diff options
| author | Rene Mayrhofer <rene@mayrhofer.eu.org> | 2009-10-21 11:14:02 +0000 |
|---|---|---|
| committer | Rene Mayrhofer <rene@mayrhofer.eu.org> | 2009-10-21 11:14:02 +0000 |
| commit | 7410d3c6d6a9a1cd7aa55083c938946af6ff9498 (patch) | |
| tree | 3291beffa55649f9be28b4a98a7d503d334fbcf2 /testing/tests | |
| parent | 41787e147279ff0695e9d759487266a60b80867b (diff) | |
| download | vyos-strongswan-7410d3c6d6a9a1cd7aa55083c938946af6ff9498.tar.gz vyos-strongswan-7410d3c6d6a9a1cd7aa55083c938946af6ff9498.zip | |
[svn-upgrade] Integrating new upstream version, strongswan (4.3.4)
Diffstat (limited to 'testing/tests')
148 files changed, 2140 insertions, 3 deletions
diff --git a/testing/tests/gcrypt-ikev1/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/rw-cert/hosts/carol/etc/strongswan.conf index 0840260c3..9536a85be 100644 --- a/testing/tests/gcrypt-ikev1/rw-cert/hosts/carol/etc/strongswan.conf +++ b/testing/tests/gcrypt-ikev1/rw-cert/hosts/carol/etc/strongswan.conf @@ -8,6 +8,7 @@ pluto { libstrongswan { dh_exponent_ansi_x9_42 = no + integrity_test = yes crypto_test { on_add = yes } diff --git a/testing/tests/gcrypt-ikev1/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/rw-cert/hosts/dave/etc/strongswan.conf index fdfb0003f..80952cb41 100644 --- a/testing/tests/gcrypt-ikev1/rw-cert/hosts/dave/etc/strongswan.conf +++ b/testing/tests/gcrypt-ikev1/rw-cert/hosts/dave/etc/strongswan.conf @@ -8,6 +8,7 @@ pluto { libstrongswan { dh_exponent_ansi_x9_42 = no + integrity_test = yes crypto_test { required = yes on_add = yes diff --git a/testing/tests/gcrypt-ikev1/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/gcrypt-ikev1/rw-cert/hosts/moon/etc/strongswan.conf index 0840260c3..9536a85be 100644 --- a/testing/tests/gcrypt-ikev1/rw-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/gcrypt-ikev1/rw-cert/hosts/moon/etc/strongswan.conf @@ -8,6 +8,7 @@ pluto { libstrongswan { dh_exponent_ansi_x9_42 = no + integrity_test = yes crypto_test { on_add = yes } diff --git a/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/strongswan.conf index edb7e40d1..6cf472ed3 100644 --- a/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/strongswan.conf +++ b/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/strongswan.conf @@ -5,6 +5,7 @@ charon { } libstrongswan { + integrity_test = yes crypto_test { on_add = yes } diff --git a/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/strongswan.conf index f4b6dfdb9..b946aa004 100644 --- a/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/strongswan.conf +++ b/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/strongswan.conf @@ -5,6 +5,7 @@ charon { } libstrongswan { + integrity_test = yes crypto_test { required = yes on_add = yes diff --git a/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/strongswan.conf index edb7e40d1..6cf472ed3 100644 --- a/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/strongswan.conf @@ -5,6 +5,7 @@ charon { } libstrongswan { + integrity_test = yes crypto_test { on_add = yes } diff --git a/testing/tests/ike/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ike/rw-cert/hosts/carol/etc/strongswan.conf index 304ef99e0..ac4b8d589 100644 --- a/testing/tests/ike/rw-cert/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ike/rw-cert/hosts/carol/etc/strongswan.conf @@ -8,6 +8,7 @@ pluto { libstrongswan { dh_exponent_ansi_x9_42 = no + integrity_test = yes crypto_test { on_add = yes } diff --git a/testing/tests/ike/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/ike/rw-cert/hosts/dave/etc/strongswan.conf index f1dcd52e9..263978c99 100644 --- a/testing/tests/ike/rw-cert/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ike/rw-cert/hosts/dave/etc/strongswan.conf @@ -5,6 +5,7 @@ charon { } libstrongswan { + integrity_test = yes crypto_test { on_add = yes } diff --git a/testing/tests/ike/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ike/rw-cert/hosts/moon/etc/strongswan.conf index 7133aef00..147e381b1 100644 --- a/testing/tests/ike/rw-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ike/rw-cert/hosts/moon/etc/strongswan.conf @@ -9,6 +9,7 @@ pluto { } libstrongswan { + integrity_test = yes crypto_test { on_add = yes } diff --git a/testing/tests/ikev1/esp-alg-aes-ccm/description.txt b/testing/tests/ikev1/esp-alg-aes-ccm/description.txt new file mode 100644 index 000000000..9fe03b010 --- /dev/null +++ b/testing/tests/ikev1/esp-alg-aes-ccm/description.txt @@ -0,0 +1,4 @@ +Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite +<b>AES_CCM_12_128</b> by defining <b>esp=aes128ccm12-modp2048</b> or alternatively +<b>esp=aes128ccm96-modp2048</b> in ipsec.conf. +A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel. diff --git a/testing/tests/ikev1/esp-alg-aes-ccm/evaltest.dat b/testing/tests/ikev1/esp-alg-aes-ccm/evaltest.dat new file mode 100644 index 000000000..27a5207a1 --- /dev/null +++ b/testing/tests/ikev1/esp-alg-aes-ccm/evaltest.dat @@ -0,0 +1,5 @@ +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +moon::ipsec statusall::AES_CCM_12_128::YES +carol::ipsec statusall::AES_CCM_12_128::YES +carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES diff --git a/testing/tests/ikev1/esp-alg-aes-ccm/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aes-ccm/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..f8baa00e1 --- /dev/null +++ b/testing/tests/ikev1/esp-alg-aes-ccm/hosts/carol/etc/ipsec.conf @@ -0,0 +1,26 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutodebug="control crypt" + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + ike=aes128-sha256-modp2048! + esp=aes128ccm96-modp2048! + +conn home + left=PH_IP_CAROL + leftfirewall=yes + leftcert=carolCert.pem + leftid=carol@strongswan.org + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ikev1/esp-alg-aes-ccm/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aes-ccm/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..d4f0c3adc --- /dev/null +++ b/testing/tests/ikev1/esp-alg-aes-ccm/hosts/moon/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutodebug="control crypt" + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + ike=aes128-sha256-modp2048! + esp=aes128ccm12-modp2048! + +conn rw + left=PH_IP_MOON + leftfirewall=yes + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + right=%any + auto=add diff --git a/testing/tests/ikev1/esp-alg-aes-ccm/posttest.dat b/testing/tests/ikev1/esp-alg-aes-ccm/posttest.dat new file mode 100644 index 000000000..94a400606 --- /dev/null +++ b/testing/tests/ikev1/esp-alg-aes-ccm/posttest.dat @@ -0,0 +1,4 @@ +moon::ipsec stop +carol::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev1/esp-alg-aes-ccm/pretest.dat b/testing/tests/ikev1/esp-alg-aes-ccm/pretest.dat new file mode 100644 index 000000000..f360351e1 --- /dev/null +++ b/testing/tests/ikev1/esp-alg-aes-ccm/pretest.dat @@ -0,0 +1,6 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +carol::ipsec start +carol::sleep 1 +carol::ipsec up home diff --git a/testing/tests/ikev1/esp-alg-aes-ccm/test.conf b/testing/tests/ikev1/esp-alg-aes-ccm/test.conf new file mode 100644 index 000000000..2b240d895 --- /dev/null +++ b/testing/tests/ikev1/esp-alg-aes-ccm/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev1/esp-alg-aes-ctr/description.txt b/testing/tests/ikev1/esp-alg-aes-ctr/description.txt new file mode 100644 index 000000000..fbcc48022 --- /dev/null +++ b/testing/tests/ikev1/esp-alg-aes-ctr/description.txt @@ -0,0 +1,3 @@ +Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite +<b>AES_CTR_256 / AES_XCBC_96</b> by defining <b>esp=aes256ctr-aesxcbc-modp2048</b> in ipsec.conf. +A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel. diff --git a/testing/tests/ikev1/esp-alg-aes-ctr/evaltest.dat b/testing/tests/ikev1/esp-alg-aes-ctr/evaltest.dat new file mode 100644 index 000000000..6f1cd4c49 --- /dev/null +++ b/testing/tests/ikev1/esp-alg-aes-ctr/evaltest.dat @@ -0,0 +1,7 @@ +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +moon::ipsec statusall::AES_CTR_256/AES_XCBC_96::YES +carol::ipsec statusall::AES_CTR_256/AES_XCBC_96::YES +moon::ip xfrm state::rfc3686(ctr(aes))::YES +carol::ip xfrm state::rfc3686(ctr(aes))::YES +carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES diff --git a/testing/tests/ikev1/esp-alg-aes-ctr/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aes-ctr/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..acb4126cf --- /dev/null +++ b/testing/tests/ikev1/esp-alg-aes-ctr/hosts/carol/etc/ipsec.conf @@ -0,0 +1,26 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutodebug="control crypt" + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + ike=aes256-sha512-modp2048! + esp=aes256ctr-aesxcbc-modp2048! + +conn home + left=PH_IP_CAROL + leftfirewall=yes + leftcert=carolCert.pem + leftid=carol@strongswan.org + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ikev1/esp-alg-aes-ctr/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aes-ctr/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..b5baa2b5d --- /dev/null +++ b/testing/tests/ikev1/esp-alg-aes-ctr/hosts/moon/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutodebug="control crypt" + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + ike=aes256-sha512-modp2048! + esp=aes256ctr-aesxcbc-modp2048! + +conn rw + left=PH_IP_MOON + leftfirewall=yes + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + right=%any + auto=add diff --git a/testing/tests/ikev1/esp-alg-aes-ctr/posttest.dat b/testing/tests/ikev1/esp-alg-aes-ctr/posttest.dat new file mode 100644 index 000000000..94a400606 --- /dev/null +++ b/testing/tests/ikev1/esp-alg-aes-ctr/posttest.dat @@ -0,0 +1,4 @@ +moon::ipsec stop +carol::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev1/esp-alg-aes-ctr/pretest.dat b/testing/tests/ikev1/esp-alg-aes-ctr/pretest.dat new file mode 100644 index 000000000..f360351e1 --- /dev/null +++ b/testing/tests/ikev1/esp-alg-aes-ctr/pretest.dat @@ -0,0 +1,6 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +carol::ipsec start +carol::sleep 1 +carol::ipsec up home diff --git a/testing/tests/ikev1/esp-alg-aes-ctr/test.conf b/testing/tests/ikev1/esp-alg-aes-ctr/test.conf new file mode 100644 index 000000000..2b240d895 --- /dev/null +++ b/testing/tests/ikev1/esp-alg-aes-ctr/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev1/esp-alg-aes-gcm/description.txt b/testing/tests/ikev1/esp-alg-aes-gcm/description.txt new file mode 100644 index 000000000..bd9521e0d --- /dev/null +++ b/testing/tests/ikev1/esp-alg-aes-gcm/description.txt @@ -0,0 +1,4 @@ +Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite +<b>AES_GCM_16_256</b> by defining <b>esp=aes256gcm16-modp2048</b> or alternatively +<b>esp=aes256gcm128-modp2048</b> in ipsec.conf. +A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel. diff --git a/testing/tests/ikev1/esp-alg-aes-gcm/evaltest.dat b/testing/tests/ikev1/esp-alg-aes-gcm/evaltest.dat new file mode 100644 index 000000000..d7d4666ed --- /dev/null +++ b/testing/tests/ikev1/esp-alg-aes-gcm/evaltest.dat @@ -0,0 +1,5 @@ +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +moon::ipsec statusall::AES_GCM_16_256::YES +carol::ipsec statusall::AES_GCM_16_256::YES +carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES diff --git a/testing/tests/ikev1/esp-alg-aes-gcm/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aes-gcm/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..5026e0d9e --- /dev/null +++ b/testing/tests/ikev1/esp-alg-aes-gcm/hosts/carol/etc/ipsec.conf @@ -0,0 +1,26 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutodebug="control crypt" + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + ike=aes256-sha512-modp2048! + esp=aes256gcm128-modp2048! + +conn home + left=PH_IP_CAROL + leftfirewall=yes + leftcert=carolCert.pem + leftid=carol@strongswan.org + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ikev1/esp-alg-aes-gcm/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aes-gcm/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..5fa07962e --- /dev/null +++ b/testing/tests/ikev1/esp-alg-aes-gcm/hosts/moon/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutodebug="control crypt" + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + ike=aes256-sha512-modp2048! + esp=aes256gcm16-modp2048! + +conn rw + left=PH_IP_MOON + leftfirewall=yes + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + right=%any + auto=add diff --git a/testing/tests/ikev1/esp-alg-aes-gcm/posttest.dat b/testing/tests/ikev1/esp-alg-aes-gcm/posttest.dat new file mode 100644 index 000000000..94a400606 --- /dev/null +++ b/testing/tests/ikev1/esp-alg-aes-gcm/posttest.dat @@ -0,0 +1,4 @@ +moon::ipsec stop +carol::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev1/esp-alg-aes-gcm/pretest.dat b/testing/tests/ikev1/esp-alg-aes-gcm/pretest.dat new file mode 100644 index 000000000..f360351e1 --- /dev/null +++ b/testing/tests/ikev1/esp-alg-aes-gcm/pretest.dat @@ -0,0 +1,6 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +carol::ipsec start +carol::sleep 1 +carol::ipsec up home diff --git a/testing/tests/ikev1/esp-alg-aes-gcm/test.conf b/testing/tests/ikev1/esp-alg-aes-gcm/test.conf new file mode 100644 index 000000000..2b240d895 --- /dev/null +++ b/testing/tests/ikev1/esp-alg-aes-gcm/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev1/esp-alg-camellia/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-camellia/hosts/carol/etc/ipsec.conf index fe74cc285..9af94a18e 100755 --- a/testing/tests/ikev1/esp-alg-camellia/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/esp-alg-camellia/hosts/carol/etc/ipsec.conf @@ -1,7 +1,7 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug=control + plutodebug="control crypt" crlcheckinterval=180 strictcrlpolicy=no charonstart=no diff --git a/testing/tests/ikev1/esp-alg-camellia/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-camellia/hosts/moon/etc/ipsec.conf index 33871d484..3501319a5 100755 --- a/testing/tests/ikev1/esp-alg-camellia/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/esp-alg-camellia/hosts/moon/etc/ipsec.conf @@ -1,7 +1,7 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug=control + plutodebug="control crypt" crlcheckinterval=180 strictcrlpolicy=no charonstart=no diff --git a/testing/tests/ikev1/net2net-pgp/description.txt b/testing/tests/ikev1/net2net-pgp-v3/description.txt index c85f2e5d0..bd680b57a 100644 --- a/testing/tests/ikev1/net2net-pgp/description.txt +++ b/testing/tests/ikev1/net2net-pgp-v3/description.txt @@ -1,5 +1,5 @@ A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up. -The authentication is based on <b>OpenPGP keys</b>. Upon the successful +The authentication is based on <b>OpenPGP V3 keys</b>. Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass the tunneled traffic. In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b> diff --git a/testing/tests/ikev1/net2net-pgp/evaltest.dat b/testing/tests/ikev1/net2net-pgp-v3/evaltest.dat index 7cbf92687..7cbf92687 100644 --- a/testing/tests/ikev1/net2net-pgp/evaltest.dat +++ b/testing/tests/ikev1/net2net-pgp-v3/evaltest.dat diff --git a/testing/tests/ikev1/net2net-pgp/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.conf index a54482489..a54482489 100755 --- a/testing/tests/ikev1/net2net-pgp/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.conf diff --git a/testing/tests/ikev1/net2net-pgp/hosts/moon/etc/ipsec.d/certs/moonCert.asc b/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/moonCert.asc index 135cfaec0..135cfaec0 100644 --- a/testing/tests/ikev1/net2net-pgp/hosts/moon/etc/ipsec.d/certs/moonCert.asc +++ b/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/moonCert.asc diff --git a/testing/tests/ikev1/net2net-pgp/hosts/moon/etc/ipsec.d/certs/sunCert.asc b/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/sunCert.asc index 32f204b10..32f204b10 100644 --- a/testing/tests/ikev1/net2net-pgp/hosts/moon/etc/ipsec.d/certs/sunCert.asc +++ b/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/sunCert.asc diff --git a/testing/tests/ikev1/net2net-pgp/hosts/moon/etc/ipsec.d/private/moonKey.asc b/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.d/private/moonKey.asc index 6524773e0..6524773e0 100644 --- a/testing/tests/ikev1/net2net-pgp/hosts/moon/etc/ipsec.d/private/moonKey.asc +++ b/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.d/private/moonKey.asc diff --git a/testing/tests/ikev1/net2net-pgp/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.secrets index afb1ff927..afb1ff927 100644 --- a/testing/tests/ikev1/net2net-pgp/hosts/moon/etc/ipsec.secrets +++ b/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.secrets diff --git a/testing/tests/ikev1/net2net-pgp/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.conf index 419adc2f2..419adc2f2 100755 --- a/testing/tests/ikev1/net2net-pgp/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.conf diff --git a/testing/tests/ikev1/net2net-pgp/hosts/sun/etc/ipsec.d/certs/moonCert.asc b/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/moonCert.asc index 135cfaec0..135cfaec0 100644 --- a/testing/tests/ikev1/net2net-pgp/hosts/sun/etc/ipsec.d/certs/moonCert.asc +++ b/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/moonCert.asc diff --git a/testing/tests/ikev1/net2net-pgp/hosts/sun/etc/ipsec.d/certs/sunCert.asc b/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/sunCert.asc index 32f204b10..32f204b10 100644 --- a/testing/tests/ikev1/net2net-pgp/hosts/sun/etc/ipsec.d/certs/sunCert.asc +++ b/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/sunCert.asc diff --git a/testing/tests/ikev1/net2net-pgp/hosts/sun/etc/ipsec.d/private/sunKey.asc b/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.d/private/sunKey.asc index de2393649..de2393649 100644 --- a/testing/tests/ikev1/net2net-pgp/hosts/sun/etc/ipsec.d/private/sunKey.asc +++ b/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.d/private/sunKey.asc diff --git a/testing/tests/ikev1/net2net-pgp/hosts/sun/etc/ipsec.secrets b/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.secrets index ee98b1611..ee98b1611 100644 --- a/testing/tests/ikev1/net2net-pgp/hosts/sun/etc/ipsec.secrets +++ b/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.secrets diff --git a/testing/tests/ikev1/net2net-pgp/posttest.dat b/testing/tests/ikev1/net2net-pgp-v3/posttest.dat index fafcde975..fafcde975 100644 --- a/testing/tests/ikev1/net2net-pgp/posttest.dat +++ b/testing/tests/ikev1/net2net-pgp-v3/posttest.dat diff --git a/testing/tests/ikev1/net2net-pgp/pretest.dat b/testing/tests/ikev1/net2net-pgp-v3/pretest.dat index 9e40684ab..9e40684ab 100644 --- a/testing/tests/ikev1/net2net-pgp/pretest.dat +++ b/testing/tests/ikev1/net2net-pgp-v3/pretest.dat diff --git a/testing/tests/ikev1/net2net-pgp/test.conf b/testing/tests/ikev1/net2net-pgp-v3/test.conf index f74d0f7d6..f74d0f7d6 100644 --- a/testing/tests/ikev1/net2net-pgp/test.conf +++ b/testing/tests/ikev1/net2net-pgp-v3/test.conf diff --git a/testing/tests/ikev1/net2net-pgp-v4/description.txt b/testing/tests/ikev1/net2net-pgp-v4/description.txt new file mode 100644 index 000000000..c82eec9ba --- /dev/null +++ b/testing/tests/ikev1/net2net-pgp-v4/description.txt @@ -0,0 +1,6 @@ +A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up. +The authentication is based on <b>OpenPGP V4 keys</b>. Upon the successful +establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically +inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b> +pings client <b>bob</b> located behind gateway <b>sun</b>. diff --git a/testing/tests/ikev1/net2net-pgp-v4/evaltest.dat b/testing/tests/ikev1/net2net-pgp-v4/evaltest.dat new file mode 100644 index 000000000..7cbf92687 --- /dev/null +++ b/testing/tests/ikev1/net2net-pgp-v4/evaltest.dat @@ -0,0 +1,5 @@ +moon::ipsec status::net-net.*STATE_QUICK_I2.*IPsec SA established::YES +sun::ipsec status::net-net.*STATE_QUICK_R2.*IPsec SA established::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..a54482489 --- /dev/null +++ b/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.conf @@ -0,0 +1,22 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + nocrsend=yes + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn net-net + left=PH_IP_MOON + leftsubnet=10.1.0.0/16 + leftcert=moonCert.asc + leftfirewall=yes + right=PH_IP_SUN + rightsubnet=10.2.0.0/16 + rightcert=sunCert.asc + auto=add diff --git a/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.d/certs/moonCert.asc b/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.d/certs/moonCert.asc new file mode 100644 index 000000000..a512f8f52 --- /dev/null +++ b/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.d/certs/moonCert.asc @@ -0,0 +1,24 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v1.4.9 (GNU/Linux) + +mQENBEpg0UQBCADWgUvdhUfaNdmWZkvECCcDRE+qlbJnVtIbBNkfsfTL1B20g2Mf +UhWJORD0ka01pc6Tc5BF/379npNu48lj0g6OdgG5ivvhAAK/6tdGNW/xZQEhTB+A +nmOu/9HbxtsXjZ5peX6F2k8OlG9hSJgTdGamhmkNaja0FrzSOz5jGhrEc2oCQVnd +6BXRz4eq7W+VwlC6cxlgi7f5pUFfSqKYVwPLf+VkPVUHo+vSzuidJSL/jaEr9my/ +I0c/fUsVVWa3Z/KyGNY4Ej1DB21PnWYBo9H5SK7YC7auiHGwekdybWoI/6IPOP3f +JqKbhO3ZbTw9bEZv+Lt52GeN4tNaWsOIbpVDABEBAAG0E21vb24uc3Ryb25nc3dh +bi5vcmeJATcEEwECACEFAkpg0UQCGwMHCwkIBwMCAQQVAggDBBYCAwECHgECF4AA +CgkQ9djQiWs7dNHHNQf/UiwJPioLef7dgGG2E+kwVQUK3LK+wXLrCVlRdTpSbw8K +N2yl6/L8djIdox0jw3yCYhCWxf94N4Yqw4zUjaA4wt+U37ZPqlx/kdfNZwn2383K +1niLPYmJf5sMWXPAmetT6tNEHNhkmE7CsmDqikX1GUvJ4NmoHp/2DQLKR4/Olb1Y +D4HulHK0nfMxf1gVmFhRFtGpzrGS26G3HzV0ZDs4fYEkVFfTBkCyGzE667O8W9Gk +/EoRdO7hDOAEk80Gp23bDX6ygnvsAqUeWNwYYctkiJKb/YMiAR/bOtFHtgN43atv +1I5GZ96wAo+s+KZAXaHlxFvq7r6OMzxgEWTtyNTtG4kBHAQQAQIABgUCSmDShgAK +CRCXegSsjRY401hVB/9HlBSdkal26U8HmVSjblOpMhaEKWjAZG1VnhcA5/GstzHc +ql7CuciAzOfRY9kcUvvonjLLBEb6P8H7mNaosE0XtqBI+Il8w6FIsfqXG+w2lISt +21/OoS3uXmUD43xdGkJACgoQP3eAqscRnoiNq/Wrg4GFvMmhK3pu3UR0joFrxwoX +mIbpJ1CZFrYDhLRFWUMV+93rzde7UfIeSuPwuE96yTJFgc4QKKFKT+msELTko9Fb +G5N0Q//Rfy+mbqQlk7JVd2WqUMfSx6Fw9X8z88uQamdcgx2/6HzFSL1QiBNyF/3D +spAwu2H5T4gSZH3FywlmRp+JJzNy+aci+M/eTvDz +=j2hu +-----END PGP PUBLIC KEY BLOCK----- diff --git a/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.d/certs/sunCert.asc b/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.d/certs/sunCert.asc new file mode 100644 index 000000000..5117cbb04 --- /dev/null +++ b/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.d/certs/sunCert.asc @@ -0,0 +1,24 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v1.4.9 (GNU/Linux) + +mQENBEpg0bgBCADIozng/tZLr8mEcHvXe4S4zRE31EngymiBFytJ0r2sky43lJXB +QdW2h/elDDO2drrKVt9iwR/WS25r7Er1ibDn1cje9dERDU/IWyS7UaCewUG7WTZM +/aWrt1cnq11FhpdckQfdalh+au0rnsJJP+mwZBti6KtX9LFi0kKvVoDt+jlNJMlV +CLRgQ30BmgApiqEDxbVURmHf8UPDNy6GDcQYnJ1AmliIavzjpDl/l68TadBCf8WP +B2hBe/AoB9ODgc9GnBRMN6RGSvpXGBugKhleFUtCtUR0h3NZtpcD8479XuqSjbyN +4mUEAeXJIIkT/hLHmmbQK0DTrHPaTtXGfeOjABEBAAG0EnN1bi5zdHJvbmdzd2Fu +Lm9yZ4kBNwQTAQIAIQUCSmDRuAIbAwcLCQgHAwIBBBUCCAMEFgIDAQIeAQIXgAAK +CRCXegSsjRY407LCCACqHrnT1xqsQRAIL9GQtI6AkaLJLtJXbALtSKg1Ik1DQA9g +0P+Scnu84xj1o5bRWX2WyPYZUgDY6fB3bSQuX/Z0lIUtl16xRL53jKroGDzg3JZ0 +eNYmehGoIes4JfQm08UM7roywGaaWAfTK2gDFdjsetU4FkpbziVp8cOeAzUMU5/D +RLu5rvCB6m5u62RncmppraAYuQWRjZALIxugFW9IBe+hItY3eBa0rnrCPUb2ywSG +6XXcCnBr/34g/bQXWRxBhbf91ewVaDxgLeoFzQl34h8MxxxBAzG/1023wkN+K97j +vnvvZKUwbd/TRFJkorkhkRpA1wSrJ0tAsvODgc8biQEcBBABAgAGBQJKYNK9AAoJ +EPXY0IlrO3TR8X4H/2eabptQ49q6SX5bwZ+13QoGZdarAvFxVGbbhaRrOrbsYNbg +Wd8k6R/Uwz1qkH3RJBmANm2wcDYhXsztprUrQ3a5jIgZfc+ZH/0cZiFUWk004m7t +mXdvWsGkbxye0kUChQOP9/VJBgpOBnK4MngX7d3nwSIO75r4ugey2Aud/eOvrm5m +t5MJBANTGAnBGwqXtsDm7v0L9VQY6PuLIgPwftB+vwy/Ea8vU5AmFKVkfAR/pVIT +gELY5mDHaqLxgvfMVJ+PFkvb5HF7QdpIcxUjo3SNgyOyYpN+pfQQbVLkPoOs1xqf +lIbIyjzMp02KM3iRElcuU/EBEfsp0/voJ/iyd+o= +=tAh4 +-----END PGP PUBLIC KEY BLOCK----- diff --git a/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.d/private/moonKey.asc b/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.d/private/moonKey.asc new file mode 100644 index 000000000..59de821d6 --- /dev/null +++ b/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.d/private/moonKey.asc @@ -0,0 +1,32 @@ +-----BEGIN PGP PRIVATE KEY BLOCK----- +Version: GnuPG v1.4.9 (GNU/Linux) + +lQOYBEpg0UQBCADWgUvdhUfaNdmWZkvECCcDRE+qlbJnVtIbBNkfsfTL1B20g2Mf +UhWJORD0ka01pc6Tc5BF/379npNu48lj0g6OdgG5ivvhAAK/6tdGNW/xZQEhTB+A +nmOu/9HbxtsXjZ5peX6F2k8OlG9hSJgTdGamhmkNaja0FrzSOz5jGhrEc2oCQVnd +6BXRz4eq7W+VwlC6cxlgi7f5pUFfSqKYVwPLf+VkPVUHo+vSzuidJSL/jaEr9my/ +I0c/fUsVVWa3Z/KyGNY4Ej1DB21PnWYBo9H5SK7YC7auiHGwekdybWoI/6IPOP3f +JqKbhO3ZbTw9bEZv+Lt52GeN4tNaWsOIbpVDABEBAAEAB/42Vsa7NTpAgwe92+gx +nscTQsjTs9xf5VSQV6gRKWmUAQYNZoNDue2Ot5AeBJFWV8x++fWAZfrrkLJUkwu/ +Z8UcPbSuJhEsrG4F5B3owTy8cBPbNYd9c6JZAKFPBY8W5l9M5OQyUF1amiuk/1jX +BNPEN6SBK3j0IhZvQ2bIgCJrxUH9igvOig2HmfOYv11UMzOErSA/eGRSA+TrM+QK +BDCG1ae3dLe/pXtIuh1/jkLo7Byk0ofgv2+Ty/LSwBCj0vtUjtMHHRNZFRYFrNiN +S6FyrS7+Q9BJolNkuXT83i4dm208+6bKQBPxV3ZaLgf2y19/g5av8f745ercygQI +MdGBBADaWGKpev55Oom2gNV4jaQFaAc4K4OqW1IbsXk8QSl1iaoHmt9VlGP+A+8O +GG+h0cfIlUHnAC29Hs5lDnlByqdTnG9zTyOrnzZEY1+jFGGgs+O/ehS3riGI5dB8 +mwReZfY/aqp7naLkkymHuIAizmxkYORPZtTugyi99Zha4m8j4QQA+39fTOthVIYi +RXMzGknEjh9fMLvCkx33ghapCtc4ftJRACfaatQJVBG2li7LHbPg9fboIyG/x/Ey +iyGtPxwBLo7MJige6xpzVB4Qk+zLDCKouca29uY1rGQzZ0FTmMMtu3Rm+dKh9lLv +vg7ZJNTfhxldC+R/L/gOIBWEzy/iXaMD/2A+wQuKDLDRb9/sOiq/6z7Ryl6FPbTC +AvvNU3hJtRImfmHodob//zzYYgOY7exY/qubC6FsDW4AN+2iHesCdIzCrAG7v9X3 +Rn1WPq96FfY2y5b6qEl8Tx+a71TZi5RJRtoWPe3IolausE0T3IjRbWI4XgMu/T5o +Rmv/f5gyc5OxPpG0E21vb24uc3Ryb25nc3dhbi5vcmeJATcEEwECACEFAkpg0UQC +GwMHCwkIBwMCAQQVAggDBBYCAwECHgECF4AACgkQ9djQiWs7dNHHNQf/UiwJPioL +ef7dgGG2E+kwVQUK3LK+wXLrCVlRdTpSbw8KN2yl6/L8djIdox0jw3yCYhCWxf94 +N4Yqw4zUjaA4wt+U37ZPqlx/kdfNZwn2383K1niLPYmJf5sMWXPAmetT6tNEHNhk +mE7CsmDqikX1GUvJ4NmoHp/2DQLKR4/Olb1YD4HulHK0nfMxf1gVmFhRFtGpzrGS +26G3HzV0ZDs4fYEkVFfTBkCyGzE667O8W9Gk/EoRdO7hDOAEk80Gp23bDX6ygnvs +AqUeWNwYYctkiJKb/YMiAR/bOtFHtgN43atv1I5GZ96wAo+s+KZAXaHlxFvq7r6O +MzxgEWTtyNTtGw== +=Vb4y +-----END PGP PRIVATE KEY BLOCK----- diff --git a/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..afb1ff927 --- /dev/null +++ b/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA moonKey.asc diff --git a/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.conf new file mode 100755 index 000000000..419adc2f2 --- /dev/null +++ b/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.conf @@ -0,0 +1,22 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + nocrsend=yes + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn net-net + left=PH_IP_SUN + leftsubnet=10.2.0.0/16 + leftcert=sunCert.asc + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightcert=moonCert.asc + auto=add diff --git a/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.d/certs/moonCert.asc b/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.d/certs/moonCert.asc new file mode 100644 index 000000000..a512f8f52 --- /dev/null +++ b/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.d/certs/moonCert.asc @@ -0,0 +1,24 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v1.4.9 (GNU/Linux) + +mQENBEpg0UQBCADWgUvdhUfaNdmWZkvECCcDRE+qlbJnVtIbBNkfsfTL1B20g2Mf +UhWJORD0ka01pc6Tc5BF/379npNu48lj0g6OdgG5ivvhAAK/6tdGNW/xZQEhTB+A +nmOu/9HbxtsXjZ5peX6F2k8OlG9hSJgTdGamhmkNaja0FrzSOz5jGhrEc2oCQVnd +6BXRz4eq7W+VwlC6cxlgi7f5pUFfSqKYVwPLf+VkPVUHo+vSzuidJSL/jaEr9my/ +I0c/fUsVVWa3Z/KyGNY4Ej1DB21PnWYBo9H5SK7YC7auiHGwekdybWoI/6IPOP3f +JqKbhO3ZbTw9bEZv+Lt52GeN4tNaWsOIbpVDABEBAAG0E21vb24uc3Ryb25nc3dh +bi5vcmeJATcEEwECACEFAkpg0UQCGwMHCwkIBwMCAQQVAggDBBYCAwECHgECF4AA +CgkQ9djQiWs7dNHHNQf/UiwJPioLef7dgGG2E+kwVQUK3LK+wXLrCVlRdTpSbw8K +N2yl6/L8djIdox0jw3yCYhCWxf94N4Yqw4zUjaA4wt+U37ZPqlx/kdfNZwn2383K +1niLPYmJf5sMWXPAmetT6tNEHNhkmE7CsmDqikX1GUvJ4NmoHp/2DQLKR4/Olb1Y +D4HulHK0nfMxf1gVmFhRFtGpzrGS26G3HzV0ZDs4fYEkVFfTBkCyGzE667O8W9Gk +/EoRdO7hDOAEk80Gp23bDX6ygnvsAqUeWNwYYctkiJKb/YMiAR/bOtFHtgN43atv +1I5GZ96wAo+s+KZAXaHlxFvq7r6OMzxgEWTtyNTtG4kBHAQQAQIABgUCSmDShgAK +CRCXegSsjRY401hVB/9HlBSdkal26U8HmVSjblOpMhaEKWjAZG1VnhcA5/GstzHc +ql7CuciAzOfRY9kcUvvonjLLBEb6P8H7mNaosE0XtqBI+Il8w6FIsfqXG+w2lISt +21/OoS3uXmUD43xdGkJACgoQP3eAqscRnoiNq/Wrg4GFvMmhK3pu3UR0joFrxwoX +mIbpJ1CZFrYDhLRFWUMV+93rzde7UfIeSuPwuE96yTJFgc4QKKFKT+msELTko9Fb +G5N0Q//Rfy+mbqQlk7JVd2WqUMfSx6Fw9X8z88uQamdcgx2/6HzFSL1QiBNyF/3D +spAwu2H5T4gSZH3FywlmRp+JJzNy+aci+M/eTvDz +=j2hu +-----END PGP PUBLIC KEY BLOCK----- diff --git a/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.d/certs/sunCert.asc b/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.d/certs/sunCert.asc new file mode 100644 index 000000000..5117cbb04 --- /dev/null +++ b/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.d/certs/sunCert.asc @@ -0,0 +1,24 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v1.4.9 (GNU/Linux) + +mQENBEpg0bgBCADIozng/tZLr8mEcHvXe4S4zRE31EngymiBFytJ0r2sky43lJXB +QdW2h/elDDO2drrKVt9iwR/WS25r7Er1ibDn1cje9dERDU/IWyS7UaCewUG7WTZM +/aWrt1cnq11FhpdckQfdalh+au0rnsJJP+mwZBti6KtX9LFi0kKvVoDt+jlNJMlV +CLRgQ30BmgApiqEDxbVURmHf8UPDNy6GDcQYnJ1AmliIavzjpDl/l68TadBCf8WP +B2hBe/AoB9ODgc9GnBRMN6RGSvpXGBugKhleFUtCtUR0h3NZtpcD8479XuqSjbyN +4mUEAeXJIIkT/hLHmmbQK0DTrHPaTtXGfeOjABEBAAG0EnN1bi5zdHJvbmdzd2Fu +Lm9yZ4kBNwQTAQIAIQUCSmDRuAIbAwcLCQgHAwIBBBUCCAMEFgIDAQIeAQIXgAAK +CRCXegSsjRY407LCCACqHrnT1xqsQRAIL9GQtI6AkaLJLtJXbALtSKg1Ik1DQA9g +0P+Scnu84xj1o5bRWX2WyPYZUgDY6fB3bSQuX/Z0lIUtl16xRL53jKroGDzg3JZ0 +eNYmehGoIes4JfQm08UM7roywGaaWAfTK2gDFdjsetU4FkpbziVp8cOeAzUMU5/D +RLu5rvCB6m5u62RncmppraAYuQWRjZALIxugFW9IBe+hItY3eBa0rnrCPUb2ywSG +6XXcCnBr/34g/bQXWRxBhbf91ewVaDxgLeoFzQl34h8MxxxBAzG/1023wkN+K97j +vnvvZKUwbd/TRFJkorkhkRpA1wSrJ0tAsvODgc8biQEcBBABAgAGBQJKYNK9AAoJ +EPXY0IlrO3TR8X4H/2eabptQ49q6SX5bwZ+13QoGZdarAvFxVGbbhaRrOrbsYNbg +Wd8k6R/Uwz1qkH3RJBmANm2wcDYhXsztprUrQ3a5jIgZfc+ZH/0cZiFUWk004m7t +mXdvWsGkbxye0kUChQOP9/VJBgpOBnK4MngX7d3nwSIO75r4ugey2Aud/eOvrm5m +t5MJBANTGAnBGwqXtsDm7v0L9VQY6PuLIgPwftB+vwy/Ea8vU5AmFKVkfAR/pVIT +gELY5mDHaqLxgvfMVJ+PFkvb5HF7QdpIcxUjo3SNgyOyYpN+pfQQbVLkPoOs1xqf +lIbIyjzMp02KM3iRElcuU/EBEfsp0/voJ/iyd+o= +=tAh4 +-----END PGP PUBLIC KEY BLOCK----- diff --git a/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.d/private/sunKey.asc b/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.d/private/sunKey.asc new file mode 100644 index 000000000..68899ae37 --- /dev/null +++ b/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.d/private/sunKey.asc @@ -0,0 +1,32 @@ +-----BEGIN PGP PRIVATE KEY BLOCK----- +Version: GnuPG v1.4.9 (GNU/Linux) + +lQOYBEpg0bgBCADIozng/tZLr8mEcHvXe4S4zRE31EngymiBFytJ0r2sky43lJXB +QdW2h/elDDO2drrKVt9iwR/WS25r7Er1ibDn1cje9dERDU/IWyS7UaCewUG7WTZM +/aWrt1cnq11FhpdckQfdalh+au0rnsJJP+mwZBti6KtX9LFi0kKvVoDt+jlNJMlV +CLRgQ30BmgApiqEDxbVURmHf8UPDNy6GDcQYnJ1AmliIavzjpDl/l68TadBCf8WP +B2hBe/AoB9ODgc9GnBRMN6RGSvpXGBugKhleFUtCtUR0h3NZtpcD8479XuqSjbyN +4mUEAeXJIIkT/hLHmmbQK0DTrHPaTtXGfeOjABEBAAEAB/0XU57hkU9R6mSoALnt +Qh+aqsDjOEvEllPTGmH+icFipJP9g0lr+B8EQ0egCUyj3Kb36mS7Yw+0Bv4WDxlh +9bm7Iohhn7vIWz9Y4HvjSWi+vGJLiWI+TkkqLz0zUAGemTjU2snKzNfwDrd3WFRn +VsZxKxpiBAITzk+nWSHGp+yCfl3NVaA/MYAI+FgiQlq/qTCRreEsexAJ09weDLGN +P95V4E6LACRy+wiy7X0lRzS1047UUtTcZUF6c5ERfgAGT5NKT/ZA4THZy5pPrSOw +bRIHbozSlWbnrZNz8DNa4iyHsEw/42IvjU/LflmGWL2hvVxA40ezlxGVi5ea5gFV +5q9dBADWGXToEaHMqie/HAC4+1/VCTmAvqIKcegNWHCL1PGYBBfRonF/TDcbkawy +0ATlk+rkyTaRvkapb1LdqE1qThGQWC6iLb3v8E2UEizCM1VFo2EqcKxbCoJdsEtR +mrK/zIqZ/h/4iEu/ekLPeDwdIWWdBlfYTtTwdMH40eoPOLyo/QQA7+dSOQcAUp8H +1NuNpyK+9M3/mkpXRF3cqdiY7AnHIf4WWDtgDUHugtO8HlAkq4cL27QYBojVHCqB +P+NLJo6A35nNbt2IPqAotCgk8NlgtsA+oJ9tvWGarOLMnIt0eBv80blqa5PGeoFt +EuYxYO2bRAE2cQtMXPMLKpl3VKSRMR8EAKINBJ81zq2twDG1qvRg40XAz2LOKkFd +B+fNAd0JSC8+qx4MMdn0iL6WaCIN6t1wzI7l1whLUc7f3MPF2dwrsrB9j3MgHppr +GBLl0A3a1tIkWPAejMcpSgFR63ooQQgoX+XH0woST3wgHTZT6fF+zFn3eaGJ3wqv +JNcE4vcbJf1COoi0EnN1bi5zdHJvbmdzd2FuLm9yZ4kBNwQTAQIAIQUCSmDRuAIb +AwcLCQgHAwIBBBUCCAMEFgIDAQIeAQIXgAAKCRCXegSsjRY407LCCACqHrnT1xqs +QRAIL9GQtI6AkaLJLtJXbALtSKg1Ik1DQA9g0P+Scnu84xj1o5bRWX2WyPYZUgDY +6fB3bSQuX/Z0lIUtl16xRL53jKroGDzg3JZ0eNYmehGoIes4JfQm08UM7roywGaa +WAfTK2gDFdjsetU4FkpbziVp8cOeAzUMU5/DRLu5rvCB6m5u62RncmppraAYuQWR +jZALIxugFW9IBe+hItY3eBa0rnrCPUb2ywSG6XXcCnBr/34g/bQXWRxBhbf91ewV +aDxgLeoFzQl34h8MxxxBAzG/1023wkN+K97jvnvvZKUwbd/TRFJkorkhkRpA1wSr +J0tAsvODgc8b +=QOF4 +-----END PGP PRIVATE KEY BLOCK----- diff --git a/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.secrets b/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.secrets new file mode 100644 index 000000000..ee98b1611 --- /dev/null +++ b/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA sunKey.asc diff --git a/testing/tests/ikev1/net2net-pgp-v4/posttest.dat b/testing/tests/ikev1/net2net-pgp-v4/posttest.dat new file mode 100644 index 000000000..fafcde975 --- /dev/null +++ b/testing/tests/ikev1/net2net-pgp-v4/posttest.dat @@ -0,0 +1,8 @@ +moon::ipsec stop +sun::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +sun::/etc/init.d/iptables stop 2> /dev/null +moon::rm /etc/ipsec.d/certs/* +moon::rm /etc/ipsec.d/private/* +sun::rm /etc/ipsec.d/certs/* +sun::rm /etc/ipsec.d/private/* diff --git a/testing/tests/ikev1/net2net-pgp-v4/pretest.dat b/testing/tests/ikev1/net2net-pgp-v4/pretest.dat new file mode 100644 index 000000000..9e40684ab --- /dev/null +++ b/testing/tests/ikev1/net2net-pgp-v4/pretest.dat @@ -0,0 +1,8 @@ +moon::/etc/init.d/iptables start 2> /dev/null +sun::/etc/init.d/iptables start 2> /dev/null +moon::rm /etc/ipsec.d/cacerts/* +sun::rm /etc/ipsec.d/cacerts/* +moon::ipsec start +sun::ipsec start +moon::sleep 2 +moon::ipsec up net-net diff --git a/testing/tests/ikev1/net2net-pgp-v4/test.conf b/testing/tests/ikev1/net2net-pgp-v4/test.conf new file mode 100644 index 000000000..f74d0f7d6 --- /dev/null +++ b/testing/tests/ikev1/net2net-pgp-v4/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" diff --git a/testing/tests/ikev1/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-cert/hosts/carol/etc/strongswan.conf index 304ef99e0..ac4b8d589 100644 --- a/testing/tests/ikev1/rw-cert/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev1/rw-cert/hosts/carol/etc/strongswan.conf @@ -8,6 +8,7 @@ pluto { libstrongswan { dh_exponent_ansi_x9_42 = no + integrity_test = yes crypto_test { on_add = yes } diff --git a/testing/tests/ikev1/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-cert/hosts/moon/etc/strongswan.conf index 304ef99e0..ac4b8d589 100644 --- a/testing/tests/ikev1/rw-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev1/rw-cert/hosts/moon/etc/strongswan.conf @@ -8,6 +8,7 @@ pluto { libstrongswan { dh_exponent_ansi_x9_42 = no + integrity_test = yes crypto_test { on_add = yes } diff --git a/testing/tests/ikev2/esp-alg-aes-ctr/description.txt b/testing/tests/ikev2/esp-alg-aes-ctr/description.txt new file mode 100644 index 000000000..6443a348f --- /dev/null +++ b/testing/tests/ikev2/esp-alg-aes-ctr/description.txt @@ -0,0 +1,3 @@ +Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite +<b>AES_CTR_128 / AES_XCBC_96</b> by defining <b>esp=aes128ctr-aesxcbc-modp2048</b> in ipsec.conf. +A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel. diff --git a/testing/tests/ikev2/esp-alg-aes-ctr/evaltest.dat b/testing/tests/ikev2/esp-alg-aes-ctr/evaltest.dat new file mode 100644 index 000000000..d5260da68 --- /dev/null +++ b/testing/tests/ikev2/esp-alg-aes-ctr/evaltest.dat @@ -0,0 +1,7 @@ +moon::ipsec statusall::rw.*INSTALLED::YES +carol::ipsec statusall::home.*INSTALLED::YES +moon::ipsec statusall::AES_CTR_128/AES_XCBC_96::YES +carol::ipsec statusall::AES_CTR_128/AES_XCBC_96::YES +moon::ip xfrm state::rfc3686(ctr(aes))::YES +carol::ip xfrm state::rfc3686(ctr(aes))::YES +carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES diff --git a/testing/tests/ikev2/esp-alg-aes-ctr/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-aes-ctr/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..02ca66b75 --- /dev/null +++ b/testing/tests/ikev2/esp-alg-aes-ctr/hosts/carol/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=yes + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + ike=aes128-aesxcbc-modp2048! + esp=aes128ctr-aesxcbc-modp2048! + +conn home + left=PH_IP_CAROL + leftfirewall=yes + leftcert=carolCert.pem + leftid=carol@strongswan.org + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ikev2/esp-alg-aes-ctr/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-aes-ctr/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..40eb84b8a --- /dev/null +++ b/testing/tests/ikev2/esp-alg-aes-ctr/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown +} diff --git a/testing/tests/ikev2/esp-alg-aes-ctr/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-aes-ctr/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..1c19714b9 --- /dev/null +++ b/testing/tests/ikev2/esp-alg-aes-ctr/hosts/moon/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=yes + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + ike=aes128-aesxcbc-modp2048! + esp=aes128ctr-aesxcbc-modp2048! + +conn rw + left=PH_IP_MOON + leftfirewall=yes + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + right=%any + auto=add diff --git a/testing/tests/ikev2/esp-alg-aes-ctr/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-aes-ctr/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..40eb84b8a --- /dev/null +++ b/testing/tests/ikev2/esp-alg-aes-ctr/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown +} diff --git a/testing/tests/ikev2/esp-alg-aes-ctr/posttest.dat b/testing/tests/ikev2/esp-alg-aes-ctr/posttest.dat new file mode 100644 index 000000000..94a400606 --- /dev/null +++ b/testing/tests/ikev2/esp-alg-aes-ctr/posttest.dat @@ -0,0 +1,4 @@ +moon::ipsec stop +carol::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev2/esp-alg-aes-ctr/pretest.dat b/testing/tests/ikev2/esp-alg-aes-ctr/pretest.dat new file mode 100644 index 000000000..f360351e1 --- /dev/null +++ b/testing/tests/ikev2/esp-alg-aes-ctr/pretest.dat @@ -0,0 +1,6 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +carol::ipsec start +carol::sleep 1 +carol::ipsec up home diff --git a/testing/tests/ikev2/esp-alg-aes-ctr/test.conf b/testing/tests/ikev2/esp-alg-aes-ctr/test.conf new file mode 100644 index 000000000..2b240d895 --- /dev/null +++ b/testing/tests/ikev2/esp-alg-aes-ctr/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev2/ip-split-pools-db/description.txt b/testing/tests/ikev2/ip-split-pools-db/description.txt new file mode 100644 index 000000000..0c11c7eed --- /dev/null +++ b/testing/tests/ikev2/ip-split-pools-db/description.txt @@ -0,0 +1,6 @@ +The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each +to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>. +Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKEv2 configuration +payload. The gateway moon assigns virtual IP addresses from two disjoint pools named +<b>pool0</b> comprising the single address <b>10.3.0.1</b> and <b>pool1</b> comprising the +single address <b>10.3.1.1</b> predefined in the SQL database. diff --git a/testing/tests/ikev2/ip-split-pools-db/evaltest.dat b/testing/tests/ikev2/ip-split-pools-db/evaltest.dat new file mode 100644 index 000000000..8fd47dc34 --- /dev/null +++ b/testing/tests/ikev2/ip-split-pools-db/evaltest.dat @@ -0,0 +1,15 @@ +carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES +carol::ipsec status::home.*INSTALLED::YES +dave::cat /var/log/daemon.log::installing new virtual IP 10.3.1.1::YES +dave::ipsec status::home.*INSTALLED::YES +moon::cat /var/log/daemon.log::acquired new lease for address 10.3.0.1 in pool.*pool0::YES +moon::cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer::YES +moon::cat /var/log/daemon.log::no available address found in pool.*pool0::YES +moon::cat /var/log/daemon.log::acquired new lease for address 10.3.1.1 in pool.*pool1::YES +moon::cat /var/log/daemon.log::assigning virtual IP 10.3.1.1 to peer::YES +moon::ipsec pool --status 2> /dev/null::pool0.*10.3.0.1.*10.3.0.1.*48h.*1 .*1 .*1 ::YES +moon::ipsec pool --status 2> /dev/null::pool1.*10.3.1.1.*10.3.1.1.*48h.*1 .*1 .*1 ::YES +moon::ipsec pool --leases --filter pool=pool0,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES +moon::ipsec pool --leases --filter pool=pool1,addr=10.3.1.1,id=dave@strongswan.org 2> /dev/null::online::YES +moon::ipsec status::rw.*ESTABLISHED.*carol@strongswan.org::YES +moon::ipsec status::rw.*ESTABLISHED.*dave@strongswan.org::YES diff --git a/testing/tests/ikev2/ip-split-pools-db/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ip-split-pools-db/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..a19f6cfae --- /dev/null +++ b/testing/tests/ikev2/ip-split-pools-db/hosts/carol/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_CAROL + leftsourceip=%config + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ikev2/ip-split-pools-db/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-split-pools-db/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..40eb84b8a --- /dev/null +++ b/testing/tests/ikev2/ip-split-pools-db/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown +} diff --git a/testing/tests/ikev2/ip-split-pools-db/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/ip-split-pools-db/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..1a89f4e5d --- /dev/null +++ b/testing/tests/ikev2/ip-split-pools-db/hosts/dave/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_DAVE + leftsourceip=%config + leftcert=daveCert.pem + leftid=dave@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ikev2/ip-split-pools-db/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ip-split-pools-db/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..40eb84b8a --- /dev/null +++ b/testing/tests/ikev2/ip-split-pools-db/hosts/dave/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown +} diff --git a/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..c0f9756e4 --- /dev/null +++ b/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn rw + left=PH_IP_MOON + leftsubnet=10.1.0.0/16 + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftfirewall=yes + right=%any + rightsourceip=%pool0,pool1 + auto=add diff --git a/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..b77ff97fb --- /dev/null +++ b/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/strongswan.conf @@ -0,0 +1,14 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + plugins { + sql { + database = sqlite:///etc/ipsec.d/ipsec.db + } + } + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink sqlite sql updown +} + +pool { + load = sqlite +} diff --git a/testing/tests/ikev2/ip-split-pools-db/posttest.dat b/testing/tests/ikev2/ip-split-pools-db/posttest.dat new file mode 100644 index 000000000..32b445090 --- /dev/null +++ b/testing/tests/ikev2/ip-split-pools-db/posttest.dat @@ -0,0 +1,6 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::ipsec pool --del pool0 2> /dev/null +moon::ipsec pool --del pool1 2> /dev/null +moon::rm /etc/ipsec.d/ipsec.