diff options
| author | Yves-Alexis Perez <corsac@debian.org> | 2015-04-11 22:03:59 +0200 |
|---|---|---|
| committer | Yves-Alexis Perez <corsac@debian.org> | 2015-04-11 22:03:59 +0200 |
| commit | 83b8aebb19fe6e49e13a05d4e8f5ab9a06177642 (patch) | |
| tree | 51255545ba43b84aa5d673bd0eb557cbd0155c9e /testing/tests | |
| parent | 2b8de74ff4c334c25e89988c4a401b24b5bcf03d (diff) | |
| download | vyos-strongswan-83b8aebb19fe6e49e13a05d4e8f5ab9a06177642.tar.gz vyos-strongswan-83b8aebb19fe6e49e13a05d4e8f5ab9a06177642.zip | |
Imported Upstream version 5.3.0
Diffstat (limited to 'testing/tests')
248 files changed, 3254 insertions, 3184 deletions
diff --git a/testing/tests/ha/both-active/description.txt b/testing/tests/ha/both-active/description.txt index 4c64fff97..2d04e74f2 100644 --- a/testing/tests/ha/both-active/description.txt +++ b/testing/tests/ha/both-active/description.txt @@ -4,5 +4,5 @@ to the virtual gateway <b>mars</b> implemented by the two real gateways based on <b>ClusterIP</b>. Depending on the hash of the IP addresses of the peers and the SPIs, the inbound and outbound CHILD_SAs are either assigned to segment 1 managed by <b>alice</b> or segment 2 handled by <b>moon</b>. -The IKEv2 protocol is managed by <b>moon</b> exclusively with passive -IKE_SAs installed on the backup gateway <b>alice</b>. +The IKEv2 protocol is managed by <b>alice</b> exclusively with passive +IKE_SAs installed on the backup gateway <b>moon</b>. diff --git a/testing/tests/ikev1/double-nat-net/evaltest.dat b/testing/tests/ikev1/double-nat-net/evaltest.dat index 52c561964..8f5ffdb50 100644 --- a/testing/tests/ikev1/double-nat-net/evaltest.dat +++ b/testing/tests/ikev1/double-nat-net/evaltest.dat @@ -1,7 +1,7 @@ alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*bob@strongswan.org::YES bob:: ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*bob@strongswan.org.*alice@strongswan.org::YES -alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES -bob:: ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES +alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES +bob:: ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES alice::ping -c 1 PH_IP_SUN1::64 bytes from PH_IP_SUN1: icmp_req=1::YES moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.4500: UDP::YES moon::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.*: UDP::YES diff --git a/testing/tests/ikev1/double-nat/evaltest.dat b/testing/tests/ikev1/double-nat/evaltest.dat index 9ddad2de5..5f0622690 100644 --- a/testing/tests/ikev1/double-nat/evaltest.dat +++ b/testing/tests/ikev1/double-nat/evaltest.dat @@ -1,7 +1,7 @@ alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*bob@strongswan.org::YES bob:: ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*bob@strongswan.org.*alice@strongswan.org::YES -alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES -bob:: ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES +alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES +bob:: ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.4500: UDP::YES moon::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.*: UDP::YES diff --git a/testing/tests/ikev1/nat-rw/evaltest.dat b/testing/tests/ikev1/nat-rw/evaltest.dat index 387dbae23..36d9f8456 100644 --- a/testing/tests/ikev1/nat-rw/evaltest.dat +++ b/testing/tests/ikev1/nat-rw/evaltest.dat @@ -2,10 +2,10 @@ alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*sun. venus::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*venus.strongswan.org.*sun.strongswan.org::YES sun:: ipsec status 2> /dev/null::nat-t\[1]: ESTABLISHED.*sun.strongswan.org.*alice@strongswan.org::YES sun:: ipsec status 2> /dev/null::nat-t\[2]: ESTABLISHED.*sun.strongswan.org.*venus.strongswan.org::YES -alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES -venus::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES -sun:: ipsec status 2> /dev/null::nat-t[{]1}.*INSTALLED, TUNNEL, ESP in UDP::YES -sun:: ipsec status 2> /dev/null::nat-t[{]2}.*INSTALLED, TUNNEL, ESP in UDP::YES +alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES +venus::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES +sun:: ipsec status 2> /dev/null::nat-t[{]1}.*INSTALLED, TUNNEL.*ESP in UDP::YES +sun:: ipsec status 2> /dev/null::nat-t[{]2}.*INSTALLED, TUNNEL.*ESP in UDP::YES alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES moon:: sleep 6::no output expected::NO diff --git a/testing/tests/ikev1/nat-virtual-ip/hosts/moon/etc/nat_updown b/testing/tests/ikev1/nat-virtual-ip/hosts/moon/etc/nat_updown index aab1df687..b8b1fdd09 100755 --- a/testing/tests/ikev1/nat-virtual-ip/hosts/moon/etc/nat_updown +++ b/testing/tests/ikev1/nat-virtual-ip/hosts/moon/etc/nat_updown @@ -1,4 +1,4 @@ -#! /bin/sh +#!/bin/sh # NAT updown script # # Copyright (C) 2010 Andreas Steffen <andreas.steffen@strongswan.org> @@ -13,7 +13,6 @@ # or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License # for more details. -# things that this script gets (from ipsec_pluto(8) man page) # # PLUTO_VERSION # indicates what version of this interface is being @@ -32,15 +31,20 @@ # is the name of the connection for which we are # routing. # -# PLUTO_NEXT_HOP -# is the next hop to which packets bound for the peer -# must be sent. -# # PLUTO_INTERFACE # is the name of the ipsec interface to be used. # # PLUTO_REQID -# is the requid of the ESP policy +# is the requid of the AH|ESP policy +# +# PLUTO_PROTO +# is the negotiated IPsec protocol, ah|esp +# +# PLUTO_IPCOMP +# is not empty if IPComp was negotiated +# +# PLUTO_UNIQUEID +# is the unique identifier of the associated IKE_SA # # PLUTO_ME # is the IP address of our host. @@ -54,25 +58,21 @@ # host's own IP address / max (where max is 32 for # IPv4 and 128 for IPv6). # -# PLUTO_MY_CLIENT_NET -# is the IP address of our client net. If the client -# is just the host, this will be the host's own IP -# address. -# -# PLUTO_MY_CLIENT_MASK -# is the mask for our client net. If the client is -# just the host, this will be 255.255.255.255. -# # PLUTO_MY_SOURCEIP -# if non-empty, then the source address for the route