diff options
author | Rene Mayrhofer <rene@mayrhofer.eu.org> | 2009-06-23 11:25:24 +0000 |
---|---|---|
committer | Rene Mayrhofer <rene@mayrhofer.eu.org> | 2009-06-23 11:25:24 +0000 |
commit | 41787e147279ff0695e9d759487266a60b80867b (patch) | |
tree | 8f28566c8fd7106c80d2536d2df540dbb4499cc5 /testing/tests | |
parent | c3e7f611ea8273c6b3909cb006ade4903a74aad0 (diff) | |
download | vyos-strongswan-41787e147279ff0695e9d759487266a60b80867b.tar.gz vyos-strongswan-41787e147279ff0695e9d759487266a60b80867b.zip |
[svn-upgrade] Integrating new upstream version, strongswan (4.3.2)
Diffstat (limited to 'testing/tests')
412 files changed, 3042 insertions, 416 deletions
diff --git a/testing/tests/gcrypt-ikev1/alg-serpent/description.txt b/testing/tests/gcrypt-ikev1/alg-serpent/description.txt new file mode 100644 index 000000000..604fb45df --- /dev/null +++ b/testing/tests/gcrypt-ikev1/alg-serpent/description.txt @@ -0,0 +1,4 @@ +Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the strong cipher suite +<b>SERPENT_CBC_256 / HMAC_SHA2_512 / MODP_4096</b> for the IKE protocol and +<b>SERPENT_CBC_256 / HMAC_SHA2_256 </b> for ESP packets. A ping from <b>carol</b> to +<b>alice</b> successfully checks the established tunnel. diff --git a/testing/tests/gcrypt-ikev1/alg-serpent/evaltest.dat b/testing/tests/gcrypt-ikev1/alg-serpent/evaltest.dat new file mode 100644 index 000000000..2be8f675f --- /dev/null +++ b/testing/tests/gcrypt-ikev1/alg-serpent/evaltest.dat @@ -0,0 +1,10 @@ +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +carol::ipsec statusall::IKE proposal: SERPENT_CBC_256/HMAC_SHA2_512/MODP_4096::YES +moon::ipsec statusall::IKE proposal: SERPENT_CBC_256/HMAC_SHA2_512/MODP_4096::YES +carol::ipsec statusall::ESP proposal: SERPENT_CBC_256/HMAC_SHA2_256::YES +moon::ipsec statusall::ESP proposal: SERPENT_CBC_256/HMAC_SHA2_256::YES +carol::ip xfrm state::enc cbc(serpent)::YES +moon::ip xfrm state::enc cbc(serpent)::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES + diff --git a/testing/tests/ikev1/alg-serpent/hosts/carol/etc/ipsec.conf b/testing/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/ipsec.conf index b050f022a..b050f022a 100755 --- a/testing/tests/ikev1/alg-serpent/hosts/carol/etc/ipsec.conf +++ b/testing/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/ipsec.conf diff --git a/testing/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..0c6fd2c9f --- /dev/null +++ b/testing/tests/gcrypt-ikev1/alg-serpent/hosts/carol/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = gcrypt hmac pubkey curl +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/alg-serpent/hosts/moon/etc/ipsec.conf b/testing/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/ipsec.conf index 75830f043..75830f043 100755 --- a/testing/tests/ikev1/alg-serpent/hosts/moon/etc/ipsec.conf +++ b/testing/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/ipsec.conf diff --git a/testing/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..0c6fd2c9f --- /dev/null +++ b/testing/tests/gcrypt-ikev1/alg-serpent/hosts/moon/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = gcrypt hmac pubkey curl +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/alg-serpent/posttest.dat b/testing/tests/gcrypt-ikev1/alg-serpent/posttest.dat index c6d6235f9..c6d6235f9 100644 --- a/testing/tests/ikev1/alg-serpent/posttest.dat +++ b/testing/tests/gcrypt-ikev1/alg-serpent/posttest.dat diff --git a/testing/tests/ikev1/alg-serpent/pretest.dat b/testing/tests/gcrypt-ikev1/alg-serpent/pretest.dat index 6d2eeb5f9..6d2eeb5f9 100644 --- a/testing/tests/ikev1/alg-serpent/pretest.dat +++ b/testing/tests/gcrypt-ikev1/alg-serpent/pretest.dat diff --git a/testing/tests/ikev1/alg-serpent/test.conf b/testing/tests/gcrypt-ikev1/alg-serpent/test.conf index a6c8f026c..a6c8f026c 100644 --- a/testing/tests/ikev1/alg-serpent/test.conf +++ b/testing/tests/gcrypt-ikev1/alg-serpent/test.conf diff --git a/testing/tests/gcrypt-ikev1/alg-twofish/description.txt b/testing/tests/gcrypt-ikev1/alg-twofish/description.txt new file mode 100644 index 000000000..b65ea7b8d --- /dev/null +++ b/testing/tests/gcrypt-ikev1/alg-twofish/description.txt @@ -0,0 +1,4 @@ +Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the strong cipher suite +<b>TWOFISH_CBC_256 / HMAC_SHA2_512 / MODP_4096</b> for the IKE protocol and +<b>TWOFISH_CBC_256 / HMAC_SHA2_256</b> for ESP packets. A ping from <b>carol</b> to +<b>alice</b> successfully checks the established tunnel. diff --git a/testing/tests/gcrypt-ikev1/alg-twofish/evaltest.dat b/testing/tests/gcrypt-ikev1/alg-twofish/evaltest.dat new file mode 100644 index 000000000..34c9d1c65 --- /dev/null +++ b/testing/tests/gcrypt-ikev1/alg-twofish/evaltest.dat @@ -0,0 +1,10 @@ +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +carol::ipsec statusall::IKE proposal: TWOFISH_CBC_256/HMAC_SHA2_512/MODP_4096::YES +moon::ipsec statusall::IKE proposal: TWOFISH_CBC_256/HMAC_SHA2_512/MODP_4096::YES +carol::ipsec statusall::ESP proposal: TWOFISH_CBC_256/HMAC_SHA2_256::YES +moon::ipsec statusall::ESP proposal: TWOFISH_CBC_256/HMAC_SHA2_256::YES +carol::ip xfrm state::enc cbc(twofish)::YES +moon::ip xfrm state::enc cbc(twofish)::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES + diff --git a/testing/tests/ikev1/alg-twofish/hosts/carol/etc/ipsec.conf b/testing/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/ipsec.conf index 71ed47519..71ed47519 100755 --- a/testing/tests/ikev1/alg-twofish/hosts/carol/etc/ipsec.conf +++ b/testing/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/ipsec.conf diff --git a/testing/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..0c6fd2c9f --- /dev/null +++ b/testing/tests/gcrypt-ikev1/alg-twofish/hosts/carol/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = gcrypt hmac pubkey curl +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/alg-twofish/hosts/moon/etc/ipsec.conf b/testing/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/ipsec.conf index ba739f887..ba739f887 100755 --- a/testing/tests/ikev1/alg-twofish/hosts/moon/etc/ipsec.conf +++ b/testing/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/ipsec.conf diff --git a/testing/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..0c6fd2c9f --- /dev/null +++ b/testing/tests/gcrypt-ikev1/alg-twofish/hosts/moon/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = gcrypt hmac pubkey curl +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/alg-sha-equals-sha1/posttest.dat b/testing/tests/gcrypt-ikev1/alg-twofish/posttest.dat index c6d6235f9..c6d6235f9 100644 --- a/testing/tests/ikev1/alg-sha-equals-sha1/posttest.dat +++ b/testing/tests/gcrypt-ikev1/alg-twofish/posttest.dat diff --git a/testing/tests/ikev1/alg-sha-equals-sha1/pretest.dat b/testing/tests/gcrypt-ikev1/alg-twofish/pretest.dat index 7d077c126..7d077c126 100644 --- a/testing/tests/ikev1/alg-sha-equals-sha1/pretest.dat +++ b/testing/tests/gcrypt-ikev1/alg-twofish/pretest.dat diff --git a/testing/tests/ikev1/alg-sha-equals-sha1/test.conf b/testing/tests/gcrypt-ikev1/alg-twofish/test.conf index a6c8f026c..a6c8f026c 100644 --- a/testing/tests/ikev1/alg-sha-equals-sha1/test.conf +++ b/testing/tests/gcrypt-ikev1/alg-twofish/test.conf diff --git a/testing/tests/gcrypt-ikev1/rw-cert/description.txt b/testing/tests/gcrypt-ikev1/rw-cert/description.txt new file mode 100644 index 000000000..f60f5b1ad --- /dev/null +++ b/testing/tests/gcrypt-ikev1/rw-cert/description.txt @@ -0,0 +1,12 @@ +The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>gcrypt</b> +plugin based on the <b>GNU Libgcrypt</b> library for all cryptographical functions +whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b> cryptographical +plugins <b>aes des sha1 sha2 md5 gmp</b>. +<p> +The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each +to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>. +Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b> +automatically inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping +the client <b>alice</b> behind the gateway <b>moon</b>. + diff --git a/testing/tests/gcrypt-ikev1/rw-cert/evaltest.dat b/testing/tests/gcrypt-ikev1/rw-cert/evaltest.dat new file mode 100644 index 000000000..1a9b9159f --- /dev/null +++ b/testing/tests/gcrypt-ikev1/rw-cert/evaltest.dat @@ -0,0 +1,10 @@ +moon::ipsec statusall::IPsec SA established::YES +carol::ipsec statusall::IPsec SA established::YES +dave::ipsec statusall::IPsec SA established::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES + diff --git a/testing/tests/ikev1/alg-sha-equals-sha1/hosts/carol/etc/ipsec.conf b/testing/tests/gcrypt-ikev1/rw-cert/hosts/carol/etc/ipsec.conf index 40d31c0ac..80dae3719 100755 --- a/testing/tests/ikev1/alg-sha-equals-sha1/hosts/carol/etc/ipsec.conf +++ b/testing/tests/gcrypt-ikev1/rw-cert/hosts/carol/etc/ipsec.conf @@ -1,25 +1,25 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug="control crypt" - crlcheckinterval=180 + crlcheckinterval=180 strictcrlpolicy=no charonstart=no + plutodebug=control conn %default ikelifetime=60m keylife=20m rekeymargin=3m keyingtries=1 - ike=aes128-sha1-modp1536! - esp=aes128-sha! + keyexchange=ikev1 + ike=3des-sha1-modp1536! conn home left=PH_IP_CAROL leftcert=carolCert.pem leftid=carol@strongswan.org + leftfirewall=yes right=PH_IP_MOON - rightsubnet=10.1.0.0/16 rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 auto=add - diff --git a/testing/tests/gcrypt-ikev1/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/rw-cert/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..0840260c3 --- /dev/null +++ b/testing/tests/gcrypt-ikev1/rw-cert/hosts/carol/etc/strongswan.conf @@ -0,0 +1,14 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = test-vectors gcrypt pubkey hmac curl +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no + crypto_test { + on_add = yes + } +} diff --git a/testing/tests/gcrypt-ikev1/rw-cert/hosts/dave/etc/ipsec.conf b/testing/tests/gcrypt-ikev1/rw-cert/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..73167caad --- /dev/null +++ b/testing/tests/gcrypt-ikev1/rw-cert/hosts/dave/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + plutodebug=control + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + ike=aes256-sha256-modp2048! + +conn home + left=PH_IP_DAVE + leftcert=daveCert.pem + leftid=dave@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/gcrypt-ikev1/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/rw-cert/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..fdfb0003f --- /dev/null +++ b/testing/tests/gcrypt-ikev1/rw-cert/hosts/dave/etc/strongswan.conf @@ -0,0 +1,15 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = test-vectors aes des sha1 sha2 md5 gmp pubkey random hmac curl +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no + crypto_test { + required = yes + on_add = yes + } +} diff --git a/testing/tests/ikev1/alg-sha-equals-sha1/hosts/moon/etc/ipsec.conf b/testing/tests/gcrypt-ikev1/rw-cert/hosts/moon/etc/ipsec.conf index 1461f7933..f365b07da 100755 --- a/testing/tests/ikev1/alg-sha-equals-sha1/hosts/moon/etc/ipsec.conf +++ b/testing/tests/gcrypt-ikev1/rw-cert/hosts/moon/etc/ipsec.conf @@ -1,25 +1,24 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug="control crypt" - crlcheckinterval=180 + crlcheckinterval=180 strictcrlpolicy=no charonstart=no + plutodebug=control conn %default ikelifetime=60m keylife=20m rekeymargin=3m keyingtries=1 - ike=aes128-sha1-modp1536! - esp=aes128-sha! + keyexchange=ikev1 + ike=aes256-sha256-modp2048,3des-sha1-modp1536! conn rw left=PH_IP_MOON leftcert=moonCert.pem leftid=@moon.strongswan.org leftsubnet=10.1.0.0/16 + leftfirewall=yes right=%any - rightid=carol@strongswan.org auto=add - diff --git a/testing/tests/gcrypt-ikev1/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/rw-cert/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..0840260c3 --- /dev/null +++ b/testing/tests/gcrypt-ikev1/rw-cert/hosts/moon/etc/strongswan.conf @@ -0,0 +1,14 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = test-vectors gcrypt pubkey hmac curl +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no + crypto_test { + on_add = yes + } +} diff --git a/testing/tests/openssl/ecdsa-certs/posttest.dat b/testing/tests/gcrypt-ikev1/rw-cert/posttest.dat index 7cebd7f25..7cebd7f25 100644 --- a/testing/tests/openssl/ecdsa-certs/posttest.dat +++ b/testing/tests/gcrypt-ikev1/rw-cert/posttest.dat diff --git a/testing/tests/openssl/ecdsa-certs/pretest.dat b/testing/tests/gcrypt-ikev1/rw-cert/pretest.dat index 42e9d7c24..42e9d7c24 100644 --- a/testing/tests/openssl/ecdsa-certs/pretest.dat +++ b/testing/tests/gcrypt-ikev1/rw-cert/pretest.dat diff --git a/testing/tests/openssl/ecdsa-certs/test.conf b/testing/tests/gcrypt-ikev1/rw-cert/test.conf index 70416826e..70416826e 100644 --- a/testing/tests/openssl/ecdsa-certs/test.conf +++ b/testing/tests/gcrypt-ikev1/rw-cert/test.conf diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/description.txt b/testing/tests/gcrypt-ikev2/alg-camellia/description.txt new file mode 100644 index 000000000..b3515c333 --- /dev/null +++ b/testing/tests/gcrypt-ikev2/alg-camellia/description.txt @@ -0,0 +1,4 @@ +Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the IKE cipher suite <b>CAMELLIA_CBC_256 / +HMAC_SHA2_512_256 / MODP_2048</b> by defining <b>ike=camellia256-sha256-modp2048</b> as well as +the ESP cipher suite <b>CAMELLIA_CBC_192 / HMAC_SHA1_96</b> by defining <b>esp=camellia192-sha1</b> +in ipsec.conf. A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel. diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/evaltest.dat b/testing/tests/gcrypt-ikev2/alg-camellia/evaltest.dat new file mode 100644 index 000000000..aad3becc7 --- /dev/null +++ b/testing/tests/gcrypt-ikev2/alg-camellia/evaltest.dat @@ -0,0 +1,9 @@ +moon::ipsec statusall::rw.*INSTALLED::YES +carol::ipsec statusall::home.*INSTALLED::YES +moon::ipsec statusall::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES +carol::ipsec statusall::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES +moon::ipsec statusall::CAMELLIA_CBC_192/HMAC_SHA1_96::YES +carol::ipsec statusall::CAMELLIA_CBC_192/HMAC_SHA1_96::YES +moon::ip xfrm state::enc cbc(camellia)::YES +carol::ip xfrm state::enc cbc(camellia)::YES +carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..37f8a7ecf --- /dev/null +++ b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=yes + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + ike=camellia256-sha512-modp2048! + esp=camellia192-sha1! + +conn home + left=PH_IP_CAROL + leftfirewall=yes + leftcert=carolCert.pem + leftid=carol@strongswan.org + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..70c473005 --- /dev/null +++ b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl gcrypt x509 pubkey hmac xcbc stroke kernel-netlink updown +} diff --git a/testing/tests/ikev2/crl-strict/hosts/moon/etc/ipsec.conf b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf index 072c57c5b..f8d7e3fe9 100755 --- a/testing/tests/ikev2/crl-strict/hosts/moon/etc/ipsec.conf +++ b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf @@ -11,23 +11,14 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev2 + ike=camellia256-sha512-modp2048! + esp=camellia192-sha1! + +conn rw left=PH_IP_MOON + leftfirewall=yes leftcert=moonCert.pem leftid=@moon.strongswan.org - -conn net-net - leftsubnet=10.1.0.0/16 - right=PH_IP_SUN - rightsubnet=10.2.0.0/16 - rightid=@sun.strongswan.org - auto=add - -conn host-host - right=PH_IP_SUN - rightid=@sun.strongswan.org - auto=add - -conn rw leftsubnet=10.1.0.0/16 right=%any auto=add diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..70c473005 --- /dev/null +++ b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl gcrypt x509 pubkey hmac xcbc stroke kernel-netlink updown +} diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/posttest.dat b/testing/tests/gcrypt-ikev2/alg-camellia/posttest.dat new file mode 100644 index 000000000..94a400606 --- /dev/null +++ b/testing/tests/gcrypt-ikev2/alg-camellia/posttest.dat @@ -0,0 +1,4 @@ +moon::ipsec stop +carol::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/pretest.dat b/testing/tests/gcrypt-ikev2/alg-camellia/pretest.dat new file mode 100644 index 000000000..3c3df0196 --- /dev/null +++ b/testing/tests/gcrypt-ikev2/alg-camellia/pretest.dat @@ -0,0 +1,7 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +carol::ipsec start +carol::sleep 1 +carol::ipsec up home +carol::sleep 1 diff --git a/testing/tests/ikev2/crl-strict/test.conf b/testing/tests/gcrypt-ikev2/alg-camellia/test.conf index 2b240d895..2b240d895 100644 --- a/testing/tests/ikev2/crl-strict/test.conf +++ b/testing/tests/gcrypt-ikev2/alg-camellia/test.conf diff --git a/testing/tests/gcrypt-ikev2/rw-cert/description.txt b/testing/tests/gcrypt-ikev2/rw-cert/description.txt new file mode 100644 index 000000000..f60f5b1ad --- /dev/null +++ b/testing/tests/gcrypt-ikev2/rw-cert/description.txt @@ -0,0 +1,12 @@ +The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>gcrypt</b> +plugin based on the <b>GNU Libgcrypt</b> library for all cryptographical functions +whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b> cryptographical +plugins <b>aes des sha1 sha2 md5 gmp</b>. +<p> +The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each +to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>. +Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b> +automatically inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping +the client <b>alice</b> behind the gateway <b>moon</b>. + diff --git a/testing/tests/openssl/rw-cert/evaltest.dat b/testing/tests/gcrypt-ikev2/rw-cert/evaltest.dat index 06a0f8cda..06a0f8cda 100644 --- a/testing/tests/openssl/rw-cert/evaltest.dat +++ b/testing/tests/gcrypt-ikev2/rw-cert/evaltest.dat diff --git a/testing/tests/openssl/rw-cert/hosts/carol/etc/ipsec.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/ipsec.conf index 4a8baa3ae..4a8baa3ae 100755 --- a/testing/tests/openssl/rw-cert/hosts/carol/etc/ipsec.conf +++ b/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/ipsec.conf diff --git a/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..edb7e40d1 --- /dev/null +++ b/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl test-vectors gcrypt x509 pubkey hmac stroke kernel-netlink updown +} + +libstrongswan { + crypto_test { + on_add = yes + } +} diff --git a/testing/tests/openssl/rw-cert/hosts/dave/etc/ipsec.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/ipsec.conf index 42f03aab3..42f03aab3 100755 --- a/testing/tests/openssl/rw-cert/hosts/dave/etc/ipsec.conf +++ b/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/ipsec.conf diff --git a/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..f4b6dfdb9 --- /dev/null +++ b/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/strongswan.conf @@ -0,0 +1,12 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl test-vectors aes des sha1 sha2 md5 gmp random x509 pubkey hmac stroke kernel-netlink updown +} + +libstrongswan { + crypto_test { + required = yes + on_add = yes + } +} diff --git a/testing/tests/openssl/rw-cert/hosts/moon/etc/ipsec.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/ipsec.conf index 2e84f2e6a..2e84f2e6a 100755 --- a/testing/tests/openssl/rw-cert/hosts/moon/etc/ipsec.conf +++ b/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/ipsec.conf diff --git a/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..edb7e40d1 --- /dev/null +++ b/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl test-vectors gcrypt x509 pubkey hmac stroke kernel-netlink updown +} + +libstrongswan { + crypto_test { + on_add = yes + } +} diff --git a/testing/tests/openssl/ike-alg-ecp-high/posttest.dat b/testing/tests/gcrypt-ikev2/rw-cert/posttest.dat index 7cebd7f25..7cebd7f25 100644 --- a/testing/tests/openssl/ike-alg-ecp-high/posttest.dat +++ b/testing/tests/gcrypt-ikev2/rw-cert/posttest.dat diff --git a/testing/tests/openssl/ike-alg-ecp-high/pretest.dat b/testing/tests/gcrypt-ikev2/rw-cert/pretest.dat index 42e9d7c24..42e9d7c24 100644 --- a/testing/tests/openssl/ike-alg-ecp-high/pretest.dat +++ b/testing/tests/gcrypt-ikev2/rw-cert/pretest.dat diff --git a/testing/tests/openssl/ike-alg-ecp-high/test.conf b/testing/tests/gcrypt-ikev2/rw-cert/test.conf index 70416826e..70416826e 100644 --- a/testing/tests/openssl/ike-alg-ecp-high/test.conf +++ b/testing/tests/gcrypt-ikev2/rw-cert/test.conf diff --git a/testing/tests/ike/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ike/rw-cert/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..304ef99e0 --- /dev/null +++ b/testing/tests/ike/rw-cert/hosts/carol/etc/strongswan.conf @@ -0,0 +1,14 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = test-vectors sha1 sha2 md5 aes des hmac gmp pubkey random curl +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no + crypto_test { + on_add = yes + } +} diff --git a/testing/tests/ike/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/ike/rw-cert/hosts/dave/etc/strongswan.conf index ef63f7262..f1dcd52e9 100644 --- a/testing/tests/ike/rw-cert/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ike/rw-cert/hosts/dave/etc/strongswan.conf @@ -1,5 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink + load = curl test-vectors aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink +} + +libstrongswan { + crypto_test { + on_add = yes + } } diff --git a/testing/tests/ike/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ike/rw-cert/hosts/moon/etc/strongswan.conf index ef63f7262..7133aef00 100644 --- a/testing/tests/ike/rw-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ike/rw-cert/hosts/moon/etc/strongswan.conf @@ -1,5 +1,15 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink + load = curl test-vectors aes des sha1 sha2 md5 gmp random pubkey hmac x509 xcbc stroke kernel-netlink +} + +pluto { + load = curl test-vectors aes des sha1 sha2 md5 gmp random pubkey hmac +} + +libstrongswan { + crypto_test { + on_add = yes + } } diff --git a/testing/tests/ike/rw_v1-net_v2/hosts/moon/etc/strongswan.conf b/testing/tests/ike/rw_v1-net_v2/hosts/moon/etc/strongswan.conf index ef63f7262..8dcb265b7 100644 --- a/testing/tests/ike/rw_v1-net_v2/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ike/rw_v1-net_v2/hosts/moon/etc/strongswan.conf @@ -1,5 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink + load = curl aes des sha1 sha2 md5 gmp random pubkey hmac x509 xcbc stroke kernel-netlink +} + +pluto { + load = curl aes des sha1 sha2 md5 gmp random pubkey hmac } diff --git a/testing/tests/ikev1/after-2038-certs/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/after-2038-certs/hosts/carol/etc/ipsec.conf index 392a4b51e..d55638907 100755 --- a/testing/tests/ikev1/after-2038-certs/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/after-2038-certs/hosts/carol/etc/ipsec.conf @@ -1,7 +1,8 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 + plutodebug=control + crlcheckinterval=180 strictcrlpolicy=no charonstart=no diff --git a/testing/tests/ikev1/after-2038-certs/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/after-2038-certs/hosts/moon/etc/ipsec.conf index e56090f48..94517ecbe 100755 --- a/testing/tests/ikev1/after-2038-certs/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/after-2038-certs/hosts/moon/etc/ipsec.conf @@ -1,7 +1,8 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 + plutodebug=control + crlcheckinterval=180 strictcrlpolicy=no charonstart=no diff --git a/testing/tests/ikev1/alg-blowfish/description.txt b/testing/tests/ikev1/alg-blowfish/description.txt index cff0a1915..7d8f245ab 100644 --- a/testing/tests/ikev1/alg-blowfish/description.txt +++ b/testing/tests/ikev1/alg-blowfish/description.txt @@ -1,4 +1,4 @@ Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the strong cipher suite -<b>BLOWFISH_CBC_256-SHA2_512-MODP4096</b> for the IKE protocol and -<b>BLOWFISH_256-HMAC_SHA2_256</b> for ESP packets. A ping from <b>carol</b> to +<b>BLOWFISH_CBC_256 / HMAC_SHA2_512 / MODP_4096</b> for the IKE protocol and +<b>BLOWFISH_CBC_256 / HMAC_SHA2_256</b> for ESP packets. A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel. diff --git a/testing/tests/ikev1/alg-blowfish/evaltest.dat b/testing/tests/ikev1/alg-blowfish/evaltest.dat index a2ae3ff6b..fd46cdb9d 100644 --- a/testing/tests/ikev1/alg-blowfish/evaltest.dat +++ b/testing/tests/ikev1/alg-blowfish/evaltest.dat @@ -1,9 +1,9 @@ carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES -carol::ipsec statusall::IKE algorithm newest: BLOWFISH_CBC_256-SHA2_512-MODP4096::YES -moon::ipsec statusall::IKE algorithm newest: BLOWFISH_CBC_256-SHA2_512-MODP4096::YES -carol::ipsec statusall::ESP algorithm newest: BLOWFISH_256-HMAC_SHA2_256::YES -moon::ipsec statusall::ESP algorithm newest: BLOWFISH_256-HMAC_SHA2_256::YES +carol::ipsec statusall::IKE proposal: BLOWFISH_CBC_256/HMAC_SHA2_512/MODP_4096::YES +moon::ipsec statusall::IKE proposal: BLOWFISH_CBC_256/HMAC_SHA2_512/MODP_4096::YES +carol::ipsec statusall::ESP proposal: BLOWFISH_CBC_256/HMAC_SHA2_256::YES +moon::ipsec statusall::ESP proposal: BLOWFISH_CBC_256/HMAC_SHA2_256::YES carol::ip xfrm state::enc cbc(blowfish)::YES moon::ip xfrm state::enc cbc(blowfish)::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES diff --git a/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..f5401f260 --- /dev/null +++ b/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = sha1 sha2 md5 aes des blowfish hmac gmp pubkey random curl +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..f5401f260 --- /dev/null +++ b/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = sha1 sha2 md5 aes des blowfish hmac gmp pubkey random curl +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/alg-serpent/description.txt b/testing/tests/ikev1/alg-serpent/description.txt deleted file mode 100644 index f49c0a1c0..000000000 --- a/testing/tests/ikev1/alg-serpent/description.txt +++ /dev/null @@ -1,4 +0,0 @@ -Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the strong cipher suite -<b>SERPENT_CBC_256-SHA2_512-MODP4096</b> for the IKE protocol and -<b>SERPENT_256-HMAC_SHA2_256</b> for ESP packets. A ping from <b>carol</b> to -<b>alice</b> successfully checks the established tunnel. diff --git a/testing/tests/ikev1/alg-serpent/evaltest.dat b/testing/tests/ikev1/alg-serpent/evaltest.dat deleted file mode 100644 index ffca0e7a0..000000000 --- a/testing/tests/ikev1/alg-serpent/evaltest.dat +++ /dev/null @@ -1,10 +0,0 @@ -carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES -moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES -carol::ipsec statusall::IKE algorithm newest: SERPENT_CBC_256-SHA2_512-MODP4096::YES -moon::ipsec statusall::IKE algorithm newest: SERPENT_CBC_256-SHA2_512-MODP4096::YES -carol::ipsec statusall::ESP algorithm newest: SERPENT_256-HMAC_SHA2_256::YES -moon::ipsec statusall::ESP algorithm newest: SERPENT_256-HMAC_SHA2_256::YES -carol::ip xfrm state::enc cbc(serpent)::YES -moon::ip xfrm state::enc cbc(serpent)::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES - diff --git