', '0.0.0.0'
+);
+
+INSERT INTO peer_configs (
+ name, ike_cfg, local_id, remote_id, pool
+) VALUES (
+ 'nat-t', 1, 4, 6, 'vips'
+);
+
+INSERT INTO child_configs (
+ name, updown
+) VALUES (
+ 'nat-t', 'ipsec _updown iptables'
+);
+
+INSERT INTO peer_config_child_config (
+ peer_cfg, child_cfg
+) VALUES (
+ 1, 1
+);
+
+INSERT INTO traffic_selectors (
+ type, start_addr, end_addr
+) VALUES ( /* 0.0.0.0/0 */
+ 7, X'00000000', X'ffffffff'
+);
+
+INSERT INTO traffic_selectors (
+ type
+) VALUES ( /* dynamic/32 */
+ 7
+);
+
+INSERT INTO child_config_traffic_selector (
+ child_cfg, traffic_selector, kind
+) VALUES (
+ 1, 1, 0
+);
+
+INSERT INTO child_config_traffic_selector (
+ child_cfg, traffic_selector, kind
+) VALUES (
+ 1, 2, 3
+);
+
+/* Pools */
+
+INSERT INTO pools (
+ name, start, end, timeout
+) VALUES (
+ 'vips', X'0a030001', X'0a030006', 0
+);
+
+INSERT INTO addresses (
+ pool, address
+) VALUES (
+ 1, X'0a030001'
+);
+
+INSERT INTO addresses (
+ pool, address
+) VALUES (
+ 1, X'0a030002'
+);
+
+INSERT INTO addresses (
+ pool, address
+) VALUES (
+ 1, X'0a030003'
+);
+
+INSERT INTO addresses (
+ pool, address
+) VALUES (
+ 1, X'0a030004'
+);
+
+INSERT INTO addresses (
+ pool, address
+) VALUES (
+ 1, X'0a030005'
+);
+
+INSERT INTO addresses (
+ pool, address
+) VALUES (
+ 1, X'0a030006'
+);
diff --git a/testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/ipsec.secrets b/testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/ipsec.secrets
new file mode 100644
index 000000000..76bb21bea
--- /dev/null
+++ b/testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+# secrets are read from SQLite database
diff --git a/testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/iptables.rules b/testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/iptables.rules
new file mode 100644
index 000000000..ae8f9a61e
--- /dev/null
+++ b/testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/iptables.rules
@@ -0,0 +1,24 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow IKE
+-A INPUT -i eth0 -p udp --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf b/testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..16e934968
--- /dev/null
+++ b/testing/tests/sql/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,13 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ plugins {
+ sql {
+ database = sqlite:///etc/ipsec.d/ipsec.db
+ }
+ attr-sql {
+ database = sqlite:///etc/ipsec.d/ipsec.db
+ }
+ }
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql attr-sql
+}
diff --git a/testing/tests/sql/shunt-policies-nat-rw/hosts/venus/etc/ipsec.conf b/testing/tests/sql/shunt-policies-nat-rw/hosts/venus/etc/ipsec.conf
new file mode 100644
index 000000000..50eccad21
--- /dev/null
+++ b/testing/tests/sql/shunt-policies-nat-rw/hosts/venus/etc/ipsec.conf
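Review bot: The `# allow MobIKE` comment in sun's iptables.rules under-describes the UDP 4500 rules: in this test the roadwarriors sit behind moon's NAT and evaltest.dat expects `UDP-encap: ESP` on port 4500, so these two rules are what admit the NAT-T IKE exchange, the NAT keepalives and the UDP-encapsulated ESP itself, not only MobIKE. A comment such as `# allow NAT-T: IKE and UDP-encapsulated ESP on port 4500 (also used by MobIKE)` records why removing them would break the tunnel. It is also worth a line noting that with `-P FORWARD DROP` the forwarding of tunnelled traffic to bob relies on the per-SA rules that sun's child config installs via `'ipsec _updown iptables'` (presumably — the updown script is outside this diff). The ssh rules are the only ones without an interface restriction; if that is deliberate for the test harness, say so in the comment.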
@@ -0,0 +1,3 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/shunt-policies-nat-rw/hosts/venus/etc/ipsec.d/data.sql b/testing/tests/sql/shunt-policies-nat-rw/hosts/venus/etc/ipsec.d/data.sql
new file mode 100644
index 000000000..e00d00e34
--- /dev/null
+++ b/testing/tests/sql/shunt-policies-nat-rw/hosts/venus/etc/ipsec.d/data.sql
@@ -0,0 +1,199 @@
+/* Identities */
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */
+ 9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+ 11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+ 11, X'ae096b87b44886d3b820978623dabd0eae22ebbc'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* venus.strongswan.org */
+ 2, X'76656e75732e7374726f6e677377616e2e6f7267'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* sun.strongswan.org */
+ 2, X'73756e2e7374726f6e677377616e2e6f7267'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=venus.strongswan.org' */
+ 11, X'8f5c0a6cb147fc1b51708046e0636c7a54012d67'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* %any */
+ 0, '%any'
+);
+
+/* Certificates */
+
+INSERT INTO certificates (
+ type, keytype, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */
+ 1, 1, X'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'
+);
+
+INSERT INTO certificates (
+ type, keytype, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=venus.strongswan.org */
+ 1, 1, X'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'
+);
+
+INSERT INTO certificate_identity (
+ certificate, identity
+) VALUES (
+ 1, 1
+);
+
+INSERT INTO certificate_identity (
+ certificate, identity
+) VALUES (
+ 1, 2
+);
+
+INSERT INTO certificate_identity (
+ certificate, identity
+) VALUES (
+ 1, 3
+);
+
+INSERT INTO certificate_identity (
+ certificate, identity
+) VALUES (
+ 2, 4
+);
+
+INSERT INTO certificate_identity (
+ certificate, identity
+) VALUES (
+ 2, 6
+);
+
+/* Private Keys */
+
+INSERT INTO private_keys (
+ type, data
+) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=venus.strongswan.org' */
+ 1, X'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'
+);
+
+INSERT INTO private_key_identity (
+ private_key, identity
+) VALUES (
+ 1, 4
+);
+
+INSERT INTO private_key_identity (
+ private_key, identity
+) VALUES (
+ 1, 6
+);
+
+/* Configurations */
+
+INSERT INTO ike_configs (
+ local, remote
+) VALUES (
+ 'PH_IP_VENUS', 'PH_IP_SUN'
+);
+
+INSERT INTO ike_configs (
+ local, remote
+) VALUES (
+ '%any', '%any'
+);
+
+INSERT INTO peer_configs (
+ name, ike_cfg, local_id, remote_id, virtual
+) VALUES (
+ 'nat-t', 1, 4, 5, '0.0.0.0'
+);
+
+INSERT INTO peer_configs (
+ name, ike_cfg, local_id, remote_id, auth_method
+) VALUES (
+ 'shunts', 2, 7, 7, 0
+);
+
+INSERT INTO child_configs (
+ name
+) VALUES (
+ 'nat-t'
+);
+
+INSERT INTO child_configs (
+ name, mode, start_action
+) VALUES (
+ 'local-net', 4, 1
+);
+
+INSERT INTO peer_config_child_config (
+ peer_cfg, child_cfg
+) VALUES (
+ 1, 1
+);
+
+INSERT INTO peer_config_child_config (
+ peer_cfg, child_cfg
+) VALUES (
+ 2, 2
+);
+
+INSERT INTO traffic_selectors (
+ type, start_addr, end_addr
+) VALUES ( /* 10.1.0.0/16 */
+ 7, X'0a010000', X'0a01ffff'
+);
+
+INSERT INTO traffic_selectors (
+ type, start_addr, end_addr
+) VALUES ( /* 0.0.0.0/0 */
+ 7, X'00000000', X'ffffffff'
+);
+
+INSERT INTO traffic_selectors (
+ type
+) VALUES ( /* dynamic/32 */
+ 7
+);
+
+INSERT INTO child_config_traffic_selector (
+ child_cfg, traffic_selector, kind
+) VALUES (
+ 1, 2, 1
+);
+
+INSERT INTO child_config_traffic_selector (
+ child_cfg, traffic_selector, kind
+) VALUES (
+ 1, 3, 2
+);
+
+INSERT INTO child_config_traffic_selector (
+ child_cfg, traffic_selector, kind
+) VALUES (
+ 2, 1, 0
+);
+
+INSERT INTO child_config_traffic_selector (
+ child_cfg, traffic_selector, kind
+) VALUES (
+ 2, 1, 1
+);
diff --git a/testing/tests/sql/shunt-policies-nat-rw/hosts/venus/etc/ipsec.secrets b/testing/tests/sql/shunt-policies-nat-rw/hosts/venus/etc/ipsec.secrets
new file mode 100644
index 000000000..76bb21bea
--- /dev/null
+++ b/testing/tests/sql/shunt-policies-nat-rw/hosts/venus/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+# secrets are read from SQLite database
diff --git a/testing/tests/sql/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf b/testing/tests/sql/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf
new file mode 100644
index 000000000..2f01cdcce
--- /dev/null
+++ b/testing/tests/sql/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf
@@ -0,0 +1,12 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ plugins {
+ sql {
+ database = sqlite:///etc/ipsec.d/ipsec.db
+ }
+ }
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite sql
+
+ keep_alive = 5
+}
diff --git a/testing/tests/sql/shunt-policies-nat-rw/posttest.dat b/testing/tests/sql/shunt-policies-nat-rw/posttest.dat
new file mode 100644
index 000000000..f410dd776
--- /dev/null
+++ b/testing/tests/sql/shunt-policies-nat-rw/posttest.dat
@@ -0,0 +1,8 @@
+sun::ipsec stop
+alice::ipsec stop
+venus::ipsec stop
+sun::iptables-restore < /etc/iptables.flush
+alice::rm /etc/ipsec.d/ipsec.*
+venus::rm /etc/ipsec.d/ipsec.*
+sun::rm /etc/ipsec.d/ipsec.*
+moon::iptables -t nat -F
\ No newline at end of file
diff --git a/testing/tests/sql/shunt-policies-nat-rw/pretest.dat b/testing/tests/sql/shunt-policies-nat-rw/pretest.dat
new file mode 100644
index 000000000..0314e7ad1
--- /dev/null
+++ b/testing/tests/sql/shunt-policies-nat-rw/pretest.dat
@@ -0,0 +1,20 @@
+alice::rm /etc/ipsec.d/cacerts/*
+venus::rm /etc/ipsec.d/cacerts/*
+sun::rm /etc/ipsec.d/cacerts/*
+alice::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+venus::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+sun::cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+alice::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+venus::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+sun::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+sun::iptables-restore < /etc/iptables.rules
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100
+alice::ipsec start
+venus::ipsec start
+sun::ipsec start
+alice::expect-connection nat-t
+venus::expect-connection nat-t
+sun::expect-connection nat-t
+alice::ipsec up nat-t
+venus::ipsec up nat-t
\ No newline at end of file
diff --git a/testing/tests/sql/shunt-policies-nat-rw/test.conf b/testing/tests/sql/shunt-policies-nat-rw/test.conf
new file mode 100644
index 000000000..bd82f03ad
--- /dev/null
+++ b/testing/tests/sql/shunt-policies-nat-rw/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice venus moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-w-s-b.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="alice moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="alice venus sun" |
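Review bot: The three `cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db` lines in pretest.dat create the database that now holds each host's private key (the private_keys rows in the data.sql files) without ever setting its mode, and the intermediate ipsec.sql copy carries the same key in the clear; unless the guests' umask is restrictive, both files are created world-readable. A redirect avoids the needless cat and a following chmod closes the window, e.g. `alice::sqlite3 /etc/ipsec.d/ipsec.db < /etc/ipsec.d/ipsec.sql` and `alice::chmod 600 /etc/ipsec.d/ipsec.db /etc/ipsec.d/ipsec.sql`, repeated for venus and sun. posttest.dat does remove `/etc/ipsec.d/ipsec.*` on all three hosts, so the exposure is bounded by the test run; whether charon is required to open the database read-write, which would constrain the ownership, is not visible here.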