will be -# set to this IP address. +# PLUTO_MY_SOURCEIP4_$i +# PLUTO_MY_SOURCEIP6_$i +# contains IPv4/IPv6 virtual IP received from a responder, +# $i enumerates from 1 to the number of IP per address family. +# PLUTO_MY_SOURCEIP is a legacy variable and equals to the first +# virtual IP, IPv4 or IPv6. # # PLUTO_MY_PROTOCOL # is the IP protocol that will be transported. # # PLUTO_MY_PORT # is the UDP/TCP port to which the IPsec SA is -# restricted on our side. +# restricted on our side. For ICMP/ICMPv6 this contains the +# message type, and PLUTO_PEER_PORT the message code. # # PLUTO_PEER # is the IP address of our peer. @@ -80,31 +80,38 @@ # PLUTO_PEER_ID # is the ID of our peer. # -# PLUTO_PEER_CA -# is the CA which issued the cert of our peer. -# # PLUTO_PEER_CLIENT # is the IP address / count of the peer's client sub- # net. If the client is just the peer, this will be # the peer's own IP address / max (where max is 32 # for IPv4 and 128 for IPv6). # -# PLUTO_PEER_CLIENT_NET -# is the IP address of the peer's client net. If the -# client is just the peer, this will be the peer's -# own IP address. -# -# PLUTO_PEER_CLIENT_MASK -# is the mask for the peer's client net. If the -# client is just the peer, this will be -# 255.255.255.255. -# # PLUTO_PEER_PROTOCOL # is the IP protocol that will be transported. # # PLUTO_PEER_PORT # is the UDP/TCP port to which the IPsec SA is -# restricted on the peer side. +# restricted on the peer side. For ICMP/ICMPv6 this contains the +# message code, and PLUTO_MY_PORT the message type. +# +# PLUTO_XAUTH_ID +# is an optional user ID employed by the XAUTH protocol +# +# PLUTO_MARK_IN +# is an optional XFRM mark set on the inbound IPsec SA +# +# PLUTO_MARK_OUT +# is an optional XFRM mark set on the outbound IPsec SA +# +# PLUTO_UDP_ENC +# contains the remote UDP port in the case of ESP_IN_UDP +# encapsulation +# +# PLUTO_DNS4_$i +# PLUTO_DNS6_$i +# contains IPv4/IPv6 DNS server attribute received from a +# responder, $i enumerates from 1 to the number of servers per +# address family. # # define a minimum PATH environment in case it is not set @@ -129,22 +136,22 @@ up-client:) # If you are doing a custom version, firewall commands go here. iptables -A FORWARD -i eth1 -o $PLUTO_INTERFACE -s PH_IP_ALICE \ -d $PLUTO_PEER_CLIENT -j ACCEPT - iptables -A FORWARD -o eth1 -i $PLUTO_INTERFACE -d PH_IP_ALICE \ - -s $PLUTO_PEER_CLIENT -j ACCEPT + iptables -A FORWARD -o eth1 -i $PLUTO_INTERFACE -d PH_IP_ALICE \ + -s $PLUTO_PEER_CLIENT -j ACCEPT iptables -t nat -A POSTROUTING -o $PLUTO_INTERFACE -s PH_IP_ALICE \ -d $PLUTO_PEER_CLIENT -j SNAT --to-source $PLUTO_MY_SOURCEIP - echo "inserted NAT rule mapping PH_IP_ALICE to virtual IP $PLUTO_MY_SOURCEIP" >&2 + echo "inserted NAT rule mapping PH_IP_ALICE to virtual IP $PLUTO_MY_SOURCEIP" >&2 ;; down-client:) # connection to my client subnet going down # If you are doing a custom version, firewall commands go here. - iptables -D FORWARD -i eth1 -o $PLUTO_INTERFACE -s PH_IP_ALICE \ - -d $PLUTO_PEER_CLIENT -j ACCEPT - iptables -D FORWARD -o eth1 -i $PLUTO_INTERFACE -d PH_IP_ALICE \ - -s $PLUTO_PEER_CLIENT -j ACCEPT - iptables -t nat -D POSTROUTING -o $PLUTO_INTERFACE -s PH_IP_ALICE \ - -d $PLUTO_PEER_CLIENT -j SNAT --to-source $PLUTO_MY_SOURCEIP - echo "deleted NAT rule mapping PH_IP_ALICE to virtual IP $PLUTO_MY_SOURCEIP" >&2 + iptables -D FORWARD -i eth1 -o $PLUTO_INTERFACE -s PH_IP_ALICE \ + -d $PLUTO_PEER_CLIENT -j ACCEPT + iptables -D FORWARD -o eth1 -i $PLUTO_INTERFACE -d PH_IP_ALICE \ + -s $PLUTO_PEER_CLIENT -j ACCEPT + iptables -t nat -D POSTROUTING -o $PLUTO_INTERFACE -s PH_IP_ALICE \ + -d $PLUTO_PEER_CLIENT -j SNAT --to-source $PLUTO_MY_SOURCEIP + echo "deleted NAT rule mapping PH_IP_ALICE to virtual IP $PLUTO_MY_SOURCEIP" >&2 ;; *) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2 exit 1 diff --git a/testing/tests/ikev1/net2net-fragmentation/evaltest.dat b/testing/tests/ikev1/net2net-fragmentation/evaltest.dat index 842eda00b..2dd5a40dd 100644 --- a/testing/tests/ikev1/net2net-fragmentation/evaltest.dat +++ b/testing/tests/ikev1/net2net-fragmentation/evaltest.dat @@ -1,7 +1,7 @@ moon::cat /var/log/daemon.log::received FRAGMENTATION vendor ID::YES sun::cat /var/log/daemon.log::received FRAGMENTATION vendor ID::YES -moon::cat /var/log/daemon.log::splitting IKE message with length of 1468 bytes into 2 fragments::YES -sun::cat /var/log/daemon.log::splitting IKE message with length of 1388 bytes into 2 fragments::YES +moon::cat /var/log/daemon.log::splitting IKE message with length of .*bytes into 2 fragments::YES +sun::cat /var/log/daemon.log::splitting IKE message with length of .*bytes into 2 fragments::YES moon::cat /var/log/daemon.log::received fragment #1, waiting for complete IKE message::YES moon::cat /var/log/daemon.log::received fragment #2, reassembling fragmented IKE message::YES sun::cat /var/log/daemon.log::received fragment #1, waiting for complete IKE message::YES diff --git a/testing/tests/ikev2/critical-extension/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/ikev2/critical-extension/hosts/moon/etc/ipsec.d/private/moonKey.pem new file mode 100644 index 000000000..4d99866f7 --- /dev/null +++ b/testing/tests/ikev2/critical-extension/hosts/moon/etc/ipsec.d/private/moonKey.