a/testing/tests/ikev1/alg-sha-equals-sha1/description.txt b/testing/tests/ikev1/alg-sha-equals-sha1/description.txt deleted file mode 100644 index aeb2e1a88..000000000 --- a/testing/tests/ikev1/alg-sha-equals-sha1/description.txt +++ /dev/null @@ -1,5 +0,0 @@ -Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the syntactically -incorrect cipher suites <b>ike=aes128-sha1-modp1536</b> for the -IKE protocol and <b>esp=aes128-sha</b> for ESP packets. Since <b>sha</b> and -<b>sha1</b> are treated as synonyms the proposal is neverless correctly parsed. -A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel. diff --git a/testing/tests/ikev1/alg-sha-equals-sha1/evaltest.dat b/testing/tests/ikev1/alg-sha-equals-sha1/evaltest.dat deleted file mode 100644 index c3656c690..000000000 --- a/testing/tests/ikev1/alg-sha-equals-sha1/evaltest.dat +++ /dev/null @@ -1,9 +0,0 @@ - -carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES -moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES -moon::ipsec statusall::IKE algorithm newest: AES_CBC_128-SHA-MODP1536::YES -carol::ipsec statusall::IKE algorithm newest: AES_CBC_128-SHA-MODP1536::YES -moon::ipsec statusall::ESP algorithm newest: AES_128-HMAC_SHA1::YES -carol::ipsec statusall::ESP algorithm newest: AES_128-HMAC_SHA1::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES - diff --git a/testing/tests/ikev1/alg-sha2_256/description.txt b/testing/tests/ikev1/alg-sha2_256/description.txt index 900fcf017..e0af2e2f7 100644 --- a/testing/tests/ikev1/alg-sha2_256/description.txt +++ b/testing/tests/ikev1/alg-sha2_256/description.txt @@ -1,4 +1,4 @@ Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the rather strong cipher suite -<b>AES_CBC_128-SHA2_256-MODP1536</b> for the IKE protocol and -<b>AES_128-HMAC_SHA2_256</b> for ESP packets. A ping from <b>carol</b> to +<b>AES_CBC_128 / HMAC_SHA2_256 / MODP_1536</b> for the IKE protocol and +<b>AES_CBC_128 / HMAC_SHA2_256</b> for ESP packets. A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel. diff --git a/testing/tests/ikev1/alg-sha2_256/evaltest.dat b/testing/tests/ikev1/alg-sha2_256/evaltest.dat index 42d0099eb..b8a83e0fb 100644 --- a/testing/tests/ikev1/alg-sha2_256/evaltest.dat +++ b/testing/tests/ikev1/alg-sha2_256/evaltest.dat @@ -1,10 +1,10 @@ carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES -carol::ipsec statusall::IKE algorithm newest: AES_CBC_128-SHA2_256-MODP1536::YES -moon::ipsec statusall::IKE algorithm newest: AES_CBC_128-SHA2_256-MODP1536::YES -carol::ipsec statusall::ESP algorithm newest: AES_128-HMAC_SHA2_256::YES -moon::ipsec statusall::ESP algorithm newest: AES_128-HMAC_SHA2_256::YES +carol::ipsec statusall::IKE proposal: AES_CBC_128/HMAC_SHA2_256/MODP_1536::YES +moon::ipsec statusall::IKE proposal: AES_CBC_128/HMAC_SHA2_256/MODP_1536::YES +carol::ipsec statusall::ESP proposal: AES_CBC_128/HMAC_SHA2_256::YES +moon::ipsec statusall::ESP proposal: AES_CBC_128/HMAC_SHA2_256::YES carol::ip xfrm state::auth hmac(sha256)::YES moon::ip xfrm state::auth hmac(sha256)::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES diff --git a/testing/tests/ikev1/alg-twofish/description.txt b/testing/tests/ikev1/alg-twofish/description.txt deleted file mode 100644 index 0015561ee..000000000 --- a/testing/tests/ikev1/alg-twofish/description.txt +++ /dev/null @@ -1,4 +0,0 @@ -Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the strong cipher suite -<b>TWOFISH_CBC_256-SHA2_512-MODP4096</b> for the IKE protocol and -<b>TWOFISH_256-HMAC_SHA2_256</b> for ESP packets. A ping from <b>carol</b> to -<b>alice</b> successfully checks the established tunnel. diff --git a/testing/tests/ikev1/alg-twofish/evaltest.dat b/testing/tests/ikev1/alg-twofish/evaltest.dat deleted file mode 100644 index 69e9267c3..000000000 --- a/testing/tests/ikev1/alg-twofish/evaltest.dat +++ /dev/null @@ -1,10 +0,0 @@ -carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES -moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES -carol::ipsec statusall::IKE algorithm newest: TWOFISH_CBC_256-SHA2_512-MODP4096::YES -moon::ipsec statusall::IKE algorithm newest: TWOFISH_CBC_256-SHA2_512-MODP4096::YES -carol::ipsec statusall::ESP algorithm newest: TWOFISH_256-HMAC_SHA2_256::YES -moon::ipsec statusall::ESP algorithm newest: TWOFISH_256-HMAC_SHA2_256::YES -carol::ip xfrm state::enc cbc(twofish)::YES -moon::ip xfrm state::enc cbc(twofish)::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES - diff --git a/testing/tests/ikev1/alg-twofish/posttest.dat b/testing/tests/ikev1/alg-twofish/posttest.dat deleted file mode 100644 index c6d6235f9..000000000 --- a/testing/tests/ikev1/alg-twofish/posttest.dat +++ /dev/null @@ -1,2 +0,0 @@ -moon::ipsec stop -carol::ipsec stop diff --git a/testing/tests/ikev1/alg-twofish/pretest.dat b/testing/tests/ikev1/alg-twofish/pretest.dat deleted file mode 100644 index 7d077c126..000000000 --- a/testing/tests/ikev1/alg-twofish/pretest.dat +++ /dev/null @@ -1,5 +0,0 @@ -moon::echo 1 > /proc/sys/net/ipv4/ip_forward -carol::ipsec start -moon::ipsec start -carol::sleep 2 -carol::ipsec up home diff --git a/testing/tests/ikev1/attr-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/attr-cert/hosts/moon/etc/strongswan.conf index 5a360543c..343221385 100644 --- a/testing/tests/ikev1/attr-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev1/attr-cert/hosts/moon/etc/strongswan.conf @@ -1,3 +1,13 @@ +pluto { + load = sha1 sha2 md5 aes des hmac gmp pubkey random curl +} + openac { load = sha1 sha2 md5 gmp random x509 pubkey } + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/crl-ldap/evaltest.dat b/testing/tests/ikev1/crl-ldap/evaltest.dat index 2b98e086a..730614c66 100644 --- a/testing/tests/ikev1/crl-ldap/evaltest.dat +++ b/testing/tests/ikev1/crl-ldap/evaltest.dat @@ -6,8 +6,8 @@ moon::cat /var/log/auth.log::X.509 certificate rejected::YES carol::cat /var/log/auth.log::X.509 certificate rejected::YES moon::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES carol::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES -moon::cat /var/log/auth.log::Trying LDAP URL::YES -carol::cat /var/log/auth.log::Trying LDAP URL::YES +moon::cat /var/log/auth.log::fetching crl from .*ldap://ldap.strongswan.org::YES +carol::cat /var/log/auth.log::fetching crl from .*ldap://ldap.strongswan.org::YES moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES moon::cat /var/log/auth.log::written crl file::YES diff --git a/testing/tests/ikev1/crl-ldap/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/crl-ldap/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..b15cf2d3f --- /dev/null +++ b/testing/tests/ikev1/crl-ldap/hosts/carol/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = sha1 sha2 md5 aes des hmac gmp pubkey random curl ldap +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/crl-ldap/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/crl-ldap/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..b15cf2d3f --- /dev/null +++ b/testing/tests/ikev1/crl-ldap/hosts/moon/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = sha1 sha2 md5 aes des hmac gmp pubkey random curl ldap +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/default-keys/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/default-keys/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..52fd0c788 --- /dev/null +++ b/testing/tests/ikev1/default-keys/hosts/carol/etc/strongswan.conf @@ -0,0 +1,15 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = sha1 sha2 md5 aes des hmac gmp pubkey random curl +} + +scepclient { + load = sha1 sha2 md5 aes des hmac gmp pubkey random +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/default-keys/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/default-keys/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..52fd0c788 --- /dev/null +++ b/testing/tests/ikev1/default-keys/hosts/moon/etc/strongswan.conf @@ -0,0 +1,15 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = sha1 sha2 md5 aes des hmac gmp pubkey random curl +} + +scepclient { + load = sha1 sha2 md5 aes des hmac gmp pubkey random +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/dpd-restart/evaltest.dat b/testing/tests/ikev1/dpd-restart/evaltest.dat index 016524dd9..c35a8019e 100644 --- a/testing/tests/ikev1/dpd-restart/evaltest.dat +++ b/testing/tests/ikev1/dpd-restart/evaltest.dat @@ -6,5 +6,5 @@ moon::cat /var/log/auth.log::inserting event EVENT_DPD::YES moon::cat /var/log/auth.log::DPD: No response from peer - declaring peer dead::YES moon::cat /var/log/auth.log::DPD: Terminating all SAs using this connection::YES moon::cat /var/log/auth.log::DPD: Restarting connection::YES -moon::sleep 5::no output expected::NO +moon::sleep 10::no output expected::NO moon::ipsec status::STATE_MAIN_I4 (ISAKMP SA established)::YES diff --git a/testing/tests/ikev1/esp-ah-transport/description.txt b/testing/tests/ikev1/esp-ah-transport/description.txt index c7918fa38..f8ffce6e6 100644 --- a/testing/tests/ikev1/esp-ah-transport/description.txt +++ b/testing/tests/ikev1/esp-ah-transport/description.txt @@ -1,5 +1,5 @@ In IKE phase 2 the roadwarrior <b>carol</b> proposes to gateway <b>moon</b> -the ESP AES 128 bit encryption algorithm combined with AH SHA-1 authentication. +the ESP AES 128 bit encryption algorithm combined with AH HMAC_SHA1 authentication. In order to accept the AH and ESP encapsulated plaintext packets, the iptables firewall marks all incoming AH packets with the ESP mark. The transport mode connection is tested by <b>carol</b> sending a ping to gateway <b>moon</b>. diff --git a/testing/tests/ikev1/esp-ah-transport/evaltest.dat b/testing/tests/ikev1/esp-ah-transport/evaltest.dat index 7c498ad83..526e0d96e 100644 --- a/testing/tests/ikev1/esp-ah-transport/evaltest.dat +++ b/testing/tests/ikev1/esp-ah-transport/evaltest.dat @@ -1,7 +1,7 @@ carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES -carol::ipsec statusall::ESP algorithm newest: AES_128-;::YES -moon::ipsec statusall::ESP algorithm newest: AES_128-;::YES +carol::ipsec statusall::ESP/AH proposal: AES_CBC_128/HMAC_SHA1::YES +moon::ipsec statusall::ESP/AH proposal: AES_CBC_128/HMAC_SHA1::YES carol::ping -c 1 -s 120 -p deadbeef PH_IP_MOON::128 bytes from PH_IP_MOON: icmp_seq=1::YES carol::ipsec status::ah\..*ah\..*esp\..*ago.*esp\..*ago.*transport::YES moon::ipsec status::ah\..*ah\..*esp\..*ago.*esp\..*ago.*transport::YES diff --git a/testing/tests/ikev1/esp-ah-tunnel/description.txt b/testing/tests/ikev1/esp-ah-tunnel/description.txt index 809f28c57..332f8177a 100644 --- a/testing/tests/ikev1/esp-ah-tunnel/description.txt +++ b/testing/tests/ikev1/esp-ah-tunnel/description.txt @@ -1,5 +1,5 @@ In IKE phase 2 the roadwarrior <b>carol</b> proposes to gateway <b>moon</b> -the ESP AES 128 bit encryption algorithm combined with AH SHA-1 authentication. +the ESP AES 128 bit encryption algorithm combined with AH HMAC_SHA1 authentication. In order to accept the AH and ESP encapsulated plaintext packets, the iptables firewall marks all incoming AH packets with the ESP mark. The tunnel mode connection is tested by <b>carol</b> sending a ping to client <b>alice</b> hiding behind diff --git a/testing/tests/ikev1/esp-ah-tunnel/evaltest.dat b/testing/tests/ikev1/esp-ah-tunnel/evaltest.dat index 8f4a99641..5103a6318 100644 --- a/testing/tests/ikev1/esp-ah-tunnel/evaltest.dat +++ b/testing/tests/ikev1/esp-ah-tunnel/evaltest.dat @@ -1,7 +1,7 @@ carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES -carol::ipsec statusall::ESP algorithm newest: AES_128-;::YES -moon::ipsec statusall::ESP algorithm newest: AES_128-;::YES +carol::ipsec statusall::ESP/AH proposal: AES_CBC_128/HMAC_SHA1::YES +moon::ipsec statusall::ESP/AH proposal: AES_CBC_128/HMAC_SHA1::YES carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES carol::ipsec status::ah\..*ah\..*esp\..*ago.*esp\..*ago.*tunnel::YES moon::ipsec status::ah\..*ah\..*esp\..*ago.*esp\..*ago.*tunnel::YES diff --git a/testing/tests/ikev1/esp-alg-aesxcbc/description.txt b/testing/tests/ikev1/esp-alg-aesxcbc/description.txt index fef0ac2dd..0c39352d9 100644 --- a/testing/tests/ikev1/esp-alg-aesxcbc/description.txt +++ b/testing/tests/ikev1/esp-alg-aesxcbc/description.txt @@ -1,4 +1,4 @@ Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite -<b>AES_256/AES_XCBC_MAC</b> by defining <b>esp=aes256-aesxcbc-modp2048</b> +<b>AES_CBC_256 / AES_XCBC_96</b> by defining <b>esp=aes256-aesxcbc</b> in ipsec.conf. A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel. diff --git a/testing/tests/ikev1/esp-alg-aesxcbc/evaltest.dat b/testing/tests/ikev1/esp-alg-aesxcbc/evaltest.dat index f464bda65..872962de4 100644 --- a/testing/tests/ikev1/esp-alg-aesxcbc/evaltest.dat +++ b/testing/tests/ikev1/esp-alg-aesxcbc/evaltest.dat @@ -1,8 +1,8 @@ carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES -carol::ipsec statusall::ESP algorithm newest: AES_256-AES_XCBC_MAC::YES -moon::ipsec statusall::ESP algorithm newest: AES_256-AES_XCBC_MAC::YES +carol::ipsec statusall::ESP proposal: AES_CBC_256/AES_XCBC_96::YES +moon::ipsec statusall::ESP proposal: AES_CBC_256/AES_XCBC_96::YES carol::ip xfrm state::auth xcbc(aes)::YES moon::ip xfrm state::auth xcbc(aes)::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES diff --git a/testing/tests/ikev1/esp-alg-camellia/description.txt b/testing/tests/ikev1/esp-alg-camellia/description.txt index ead39f580..b679d03ec 100644 --- a/testing/tests/ikev1/esp-alg-camellia/description.txt +++ b/testing/tests/ikev1/esp-alg-camellia/description.txt @@ -1,4 +1,4 @@ Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite -<b>CAMELLIA_192/HMAC_SHA2_256</b> by defining <b>esp=camellia192-sha2_256-modp2048</b> +<b>CAMELLIA_CBC_192 / HMAC_SHA2_256</b> by defining <b>esp=camellia192-sha2_256</b> in ipsec.conf. A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel. diff --git a/testing/tests/ikev1/esp-alg-camellia/evaltest.dat b/testing/tests/ikev1/esp-alg-camellia/evaltest.dat index b2871dabd..1b0f3a12b 100644 --- a/testing/tests/ikev1/esp-alg-camellia/evaltest.dat +++ b/testing/tests/ikev1/esp-alg-camellia/evaltest.dat @@ -1,7 +1,7 @@ carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES -carol::ipsec statusall::ESP algorithm newest: CAMELLIA_192-HMAC_SHA2_256::YES -moon::ipsec statusall::ESP algorithm newest: CAMELLIA_192-HMAC_SHA2_256::YES +carol::ipsec statusall::ESP proposal: CAMELLIA_CBC_192/HMAC_SHA2_256::YES +moon::ipsec statusall::ESP proposal: CAMELLIA_CBC_192/HMAC_SHA2_256::YES carol::ip xfrm state::enc cbc(camellia)::YES moon::ip xfrm state::enc cbc(camellia)::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES diff --git a/testing/tests/ikev1/esp-alg-des/evaltest.dat b/testing/tests/ikev1/esp-alg-des/evaltest.dat index 8e06392f1..57d09a488 100644 --- a/testing/tests/ikev1/esp-alg-des/evaltest.dat +++ b/testing/tests/ikev1/esp-alg-des/evaltest.dat @@ -1,6 +1,8 @@ carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES -moon::ipsec statusall::ESP algorithm newest: DES_0-HMAC_MD5::YES -carol::ipsec statusall::ESP algorithm newest: DES_0-HMAC_MD5::YES +moon::ipsec statusall::ESP proposal: DES_CBC/HMAC_MD5::YES +carol::ipsec statusall::ESP proposal: DES_CBC/HMAC_MD5::YES +moon::ip xfrm state::enc cbc(des)::YES +carol::ip xfrm state::enc cbc(des)::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES diff --git a/testing/tests/ikev1/esp-alg-null/evaltest.dat b/testing/tests/ikev1/esp-alg-null/evaltest.dat index de2f2a571..8c748a54c 100644 --- a/testing/tests/ikev1/esp-alg-null/evaltest.dat +++ b/testing/tests/ikev1/esp-alg-null/evaltest.dat @@ -1,5 +1,7 @@ carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES -moon::ipsec statusall::ESP algorithm newest::NULL_0-HMAC_SHA1::YES -carol::ipsec statusall::ESP algorithm newest::NULL_0-HMAC_SHA1::YES +moon::ipsec statusall::ESP proposal::NULL/HMAC_SHA1::YES +carol::ipsec statusall::ESP proposal::NULL/HMAC_SHA1::YES +moon::ip xfrm state::enc ecb(cipher_null)::YES +carol::ip xfrm state::enc ecb(cipher_null)::YES carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES diff --git a/testing/tests/ikev1/esp-alg-null/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-null/hosts/carol/etc/ipsec.conf index b939e4fda..3c9fdbb71 100755 --- a/testing/tests/ikev1/esp-alg-null/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/esp-alg-null/hosts/carol/etc/ipsec.conf @@ -11,7 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 - ike=aes-128-sha + ike=aes-sha1 esp=null-sha1! conn home diff --git a/testing/tests/ikev1/esp-alg-null/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-null/hosts/moon/etc/ipsec.conf index 9ca761cb5..62f17df49 100755 --- a/testing/tests/ikev1/esp-alg-null/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/esp-alg-null/hosts/moon/etc/ipsec.conf @@ -11,7 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 - ike=aes128-sha! + ike=aes-sha1! esp=null-sha1! conn rw diff --git a/testing/tests/ikev1/esp-alg-strict-fail/description.txt b/testing/tests/ikev1/esp-alg-strict-fail/description.txt index 03c655480..252080e80 100644 --- a/testing/tests/ikev1/esp-alg-strict-fail/description.txt +++ b/testing/tests/ikev1/esp-alg-strict-fail/description.txt @@ -1,5 +1,5 @@ -The roadwarrior <b>carol</b> proposes <b>3DES</b> encryption with SHA-1 authentication +The roadwarrior <b>carol</b> proposes <b>3DES_CBC</b> encryption with HMAC_SHA1 authentication as the only cipher suite for both the ISAKMP and IPsec SA. The gateway <b>moon</b> defines -<b>ike=aes-128-sha</b> only, but will accept any other support algorithm proposed by the peer, +<b>ike=aes128-sha1</b> only, but will accept any other support algorithm proposed by the peer, leading to a successful negotiation of Phase 1. Because for Phase 2 <b>moon</b> enforces -<b>esp=aes-128-sha1!</b> by using the strict flag '!', the ISAKMP SA will fail. +<b>esp=aes128-sha1!</b> by using the strict flag '!', the ISAKMP SA will fail. diff --git a/testing/tests/ikev1/esp-alg-strict-fail/evaltest.dat b/testing/tests/ikev1/esp-alg-strict-fail/evaltest.dat index 6f2024ff9..83d99bea1 100644 --- a/testing/tests/ikev1/esp-alg-strict-fail/evaltest.dat +++ b/testing/tests/ikev1/esp-alg-strict-fail/evaltest.dat @@ -1,9 +1,9 @@ carol::ipsec status::home.*STATE_MAIN_I4.*ISAKMP SA established::YES -carol::ipsec statusall::IKE algorithm newest: 3DES_CBC_192-SHA::YES +carol::ipsec statusall::IKE proposal: 3DES_CBC/HMAC_SHA1::YES moon::ipsec status::rw.*STATE_MAIN_R3.*ISAKMP SA established::YES -moon::ipsec statusall::IKE algorithm newest: 3DES_CBC_192-SHA::YES +moon::ipsec statusall::IKE proposal: 3DES_CBC/HMAC_SHA1::YES carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::NO carol::cat /var/log/auth.log::NO_PROPOSAL_CHOSEN::YES moon::ipsec status::rw.*STATE_QUICK_R2.*ISAKMP SA established::NO -moon::cat /var/log/auth.log::IPSec Transform.*ESP_3DES (192), AUTH_ALGORITHM_HMAC_SHA1.*refused due to strict flag::YES +moon::cat /var/log/auth.log::IPSec Transform.*3DES_CBC (192), HMAC_SHA1.*refused due to strict flag::YES moon::cat /var/log/auth.log::no acceptable Proposal in IPsec SA::YES diff --git a/testing/tests/ikev1/esp-alg-strict-fail/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-strict-fail/hosts/carol/etc/ipsec.conf index f61cfc6bb..21997940b 100755 --- a/testing/tests/ikev1/esp-alg-strict-fail/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/esp-alg-strict-fail/hosts/carol/etc/ipsec.conf @@ -11,7 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 - ike=3des-sha + ike=3des-sha1 esp=3des-sha1 conn home diff --git a/testing/tests/ikev1/esp-alg-strict-fail/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-strict-fail/hosts/moon/etc/ipsec.conf index 5bf53b8bc..14f58ccc3 100755 --- a/testing/tests/ikev1/esp-alg-strict-fail/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/esp-alg-strict-fail/hosts/moon/etc/ipsec.conf @@ -11,7 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 - ike=aes128-sha + ike=aes128-sha1 esp=aes128-sha1! conn rw diff --git a/testing/tests/ikev1/esp-alg-strict/description.txt b/testing/tests/ikev1/esp-alg-strict/description.txt index b4fc08253..149a1e013 100644 --- a/testing/tests/ikev1/esp-alg-strict/description.txt +++ b/testing/tests/ikev1/esp-alg-strict/description.txt @@ -1,7 +1,7 @@ -Roadwarrior <b>carol</b> proposes <b>3DES</b> encryption (together with -SHA-1 authentication) in the first place and <b>AES-128</b> encryption in +Roadwarrior <b>carol</b> proposes <b>3DES_CBC</b> encryption (together with +HMAC_SHA1 authentication) in the first place and <b>AES_CBC_128</b> encryption in second place for both the ISAKMP and IPsec SAs. Gateway <b>moon</b> defines -<b>ike=aes-128-sha</b> but will accept any other supported algorithm proposed +<b>ike=aes128-sha1</b> but will accept any other supported algorithm proposed by the peer during Phase 1. But for ESP encryption <b>moon</b> enforces -<b>esp=aes-128-sha1!</b> by applying the strict flag '!'. +<b>esp=aes128-sha1!</b> by applying the strict flag '!'. diff --git a/testing/tests/ikev1/esp-alg-strict/evaltest.dat b/testing/tests/ikev1/esp-alg-strict/evaltest.dat index d5dd12d4e..912a8d830 100644 --- a/testing/tests/ikev1/esp-alg-strict/evaltest.dat +++ b/testing/tests/ikev1/esp-alg-strict/evaltest.dat @@ -1,7 +1,7 @@ carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES -moon::cat /var/log/auth.log::IPSec Transform.*ESP_3DES (192), AUTH_ALGORITHM_HMAC_SHA1.*refused due to strict flag::YES -moon::ipsec statusall::IKE algorithm newest: 3DES_CBC_192-SHA::YES -moon::ipsec statusall::ESP algorithm newest: AES_128-HMAC_SHA1::YES -carol::ipsec statusall::IKE algorithm newest: 3DES_CBC_192-SHA::YES -carol::ipsec statusall::ESP algorithm newest: AES_128-HMAC_SHA1::YES +moon::cat /var/log/auth.log::IPSec Transform.*3DES_CBC (192), HMAC_SHA1.*refused due to strict flag::YES +moon::ipsec statusall::IKE proposal: 3DES_CBC/HMAC_SHA1::YES +moon::ipsec statusall::ESP proposal: AES_CBC_128/HMAC_SHA1::YES +carol::ipsec statusall::IKE proposal: 3DES_CBC/HMAC_SHA1::YES +carol::ipsec statusall::ESP proposal: AES_CBC_128/HMAC_SHA1::YES diff --git a/testing/tests/ikev1/esp-alg-strict/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-strict/hosts/carol/etc/ipsec.conf index 0ae6b0693..7e2de30cd 100755 --- a/testing/tests/ikev1/esp-alg-strict/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/esp-alg-strict/hosts/carol/etc/ipsec.conf @@ -11,8 +11,8 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 - ike=3des-sha,aes-128-sha - esp=3des-sha1,aes-128-sha1 + ike=3des-sha,aes128-sha1 + esp=3des-sha1,aes128-sha1 conn home left=PH_IP_CAROL diff --git a/testing/tests/ikev1/esp-alg-strict/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-strict/hosts/moon/etc/ipsec.conf index 5bf53b8bc..14f58ccc3 100755 --- a/testing/tests/ikev1/esp-alg-strict/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/esp-alg-strict/hosts/moon/etc/ipsec.conf @@ -11,7 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 - ike=aes128-sha + ike=aes128-sha1 esp=aes128-sha1! conn rw diff --git a/testing/tests/ikev1/esp-alg-weak/description.txt b/testing/tests/ikev1/esp-alg-weak/description.txt index ffb6882f5..e49b6c620 100644 --- a/testing/tests/ikev1/esp-alg-weak/description.txt +++ b/testing/tests/ikev1/esp-alg-weak/description.txt @@ -1,4 +1,4 @@ -The roadwarrior <b>carol</b> proposes <b>1DES</b> encryption with MD5 authentication +The roadwarrior <b>carol</b> proposes <b>DES_CBC</b> encryption with HMAC_MD5 authentication as the only cipher suite for the IPsec SA. Because gateway <b>moon</b> does not use an explicit <b>esp</b> statement any strong encryption algorithm will be accepted but any weak key length will be rejected by default and thus the ISAKMP SA diff --git a/testing/tests/ikev1/ike-alg-sha2_384/description.txt b/testing/tests/ikev1/ike-alg-sha2_384/description.txt index a347a3fed..a0bda209c 100644 --- a/testing/tests/ikev1/ike-alg-sha2_384/description.txt +++ b/testing/tests/ikev1/ike-alg-sha2_384/description.txt @@ -1,4 +1,4 @@ Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the strong cipher suite -<b>AES_CBC_192-SHA2_384-MODP4096</b> for the IKE protocol and -<b>AES_192-HMAC_SHA2_256</b> for ESP packets. A ping from <b>carol</b> to +<b>AES_CBC_192 / HMAC_SHA2_384 / MODP4096</b> for the IKE protocol and +<b>AES_CBC_192 /HMAC_SHA2_256</b> for ESP packets. A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel. diff --git a/testing/tests/ikev1/ike-alg-sha2_384/evaltest.dat b/testing/tests/ikev1/ike-alg-sha2_384/evaltest.dat index 31959f53a..a4cc39150 100644 --- a/testing/tests/ikev1/ike-alg-sha2_384/evaltest.dat +++ b/testing/tests/ikev1/ike-alg-sha2_384/evaltest.dat @@ -1,8 +1,8 @@ carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES -moon::ipsec statusall::IKE algorithm newest: AES_CBC_192-SHA2_384-MODP4096::YES -carol::ipsec statusall::IKE algorithm newest: AES_CBC_192-SHA2_384-MODP4096::YES -moon::ipsec statusall::ESP algorithm newest: AES_192-HMAC_SHA2_256::YES -carol::ipsec statusall::ESP algorithm newest: AES_192-HMAC_SHA2_256::YES +moon::ipsec statusall::IKE proposal: AES_CBC_192/HMAC_SHA2_384/MODP_4096::YES +carol::ipsec statusall::IKE proposal: AES_CBC_192/HMAC_SHA2_384/MODP_4096::YES +moon::ipsec statusall::ESP proposal: AES_CBC_192/HMAC_SHA2_256::YES +carol::ipsec statusall::ESP proposal: AES_CBC_192/HMAC_SHA2_256::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES diff --git a/testing/tests/ikev1/ike-alg-sha2_512/description.txt b/testing/tests/ikev1/ike-alg-sha2_512/description.txt index 1bec4b8c6..240b8f2b0 100644 --- a/testing/tests/ikev1/ike-alg-sha2_512/description.txt +++ b/testing/tests/ikev1/ike-alg-sha2_512/description.txt @@ -1,4 +1,4 @@ Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the paranoid cipher suite -<b>AES_CBC_256-SHA2_512-MODP8192</b> for the IKE protocol and -<b>AES_256-HMAC_SHA2_256</b> for ESP packets. A ping from <b>carol</b> to +<b>AES_CBC_256 / HMAC_SHA2_512 / MODP_8192</b> for the IKE protocol and +<b>AES_CBC_256 / HMAC_SHA2_256</b> for ESP packets. A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel. diff --git a/testing/tests/ikev1/ike-alg-sha2_512/evaltest.dat b/testing/tests/ikev1/ike-alg-sha2_512/evaltest.dat index dbd35429c..10929457f 100644 --- a/testing/tests/ikev1/ike-alg-sha2_512/evaltest.dat +++ b/testing/tests/ikev1/ike-alg-sha2_512/evaltest.dat @@ -1,8 +1,8 @@ carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES -moon::ipsec statusall::IKE algorithm newest: AES_CBC_256-SHA2_512-MODP8192::YES -carol::ipsec statusall::IKE algorithm newest: AES_CBC_256-SHA2_512-MODP8192::YES -moon::ipsec statusall::ESP algorithm newest: AES_256-HMAC_SHA2_256::YES -carol::ipsec statusall::ESP algorithm newest: AES_256-HMAC_SHA2_256::YES +moon::ipsec statusall::IKE proposal: AES_CBC_256/HMAC_SHA2_512/MODP_8192::YES +carol::ipsec statusall::IKE proposal: AES_CBC_256/HMAC_SHA2_512/MODP_8192::YES +moon::ipsec statusall::ESP proposal: AES_CBC_256/HMAC_SHA2_256::YES +carol::ipsec statusall::ESP proposal: AES_CBC_256/HMAC_SHA2_256::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES diff --git a/testing/tests/ikev1/ike-alg-strict-fail/description.txt b/testing/tests/ikev1/ike-alg-strict-fail/description.txt index 03c655480..252080e80 100644 --- a/testing/tests/ikev1/ike-alg-strict-fail/description.txt +++ b/testing/tests/ikev1/ike-alg-strict-fail/description.txt @@ -1,5 +1,5 @@ -The roadwarrior <b>carol</b> proposes <b>3DES</b> encryption with SHA-1 authentication +The roadwarrior <b>carol</b> proposes <b>3DES_CBC</b> encryption with HMAC_SHA1 authentication as the only cipher suite for both the ISAKMP and IPsec SA. The gateway <b>moon</b> defines -<b>ike=aes-128-sha</b> only, but will accept any other support algorithm proposed by the peer, +<b>ike=aes128-sha1</b> only, but will accept any other support algorithm proposed by the peer, leading to a successful negotiation of Phase 1. Because for Phase 2 <b>moon</b> enforces -<b>esp=aes-128-sha1!