* diff --git a/testing/tests/ikev2/ip-split-pools-db/pretest.dat b/testing/tests/ikev2/ip-split-pools-db/pretest.dat new file mode 100644 index 000000000..5691f0f0d --- /dev/null +++ b/testing/tests/ikev2/ip-split-pools-db/pretest.dat @@ -0,0 +1,12 @@ +moon::cat /etc/ipsec.d/tables.sql > /etc/ipsec.d/ipsec.sql +moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db +moon::ipsec pool --add pool0 --start 10.3.0.1 --end 10.3.0.1 --timeout 48 2> /dev/null +moon::ipsec pool --add pool1 --start 10.3.1.1 --end 10.3.1.1 --timeout 48 2> /dev/null +moon::ipsec pool --status 2> /dev/null +carol::ipsec start +dave::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home +dave::ipsec up home +carol::sleep 1 diff --git a/testing/tests/ikev2/ip-split-pools-db/test.conf b/testing/tests/ikev2/ip-split-pools-db/test.conf new file mode 100644 index 000000000..1a8f2a4e0 --- /dev/null +++ b/testing/tests/ikev2/ip-split-pools-db/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon alice" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf index de122acff..da8d70ed7 100644 --- a/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf @@ -5,6 +5,7 @@ charon { } libstrongswan { + integrity_test = yes crypto_test { on_add = yes } diff --git a/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf index de122acff..da8d70ed7 100644 --- a/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf @@ -5,6 +5,7 @@ charon { } libstrongswan { + integrity_test = yes crypto_test { on_add = yes } diff --git a/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf index de122acff..da8d70ed7 100644 --- a/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf @@ -5,6 +5,7 @@ charon { } libstrongswan { + integrity_test = yes crypto_test { on_add = yes } diff --git a/testing/tests/openssl-ikev1/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev1/rw-cert/hosts/carol/etc/strongswan.conf index e2a83185b..ef1b92f3c 100644 --- a/testing/tests/openssl-ikev1/rw-cert/hosts/carol/etc/strongswan.conf +++ b/testing/tests/openssl-ikev1/rw-cert/hosts/carol/etc/strongswan.conf @@ -8,6 +8,7 @@ pluto { libstrongswan { dh_exponent_ansi_x9_42 = no + integrity_test = yes crypto_test { on_add = yes } diff --git a/testing/tests/openssl-ikev1/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev1/rw-cert/hosts/dave/etc/strongswan.conf index 2ba85bb98..825f6fee8 100644 --- a/testing/tests/openssl-ikev1/rw-cert/hosts/dave/etc/strongswan.conf +++ b/testing/tests/openssl-ikev1/rw-cert/hosts/dave/etc/strongswan.conf @@ -8,6 +8,7 @@ pluto { libstrongswan { dh_exponent_ansi_x9_42 = no + integrity_test = yes crypto_test { required = yes on_add = yes diff --git a/testing/tests/openssl-ikev1/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev1/rw-cert/hosts/moon/etc/strongswan.conf index 28d9ab3ba..a3ad70a45 100644 --- a/testing/tests/openssl-ikev1/rw-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/openssl-ikev1/rw-cert/hosts/moon/etc/strongswan.conf @@ -8,6 +8,7 @@ pluto { libstrongswan { dh_exponent_ansi_x9_42 = no + integrity_test = yes crypto_test { on_add = yes } diff --git a/testing/tests/openssl-ikev2/alg-camellia/description.txt b/testing/tests/openssl-ikev2/alg-camellia/description.txt new file mode 100644 index 000000000..b3515c333 --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-camellia/description.txt @@ -0,0 +1,4 @@ +Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the IKE cipher suite <b>CAMELLIA_CBC_256 / +HMAC_SHA2_512_256 / MODP_2048</b> by defining <b>ike=camellia256-sha256-modp2048</b> as well as +the ESP cipher suite <b>CAMELLIA_CBC_192 / HMAC_SHA1_96</b> by defining <b>esp=camellia192-sha1</b> +in ipsec.conf. A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel. diff --git a/testing/tests/openssl-ikev2/alg-camellia/evaltest.dat b/testing/tests/openssl-ikev2/alg-camellia/evaltest.dat new file mode 100644 index 000000000..aad3becc7 --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-camellia/evaltest.dat @@ -0,0 +1,9 @@ +moon::ipsec statusall::rw.*INSTALLED::YES +carol::ipsec statusall::home.*INSTALLED::YES +moon::ipsec statusall::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES +carol::ipsec statusall::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES +moon::ipsec statusall::CAMELLIA_CBC_192/HMAC_SHA1_96::YES +carol::ipsec statusall::CAMELLIA_CBC_192/HMAC_SHA1_96::YES +moon::ip xfrm state::enc cbc(camellia)::YES +carol::ip xfrm state::enc cbc(camellia)::YES +carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES diff --git a/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..37f8a7ecf --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=yes + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + ike=camellia256-sha512-modp2048! + esp=camellia192-sha1! + +conn home + left=PH_IP_CAROL + leftfirewall=yes + leftcert=carolCert.pem + leftid=carol@strongswan.org + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..c110dd516 --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl openssl random x509 pubkey hmac xcbc stroke kernel-netlink updown +} diff --git a/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..f8d7e3fe9 --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=yes + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + ike=camellia256-sha512-modp2048! + esp=camellia192-sha1! + +conn rw + left=PH_IP_MOON + leftfirewall=yes + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + right=%any + auto=add diff --git a/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..c110dd516 --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl openssl random x509 pubkey hmac xcbc stroke kernel-netlink updown +} diff --git a/testing/tests/openssl-ikev2/alg-camellia/posttest.dat b/testing/tests/openssl-ikev2/alg-camellia/posttest.dat new file mode 100644 index 000000000..94a400606 --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-camellia/posttest.dat @@ -0,0 +1,4 @@ +moon::ipsec stop +carol::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/openssl-ikev2/alg-camellia/pretest.dat b/testing/tests/openssl-ikev2/alg-camellia/pretest.dat new file mode 100644 index 000000000..3c3df0196 --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-camellia/pretest.dat @@ -0,0 +1,7 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +carol::ipsec start +carol::sleep 1 +carol::ipsec up home +carol::sleep 1 diff --git a/testing/tests/openssl-ikev2/alg-camellia/test.conf b/testing/tests/openssl-ikev2/alg-camellia/test.conf new file mode 100644 index 000000000..2b240d895 --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-camellia/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/strongswan.conf index e10230384..81dfac334 100644 --- a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/strongswan.conf @@ -3,3 +3,7 @@ charon { load = curl openssl random x509 pubkey hmac stroke kernel-netlink updown } + +libstrongswan { + ecp_x_coordinate_only = no +} diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/strongswan.conf index 7ffdcc204..eb0ba532d 100644 --- a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/strongswan.conf @@ -3,3 +3,7 @@ charon { load = curl aes des sha1 sha2 md5 gmp openssl random x509 pubkey hmac stroke kernel-netlink updown } + +libstrongswan { + ecp_x_coordinate_only = no +} diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/strongswan.conf index e10230384..81dfac334 100644 --- a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/strongswan.conf @@ -3,3 +3,7 @@ charon { load = curl openssl random x509 pubkey hmac stroke kernel-netlink updown } + +libstrongswan { + ecp_x_coordinate_only = no +} diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/strongswan.conf index e10230384..81dfac334 100644 --- a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/strongswan.conf @@ -3,3 +3,7 @@ charon { load = curl openssl random x509 pubkey hmac stroke kernel-netlink updown } + +libstrongswan { + ecp_x_coordinate_only = no +} diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/strongswan.conf index 7ffdcc204..eb0ba532d 100644 --- a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/strongswan.conf @@ -3,3 +3,7 @@ charon { load = curl aes des sha1 sha2 md5 gmp openssl random x509 pubkey hmac stroke kernel-netlink updown } + +libstrongswan { + ecp_x_coordinate_only = no +} diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/strongswan.conf index e10230384..81dfac334 100644 --- a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/strongswan.conf @@ -3,3 +3,7 @@ charon { load = curl openssl random x509 pubkey hmac stroke kernel-netlink updown } + +libstrongswan { + ecp_x_coordinate_only = no +} diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf index 195bcf046..4e8a1219d 100644 --- a/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf @@ -5,6 +5,7 @@ charon { } libstrongswan { + integrity_test = yes crypto_test { on_add = yes } diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf index f4b6dfdb9..b946aa004 100644 --- a/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf @@ -5,6 +5,7 @@ charon { } libstrongswan { + integrity_test = yes crypto_test { required = yes on_add = yes diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf index 166e24e7c..ebecace94 100644 --- a/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf @@ -5,6 +5,7 @@ charon { } libstrongswan { + integrity_test = yes crypto_test { on_add = yes } diff --git a/testing/tests/pfkey/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/pfkey/rw-cert/hosts/carol/etc/strongswan.conf index 2f3bc449a..8ee0ad955 100644 --- a/testing/tests/pfkey/rw-cert/hosts/carol/etc/strongswan.conf +++ b/testing/tests/pfkey/rw-cert/hosts/carol/etc/strongswan.conf @@ -5,6 +5,7 @@ charon { } libstrongswan { + integrity_test = yes crypto_test { on_add = yes } diff --git a/testing/tests/pfkey/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/pfkey/rw-cert/hosts/dave/etc/strongswan.conf index 2f3bc449a..8ee0ad955 100644 --- a/testing/tests/pfkey/rw-cert/hosts/dave/etc/strongswan.conf +++ b/testing/tests/pfkey/rw-cert/hosts/dave/etc/strongswan.conf @@ -5,6 +5,7 @@ charon { } libstrongswan { + integrity_test = yes crypto_test { on_add = yes } diff --git a/testing/tests/pfkey/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/rw-cert/hosts/moon/etc/strongswan.conf index 2f3bc449a..8ee0ad955 100644 --- a/testing/tests/pfkey/rw-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/pfkey/rw-cert/hosts/moon/etc/strongswan.conf @@ -5,6 +5,7 @@ charon { } libstrongswan { + integrity_test = yes crypto_test { on_add = yes } diff --git a/testing/tests/sql/ip-split-pools-db-restart/description.txt b/testing/tests/sql/ip-split-pools-db-restart/description.txt new file mode 100644 index 000000000..7005c810d --- /dev/null +++ b/testing/tests/sql/ip-split-pools-db-restart/description.txt @@ -0,0 +1,6 @@ +The roadwarriors <b>carol</b> and <b>dave</b> restart a connection each +to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>. +Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKEv2 configuration +payload. The gateway moon reassigns the static and reserved virtual IP addresses +from two disjoint pools named <b>pool0</b> and <b>pool1</b> predefined in the SQL database. + diff --git a/testing/tests/sql/ip-split-pools-db-restart/evaltest.dat b/testing/tests/sql/ip-split-pools-db-restart/evaltest.dat new file mode 100644 index 000000000..6c912eb47 --- /dev/null +++ b/testing/tests/sql/ip-split-pools-db-restart/evaltest.dat @@ -0,0 +1,14 @@ +dave::cat /var/log/daemon.log::installing new virtual IP 10.3.1.1::YES +dave::ipsec status::home.*INSTALLED::YES +carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES +carol::ipsec status::home.*INSTALLED::YES +moon::cat /var/log/daemon.log::acquired existing lease for address 10.3.1.1 in pool.*pool1::YES +moon::cat /var/log/daemon.log::assigning virtual IP 10.3.1.1 to peer::YES +moon::cat /var/log/daemon.log::acquired existing lease for address 10.3.0.1 in pool.*pool0::YES +moon::cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer::YES +moon::ipsec pool --status 2> /dev/null::pool0.*10.3.0.1.*10.3.0.2.*static.*2 .*1 .*1 ::YES +moon::ipsec pool --status 2> /dev/null::pool1.*10.3.1.1.*10.3.1.2.*static.*2 .*1 .*1 ::YES +moon::ipsec pool --leases --filter pool=pool0,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES +moon::ipsec pool --leases --filter pool=pool1,addr=10.3.1.1,id=dave@strongswan.org 2> /dev/null::online::YES +moon::ipsec status::rw.*ESTABLISHED.*dave@strongswan.org::YES +moon::ipsec status::rw.*ESTABLISHED.*carol@strongswan.org::YES diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/ipsec.conf b/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..3bc29625f --- /dev/null +++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/ipsec.conf @@ -0,0 +1,8 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +# configuration is read from SQLite database diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/ipsec.d/data.sql new file mode 100644 index 000000000..ca813d44f --- /dev/null +++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/ipsec.d/data.sql @@ -0,0 +1,140 @@ +/* Identities */ + +INSERT INTO identities ( + type, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 202, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* carol@strongswan.org */ + 3, X'6361726f6c407374726f6e677377616e2e6f7267' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=carol@strongswan.org' */ + 202, X'985c23660cd9b9a7554da6a4aa31ea02230fd482' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* moon.strongswan.org */ + 2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267' + ); + +/* Certificates */ + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 1, 1, X'308203b53082029da003020102020100300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131303134355a170d3134303930383131303134355a3045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100bff25f62ea3d566e58b3c87a49caf3ac61cfa96377734d842db3f8fd6ea023f7b0132e66265012317386729c6d7c427a8d9f167be138e8ebae2b12b95933baef36a315c3ddf224cee4bb9bd578135d0467382629621ff96b8d45f6e002e5083662dce181805c140b3f2ce93f83aee3c861cff610a39f0189cb3a3c7cb9bf7e2a09544e2170efaa18fdd4ff20fa94be176d7fecff821f68d17152041d9b46f0cfcfc1e4cf43de5d3f3a587763afe9267f53b11699b3264fc55c5189f5682871166cb98307950569641fa30ffb50de134fed2f973cef1a392827862bc4ddaa97bbb01442e293c41070d07224d4be47ae2753eb2bed4bc1da91c68ec780c4620f0f0203010001a381af3081ac300f0603551d130101ff040530030101ff300b0603551d0f040403020106301d0603551d0e041604145da7dd700651327ee7b66db3b5e5e060ea2e4def306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100300d06092a864886f70d010104050003820101009ad74e3e60592dfb9b21c78628bd76b63090c1720c74bf94753cad6fddadc9c776eb39d3bfaa52136bf528840078386308fcf79503bd3d1ad6c15ac38e10c846bff7888a03cfe7fa0e644b522b2af5aedf0bbc508dc48330a180757772771095059b2be148f58dc0c753b59e9d6bfb02e9b685a928a284531b187313fd2b835bc9ea27d0020739a8d485e88bdede9a45cde6d28ed553b0e8e92dabf877bed59abf9d151f15e4f2d00b5e6e49fcb665293d2296697926c2954dae367542ef6e98053e76d2728732f6ce69f284f0b856aa6c2823a9ee29b280a66f50828f9b5cf27f84feca3c31c24897db156c7a833768ab306f51286457a51f09dd53bbb4190f' +); + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=carol@strongswan.org */ + 1, 1, X'308204223082030aa00302010202010a300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3035303130313231343331385a170d3039313233313231343331385a305a310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e3111300f060355040b13085265736561726368311d301b060355040314146361726f6c407374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100b81b84920408e086c8d278d3ad2e9ffc01b89e8c423b612b908010f8174ff96f6729e84b185fb96e60783082c507ace9d64f79beb0252e05e5f1f7a89a0b33e6789f5deb665084cb230191c165bcad1a34563e011b349bb6ab517f01ecf7e2f4de961d36203b85e97811cb26b650cfd014d15dd2d2b71efd656e5638a24bf70986b8128bbae5f3b428d6360e03d3f4e816502e3d1d14d7165ab1a92a9fe15ef045d4e48ff5bd798ec80c9420962c9a9798b54a0ed2a00cf2c9651d7d9882e181c1ef6b1c43edcada2fd191e109962dbd26f38a00208c1ac3ed27a5924c60330c79878eb5c7a90960a6472f979aca9c5aee2bb4d0aed395b546c5e361910a06370203010001a38201063082010230090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e041604145535eca6eba279baef887f18438fd227b16746d1306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100301f0603551d110418301681146361726f6c407374726f6e677377616e2e6f726730390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f7374726f6e677377616e2e63726c300d06092a864886f70d01010405000382010100b1304a7e65d72573468853e8cedd398bf3581cc1e6b4054b9c8d97c3caf0929035dc5e274e7b3fa5fef52e7860bb06aab5ba40c5f1ca55806b4cd873f133ded948b3c89cc81621e2eadee5fc893b48a34e4462a45ab09c41200918f68ea36babfacf4099aa349b8b65841eb1e416b90e4eb462edd786cdb0008565633a701fcd2c416ae8e4754c5bea3181736179aa901e5526c4fac031ce649d851c85ded514c25e3269b0739a879d273950e1a9ea8341b5e1049c07181792ad37da02aeccd555c56469e8e15a9e72860b520dbec05662d37adb08d79575e133f338b0116198fa5fb556fe02682bd634aca535f6750b0daa123f5ad36f2e67caa260587f1aa9' +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 1 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 2 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 3 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 4 +); + +/* Private Keys */ + +INSERT INTO private_keys ( + type, data +) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=carol@strongswan.org' */ + 1, X'308204a30201000282010100b81b84920408e086c8d278d3ad2e9ffc01b89e8c423b612b908010f8174ff96f6729e84b185fb96e60783082c507ace9d64f79beb0252e05e5f1f7a89a0b33e6789f5deb665084cb230191c165bcad1a34563e011b349bb6ab517f01ecf7e2f4de961d36203b85e97811cb26b650cfd014d15dd2d2b71efd656e5638a24bf70986b8128bbae5f3b428d6360e03d3f4e816502e3d1d14d7165ab1a92a9fe15ef045d4e48ff5bd798ec80c9420962c9a9798b54a0ed2a00cf2c9651d7d9882e181c1ef6b1c43edcada2fd191e109962dbd26f38a00208c1ac3ed27a5924c60330c79878eb5c7a90960a6472f979aca9c5aee2bb4d0aed395b546c5e361910a063702030100010282010100a7870abc1f85c061858dd7baae24f61947abaa41f0e6bd85f9c83f28b175e980d0bc168f76cf6c199f18def3afbc4b40c0edb2d7accb3834cfc7bd57234d3c5de4b707ac737ea3478144255079761581f9cbdc41ff72809ad90ba069ad2ae7cf7057e29ee4f7a4e40c890c75de826c8768da16e9072af0bd1db6282902ade34cb1b9c3fdd00a8f0330328e18d477009ac5a43952fe05b7257b8b4e7f8f5288e858ef56ea3a031980d38b879e6327d949a8f3c19bf379c1297b3defc0a374a6ea6f1c0e8124247c33392ae446081f486f58bb41cbcba25915d37eefe0828408f7f679841588424ef59b6dee30805b926fa80e7ff57cb4817167ca72bf51c8cf9102818100da567b0cbbc426e4455ffdd1b8013644d9f47785b05b163a0155c81d57c0cd84fe73aa75125caf116de50b7adc369707ed91127db7d4422bb08cff5ddf91f4a0e5fb264e098fe6fe62f8a2ab933eeac41893f365d8165f79143855b5a5b7dc31c9b34a9d453ee7c8d7b24f89e3ed51bfeadc2e1102308a967b241dfb44c8ad6902818100d7dd78437c533a15fd1dd6b0634334e79c31d215017f5a8869e42cbada3fb09167585e087e72f91575441f7cca9a64246df57f0e45f1ae86a289a4307586aa1cc3cd069c65057cc3b0baac3634064e53179bde9af2531a5af2770a1d7ccbdc263f18299ad2ec0d224b718002633a546af74c7cac72ccdf253ab4370137bf829f02818063b2f5c15cc43716296fa9d167fa75b37eeb18e0dd24dac365f4abca6a55ca031ec5e6624b1e337afbf9890273282253267206458df9c8b5768b0bd8ebcc142e9c95d069f607d5ecf7789d9f473f85a841a8dd8df5dc518052715f01f14841ae22725271fa3abd5082de135fddca7277f660d05047f5ae73048bfb7ccf6deb7102818028b2b4ade48ebc70d0dc03521624e1a0992e3b71826ac462dbb40d4add430cc31d3ce7ddaa197b24b48b37748bae381b363006d8660f7edc1b60dff7d2f0a4b9efa0841290694c7088ad69327ef48167e1179e0c908b6278ab260e5e28dd36906f6cdacb39e10f48dbf8762dfd0f4e432c84db2c98285019f0cb7163656351f902818042a7d7d7f9416b3f3b50cf5815dfbc249cd3572e494c76d1ae99dc1e8bc63fbb32e5c18d5c4f90681e9046999cdcf0826f904350b9d67227f606382d9c7b3b1332d22744b2cefa691ab82dbec8e976a406b0902d0f4889392f80d39e2581ac42feed9085964650485e34811b04fa1f34c47cde5cbdd1d20f30111851a3c187ca' +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 3 +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 4 +); + +/* Configurations */ + +INSERT INTO ike_configs ( + local, remote +) VALUES ( + 'PH_IP_CAROL', 'PH_IP_MOON' +); + +INSERT INTO peer_configs ( + name, ike_cfg, local_id, remote_id, virtual +) VALUES ( + 'home', 1, 3, 5, '0.0.0.0' +); + +INSERT INTO child_configs ( + name, updown +) VALUES ( + 'home', 'ipsec _updown iptables' +); + +INSERT INTO peer_config_child_config ( + peer_cfg, child_cfg +) VALUES ( + 1, 1 +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( /* 10.1.0.0/16 */ + 7, X'0a010000', X'0a01ffff' +); + +INSERT INTO traffic_selectors ( + type +) VALUES ( /* dynamic/32 */ + 7 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 1, 1 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 2, 2 +); + diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/ipsec.secrets b/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..76bb21bea --- /dev/null +++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +# secrets are read from SQLite database diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/strongswan.conf b/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..29e2395e8 --- /dev/null +++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/strongswan.conf @@ -0,0 +1,10 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + plugins { + sql { + database = sqlite:///etc/ipsec.d/ipsec.db + } + } + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown sqlite sql +} diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/ipsec.conf b/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..3bc29625f --- /dev/null +++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/ipsec.conf @@ -0,0 +1,8 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +# configuration is read from SQLite database diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/ipsec.d/data.sql b/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/ipsec.d/data.sql new file mode 100644 index 000000000..5233806c7 --- /dev/null +++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/ipsec.d/data.sql @@ -0,0 +1,140 @@ +/* Identities */ + +INSERT INTO identities ( + type, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 202, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* dave@strongswan.org */ + 3, X'64617665407374726f6e677377616e2e6f7267' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=dave@strongswan.org' */ + 202, X'f651b7ea33148cc5a76a622f1c1eb16c6bbdea25' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* moon.strongswan.org */ + 2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267' + ); + +/* Certificates */ + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 1, 1, X'308203b53082029da003020102020100300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131303134355a170d3134303930383131303134355a3045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100bff25f62ea3d566e58b3c87a49caf3ac61cfa96377734d842db3f8fd6ea023f7b0132e66265012317386729c6d7c427a8d9f167be138e8ebae2b12b95933baef36a315c3ddf224cee4bb9bd578135d0467382629621ff96b8d45f6e002e5083662dce181805c140b3f2ce93f83aee3c861cff610a39f0189cb3a3c7cb9bf7e2a09544e2170efaa18fdd4ff20fa94be176d7fecff821f68d17152041d9b46f0cfcfc1e4cf43de5d3f3a587763afe9267f53b11699b3264fc55c5189f5682871166cb98307950569641fa30ffb50de134fed2f973cef1a392827862bc4ddaa97bbb01442e293c41070d07224d4be47ae2753eb2bed4bc1da91c68ec780c4620f0f0203010001a381af3081ac300f0603551d130101ff040530030101ff300b0603551d0f040403020106301d0603551d0e041604145da7dd700651327ee7b66db3b5e5e060ea2e4def306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100300d06092a864886f70d010104050003820101009ad74e3e60592dfb9b21c78628bd76b63090c1720c74bf94753cad6fddadc9c776eb39d3bfaa52136bf528840078386308fcf79503bd3d1ad6c15ac38e10c846bff7888a03cfe7fa0e644b522b2af5aedf0bbc508dc48330a180757772771095059b2be148f58dc0c753b59e9d6bfb02e9b685a928a284531b187313fd2b835bc9ea27d0020739a8d485e88bdede9a45cde6d28ed553b0e8e92dabf877bed59abf9d151f15e4f2d00b5e6e49fcb665293d2296697926c2954dae367542ef6e98053e76d2728732f6ce69f284f0b856aa6c2823a9ee29b280a66f50828f9b5cf27f84feca3c31c24897db156c7a833768ab306f51286457a51f09dd53bbb4190f' +); + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=dave@strongswan.org */ + 1, 1, X'308204223082030aa003020102020108300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131323635315a170d3039303930393131323635315a305b310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e31133011060355040b130a4163636f756e74696e67311c301a0603550403141364617665407374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100c66c299463a8a78abef5ffa45679b7a070b5139834b146aa5138d0f1d8845412e112e4429ceeab23473e395e8aa38b2c024118d85b7ddf504118eabedf9c793bd02c949d6799cabeefe03ff62e304ddec98313afd966bcf13f1fb1a619548a060e17fbede205225b574e679adc9f11bdf9e36b48bea058d360d62b8445f9524db98757a4d59865363c675d28667a5dfa967dd03eea23a2dbea32ab0e9a1f8bb885f5e12723113843a12dd00552fcd4f548b31174aab2610e4a8752f6fca95494584db65cc7bd1ef50ee0d8c8211efb5063a995801cc0c1a903042b7ff7c94094a0de5d7390a8f72a01949cd958c6f2012692bd5dba6f30b09c3c0b69622864450203010001a38201053082010130090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e04160414de90b5d11c6c643c7450d36af8886ca31938fb72306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100301e0603551d1104173015811364617665407374726f6e677377616e2e6f726730390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f7374726f6e677377616e2e63726c300d06092a864886f70d0101040500038201010027a2d727384d2d2432f2f15875fa7693db3af1c7d5317cc21e1658f0843a918875d22c301b08e9c05a8aa3f02f6b8ae6705bb508988210f494fd19d92db786db21c1b6e6b18c0b7baa3fbd427da033fd2c08659daf9bc26dd99cf348c1ec139a9b8c32110199eaea08913f6b3a3d5b0c3d2a6f1f7e2c45b13452858949db416493f96dbf93e2173d81f99bc937b0c0c9e3874f4a90626a571295502ff5cf553dcdbdd7d4673dcbecc8ebbfc3e3ac0ce8a75120d6aa3dd2b6e9a61114cfbf0cba137c5934eddb32cfb96dd02fbf8adc903afa5f8d5959fce7a94fdd9e5a7a3816e35126e50fe7f818887bd2b2365b6b3a86d36a86849e9582d193e6a20b513988' +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 1 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 2 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 3 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 4 +); + +/* Private Keys */ + +INSERT INTO private_keys ( + type, data +) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=dave@strongswan.org' */ + 1, X'308204a40201000282010100c66c299463a8a78abef5ffa45679b7a070b5139834b146aa5138d0f1d8845412e112e4429ceeab23473e395e8aa38b2c024118d85b7ddf504118eabedf9c793bd02c949d6799cabeefe03ff62e304ddec98313afd966bcf13f1fb1a619548a060e17fbede205225b574e679adc9f11bdf9e36b48bea058d360d62b8445f9524db98757a4d59865363c675d28667a5dfa967dd03eea23a2dbea32ab0e9a1f8bb885f5e12723113843a12dd00552fcd4f548b31174aab2610e4a8752f6fca95494584db65cc7bd1ef50ee0d8c8211efb5063a995801cc0c1a903042b7ff7c94094a0de5d7390a8f72a01949cd958c6f2012692bd5dba6f30b09c3c0b696228644502030100010282010100903fb9caa2d8cd5454974a0e12bfd1fad5750e95ac58e462954194c4fcfed690130844e1186d7a04df9a20e2d62f26d20ba17f8a6a990b6bb0a788a0d2b7527b654fc38adaf2372eaffc7b036178c4639e63a84042f02993c8ac25ddf6b43ad34413b396b0a5c2e05c8c274db1ee025bf5fa9ad7fb9d5e75ed044606974835c7fbc39ae84b80acaae9e9624e6fe8ac0ca318ad8a7d1c6ed3a79261464e6ebdb9c02ef20cb1c206c58718d542ed9cb1428c5c3cebbd58dc25598bbdd9924c75fdfeac881949e5f10a7dd4dc25800bdb4bd479ca0bfb706f25847361b2d2565a412813273691b4a3a5a814dce52cdbe25d626e6c9e000ecd6a75cac275187e265102818100e596d3ee25cd98563b12bf718c0ce7e7a823ae8c84f1021552b6b0bf220b7e012861510ab49d612fe7ba05a202edf4927201af0f33f4137481811f884fc46723f94db8ed69b283376f3141ad7e6f0f52afee60e537111c5bd94642564981a822e54edb6797521fb5870c772993ff517ea9c24adcd9dc502f1364d26a3f05ec4f02818100dd3f81e8a4f463488db2b048f2ef208c1c98ee136636b6449cbd3424c93ab25916908823a1ef3a23b4798c77f92a3e29b9469f8014c6b862e23ab5fe6000f9552de01f72c0a1fcc731b0867a3bf1d27596fc9da6ecd74931ce120b1687d2a67b4e4fb32b7fb750b46645aa38ab011a4d5fedd53d20e5ae3a4a5551b6cc5f5d2b02818100ba744b9954ca2bb59c341596398f21a7593de13bed9b6d7db3b6fac3befa6652ba608e588b6664cf6afa00291b07f5601986948d5c3c14b0c19c03e7c82051433dec890b06941b4ca1d8f6e5d7908a7934b7fba92b9791d86614513b9266e20db4fcdde2bb59ceb6b5fec1a7dab1b7958e786424082a8c542f03ea7eaec038b1028180055e2312b7ddce02d69d3d35a7df3154f4e4a8f2038ad44539e0454197383b5779faabb2e19ce236378cb361bdc3ce9a488a74183168d8d45d54bb519e96a775ef94fe6e544a19cde360bb02802dcfc356946e66bc5c44c456918d7f507045e5bbf2a710291b13742cff07b03445e49377fe572c127e4009ddffcfe9b56fa2dd02818040d41f525d885c951dca35924f46e4e7f4e43f4ea2e670230deb674884f5b8599a368b1647dd87523c4fdb62661f6543edecc9ce48d4a7b8b2a29de21fd438a9cf4823b92c85180b390c4f8dfbc196628d349fed1edd32cba5c063e2739d2153d3677d4815e55b8b4e9d0989b32cf0060de2ded4cd59edf6a4364cb55aff9276' +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 3 +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 4 +); + +/* Configurations */ + +INSERT INTO ike_configs ( + local, remote +) VALUES ( + 'PH_IP_DAVE', 'PH_IP_MOON' +); + +INSERT INTO peer_configs ( + name, ike_cfg, local_id, remote_id, virtual +) VALUES ( + 'home', 1, 3, 5, '0.0.0.0' +); + +INSERT INTO child_configs ( + name, updown +) VALUES ( + 'home', 'ipsec _updown iptables' +); + +INSERT INTO peer_config_child_config ( + peer_cfg, child_cfg +) VALUES ( + 1, 1 +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( /* 10.1.0.0/16 */ + 7, X'0a010000', X'0a01ffff' +); + +INSERT INTO traffic_selectors ( + type +) VALUES ( /* dynamic/32 */ + 7 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 1, 1 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 2, 2 +); + diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/ipsec.secrets