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEAyi9jPdS7ugWGIVsVoDEvc/UzEk8LM5ua4Tu2SLArTEaODwHm +MPvvkhl7dwj12//qfklihpZtdazxO9XkN3oYIdgt4QLq35ljtIkEGgsPn3a3niFQ +qjkCDj+lKmd9u4ecmGKR5PFUL+LwSU6cXJVNT6p1oXqntWZS8bFu+9y0Zpf30Lf1 +ILyZAgU2WTjSzTHyvu0w52GlbALZ3ILwze/J1DRHtqmPdiiu0qwSekqVBIOPZudR +fl4LBnLIFlR0vOaJ9zpvxuPHKyxFSY3bvAsXsEkVYG/pTyVsx3fELFNFYP+75arN +2UTMjbTSq6+KKUr1WwOmoBpU14Qwq3g4l1PChwIDAQABAoIBACBFB/Xqajv6fbn9 +K6pxrz02uXwGmacXAtVIDoPzejWmXS4QA4l17HrJDmelSnhelDKry8nnYHkTrTz7 +mn0wQ4HDWy86o/okJUG/TKRLd6bf79aRQqqohqd3iQkHk43GyzuXH+oGioVKF0fc +ACDWw4wfjL7FMNdHCZ4Bz9DrHO/ysHe9B6rvSYm3VZRhSxaneIkaLkkDadKpVx3f +XNFlMxY4qKPJYYSoJZ61iMqrO7+rnA93tmyDDs8PKU3BtnpfNrdePgleJHhk8Zqy +Ev2/NOCSUxbKE8NCtLpGTs+T0qjjnu4k3WPd3ZOBAan0uPDekHZeHB/aXGLhYcxx +J5SurqECgYEA+F1gppkER5Jtoaudt/CUpdQ1sR9wxf75VBqJ4FiYABGQz9xlG4oj +zL/o572s0iV3bwFpnQa+WuWrxGkP6ZuB/Z82npc0N/vLou/b4dxvg4n7K+eOOEf0 +8FMjsse2tqTIXKCqcmQnR0NPQ1jwuvEKsXP5w/JOlnRXAXnd4jxsJI0CgYEA0GaT +61ySttUW9jC3mxuY6jkQy8TEQqR3nOFvWwmCXIWOpN/MTTPus+Telxp/pdKhU+mo +PmX3Unyne5PvwleWDq3YzltX5ZDZGJ5UJlKuNnfGIzQ6OcHRbb7zBpQG6qSRPuug +bgo688hTnb1L59nK88zWVK45euf6pyuoI+SwIGMCgYEA7yvE8knyhBXvezuv0z1b +eGHmHp5/VDwY0DQKSEAoiBBiWrkLqLybgwXf/KJ8dZZc8En08aFX2GLJyYe/KiB1 +ys3ypEBJqgvRayP+o/9KZ+qNNRd0rqAksPXvL7ABNNt0kzapTSVDae3Yu6s/j1am +DIL5qAeERIDedG5uDPpQzdUCgYB7MtjpP63ABhLv8XbpbBQnCxtByw3W89F+Xcrt +v55gQdhE4cSuMzA/CuMH4vNpPS6AI9aBJNhj3CtKo/cOJachAGb1/wvkO5ALvLW0 +fhZdPstUTnDJain7vfF/hwzbs/PlhXgu9T9KlLfRvXFdG+Sd4g8mumRiozcLkoRw +y6XPTwKBgDJP+s9wXmdG90HST/aqC7FKrVXLpB63dY5swNUfQP6sa0pFnON0r0JC +h/YCsGFFIAebQ2uOkM3g3f9nkwTp7910ov+/5uThvRI2w2BBPy0mVuALPjyyF1Z2 +cb9zpyKiIuXoXRCf4sd8r1lR9bn0Fxx0Svpxf+fpMGSI5quHNBKY +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/ikev2/critical-extension/hosts/sun/etc/ipsec.d/private/sunKey.pem b/testing/tests/ikev2/critical-extension/hosts/sun/etc/ipsec.d/private/sunKey.pem new file mode 100644 index 000000000..d8fad9aad --- /dev/null +++ b/testing/tests/ikev2/critical-extension/hosts/sun/etc/ipsec.d/private/sunKey.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEA35VUimfpDmNpT/8Q3qnoDlxJ9R+EErSYVraVoUVmH9jSHroB +eqqtDdf3XuHtg2xKTryijBj2H0jeA7HuE1UGwmvZWN1gL5vSrk1OFrT38DmaKa/+ +mtiPqjTJrDGg+OgOz1iHsPsp/4Xx+SCTSy2Ucllfront02sVduDXEGV34Snk6vYV +sRn1BZSlFBO6F2k23/j1i7FDn0N6Zj0hFvCysoIcfSYasmwN2p5vRqn7xC9JceMK +3V+v0w0pZoAUBAspAjh7R1rWe08IRAt4Tzff401EGAa5+TQqoZPd4BeqvFr0AQhQ +mdVw97FB2pQyNxSlcVvxY3NFYHwSCHcEMroWwQIDAQABAoIBADH51hjN2zk9HVgl +QmcTAWzcUie5cLMhrP+M9mtC8O3jcCwwFY6OwfnbMU8DHy0GMqHg5lB8b99UUVPw +HLAzjDw/ESkc6pgZs4EEhJTsxJLsvTnePgHssEgyXnXf7gRVEqJkPohfy+Zy0UCH +eIUQXiMlOQ7xg7iDMhwNa+UdWSt539DztSKilQn2xdPZjFnMT0/prvl4NA/8Zn54 +/SdWDq5yRdLWb6EK1V7yJ3687GXR1jzGtgy7TXuncUJVTYgX7RdP1Tn6gWD8YAQ/ +RfT0DdWYm4WHSgSb9/NW8lBZH2yy3hg+lNgofXEvTfBkO5QyW31LIr0tCV6zhJIc +Y9MxaKUCgYEA9sktaXfhPLe0ECjdeQEOq5EKuDrCviSKCOuAV4BDSOsdw6+5LWfY +Vb/oke8N70lL3RCblcj1pOKWUi2O/SpEJdDRduiw2gM9cXt3/bChSTHC4TsIxxN/ +Db9OGg72kZ4sRY5Au+zyAAQYBwXhFWux194Jk5qK0JblNG9J5QMqZDcCgYEA5+5h +BgHUMEO+pdME5lAiSc5PcNTejpA6j+OikCh4/HFXy3C/dLx+Cs1+egw64c8iVaIv +NEo7n7E9I0e3XqanPRXhMnBRrP+39OVsWPmZ18Li2Hi84KwJyi8Y11l3XJOqaYpF +wMVUuZpxR0dfG5k/5GwT/tEkmQBglOgG3m2zUMcCgYEA4m3Vd9ahV5dp5AXKpzKc +JjiPMFfhxJo7+FEz0ZUCp03qYljBu/Jy4MKS/grrqyiCLdQGHNlk4SNxLvdUId78 +5gGBnuuDEJU2dAAIKUE9yq2YlBUZSacOxStI2snt28/X6P3LUWHm7LLU5OS1D3Vf +mKPF/6MlSJuas5CEqVZNN+MCgYBH9Qh7IaQgmVQUBKVXg3Mv7OduvUyTdKIGtHxi +N3xZ7hxsDP4JjNWaKmlcGmFGX8pqQRheI83d3NJ4GK8GmbP3Wst0p65fezMqsudr +r30QmPFicgs/tYCQDw6o+aPzwAi2F+VOSqrfrtAIaldSq7hL+VA21dKB+cD9UgOX +jPd+TwKBgQCbKeg2QNS2qhPIG9eaqJDROuxmxb/07d7OBctgMgxVvKhqW9hW42Sy +gJ59fyz5QjFBaSfcOdf4gkKyEawVo45/q6ymIQU37R4vF4CW9Z3CfaIbwJp7LcHV +zH07so/HNsZua6GWCSCLJU5MeCRiZzk2RFiS9KIaLP4gZndv4lXOiQ== +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/ikev2/double-nat-net/evaltest.dat b/testing/tests/ikev2/double-nat-net/evaltest.dat index 52c561964..8f5ffdb50 100644 --- a/testing/tests/ikev2/double-nat-net/evaltest.dat +++ b/testing/tests/ikev2/double-nat-net/evaltest.dat @@ -1,7 +1,7 @@ alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*bob@strongswan.org::YES bob:: ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*bob@strongswan.org.*alice@strongswan.org::YES -alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES -bob:: ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES +alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES +bob:: ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES alice::ping -c 1 PH_IP_SUN1::64 bytes from PH_IP_SUN1: icmp_req=1::YES moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.4500: UDP::YES moon::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.*: UDP::YES diff --git a/testing/tests/ikev2/double-nat/evaltest.dat b/testing/tests/ikev2/double-nat/evaltest.dat index 9ddad2de5..5f0622690 100644 --- a/testing/tests/ikev2/double-nat/evaltest.dat +++ b/testing/tests/ikev2/double-nat/evaltest.dat @@ -1,7 +1,7 @@ alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*bob@strongswan.org::YES bob:: ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*bob@strongswan.org.*alice@strongswan.org::YES -alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES -bob:: ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES +alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES +bob:: ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.4500: UDP::YES moon::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.*: UDP::YES diff --git a/testing/tests/ikev2/forecast/description.txt b/testing/tests/ikev2/forecast/description.txt new file mode 100644 index 000000000..db67b9c3d --- /dev/null +++ b/testing/tests/ikev2/forecast/description.txt @@ -0,0 +1,8 @@ +The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to +gateway <b>moon</b> and request a <b>virtual IP</b>. <b>moon</b> negotiates +broadcast and multicast traffic selectors with the clients, and uses +<i>%unique</i> marks to avoid any policy conflicts. The enabled <i>forecast</i> +plugin on <b>moon</b> installs the required Netfilter rules to make use of these +policies, and additionally starts forwarding broadcast and multicast packets +between the clients.