</b> by using the strict flag '!', the ISAKMP SA will fail. +<b>esp=aes128-sha1!</b> by using the strict flag '!', the ISAKMP SA will fail. diff --git a/testing/tests/ikev1/ike-alg-strict-fail/evaltest.dat b/testing/tests/ikev1/ike-alg-strict-fail/evaltest.dat index 931b8855a..0c6bc7f7e 100644 --- a/testing/tests/ikev1/ike-alg-strict-fail/evaltest.dat +++ b/testing/tests/ikev1/ike-alg-strict-fail/evaltest.dat @@ -1,5 +1,5 @@ carol::ipsec status::home.*STATE_MAIN_I4.*ISAKMP SA established::NO moon::ipsec status::rw.*STATE_MAIN_R3.*ISAKMP SA established::NO carol::cat /var/log/auth.log::NO_PROPOSAL_CHOSEN::YES -moon::cat /var/log/auth.log::Oakley Transform.*OAKLEY_3DES_CBC (192), OAKLEY_SHA.*refused due to strict flag::YES +moon::cat /var/log/auth.log::Oakley Transform.*3DES_CBC (192), HMAC_SHA1.*refused due to strict flag::YES moon::cat /var/log/auth.log::no acceptable Oakley Transform::YES diff --git a/testing/tests/ikev1/ike-alg-strict-fail/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/ike-alg-strict-fail/hosts/carol/etc/ipsec.conf index cbe5469f0..63ad1c01d 100755 --- a/testing/tests/ikev1/ike-alg-strict-fail/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/ike-alg-strict-fail/hosts/carol/etc/ipsec.conf @@ -11,7 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 - ike=3des-sha + ike=3des-sha1 esp=3des-sha1 conn home diff --git a/testing/tests/ikev1/ike-alg-strict-fail/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/ike-alg-strict-fail/hosts/moon/etc/ipsec.conf index 42e5f8404..1ea5fe7a5 100755 --- a/testing/tests/ikev1/ike-alg-strict-fail/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/ike-alg-strict-fail/hosts/moon/etc/ipsec.conf @@ -11,7 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 - ike=aes128-sha! + ike=aes128-sha1! esp=aes128-sha1 conn rw diff --git a/testing/tests/ikev1/ike-alg-strict/description.txt b/testing/tests/ikev1/ike-alg-strict/description.txt index 35d266e20..af93b95c3 100644 --- a/testing/tests/ikev1/ike-alg-strict/description.txt +++ b/testing/tests/ikev1/ike-alg-strict/description.txt @@ -1,5 +1,5 @@ -The roadwarrior <b>carol</b> proposes <b>3DES</b> encryption with <b>SHA-1</b> authentication in the first place -and <b>AES-128</b> encryption with <b>SHA-1</b> authentication in the second place for both the ISAKMP and IPsec SA. -The gateway <b>moon</b> enforces <b>ike=aes-128-sha!</b> for Phase 1 by using the strict flag '!', +The roadwarrior <b>carol</b> proposes <b>3DES_CBC</b> encryption with <b>HMAC_SHA1</b> authentication in the first place +and <b>AES_CBC_128</b> encryption with <b>HMAC_SHA1</b> authentication in the second place for both the ISAKMP and IPsec SA. +The gateway <b>moon</b> enforces <b>ike=aes128-sha!</b> for Phase 1 by using the strict flag '!', but will accept any other supported algorithm proposed by the peer for Phase 2 , even though <b>moon</b> -defines itself <b>esp=aes-128-sha1</b> only. +defines itself <b>esp=aes128-sha1</b> only. diff --git a/testing/tests/ikev1/ike-alg-strict/evaltest.dat b/testing/tests/ikev1/ike-alg-strict/evaltest.dat index 46140be8a..8acd0d039 100644 --- a/testing/tests/ikev1/ike-alg-strict/evaltest.dat +++ b/testing/tests/ikev1/ike-alg-strict/evaltest.dat @@ -1,7 +1,7 @@ carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES -moon::cat /var/log/auth.log::Oakley Transform.*OAKLEY_3DES_CBC (192), OAKLEY_SHA.*refused due to strict flag::YES -moon::ipsec statusall::IKE algorithm newest: AES_CBC_128-SHA::YES -moon::ipsec statusall::ESP algorithm newest: 3DES_0-HMAC_SHA1::YES -carol::ipsec statusall::IKE algorithm newest: AES_CBC_128-SHA::YES -carol::ipsec statusall::ESP algorithm newest: 3DES_0-HMAC_SHA1::YES +moon::cat /var/log/auth.log::Oakley Transform.*3DES_CBC (192), HMAC_SHA1.*refused due to strict flag::YES +moon::ipsec statusall::IKE proposal: AES_CBC_128/HMAC_SHA1::YES +moon::ipsec statusall::ESP proposal: 3DES_CBC/HMAC_SHA1::YES +carol::ipsec statusall::IKE proposal: AES_CBC_128/HMAC_SHA::YES +carol::ipsec statusall::ESP proposal: 3DES_CBC/HMAC_SHA1::YES diff --git a/testing/tests/ikev1/ike-alg-strict/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/ike-alg-strict/hosts/carol/etc/ipsec.conf index b8e2257c4..9272bdc7f 100755 --- a/testing/tests/ikev1/ike-alg-strict/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/ike-alg-strict/hosts/carol/etc/ipsec.conf @@ -11,8 +11,8 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 - ike=3des-sha,aes-128-sha - esp=3des-sha1,aes-128-sha1 + ike=3des-sha1,aes128-sha1 + esp=3des-sha1,aes128-sha1 conn home left=PH_IP_CAROL leftcert=carolCert.pem diff --git a/testing/tests/ikev1/ike-alg-strict/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/ike-alg-strict/hosts/moon/etc/ipsec.conf index 42e5f8404..1ea5fe7a5 100755 --- a/testing/tests/ikev1/ike-alg-strict/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/ike-alg-strict/hosts/moon/etc/ipsec.conf @@ -11,7 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 - ike=aes128-sha! + ike=aes128-sha1! esp=aes128-sha1 conn rw diff --git a/testing/tests/ikev1/mode-config/evaltest.dat b/testing/tests/ikev1/mode-config/evaltest.dat index 9d60cf7b0..69f77946e 100644 --- a/testing/tests/ikev1/mode-config/evaltest.dat +++ b/testing/tests/ikev1/mode-config/evaltest.dat @@ -1,4 +1,6 @@ carol::cat /var/log/auth.log::setting virtual IP source address to PH_IP_CAROL1::YES +carol::cat /var/log/auth.log::received IPv4 DNS server address PH_IP_WINNETOU::YES +carol::cat /var/log/auth.log::received IPv6 DNS server address fec1\:\:20::YES carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES dave::cat /var/log/auth.log::setting virtual IP source address to PH_IP_DAVE1::YES diff --git a/testing/tests/ikev1/mode-config/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/mode-config/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..3e950c81d --- /dev/null +++ b/testing/tests/ikev1/mode-config/hosts/moon/etc/strongswan.conf @@ -0,0 +1,13 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = sha1 sha2 md5 aes des hmac gmp pubkey random curl + dns1 = PH_IP_WINNETOU + dns2 = PH_IP6_VENUS +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/multi-level-ca-ldap/evaltest.dat b/testing/tests/ikev1/multi-level-ca-ldap/evaltest.dat index f504706e2..9cfa502aa 100644 --- a/testing/tests/ikev1/multi-level-ca-ldap/evaltest.dat +++ b/testing/tests/ikev1/multi-level-ca-ldap/evaltest.dat @@ -2,7 +2,7 @@ moon::cat /var/log/auth.log::PH_IP_CAROL.*X.509 certificate rejected::YES carol::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES moon::cat /var/log/auth.log::PH_IP_DAVE.*X.509 certificate rejected::YES dave::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES -moon::cat /var/log/auth.log::Trying LDAP URL::YES +moon::cat /var/log/auth.log::fetching crl from .*ldap://ldap.strongswan.org::YES carol::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::YES moon::ipsec status::alice.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::YES carol::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::NO diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..b15cf2d3f --- /dev/null +++ b/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = sha1 sha2 md5 aes des hmac gmp pubkey random curl ldap +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..b15cf2d3f --- /dev/null +++ b/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = sha1 sha2 md5 aes des hmac gmp pubkey random curl ldap +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..b15cf2d3f --- /dev/null +++ b/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = sha1 sha2 md5 aes des hmac gmp pubkey random curl ldap +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/nat-two-rw-psk/hosts/alice/etc/strongswan.conf b/testing/tests/ikev1/nat-two-rw-psk/hosts/alice/etc/strongswan.conf new file mode 100644 index 000000000..85e5f1aee --- /dev/null +++ b/testing/tests/ikev1/nat-two-rw-psk/hosts/alice/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = sha1 sha2 md5 aes des hmac gmp random +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..85e5f1aee --- /dev/null +++ b/testing/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = sha1 sha2 md5 aes des hmac gmp random +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/nat-two-rw-psk/hosts/venus/etc/strongswan.conf b/testing/tests/ikev1/nat-two-rw-psk/hosts/venus/etc/strongswan.conf new file mode 100644 index 000000000..85e5f1aee --- /dev/null +++ b/testing/tests/ikev1/nat-two-rw-psk/hosts/venus/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = sha1 sha2 md5 aes des hmac gmp random +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..85e5f1aee --- /dev/null +++ b/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = sha1 sha2 md5 aes des hmac gmp random +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..85e5f1aee --- /dev/null +++ b/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = sha1 sha2 md5 aes des hmac gmp random +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/net2net-psk/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/net2net-psk/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..85e5f1aee --- /dev/null +++ b/testing/tests/ikev1/net2net-psk/hosts/moon/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = sha1 sha2 md5 aes des hmac gmp random +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/net2net-psk/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/net2net-psk/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..85e5f1aee --- /dev/null +++ b/testing/tests/ikev1/net2net-psk/hosts/sun/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = sha1 sha2 md5 aes des hmac gmp random +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/no-priv-key/evaltest.dat b/testing/tests/ikev1/no-priv-key/evaltest.dat index 9bd85ba12..c2612167a 100644 --- a/testing/tests/ikev1/no-priv-key/evaltest.dat +++ b/testing/tests/ikev1/no-priv-key/evaltest.dat @@ -1,4 +1,4 @@ -carol::cat /var/log/auth.log::unable to locate my private key for RSA Signature::YES -moon::cat /var/log/auth.log::ignoring informational payload, type AUTHENTICATION_FAILED::YES +carol::cat /var/log/auth.log::unable to locate my private key::YES +carol::cat /var/log/auth.log::empty ISAKMP SA proposal to send::YES moon::ipsec status::rw.*STATE_MAIN_R3.*ISAKMP SA established::NO carol::ipsec status::home.*STATE_MAIN_I4.*ISAKMP SA established::NO diff --git a/testing/tests/ikev1/protoport-route/evaltest.dat b/testing/tests/ikev1/protoport-route/evaltest.dat index 759295675..b266d86d8 100644 --- a/testing/tests/ikev1/protoport-route/evaltest.dat +++ b/testing/tests/ikev1/protoport-route/evaltest.dat @@ -1,5 +1,5 @@ -carol::ping -c 2 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq::YES -carol::ping -c 2 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq::YES +carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq::YES carol::ssh PH_IP_ALICE hostname::alice::YES carol::cat /var/log/auth.log::initiate on demand::YES carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES diff --git a/testing/tests/ikev1/protoport-route/pretest.dat b/testing/tests/ikev1/protoport-route/pretest.dat index f233ad48f..b1fc81827 100644 --- a/testing/tests/ikev1/protoport-route/pretest.dat +++ b/testing/tests/ikev1/protoport-route/pretest.dat @@ -2,5 +2,7 @@ moon::/etc/init.d/iptables start 2> /dev/null carol::/etc/init.d/iptables start 2> /dev/null moon::ipsec start carol::ipsec start +carol::sleep 1 +carol::ssh -o ConnectTimeout=5 PH_IP_ALICE hostname +carol::ping -c 1 PH_IP_ALICE > /dev/null carol::sleep 2 -carol::ssh PH_IP_ALICE hostname diff --git a/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..52fd0c788 --- /dev/null +++ b/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/strongswan.conf @@ -0,0 +1,15 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = sha1 sha2 md5 aes des hmac gmp pubkey random curl +} + +scepclient { + load = sha1 sha2 md5 aes des hmac gmp pubkey random +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/req-pkcs10/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/req-pkcs10/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..52fd0c788 --- /dev/null +++ b/testing/tests/ikev1/req-pkcs10/hosts/moon/etc/strongswan.conf @@ -0,0 +1,15 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = sha1 sha2 md5 aes des hmac gmp pubkey random curl +} + +scepclient { + load = sha1 sha2 md5 aes des hmac gmp pubkey random +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-cert/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..304ef99e0 --- /dev/null +++ b/testing/tests/ikev1/rw-cert/hosts/carol/etc/strongswan.conf @@ -0,0 +1,14 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = test-vectors sha1 sha2 md5 aes des hmac gmp pubkey random curl +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no + crypto_test { + on_add = yes + } +} diff --git a/testing/tests/ikev1/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-cert/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..304ef99e0 --- /dev/null +++ b/testing/tests/ikev1/rw-cert/hosts/moon/etc/strongswan.conf @@ -0,0 +1,14 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = test-vectors sha1 sha2 md5 aes des hmac gmp pubkey random curl +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no + crypto_test { + on_add = yes + } +} diff --git a/testing/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..85e5f1aee --- /dev/null +++ b/testing/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = sha1 sha2 md5 aes des hmac gmp random +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..85e5f1aee --- /dev/null +++ b/testing/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = sha1 sha2 md5 aes des hmac gmp random +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..85e5f1aee --- /dev/null +++ b/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = sha1 sha2 md5 aes des hmac gmp random +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..85e5f1aee --- /dev/null +++ b/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = sha1 sha2 md5 aes des hmac gmp random +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..85e5f1aee --- /dev/null +++ b/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = sha1 sha2 md5 aes des hmac gmp random +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..85e5f1aee --- /dev/null +++ b/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = sha1 sha2 md5 aes des hmac gmp random +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/rw-psk-no-policy/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-no-policy/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..85e5f1aee --- /dev/null +++ b/testing/tests/ikev1/rw-psk-no-policy/hosts/carol/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = sha1 sha2 md5 aes des hmac gmp random +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/rw-psk-no-policy/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-no-policy/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..85e5f1aee --- /dev/null +++ b/testing/tests/ikev1/rw-psk-no-policy/hosts/moon/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = sha1 sha2 md5 aes des hmac gmp random +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/rw-psk-rsa-mixed/evaltest.dat b/testing/tests/ikev1/rw-psk-rsa-mixed/evaltest.dat index 9e1354121..5ab6632cc 100644 --- a/testing/tests/ikev1/rw-psk-rsa-mixed/evaltest.dat +++ b/testing/tests/ikev1/rw-psk-rsa-mixed/evaltest.dat @@ -2,6 +2,6 @@ carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES moon::cat /var/log/auth.log::peer requests PSK authentication::YES moon::ipsec status::rw-psk.*PH_IP_CAROL STATE_QUICK_R2.*IPsec SA established::YES -moon::cat /var/log/auth.log::peer requests RSASIG authentication::YES +moon::cat /var/log/auth.log::peer requests PUBKEY authentication::YES moon::ipsec status::rw-rsasig.*PH_IP_DAVE STATE_QUICK_R2.*IPsec SA established::YES diff --git a/testing/tests/ikev1/rw-rsa-no-policy/evaltest.dat b/testing/tests/ikev1/rw-rsa-no-policy/evaltest.dat index 188b7bbb5..849ae5d66 100644 --- a/testing/tests/ikev1/rw-rsa-no-policy/evaltest.dat +++ b/testing/tests/ikev1/rw-rsa-no-policy/evaltest.dat @@ -1,5 +1,5 @@ carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::NO -moon::cat /var/log/auth.log::peer requests RSASIG authentication::YES -moon::cat /var/log/auth.log::but no connection has been authorized with policy=RSASIG::YES +moon::cat /var/log/auth.log::peer requests PUBKEY authentication::YES +moon::cat /var/log/auth.log::but no connection has been authorized with policy=PUBKEY::YES moon::ipsec status::*PH_IP_CAROL STATE_QUICK_R2.*IPsec SA established::NO diff --git a/testing/tests/ikev1/self-signed/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/self-signed/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..52fd0c788 --- /dev/null +++ b/testing/tests/ikev1/self-signed/hosts/carol/etc/strongswan.conf @@ -0,0 +1,15 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = sha1 sha2 md5 aes des hmac gmp pubkey random curl +} + +scepclient { + load = sha1 sha2 md5 aes des hmac gmp pubkey random +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/self-signed/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/self-signed/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..52fd0c788 --- /dev/null +++ b/testing/tests/ikev1/self-signed/hosts/moon/etc/strongswan.conf @@ -0,0 +1,15 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = sha1 sha2 md5 aes des hmac gmp pubkey random curl +} + +scepclient { + load = sha1 sha2 md5 aes des hmac gmp pubkey random +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/xauth-psk-mode-config/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-psk-mode-config/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..85e5f1aee --- /dev/null +++ b/testing/tests/ikev1/xauth-psk-mode-config/hosts/carol/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = sha1 sha2 md5 aes des hmac gmp random +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/xauth-psk-mode-config/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-psk-mode-config/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..85e5f1aee --- /dev/null +++ b/testing/tests/ikev1/xauth-psk-mode-config/hosts/dave/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = sha1 sha2 md5 aes des hmac gmp random +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/xauth-psk-mode-config/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-psk-mode-config/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..85e5f1aee --- /dev/null +++ b/testing/tests/ikev1/xauth-psk-mode-config/hosts/moon/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = sha1 sha2 md5 aes des hmac gmp random +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/xauth-psk/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-psk/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..85e5f1aee --- /dev/null +++ b/testing/tests/ikev1/xauth-psk/hosts/carol/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = sha1 sha2 md5 aes des hmac gmp random +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/xauth-psk/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-psk/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..85e5f1aee --- /dev/null +++ b/testing/tests/ikev1/xauth-psk/hosts/dave/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = sha1 sha2 md5 aes des hmac gmp random +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/xauth-psk/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-psk/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..85e5f1aee --- /dev/null +++ b/testing/tests/ikev1/xauth-psk/hosts/moon/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = sha1 sha2 md5 aes des hmac gmp random +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev2/alg-aes-xcbc/description.txt b/testing/tests/ikev2/alg-aes-xcbc/description.txt index 24a4afe57..cce0e1cd6 100644 --- a/testing/tests/ikev2/alg-aes-xcbc/description.txt +++ b/testing/tests/ikev2/alg-aes-xcbc/description.txt @@ -1,4 +1,4 @@ Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite -<b>AES_CBC-256/AES_XCBC_96</b> by defining <b>esp=aes256-aesxcbc-modp2048</b> +<b>AES_CBC_256 / AES_XCBC_96</b> by defining <b>esp=aes256-aesxcbc-modp2048</b> in ipsec.conf. The same cipher suite is used for IKE: <b>ike=aes256-aesxcbc-modp2048</b>. A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel. diff --git a/testing/tests/ikev2/alg-aes-xcbc/evaltest.dat b/testing/tests/ikev2/alg-aes-xcbc/evaltest.dat index 853746cd4..5217c18df 100644 --- a/testing/tests/ikev2/alg-aes-xcbc/evaltest.dat +++ b/testing/tests/ikev2/alg-aes-xcbc/evaltest.dat @@ -1,9 +1,9 @@ moon::ipsec statusall::rw.*INSTALLED::YES carol::ipsec statusall::home.*INSTALLED::YES -moon::ipsec statusall::rw.*IKE proposal.*AES_CBC-256/AES_XCBC_96/PRF_AES128_CBC/MODP_2048_BIT::YES -carol::ipsec statusall::home.*IKE proposal.*AES_CBC-256/AES_XCBC_96/PRF_AES128_CBC/MODP_2048_BIT::YES -moon::ipsec statusall::rw.*AES_CBC-256/AES_XCBC_96,::YES -carol::ipsec statusall::home.*AES_CBC-256/AES_XCBC_96,::YES +moon::ipsec statusall::rw.*IKE proposal.*AES_CBC_256/AES_XCBC_96/PRF_AES128_XCBC/MODP_2048::YES +carol::ipsec statusall::home.*IKE proposal.*AES_CBC_256/AES_XCBC_96/PRF_AES128_XCBC/MODP_2048::YES +moon::ipsec statusall::rw.*AES_CBC_256/AES_XCBC_96,::YES +carol::ipsec statusall::home.*AES_CBC_256/AES_XCBC_96,::YES moon::ip xfrm state::auth xcbc(aes)::YES carol::ip xfrm state::auth xcbc(aes)::YES carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES diff --git a/testing/tests/ikev2/alg-blowfish/description.txt b/testing/tests/ikev2/alg-blowfish/description.txt new file mode 100644 index 000000000..24b50b909 --- /dev/null +++ b/testing/tests/ikev2/alg-blowfish/description.txt @@ -0,0 +1,6 @@ +The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each +to gateway <b>moon</b> using <b>Blowfish</b> for both IKE and ESP +encryption. Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b> +automatically inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping +the client <b>alice</b> behind the gateway <b>moon</b>. diff --git a/testing/tests/ikev2/alg-blowfish/evaltest.dat b/testing/tests/ikev2/alg-blowfish/evaltest.dat new file mode 100644 index 000000000..a1f9f6a8e --- /dev/null +++ b/testing/tests/ikev2/alg-blowfish/evaltest.dat @@ -0,0 +1,16 @@ +moon::ipsec statusall::rw.*ESTABLISHED::YES +carol::ipsec statusall::home.*ESTABLISHED::YES +carol::ipsec statusall::IKE proposal: BLOWFISH_CBC_256::YES +carol::ipsec statusall::BLOWFISH_CBC_192.*,::YES +carol::ip -s xfrm state::enc cbc(blowfish).*(192 bits)::YES +dave::ipsec statusall::home.*ESTABLISHED::YES +dave::ipsec statusall::IKE proposal: BLOWFISH_CBC_128::YES +dave::ipsec statusall::BLOWFISH_CBC_128.*,::YES +dave::ip -s xfrm state::enc cbc(blowfish).*(128 bits)::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES + diff --git a/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..a78724926 --- /dev/null +++ b/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/ipsec.conf @@ -0,0 +1,26 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + charondebug="cfg 2" + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + ike=blowfish256-sha512-modp2048! + esp=blowfish192-sha256! + +conn home + left=PH_IP_CAROL + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..e9829d508 --- /dev/null +++ b/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + dh_exponent_ansi_x9_42 = no + load = aes des blowfish md5 sha1 sha2 gmp curl random x509 pubkey hmac stroke kernel-netlink updown +} diff --git a/testing/tests/ikev2/alg-blowfish/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/alg-blowfish/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..26f3f3a04 --- /dev/null +++ b/testing/tests/ikev2/alg-blowfish/hosts/dave/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + ike=blowfish128-sha256-modp1536! + esp=blowfish128-sha1! + +conn home + left=PH_IP_DAVE + leftcert=daveCert.pem + leftid=dave@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..e9829d508 --- /dev/null +++ b/testing/tests/ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + dh_exponent_ansi_x9_42 = no + load = aes des blowfish md5 sha1 sha2 gmp curl random x509 pubkey hmac stroke kernel-netlink updown +} diff --git a/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..5183e26d2 --- /dev/null +++ b/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + charondebug="cfg 2" + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + ike=blowfish256-sha512-modp2048,blowfish128-sha256-modp1536! + esp=blowfish192-sha256,blowfish128-sha1! + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + leftfirewall=yes + right=%any + auto=add diff --git a/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..e9829d508 --- /dev/null +++ b/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + dh_exponent_ansi_x9_42 = no + load = aes des blowfish md5 sha1 sha2 gmp curl random x509 pubkey hmac stroke kernel-netlink updown +} diff --git a/testing/tests/openssl/ike-alg-ecp-low/posttest.dat b/testing/tests/ikev2/alg-blowfish/posttest.dat index 7cebd7f25..7cebd7f25 100644 --- a/testing/tests/openssl/ike-alg-ecp-low/posttest.dat +++ b/testing/tests/ikev2/alg-blowfish/posttest.dat diff --git a/testing/tests/openssl/ike-alg-ecp-low/pretest.dat b/testing/tests/ikev2/alg-blowfish/pretest.dat index 42e9d7c24..42e9d7c24 100644 --- a/testing/tests/openssl/ike-alg-ecp-low/pretest.dat +++ b/testing/tests/ikev2/alg-blowfish/pretest.dat diff --git a/testing/tests/openssl/ike-alg-ecp-low/test.conf b/testing/tests/ikev2/alg-blowfish/test.conf index 70416826e..70416826e 100644 --- a/testing/tests/openssl/ike-alg-ecp-low/test.conf +++ b/testing/tests/ikev2/alg-blowfish/test.conf diff --git a/testing/tests/ikev2/any-interface/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/any-interface/hosts/alice/etc/strongswan.conf index ef63f7262..66a6137cb 100644 --- a/testing/tests/ikev2/any-interface/hosts/alice/etc/strongswan.conf +++ b/testing/tests/ikev2/any-interface/hosts/alice/etc/strongswan.conf @@ -2,4 +2,5 @@ charon { load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink + multiple_authentication = no } diff --git a/testing/tests/ikev2/any-interface/hosts/bob/etc/strongswan.conf b/testing/tests/ikev2/any-interface/hosts/bob/etc/strongswan.conf index ef63f7262..66a6137cb 100644 --- a/testing/tests/ikev2/any-interface/hosts/bob/etc/strongswan.conf +++ b/testing/tests/ikev2/any-interface/hosts/bob/etc/strongswan.conf @@ -2,4 +2,5 @@ charon { load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink + multiple_authentication = no } diff --git a/testing/tests/ikev2/any-interface/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/any-interface/hosts/moon/etc/strongswan.conf index ef63f7262..66a6137cb 100644 --- a/testing/tests/ikev2/any-interface/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/any-interface/hosts/moon/etc/strongswan.conf @@ -2,4 +2,5 @@ charon { load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink + multiple_authentication = no } diff --git a/testing/tests/ikev2/any-interface/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/any-interface/hosts/sun/etc/strongswan.conf index ef63f7262..66a6137cb 100644 --- a/testing/tests/ikev2/any-interface/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/any-interface/hosts/sun/etc/strongswan.conf @@ -2,4 +2,5 @@ charon { load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink + multiple_authentication = no } diff --git a/testing/tests/ikev2/config-payload/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/config-payload/hosts/carol/etc/strongswan.conf index 40eb84b8a..ae5e4f72b 100644 --- a/testing/tests/ikev2/config-payload/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/config-payload/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown resolv-conf } diff --git a/testing/tests/ikev2/config-payload/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/config-payload/hosts/dave/etc/strongswan.conf index 40eb84b8a..ae5e4f72b 100644 --- a/testing/tests/ikev2/config-payload/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/config-payload/hosts/dave/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown resolv-conf } diff --git a/testing/tests/ikev2/config-payload/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/config-payload/hosts/moon/etc/strongswan.conf index 9068f9dcf..a6036a5da 100644 --- a/testing/tests/ikev2/config-payload/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/config-payload/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown attr dns1 = PH_IP_WINNETOU dns2 = PH_IP_VENUS } diff --git a/testing/tests/ikev2/crl-revoked/evaltest.dat b/testing/tests/ikev2/crl-revoked/evaltest.dat index 2242746db..62ed8676a 100644 --- a/testing/tests/ikev2/crl-revoked/evaltest.dat +++ b/testing/tests/ikev2/crl-revoked/evaltest.dat @@ -1,5 +1,4 @@ moon::cat /var/log/daemon.log::certificate was revoked::YES -moon::cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*failed::YES carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES moon::ipsec status::rw.