b/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/ipsec.secrets new file mode 100644 index 000000000..76bb21bea --- /dev/null +++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +# secrets are read from SQLite database diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/strongswan.conf b/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..29e2395e8 --- /dev/null +++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/strongswan.conf @@ -0,0 +1,10 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + plugins { + sql { + database = sqlite:///etc/ipsec.d/ipsec.db + } + } + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown sqlite sql +} diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/ipsec.conf b/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..3bc29625f --- /dev/null +++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/ipsec.conf @@ -0,0 +1,8 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +# configuration is read from SQLite database diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/ipsec.d/data.sql new file mode 100644 index 000000000..2170e41af --- /dev/null +++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/ipsec.d/data.sql @@ -0,0 +1,204 @@ +/* Identities */ + +INSERT INTO identities ( + type, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 202, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* moon.strongswan.org */ + 2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */ + 202, X'd70dbd46d5133519064f12f100525ead0802ca95' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* %any */ + 0, '%any' +); + +INSERT INTO identities ( + type, data +) VALUES ( /* carol@strongswan.org */ + 3, X'6361726f6c407374726f6e677377616e2e6f7267' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* dave@strongswan.org */ + 3, X'64617665407374726f6e677377616e2e6f7267' + ); + +/* Certificates */ + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 1, 1, X'308203b53082029da003020102020100300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131303134355a170d3134303930383131303134355a3045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100bff25f62ea3d566e58b3c87a49caf3ac61cfa96377734d842db3f8fd6ea023f7b0132e66265012317386729c6d7c427a8d9f167be138e8ebae2b12b95933baef36a315c3ddf224cee4bb9bd578135d0467382629621ff96b8d45f6e002e5083662dce181805c140b3f2ce93f83aee3c861cff610a39f0189cb3a3c7cb9bf7e2a09544e2170efaa18fdd4ff20fa94be176d7fecff821f68d17152041d9b46f0cfcfc1e4cf43de5d3f3a587763afe9267f53b11699b3264fc55c5189f5682871166cb98307950569641fa30ffb50de134fed2f973cef1a392827862bc4ddaa97bbb01442e293c41070d07224d4be47ae2753eb2bed4bc1da91c68ec780c4620f0f0203010001a381af3081ac300f0603551d130101ff040530030101ff300b0603551d0f040403020106301d0603551d0e041604145da7dd700651327ee7b66db3b5e5e060ea2e4def306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100300d06092a864886f70d010104050003820101009ad74e3e60592dfb9b21c78628bd76b63090c1720c74bf94753cad6fddadc9c776eb39d3bfaa52136bf528840078386308fcf79503bd3d1ad6c15ac38e10c846bff7888a03cfe7fa0e644b522b2af5aedf0bbc508dc48330a180757772771095059b2be148f58dc0c753b59e9d6bfb02e9b685a928a284531b187313fd2b835bc9ea27d0020739a8d485e88bdede9a45cde6d28ed553b0e8e92dabf877bed59abf9d151f15e4f2d00b5e6e49fcb665293d2296697926c2954dae367542ef6e98053e76d2728732f6ce69f284f0b856aa6c2823a9ee29b280a66f50828f9b5cf27f84feca3c31c24897db156c7a833768ab306f51286457a51f09dd53bbb4190f' +); + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=moon.strongswan.org */ + 1, 1, X'3082040d308202f5a003020102020103300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131313732355a170d3039303930393131313732355a3046310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311c301a060355040313136d6f6f6e2e7374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100afae2e109ac0a71b437b6f1a9e5194d085c999fe2c8de11b261f016c88e734eb1a6767b15bc7d8338bf3acc14e8a18bf857fd3dfbce637e9b0d3654f15d9068bdf4450517cf72651be8d4c8ff738ea961b2f5584bf7089afaa0a37b94910d18083bf649a7d395a41f04e68f14494d10ffc7d984a2c81e97f3421c1ec38c629b2456a3d8f3bf3915e86317ea71bb24422bef475e677e8967670b4f6ee2a80a45adcbd086a6537ab5fc12bf69f9072b620020de1880cec6cdea47543d1fec4c5ff547ac2447a1e210d9c128dc3337726eb63d5c1c731aa2c63ce175dbc8ebfb9c1e5198815be473781c3f82c2b59d23deb9739dda53c98d31a3fba57760aeaa89b0203010001a38201053082010130090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e04160414e5e410876c2ac4bead854942a6de7658303a9fc1306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100301e0603551d110417301582136d6f6f6e2e7374726f6e677377616e2e6f726730390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f7374726f6e677377616e2e63726c300d06092a864886f70d010104050003820101002f2f2921667aa576bb0c71b601dfa5b358a93e84e8a1af9754ddfbfc67879cb6c6b7833c5749e7c30b11a87b3549e105dda5d371c459f7d40fabd60c4ac8623924be84c96cfa638eb6ce9f6513b9d61080b895d270c405eacc310c709a613b6f61029c94f535ac5836b890be402ad2c52f01f7fd4bff8c0cc0cbea9720ef21c0bb41fb0726852a3c38563d917fdcca186dede6fbc83febd9edf0541382464ee378f7b8c9684df0d2402b07eb11dd4a886ab5e7299d99ea2686994746c2d9c00d95b02b2950d67f7978c6db5b379c4a3170239c414cf743bab866005366809690073a150e73c6866b9b335616acdbd3a8e651596dedb686b5d8d3eeb12df9d729' +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 1 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 2 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 3 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 4 +); + +/* Private Keys */ + +INSERT INTO private_keys ( + type, data +) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */ + 1, X'308204a30201000282010100afae2e109ac0a71b437b6f1a9e5194d085c999fe2c8de11b261f016c88e734eb1a6767b15bc7d8338bf3acc14e8a18bf857fd3dfbce637e9b0d3654f15d9068bdf4450517cf72651be8d4c8ff738ea961b2f5584bf7089afaa0a37b94910d18083bf649a7d395a41f04e68f14494d10ffc7d984a2c81e97f3421c1ec38c629b2456a3d8f3bf3915e86317ea71bb24422bef475e677e8967670b4f6ee2a80a45adcbd086a6537ab5fc12bf69f9072b620020de1880cec6cdea47543d1fec4c5ff547ac2447a1e210d9c128dc3337726eb63d5c1c731aa2c63ce175dbc8ebfb9c1e5198815be473781c3f82c2b59d23deb9739dda53c98d31a3fba57760aeaa89b0203010001028201004080550d67a42036945a377ab072078f5fef9b0885573a34fb941ab3bcb816e7d2f3f050600049d2f3296e5e32f5e50c3c79a852d74a377127a915e329845b30f3b26342e7fcde26d92d8bd4b7d23fdf08f02217f129e2838a8ce1d4b78ce33eaa2095515b74b93cc87c216fa3dc77bdc4d86017ababaf0d3318c9d86f27e29aa3301f6d7990f6f7f71db9de23ac66800ba0db4f42bbe82932ca56e08ba730c63febaf2779198cee387ee0934b32a2610ab990a4b908951bb1db2345cf1905f11aeaa6d1b368b7f82b1345ad14544e11d47d6981fc4be083326050cb950363dad1b28dbc16db42ec0fa973312c7306063bc9f308a6b0bcc965e5cb7e0b323ca102818100e71fffd9c9a528bdcb6e9ad1a5f4b354e3ea337392784aac790b4fba7f46b3b58d55965573f6493b686375cf6a0c68da9379434b055b625f01d64a9f1934cb075b25db5ef568325039674d577590b5ec54284842e04c27c97103a151805c9b620a3df84181e3a0c10752a7da6cac9629471a2bc85b32c3a160f3a8adf2d783d302818100c2968f5baf0d246bb9671b1dcfadab3a23cd6f9f1cba8c4b0d9b09d6c30a24eec174f22a4d9d2818d760b79a61c9cdd1381487723a99773a629b58171a6e28706bf083700f35037a0cb0649c9359987ccf77b44b4b3d94c614c74537c7025b503dc9967095411ecaec4b4427bc39dd5dfccbb8bab5d92e9465ab11e5e05d7319028181008b306e388e837461b89dc786f256c7991c18f31b6ade1eba77bb242cc071a7d0726954bbe9b62cac26559fa165d04b6536e3146f9dae4733c83b717d1705003051e81e90b56226cac18740c0a7009b4ed3efde74c7f7950e6f8d2c1d951c30477ebb8b428822b9b105e3f54a49a0365e6d7f895683f5b273019c3bbd663dfc190281807f5def6e12b1a682407405a2c8ba2356c5f2853a7fa2778bf4d6e364c87b4e5b5d138023427438b7b1da63b35088b808570dd0ee6afee2b4bbb074c382905235ebe11d176f4cc2fed3696e21b2ad358b947d04ed37cd9220e99ed966be0383e38cddf373b3ae514a7fca704d15fe46306bf4a8f0c570e7f5486ae6273269d89902818031055903f23c7db8da8951aad134c83a7ca951c48c9a7b994f36d9815bc82c80527b6da8e4beff9fee67b1fde5064719a40448bd6d70d9da8910122402835a328e74cfd34e8b568c29fae6ff831ef824fc825e609547a06052a4113ec09f00649bb7b7d195a773f11711c88f152b10a1b4ae58bb6d8bfc176e39f96c7c0de5c8' +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 3 +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 4 +); + +/* Configurations */ + +INSERT INTO ike_configs ( + local, remote +) VALUES ( + 'PH_IP_MOON', '0.0.0.0' +); + +INSERT INTO peer_configs ( + name, ike_cfg, local_id, remote_id, pool +) VALUES ( + 'rw', 1, 3, 5, 'pool0,pool1' +); + +INSERT INTO child_configs ( + name, updown +) VALUES ( + 'rw', 'ipsec _updown iptables' +); + +INSERT INTO peer_config_child_config ( + peer_cfg, child_cfg +) VALUES ( + 1, 1 +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( /* 10.1.0.0/16 */ + 7, X'0a010000', X'0a01ffff' +); + +INSERT INTO traffic_selectors ( + type +) VALUES ( /* dynamic/32 */ + 7 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 1, 0 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 2, 3 +); + +/* Pools */ + +INSERT INTO pools ( + name, start, end, timeout +) VALUES ( + 'pool0', X'0a030001', X'0a030002', 0 +); + +INSERT INTO pools ( + name, start, end, timeout +) VALUES ( + 'pool1', X'0a030101', X'0a030102', 0 +); + +INSERT INTO addresses ( + pool, address, identity, acquired, released +) VALUES ( + 1, X'0a030001', 6, 1247817255, 1247817277 +); + +INSERT INTO addresses ( + pool, address +) VALUES ( + 1, X'0a030002' +); + +INSERT INTO addresses ( + pool, address, identity, acquired, released +) VALUES ( + 2, X'0a030101', 7, 1247817257, 1247817278 +); + +INSERT INTO addresses ( + pool, address +) VALUES ( + 2, X'0a030102' +); + +INSERT INTO leases ( + address, identity, acquired, released +) VALUES ( + 1, 6, 1247817255, 1247817277 +); + +INSERT INTO leases ( + address, identity, acquired, released +) VALUES ( + 3, 7, 1247817257, 1247817278 +); + + + diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/ipsec.secrets b/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..76bb21bea --- /dev/null +++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +# secrets are read from SQLite database diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/strongswan.conf b/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..a747a6cb1 --- /dev/null +++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/strongswan.conf @@ -0,0 +1,14 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + plugins { + sql { + database = sqlite:///etc/ipsec.d/ipsec.db + } + } + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown sqlite sql +} + +pool { + load = sqlite +} diff --git a/testing/tests/sql/ip-split-pools-db-restart/posttest.dat b/testing/tests/sql/ip-split-pools-db-restart/posttest.dat new file mode 100644 index 000000000..5ff7b9d47 --- /dev/null +++ b/testing/tests/sql/ip-split-pools-db-restart/posttest.dat @@ -0,0 +1,7 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::rm /etc/ipsec.d/ipsec.* +carol::rm /etc/ipsec.d/ipsec.* +dave::rm /etc/ipsec.d/ipsec.* +~ diff --git a/testing/tests/sql/ip-split-pools-db-restart/pretest.dat b/testing/tests/sql/ip-split-pools-db-restart/pretest.dat new file mode 100644 index 000000000..8b30de8c4 --- /dev/null +++ b/testing/tests/sql/ip-split-pools-db-restart/pretest.dat @@ -0,0 +1,18 @@ +moon::rm /etc/ipsec.d/cacerts/* +carol::rm /etc/ipsec.d/cacerts/* +dave::rm /etc/ipsec.d/cacerts/* +moon::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql +carol::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql +dave::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql +moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db +carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db +dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db +moon::ipsec pool --status 2> /dev/null +moon::ipsec pool --leases 2> /dev/null +moon::ipsec start +dave::ipsec start +carol::ipsec start +dave::sleep 1 +dave::ipsec up home +carol::ipsec up home +carol::sleep 1 diff --git a/testing/tests/sql/ip-split-pools-db-restart/test.conf b/testing/tests/sql/ip-split-pools-db-restart/test.conf new file mode 100644 index 000000000..75510b295 --- /dev/null +++ b/testing/tests/sql/ip-split-pools-db-restart/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="alice moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/sql/ip-split-pools-db/description.txt b/testing/tests/sql/ip-split-pools-db/description.txt new file mode 100644 index 000000000..0c11c7eed --- /dev/null +++ b/testing/tests/sql/ip-split-pools-db/description.txt @@ -0,0 +1,6 @@ +The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each +to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>. +Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKEv2 configuration +payload. The gateway moon assigns virtual IP addresses from two disjoint pools named +<b>pool0</b> comprising the single address <b>10.3.0.1</b> and <b>pool1</b> comprising the +single address <b>10.3.1.1</b> predefined in the SQL database. diff --git a/testing/tests/sql/ip-split-pools-db/evaltest.dat b/testing/tests/sql/ip-split-pools-db/evaltest.dat new file mode 100644 index 000000000..f358b62c8 --- /dev/null +++ b/testing/tests/sql/ip-split-pools-db/evaltest.dat @@ -0,0 +1,15 @@ +carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES +carol::ipsec status::home.*INSTALLED::YES +dave::cat /var/log/daemon.log::installing new virtual IP 10.3.1.1::YES +dave::ipsec status::home.*INSTALLED::YES +moon::cat /var/log/daemon.log::acquired new lease for address 10.3.0.1 in pool.*pool0::YES +moon::cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer::YES +moon::cat /var/log/daemon.log::no available address found in pool.*pool0::YES +moon::cat /var/log/daemon.log::acquired new lease for address 10.3.1.1 in pool.*pool1::YES +moon::cat /var/log/daemon.log::assigning virtual IP 10.3.1.1 to peer::YES +moon::ipsec pool --status 2> /dev/null::pool0.*10.3.0.1.*10.3.0.1.*static.*1 .*1 .*1 ::YES +moon::ipsec pool --status 2> /dev/null::pool1.*10.3.1.1.*10.3.1.1.*static.*1 .*1 .*1 ::YES +moon::ipsec pool --leases --filter pool=pool0,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES +moon::ipsec pool --leases --filter pool=pool1,addr=10.3.1.1,id=dave@strongswan.org 2> /dev/null::online::YES +moon::ipsec status::rw.*ESTABLISHED.*carol@strongswan.org::YES +moon::ipsec status::rw.*ESTABLISHED.