<br/> +To test forwarding, the hosts send multicast and broadcast ping messages. diff --git a/testing/tests/ikev2/forecast/evaltest.dat b/testing/tests/ikev2/forecast/evaltest.dat new file mode 100644 index 000000000..6babe57f0 --- /dev/null +++ b/testing/tests/ikev2/forecast/evaltest.dat @@ -0,0 +1,20 @@ +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES +dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL, reqid 1::YES +moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL, reqid 2::YES +alice::ping -W 1 -c 1 239.0.0.1 2>&1> /dev/null +carol::ping -W 1 -c 1 239.0.0.2 2>&1> /dev/null +dave::ping -W 1 -c 1 239.0.0.3 2>&1> /dev/null +carol::ping -W 1 -c 1 -b 10.1.255.255 2>&1> /dev/null +dave::ping -W 1 -c 1 -b 10.1.255.255 2>&1> /dev/null +moon::iptables -t mangle -L -n -v +carol::tcpdump::IP alice.strongswan.org > 239.0.0.1: ICMP echo request::YES +dave::tcpdump::IP alice.strongswan.org > 239.0.0.1: ICMP echo request::YES +carol::tcpdump::IP 10.1.0.130 > 239.0.0.3: ICMP echo request::YES +dave::tcpdump::IP 10.1.0.129 > 239.0.0.2: ICMP echo request::YES +carol::tcpdump::IP 10.1.0.130 > 10.1.255.255: ICMP echo request::YES +dave::tcpdump::IP 10.1.0.129 > 10.1.255.255: ICMP echo request::YES diff --git a/testing/tests/ikev2/forecast/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/forecast/hosts/carol/etc/ipsec.conf new file mode 100644 index 000000000..4cd628384 --- /dev/null +++ b/testing/tests/ikev2/forecast/hosts/carol/etc/ipsec.conf @@ -0,0 +1,21 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_CAROL + leftsourceip=%config + leftsubnet=0.0.0.0/0 + leftcert=carolCert.pem + leftid=carol@strongswan.org + right=PH_IP_MOON + rightsubnet=0.0.0.0/0 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ikev2/forecast/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/forecast/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..7b81476e9 --- /dev/null +++ b/testing/tests/ikev2/forecast/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown resolve +} diff --git a/testing/tests/ikev2/forecast/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/forecast/hosts/dave/etc/ipsec.conf new file mode 100644 index 000000000..e2255d96b --- /dev/null +++ b/testing/tests/ikev2/forecast/hosts/dave/etc/ipsec.conf @@ -0,0 +1,21 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_DAVE + leftsourceip=%config + leftsubnet=0.0.0.0/0 + leftcert=daveCert.pem + leftid=dave@strongswan.org + right=PH_IP_MOON + rightsubnet=0.0.0.0/0 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ikev2/forecast/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/forecast/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..7b81476e9 --- /dev/null +++ b/testing/tests/ikev2/forecast/hosts/dave/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown resolve +} diff --git a/testing/tests/ikev2/forecast/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/forecast/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..fde2e9103 --- /dev/null +++ b/testing/tests/ikev2/forecast/hosts/moon/etc/ipsec.conf @@ -0,0 +1,22 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16,224.0.0.0/4 + right=%any + rightid=*@strongswan.org + rightsourceip=10.1.0.128/26 + rightsubnet=%dynamic,224.0.0.0/4,10.1.255.255 + mark=%unique + auto=add diff --git a/testing/tests/ikev2/forecast/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/forecast/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..986ef32de --- /dev/null +++ b/testing/tests/ikev2/forecast/hosts/moon/etc/strongswan.conf @@ -0,0 +1,16 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown attr forecast + syslog { + daemon { + net = 2 + } + } + plugins { + forecast { + interface = eth1 + reinject = rw + } + } +} diff --git a/testing/tests/ikev2/forecast/posttest.dat b/testing/tests/ikev2/forecast/posttest.dat new file mode 100644 index 000000000..1865a1c60 --- /dev/null +++ b/testing/tests/ikev2/forecast/posttest.dat @@ -0,0 +1,6 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/forecast/pretest.dat b/testing/tests/ikev2/forecast/pretest.dat new file mode 100644 index 000000000..206bf5b64 --- /dev/null +++ b/testing/tests/ikev2/forecast/pretest.dat @@ -0,0 +1,7 @@ +carol::ipsec start +dave::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home +dave::ipsec up home +carol::sleep 1 diff --git a/testing/tests/ikev2/forecast/test.conf b/testing/tests/ikev2/forecast/test.conf new file mode 100644 index 000000000..13b3927ae --- /dev/null +++ b/testing/tests/ikev2/forecast/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon carol dave" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev2/host2host-transport-connmark/description.txt b/testing/tests/ikev2/host2host-transport-connmark/description.txt new file mode 100644 index 000000000..6660279c9 --- /dev/null +++ b/testing/tests/ikev2/host2host-transport-connmark/description.txt @@ -0,0 +1,8 @@ +An IPsec <b>transport-mode</b> connection between the natted host <b>alice</b> +and gateway <b>sun</b> is successfully set up. The client <b>venus</b> behind +the same NAT as client <b>alice</b> also establishes the same <b>transport-mode</b> +connection. <b>sun</b> uses the connmark plugin and a <b>%unique</b> mark on +the CHILD_SAs to select the correct return path SA using connection tracking. +This allows <b>sun</b> to talk to both nodes for client initiated flows, even +if the SAs are actually both over <b>moon</b>.<br/> +To test the connection, both hosts establish an SSH connection to <b>sun</b>. diff --git a/testing/tests/ikev2/host2host-transport-connmark/evaltest.dat b/testing/tests/ikev2/host2host-transport-connmark/evaltest.dat new file mode 100644 index 000000000..04a35c10c --- /dev/null +++ b/testing/tests/ikev2/host2host-transport-connmark/evaltest.dat @@ -0,0 +1,7 @@ +sun:: ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*sun.strongswan.org.*venus.strongswan.org::YES +sun:: ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*sun.strongswan.org.*alice@strongswan.org::YES +alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TRANSPORT, reqid 1::YES +venus::ipsec status 2> /dev/null::nat-t.