*ESTABLISHED::NO carol::ipsec status::home.*ESTABLISHED::NO diff --git a/testing/tests/ikev2/crl-strict/description.txt b/testing/tests/ikev2/crl-strict/description.txt deleted file mode 100644 index b2b70906f..000000000 --- a/testing/tests/ikev2/crl-strict/description.txt +++ /dev/null @@ -1,2 +0,0 @@ -By setting <b>strictcrlpolicy=yes</b>, a <b>strict CRL policy</b> is enforced on -both roadwarrior <b>carol</b> and gateway <b>moon</b>. diff --git a/testing/tests/ikev2/crl-strict/evaltest.dat b/testing/tests/ikev2/crl-strict/evaltest.dat deleted file mode 100644 index ac70750c5..000000000 --- a/testing/tests/ikev2/crl-strict/evaltest.dat +++ /dev/null @@ -1,4 +0,0 @@ -moon::ipsec statusall::rw.*ESTABLISHED::YES -carol::ipsec statusall::home.*ESTABLISHED::YES -moon::ipsec listcrls:: ok::YES -carol::ipsec listcrls:: ok::YES diff --git a/testing/tests/ikev2/crl-strict/posttest.dat b/testing/tests/ikev2/crl-strict/posttest.dat deleted file mode 100644 index c6d6235f9..000000000 --- a/testing/tests/ikev2/crl-strict/posttest.dat +++ /dev/null @@ -1,2 +0,0 @@ -moon::ipsec stop -carol::ipsec stop diff --git a/testing/tests/ikev2/crl-strict/pretest.dat b/testing/tests/ikev2/crl-strict/pretest.dat deleted file mode 100644 index 8984dcbcf..000000000 --- a/testing/tests/ikev2/crl-strict/pretest.dat +++ /dev/null @@ -1,4 +0,0 @@ -moon::ipsec start -carol::ipsec start -carol::sleep 1 -carol::ipsec up home diff --git a/testing/tests/ikev2/crl-to-cache/evaltest.dat b/testing/tests/ikev2/crl-to-cache/evaltest.dat index 00489436e..afc8f67e4 100644 --- a/testing/tests/ikev2/crl-to-cache/evaltest.dat +++ b/testing/tests/ikev2/crl-to-cache/evaltest.dat @@ -1,4 +1,4 @@ moon::ipsec status::rw.*ESTABLISHED::YES carol::ipsec status::home.*ESTABLISHED::YES -moon::cat /var/log/daemon.log::written crl to.*/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl::YES -carol::cat /var/log/daemon.log::written crl to.*/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl::YES +moon::cat /var/log/daemon.log::written crl .*/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl::YES +carol::cat /var/log/daemon.log::written crl .*/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl::YES diff --git a/testing/tests/ikev2/default-keys/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/default-keys/hosts/carol/etc/strongswan.conf index 40eb84b8a..6cb8c1369 100644 --- a/testing/tests/ikev2/default-keys/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/default-keys/hosts/carol/etc/strongswan.conf @@ -3,3 +3,7 @@ charon { load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown } + +scepclient { + load = sha1 sha2 md5 aes des hmac gmp pubkey random +} diff --git a/testing/tests/ikev2/default-keys/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/default-keys/hosts/moon/etc/strongswan.conf index 40eb84b8a..6cb8c1369 100644 --- a/testing/tests/ikev2/default-keys/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/default-keys/hosts/moon/etc/strongswan.conf @@ -3,3 +3,7 @@ charon { load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown } + +scepclient { + load = sha1 sha2 md5 aes des hmac gmp pubkey random +} diff --git a/testing/tests/ikev2/esp-alg-aes-ccm/description.txt b/testing/tests/ikev2/esp-alg-aes-ccm/description.txt index cb08a9312..9fe03b010 100644 --- a/testing/tests/ikev2/esp-alg-aes-ccm/description.txt +++ b/testing/tests/ikev2/esp-alg-aes-ccm/description.txt @@ -1,4 +1,4 @@ Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite -<b>AES_CCM_12-128</b> by defining <b>esp=aes128gcm12-modp2048</b> or alternatively -<b>esp=aes128gcm96-modp2048</b> in ipsec.conf. +<b>AES_CCM_12_128</b> by defining <b>esp=aes128ccm12-modp2048</b> or alternatively +<b>esp=aes128ccm96-modp2048</b> in ipsec.conf. A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel. diff --git a/testing/tests/ikev2/esp-alg-aes-ccm/evaltest.dat b/testing/tests/ikev2/esp-alg-aes-ccm/evaltest.dat index dc5032133..9a1c6b8e9 100644 --- a/testing/tests/ikev2/esp-alg-aes-ccm/evaltest.dat +++ b/testing/tests/ikev2/esp-alg-aes-ccm/evaltest.dat @@ -1,5 +1,5 @@ moon::ipsec statusall::rw.*INSTALLED::YES carol::ipsec statusall::home.*INSTALLED::YES -moon::ipsec statusall::AES_CCM_12-128::YES -carol::ipsec statusall::AES_CCM_12-128::YES +moon::ipsec statusall::AES_CCM_12_128::YES +carol::ipsec statusall::AES_CCM_12_128::YES carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES diff --git a/testing/tests/ikev2/esp-alg-aes-gcm/description.txt b/testing/tests/ikev2/esp-alg-aes-gcm/description.txt index 721f3c64b..bd9521e0d 100644 --- a/testing/tests/ikev2/esp-alg-aes-gcm/description.txt +++ b/testing/tests/ikev2/esp-alg-aes-gcm/description.txt @@ -1,4 +1,4 @@ Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite -<b>AES_GCM_16-256</b> by defining <b>esp=aes256gcm16-modp2048</b> or alternatively +<b>AES_GCM_16_256</b> by defining <b>esp=aes256gcm16-modp2048</b> or alternatively <b>esp=aes256gcm128-modp2048</b> in ipsec.conf. A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel. diff --git a/testing/tests/ikev2/esp-alg-aes-gcm/evaltest.dat b/testing/tests/ikev2/esp-alg-aes-gcm/evaltest.dat index 8f007b900..12a2dab3c 100644 --- a/testing/tests/ikev2/esp-alg-aes-gcm/evaltest.dat +++ b/testing/tests/ikev2/esp-alg-aes-gcm/evaltest.dat @@ -1,5 +1,5 @@ moon::ipsec statusall::rw.*INSTALLED::YES carol::ipsec statusall::home.*INSTALLED::YES -moon::ipsec statusall::AES_GCM_16-256::YES -carol::ipsec statusall::AES_GCM_16-256::YES +moon::ipsec statusall::AES_GCM_16_256::YES +carol::ipsec statusall::AES_GCM_16_256::YES carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES diff --git a/testing/tests/ikev2/esp-alg-camellia/description.txt b/testing/tests/ikev2/esp-alg-camellia/description.txt new file mode 100644 index 000000000..e79bc4f87 --- /dev/null +++ b/testing/tests/ikev2/esp-alg-camellia/description.txt @@ -0,0 +1,3 @@ +Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite +<b>CAMELLIA_CBC_192 / HMAC_SHA1_96</b> by defining <b>esp=camellia192-sha1</b> in ipsec.conf. +A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel. diff --git a/testing/tests/ikev2/esp-alg-camellia/evaltest.dat b/testing/tests/ikev2/esp-alg-camellia/evaltest.dat new file mode 100644 index 000000000..a8a78e25b --- /dev/null +++ b/testing/tests/ikev2/esp-alg-camellia/evaltest.dat @@ -0,0 +1,7 @@ +moon::ipsec statusall::rw.*INSTALLED::YES +carol::ipsec statusall::home.*INSTALLED::YES +moon::ipsec statusall::CAMELLIA_CBC_192/HMAC_SHA1_96::YES +carol::ipsec statusall::CAMELLIA_CBC_192/HMAC_SHA1_96::YES +moon::ip xfrm state::enc cbc(camellia)::YES +carol::ip xfrm state::enc cbc(camellia)::YES +carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES diff --git a/testing/tests/ikev2/esp-alg-camellia/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-camellia/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..74562cd3c --- /dev/null +++ b/testing/tests/ikev2/esp-alg-camellia/hosts/carol/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=yes + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + ike=aes192-sha1-modp2048! + esp=camellia192-sha1! + +conn home + left=PH_IP_CAROL + leftfirewall=yes + leftcert=carolCert.pem + leftid=carol@strongswan.org + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ikev1/after-2038-certs/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-camellia/hosts/carol/etc/strongswan.conf index 40eb84b8a..40eb84b8a 100644 --- a/testing/tests/ikev1/after-2038-certs/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/esp-alg-camellia/hosts/carol/etc/strongswan.conf diff --git a/testing/tests/ikev2/esp-alg-camellia/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-camellia/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..a9ce15802 --- /dev/null +++ b/testing/tests/ikev2/esp-alg-camellia/hosts/moon/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=yes + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + ike=aes192-sha1-modp2048! + esp=camellia192-sha1! + +conn rw + left=PH_IP_MOON + leftfirewall=yes + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + right=%any + auto=add diff --git a/testing/tests/ikev1/after-2038-certs/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-camellia/hosts/moon/etc/strongswan.conf index 40eb84b8a..40eb84b8a 100644 --- a/testing/tests/ikev1/after-2038-certs/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/esp-alg-camellia/hosts/moon/etc/strongswan.conf diff --git a/testing/tests/ikev2/esp-alg-camellia/posttest.dat b/testing/tests/ikev2/esp-alg-camellia/posttest.dat new file mode 100644 index 000000000..94a400606 --- /dev/null +++ b/testing/tests/ikev2/esp-alg-camellia/posttest.dat @@ -0,0 +1,4 @@ +moon::ipsec stop +carol::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev2/esp-alg-camellia/pretest.dat b/testing/tests/ikev2/esp-alg-camellia/pretest.dat new file mode 100644 index 000000000..3c3df0196 --- /dev/null +++ b/testing/tests/ikev2/esp-alg-camellia/pretest.dat @@ -0,0 +1,7 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +carol::ipsec start +carol::sleep 1 +carol::ipsec up home +carol::sleep 1 diff --git a/testing/tests/ikev1/alg-twofish/test.conf b/testing/tests/ikev2/esp-alg-camellia/test.conf index a6c8f026c..2b240d895 100644 --- a/testing/tests/ikev1/alg-twofish/test.conf +++ b/testing/tests/ikev2/esp-alg-camellia/test.conf @@ -19,4 +19,3 @@ TCPDUMPHOSTS="" # Used for IPsec logging purposes # IPSECHOSTS="moon carol" - diff --git a/testing/tests/ikev2/esp-alg-null/description.txt b/testing/tests/ikev2/esp-alg-null/description.txt index 3f1b35e6c..8fd203098 100644 --- a/testing/tests/ikev2/esp-alg-null/description.txt +++ b/testing/tests/ikev2/esp-alg-null/description.txt @@ -1,3 +1,3 @@ Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite -<b>NULL/HMAC_SHA1_96</b> by defining <b>esp=null-sha1</b> in ipsec.conf. +<b>NULL / HMAC_SHA1_96</b> by defining <b>esp=null-sha1</b> in ipsec.conf. A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel. diff --git a/testing/tests/ikev2/host2host-transport/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/host2host-transport/hosts/moon/etc/strongswan.conf index 40eb84b8a..4731a81d2 100644 --- a/testing/tests/ikev2/host2host-transport/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/host2host-transport/hosts/moon/etc/strongswan.conf @@ -2,4 +2,5 @@ charon { load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown + multiple_authentication = no } diff --git a/testing/tests/ikev2/host2host-transport/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/host2host-transport/hosts/sun/etc/strongswan.conf index 40eb84b8a..4731a81d2 100644 --- a/testing/tests/ikev2/host2host-transport/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/host2host-transport/hosts/sun/etc/strongswan.conf @@ -2,4 +2,5 @@ charon { load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown + multiple_authentication = no } diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/description.txt b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/description.txt new file mode 100644 index 000000000..3641d09ff --- /dev/null +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/description.txt @@ -0,0 +1,17 @@ +The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b> +using multiple authentication exchanges (RFC 4739). In a first round +both <b>carol</b> and <b>moon</b> authenticate themselves by sending +an IKEv2 <b>RSA signature</b> accompanied by a certificate. +<p> +In a second round <b>carol</b> then uses the <i>Extensible Authentication Protocol</i> +in association with a <i>GSM Subscriber Identity Module</i> (<b>EAP-SIM</b>) to +authenticate herself against the remote RADIUS server <b>alice</b>. +In this scenario, triplets from the file <b>/etc/ipsec.d/triplets.dat</b> +are used instead of a physical SIM card on the client <b>carol</b>. +The gateway forwards all EAP messages to the RADIUS server <b>alice</b> +which also uses a static triplets file. +<p> +The roadwarrior <b>dave</b> also uses multiple authentication and succeeds +in the first round but sends wrong EAP-SIM triplets in the second round. +As a consequence the radius server <b>alice</b> returns an <b>Access-Reject</b> +message and the gateway <b>moon</b> sends back an <b>EAP_FAILURE</b>. diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat new file mode 100644 index 000000000..d64b3da7d --- /dev/null +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat @@ -0,0 +1,21 @@ +moon::cat /var/log/daemon.log::parsed IKE_AUTH request.*N(AUTH_FOLLOWS)::YES +moon::cat /var/log/daemon.log::authentication of .*carol@strongswan.org.* with RSA signature successful::YES +carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES +carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES +moon::cat /var/log/daemon.log::received EAP identity .*228060123456001::YES +moon::cat /var/log/daemon.log::authentication of .*228060123456001@strongswan.org.* with EAP successful::YES +moon::ipsec statusall::rw-mult.*ESTABLISHED.*228060123456001@strongswan.org::YES +carol::ipsec statusall::home.*ESTABLISHED.*228060123456001@strongswan.org::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::cat /var/log/daemon.log::authentication of .*dave@strongswan.org.* with RSA signature successful::YES +dave::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES +dave::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES +moon::cat /var/log/daemon.log::received EAP identity .*228060123456002::YES +moon::cat /var/log/daemon.log::received Access-Reject from RADIUS server::YES +moon::cat /var/log/daemon.log::EAP method EAP_SIM failed for peer 228060123456002@strongswan.org::YES +moon::ipsec statusall::rw-mult.*ESTABLISHED.*228060123456002@strongswan.org::NO +dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES +dave::ipsec statusall::home.*ESTABLISHED::NO +dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::NO diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/clients.conf new file mode 100644 index 000000000..f4e179aa4 --- /dev/null +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/clients.conf @@ -0,0 +1,4 @@ +client PH_IP_MOON1 { + secret = gv6URkSs + shortname = moon +} diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/eap.conf new file mode 100644 index 000000000..a2020424e --- /dev/null +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/eap.conf @@ -0,0 +1,5 @@ +eap { + default_eap_type = sim + sim { + } +} diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/proxy.conf new file mode 100644 index 000000000..23cba8d11 --- /dev/null +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/proxy.conf @@ -0,0 +1,5 @@ +realm strongswan.org { + type = radius + authhost = LOCAL + accthost = LOCAL +} diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/radiusd.conf new file mode 100644 index 000000000..d77b818fe --- /dev/null +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/radiusd.conf @@ -0,0 +1,123 @@ +# radiusd.conf -- FreeRADIUS server configuration file. + +prefix = /usr +exec_prefix = ${prefix} +sysconfdir = /etc +localstatedir = /var +sbindir = ${exec_prefix}/sbin +logdir = ${localstatedir}/log/radius +raddbdir = ${sysconfdir}/raddb +radacctdir = ${logdir}/radacct + +# name of the running server. See also the "-n" command-line option. +name = radiusd + +# Location of config and logfiles. +confdir = ${raddbdir} +run_dir = ${localstatedir}/run/radiusd + +# Should likely be ${localstatedir}/lib/radiusd +db_dir = ${raddbdir} + +# libdir: Where to find the rlm_* modules. +libdir = ${exec_prefix}/lib + +# pidfile: Where to place the PID of the RADIUS server. +pidfile = ${run_dir}/${name}.pid + +# max_request_time: The maximum time (in seconds) to handle a request. +max_request_time = 30 + +# cleanup_delay: The time to wait (in seconds) before cleaning up +cleanup_delay = 5 + +# max_requests: The maximum number of requests which the server keeps +max_requests = 1024 + +# listen: Make the server listen on a particular IP address, and send +listen { + type = auth + ipaddr = PH_IP_ALICE + port = 0 +} + +# This second "listen" section is for listening on the accounting +# port, too. +# +listen { + type = acct + ipaddr = PH_IP_ALICE + port = 0 +} + +# hostname_lookups: Log the names of clients or just their IP addresses +hostname_lookups = no + +# Core dumps are a bad thing. This should only be set to 'yes' +allow_core_dumps = no + +# Regular expressions +regular_expressions = yes +extended_expressions = yes + +# Logging section. The various "log_*" configuration items +log { + destination = files + file = ${logdir}/radius.log + syslog_facility = daemon + stripped_names = no + auth = yes + auth_badpass = yes + auth_goodpass = yes +} + +# The program to execute to do concurrency checks. +checkrad = ${sbindir}/checkrad + +# Security considerations +security { + max_attributes = 200 + reject_delay = 1 + status_server = yes +} + +# PROXY CONFIGURATION +proxy_requests = yes +$INCLUDE proxy.conf + +# CLIENTS CONFIGURATION +$INCLUDE clients.conf + +# THREAD POOL CONFIGURATION +thread pool { + start_servers = 5 + max_servers = 32 + min_spare_servers = 3 + max_spare_servers = 10 + max_requests_per_server = 0 +} + +# MODULE CONFIGURATION +modules { + $INCLUDE ${confdir}/modules/ + $INCLUDE eap.conf + $INCLUDE sql.conf + $INCLUDE sql/mysql/counter.conf + sim_files { + simtriplets = "/etc/raddb/triplets.dat" + } +} + +# Instantiation +instantiate { + exec + expr + expiration + logintime +} + +# Policies +$INCLUDE policy.conf + +# Include all enabled virtual hosts +$INCLUDE sites-enabled/ diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/sites-available/default new file mode 100644 index 000000000..dfceb037d --- /dev/null +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/sites-available/default @@ -0,0 +1,62 @@ +authorize { + preprocess + chap + mschap + sim_files + suffix + eap { + ok = return + } + unix + files + expiration + logintime + pap +} + +authenticate { + Auth-Type PAP { + pap + } + Auth-Type CHAP { + chap + } + Auth-Type MS-CHAP { + mschap + } + unix + eap +} + +preacct { + preprocess + acct_unique + suffix + files +} + +accounting { + detail + unix + radutmp + attr_filter.accounting_response +} + +session { + radutmp +} + +post-auth { + exec + Post-Auth-Type REJECT { + attr_filter.access_reject + } +} + +pre-proxy { +} + +post-proxy { + eap +} + diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/triplets.dat b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/triplets.dat new file mode 100644 index 000000000..002ee94d1 --- /dev/null +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/triplets.dat @@ -0,0 +1,7 @@ +228060123456001,30000000000000000000000000000000,30112233,305566778899AABB +228060123456001,31000000000000000000000000000000,31112233,315566778899AABB +228060123456001,32000000000000000000000000000000,32112233,325566778899AABB +228060123456002,33000000000000000000000000000000,33112233,335566778899AABB +228060123456002,34000000000000000000000000000000,34112233,345566778899AABB +228060123456002,35000000000000000000000000000000,35112233,355566778899AABB + diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/users b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/users new file mode 100644 index 000000000..e69de29bb --- /dev/null +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/users diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..26cc0cd92 --- /dev/null +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/ipsec.conf @@ -0,0 +1,26 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_CAROL + leftfirewall=yes + leftauth=pubkey + leftid=carol@strongswan.org + leftcert=carolCert.pem + leftauth2=eap + leftid2=228060123456001@strongswan.org + eap_identity=228060123456001 + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightauth=pubkey + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/ipsec.d/triplets.dat b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/ipsec.d/triplets.dat new file mode 100644 index 000000000..c167ba940 --- /dev/null +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/ipsec.d/triplets.dat @@ -0,0 +1,3 @@ +228060123456001,30000000000000000000000000000000,30112233,305566778899AABB +228060123456001,31000000000000000000000000000000,31112233,315566778899AABB +228060123456001,32000000000000000000000000000000,32112233,325566778899AABB diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..6a2aea811 --- /dev/null +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA carolKey.pem "nH5ZQEWtku0RJEZ6" diff --git a/testing/tests/openssl/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/strongswan.conf index d46082bdd..cc451fc8d 100644 --- a/testing/tests/openssl/rw-cert/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac stroke kernel-netlink updown + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink fips-prf eapsim eapsim-file eapidentity updown } diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..f8c52be78 --- /dev/null +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/ipsec.conf @@ -0,0 +1,27 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + authby=eap + +conn home + left=PH_IP_DAVE + leftfirewall=yes + leftauth=pubkey + leftid=dave@strongswan.org + leftcert=daveCert.pem + leftauth2=eap + leftid2=228060123456002@strongswan.org + eap_identity=228060123456002 + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightauth=pubkey + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/ipsec.d/triplets.dat b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/ipsec.d/triplets.dat new file mode 100644 index 000000000..b8b86c875 --- /dev/null +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/ipsec.d/triplets.dat @@ -0,0 +1,3 @@ +228060123456002,33000000000000000000000000000000,33112244,335566778899AABB +228060123456002,34000000000000000000000000000000,34112244,345566778899AABB +228060123456002,35000000000000000000000000000000,35112244,355566778899AABB diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/ipsec.secrets new file mode 100644 index 000000000..9031f323a --- /dev/null +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA daveKey.pem diff --git a/testing/tests/ikev2/two-certs/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/strongswan.conf index 40eb84b8a..cc451fc8d 100644 --- a/testing/tests/ikev2/two-certs/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink fips-prf eapsim eapsim-file eapidentity updown } diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/init.d/iptables new file mode 100755 index 000000000..56587b2e8 --- /dev/null +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/init.d/iptables @@ -0,0 +1,84 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +opts="start stop reload" + +depend() { + before net + need logger +} + +start() { + ebegin "Starting firewall" + + # enable IP forwarding + echo 1 > /proc/sys/net/ipv4/ip_forward + + # default policy is DROP + /sbin/iptables -P INPUT DROP + /sbin/iptables -P OUTPUT DROP + /sbin/iptables -P FORWARD DROP + + # allow esp + iptables -A INPUT -i eth0 -p 50 -j ACCEPT + iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT + + # allow IKE + iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT + iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + + # allow MobIKE + iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT + iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + + # allow crl fetch from winnetou + iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT + iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + + # allow RADIUS protocol with alice + iptables -A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT + iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT + + # allow ssh + iptables -A INPUT -p tcp --dport 22 -j ACCEPT + iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT + + eend $? +} + +stop() { + ebegin "Stopping firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + + if [ $a == nat ]; then + /sbin/iptables -t nat -P PREROUTING ACCEPT + /sbin/iptables -t nat -P POSTROUTING ACCEPT + /sbin/iptables -t nat -P OUTPUT ACCEPT + elif [ $a == mangle ]; then + /sbin/iptables -t mangle -P PREROUTING ACCEPT + /sbin/iptables -t mangle -P INPUT ACCEPT + /sbin/iptables -t mangle -P FORWARD ACCEPT + /sbin/iptables -t mangle -P OUTPUT ACCEPT + /sbin/iptables -t mangle -P POSTROUTING ACCEPT + elif [ $a == filter ]; then + /sbin/iptables -t filter -P INPUT ACCEPT + /sbin/iptables -t filter -P FORWARD ACCEPT + /sbin/iptables -t filter -P OUTPUT ACCEPT + fi + done + eend $? +} + +reload() { + ebegin "Flushing firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + done; + eend $? + start +} + diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..37d23b1f5 --- /dev/null +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/ipsec.conf @@ -0,0 +1,26 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn rw-mult + left=PH_IP_MOON + leftsubnet=10.1.0.0/16 + leftfirewall=yes + leftauth=pubkey + leftid=@moon.strongswan.org + leftcert=moonCert.pem + right=%any + rightauth=pubkey + rightid=*@strongswan.org + rightauth2=eap-radius + eap_identity=%any + auto=add diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..e86d6aa5c --- /dev/null +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA moonKey.pem diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..10414b29a --- /dev/null +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink fips-prf eapradius eapidentity updown + plugins { + eap_radius { + secret = gv6URkSs + server = PH_IP_ALICE + } + } +} diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/posttest.dat b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/posttest.dat new file mode 100644 index 000000000..dbe56013a --- /dev/null +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/posttest.dat @@ -0,0 +1,7 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +alice::/etc/init.d/radiusd stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +dave::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/pretest.dat b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/pretest.dat new file mode 100644 index 000000000..b3fd4cbf1 --- /dev/null +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/pretest.dat @@ -0,0 +1,15 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +dave::/etc/init.d/iptables start 2> /dev/null +alice::cat /etc/raddb/clients.conf +alice::cat /etc/raddb/eap.conf +alice::cat /etc/raddb/proxy.conf +alice::cat /etc/raddb/triplets.dat +alice::/etc/init.d/radiusd start +moon::ipsec start +carol::ipsec start +dave::ipsec start +carol::sleep 1 +carol::ipsec up home +dave::ipsec up home +dave::sleep 1 diff --git a/testing/tests/openssl/rw-cert/test.