*dave@strongswan.org::YES diff --git a/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/ipsec.conf b/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..3bc29625f --- /dev/null +++ b/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/ipsec.conf @@ -0,0 +1,8 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +# configuration is read from SQLite database diff --git a/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/ipsec.d/data.sql new file mode 100644 index 000000000..ca813d44f --- /dev/null +++ b/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/ipsec.d/data.sql @@ -0,0 +1,140 @@ +/* Identities */ + +INSERT INTO identities ( + type, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 202, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* carol@strongswan.org */ + 3, X'6361726f6c407374726f6e677377616e2e6f7267' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=carol@strongswan.org' */ + 202, X'985c23660cd9b9a7554da6a4aa31ea02230fd482' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* moon.strongswan.org */ + 2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267' + ); + +/* Certificates */ + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 1, 1, X'308203b53082029da003020102020100300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131303134355a170d3134303930383131303134355a3045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100bff25f62ea3d566e58b3c87a49caf3ac61cfa96377734d842db3f8fd6ea023f7b0132e66265012317386729c6d7c427a8d9f167be138e8ebae2b12b95933baef36a315c3ddf224cee4bb9bd578135d0467382629621ff96b8d45f6e002e5083662dce181805c140b3f2ce93f83aee3c861cff610a39f0189cb3a3c7cb9bf7e2a09544e2170efaa18fdd4ff20fa94be176d7fecff821f68d17152041d9b46f0cfcfc1e4cf43de5d3f3a587763afe9267f53b11699b3264fc55c5189f5682871166cb98307950569641fa30ffb50de134fed2f973cef1a392827862bc4ddaa97bbb01442e293c41070d07224d4be47ae2753eb2bed4bc1da91c68ec780c4620f0f0203010001a381af3081ac300f0603551d130101ff040530030101ff300b0603551d0f040403020106301d0603551d0e041604145da7dd700651327ee7b66db3b5e5e060ea2e4def306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100300d06092a864886f70d010104050003820101009ad74e3e60592dfb9b21c78628bd76b63090c1720c74bf94753cad6fddadc9c776eb39d3bfaa52136bf528840078386308fcf79503bd3d1ad6c15ac38e10c846bff7888a03cfe7fa0e644b522b2af5aedf0bbc508dc48330a180757772771095059b2be148f58dc0c753b59e9d6bfb02e9b685a928a284531b187313fd2b835bc9ea27d0020739a8d485e88bdede9a45cde6d28ed553b0e8e92dabf877bed59abf9d151f15e4f2d00b5e6e49fcb665293d2296697926c2954dae367542ef6e98053e76d2728732f6ce69f284f0b856aa6c2823a9ee29b280a66f50828f9b5cf27f84feca3c31c24897db156c7a833768ab306f51286457a51f09dd53bbb4190f' +); + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=carol@strongswan.org */ + 1, 1, X'308204223082030aa00302010202010a300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3035303130313231343331385a170d3039313233313231343331385a305a310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e3111300f060355040b13085265736561726368311d301b060355040314146361726f6c407374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100b81b84920408e086c8d278d3ad2e9ffc01b89e8c423b612b908010f8174ff96f6729e84b185fb96e60783082c507ace9d64f79beb0252e05e5f1f7a89a0b33e6789f5deb665084cb230191c165bcad1a34563e011b349bb6ab517f01ecf7e2f4de961d36203b85e97811cb26b650cfd014d15dd2d2b71efd656e5638a24bf70986b8128bbae5f3b428d6360e03d3f4e816502e3d1d14d7165ab1a92a9fe15ef045d4e48ff5bd798ec80c9420962c9a9798b54a0ed2a00cf2c9651d7d9882e181c1ef6b1c43edcada2fd191e109962dbd26f38a00208c1ac3ed27a5924c60330c79878eb5c7a90960a6472f979aca9c5aee2bb4d0aed395b546c5e361910a06370203010001a38201063082010230090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e041604145535eca6eba279baef887f18438fd227b16746d1306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100301f0603551d110418301681146361726f6c407374726f6e677377616e2e6f726730390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f7374726f6e677377616e2e63726c300d06092a864886f70d01010405000382010100b1304a7e65d72573468853e8cedd398bf3581cc1e6b4054b9c8d97c3caf0929035dc5e274e7b3fa5fef52e7860bb06aab5ba40c5f1ca55806b4cd873f133ded948b3c89cc81621e2eadee5fc893b48a34e4462a45ab09c41200918f68ea36babfacf4099aa349b8b65841eb1e416b90e4eb462edd786cdb0008565633a701fcd2c416ae8e4754c5bea3181736179aa901e5526c4fac031ce649d851c85ded514c25e3269b0739a879d273950e1a9ea8341b5e1049c07181792ad37da02aeccd555c56469e8e15a9e72860b520dbec05662d37adb08d79575e133f338b0116198fa5fb556fe02682bd634aca535f6750b0daa123f5ad36f2e67caa260587f1aa9' +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 1 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 2 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 3 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 4 +); + +/* Private Keys */ + +INSERT INTO private_keys ( + type, data +) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=carol@strongswan.org' */ + 1, X'308204a30201000282010100b81b84920408e086c8d278d3ad2e9ffc01b89e8c423b612b908010f8174ff96f6729e84b185fb96e60783082c507ace9d64f79beb0252e05e5f1f7a89a0b33e6789f5deb665084cb230191c165bcad1a34563e011b349bb6ab517f01ecf7e2f4de961d36203b85e97811cb26b650cfd014d15dd2d2b71efd656e5638a24bf70986b8128bbae5f3b428d6360e03d3f4e816502e3d1d14d7165ab1a92a9fe15ef045d4e48ff5bd798ec80c9420962c9a9798b54a0ed2a00cf2c9651d7d9882e181c1ef6b1c43edcada2fd191e109962dbd26f38a00208c1ac3ed27a5924c60330c79878eb5c7a90960a6472f979aca9c5aee2bb4d0aed395b546c5e361910a063702030100010282010100a7870abc1f85c061858dd7baae24f61947abaa41f0e6bd85f9c83f28b175e980d0bc168f76cf6c199f18def3afbc4b40c0edb2d7accb3834cfc7bd57234d3c5de4b707ac737ea3478144255079761581f9cbdc41ff72809ad90ba069ad2ae7cf7057e29ee4f7a4e40c890c75de826c8768da16e9072af0bd1db6282902ade34cb1b9c3fdd00a8f0330328e18d477009ac5a43952fe05b7257b8b4e7f8f5288e858ef56ea3a031980d38b879e6327d949a8f3c19bf379c1297b3defc0a374a6ea6f1c0e8124247c33392ae446081f486f58bb41cbcba25915d37eefe0828408f7f679841588424ef59b6dee30805b926fa80e7ff57cb4817167ca72bf51c8cf9102818100da567b0cbbc426e4455ffdd1b8013644d9f47785b05b163a0155c81d57c0cd84fe73aa75125caf116de50b7adc369707ed91127db7d4422bb08cff5ddf91f4a0e5fb264e098fe6fe62f8a2ab933eeac41893f365d8165f79143855b5a5b7dc31c9b34a9d453ee7c8d7b24f89e3ed51bfeadc2e1102308a967b241dfb44c8ad6902818100d7dd78437c533a15fd1dd6b0634334e79c31d215017f5a8869e42cbada3fb09167585e087e72f91575441f7cca9a64246df57f0e45f1ae86a289a4307586aa1cc3cd069c65057cc3b0baac3634064e53179bde9af2531a5af2770a1d7ccbdc263f18299ad2ec0d224b718002633a546af74c7cac72ccdf253ab4370137bf829f02818063b2f5c15cc43716296fa9d167fa75b37eeb18e0dd24dac365f4abca6a55ca031ec5e6624b1e337afbf9890273282253267206458df9c8b5768b0bd8ebcc142e9c95d069f607d5ecf7789d9f473f85a841a8dd8df5dc518052715f01f14841ae22725271fa3abd5082de135fddca7277f660d05047f5ae73048bfb7ccf6deb7102818028b2b4ade48ebc70d0dc03521624e1a0992e3b71826ac462dbb40d4add430cc31d3ce7ddaa197b24b48b37748bae381b363006d8660f7edc1b60dff7d2f0a4b9efa0841290694c7088ad69327ef48167e1179e0c908b6278ab260e5e28dd36906f6cdacb39e10f48dbf8762dfd0f4e432c84db2c98285019f0cb7163656351f902818042a7d7d7f9416b3f3b50cf5815dfbc249cd3572e494c76d1ae99dc1e8bc63fbb32e5c18d5c4f90681e9046999cdcf0826f904350b9d67227f606382d9c7b3b1332d22744b2cefa691ab82dbec8e976a406b0902d0f4889392f80d39e2581ac42feed9085964650485e34811b04fa1f34c47cde5cbdd1d20f30111851a3c187ca' +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 3 +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 4 +); + +/* Configurations */ + +INSERT INTO ike_configs ( + local, remote +) VALUES ( + 'PH_IP_CAROL', 'PH_IP_MOON' +); + +INSERT INTO peer_configs ( + name, ike_cfg, local_id, remote_id, virtual +) VALUES ( + 'home', 1, 3, 5, '0.0.0.0' +); + +INSERT INTO child_configs ( + name, updown +) VALUES ( + 'home', 'ipsec _updown iptables' +); + +INSERT INTO peer_config_child_config ( + peer_cfg, child_cfg +) VALUES ( + 1, 1 +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( /* 10.1.0.0/16 */ + 7, X'0a010000', X'0a01ffff' +); + +INSERT INTO traffic_selectors ( + type +) VALUES ( /* dynamic/32 */ + 7 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 1, 1 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 2, 2 +); + diff --git a/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/ipsec.secrets b/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..76bb21bea --- /dev/null +++ b/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +# secrets are read from SQLite database diff --git a/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/strongswan.conf b/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..29e2395e8 --- /dev/null +++ b/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/strongswan.conf @@ -0,0 +1,10 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + plugins { + sql { + database = sqlite:///etc/ipsec.d/ipsec.db + } + } + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown sqlite sql +} diff --git a/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/ipsec.conf b/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..3bc29625f --- /dev/null +++ b/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/ipsec.conf @@ -0,0 +1,8 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +# configuration is read from SQLite database diff --git a/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/ipsec.d/data.sql b/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/ipsec.d/data.sql new file mode 100644 index 000000000..5233806c7 --- /dev/null +++ b/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/ipsec.d/data.sql @@ -0,0 +1,140 @@ +/* Identities */ + +INSERT INTO identities ( + type, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 202, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* dave@strongswan.org */ + 3, X'64617665407374726f6e677377616e2e6f7267' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=dave@strongswan.org' */ + 202, X'f651b7ea33148cc5a76a622f1c1eb16c6bbdea25' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* moon.strongswan.org */ + 2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267' + ); + +/* Certificates */ + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 1, 1, X'308203b53082029da003020102020100300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131303134355a170d3134303930383131303134355a3045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100bff25f62ea3d566e58b3c87a49caf3ac61cfa96377734d842db3f8fd6ea023f7b0132e66265012317386729c6d7c427a8d9f167be138e8ebae2b12b95933baef36a315c3ddf224cee4bb9bd578135d0467382629621ff96b8d45f6e002e5083662dce181805c140b3f2ce93f83aee3c861cff610a39f0189cb3a3c7cb9bf7e2a09544e2170efaa18fdd4ff20fa94be176d7fecff821f68d17152041d9b46f0cfcfc1e4cf43de5d3f3a587763afe9267f53b11699b3264fc55c5189f5682871166cb98307950569641fa30ffb50de134fed2f973cef1a392827862bc4ddaa97bbb01442e293c41070d07224d4be47ae2753eb2bed4bc1da91c68ec780c4620f0f0203010001a381af3081ac300f0603551d130101ff040530030101ff300b0603551d0f040403020106301d0603551d0e041604145da7dd700651327ee7b66db3b5e5e060ea2e4def306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100300d06092a864886f70d010104050003820101009ad74e3e60592dfb9b21c78628bd76b63090c1720c74bf94753cad6fddadc9c776eb39d3bfaa52136bf528840078386308fcf79503bd3d1ad6c15ac38e10c846bff7888a03cfe7fa0e644b522b2af5aedf0bbc508dc48330a180757772771095059b2be148f58dc0c753b59e9d6bfb02e9b685a928a284531b187313fd2b835bc9ea27d0020739a8d485e88bdede9a45cde6d28ed553b0e8e92dabf877bed59abf9d151f15e4f2d00b5e6e49fcb665293d2296697926c2954dae367542ef6e98053e76d2728732f6ce69f284f0b856aa6c2823a9ee29b280a66f50828f9b5cf27f84feca3c31c24897db156c7a833768ab306f51286457a51f09dd53bbb4190f' +); + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=dave@strongswan.org */ + 1, 1, X'308204223082030aa003020102020108300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131323635315a170d3039303930393131323635315a305b310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e31133011060355040b130a4163636f756e74696e67311c301a0603550403141364617665407374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100c66c299463a8a78abef5ffa45679b7a070b5139834b146aa5138d0f1d8845412e112e4429ceeab23473e395e8aa38b2c024118d85b7ddf504118eabedf9c793bd02c949d6799cabeefe03ff62e304ddec98313afd966bcf13f1fb1a619548a060e17fbede205225b574e679adc9f11bdf9e36b48bea058d360d62b8445f9524db98757a4d59865363c675d28667a5dfa967dd03eea23a2dbea32ab0e9a1f8bb885f5e12723113843a12dd00552fcd4f548b31174aab2610e4a8752f6fca95494584db65cc7bd1ef50ee0d8c8211efb5063a995801cc0c1a903042b7ff7c94094a0de5d7390a8f72a01949cd958c6f2012692bd5dba6f30b09c3c0b69622864450203010001a38201053082010130090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e04160414de90b5d11c6c643c7450d36af8886ca31938fb72306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100301e0603551d1104173015811364617665407374726f6e677377616e2e6f726730390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f7374726f6e677377616e2e63726c300d06092a864886f70d0101040500038201010027a2d727384d2d2432f2f15875fa7693db3af1c7d5317cc21e1658f0843a918875d22c301b08e9c05a8aa3f02f6b8ae6705bb508988210f494fd19d92db786db21c1b6e6b18c0b7baa3fbd427da033fd2c08659daf9bc26dd99cf348c1ec139a9b8c32110199eaea08913f6b3a3d5b0c3d2a6f1f7e2c45b13452858949db416493f96dbf93e2173d81f99bc937b0c0c9e3874f4a90626a571295502ff5cf553dcdbdd7d4673dcbecc8ebbfc3e3ac0ce8a75120d6aa3dd2b6e9a61114cfbf0cba137c5934eddb32cfb96dd02fbf8adc903afa5f8d5959fce7a94fdd9e5a7a3816e35126e50fe7f818887bd2b2365b6b3a86d36a86849e9582d193e6a20b513988' +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 1 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 2 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 3 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 4 +); + +/* Private Keys */ + +INSERT INTO private_keys ( + type, data +) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=dave@strongswan.org' */ + 