*INSTALLED, TRANSPORT, reqid 1::YES +alice::ssh 192.168.0.2 'echo alice-echo && exit'::alice-echo::YES +venus::ssh 192.168.0.2 'echo venus-echo && exit'::venus-echo::YES +sun::iptables -t mangle -L -n -v diff --git a/testing/tests/ikev2/host2host-transport-connmark/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/host2host-transport-connmark/hosts/alice/etc/ipsec.conf new file mode 100644 index 000000000..9000ebcfe --- /dev/null +++ b/testing/tests/ikev2/host2host-transport-connmark/hosts/alice/etc/ipsec.conf @@ -0,0 +1,17 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn nat-t + leftcert=aliceCert.pem + leftid=alice@strongswan.org + right=192.168.0.2 + rightid=@sun.strongswan.org + type=transport + auto=add diff --git a/testing/tests/ikev2/host2host-transport-connmark/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/host2host-transport-connmark/hosts/sun/etc/ipsec.conf new file mode 100644 index 000000000..220059c43 --- /dev/null +++ b/testing/tests/ikev2/host2host-transport-connmark/hosts/sun/etc/ipsec.conf @@ -0,0 +1,18 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=192.168.0.2 + leftcert=sunCert.pem + leftid=@sun.strongswan.org + +conn nat-t + right=%any + type=transport + mark=%unique + auto=add diff --git a/testing/tests/ikev2/host2host-transport-connmark/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/host2host-transport-connmark/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..1311e5b27 --- /dev/null +++ b/testing/tests/ikev2/host2host-transport-connmark/hosts/sun/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default connmark +} diff --git a/testing/tests/ikev2/host2host-transport-connmark/hosts/venus/etc/ipsec.conf b/testing/tests/ikev2/host2host-transport-connmark/hosts/venus/etc/ipsec.conf new file mode 100644 index 000000000..cea239abe --- /dev/null +++ b/testing/tests/ikev2/host2host-transport-connmark/hosts/venus/etc/ipsec.conf @@ -0,0 +1,17 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn nat-t + leftcert=venusCert.pem + leftid=venus@strongswan.org + right=192.168.0.2 + rightid=@sun.strongswan.org + type=transport + auto=add diff --git a/testing/tests/ikev2/host2host-transport-connmark/posttest.dat b/testing/tests/ikev2/host2host-transport-connmark/posttest.dat new file mode 100644 index 000000000..144be6c90 --- /dev/null +++ b/testing/tests/ikev2/host2host-transport-connmark/posttest.dat @@ -0,0 +1,5 @@ +alice::ipsec stop +venus::ipsec stop +sun::ipsec stop +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/host2host-transport-connmark/pretest.dat b/testing/tests/ikev2/host2host-transport-connmark/pretest.dat new file mode 100644 index 000000000..ab6408427 --- /dev/null +++ b/testing/tests/ikev2/host2host-transport-connmark/pretest.dat @@ -0,0 +1,11 @@ +moon::iptables-restore < /etc/iptables.rules +moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -j MASQUERADE +moon::iptables -A FORWARD -i eth1 -o eth0 -s 10.1.0.0/16 -j ACCEPT +moon::iptables -A FORWARD -i eth0 -o eth1 -d 10.1.0.0/16 -j ACCEPT +alice::ipsec start +venus::ipsec start +sun::ipsec start +alice::expect-connection nat-t +venus::expect-connection nat-t +alice::ipsec up nat-t +venus::ipsec up nat-t diff --git a/testing/tests/ikev2/host2host-transport-connmark/test.conf b/testing/tests/ikev2/host2host-transport-connmark/test.conf new file mode 100644 index 000000000..8c2facefd --- /dev/null +++ b/testing/tests/ikev2/host2host-transport-connmark/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon winnetou sun" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun alice venus moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="alice venus sun" diff --git a/testing/tests/ikev2/host2host-transport-nat/description.txt b/testing/tests/ikev2/host2host-transport-nat/description.txt index 6f18a88cd..fc7186c53 100644 --- a/testing/tests/ikev2/host2host-transport-nat/description.txt +++ b/testing/tests/ikev2/host2host-transport-nat/description.txt @@ -9,5 +9,6 @@ rules that let pass the decrypted IP packets. In order to test the host-to-host dropped when the IPsec policies are consulted (increases the <em>XfrmInTmplMismatch</em> counter in <em>/proc/net/xfrm_stat</em>).</li> <li>A similar issue arises when <b>venus</b> also establishes an IPsec <b>transport-mode</b> connection to -<b>sun</b>, due to the conflicting IPsec policies <b>sun</b> declines such a connection.</li> +<b>sun</b>. Due to the conflicting IPsec policies <b>sun</b> will use the newer SA from +<b>venus</b> to send traffic to the common transport mode address.</li> </ol> diff --git a/testing/tests/ikev2/host2host-transport-nat/evaltest.dat b/testing/tests/ikev2/host2host-transport-nat/evaltest.dat index faa9fb265..0ec50bc92 100644 --- a/testing/tests/ikev2/host2host-transport-nat/evaltest.dat +++ b/testing/tests/ikev2/host2host-transport-nat/evaltest.dat @@ -1,12 +1,9 @@ alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*sun.strongswan.org::YES sun:: ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*sun.strongswan.org.*alice@strongswan.org::YES -alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TRANSPORT::YES -sun:: ipsec status 2> /dev/null::nat-t.*INSTALLED, TRANSPORT::YES -alice::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::YES -venus::ping -c 1 -W 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::NO -venus::ipsec up nat-t::received TS_UNACCEPTABLE notify::YES -sun::cat /var/log/daemon.log::unable to install policy::YES +alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TRANSPORT, reqid 1::YES +venus::ipsec status 2> /dev/null::nat-t.*INSTALLED, TRANSPORT, reqid 1::YES +sun:: ipsec status 2> /dev/null::nat-t.*INSTALLED, TRANSPORT, reqid 1::YES +alice::ping -c 1 -W 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::NO +venus::ping -c 1 -W 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::YES sun::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.*: UDP::YES sun::tcpdump::IP sun.strongswan.org.* > moon.strongswan.org.*: UDP::YES -sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ICMP echo request::YES -sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ICMP echo reply::NO diff --git a/testing/tests/ikev2/host2host-transport-nat/pretest.dat b/testing/tests/ikev2/host2host-transport-nat/pretest.dat index fe0f17d3d..2d2607078 100644 --- a/testing/tests/ikev2/host2host-transport-nat/pretest.dat +++ b/testing/tests/ikev2/host2host-transport-nat/pretest.dat @@ -10,3 +10,4 @@ sun::ipsec start alice::expect-connection nat-t venus::expect-connection nat-t alice::ipsec up nat-t +venus::ipsec up nat-t diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat index 65a003d23..8457ae0dd 100644 --- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat @@ -1,6 +1,6 @@ moon:: cat /var/log/daemon.log::parsed IKE_AUTH request.*N(AUTH_FOLLOWS)::YES -moon:: cat /var/log/daemon.log::authentication of .*carol@strongswan.org.