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/test.conf index 70416826e..70416826e 100644 --- a/testing/tests/openssl/rw-cert/test.conf +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/test.conf diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/description.txt b/testing/tests/ikev2/multi-level-ca-cr-init/description.txt index 0ace25731..602d026c2 100644 --- a/testing/tests/ikev2/multi-level-ca-cr-init/description.txt +++ b/testing/tests/ikev2/multi-level-ca-cr-init/description.txt @@ -1,8 +1,6 @@ -The VPN gateway <b>moon</b> controls the access to the hosts <b>alice</b> and -<b>venus</b> by means of two different Intermediate CAs. Access to -<b>alice</b> is granted to users presenting a certificate issued by the Research CA -whereas <b>venus</b> can only be reached with a certificate issued by the -Sales CA. The hosts <b>carol</b> and <b>dave</b> have certificates from -the Research CA and Sales CA, respectively. Initiator <b>moon</b> does not possess +The VPN gateway <b>moon</b> grants access to the hosts <b>alice</b> and +<b>venus</b> to anyone presenting a certificate belonging to a trust chain anchored +in the strongSwan Root CA. The hosts <b>carol</b> and <b>dave</b> have certificates from +the intermediate Research CA and Sales CA, respectively. Initiator <b>moon</b> does not possess copies of the Research and Sales CA certificates and must therefore request them from -the initiators <b>carol</b> and <b>dave</b>, respectively. +the responders <b>carol</b> and <b>dave</b>, respectively. diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/moon/etc/ipsec.conf index 12f0c95bf..4c84d183b 100755 --- a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/moon/etc/ipsec.conf @@ -25,12 +25,12 @@ conn alice leftsubnet=PH_IP_ALICE/32 right=PH_IP_CAROL rightid=carol@strongswan.org - rightca="C=CH, O=Linux strongSwan, OU=Research, CN=Research CA" + rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA" auto=add conn venus leftsubnet=PH_IP_VENUS/32 right=PH_IP_DAVE rightid=dave@strongswan.org - rightca="C=CH, O=Linux strongSwan, OU=Sales, CN=Sales CA" + rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA" auto=add diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/description.txt b/testing/tests/ikev2/multi-level-ca-cr-resp/description.txt index b26c8c5d0..06f9f6b91 100644 --- a/testing/tests/ikev2/multi-level-ca-cr-resp/description.txt +++ b/testing/tests/ikev2/multi-level-ca-cr-resp/description.txt @@ -1,8 +1,6 @@ -The VPN gateway <b>moon</b> controls the access to the hosts <b>alice</b> and -<b>venus</b> by means of two different Intermediate CAs. Access to -<b>alice</b> is granted to users presenting a certificate issued by the Research CA -whereas <b>venus</b> can only be reached with a certificate issued by the -Sales CA. The roadwarriors <b>carol</b> and <b>dave</b> have certificates from -the Research CA and Sales CA, respectively. Responder <b>moon</b> does not possess +The VPN gateway <b>moon</b> grants access to the hosts <b>alice</b> and +<b>venus</b> to anyone presenting a certificate belonging to a trust chain anchored +in the strongSwan Root CA. The hosts <b>carol</b> and <b>dave</b> have certificates from +the intermediate Research CA and Sales CA, respectively. Responder <b>moon</b> does not possess copies of the Research and Sales CA certificates and must therefore request them from -the initiators <b>carol</b> and <b>dave</b>. +the initiators <b>carol</b> and <b>dave</b>, respectively. diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/evaltest.dat b/testing/tests/ikev2/multi-level-ca-cr-resp/evaltest.dat index d2453bbee..4b827b4dd 100644 --- a/testing/tests/ikev2/multi-level-ca-cr-resp/evaltest.dat +++ b/testing/tests/ikev2/multi-level-ca-cr-resp/evaltest.dat @@ -7,6 +7,6 @@ moon::cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES moon::cat /var/log/daemon.log::fetching crl from.*http.*strongswan.crl::YES moon::cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES carol::ipsec status::alice.*INSTALLED::YES -moon::ipsec status::alice.*ESTABLISHED.*carol@strongswan.org::YES +moon::ipsec status::alice.*INSTALLED::YES dave::ipsec status::venus.*INSTALLED::YES -moon::ipsec status::venus.*ESTABLISHED.*dave@strongswan.org::YES +moon::ipsec status::venus.*INSTALLED::YES diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/moon/etc/ipsec.conf index d0240a333..75138581e 100755 --- a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/moon/etc/ipsec.conf @@ -24,11 +24,11 @@ conn %default conn alice leftsubnet=PH_IP_ALICE/32 right=%any - rightca="C=CH, O=Linux strongSwan, OU=Research, CN=Research CA" + rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA" auto=add conn venus leftsubnet=PH_IP_VENUS/32 right=%any - rightca="C=CH, O=Linux strongSwan, OU=Sales, CN=Sales CA" + rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA" auto=add diff --git a/testing/tests/ikev2/multi-level-ca-ldap/evaltest.dat b/testing/tests/ikev2/multi-level-ca-ldap/evaltest.dat index 8656c8e3a..4a1c7208b 100644 --- a/testing/tests/ikev2/multi-level-ca-ldap/evaltest.dat +++ b/testing/tests/ikev2/multi-level-ca-ldap/evaltest.dat @@ -8,11 +8,12 @@ carol::ipsec status::alice.*INSTALLED::YES moon::ipsec status::alice.*ESTABLISHED.*carol@strongswan.org::YES carol::cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES carol::ipsec status::venus.*INSTALLED::NO -moon::cat /var/log/daemon.log::constraint check failed: peer not authenticated by.*Sales CA::YES moon::ipsec status::venus.*ESTABLISHED.*carol@strongswan.org::NO +moon::cat /var/log/daemon.log::constraint check failed: peer not authenticated by.*Research CA::YES +moon::cat /var/log/daemon.log::selected peer config.*alice.*inacceptable::YES +moon::cat /var/log/daemon.log::switching to peer config.*venus::YES dave::ipsec status::venus.*INSTALLED::YES moon::ipsec status::venus.*ESTABLISHED.*dave@strongswan.org::YES dave::cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES dave::ipsec status::alice.*INSTALLED::NO -moon::cat /var/log/daemon.log::constraint check failed: peer not authenticated by.*Research CA::YES moon::ipsec status::alice.*ESTABLISHED.*dave@strongswan.org::NO diff --git a/testing/tests/ikev2/multi-level-ca-loop/evaltest.dat b/testing/tests/ikev2/multi-level-ca-loop/evaltest.dat index c60f722ec..0b7b02801 100644 --- a/testing/tests/ikev2/multi-level-ca-loop/evaltest.dat +++ b/testing/tests/ikev2/multi-level-ca-loop/evaltest.dat @@ -1,4 +1,4 @@ moon::cat /var/log/daemon.log::maximum ca path length of 7 levels reached::YES -moon::cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*failed::YES +carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES carol::ipsec status::alice.*INSTALLED::NO moon::ipsec status::alice.*ESTABLISHED.*carol@strongswan.org::NO diff --git a/testing/tests/ikev2/multi-level-ca-revoked/evaltest.dat b/testing/tests/ikev2/multi-level-ca-revoked/evaltest.dat index 3ac0adbb5..182f9e0fc 100644 --- a/testing/tests/ikev2/multi-level-ca-revoked/evaltest.dat +++ b/testing/tests/ikev2/multi-level-ca-revoked/evaltest.dat @@ -1,5 +1,4 @@ moon::cat /var/log/daemon.log::certificate was revoked::YES -moon::cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*failed::YES carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES moon::ipsec status::alice.*ESTABLISHED::NO carol::ipsec status::home.*INSTALLED::NO diff --git a/testing/tests/ikev2/multi-level-ca-strict/description.txt b/testing/tests/ikev2/multi-level-ca-strict/description.txt index 86cbbc58b..6467d5222 100644 --- a/testing/tests/ikev2/multi-level-ca-strict/description.txt +++ b/testing/tests/ikev2/multi-level-ca-strict/description.txt @@ -2,6 +2,6 @@ By setting <b>strictcrlpolicy=yes</b>, a <b>strict CRL policy</b> is enforced on all peers. The VPN gateway <b>moon</b> grants access to the hosts <b>alice</b> and <b>venus</b> to anyone presenting a certificate belonging to a trust -chain anchored in strongSwan Root CA. Therefore both road warriors +chain anchored in the strongSwan Root CA. Therefore both road warriors <b>carol</b> and <b>dave</b>, holding certificates from the Research CA and Sales CA, respectively, can reach both <b>alice</b> and <b>venus</b>. diff --git a/testing/tests/ikev2/multi-level-ca/evaltest.dat b/testing/tests/ikev2/multi-level-ca/evaltest.dat index 8ba69ff9b..b0814556d 100644 --- a/testing/tests/ikev2/multi-level-ca/evaltest.dat +++ b/testing/tests/ikev2/multi-level-ca/evaltest.dat @@ -8,11 +8,12 @@ carol::ipsec status::alice.*INSTALLED::YES moon::ipsec status::alice.*ESTABLISHED.*carol@strongswan.org::YES carol::cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES carol::ipsec status::venus.*INSTALLED::NO -moon::cat /var/log/daemon.log::constraint check failed: peer not authenticated by.*Sales CA::YES moon::ipsec status::venus.*ESTABLISHED.*carol@strongswan.org::NO +moon::cat /var/log/daemon.log::constraint check failed: peer not authenticated by.*Research CA::YES +moon::cat /var/log/daemon.log::selected peer config.*alice.*inacceptable::YES +moon::cat /var/log/daemon.log::switching to peer config.*venus::YES dave::ipsec status::venus.*INSTALLED::YES moon::ipsec status::venus.*ESTABLISHED.*dave@strongswan.org::YES dave::cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES dave::ipsec status::alice.*INSTALLED::NO -moon::cat /var/log/daemon.log::constraint check failed: peer not authenticated by.*Research CA::YES moon::ipsec status::alice.*ESTABLISHED.*dave@strongswan.org::NO diff --git a/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf index 40eb84b8a..4731a81d2 100644 --- a/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf @@ -2,4 +2,5 @@ charon { load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown + multiple_authentication = no } diff --git a/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf index 40eb84b8a..4731a81d2 100644 --- a/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf @@ -2,4 +2,5 @@ charon { load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown + multiple_authentication = no } diff --git a/testing/tests/ikev2/net2net-psk/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-psk/hosts/moon/etc/strongswan.conf index 20c58007c..454aed12c 100644 --- a/testing/tests/ikev2/net2net-psk/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-psk/hosts/moon/etc/strongswan.conf @@ -2,4 +2,5 @@ charon { load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink updown + multiple_authentication = no } diff --git a/testing/tests/ikev2/net2net-psk/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-psk/hosts/sun/etc/strongswan.conf index 20c58007c..454aed12c 100644 --- a/testing/tests/ikev2/net2net-psk/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-psk/hosts/sun/etc/strongswan.conf @@ -2,4 +2,5 @@ charon { load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink updown + multiple_authentication = no } diff --git a/testing/tests/ikev2/net2net-route/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-route/hosts/moon/etc/strongswan.conf index 40eb84b8a..4731a81d2 100644 --- a/testing/tests/ikev2/net2net-route/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-route/hosts/moon/etc/strongswan.conf @@ -2,4 +2,5 @@ charon { load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown + multiple_authentication = no } diff --git a/testing/tests/ikev2/net2net-route/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-route/hosts/sun/etc/strongswan.conf index 40eb84b8a..4731a81d2 100644 --- a/testing/tests/ikev2/net2net-route/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-route/hosts/sun/etc/strongswan.conf @@ -2,4 +2,5 @@ charon { load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown + multiple_authentication = no } diff --git a/testing/tests/ikev2/net2net-start/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-start/hosts/moon/etc/strongswan.conf index 40eb84b8a..4731a81d2 100644 --- a/testing/tests/ikev2/net2net-start/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-start/hosts/moon/etc/strongswan.conf @@ -2,4 +2,5 @@ charon { load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown + multiple_authentication = no } diff --git a/testing/tests/ikev2/net2net-start/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-start/hosts/sun/etc/strongswan.conf index 40eb84b8a..4731a81d2 100644 --- a/testing/tests/ikev2/net2net-start/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-start/hosts/sun/etc/strongswan.conf @@ -2,4 +2,5 @@ charon { load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown + multiple_authentication = no } diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat b/testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat index 939817d58..a0a045ce8 100644 --- a/testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat +++ b/testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat @@ -1,6 +1,7 @@ moon::cat /var/log/daemon.log::requesting ocsp status from::YES moon::cat /var/log/daemon.log::ocsp response verification failed::YES moon::cat /var/log/daemon.log::certificate status is not available::YES -moon::cat /var/log/daemon.log::constraint check failed.*VALIDATION_FAILED.*VALIDATION_GOOD::YES +moon::cat /var/log/daemon.log::constraint check failed: RULE_CRL_VALIDATION is FAILED, but requires at least GOOD::YES moon::ipsec status::rw.*ESTABLISHED::NO +carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES carol::ipsec status::home.*ESTABLISHED::NO diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat b/testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat index 9f20ee81c..2e0f059c6 100644 --- a/testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat +++ b/testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat @@ -1,7 +1,7 @@ moon::cat /var/log/daemon.log::authentication of.*carol.*successful::YES moon::cat /var/log/daemon.log::libcurl http request failed::YES moon::cat /var/log/daemon.log::certificate status is not available::YES -moon::cat /var/log/daemon.log::constraint check failed.*VALIDATION_FAILED.*VALIDATION_SKIPPED::YES +moon::cat /var/log/daemon.log::constraint check failed: RULE_CRL_VALIDATION is FAILED, but requires at least SKIPPED::YES moon::ipsec status::ESTABLISHED.*carol::YES moon::ipsec status::ESTABLISHED.*dave::NO carol::ipsec status::ESTABLISHED::YES diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat b/testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat index b47403756..45c6ce7c5 100644 --- a/testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat +++ b/testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat @@ -2,6 +2,6 @@ moon::cat /var/log/daemon.log::requesting ocsp status from::YES moon::cat /var/log/daemon.log::self-signed certificate.*is not trusted::YES moon::cat /var/log/daemon.log::ocsp response verification failed::YES moon::cat /var/log/daemon.log::certificate status is not available::YES -moon::cat /var/log/daemon.log::constraint check failed.*VALIDATION_FAILED.*VALIDATION_GOOD::YES +moon::cat /var/log/daemon.log::constraint check failed: RULE_CRL_VALIDATION is FAILED, but requires at least GOOD::YES moon::ipsec status::rw.*ESTABLISHED::NO carol::ipsec status::home.*ESTABLISHED::NO diff --git a/testing/tests/ikev2/reauth-late/evaltest.dat b/testing/tests/ikev2/reauth-late/evaltest.dat index 7ce2bf147..7f083a05e 100644 --- a/testing/tests/ikev2/reauth-late/evaltest.dat +++ b/testing/tests/ikev2/reauth-late/evaltest.dat @@ -1,7 +1,7 @@ moon::ipsec statusall::rw\[2\].*ESTABLISHED::YES carol::ipsec statusall::home\[2\].*ESTABLISHED::YES -carol::cat /var/log/daemon.log::received AUTH_LIFETIME of 3600s, scheduling reauthentication in 3595s::YES carol::cat /var/log/daemon.log::scheduling reauthentication in 2[0-5]s::YES +carol::cat /var/log/daemon.log::received AUTH_LIFETIME of 3600s, reauthentication already scheduled in 2[0-5]s::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf index 40eb84b8a..de122acff 100644 --- a/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf @@ -1,5 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown + load = curl test-vectors aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown +} + +libstrongswan { + crypto_test { + on_add = yes + } } diff --git a/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf index 40eb84b8a..de122acff 100644 --- a/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf @@ -1,5 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown + load = curl test-vectors aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown +} + +libstrongswan { + crypto_test { + on_add = yes + } } diff --git a/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf index 40eb84b8a..de122acff 100644 --- a/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf @@ -1,5 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown + load = curl test-vectors aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown +} + +libstrongswan { + crypto_test { + on_add = yes + } } diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-aka-id-rsa/evaltest.dat index d5cbbdbf7..661e6cfe7 100644 --- a/testing/tests/ikev2/rw-eap-aka-id-rsa/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-aka-id-rsa/evaltest.dat @@ -1,6 +1,7 @@ carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES +carol::cat /var/log/daemon.log::server requested EAP_AKA authentication::YES carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES -moon::cat /var/log/daemon.log::using EAP identity.*carol::YES +moon::cat /var/log/daemon.log::received EAP identity.*carol::YES moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES moon::ipsec statusall::rw-eap.*ESTABLISHED::YES carol::ipsec statusall::home.*ESTABLISHED::YES diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/carol/etc/ipsec.conf index 8cffbe3b3..22bba57a7 100755 --- a/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/carol/etc/ipsec.conf @@ -9,15 +9,15 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev2 - authby=eap conn home left=PH_IP_CAROL - leftnexthop=%direct leftid=carol@strongswan.org leftfirewall=yes + leftauth=eap eap_identity=carol right=PH_IP_MOON rightid=@moon.strongswan.org rightsubnet=10.1.0.0/16 + rightauth=pubkey auto=add diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/moon/etc/ipsec.conf index b239e7718..16171feb3 100755 --- a/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/moon/etc/ipsec.conf @@ -12,15 +12,15 @@ conn %default keyexchange=ikev2 conn rw-eap - authby=rsasig - eap=aka - eap_identity=%identity left=PH_IP_MOON leftsubnet=10.1.0.0/16 leftid=@moon.strongswan.org leftcert=moonCert.pem + leftauth=pubkey leftfirewall=yes + right=%any rightid=*@strongswan.org rightsendcert=never - right=%any + rightauth=eap-aka + eap_identity=%any auto=add diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-aka-rsa/evaltest.dat index 5de841c03..e12643ef7 100644 --- a/testing/tests/ikev2/rw-eap-aka-rsa/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-aka-rsa/evaltest.dat @@ -1,4 +1,5 @@ carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES +carol::cat /var/log/daemon.log::server requested EAP_AKA authentication::YES carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES moon::ipsec statusall::rw-eapaka.*ESTABLISHED::YES diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/ipsec.conf index 2af93a313..ba9294f6a 100755 --- a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/ipsec.conf @@ -9,14 +9,15 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev2 - authby=eap conn home left=PH_IP_CAROL leftnexthop=%direct leftid=carol@strongswan.org + leftauth=eap leftfirewall=yes right=PH_IP_MOON rightid=@moon.strongswan.org rightsubnet=10.1.0.0/16 + rightauth=pubkey auto=add diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/ipsec.conf index 140e88912..459414516 100755 --- a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/ipsec.conf @@ -12,14 +12,14 @@ conn %default keyexchange=ikev2 conn rw-eapaka - authby=rsasig - eap=aka left=PH_IP_MOON leftsubnet=10.1.0.0/16 leftid=@moon.strongswan.org leftcert=moonCert.pem + leftauth=pubkey leftfirewall=yes + right=%any rightid=*@strongswan.org rightsendcert=never - right=%any + rightauth=eap-aka auto=add diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-md5-id-radius/evaltest.dat index 6c73054d7..2ee440cdb 100644 --- a/testing/tests/ikev2/rw-eap-md5-id-radius/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-md5-id-radius/evaltest.dat @@ -1,8 +1,8 @@ -carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES -moon::cat /var/log/daemon.log::using EAP identity .*carol"::YES -carol::cat /var/log/daemon.log::EAP server requested EAP_MD5 authentication::YES -carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES -moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES +carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES +moon::cat /var/log/daemon.log::received EAP identity .*carol::YES +carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES +carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES +moon::cat /var/log/daemon.log::authentication of .*carol@strongswan.org.* with EAP successful::YES moon::ipsec statusall::rw-eap.*ESTABLISHED::YES carol::ipsec statusall::home.*ESTABLISHED::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/ipsec.conf index 8cffbe3b3..5f779d1af 100755 --- a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/ipsec.conf @@ -9,15 +9,16 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev2 - authby=eap conn home left=PH_IP_CAROL leftnexthop=%direct leftid=carol@strongswan.org + leftauth=eap leftfirewall=yes eap_identity=carol right=PH_IP_MOON rightid=@moon.strongswan.org rightsubnet=10.1.0.0/16 + rightauth=pubkey auto=add diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/ipsec.conf index 08b920afd..11ff84400 100755 --- a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/ipsec.conf @@ -12,15 +12,15 @@ conn %default keyexchange=ikev2 conn rw-eap - authby=rsasig - eap=radius - eap_identity=%identity left=PH_IP_MOON leftsubnet=10.1.0.0/16 leftid=@moon.strongswan.org leftcert=moonCert.pem + leftauth=pubkey leftfirewall=yes rightid=*@strongswan.org rightsendcert=never + rightauth=eap-radius + eap_identity=%any right=%any auto=add diff --git a/testing/tests/ikev2/rw-eap-md5-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-md5-radius/evaltest.dat index 444362a86..5e8dce9cf 100644 --- a/testing/tests/ikev2/rw-eap-md5-radius/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-md5-radius/evaltest.dat @@ -1,5 +1,5 @@ carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES -carol::cat /var/log/daemon.log::EAP server requested EAP_MD5 authentication::YES +carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES moon::ipsec statusall::rw-eap.*ESTABLISHED::YES diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/ipsec.conf index 2af93a313..ba9294f6a 100755 --- a/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/ipsec.conf @@ -9,14 +9,15 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev2 - authby=eap conn home left=PH_IP_CAROL leftnexthop=%direct leftid=carol@strongswan.org + leftauth=eap leftfirewall=yes right=PH_IP_MOON rightid=@moon.strongswan.org rightsubnet=10.1.0.0/16 + rightauth=pubkey auto=add diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/ipsec.conf index 825994278..4a885babc 100755 --- a/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/ipsec.conf @@ -12,14 +12,14 @@ conn %default keyexchange=ikev2 conn rw-eap - authby=rsasig - eap=radius left=PH_IP_MOON leftsubnet=10.1.0.0/16 leftid=@moon.strongswan.org leftcert=moonCert.pem + leftauth=pubkey leftfirewall=yes rightid=*@strongswan.org + rightauth=eap-radius rightsendcert=never right=%any auto=add diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/ipsec.conf index 2af93a313..ba9294f6a 100755 --- a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/ipsec.conf @@ -9,14 +9,15 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev2 - authby=eap conn home left=PH_IP_CAROL leftnexthop=%direct leftid=carol@strongswan.org + leftauth=eap leftfirewall=yes right=PH_IP_MOON rightid=@moon.strongswan.org rightsubnet=10.1.0.0/16 + rightauth=pubkey auto=add diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/ipsec.conf index 7777e914b..28d52b9eb 100755 --- a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/ipsec.conf @@ -12,14 +12,14 @@ conn %default keyexchange=ikev2 conn rw-eap - authby=rsasig - eap=md5 left=PH_IP_MOON leftsubnet=10.1.0.0/16 leftid=@moon.strongswan.org leftcert=moonCert.pem + leftauth=pubkey leftfirewall=yes rightid=*@strongswan.org + rightauth=eap-md5 rightsendcert=never right=%any auto=add diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/evaltest.dat index d8708d122..5b632bfe8 100644 --- a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/evaltest.dat @@ -1,7 +1,8 @@ -carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES -carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES -moon::cat /var/log/daemon.log::using EAP identity.