1, X'308204a40201000282010100c66c299463a8a78abef5ffa45679b7a070b5139834b146aa5138d0f1d8845412e112e4429ceeab23473e395e8aa38b2c024118d85b7ddf504118eabedf9c793bd02c949d6799cabeefe03ff62e304ddec98313afd966bcf13f1fb1a619548a060e17fbede205225b574e679adc9f11bdf9e36b48bea058d360d62b8445f9524db98757a4d59865363c675d28667a5dfa967dd03eea23a2dbea32ab0e9a1f8bb885f5e12723113843a12dd00552fcd4f548b31174aab2610e4a8752f6fca95494584db65cc7bd1ef50ee0d8c8211efb5063a995801cc0c1a903042b7ff7c94094a0de5d7390a8f72a01949cd958c6f2012692bd5dba6f30b09c3c0b696228644502030100010282010100903fb9caa2d8cd5454974a0e12bfd1fad5750e95ac58e462954194c4fcfed690130844e1186d7a04df9a20e2d62f26d20ba17f8a6a990b6bb0a788a0d2b7527b654fc38adaf2372eaffc7b036178c4639e63a84042f02993c8ac25ddf6b43ad34413b396b0a5c2e05c8c274db1ee025bf5fa9ad7fb9d5e75ed044606974835c7fbc39ae84b80acaae9e9624e6fe8ac0ca318ad8a7d1c6ed3a79261464e6ebdb9c02ef20cb1c206c58718d542ed9cb1428c5c3cebbd58dc25598bbdd9924c75fdfeac881949e5f10a7dd4dc25800bdb4bd479ca0bfb706f25847361b2d2565a412813273691b4a3a5a814dce52cdbe25d626e6c9e000ecd6a75cac275187e265102818100e596d3ee25cd98563b12bf718c0ce7e7a823ae8c84f1021552b6b0bf220b7e012861510ab49d612fe7ba05a202edf4927201af0f33f4137481811f884fc46723f94db8ed69b283376f3141ad7e6f0f52afee60e537111c5bd94642564981a822e54edb6797521fb5870c772993ff517ea9c24adcd9dc502f1364d26a3f05ec4f02818100dd3f81e8a4f463488db2b048f2ef208c1c98ee136636b6449cbd3424c93ab25916908823a1ef3a23b4798c77f92a3e29b9469f8014c6b862e23ab5fe6000f9552de01f72c0a1fcc731b0867a3bf1d27596fc9da6ecd74931ce120b1687d2a67b4e4fb32b7fb750b46645aa38ab011a4d5fedd53d20e5ae3a4a5551b6cc5f5d2b02818100ba744b9954ca2bb59c341596398f21a7593de13bed9b6d7db3b6fac3befa6652ba608e588b6664cf6afa00291b07f5601986948d5c3c14b0c19c03e7c82051433dec890b06941b4ca1d8f6e5d7908a7934b7fba92b9791d86614513b9266e20db4fcdde2bb59ceb6b5fec1a7dab1b7958e786424082a8c542f03ea7eaec038b1028180055e2312b7ddce02d69d3d35a7df3154f4e4a8f2038ad44539e0454197383b5779faabb2e19ce236378cb361bdc3ce9a488a74183168d8d45d54bb519e96a775ef94fe6e544a19cde360bb02802dcfc356946e66bc5c44c456918d7f507045e5bbf2a710291b13742cff07b03445e49377fe572c127e4009ddffcfe9b56fa2dd02818040d41f525d885c951dca35924f46e4e7f4e43f4ea2e670230deb674884f5b8599a368b1647dd87523c4fdb62661f6543edecc9ce48d4a7b8b2a29de21fd438a9cf4823b92c85180b390c4f8dfbc196628d349fed1edd32cba5c063e2739d2153d3677d4815e55b8b4e9d0989b32cf0060de2ded4cd59edf6a4364cb55aff9276' +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 3 +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 4 +); + +/* Configurations */ + +INSERT INTO ike_configs ( + local, remote +) VALUES ( + 'PH_IP_DAVE', 'PH_IP_MOON' +); + +INSERT INTO peer_configs ( + name, ike_cfg, local_id, remote_id, virtual +) VALUES ( + 'home', 1, 3, 5, '0.0.0.0' +); + +INSERT INTO child_configs ( + name, updown +) VALUES ( + 'home', 'ipsec _updown iptables' +); + +INSERT INTO peer_config_child_config ( + peer_cfg, child_cfg +) VALUES ( + 1, 1 +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( /* 10.1.0.0/16 */ + 7, X'0a010000', X'0a01ffff' +); + +INSERT INTO traffic_selectors ( + type +) VALUES ( /* dynamic/32 */ + 7 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 1, 1 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 2, 2 +); + diff --git a/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/ipsec.secrets b/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/ipsec.secrets new file mode 100644 index 000000000..76bb21bea --- /dev/null +++ b/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +# secrets are read from SQLite database diff --git a/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/strongswan.conf b/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..29e2395e8 --- /dev/null +++ b/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/strongswan.conf @@ -0,0 +1,10 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + plugins { + sql { + database = sqlite:///etc/ipsec.d/ipsec.db + } + } + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown sqlite sql +} diff --git a/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/ipsec.conf b/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..3bc29625f --- /dev/null +++ b/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/ipsec.conf @@ -0,0 +1,8 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +# configuration is read from SQLite database diff --git a/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/ipsec.d/data.sql new file mode 100644 index 000000000..51704fc98 --- /dev/null +++ b/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/ipsec.d/data.sql @@ -0,0 +1,166 @@ +/* Identities */ + +INSERT INTO identities ( + type, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 202, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* moon.strongswan.org */ + 2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */ + 202, X'd70dbd46d5133519064f12f100525ead0802ca95' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* %any */ + 0, '%any' +); + +/* Certificates */ + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 1, 1, X'308203b53082029da003020102020100300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131303134355a170d3134303930383131303134355a3045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100bff25f62ea3d566e58b3c87a49caf3ac61cfa96377734d842db3f8fd6ea023f7b0132e66265012317386729c6d7c427a8d9f167be138e8ebae2b12b95933baef36a315c3ddf224cee4bb9bd578135d0467382629621ff96b8d45f6e002e5083662dce181805c140b3f2ce93f83aee3c861cff610a39f0189cb3a3c7cb9bf7e2a09544e2170efaa18fdd4ff20fa94be176d7fecff821f68d17152041d9b46f0cfcfc1e4cf43de5d3f3a587763afe9267f53b11699b3264fc55c5189f5682871166cb98307950569641fa30ffb50de134fed2f973cef1a392827862bc4ddaa97bbb01442e293c41070d07224d4be47ae2753eb2bed4bc1da91c68ec780c4620f0f0203010001a381af3081ac300f0603551d130101ff040530030101ff300b0603551d0f040403020106301d0603551d0e041604145da7dd700651327ee7b66db3b5e5e060ea2e4def306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100300d06092a864886f70d010104050003820101009ad74e3e60592dfb9b21c78628bd76b63090c1720c74bf94753cad6fddadc9c776eb39d3bfaa52136bf528840078386308fcf79503bd3d1ad6c15ac38e10c846bff7888a03cfe7fa0e644b522b2af5aedf0bbc508dc48330a180757772771095059b2be148f58dc0c753b59e9d6bfb02e9b685a928a284531b187313fd2b835bc9ea27d0020739a8d485e88bdede9a45cde6d28ed553b0e8e92dabf877bed59abf9d151f15e4f2d00b5e6e49fcb665293d2296697926c2954dae367542ef6e98053e76d2728732f6ce69f284f0b856aa6c2823a9ee29b280a66f50828f9b5cf27f84feca3c31c24897db156c7a833768ab306f51286457a51f09dd53bbb4190f' +); + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=moon.strongswan.org */ + 1, 1, X'3082040d308202f5a003020102020103300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131313732355a170d3039303930393131313732355a3046310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311c301a060355040313136d6f6f6e2e7374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100afae2e109ac0a71b437b6f1a9e5194d085c999fe2c8de11b261f016c88e734eb1a6767b15bc7d8338bf3acc14e8a18bf857fd3dfbce637e9b0d3654f15d9068bdf4450517cf72651be8d4c8ff738ea961b2f5584bf7089afaa0a37b94910d18083bf649a7d395a41f04e68f14494d10ffc7d984a2c81e97f3421c1ec38c629b2456a3d8f3bf3915e86317ea71bb24422bef475e677e8967670b4f6ee2a80a45adcbd086a6537ab5fc12bf69f9072b620020de1880cec6cdea47543d1fec4c5ff547ac2447a1e210d9c128dc3337726eb63d5c1c731aa2c63ce175dbc8ebfb9c1e5198815be473781c3f82c2b59d23deb9739dda53c98d31a3fba57760aeaa89b0203010001a38201053082010130090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e04160414e5e410876c2ac4bead854942a6de7658303a9fc1306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100301e0603551d110417301582136d6f6f6e2e7374726f6e677377616e2e6f726730390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f7374726f6e677377616e2e63726c300d06092a864886f70d010104050003820101002f2f2921667aa576bb0c71b601dfa5b358a93e84e8a1af9754ddfbfc67879cb6c6b7833c5749e7c30b11a87b3549e105dda5d371c459f7d40fabd60c4ac8623924be84c96cfa638eb6ce9f6513b9d61080b895d270c405eacc310c709a613b6f61029c94f535ac5836b890be402ad2c52f01f7fd4bff8c0cc0cbea9720ef21c0bb41fb0726852a3c38563d917fdcca186dede6fbc83febd9edf0541382464ee378f7b8c9684df0d2402b07eb11dd4a886ab5e7299d99ea2686994746c2d9c00d95b02b2950d67f7978c6db5b379c4a3170239c414cf743bab866005366809690073a150e73c6866b9b335616acdbd3a8e651596dedb686b5d8d3eeb12df9d729' +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 1 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 2 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 3 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 4 +); + +/* Private Keys */ + +INSERT INTO private_keys ( + type, data +) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */ + 1, X'308204a30201000282010100afae2e109ac0a71b437b6f1a9e5194d085c999fe2c8de11b261f016c88e734eb1a6767b15bc7d8338bf3acc14e8a18bf857fd3dfbce637e9b0d3654f15d9068bdf4450517cf72651be8d4c8ff738ea961b2f5584bf7089afaa0a37b94910d18083bf649a7d395a41f04e68f14494d10ffc7d984a2c81e97f3421c1ec38c629b2456a3d8f3bf3915e86317ea71bb24422bef475e677e8967670b4f6ee2a80a45adcbd086a6537ab5fc12bf69f9072b620020de1880cec6cdea47543d1fec4c5ff547ac2447a1e210d9c128dc3337726eb63d5c1c731aa2c63ce175dbc8ebfb9c1e5198815be473781c3f82c2b59d23deb9739dda53c98d31a3fba57760aeaa89b0203010001028201004080550d67a42036945a377ab072078f5fef9b0885573a34fb941ab3bcb816e7d2f3f050600049d2f3296e5e32f5e50c3c79a852d74a377127a915e329845b30f3b26342e7fcde26d92d8bd4b7d23fdf08f02217f129e2838a8ce1d4b78ce33eaa2095515b74b93cc87c216fa3dc77bdc4d86017ababaf0d3318c9d86f27e29aa3301f6d7990f6f7f71db9de23ac66800ba0db4f42bbe82932ca56e08ba730c63febaf2779198cee387ee0934b32a2610ab990a4b908951bb1db2345cf1905f11aeaa6d1b368b7f82b1345ad14544e11d47d6981fc4be083326050cb950363dad1b28dbc16db42ec0fa973312c7306063bc9f308a6b0bcc965e5cb7e0b323ca102818100e71fffd9c9a528bdcb6e9ad1a5f4b354e3ea337392784aac790b4fba7f46b3b58d55965573f6493b686375cf6a0c68da9379434b055b625f01d64a9f1934cb075b25db5ef568325039674d577590b5ec54284842e04c27c97103a151805c9b620a3df84181e3a0c10752a7da6cac9629471a2bc85b32c3a160f3a8adf2d783d302818100c2968f5baf0d246bb9671b1dcfadab3a23cd6f9f1cba8c4b0d9b09d6c30a24eec174f22a4d9d2818d760b79a61c9cdd1381487723a99773a629b58171a6e28706bf083700f35037a0cb0649c9359987ccf77b44b4b3d94c614c74537c7025b503dc9967095411ecaec4b4427bc39dd5dfccbb8bab5d92e9465ab11e5e05d7319028181008b306e388e837461b89dc786f256c7991c18f31b6ade1eba77bb242cc071a7d0726954bbe9b62cac26559fa165d04b6536e3146f9dae4733c83b717d1705003051e81e90b56226cac18740c0a7009b4ed3efde74c7f7950e6f8d2c1d951c30477ebb8b428822b9b105e3f54a49a0365e6d7f895683f5b273019c3bbd663dfc190281807f5def6e12b1a682407405a2c8ba2356c5f2853a7fa2778bf4d6e364c87b4e5b5d138023427438b7b1da63b35088b808570dd0ee6afee2b4bbb074c382905235ebe11d176f4cc2fed3696e21b2ad358b947d04ed37cd9220e99ed966be0383e38cddf373b3ae514a7fca704d15fe46306bf4a8f0c570e7f5486ae6273269d89902818031055903f23c7db8da8951aad134c83a7ca951c48c9a7b994f36d9815bc82c80527b6da8e4beff9fee67b1fde5064719a40448bd6d70d9da8910122402835a328e74cfd34e8b568c29fae6ff831ef824fc825e609547a06052a4113ec09f00649bb7b7d195a773f11711c88f152b10a1b4ae58bb6d8bfc176e39f96c7c0de5c8' +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 3 +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 4 +); + +/* Configurations */ + +INSERT INTO ike_configs ( + local, remote +) VALUES ( + 'PH_IP_MOON', '0.0.0.0' +); + +INSERT INTO peer_configs ( + name, ike_cfg, local_id, remote_id, pool +) VALUES ( + 'rw', 1, 3, 5, 'pool0,pool1' +); + +INSERT INTO child_configs ( + name, updown +) VALUES ( + 'rw', 'ipsec _updown iptables' +); + +INSERT INTO peer_config_child_config ( + peer_cfg, child_cfg +) VALUES ( + 1, 1 +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( /* 10.1.0.0/16 */ + 7, X'0a010000', X'0a01ffff' +); + +INSERT INTO traffic_selectors ( + type +) VALUES ( /* dynamic/32 */ + 7 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 1, 0 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 2, 3 +); + +/* Pools */ + +INSERT INTO pools ( + name, start, end, timeout +) VALUES ( + 'pool0', X'0a030001', X'0a030001', 0 +); + +INSERT INTO pools ( + name, start, end, timeout +) VALUES ( + 'pool1', X'0a030101', X'0a030101', 0 +); + +INSERT INTO addresses ( + pool, address +) VALUES ( + 1, X'0a030001' +); + +INSERT INTO addresses ( + pool, address +) VALUES ( + 2, X'0a030101' +); + diff --git a/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/ipsec.secrets b/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..76bb21bea --- /dev/null +++ b/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +# secrets are read from SQLite database diff --git a/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/strongswan.conf b/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..a747a6cb1 --- /dev/null +++ b/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/strongswan.conf @@ -0,0 +1,14 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + plugins { + sql { + database = sqlite:///etc/ipsec.d/ipsec.db + } + } + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown sqlite sql +} + +pool { + load = sqlite +} diff --git a/testing/tests/sql/ip-split-pools-db/posttest.dat b/testing/tests/sql/ip-split-pools-db/posttest.dat new file mode 100644 index 000000000..5ff7b9d47 --- /dev/null +++ b/testing/tests/sql/ip-split-pools-db/posttest.dat @@ -0,0 +1,7 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::rm /etc/ipsec.d/ipsec.* +carol::rm /etc/ipsec.d/ipsec.* +dave::rm /etc/ipsec.d/ipsec.* +~ diff --git a/testing/tests/sql/ip-split-pools-db/pretest.dat b/testing/tests/sql/ip-split-pools-db/pretest.dat new file mode 100644 index 000000000..e1dcb9d51 --- /dev/null +++ b/testing/tests/sql/ip-split-pools-db/pretest.dat @@ -0,0 +1,17 @@ +moon::rm /etc/ipsec.d/cacerts/* +carol::rm /etc/ipsec.d/cacerts/* +dave::rm /etc/ipsec.d/cacerts/* +moon::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql +carol::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql +dave::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql +moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db +carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db +dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db +moon::ipsec pool --status 2> /dev/null +moon::ipsec start +carol::ipsec start +dave::ipsec start +carol::sleep 1 +carol::ipsec up home +dave::ipsec up home +dave::sleep 1 diff --git a/testing/tests/sql/ip-split-pools-db/test.conf b/testing/tests/sql/ip-split-pools-db/test.conf new file mode 100644 index 000000000..75510b295 --- /dev/null +++ b/testing/tests/sql/ip-split-pools-db/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="alice moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf index 329498d28..afbc20ab0 100644 --- a/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf +++ b/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf @@ -10,6 +10,7 @@ charon { } libstrongswan { + integrity_test = yes crypto_test { on_add = yes } diff --git a/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf index 329498d28..afbc20ab0 100644 --- a/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf +++ b/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf @@ -10,6 +10,7 @@ charon { } libstrongswan { + integrity_test = yes crypto_test { on_add = yes } diff --git a/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf index 329498d28..afbc20ab0 100644 --- a/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf @@ -10,6 +10,7 @@ charon { } libstrongswan { + integrity_test = yes crypto_test { on_add = yes } |