* with RSA signature successful::YES -carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES +moon:: cat /var/log/daemon.log::authentication of .*carol@strongswan.org.* with RSA.* successful::YES +carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES moon:: cat /var/log/daemon.log::received EAP identity .*228060123456001::YES moon:: cat /var/log/daemon.log::authentication of .*228060123456001@strongswan.org.* with EAP successful::YES @@ -9,8 +9,8 @@ carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*228060123456001@strongswan. carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES -moon::cat /var/log/daemon.log::authentication of .*dave@strongswan.org.* with RSA signature successful::YES -dave::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES +moon::cat /var/log/daemon.log::authentication of .*dave@strongswan.org.* with RSA.* successful::YES +dave::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES dave::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES moon::cat /var/log/daemon.log::received EAP identity .*228060123456002::YES moon::cat /var/log/daemon.log::RADIUS authentication of '228060123456002' failed::YES diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/certs/carolCert.pem index 4e13b52d0..70b953e49 100644 --- a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/certs/carolCert.pem +++ b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/certs/carolCert.pem @@ -1,24 +1,24 @@ -----BEGIN CERTIFICATE----- MIIEBzCCAu+gAwIBAgIBATANBgkqhkiG9w0BAQsFADBWMQswCQYDVQQGEwJDSDEZ MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxGTAX -BgNVBAMTEER1Y2sgUmVzZWFyY2ggQ0EwHhcNMDkxMTA0MTYyMzM1WhcNMTQxMTAz -MTYyMzM1WjBfMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dh +BgNVBAMTEER1Y2sgUmVzZWFyY2ggQ0EwHhcNMTQxMTI4MjIxODIyWhcNMTkwMjI1 +MjIxODIyWjBfMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dh bjEWMBQGA1UECxMNRHVjayBSZXNlYXJjaDEdMBsGA1UEAxQUY2Fyb2xAc3Ryb25n -c3dhbi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6LueCi67Y -IGRDKP5bkysGWZHrFrztq7elIFCPPSUxyIOYo4Upzr5WsvO0dIfcZY3agV2NcAI2 -30sATlfTUp+obedZMHbzE3VBvQuLjgK42ox2XIXDj23Vy496mVqlwUQulhBcAhMb -jnBb4T0aR7WCnJvfzyckEyWrTN0ajRyQhJEmTn+spYNQX/2lg6hEn/K1T/3Py7sG -veeF6BRenHR5L60NSK7qV7AU+hM4R0UIvgwYqzxSStgGS9G6Bwj9QTOWwSV1tuii -ABiRdZSBoON0uMMpRjgEzuVe0f4VbOCIEXO8MtdpCu7Rwa9tc8OwneLcGCYVomr5 -7KKRJdvC5As3AgMBAAGjgdYwgdMwCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYD -VR0OBBYEFFSYDz2TYOMxfyrIx20NhPPHTCOIMHkGA1UdIwRyMHCAFHYqqKQxp8Zx -jzAlvAJmm8sXVI0goVWkUzBRMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXgg +c3dhbi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDNBbHnfLRk +Lvxh9V7x/NoSs5qavpr8F51LnYpIfppgMvBDjpdeSnBPOOPakPlfUhKSvXIesESv +QI1HJOlGftswL9A5B1lTnsH65sqpgqgj67grh386U3O9ZccFhUj8Dw6TUo/qe4pK +sWDwUX/LG3mjOx/rOGvX8WxvZU7JVXXhU4g8TpIV3JRTQ+lF82z3qoS6dAfRt4xh +6pyLuMYbu6UtX5Al0iJDvpsWr9ZbKI2f8Dhkr0sZFRHl7Gs5jTN1Ra1EF0jCjIzo +6AkkY+ITBssvVvMFpeN/jb0ZhvLcRFU56lvLkmrj/InKUsk9qNm80+/wFBUzJ5N7 +GezXmBIPwXdlAgMBAAGjgdYwgdMwCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYD +VR0OBBYEFLPw4VsFnIRIKhjd/OF7delHM9kiMHkGA1UdIwRyMHCAFIpw4MqlHGRv +K5K5c1wBrJAb/fk1oVWkUzBRMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXgg c3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDASBgNVBAMTC1Jlc2VhcmNo -IENBggEFMB8GA1UdEQQYMBaBFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMA0GCSqGSIb3 -DQEBCwUAA4IBAQBIpl8SH4Nytgr6KvmXzns80u615WnDmP6oJrnwIZUkunVns8HH -TFUVjvDKoQ+8CvuaH9Ifo2dokGjtGObeO4Y38y0xBIkUO+JpwfTa3SeCEhdOZb3G -4e9WxHhV9IGfRyPsXQG+3JpAMaHYH+PNKiv7RBTq6rGaHzvgUEXRMTbv/bJI+Fs6 -Yfd/XxIur/ftVh4dZocyC74MUyXy5tyZJkHe1aBszOa0iT1852fq93lNUQPQqw0O -3q3Lg7CvbNSdWqeAMqUgeBqh6oQItY9Exrwh0tfuCsjZ0oWXUBghsuiV+GTmZ6ok -BiGmSmtX5OD4UtKcicuMRqnK2MYJHp1z1goE +IENBggEKMB8GA1UdEQQYMBaBFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMA0GCSqGSIb3 +DQEBCwUAA4IBAQCi2vUHTZtkUGMAQsztQBLDwtqS7D+1ydO2BU/wkNRn4M7Zlkjq +O2JBgwGmeWpnZWPdNo+A5ECqcVYXp0XQw/24zxV92StTN7mGvPKVM6bYExcCT8x6 +tVkzlfyjJaVdBgl12jkQA4v6Efwc0P6nunYfxYIrfoFA4kjMnAbxLfPKFEj8b8NW +E9gvOEPy9hOv2dJEKyNxau+O5oGRZ46zSotcS0n34huoMEkXpUnpGOgZw8cl8xpP +ffHiAJqZYgqU6B++HQO6M6IQ0nQmX6OxGz+5VhEmuizgWB0B1L65BlzAysdavLZN +Yn4RdcYfpdbUgj5oRapiwWaQxpGImyQ1JBIU -----END CERTIFICATE----- diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/private/carolKey.pem index 48727ed9d..ce60672bc 100644 --- a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/private/carolKey.pem +++ b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/private/carolKey.pem @@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEpAIBAAKCAQEAui7ngouu2CBkQyj+W5MrBlmR6xa87au3pSBQjz0lMciDmKOF -Kc6+VrLztHSH3GWN2oFdjXACNt9LAE5X01KfqG3nWTB28xN1Qb0Li44CuNqMdlyF -w49t1cuPeplapcFELpYQXAITG45wW+E9Gke1gpyb388nJBMlq0zdGo0ckISRJk5/ -rKWDUF/9pYOoRJ/ytU/9z8u7Br3nhegUXpx0eS+tDUiu6lewFPoTOEdFCL4MGKs8 -UkrYBkvRugcI/UEzlsEldbboogAYkXWUgaDjdLjDKUY4BM7lXtH+FWzgiBFzvDLX -aQru0cGvbXPDsJ3i3BgmFaJq+eyikSXbwuQLNwIDAQABAoIBAGK7cOXXsTbHpqO+ -33QsjQpnAWyLuFDJWS/l/RKYuFq4HKEbRgivrFxJtdciXNHRwPH43GWe2m3C6AEX -ipd0H1qwPZkcjFfHH81mtPKismrY6tfxpLXaH8LamhHHtTxlSwTxa2d/aiaY2JjA -zyhakrTa3AZJ0lXdGYLH1hC4eEdiPghIqwL8YNB0V2ldq+bMdtQ1i3dcmseV9TI2 -DEAKWzjc7oIcuY9HtfEEAIPzSSqwrM7wUWd9dk70o7b05eK9pnTF59Lnk5U1J1Ag -QnXBHBZfLVDnTYd+dFWM8wUIpO0n6ccUToINppwSejyOs726jUuWGZCthxLBsFZp -5Pj9B6ECgYEA3lRxGRJsAfMoyOc4kLfDmlDtrP88knRlqRW7mVYjclhMbVtrtaTP -44VqmxKIVNQt1p5hB/Gn4kbhC7OnUja/FVHdosEjFhYNh+QCisyaS2V7RNyEidJX -Q61V8v0Z7MxHxxDljVvWfSdAUDRrFwWYxRXZJWwStEmtdAbiZa6aydkCgYEA1mEV -2D+gaR+oBouqcZMiSAjV/qHbnfw4EC2XFCw84JMPerBwl4noWCgvgf0lRirbI+Ar -PDOfoclLnDQRgnqkK4okSIW0SddxttbKdDhhZ2c2CoyKxUqN7/NEyy/tZ2WZRcmX -LILTLXzi/9qq8lF9odjIl5KKsRpXhqMsf5b1w48CgYEAqDT8yDo+yw7b6Xu+OQc/ -Ds5xs3P7sNYtX8qYfz9DXCxfzlDfYbMKsZlr+V0BFiTddUWoJal4GeMEOqU2TyYq -VYf1hkBXOkt++zPPlJGNnsNtisDH6bng2cwXfdpttdEr8Pjgo5063r9GkifGacmL -Nnj8K6rjT9F6UJEw0jtS0qkCgYAi3RMSYfaSYgWPWvNTGRyAHn++s0/l93iemOty -6mbUFtZzm3IUEudoPtDLEQIY0StmQDSHy9VwGC5lrsoSMCO2uPaBnMzfHVxu4at3 -Dxw4Fr7hJE4FG8TNewB7EsZHBGzSvqAJKxVw1liMR2F5musVgQ3OKJTJjIEjcjHw -Zfp93QKBgQCPp6SH510qK9Rf+HjeWXJpOB2ByruC5rBgqrxE4rbIB3/fAl86a3Kq -Q1VqdGb+CW0FlkPshDmmdi3IoCliXywadSaXi/unPfPTel0pQAC8NM7WpPoaUfnS -QgL5iNXshicKoE8U6PRhYvn81zVpt4bFn3DZRgIlau2GQnijLkGvQw== +MIIEpAIBAAKCAQEAzQWx53y0ZC78YfVe8fzaErOamr6a/BedS52KSH6aYDLwQ46X +XkpwTzjj2pD5X1ISkr1yHrBEr0CNRyTpRn7bMC/QOQdZU57B+ubKqYKoI+u4K4d/ +OlNzvWXHBYVI/A8Ok1KP6nuKSrFg8FF/yxt5ozsf6zhr1/Fsb2VOyVV14VOIPE6S +FdyUU0PpRfNs96qEunQH0beMYeqci7jGG7ulLV+QJdIiQ76bFq/WWyiNn/A4ZK9L +GRUR5exrOY0zdUWtRBdIwoyM6OgJJGPiEwbLL1bzBaXjf429GYby3ERVOepby5Jq +4/yJylLJPajZvNPv8BQVMyeTexns15gSD8F3ZQIDAQABAoIBABliJR6V7/efYZv3 +NyQavB0oo3GZO7MOcWkVPjOviQl0BQ84LkF8Ud9dGcjLvjQxAx+r2N83z6krAtLW +HROfTR/wK4WEBWk29KlNvbWy+YJJAupQwk3EW0YNvdBPKjQa4SEYTb0oQnzw7SGT +1ZCd/DdbcJ48xA1eVKCOGG0Q6aFV702mUszjZfrnyqr+zxx8ZE+YhKSXB0eGjv2+ ++kiJMf25ZpgP5Pu5AAX0/KRN9E5orbr5pdFTBgOIJ6Sdsnr/q/tJaU/bPVJEtFvd +BqSVtz87ftTdZVH5zMBkXPVwlWczQiK5J6igrMBcrHhnKUmt54kh9bEUmt2ZrBOx +xmEV/wECgYEA+a+LjA3lZgk5Qy4qKvXe4EHvRSK513ZxN8gBvj4wA7JmEGv76gMw +5o1DbpNOqumeyjrtsqVzjAu3GpowX4dfHRal9CZ57dtedjWlHPnnDtSMKzmJXiJb +HzYPngpjxfAjrZNIBlQZeAhtYCQUDM/SSitcnP1gp3DEdVyxFNafmuECgYEA0jUA +F0hSddYBo4tG84gnHQ6L0ftqn3K0UD9EcFAG2Zxv7dqSGdmCq6wo/q1UeKDVLjCX +OteuqzDG+ka6DmbcLwj9VRMQP9lqUbtGOzwyWxYdcMUZnMtWHpuvcsyHLrAKqTxJ +0Be7hlXCbSrh62CBpAgv91NMghZup3Tpku8qkQUCgYEAyWNp7uEWciJmaWVG5bfC +uKb10pGby8ngr9lGbqfCGnk+EWjHm4xPWOX/yaRPA1PDm+HD7x+7/u1EFtTex25s +rQ2jdTXDirIxkq7aKnD2iOOu2v5haefUD2yPVC2VJAX5APuWUGRs1oAVmEIBWgQV +3XT0EjvcRbGTBAZrXh9uRIECgYEAzBclZXWUilAj+zOoyZ4xy6Zp3pAqL3Fg3GDx +A9LPM80NZ3RFUc+7bQ6UJuEHGK+fC1+mFT1/mzqaljjBQGZh9VDXFhiSOEvRTFV1 +lOGXSpSoNOtJONC7ZrBloiIuRggp8bJVQDMqoPz27qMqAiwK8sX4PDumFs/M081R +UpXfUDkCgYAOa/VoXgDlFMun1qEu6LFZcLhA6SyHRT0yT9WSYkHjcQusvJAZEM67 +lfUd1J57tG6+HS7z0wBkO72HG0YZDD8dhgzsYGChUHD+yq+OZ2FHnZWRSnnHq4zD +ZBjS8PGcVu/4Ojx6B8GI41UgmdqH+US+AA6nYceb74NeIigXjtXUdA== -----END RSA PRIVATE KEY----- diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/ipsec.d/cacerts/duckCert.pem b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/ipsec.d/cacerts/duckCert.pem index bb205a0fd..2076242cc 100644 --- a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/ipsec.d/cacerts/duckCert.pem +++ b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/ipsec.d/cacerts/duckCert.pem @@ -1,23 +1,23 @@ -----BEGIN CERTIFICATE----- -MIID0jCCArqgAwIBAgIBBTANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ +MIID0jCCArqgAwIBAgIBCjANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS -BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTA5MTEwNDE2MTUwM1oXDTE1MTEwMzE2MTUw -M1owVjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP +BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTE0MTEyODIyMDcwOFoXDTE5MDQwMTIyMDcw +OFowVjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP BgNVBAsTCFJlc2VhcmNoMRkwFwYDVQQDExBEdWNrIFJlc2VhcmNoIENBMIIBIjAN -BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApIBRSgHCxHhMjsVZo4PtFnENkHNu -MfyRDsc7m1KRDVt8N4h/EcbduU7xeq/RjxZSmlc1q6EWEgDv3KwDYY0sX+qrpQKa -ub5AgsRa2fOOR9xfyf0Q7Nc3oR3keWqQUiigCuaw9NQRtdMm/JFdXLNY3r60tBsO -UHOJAPZNoGPey5UL9ZjjsN6ROUVTh0NAkFwkmnTRwmUvY5bi/T7ulsSkO9BrfqKD -h/pliP7uZANd0ZpPcrIc68WwrelpI1zu0kYGqu/y8HZpuPuAXtGqS2jctrjSieeY -i9wFLnS2tgV3ID4LzEEICSeqVqOvYgGKbarqLkARdxmdRKM9QYpu+5J+YQIDAQAB -o4GvMIGsMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgEGMB0GA1UdDgQWBBR2 -KqikMafGcY8wJbwCZpvLF1SNIDBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p +BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu984h2mkpbWJZc9Ydka6jC84EkPz +w6tqtEkIdftEawgc5gvlC80JXLTwnQySMTb49KByyt44S59ZWE6SHHV0u2P2ihiw +1duoY7NE+RZwODEsWVgnDRZmyume2Bj+Hpkugm6o+rL7jiGxhvNLeoFZK3RyD6IR +IcEfZeAv7URGz7xdrzmK/vWXukfEnU8DlrFDSQUb3NaJS5tVVVLFuTWQBSjuT3NX +7mdNHnpjcwT9/ruyOaNQ0DV2Bgz1nCiOup+oW396/AInb03CQ+wIqQpB9reWma0w +F0Bc9lZxnv9ppYgBPsOTjE3yyyeTptzk9Gw+DFV1cw8Crm+aew5VH18oEwIDAQAB +o4GvMIGsMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgEGMB0GA1UdDgQWBBSK +cODKpRxkbyuSuXNcAayQG/35NTBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p 891UIKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3 -YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBDzANBgkqhkiG9w0BAQsF -AAOCAQEAsHR1vDlz2sPQpD9xnt1PL4qX7XWSSM6d+QG3cjdiKCjH8t78ecEm1duv -YozLg6SYHGUF9qYuPz2SAZjQjmIWLlkQpBfQm8/orG+jbsQl5HkXFYX0UWAKZFGx -rjHnOzmQxnmIWHky4uMDT/UmhmWy6kuCmZbKeeOqkBR2gVxfLyzelTSbF4ntEm1C -1XqqtM4OfTOD5QUPD+6rZ5RoIPId9+2A8pJ2NyCUCf47FbkmYzU5+oiChhcGzsC5 -wDlgP32NA88kSiSJ2p2ZveYveRqcyZXZDAiTxRaIwJY0bt2Dk4wKicvy6vPdLA5v -DSlBqDpnqK8tEI9V9YeroihTcygrEg== +YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBIDANBgkqhkiG9w0BAQsF +AAOCAQEAMtm7ldvd45818Ghl8+Z7PfCnRXDPbikyCJn5PXkuR3TSB62ekJSGT1Rd +i2rnDoIZpfSzDQSpKH616MuWtwJoomJh8n9wCzbdUv1sn1cfgjDSkgLqIbm/Xpc4 +zUcHnZFdwvMr3sq/xSO/SgkfgTHi8bFLLp2RQwPNsNycT94nNE7DRjSeRenpuEPM +4t4xIZCoUyX3sdusHvh+dDu4iuIVQoM0zaW9p7pVh210ALt0jac3HW0rQXtbfchE +VeuDLZ0G7baFZ9LLLWpuQB4zPRUET7puvzabsf+sHpO54y+zXRaB0tbiFIurt4gF +5n7mN4ssNQdcD86W5lnI9pT5s1uvdw== -----END CERTIFICATE----- diff --git a/testing/tests/ikev2/nat-rw-mark/evaltest.dat b/testing/tests/ikev2/nat-rw-mark/evaltest.dat index bb8e856cc..c5390fbb6 100644 --- a/testing/tests/ikev2/nat-rw-mark/evaltest.dat +++ b/testing/tests/ikev2/nat-rw-mark/evaltest.dat @@ -1,7 +1,7 @@ alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*sun.strongswan.org::YES venus::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*venus.strongswan.org.*sun.strongswan.org::YES -alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES -venus::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES +alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES +venus::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES sun:: ipsec status 2> /dev/null::alice.*ESTABLISHED.*sun.strongswan.org.*alice@strongswan.org::YES sun:: ipsec status 2> /dev/null::venus.*ESTABLISHED.*sun.strongswan.org.*venus.strongswan.org::YES sun:: ipsec statusall 2> /dev/null::alice.*10.2.0.0/16 === 10.1.0.0/25::YES diff --git a/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/mark_updown b/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/mark_updown index 421335ffb..e0c15f56a 100755 --- a/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/mark_updown +++ b/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/mark_updown @@ -1,4 +1,4 @@ -#! /bin/sh +#!