*carol::YES -moon::cat /var/log/daemon.log::authentication of 'PH_IP_CAROL' with EAP successful::YES +carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES +carol::cat /var/log/daemon.log::server requested EAP_MSCHAPV2 authentication::YES +carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES +moon::cat /var/log/daemon.log::received EAP identity.*carol::YES +moon::cat /var/log/daemon.log::authentication of .*PH_IP_CAROL.* with EAP successful::YES moon::ipsec statusall::rw-eap.*ESTABLISHED::YES carol::ipsec statusall::home.*ESTABLISHED::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/carol/etc/ipsec.conf index ec09a3375..c1497ca0e 100755 --- a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/carol/etc/ipsec.conf @@ -9,14 +9,14 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev2 - authby=eap conn home left=PH_IP_CAROL - leftnexthop=%direct leftfirewall=yes + leftauth=eap eap_identity=carol right=PH_IP_MOON + rightauth=pubkey rightid=@moon.strongswan.org rightsubnet=10.1.0.0/16 auto=add diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/moon/etc/ipsec.conf index 57a89966a..a4a45f06c 100755 --- a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/moon/etc/ipsec.conf @@ -12,15 +12,14 @@ conn %default keyexchange=ikev2 conn rw-eap - authby=rsasig - eap=mschapv2 - eap_identity=%identity left=PH_IP_MOON leftsubnet=10.1.0.0/16 leftid=@moon.strongswan.org leftcert=moonCert.pem + leftauth=pubkey leftfirewall=yes - rightid=%any - rightsendcert=never right=%any + rightauth=eap-mschapv2 + rightsendcert=never + eap_identity=%any auto=add diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/description.txt b/testing/tests/ikev2/rw-eap-sim-id-radius/description.txt index 887d3f467..0531a559f 100644 --- a/testing/tests/ikev2/rw-eap-sim-id-radius/description.txt +++ b/testing/tests/ikev2/rw-eap-sim-id-radius/description.txt @@ -9,5 +9,5 @@ are used instead of a physical SIM card on the client <b>carol</b> and the gateway forwards all EAP messages to the RADIUS server <b>alice</b> which also uses static triplets. In addition to her IKEv2 identity <b>carol@strongswan.org</b>, roadwarrior <b>carol</b> uses the EAP -identity <b>232420100000015</b>. +identity <b>228060123456001</b>. diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-sim-id-radius/evaltest.dat index 4e7cbcc4c..4305a1400 100644 --- a/testing/tests/ikev2/rw-eap-sim-id-radius/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-sim-id-radius/evaltest.dat @@ -1,6 +1,6 @@ carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES -moon::cat /var/log/daemon.log::using EAP identity .*232420100000015::YES -carol::cat /var/log/daemon.log::EAP server requested EAP_SIM authentication::YES +moon::cat /var/log/daemon.log::received EAP identity .*228060123456001::YES +carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES moon::ipsec statusall::rw-eap.*ESTABLISHED::YES diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/triplets.dat b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/triplets.dat index 2a750029f..c167ba940 100644 --- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/triplets.dat +++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/triplets.dat @@ -1,3 +1,3 @@ -232420100000015,30000000000000000000000000000000,30112233,305566778899AABB -232420100000015,31000000000000000000000000000000,31112233,315566778899AABB -232420100000015,32000000000000000000000000000000,32112233,325566778899AABB +228060123456001,30000000000000000000000000000000,30112233,305566778899AABB +228060123456001,31000000000000000000000000000000,31112233,315566778899AABB +228060123456001,32000000000000000000000000000000,32112233,325566778899AABB diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.conf index 404589348..d3a99fe41 100755 --- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.conf @@ -9,15 +9,16 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev2 - authby=eap conn home left=PH_IP_CAROL leftnexthop=%direct leftid=carol@strongswan.org leftfirewall=yes - eap_identity=232420100000015 + leftauth=eap + eap_identity=228060123456001 right=PH_IP_MOON rightid=@moon.strongswan.org rightsubnet=10.1.0.0/16 + rightauth=pubkey auto=add diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/ipsec.conf index 08b920afd..a86bb3d73 100755 --- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/ipsec.conf @@ -12,15 +12,15 @@ conn %default keyexchange=ikev2 conn rw-eap - authby=rsasig - eap=radius - eap_identity=%identity left=PH_IP_MOON leftsubnet=10.1.0.0/16 leftid=@moon.strongswan.org leftcert=moonCert.pem + leftauth=pubkey leftfirewall=yes rightid=*@strongswan.org + rightauth=eap-radius + eap_identity=%any rightsendcert=never right=%any auto=add diff --git a/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat index cd4b43cca..5fae7ecd5 100644 --- a/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat @@ -1,5 +1,5 @@ carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES -carol::cat /var/log/daemon.log::EAP server requested EAP_SIM authentication::YES +carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES moon::ipsec statusall::rw-eap.*ESTABLISHED.*carol@strongswan.org::YES @@ -8,7 +8,7 @@ carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES moon::cat /var/log/daemon.log::received Access-Reject from RADIUS server::YES -moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP failed::YES +moon::cat /var/log/daemon.log::EAP method EAP_SIM failed for peer dave@strongswan.org::YES moon::ipsec statusall::rw-eap.*ESTABLISHED.*dave@strongswan.org::NO dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES dave::ipsec statusall::home.*ESTABLISHED::NO diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/ipsec.conf index 2af93a313..ba9294f6a 100755 --- a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/ipsec.conf @@ -9,14 +9,15 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev2 - authby=eap conn home left=PH_IP_CAROL leftnexthop=%direct leftid=carol@strongswan.org + leftauth=eap leftfirewall=yes right=PH_IP_MOON rightid=@moon.strongswan.org rightsubnet=10.1.0.0/16 + rightauth=pubkey auto=add diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/ipsec.conf index 509deb945..53ecb4d70 100755 --- a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/ipsec.conf @@ -12,14 +12,14 @@ conn %default keyexchange=ikev2 conn rw-eapsim - authby=rsasig - eap=sim left=PH_IP_MOON leftsubnet=10.1.0.0/16 leftid=@moon.strongswan.org leftcert=moonCert.pem + leftauth=pubkey leftfirewall=yes rightid=*@strongswan.org + rightauth=eap-sim right=%any rightsendcert=never auto=add diff --git a/testing/tests/ikev2/two-certs/description.txt b/testing/tests/ikev2/two-certs/description.txt index 46ca8fec1..94ffaa487 100644 --- a/testing/tests/ikev2/two-certs/description.txt +++ b/testing/tests/ikev2/two-certs/description.txt @@ -1,6 +1,7 @@ -The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each -to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>. -Gateway <b>moon</b> has already loaded a revoked certificate for <b>carol</b> -and a self-signed certificate for <b>dave</b> locally but gets actual certificates -as CERT payloads from both peers. The RSA signature verification process tries all -candidate peer certificates until it finds a valid one with a matching public key. +The roadwarrior <b>carol</b> possesses two different X.509 certificates plus +matching RSA private keys. With the first certificate <b>carol</b> authenticates +a tunnel connection to gateway <b>moon</b> in order to reach client <b>alice</b> +and presents the second certificate in order to reach client <b>venus</b> using +the identity <b>carol@strongswan.org</b> for both IKE security associations. +Therefore the RSA signature verification process on <b>moon</b> tries all +candidate peer certificates until it finds the correct RSA public key. diff --git a/testing/tests/ikev2/two-certs/evaltest.dat b/testing/tests/ikev2/two-certs/evaltest.dat index 0598e1fb2..d32e32660 100644 --- a/testing/tests/ikev2/two-certs/evaltest.dat +++ b/testing/tests/ikev2/two-certs/evaltest.dat @@ -1,15 +1,12 @@ -moon::cat /var/log/daemon.log::certificate was revoked::YES -moon::cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with RSA signature successful::YES -moon::cat /var/log/daemon.log::signature validation failed, looking for another key::YES -moon::cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with RSA signature successful::YES -moon::ipsec statusall::carol.*ESTABLISHED::YES -moon::ipsec statusall::dave.*ESTABLISHED::YES -carol::ipsec statusall::home.*ESTABLISHED::YES -dave::ipsec statusall::home.*ESTABLISHED::YES +moon::cat /var/log/daemon.log::using certificate.*OU=Research, CN=carol@strongswan.org::YES +moon::ipsec statusall::alice.*INSTALLED::YES +carol::ipsec statusall::alice.*ESTABLISHED::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon::cat /var/log/daemon.log::signature validation failed, looking for another key::YES +moon::cat /var/log/daemon.log::using certificate.*OU=Research, SN=002, CN=carol@strongswan.org::YES +moon::ipsec statusall::venus.*INSTALLED::YES +carol::ipsec statusall::venus.*ESTABLISHED::YES +carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES -moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES -moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.conf index bcdb8641b..9129f160b 100755 --- a/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.conf @@ -2,7 +2,7 @@ config setup crlcheckinterval=180 - strictcrlpolicy=no + strictcrlpolicy=yes plutostart=no conn %default @@ -10,14 +10,20 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 - -conn home + keyexchange=ikev2 left=PH_IP_CAROL - leftcert=carolCert.pem leftid=carol@strongswan.org leftfirewall=yes right=PH_IP_MOON rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - keyexchange=ikev2 + +conn alice + leftcert=carolCert.pem + rightsubnet=10.1.0.10/32 + auto=add + +conn venus + leftcert=carolCert-002.pem + rightsubnet=10.1.0.20/32 auto=add + diff --git a/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.d/certs/carolCert-002.pem b/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.d/certs/carolCert-002.pem new file mode 100644 index 000000000..4ebebba5a --- /dev/null +++ b/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.d/certs/carolCert-002.pem @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEMDCCAxigAwIBAgIBFTANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA5MDQwNzEyMDExN1oXDTE0MDQwNjEyMDExN1owaDELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh +cmNoMQwwCgYDVQQFEwMwMDIxHTAbBgNVBAMUFGNhcm9sQHN0cm9uZ3N3YW4ub3Jn +MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtXtFcjNbEEK76mVv1j3c +6YWBeunBl7V9Qf1bPpzwTTUIKFDkg6HtWaNa7fxhTtHlPFHH8hdgiEZTQt626GoH +8DKE1MaBOgvnW01vh2p1j8jW3VXSwBWBCM9vNnaxGic94Qiix6z+cAulCo1pzyY1 +XaJSGAvwG3Jap9/gChClAv65zg34mLWZpcXddUGoaOMu3JaRgVaNEiY4wGweMM3n +hgxJ7+3q9vX+z5EqUQB59WBzVz7fU9FygLgfeAD1McrvMQOjo/PtkpEBOJipnjq9 +0k/+Z3gKIHbi6YIoIXDs7bOSaw8myvD5Bi4vNr5tKPr7bdLBU+AyAzRlJWV4GBw/ +rQIDAQABo4IBBjCCAQIwCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYE +FABqD2vvGFgP2xX2Qqjx26Mz1RR5MG0GA1UdIwRmMGSAFF2n3XAGUTJ+57Zts7Xl +4GDqLk3voUmkRzBFMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25n +U3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBSb290IENBggEAMB8GA1UdEQQYMBaB +FGNhcm9sQHN0cm9uZ3N3YW4ub3JnMDkGA1UdHwQyMDAwLqAsoCqGKGh0dHA6Ly9j +cmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbi5jcmwwDQYJKoZIhvcNAQEFBQAD +ggEBAGuatpu8jxc22Iqglx5UIa8fkNSjfyLgO0RugCB+kPPilGttGWly+raLggQM +Hu1qdt4l0cj60pe03Dc4GuUwJCW9J4ntVvCp1/SLcifvd3pMTtlrdSMpj105L5ma +/nVksJ7UZPzcBLMq/8FtEg68H2WM+ixrmlm2cZiFDytMODEuAPCwWHOSP4WJNDzS +KKc95ONxwTsD1VDm/ShcKw083XgvT7oHoei2RRDYp70CkatWOOJ7eMxdKdICl8nu +9RlBLG8CJqcy7cJ4V7GOk6EOtGpGL/GR2gpLpvUnmWP9MUHYu8rVTzKQdW9A2Wjx +fmSZH0LzbAm+7XFrP71rBSJUaUI= +-----END CERTIFICATE----- diff --git a/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.d/private/carolKey-002.pem b/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.d/private/carolKey-002.pem new file mode 100644 index 000000000..aec8e7a33 --- /dev/null +++ b/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.d/private/carolKey-002.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAtXtFcjNbEEK76mVv1j3c6YWBeunBl7V9Qf1bPpzwTTUIKFDk +g6HtWaNa7fxhTtHlPFHH8hdgiEZTQt626GoH8DKE1MaBOgvnW01vh2p1j8jW3VXS +wBWBCM9vNnaxGic94Qiix6z+cAulCo1pzyY1XaJSGAvwG3Jap9/gChClAv65zg34 +mLWZpcXddUGoaOMu3JaRgVaNEiY4wGweMM3nhgxJ7+3q9vX+z5EqUQB59WBzVz7f +U9FygLgfeAD1McrvMQOjo/PtkpEBOJipnjq90k/+Z3gKIHbi6YIoIXDs7bOSaw8m +yvD5Bi4vNr5tKPr7bdLBU+AyAzRlJWV4GBw/rQIDAQABAoIBAFekBUCGPobWw2sJ +u32J+IIpgAL8mgoKkkfo80SEg6O1ZZAaqJBNBZNRSRs+0zs+L+b2U4m88lg9Jf5Y +EZqhgd3kd7NNfaCrmPnFpoONzOI4ClNvG8y5VcwMaNezcAmCQ+bFxd6J04IGjZhP +/HYWLJVgSybjtPt8OP1zJv2VVirgSb1rHOzI9j1CsaIl6m1gcXU2hA3A2/BIOd6Y +UgCxJKu8G7NsmW14TSbJshcI1tUFOfbxFlAhmeAD57Kw6eC2GVwuBhghAYCNbpx0 +TYcQeTsBUjubna30K7+8lU1uiblKNLDqAzWynHz8xm1QEo0Z7txP9RRJUZDzlpmx +u9iCMp0CgYEA6ZSexI3igJ68bdTOBwdbFtA9wqUTbYj6MULfUkFwqGLswLpNhhGv +Y9X8YHUjcWEEoLXZb9QftmQc1R/nFCWC2slBBrKw9oERUUVYoczNpbkqJI1fjVfJ +lNFgPXqQlRGIgSzSZr0CdBVs2VZKp19izQRQQI8d3ATD+Q4503dorgMCgYEAxuaC +jow+vgcNt0DxlVWiV9rYGR7sDPJhdDyWgZ+yfaG0lVaX/81cEVxalUKTGHeHrhFs +tIrZbRaIo9+XINzqCBNqfgauAZRFCvDv/BQPoGW+XKe+nH7DcC5PH8lcH6k1uGlq +1KaRPymLRF8/PMmQ92o5Gk6H+Ah523hOJSv5BI8CgYBXH91cmUO8D/leyjqS+pZq +WwA+Yw5tE+Omjjf4WXppBIUkmhkigeQ2y/FYFTlEKBjuzQWupaOyh4MNp9msdRVr +ABhmJC7Hs3q/IqudpmOqhfeHLMhQU0dYYASSye21/JU7AXn1YljQ7dDs/DfaWETl +Dc/VVMyhbZGfi0PccbS0+wKBgQC686+DjQ7sTnT16nUoiHUvXuP/uLDm+mvfdZOC +AzkiHPw/4kS8i6oeJ1B9OzZHqRI+6uHiUSBNCQEmBuNmYD8ZmCZgjqa/lT3QKudn +aPPHL9rd/E2NixjoOJ7mob2VhNaZn3xqpKWhWMsuWNh3qn44D//cWjQzTsQ7JblN +9yb4wQKBgQCUs7wKhD/c45ST7bWH3C/iXBXsUwJrVPLKrCxl5vzkKTiDevMDVndo +/jRAVk5UQEGO+R2eaqsgEujsS+ypGG1EWAdDyQ/6v8/34I7UF/bh5lZYOh1dXr6F +PIROdfotGWYq2ituq1IbJMKFwhZLM7CRqnr0qsb9UaZeeuhqB3PAKQ== +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..2181f94ce --- /dev/null +++ b/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,5 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA carolKey.pem "nH5ZQEWtku0RJEZ6" + +: RSA carolKey-002.pem diff --git a/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.conf index 8800c7ad5..a93ccbc9a 100755 --- a/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.conf @@ -3,8 +3,14 @@ config setup crlcheckinterval=180 strictcrlpolicy=yes + uniqueids=no plutostart=no +ca strongswan + cacert=strongswanCert.pem + crluri=http://crl.strongswan.org/strongswan.crl + auto=add + conn %default ikelifetime=60m keylife=20m @@ -13,19 +19,16 @@ conn %default left=PH_IP_MOON leftcert=moonCert.pem leftid=@moon.strongswan.org - leftsubnet=10.1.0.0/16 leftfirewall=yes right=%any + rightid=carol@strongswan.org keyexchange=ikev2 -conn carol - rightid=carol@strongswan.org - rightcert=carolRevokedCert.pem +conn alice + leftsubnet=10.1.0.10/32 auto=add -conn dave - rightid=dave@strongswan.org - rightcert=daveCert.der - rightca=%any +conn venus + leftsubnet=10.1.0.20/32 auto=add diff --git a/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.d/certs/carolRevokedCert.pem b/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.d/certs/carolRevokedCert.pem deleted file mode 100644 index 5b742fc9e..000000000 --- a/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.d/certs/carolRevokedCert.pem +++ /dev/null @@ -1,25 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEIjCCAwqgAwIBAgIBBzANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ -MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS -b290IENBMB4XDTA0MDkxMDExMjU0OFoXDTA5MDkwOTExMjU0OFowWjELMAkGA1UE -BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh -cmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcN -AQEBBQADggEPADCCAQoCggEBAM5413q1B2EF3spcYD1u0ce9AtIHdxmU3+1E0hqV -mLqpIQtyp4SLbrRunxpoVUuEpHWXgLb3C/ljjlKCMWWmhw4wja1rBTjMNJLPj6Bo -5Qn4Oeuqm7/kLHPGbveQGtcSsJCk6iLqFTbq0wsji5Ogq7kmjWgQv0nM2jpofHLv -VOAtWVSj+x2b3OHdl/WpgTgTw1HHjYo7/NOkARdTcZ2/wxxM3z1Abp9iylc45GLN -IL/OzHkT8b5pdokdMvVijz8IslkkewJYXrVQaCNMZg/ydlXOOAEKz0YqnvXQaYs5 -K+s8XvQ2RFCr5oO0fRT2VbiI9TgHnbcnfUi25iHl6txsXg0CAwEAAaOCAQYwggEC -MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBTbA2TH3ca8tgCGkYy9 -OV/MqUTHAzBtBgNVHSMEZjBkgBRdp91wBlEyfue2bbO15eBg6i5N76FJpEcwRTEL -MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT -EnN0cm9uZ1N3YW4gUm9vdCBDQYIBADAfBgNVHREEGDAWgRRjYXJvbEBzdHJvbmdz -d2FuLm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4u -b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBBAUAA4IBAQC9acuCUPEBOrWB -56vS8N9bksQwv/XcYIFYqV73kFBAzOPLX2a9igFGvBPdCxFu/t8JCswzE6to4LFM -2+6Z2QJf442CLPcJKxITahrjJXSxGbzMlmaDvZ5wFCJAlyin+yuInpTwl8rMZe/Q -O5JeJjzGDgWJtnGdkLUk/l2r6sZ/Cmk5rZpuO0hcUHVztMLQYPzqTpuMvC5p4JzL -LWGWhKRhJs53NmxXXodck/ZgaqiTWuQFYlbamJRvzVBfX7c1SWHRJvxSSOPKGIg3 -wphkO2naj/SQD+BNuWTRmZ9YCiLOQ64ybLpJzRZISETdqtLBPKsIqosUZwkxlR1N -9IcgYi5x ------END CERTIFICATE----- diff --git a/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.d/certs/daveCert.der b/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.d/certs/daveCert.der Binary files differdeleted file mode 100644 index 6c4f37c27..000000000 --- a/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.d/certs/daveCert.der +++ /dev/null diff --git a/testing/tests/ikev2/two-certs/posttest.dat b/testing/tests/ikev2/two-certs/posttest.dat index 195065a5f..a1f067838 100644 --- a/testing/tests/ikev2/two-certs/posttest.dat +++ b/testing/tests/ikev2/two-certs/posttest.dat @@ -1,7 +1,6 @@ moon::ipsec stop carol::ipsec stop -dave::ipsec stop moon::/etc/init.d/iptables stop 2> /dev/null carol::/etc/init.d/iptables stop 2> /dev/null -dave::/etc/init.d/iptables stop 2> /dev/null -moon::rm /etc/ipsec.d/certs/* +carol::rm /etc/ipsec.d/private/* +carol::rm /etc/ipsec.d/certs/* diff --git a/testing/tests/ikev2/two-certs/pretest.dat b/testing/tests/ikev2/two-certs/pretest.dat index 42e9d7c24..716cf71e8 100644 --- a/testing/tests/ikev2/two-certs/pretest.dat +++ b/testing/tests/ikev2/two-certs/pretest.dat @@ -1,9 +1,8 @@ moon::/etc/init.d/iptables start 2> /dev/null carol::/etc/init.d/iptables start 2> /dev/null -dave::/etc/init.d/iptables start 2> /dev/null moon::ipsec start carol::ipsec start -dave::ipsec start carol::sleep 1 -carol::ipsec up home -dave::ipsec up home +carol::ipsec up alice +carol::ipsec up venus +carol::sleep 1 diff --git a/testing/tests/ikev2/two-certs/test.conf b/testing/tests/ikev2/two-certs/test.conf index 70416826e..d0306cd25 100644 --- a/testing/tests/ikev2/two-certs/test.conf +++ b/testing/tests/ikev2/two-certs/test.conf @@ -5,11 +5,11 @@ # All UML instances that are required for this test # -UMLHOSTS="alice moon carol winnetou dave" +UMLHOSTS="alice venus moon carol winnetou" # Corresponding block diagram # -DIAGRAM="a-m-c-w-d.png" +DIAGRAM="a-v-m-c-w-d.png" # UML instances on which tcpdump is to be started # @@ -18,4 +18,4 @@ TCPDUMPHOSTS="moon" # UML instances on which IPsec is started # Used for IPsec logging purposes # -IPSECHOSTS="moon carol dave" +IPSECHOSTS="moon carol" diff --git a/testing/tests/openssl/ike-alg-ecp-high/description.txt b/testing/tests/openssl-ikev1/alg-ecp-high/description.txt index b8efbe87e..b8efbe87e 100644 --- a/testing/tests/openssl/ike-alg-ecp-high/description.txt +++ b/testing/tests/openssl-ikev1/alg-ecp-high/description.txt diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/evaltest.dat b/testing/tests/openssl-ikev1/alg-ecp-high/evaltest.dat new file mode 100644 index 000000000..6a6802780 --- /dev/null +++ b/testing/tests/openssl-ikev1/alg-ecp-high/evaltest.dat @@ -0,0 +1,13 @@ +moon::cat /var/log/auth.log::ECP_256.*refused due to strict flag::YES +moon::ipsec statusall::IPsec SA established::YES +carol::ipsec statusall::IPsec SA established::YES +carol::ipsec statusall::IKE proposal: AES_CBC_192/HMAC_SHA2_384/ECP_384::YES +dave::ipsec statusall::IPsec SA established::YES +dave::ipsec statusall::IKE proposal: AES_CBC_256/HMAC_SHA2_512/ECP_521::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES + diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..432fa52ea --- /dev/null +++ b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + plutodebug=control + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + ike=aes192-sha384-ecp256,aes192-sha384-ecp384! + +conn home + left=PH_IP_CAROL + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..9836736c3 --- /dev/null +++ b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = openssl pubkey random hmac curl +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..28304eb41 --- /dev/null +++ b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + plutodebug=control + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + ike=aes256-sha512-ecp256,aes256-sha512-ecp521! + +conn home + left=PH_IP_DAVE + leftcert=daveCert.pem + leftid=dave@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..c4211619b --- /dev/null +++ b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/dave/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = aes des sha1 sha2 md5 gmp openssl pubkey random hmac curl +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..d6737f6e0 --- /dev/null +++ b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + plutodebug=control + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + ike=aes192-sha384-ecp384,aes256-sha512-ecp521! + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + leftfirewall=yes + right=%any + auto=add diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..9836736c3 --- /dev/null +++ b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = openssl pubkey random hmac curl +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/openssl/rw-cert/posttest.dat b/testing/tests/openssl-ikev1/alg-ecp-high/posttest.dat index 7cebd7f25..7cebd7f25 100644 --- a/testing/tests/openssl/rw-cert/posttest.dat +++ b/testing/tests/openssl-ikev1/alg-ecp-high/posttest.dat diff --git a/testing/tests/openssl/rw-cert/pretest.dat b/testing/tests/openssl-ikev1/alg-ecp-high/pretest.dat index 42e9d7c24..42e9d7c24 100644 --- a/testing/tests/openssl/rw-cert/pretest.dat +++ b/testing/tests/openssl-ikev1/alg-ecp-high/pretest.dat diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/test.conf b/testing/tests/openssl-ikev1/alg-ecp-high/test.conf new file mode 100644 index 000000000..70416826e --- /dev/null +++ b/testing/tests/openssl-ikev1/alg-ecp-high/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/openssl/ike-alg-ecp-low/description.txt b/testing/tests/openssl-ikev1/alg-ecp-low/description.txt index 4f043e7d9..4f043e7d9 100644 --- a/testing/tests/openssl/ike-alg-ecp-low/description.txt +++ b/testing/tests/openssl-ikev1/alg-ecp-low/description.txt diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/evaltest.dat b/testing/tests/openssl-ikev1/alg-ecp-low/evaltest.dat new file mode 100644 index 000000000..3c5ae4138 --- /dev/null +++ b/testing/tests/openssl-ikev1/alg-ecp-low/evaltest.dat @@ -0,0 +1,13 @@ +moon::cat /var/log/auth.log::ECP_192.*refused due to strict flag::YES +moon::ipsec statusall::IPsec SA established::YES +carol::ipsec statusall::IPsec SA established::YES +carol::ipsec statusall::IKE proposal: AES_CBC_128/HMAC_SHA2_256/ECP_224::YES +dave::ipsec statusall::IPsec SA established::YES +dave::ipsec statusall::IKE proposal: AES_CBC_128/HMAC_SHA2_256/ECP_256::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES + diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..5a4d82699 --- /dev/null +++ b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + plutodebug=control + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + ike=aes128-sha256-ecp192,aes128-sha256-ecp224! + +conn home + left=PH_IP_CAROL + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..668998653 --- /dev/null +++ b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = openssl pubkey random hmac curl +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..ac828c182 --- /dev/null +++ b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + plutodebug=control + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + ike=aes128-sha256-ecp192,aes128-sha256-ecp256! + +conn home + left=PH_IP_DAVE + leftcert=daveCert.pem + leftid=dave@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..c4211619b --- /dev/null +++ b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/dave/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = aes des sha1 sha2 md5 gmp openssl pubkey random hmac curl +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..870271c87 --- /dev/null +++ b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + plutodebug=control + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + ike=aes128-sha256-ecp224,aes128-sha256-ecp256! + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + leftfirewall=yes + right=%any + auto=add diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..668998653 --- /dev/null +++ b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = openssl pubkey random hmac curl +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/posttest.dat b/testing/tests/openssl-ikev1/alg-ecp-low/posttest.dat new file mode 100644 index 000000000..7cebd7f25 --- /dev/null +++ b/testing/tests/openssl-ikev1/alg-ecp-low/posttest.dat @@ -0,0 +1,6 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +dave::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/pretest.dat b/testing/tests/openssl-ikev1/alg-ecp-low/pretest.dat new file mode 100644 index 000000000..42e9d7c24 --- /dev/null +++ b/testing/tests/openssl-ikev1/alg-ecp-low/pretest.dat @@ -0,0 +1,9 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +dave::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +carol::ipsec start +dave::ipsec start +carol::sleep 1 +carol::ipsec up home +dave::ipsec up home diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/test.conf b/testing/tests/openssl-ikev1/alg-ecp-low/test.conf new file mode 100644 index 000000000..70416826e --- /dev/null +++ b/testing/tests/openssl-ikev1/alg-ecp-low/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/openssl/ecdsa-certs/description.txt b/testing/tests/openssl-ikev1/ecdsa-certs/description.txt index 2c098d898..2c098d898 100644 --- a/testing/tests/openssl/ecdsa-certs/description.txt +++ b/testing/tests/openssl-ikev1/ecdsa-certs/description.txt diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/evaltest.dat b/testing/tests/openssl-ikev1/ecdsa-certs/evaltest.dat new file mode 100644 index 000000000..2aea10135 --- /dev/null +++ b/testing/tests/openssl-ikev1/ecdsa-certs/evaltest.dat @@ -0,0 +1,15 @@ +moon::cat /var/log/auth.log::ECDSA-256 signature check passed::YES +moon::cat /var/log/auth.log::ECDSA-384 signature check passed::YES +carol::cat /var/log/auth.log::ECDSA-256 signature check passed::YES +dave::cat /var/log/auth.log::ECDSA-384 signature check passed::YES +moon::ipsec statusall::carol.*IPsec SA established::YES +moon::ipsec statusall::dave.*IPsec SA established::YES +carol::ipsec statusall::home.*IPsec SA established::YES +dave::ipsec statusall::home.*IPsec SA established::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES + diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..b0b6ff738 --- /dev/null +++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + plutodebug=control + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + +conn home + left=PH_IP_CAROL + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/openssl/ecdsa-certs/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem index 3480a434a..3480a434a 100644 --- a/testing/tests/openssl/ecdsa-certs/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem +++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem diff --git a/testing/tests/openssl/ecdsa-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem index 29709926a..29709926a 100644 --- a/testing/tests/openssl/ecdsa-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem +++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem diff --git a/testing/tests/openssl/ecdsa-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem index 5f21c1012..5f21c1012 100644 --- a/testing/tests/openssl/ecdsa-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem +++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem diff --git a/testing/tests/openssl/ecdsa-certs/hosts/carol/etc/ipsec.secrets b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.secrets index 4e53ef91a..4e53ef91a 100644 --- a/testing/tests/openssl/ecdsa-certs/hosts/carol/etc/ipsec.secrets +++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.secrets diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..9836736c3 --- /dev/null +++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = openssl pubkey random hmac curl +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..23813b20b --- /dev/null +++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + plutodebug=control + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + +conn home + left=PH_IP_DAVE + leftcert=daveCert.pem + leftid=dave@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/openssl/ecdsa-certs/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem index 3480a434a..3480a434a 100644 --- a/testing/tests/openssl/ecdsa-certs/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem +++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem diff --git a/testing/tests/openssl/ecdsa-certs/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/certs/daveCert.pem index 075d8f1e5..075d8f1e5 100644 --- a/testing/tests/openssl/ecdsa-certs/hosts/dave/etc/ipsec.d/certs/daveCert.pem +++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/certs/daveCert.pem diff --git a/testing/tests/openssl/ecdsa-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem index f628f88e5..f628f88e5 100644 --- a/testing/tests/openssl/ecdsa-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem +++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem diff --git a/testing/tests/openssl/ecdsa-certs/hosts/dave/etc/ipsec.secrets b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.secrets index ebd3a2839..ebd3a2839 100644 --- a/testing/tests/openssl/ecdsa-certs/hosts/dave/etc/ipsec.secrets +++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.secrets diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..c4211619b --- /dev/null +++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = aes des sha1 sha2 md5 gmp openssl pubkey random hmac curl +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..f22a4ac4c --- /dev/null +++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.conf @@ -0,0 +1,32 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + plutodebug=control + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + +conn carol + also=moon + leftcert=moon_ec256_Cert.pem + rightid=carol@strongswan.org + auto=add + +conn dave + also=moon + leftcert=moon_ec384_Cert.pem + rightid=dave@strongswan.org + auto=add + +conn moon + left=PH_IP_MOON + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + leftfirewall=yes + right=%any diff --git a/testing/tests/openssl/ecdsa-certs/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem index 3480a434a..3480a434a 100644 --- a/testing/tests/openssl/ecdsa-certs/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem +++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moon_ec256_Cert.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moon_ec256_Cert.pem new file mode 100644 index 000000000..d5e61558e --- /dev/null +++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moon_ec256_Cert.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC7DCCAk+gAwIBAgIBBTAJBgcqhkjOPQQBMEgxCzAJBgNVBAYTAkNIMRkwFwYD +VQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJv +b3QgQ0EwHhcNMDkwNjEyMTYwNjMzWhcNMTQwNjExMTYwNjMzWjBeMQswCQYDVQQG +EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEWMBQGA1UECxMNRUNEU0Eg +MjU2IGJpdDEcMBoGA1UEAxMTbW9vbi5zdHJvbmdzd2FuLm9yZzBZMBMGByqGSM49 +AgEGCCqGSM49AwEHA0IABIU/UvJ7ro2AYsFWXZKH9K4FD9O5kNfi3/H3+10kAy6s +eQUab8qaAhTahBHuywzanVTiJPK5caQSvnpt+z1RJDqjggETMIIBDzAJBgNVHRME +AjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQUq1PybZZ+RZuJICuoDUhXdLy/iacw +eAYDVR0jBHEwb4AUul35cbYTtWrR3bo2t6rSwe6P2NKhTKRKMEgxCzAJBgNVBAYT +AkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdT +d2FuIEVDIFJvb3QgQ0GCCQD2onV+Iu+miTAeBgNVHREEFzAVghNtb29uLnN0cm9u +Z3N3YW4ub3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuc3Ryb25nc3dh +bi5vcmcvc3Ryb25nc3dhbl9lYy5jcmwwCQYHKoZIzj0EAQOBiwAwgYcCQWYZnZLl +iimVcAs5p7SXpHmcnlIX9C4EFzNtY+zoDfPM9Qx/vGY2hKa65tyhepn5RFyNqH6d +slr5EBqoT5Vt86kJAkIAx/dyiLLqT0+lJiyxjLQuAaLRWHwlgq7jaUhoQusxno62 +dIfe0U1QjgumA+zXoAnbLBF3KnnrKvHByv7ejeH0Ys4= +-----END CERTIFICATE----- diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moon_ec384_Cert.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moon_ec384_Cert.pem new file mode 100644 index 000000000..45224b09b --- /dev/null +++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moon_ec384_Cert.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDCjCCAmygAwIBAgIBBjAJBgcqhkjOPQQBMEgxCzAJBgNVBAYTAkNIMRkwFwYD +VQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJv +b3QgQ0EwHhcNMDkwNjEyMTYwNzA2WhcNMTQwNjExMTYwNzA2WjBeMQswCQYDVQQG +EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEWMBQGA1UECxMNRUNEU0Eg +Mzg0IGJpdDEcMBoGA1UEAxMTbW9vbi5zdHJvbmdzd2FuLm9yZzB2MBAGByqGSM49 +AgEGBSuBBAAiA2IABK4TajAd1pgzhJJsmyjw1Zb/CdEe0eWKmEyP1OjmwRwS37Tx +3wV9C9ZzCYBsJlvbH53kyeZYoAojUL5sXDVBq8qu23jSjBCesypSiNt/8akt+4bg +a4qMN2zutd/U1fC5C6OCARMwggEPMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0G +A1UdDgQWBBT43sZUBjwcO+QW4PXk7KoOxxkm3jB4BgNVHSMEcTBvgBS6XflxthO1 +atHduja3qtLB7o/Y0qFMpEowSDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4 +IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3YW4gRUMgUm9vdCBDQYIJAPai +dX4i76aJMB4GA1UdEQQXMBWCE21vb24uc3Ryb25nc3dhbi5vcmcwPAYDVR0fBDUw +MzAxoC+gLYYraHR0cDovL2NybC5zdHJvbmdzd2FuLm9yZy9zdHJvbmdzd2FuX2Vj +LmNybDAJBgcqhkjOPQQBA4GMADCBiAJCAUfrzEnQUA0dqpo9I2YaFh3Y+QnFosTg +b46jcbxm/LbIeWDxwU2HK3Qfo+tGsXJnh73lKo8B0o+OsXt4gP+GQutCAkIBu7Aw +0iUx8d84SqHiBZBDIk/X6NV62YZXVhO9rPON0r/kdmeZ8OvPD53JgE64irFf6Wp+ +3ictLD61ItW0nxNHlcE= +-----END CERTIFICATE----- diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moon_ec256_Key.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moon_ec256_Key.pem new file mode 100644 index 000000000..66b6315f9 --- /dev/null +++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moon_ec256_Key.pem @@ -0,0 +1,5 @@ +-----BEGIN EC PRIVATE KEY----- +MHcCAQEEIE+rz/5axOOEvTVs9nnmKyF1v/rgmdIvam+BfSSS1SGpoAoGCCqGSM49 +AwEHoUQDQgAEhT9S8nuujYBiwVZdkof0rgUP07mQ1+Lf8ff7XSQDLqx5BRpvypoC +FNqEEe7LDNqdVOIk8rlxpBK+em37PVEkOg== +-----END EC PRIVATE KEY----- diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moon_ec384_Key.pem b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moon_ec384_Key.pem new file mode 100644 index 000000000..64f7fcfd1 --- /dev/null +++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moon_ec384_Key.pem @@ -0,0 +1,6 @@ +-----BEGIN EC PRIVATE KEY----- +MIGkAgEBBDDvvge4iZDHIaL0IDBs4gVesErZZWOud3NysAEayGW4iTb6wjQLtIVF +1i7d8lV6Uc2gBwYFK4EEACKhZANiAASuE2owHdaYM4SSbJso8NWW/wnRHtHliphM +j9To5sEcEt+08d8FfQvWcwmAbCZb2x+d5MnmWKAKI1C+bFw1QavKrtt40owQnrMq +Uojbf/GpLfuG4GuKjDds7rXf1NXwuQs= +-----END EC PRIVATE KEY----- diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.secrets b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..8a8812e0f --- /dev/null +++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,5 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: ECDSA moon_ec256_Key.pem + +: ECDSA moon_ec384_Key.pem diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..9836736c3 --- /dev/null +++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = openssl pubkey random hmac curl +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/posttest.dat b/testing/tests/openssl-ikev1/ecdsa-certs/posttest.dat new file mode 100644 index 000000000..73fe3096d --- /dev/null +++ b/testing/tests/openssl-ikev1/ecdsa-certs/posttest.dat @@ -0,0 +1,8 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +dave::/etc/init.d/iptables stop 2> /dev/null +moon::rm /etc/ipsec.d/private/* +moon::rm /etc/ipsec.d/certs/* diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/pretest.dat b/testing/tests/openssl-ikev1/ecdsa-certs/pretest.dat new file mode 100644 index 000000000..42e9d7c24 --- /dev/null +++ b/testing/tests/openssl-ikev1/ecdsa-certs/pretest.dat @@ -0,0 +1,9 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +dave::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +carol::ipsec start +dave::ipsec start +carol::sleep 1 +carol::ipsec up home +dave::ipsec up home diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/test.conf b/testing/tests/openssl-ikev1/ecdsa-certs/test.conf new file mode 100644 index 000000000..70416826e --- /dev/null +++ b/testing/tests/openssl-ikev1/ecdsa-certs/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/openssl/rw-cert/description.txt b/testing/tests/openssl-ikev1/rw-cert/description.txt index 0f721c52b..0f721c52b 100644 --- a/testing/tests/openssl/rw-cert/description.txt +++ b/testing/tests/openssl-ikev1/rw-cert/description.txt diff --git a/testing/tests/openssl-ikev1/rw-cert/evaltest.dat b/testing/tests/openssl-ikev1/rw-cert/evaltest.dat new file mode 100644 index 000000000..1a9b9159f --- /dev/null +++ b/testing/tests/openssl-ikev1/rw-cert/evaltest.dat @@ -0,0 +1,10 @@ +moon::ipsec statusall::IPsec SA established::YES +carol::ipsec statusall::IPsec SA established::YES +dave::ipsec statusall::IPsec SA established::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES + diff --git a/testing/tests/openssl-ikev1/rw-cert/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev1/rw-cert/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..80dae3719 --- /dev/null +++ b/testing/tests/openssl-ikev1/rw-cert/hosts/carol/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + plutodebug=control + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + ike=3des-sha1-modp1536! + +conn home + left=PH_IP_CAROL + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/openssl-ikev1/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev1/rw-cert/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..e2a83185b --- /dev/null +++ b/testing/tests/openssl-ikev1/rw-cert/hosts/carol/etc/strongswan.conf @@ -0,0 +1,14 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = test-vectors openssl pubkey random hmac curl +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no + crypto_test { + on_add = yes + } +} diff --git a/testing/tests/openssl-ikev1/rw-cert/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev1/rw-cert/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..73167caad --- /dev/null +++ b/testing/tests/openssl-ikev1/rw-cert/hosts/dave/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + plutodebug=control + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + ike=aes256-sha256-modp2048! + +conn home + left=PH_IP_DAVE + leftcert=daveCert.pem + leftid=dave@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/openssl-ikev1/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev1/rw-cert/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..2ba85bb98 --- /dev/null +++ b/testing/tests/openssl-ikev1/rw-cert/hosts/dave/etc/strongswan.conf @@ -0,0 +1,15 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = test-vectors aes des sha1 sha2 md5 gmp pubkey random hmac curl +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no + crypto_test { + required = yes + on_add = yes + } +} diff --git a/testing/tests/openssl-ikev1/rw-cert/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev1/rw-cert/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..f365b07da --- /dev/null +++ b/testing/tests/openssl-ikev1/rw-cert/hosts/moon/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + plutodebug=control + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + ike=aes256-sha256-modp2048,3des-sha1-modp1536! + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + leftfirewall=yes + right=%any + auto=add diff --git a/testing/tests/openssl-ikev1/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev1/rw-cert/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..28d9ab3ba --- /dev/null +++ b/testing/tests/openssl-ikev1/rw-cert/hosts/moon/etc/strongswan.conf @@ -0,0 +1,15 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = test-vectors openssl pubkey random hmac curl +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no + crypto_test { + on_add = yes + } +} + diff --git a/testing/tests/openssl-ikev1/rw-cert/posttest.dat b/testing/tests/openssl-ikev1/rw-cert/posttest.dat new file mode 100644 index 000000000..7cebd7f25 --- /dev/null +++ b/testing/tests/openssl-ikev1/rw-cert/posttest.dat @@ -0,0 +1,6 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +dave::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/openssl-ikev1/rw-cert/pretest.dat b/testing/tests/openssl-ikev1/rw-cert/pretest.dat new file mode 100644 index 000000000..42e9d7c24 --- /dev/null +++ b/testing/tests/openssl-ikev1/rw-cert/pretest.dat @@ -0,0 +1,9 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +dave::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +carol::ipsec start +dave::ipsec start +carol::sleep 1 +carol::ipsec up home +dave::ipsec up home diff --git a/testing/tests/openssl-ikev1/rw-cert/test.conf b/testing/tests/openssl-ikev1/rw-cert/test.conf new file mode 100644 index 000000000..70416826e --- /dev/null +++ b/testing/tests/openssl-ikev1/rw-cert/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/openssl-ikev2/alg-blowfish/description.txt b/testing/tests/openssl-ikev2/alg-blowfish/description.txt new file mode 100644 index 000000000..d30d9d2da --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-blowfish/description.txt @@ -0,0 +1,11 @@ +The roadwarriors <b>carol</b> and <b>dave</b> as well as the gateway <b>moon</b> +use the <b>openssl</b> plugin based on the <b>OpenSSL</b> library for all +cryptographical functions, thus making the <b>Blowfish</b> available as an IKEv2 cipher. +<p> +The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each +to gateway <b>moon</b> using <b>Blowfish</b> for both IKE and ESP +encryption. Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b> +automatically inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping +the client <b>alice</b> behind the gateway <b>moon</b>. + diff --git a/testing/tests/openssl-ikev2/alg-blowfish/evaltest.dat b/testing/tests/openssl-ikev2/alg-blowfish/evaltest.dat new file mode 100644 index 000000000..a1f9f6a8e --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-blowfish/evaltest.dat @@ -0,0 +1,16 @@ +moon::ipsec statusall::rw.*ESTABLISHED::YES +carol::ipsec statusall::home.*ESTABLISHED::YES +carol::ipsec statusall::IKE proposal: BLOWFISH_CBC_256::YES +carol::ipsec statusall::BLOWFISH_CBC_192.*,::YES +carol::ip -s xfrm state::enc cbc(blowfish).*(192 bits)::YES +dave::ipsec statusall::home.*ESTABLISHED::YES +dave::ipsec statusall::IKE proposal: BLOWFISH_CBC_128::YES +dave::ipsec statusall::BLOWFISH_CBC_128.*,::YES +dave::ip -s xfrm state::enc cbc(blowfish).*(128 bits)::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES + diff --git a/testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..62e181012 --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + ike=blowfish256-sha512-modp2048! + esp=blowfish192-sha256! + +conn home + left=PH_IP_CAROL + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/openssl/ecdsa-certs/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf index e10230384..e10230384 100644 --- a/testing/tests/openssl/ecdsa-certs/hosts/carol/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf diff --git a/testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..26f3f3a04 --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + ike=blowfish128-sha256-modp1536! + esp=blowfish128-sha1! + +conn home + left=PH_IP_DAVE + leftcert=daveCert.pem + leftid=dave@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/openssl/ecdsa-certs/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf index e10230384..e10230384 100644 --- a/testing/tests/openssl/ecdsa-certs/hosts/dave/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf diff --git a/testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..31a00f7fb --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + ike=blowfish256-sha512-modp2048,blowfish128-sha256-modp1536! + esp=blowfish192-sha256,blowfish128-sha1! + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + leftfirewall=yes + right=%any + auto=add diff --git a/testing/tests/openssl/ecdsa-certs/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf index e10230384..e10230384 100644 --- a/testing/tests/openssl/ecdsa-certs/hosts/moon/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf diff --git a/testing/tests/openssl-ikev2/alg-blowfish/posttest.dat b/testing/tests/openssl-ikev2/alg-blowfish/posttest.dat new file mode 100644 index 000000000..7cebd7f25 --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-blowfish/posttest.dat @@ -0,0 +1,6 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +dave::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/openssl-ikev2/alg-blowfish/pretest.dat b/testing/tests/openssl-ikev2/alg-blowfish/pretest.dat new file mode 100644 index 000000000..42e9d7c24 --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-blowfish/pretest.dat @@ -0,0 +1,9 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +dave::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +carol::ipsec start +dave::ipsec start +carol::sleep 1 +carol::ipsec up home +dave::ipsec up home diff --git a/testing/tests/openssl-ikev2/alg-blowfish/test.conf b/testing/tests/openssl-ikev2/alg-blowfish/test.conf new file mode 100644 index 000000000..70416826e --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-blowfish/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/description.txt b/testing/tests/openssl-ikev2/alg-ecp-high/description.txt new file mode 100644 index 000000000..b8efbe87e --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-ecp-high/description.txt @@ -0,0 +1,17 @@ +The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>openssl</b> +plugin based on the <b>OpenSSL</b> library for all cryptographical functions +whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b> cryptographical +plugins <b>aes des sha1 sha2 md5 gmp</b> plus the <b>openssl</b> plugin for +the Elliptic Curve Diffie-Hellman groups only. +<p> +The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each +to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>. +<b>carol</b> proposes the DH groups ECP_256 and ECP_384 whereas <b>dave</b> proposes +ECP_256 and ECP_521. Since <b>moon</b> does not support ECP_256 the roadwarriors +fall back to ECP_384 and ECP_521, respectively. +<p> +Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b> +automatically inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping +the client <b>alice</b> behind the gateway <b>moon</b>. + diff --git a/testing/tests/openssl/ike-alg-ecp-high/evaltest.dat b/testing/tests/openssl-ikev2/alg-ecp-high/evaltest.dat index c9055f89c..009936466 100644 --- a/testing/tests/openssl/ike-alg-ecp-high/evaltest.dat +++ b/testing/tests/openssl-ikev2/alg-ecp-high/evaltest.dat @@ -1,10 +1,10 @@ -carol::cat /var/log/daemon.log::ECP_256_BIT.*ECP_384_BIT::YES -dave::cat /var/log/daemon.log::ECP_256_BIT.*ECP_521_BIT::YES +carol::cat /var/log/daemon.log::ECP_256.*ECP_384::YES +dave::cat /var/log/daemon.log::ECP_256.*ECP_521::YES moon::ipsec statusall::rw.*ESTABLISHED::YES carol::ipsec statusall::home.*ESTABLISHED::YES -carol::ipsec statusall::home.*AES_CBC-192/AUTH_HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384_BIT::YES +carol::ipsec statusall::home.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384::YES dave::ipsec statusall::home.*ESTABLISHED::YES -dave::ipsec statusall::home.*AES_CBC-256/AUTH_HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_521_BIT::YES +dave::ipsec statusall::home.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_521::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/openssl/ike-alg-ecp-high/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/ipsec.conf index 0550a09b4..0550a09b4 100755 --- a/testing/tests/openssl/ike-alg-ecp-high/hosts/carol/etc/ipsec.conf +++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/ipsec.conf diff --git a/testing/tests/openssl/ike-alg-ecp-high/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/strongswan.conf index e10230384..e10230384 100644 --- a/testing/tests/openssl/ike-alg-ecp-high/hosts/carol/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/strongswan.conf diff --git a/testing/tests/openssl/ike-alg-ecp-high/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/ipsec.conf index 22026fc36..22026fc36 100755 --- a/testing/tests/openssl/ike-alg-ecp-high/hosts/dave/etc/ipsec.conf +++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/ipsec.conf diff --git a/testing/tests/openssl/ike-alg-ecp-high/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/strongswan.conf index 7ffdcc204..7ffdcc204 100644 --- a/testing/tests/openssl/ike-alg-ecp-high/hosts/dave/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/strongswan.conf diff --git a/testing/tests/openssl/ike-alg-ecp-high/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/ipsec.conf index ffe13d259..ffe13d259 100755 --- a/testing/tests/openssl/ike-alg-ecp-high/hosts/moon/etc/ipsec.conf +++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/ipsec.conf diff --git a/testing/tests/openssl/ike-alg-ecp-high/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/strongswan.conf index e10230384..e10230384 100644 --- a/testing/tests/openssl/ike-alg-ecp-high/hosts/moon/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/strongswan.conf diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/posttest.dat b/testing/tests/openssl-ikev2/alg-ecp-high/posttest.dat new file mode 100644 index 000000000..7cebd7f25 --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-ecp-high/posttest.dat @@ -0,0 +1,6 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +dave::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/pretest.dat b/testing/tests/openssl-ikev2/alg-ecp-high/pretest.dat new file mode 100644 index 000000000..42e9d7c24 --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-ecp-high/pretest.dat @@ -0,0 +1,9 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +dave::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +carol::ipsec start +dave::ipsec start +carol::sleep 1 +carol::ipsec up home +dave::ipsec up home diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/test.conf b/testing/tests/openssl-ikev2/alg-ecp-high/test.conf new file mode 100644 index 000000000..70416826e --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-ecp-high/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/description.txt b/testing/tests/openssl-ikev2/alg-ecp-low/description.txt new file mode 100644 index 000000000..4f043e7d9 --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-ecp-low/description.txt @@ -0,0 +1,17 @@ +The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>openssl</b> +plugin based on the <b>OpenSSL</b> library for all cryptographical functions +whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b> cryptographical +plugins <b>aes des sha1 sha2 md5 gmp</b> plus the <b>openssl</b> plugin for +the Elliptic Curve Diffie-Hellman groups only. +<p> +The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each +to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>. +<b>carol</b> proposes the DH groups ECP_192 and ECP_224 whereas <b>dave</b> proposes +ECP_192 and ECP_256. Since <b>moon</b> does not support ECP_192 the roadwarriors +fall back to ECP_224 and ECP_256, respectively. +<p> +Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b> +automatically inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping +the client <b>alice</b> behind the gateway <b>moon</b>. + diff --git a/testing/tests/openssl/ike-alg-ecp-low/evaltest.dat b/testing/tests/openssl-ikev2/alg-ecp-low/evaltest.dat index dc417c21f..e2073d9be 100644 --- a/testing/tests/openssl/ike-alg-ecp-low/evaltest.dat +++ b/testing/tests/openssl-ikev2/alg-ecp-low/evaltest.dat @@ -1,10 +1,10 @@ -carol::cat /var/log/daemon.log::ECP_192_BIT.*ECP_224_BIT::YES -dave::cat /var/log/daemon.log::ECP_192_BIT.*ECP_256_BIT::YES +carol::cat /var/log/daemon.log::ECP_192.*ECP_224::YES +dave::cat /var/log/daemon.log::ECP_192.*ECP_256::YES moon::ipsec statusall::rw.*ESTABLISHED::YES carol::ipsec statusall::home.*ESTABLISHED::YES -carol::ipsec statusall::home.*AES_CBC-128/AUTH_HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_224_BIT::YES +carol::ipsec statusall::home.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_224::YES dave::ipsec statusall::home.*ESTABLISHED::YES -dave::ipsec statusall::home.*AES_CBC-128/AUTH_HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256_BIT::YES +dave::ipsec statusall::home.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/openssl/ike-alg-ecp-low/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/ipsec.conf index 6a15b3f54..6a15b3f54 100755 --- a/testing/tests/openssl/ike-alg-ecp-low/hosts/carol/etc/ipsec.conf +++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/ipsec.conf diff --git a/testing/tests/openssl/ike-alg-ecp-low/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/strongswan.conf index e10230384..e10230384 100644 --- a/testing/tests/openssl/ike-alg-ecp-low/hosts/carol/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/strongswan.conf diff --git a/testing/tests/openssl/ike-alg-ecp-low/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/ipsec.conf index b4bdf456f..b4bdf456f 100755 --- a/testing/tests/openssl/ike-alg-ecp-low/hosts/dave/etc/ipsec.conf +++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/ipsec.conf diff --git a/testing/tests/openssl/ike-alg-ecp-low/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/strongswan.conf index 7ffdcc204..7ffdcc204 100644 --- a/testing/tests/openssl/ike-alg-ecp-low/hosts/dave/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/strongswan.conf diff --git a/testing/tests/openssl/ike-alg-ecp-low/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/ipsec.conf index 64ec0f12c..64ec0f12c 100755 --- a/testing/tests/openssl/ike-alg-ecp-low/hosts/moon/etc/ipsec.conf +++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/ipsec.conf diff --git a/testing/tests/openssl/ike-alg-ecp-low/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/strongswan.conf index e10230384..e10230384 100644 --- a/testing/tests/openssl/ike-alg-ecp-low/hosts/moon/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/strongswan.conf diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/posttest.dat b/testing/tests/openssl-ikev2/alg-ecp-low/posttest.dat new file mode 100644 index 000000000..7cebd7f25 --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-ecp-low/posttest.dat @@ -0,0 +1,6 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +dave::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/pretest.dat b/testing/tests/openssl-ikev2/alg-ecp-low/pretest.dat new file mode 100644 index 000000000..42e9d7c24 --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-ecp-low/pretest.dat @@ -0,0 +1,9 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +dave::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +carol::ipsec start +dave::ipsec start +carol::sleep 1 +carol::ipsec up home +dave::ipsec up home diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/test.conf b/testing/tests/openssl-ikev2/alg-ecp-low/test.conf new file mode 100644 index 000000000..70416826e --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-ecp-low/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/description.txt b/testing/tests/openssl-ikev2/ecdsa-certs/description.txt new file mode 100644 index 000000000..2c098d898 --- /dev/null +++ b/testing/tests/openssl-ikev2/ecdsa-certs/description.txt @@ -0,0 +1,11 @@ +The hosts <b>carol</b>, <b>dave</b>, and <b>moon</b> use the <b>openssl</b> plugin +based on the <b>OpenSSL</b> library for all cryptographical functions. +<p> +The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each +to gateway <b>moon</b>. The authentication is based on <b>ECDSA signatures</b> +using <b>Elliptic Curve certificates</b>. +Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b> +automatically inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping +the client <b>alice</b> behind the gateway <b>moon</b>. + diff --git a/testing/tests/openssl/ecdsa-certs/evaltest.dat b/testing/tests/openssl-ikev2/ecdsa-certs/evaltest.dat index a7243ce70..868da5776 100644 --- a/testing/tests/openssl/ecdsa-certs/evaltest.dat +++ b/testing/tests/openssl-ikev2/ecdsa-certs/evaltest.dat @@ -1,7 +1,7 @@ -moon::cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA-256 signature successful -moon::cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with ECDSA-384 signature successful -carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA-521 signature successful -dave::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA-521 signature successful +moon::cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA-256 signature successful::YES +moon::cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with ECDSA-384 signature successful::YES +carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA-521 signature successful::YES +dave::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA-521 signature successful::YES moon::ipsec statusall::rw.*ESTABLISHED::YES carol::ipsec statusall::home.*ESTABLISHED::YES dave::ipsec statusall::home.*ESTABLISHED::YES diff --git a/testing/tests/openssl/ecdsa-certs/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.conf index 4f6fdc567..c75d6b2a1 100755 --- a/testing/tests/openssl/ecdsa-certs/hosts/carol/etc/ipsec.conf +++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.conf @@ -11,7 +11,6 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev2 - authby=ecdsasig conn home left=PH_IP_CAROL diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem new file mode 100644 index 000000000..3480a434a --- /dev/null +++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICyDCCAiqgAwIBAgIJAPaidX4i76aJMAkGByqGSM49BAEwSDELMAkGA1UEBhMC +Q0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3 +YW4gRUMgUm9vdCBDQTAeFw0wODA2MjIxNDM2MDZaFw0xODA2MjAxNDM2MDZaMEgx +CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD +ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA +BAEUx1NvjNKzbDHaRPMsqIf/6SbUpzBa78N/WIyF6rYj8e5McAqfTfzUfFJZYoQn +/mbP3VfjOxRuMDjrlfvdgMxwkwFDigWQfHg3CJbS7eQjjO1MrxxIJUtfSTnF29tM +h6IYMdxaZKloCGCOrpmGCGdxD2/KwoX1SA3BlnjaNt7kSTonkqOBujCBtzAPBgNV +HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUul35cbYTtWrR3bo2 +t6rSwe6P2NIweAYDVR0jBHEwb4AUul35cbYTtWrR3bo2t6rSwe6P2NKhTKRKMEgx +CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD +ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2onV+Iu+miTAJBgcqhkjOPQQBA4GM +ADCBiAJCAL5pU3X6NYWjOYe0cxrah27UxtUDLUNkFG/Ojl+gOH4QB0CKY0HXNyrq +cgba73dXF/U0Cg3Ij/9g4Kd9GgYq0GlSAkIAqgqMKqXni8wbeGMJE2Mn2/8aHM3Q +3flpHSoeNWOe/VzpRviw+VRgA4vbhhKUXBtQSiea77/DXLwOp5w7rkBoEUg= +-----END CERTIFICATE----- diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem new file mode 100644 index 000000000..29709926a --- /dev/null +++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC7zCCAlGgAwIBAgIBBDAJBgcqhkjOPQQBMEgxCzAJBgNVBAYTAkNIMRkwFwYD +VQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJv +b3QgQ0EwHhcNMDgwNjIyMTYyOTE4WhcNMTMwNjIxMTYyOTE4WjBfMQswCQYDVQQG +EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEWMBQGA1UECxMNRUNEU0Eg +MjU2IGJpdDEdMBsGA1UEAxQUY2Fyb2xAc3Ryb25nc3dhbi5vcmcwWTATBgcqhkjO +PQIBBggqhkjOPQMBBwNCAAQgp/Z/GgzvVCDdVcIYqERml0KroZEaVqiF8uy8dlTS +4mxNs6snDdEWh/LzXTd3NVnCihT2XgHxOk8NrX4hBMMYo4IBFDCCARAwCQYDVR0T +BAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFLdhGhurno1dU2SMx7UGXpa/lgJ9 +MHgGA1UdIwRxMG+AFLpd+XG2E7Vq0d26Nreq0sHuj9jSoUykSjBIMQswCQYDVQQG +EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25n +U3dhbiBFQyBSb290IENBggkA9qJ1fiLvpokwHwYDVR0RBBgwFoEUY2Fyb2xAc3Ry +b25nc3dhbi5vcmcwPAYDVR0fBDUwMzAxoC+gLYYraHR0cDovL2NybC5zdHJvbmdz +d2FuLm9yZy9zdHJvbmdzd2FuX2VjLmNybDAJBgcqhkjOPQQBA4GMADCBiAJCATa+ +sBFW3vCx/JgLyxU85F2QuLO0/zdNBhIU0kN7kr1cYBBr8mpbhuNKm6iFe2DsFJZx +ii3DQjwvG46is2Njzi4vAkIA72lPodCDtAFpD/2PUxjzo6xTAFazUejobkdDTUXn +s0f8qIzzeQuTwLbp6pDmR/JGzhAeRvQT82njCo0PJ8Hbz1c= +-----END CERTIFICATE----- diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem new file mode 100644 index 000000000..5f21c1012 --- /dev/null +++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem @@ -0,0 +1,8 @@ +-----BEGIN EC PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: AES-128-CBC,F36088B0517117B50C1A436E5C84526E + +Zulq4O8x8i4P2I8+Ewe2pPJT8K2kzX9JjGhquFKaZdEG1YmXqIdMz41DA1b9cQjt +KJstY10Gzc/C6Hv9v/ljfplcnumYBFdFsqvQ/Z0xh/G9u/J1gXjghhrQCUXbFble +RVSwozA9IcCC9yQdhYyazF+85DR+p8AyQ5w2unOvuOk= +-----END EC PRIVATE KEY----- diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.secrets b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..4e53ef91a --- /dev/null +++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: ECDSA carolKey.pem "nH5ZQEWtku0RJEZ6" diff --git a/testing/tests/openssl/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/strongswan.conf index e10230384..e10230384 100644 --- a/testing/tests/openssl/rw-cert/hosts/carol/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/strongswan.conf diff --git a/testing/tests/ikev2/two-certs/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.conf index ea8bc92a7..080ce9bce 100755 --- a/testing/tests/ikev2/two-certs/hosts/dave/etc/ipsec.conf +++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.conf @@ -10,6 +10,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev2 conn home left=PH_IP_DAVE @@ -19,5 +20,4 @@ conn home right=PH_IP_MOON rightid=@moon.strongswan.org rightsubnet=10.1.0.0/16 - keyexchange=ikev2 auto=add diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem new file mode 100644 index 000000000..3480a434a --- /dev/null +++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICyDCCAiqgAwIBAgIJAPaidX4i76aJMAkGByqGSM49BAEwSDELMAkGA1UEBhMC +Q0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3 +YW4gRUMgUm9vdCBDQTAeFw0wODA2MjIxNDM2MDZaFw0xODA2MjAxNDM2MDZaMEgx +CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD +ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA +BAEUx1NvjNKzbDHaRPMsqIf/6SbUpzBa78N/WIyF6rYj8e5McAqfTfzUfFJZYoQn +/mbP3VfjOxRuMDjrlfvdgMxwkwFDigWQfHg3CJbS7eQjjO1MrxxIJUtfSTnF29tM +h6IYMdxaZKloCGCOrpmGCGdxD2/KwoX1SA3BlnjaNt7kSTonkqOBujCBtzAPBgNV +HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUul35cbYTtWrR3bo2 +t6rSwe6P2NIweAYDVR0jBHEwb4AUul35cbYTtWrR3bo2t6rSwe6P2NKhTKRKMEgx +CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD +ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2onV+Iu+miTAJBgcqhkjOPQQBA4GM +ADCBiAJCAL5pU3X6NYWjOYe0cxrah27UxtUDLUNkFG/Ojl+gOH4QB0CKY0HXNyrq +cgba73dXF/U0Cg3Ij/9g4Kd9GgYq0GlSAkIAqgqMKqXni8wbeGMJE2Mn2/8aHM3Q +3flpHSoeNWOe/VzpRviw+VRgA4vbhhKUXBtQSiea77/DXLwOp5w7rkBoEUg= +-----END CERTIFICATE----- diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/certs/daveCert.pem new file mode 100644 index 000000000..075d8f1e5 --- /dev/null +++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/certs/daveCert.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDCTCCAmygAwIBAgIBAzAJBgcqhkjOPQQBMEgxCzAJBgNVBAYTAkNIMRkwFwYD +VQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJv +b3QgQ0EwHhcNMDgwNjIyMTYxMzU5WhcNMTMwNjIxMTYxMzU5WjBeMQswCQYDVQQG +EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEWMBQGA1UECxMNRUNEU0Eg +Mzg0IGJpdDEcMBoGA1UEAxQTZGF2ZUBzdHJvbmdzd2FuLm9yZzB2MBAGByqGSM49 +AgEGBSuBBAAiA2IABPxEg8AaVNAwCXqg0p21Zc7YzPLA3voAWf233CZJpsjb1w3y +IeTUeIeGU7aLWAyuXgeBsx+lKzWy00LzPELOgK+3ulTHzBZg7s8kMGhwPWfV4JLA +zrso5+i64+Y4wvRCBaOCARMwggEPMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0G +A1UdDgQWBBQxJAy8gaP3RNBt1WTD27/IMzANmTB4BgNVHSMEcTBvgBS6XflxthO1 +atHduja3qtLB7o/Y0qFMpEowSDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4 +IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3YW4gRUMgUm9vdCBDQYIJAPai +dX4i76aJMB4GA1UdEQQXMBWBE2RhdmVAc3Ryb25nc3dhbi5vcmcwPAYDVR0fBDUw +MzAxoC+gLYYraHR0cDovL2NybC5zdHJvbmdzd2FuLm9yZy9zdHJvbmdzd2FuX2Vj +LmNybDAJBgcqhkjOPQQBA4GLADCBhwJCAZaqaroyGwqd7nb5dVVWjTK8glVzDFJH +ru4F6R+7fDCGEOaFlxf4GRkSrvQQA8vfgo6Md9XjBwq0r+9s3xt5xJjJAkElSo1/ +wyn8KQ3XN07UIaMvPctipq2OgpfteQK/F81CtZ+YCLEQt3xT7NQpriaKwGQxJAQv +g+Z+grJzTppAqpwRpg== +-----END CERTIFICATE----- diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem new file mode 100644 index 000000000..f628f88e5 --- /dev/null +++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem @@ -0,0 +1,6 @@ +-----BEGIN EC PRIVATE KEY----- +MIGkAgEBBDCF8kl4ftfgcvWH2myFxhc22CUT63uPy28fqUMibnpRS/wf/pfxIrVX ++BhxpUhWS2agBwYFK4EEACKhZANiAAT8RIPAGlTQMAl6oNKdtWXO2MzywN76AFn9 +t9wmSabI29cN8iHk1HiHhlO2i1gMrl4HgbMfpSs1stNC8zxCzoCvt7pUx8wWYO7P +JDBocD1n1eCSwM67KOfouuPmOML0QgU= +-----END EC PRIVATE KEY----- diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.secrets b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.secrets new file mode 100644 index 000000000..ebd3a2839 --- /dev/null +++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: ECDSA daveKey.pem diff --git a/testing/tests/openssl/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/strongswan.conf index e10230384..e10230384 100644 --- a/testing/tests/openssl/rw-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/strongswan.conf diff --git a/testing/tests/openssl/ecdsa-certs/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.conf index 892e0c39b..c932101d2 100755 --- a/testing/tests/openssl/ecdsa-certs/hosts/moon/etc/ipsec.conf +++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.conf @@ -11,7 +11,6 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev2 - authby=ecdsasig conn rw left=PH_IP_MOON diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem new file mode 100644 index 000000000..3480a434a --- /dev/null +++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICyDCCAiqgAwIBAgIJAPaidX4i76aJMAkGByqGSM49BAEwSDELMAkGA1UEBhMC +Q0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3 +YW4gRUMgUm9vdCBDQTAeFw0wODA2MjIxNDM2MDZaFw0xODA2MjAxNDM2MDZaMEgx +CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD +ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA +BAEUx1NvjNKzbDHaRPMsqIf/6SbUpzBa78N/WIyF6rYj8e5McAqfTfzUfFJZYoQn +/mbP3VfjOxRuMDjrlfvdgMxwkwFDigWQfHg3CJbS7eQjjO1MrxxIJUtfSTnF29tM +h6IYMdxaZKloCGCOrpmGCGdxD2/KwoX1SA3BlnjaNt7kSTonkqOBujCBtzAPBgNV +HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUul35cbYTtWrR3bo2 +t6rSwe6P2NIweAYDVR0jBHEwb4AUul35cbYTtWrR3bo2t6rSwe6P2NKhTKRKMEgx +CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD +ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2onV+Iu+miTAJBgcqhkjOPQQBA4GM +ADCBiAJCAL5pU3X6NYWjOYe0cxrah27UxtUDLUNkFG/Ojl+gOH4QB0CKY0HXNyrq +cgba73dXF/U0Cg3Ij/9g4Kd9GgYq0GlSAkIAqgqMKqXni8wbeGMJE2Mn2/8aHM3Q +3flpHSoeNWOe/VzpRviw+VRgA4vbhhKUXBtQSiea77/DXLwOp5w7rkBoEUg= +-----END CERTIFICATE----- diff --git a/testing/tests/openssl/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem index 5178c7f38..5178c7f38 100644 --- a/testing/tests/openssl/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem +++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem diff --git a/testing/tests/openssl/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem index beab0485f..beab0485f 100644 --- a/testing/tests/openssl/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem +++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem diff --git a/testing/tests/openssl/ecdsa-certs/hosts/moon/etc/ipsec.secrets b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.secrets index 1ef3eccb5..1ef3eccb5 100644 --- a/testing/tests/openssl/ecdsa-certs/hosts/moon/etc/ipsec.secrets +++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.secrets diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..e10230384 --- /dev/null +++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl openssl random x509 pubkey hmac stroke kernel-netlink updown +} diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/posttest.dat b/testing/tests/openssl-ikev2/ecdsa-certs/posttest.dat new file mode 100644 index 000000000..7cebd7f25 --- /dev/null +++ b/testing/tests/openssl-ikev2/ecdsa-certs/posttest.dat @@ -0,0 +1,6 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +dave::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/pretest.dat b/testing/tests/openssl-ikev2/ecdsa-certs/pretest.dat new file mode 100644 index 000000000..42e9d7c24 --- /dev/null +++ b/testing/tests/openssl-ikev2/ecdsa-certs/pretest.dat @@ -0,0 +1,9 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +dave::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +carol::ipsec start +dave::ipsec start +carol::sleep 1 +carol::ipsec up home +dave::ipsec up home diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/test.conf b/testing/tests/openssl-ikev2/ecdsa-certs/test.conf new file mode 100644 index 000000000..70416826e --- /dev/null +++ b/testing/tests/openssl-ikev2/ecdsa-certs/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/openssl-ikev2/rw-cert/description.txt b/testing/tests/openssl-ikev2/rw-cert/description.txt new file mode 100644 index 000000000..0f721c52b --- /dev/null +++ b/testing/tests/openssl-ikev2/rw-cert/description.txt @@ -0,0 +1,12 @@ +The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>openssl</b> +plugin based on the <b>OpenSSL</b> library for all cryptographical functions +whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b> cryptographical +plugins <b>aes des sha1 sha2 md5 gmp</b>. +<p> +The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each +to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>. +Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b> +automatically inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping +the client <b>alice</b> behind the gateway <b>moon</b>. + diff --git a/testing/tests/openssl-ikev2/rw-cert/evaltest.dat b/testing/tests/openssl-ikev2/rw-cert/evaltest.dat new file mode 100644 index 000000000..06a0f8cda --- /dev/null +++ b/testing/tests/openssl-ikev2/rw-cert/evaltest.dat @@ -0,0 +1,10 @@ +moon::ipsec statusall::rw.*ESTABLISHED::YES +carol::ipsec statusall::home.*ESTABLISHED::YES +dave::ipsec statusall::home.*ESTABLISHED::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES + diff --git a/testing/tests/ikev2/crl-strict/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/ipsec.conf index fbb9cd7e9..4a8baa3ae 100755 --- a/testing/tests/ikev2/crl-strict/hosts/carol/etc/ipsec.conf +++ b/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/ipsec.conf @@ -2,7 +2,7 @@ config setup crlcheckinterval=180 - strictcrlpolicy=yes + strictcrlpolicy=no plutostart=no conn %default @@ -11,12 +11,14 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev2 + ike=3des-sha1-modp1536! + +conn home left=PH_IP_CAROL leftcert=carolCert.pem leftid=carol@strongswan.org - -conn home + leftfirewall=yes right=PH_IP_MOON - rightsubnet=10.1.0.0/16 rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 auto=add diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..195bcf046 --- /dev/null +++ b/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf @@ -0,0 +1,12 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl test-vectors openssl random x509 pubkey hmac stroke kernel-netlink updown +} + +libstrongswan { + crypto_test { + on_add = yes + } +} + diff --git a/testing/tests/openssl/ecdsa-certs/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/ipsec.conf index 3138458ed..42f03aab3 100755 --- a/testing/tests/openssl/ecdsa-certs/hosts/dave/etc/ipsec.conf +++ b/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/ipsec.conf @@ -11,7 +11,7 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev2 - authby=ecdsasig + ike=aes256-sha256-modp2048! conn home left=PH_IP_DAVE diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..f4b6dfdb9 --- /dev/null +++ b/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf @@ -0,0 +1,12 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl test-vectors aes des sha1 sha2 md5 gmp random x509 pubkey hmac stroke kernel-netlink updown +} + +libstrongswan { + crypto_test { + required = yes + on_add = yes + } +} diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..2e84f2e6a --- /dev/null +++ b/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + ike=aes256-sha256-modp2048,3des-sha1-modp1536! + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + leftfirewall=yes + right=%any + auto=add diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..166e24e7c --- /dev/null +++ b/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl test-vectors openssl random x509 pubkey hmac stroke kernel-netlink updown +} + +libstrongswan { + crypto_test { + on_add = yes + } +} diff --git a/testing/tests/openssl-ikev2/rw-cert/posttest.dat b/testing/tests/openssl-ikev2/rw-cert/posttest.dat new file mode 100644 index 000000000..7cebd7f25 --- /dev/null +++ b/testing/tests/openssl-ikev2/rw-cert/posttest.dat @@ -0,0 +1,6 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +dave::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/openssl-ikev2/rw-cert/pretest.dat b/testing/tests/openssl-ikev2/rw-cert/pretest.dat new file mode 100644 index 000000000..42e9d7c24 --- /dev/null +++ b/testing/tests/openssl-ikev2/rw-cert/pretest.dat @@ -0,0 +1,9 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +dave::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +carol::ipsec start +dave::ipsec start +carol::sleep 1 +carol::ipsec up home +dave::ipsec up home diff --git a/testing/tests/openssl-ikev2/rw-cert/test.conf b/testing/tests/openssl-ikev2/rw-cert/test.conf new file mode 100644 index 000000000..70416826e --- /dev/null +++ b/testing/tests/openssl-ikev2/rw-cert/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/pfkey/alg-aes-xcbc/description.txt b/testing/tests/pfkey/alg-aes-xcbc/description.txt index 24a4afe57..cce0e1cd6 100644 --- a/testing/tests/pfkey/alg-aes-xcbc/description.txt +++ b/testing/tests/pfkey/alg-aes-xcbc/description.txt @@ -1,4 +1,4 @@ Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite -<b>AES_CBC-256/AES_XCBC_96</b> by defining <b>esp=aes256-aesxcbc-modp2048</b> +<b>AES_CBC_256 / AES_XCBC_96</b> by defining <b>esp=aes256-aesxcbc-modp2048</b> in ipsec.conf. The same cipher suite is used for IKE: <b>ike=aes256-aesxcbc-modp2048</b>. A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel. diff --git a/testing/tests/pfkey/alg-aes-xcbc/evaltest.dat b/testing/tests/pfkey/alg-aes-xcbc/evaltest.dat index 853746cd4..5217c18df 100644 --- a/testing/tests/pfkey/alg-aes-xcbc/evaltest.dat +++ b/testing/tests/pfkey/alg-aes-xcbc/evaltest.dat @@ -1,9 +1,9 @@ moon::ipsec statusall::rw.*INSTALLED::YES carol::ipsec statusall::home.*INSTALLED::YES -moon::ipsec statusall::rw.*IKE proposal.*AES_CBC-256/AES_XCBC_96/PRF_AES128_CBC/MODP_2048_BIT::YES -carol::ipsec statusall::home.*IKE proposal.*AES_CBC-256/AES_XCBC_96/PRF_AES128_CBC/MODP_2048_BIT::YES -moon::ipsec statusall::rw.*AES_CBC-256/AES_XCBC_96,::YES -carol::ipsec statusall::home.*AES_CBC-256/AES_XCBC_96,::YES +moon::ipsec statusall::rw.*IKE proposal.*AES_CBC_256/AES_XCBC_96/PRF_AES128_XCBC/MODP_2048::YES +carol::ipsec statusall::home.*IKE proposal.*AES_CBC_256/AES_XCBC_96/PRF_AES128_XCBC/MODP_2048::YES +moon::ipsec statusall::rw.*AES_CBC_256/AES_XCBC_96,::YES +carol::ipsec statusall::home.*AES_CBC_256/AES_XCBC_96,::YES moon::ip xfrm state::auth xcbc(aes)::YES carol::ip xfrm state::auth xcbc(aes)::YES carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES diff --git a/testing/tests/pfkey/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/pfkey/rw-cert/hosts/carol/etc/strongswan.conf index db6fa7486..2f3bc449a 100644 --- a/testing/tests/pfkey/rw-cert/hosts/carol/etc/strongswan.conf +++ b/testing/tests/pfkey/rw-cert/hosts/carol/etc/strongswan.conf @@ -1,5 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-pfkey kernel-netlink updown + load = curl test-vectors aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-pfkey kernel-netlink updown +} + +libstrongswan { + crypto_test { + on_add = yes + } } diff --git a/testing/tests/pfkey/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/pfkey/rw-cert/hosts/dave/etc/strongswan.conf index db6fa7486..2f3bc449a 100644 --- a/testing/tests/pfkey/rw-cert/hosts/dave/etc/strongswan.conf +++ b/testing/tests/pfkey/rw-cert/hosts/dave/etc/strongswan.conf @@ -1,5 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-pfkey kernel-netlink updown + load = curl test-vectors aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-pfkey kernel-netlink updown +} + +libstrongswan { + crypto_test { + on_add = yes + } } diff --git a/testing/tests/pfkey/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/rw-cert/hosts/moon/etc/strongswan.conf index db6fa7486..2f3bc449a 100644 --- a/testing/tests/pfkey/rw-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/pfkey/rw-cert/hosts/moon/etc/strongswan.conf @@ -1,5 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-pfkey kernel-netlink updown + load = curl test-vectors aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-pfkey kernel-netlink updown +} + +libstrongswan { + crypto_test { + on_add = yes + } } diff --git a/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf index 29e2395e8..329498d28 100644 --- a/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf +++ b/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf @@ -6,5 +6,11 @@ charon { database = sqlite:///etc/ipsec.d/ipsec.db } } - load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown sqlite sql + load = curl test-vectors aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown sqlite sql +} + +libstrongswan { + crypto_test { + on_add = yes + } } diff --git a/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf index 29e2395e8..329498d28 100644 --- a/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf +++ b/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf @@ -6,5 +6,11 @@ charon { database = sqlite:///etc/ipsec.d/ipsec.db } } - load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown sqlite sql + load = curl test-vectors aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown sqlite sql +} + +libstrongswan { + crypto_test { + on_add = yes + } } diff --git a/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf index 29e2395e8..329498d28 100644 --- a/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf @@ -6,5 +6,11 @@ charon { database = sqlite:///etc/ipsec.d/ipsec.db } } - load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown sqlite sql + load = curl test-vectors aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown sqlite sql +} + +libstrongswan { + crypto_test { + on_add = yes + } } diff --git a/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/ipsec.d/data.sql index f160fe1d7..2ea4f598f 100644 --- a/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/ipsec.d/data.sql +++ b/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/ipsec.d/data.sql @@ -24,18 +24,6 @@ INSERT INTO identities ( 2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267' ); -INSERT INTO identities ( - type, data -) VALUES ( /* carol@strongswan.org as an EAP identity */ - 205, X'6361726f6c407374726f6e677377616e2e6f7267' - ); - -INSERT INTO identities ( - type, data -) VALUES ( /* moon.strongswan.org as an EAP identity */ - 205, X'6d6f6f6e2e7374726f6e677377616e2e6f7267' - ); - /* Certificates */ INSERT INTO certificates ( @@ -67,13 +55,13 @@ INSERT INTO shared_secrets ( INSERT INTO shared_secret_identity ( shared_secret, identity ) VALUES ( - 1, 5 + 1, 3 ); INSERT INTO shared_secret_identity ( shared_secret, identity ) VALUES ( - 1, 6 + 1, 4 ); /* Configurations */ diff --git a/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/ipsec.d/data.sql index 153c454a9..5d262877f 100644 --- a/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/ipsec.d/data.sql +++ b/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/ipsec.d/data.sql @@ -32,14 +32,8 @@ INSERT INTO identities ( INSERT INTO identities ( type, data -) VALUES ( /* moon.strongswan.org as an EAP identity */ - 205, X'6d6f6f6e2e7374726f6e677377616e2e6f7267' - ); - -INSERT INTO identities ( - type, data -) VALUES ( /* carol@strongswan.org as an EAP identity */ - 205, X'6361726f6c407374726f6e677377616e2e6f7267' +) VALUES ( /* carol@strongswan.org */ + 3, X'6361726f6c407374726f6e677377616e2e6f7267' ); /* Certificates */ @@ -111,13 +105,13 @@ INSERT INTO shared_secrets ( INSERT INTO shared_secret_identity ( shared_secret, identity ) VALUES ( - 1, 6 + 1, 3 ); INSERT INTO shared_secret_identity ( shared_secret, identity ) VALUES ( - 1, 7 + 1, 6 ); /* Configurations */ |