/bin/sh # updown script setting inbound marks on ESP traffic in the mangle chain # # Copyright (C) 2003-2004 Nigel Meteringham @@ -22,8 +22,6 @@ # that, and use the (left/right)updown parameters in ipsec.conf to make # strongSwan use yours instead of this default one. -# things that this script gets (from ipsec_pluto(8) man page) -# # PLUTO_VERSION # indicates what version of this interface is being # used. This document describes version 1.1. This @@ -41,15 +39,20 @@ # is the name of the connection for which we are # routing. # -# PLUTO_NEXT_HOP -# is the next hop to which packets bound for the peer -# must be sent. -# # PLUTO_INTERFACE # is the name of the ipsec interface to be used. # # PLUTO_REQID -# is the requid of the ESP policy +# is the requid of the AH|ESP policy +# +# PLUTO_PROTO +# is the negotiated IPsec protocol, ah|esp +# +# PLUTO_IPCOMP +# is not empty if IPComp was negotiated +# +# PLUTO_UNIQUEID +# is the unique identifier of the associated IKE_SA # # PLUTO_ME # is the IP address of our host. @@ -63,15 +66,6 @@ # host's own IP address / max (where max is 32 for # IPv4 and 128 for IPv6). # -# PLUTO_MY_CLIENT_NET -# is the IP address of our client net. If the client -# is just the host, this will be the host's own IP -# address. -# -# PLUTO_MY_CLIENT_MASK -# is the mask for our client net. If the client is -# just the host, this will be 255.255.255.255. -# # PLUTO_MY_SOURCEIP # PLUTO_MY_SOURCEIP4_$i # PLUTO_MY_SOURCEIP6_$i @@ -85,7 +79,8 @@ # # PLUTO_MY_PORT # is the UDP/TCP port to which the IPsec SA is -# restricted on our side. +# restricted on our side. For ICMP/ICMPv6 this contains the +# message type, and PLUTO_PEER_PORT the message code. # # PLUTO_PEER # is the IP address of our peer. @@ -93,31 +88,19 @@ # PLUTO_PEER_ID # is the ID of our peer. # -# PLUTO_PEER_CA -# is the CA which issued the cert of our peer. -# # PLUTO_PEER_CLIENT # is the IP address / count of the peer's client sub- # net. If the client is just the peer, this will be # the peer's own IP address / max (where max is 32 # for IPv4 and 128 for IPv6). # -# PLUTO_PEER_CLIENT_NET -# is the IP address of the peer's client net. If the -# client is just the peer, this will be the peer's -# own IP address. -# -# PLUTO_PEER_CLIENT_MASK -# is the mask for the peer's client net. If the -# client is just the peer, this will be -# 255.255.255.255. -# # PLUTO_PEER_PROTOCOL # is the IP protocol that will be transported. # # PLUTO_PEER_PORT # is the UDP/TCP port to which the IPsec SA is -# restricted on the peer side. +# restricted on the peer side. For ICMP/ICMPv6 this contains the +# message code, and PLUTO_MY_PORT the message type. # # PLUTO_XAUTH_ID # is an optional user ID employed by the XAUTH protocol @@ -143,7 +126,7 @@ PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin:/usr/local/sbin" export PATH -# uncomment to log VPN connections +# comment to disable logging VPN connections to syslog VPN_LOGGING=1 # # tag put in front of each log entry: @@ -157,21 +140,11 @@ FAC_PRIO=local0.notice # # local0.notice -/var/log/vpn -# in order to use source IP routing the Linux kernel options -# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES -# must be enabled -# -# special routing table for sourceip routes -SOURCEIP_ROUTING_TABLE=220 -# -# priority of the sourceip routing table -SOURCEIP_ROUTING_TABLE_PRIO=220 - # check interface version case "$PLUTO_VERSION" in -1.[0|1]) # Older Pluto?!? Play it safe, script may be using new features. +1.[0|1]) # Older release?!? Play it safe, script may be using new features. echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2 - echo "$0: called by obsolete Pluto?" >&2 + echo "$0: called by obsolete release?" >&2 exit 2 ;; 1.*) ;; @@ -193,119 +166,45 @@ custom:*) # custom parameters (see above CAUTION comment) ;; esac -# utility functions for route manipulation -# Meddling with this stuff should not be necessary and requires great care. -uproute() { - doroute add - ip route flush cache -} -downroute() { - doroute delete - ip route flush cache -} - -addsource() { - st=0 - if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local - then - it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE" - oops="`eval $it 2>&1`" - st=$? - if test " $oops" = " " -a " $st" != " 0" - then - oops="silent error, exit status $st" - fi - if test " $oops" != " " -o " $st" != " 0" - then - echo "$0: addsource \`$it' failed ($oops)" >&2 - fi - fi - return $st -} - -doroute() { - st=0 - - if [ -z "$PLUTO_MY_SOURCEIP" ] - then - for dir in /etc/sysconfig /etc/conf.d; do - if [ -f "$dir/defaultsource" ] - then - . "$dir/defaultsource" - fi - done - - if [ -n "$DEFAULTSOURCE" ] - then - PLUTO_MY_SOURCEIP=$DEFAULTSOURCE - fi - fi - - if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ] - then - # leave because no route entry is required - return $st - fi +IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID" +IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" +IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" - parms1="$PLUTO_PEER_CLIENT" +# use protocol specific options to set ports +case "$PLUTO_MY_PROTOCOL" in +1) # ICMP + ICMP_TYPE_OPTION="--icmp-type" + ;; +58) # ICMPv6 + ICMP_TYPE_OPTION="--icmpv6-type" + ;; +*) + ;; +esac - if [ -n "$PLUTO_NEXT_HOP" ] +# are there port numbers? +if [ "$PLUTO_MY_PORT" != 0 ] +then + if [ -n "$ICMP_TYPE_OPTION" ] then - parms2="via $PLUTO_NEXT_HOP" + S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" + D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" else - parms2="via $PLUTO_PEER" - fi - parms2="$parms2 dev $PLUTO_INTERFACE" - - parms3= - if [ -n "$PLUTO_MY_SOURCEIP" ] - then - if test "$1" = "add" - then - addsource - if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE" - then - ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE - fi - fi - parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE" - fi - - case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in - "0.0.0.0/0.0.0.0") - # opportunistic encryption work around - # need to provide route that eclipses default, without - # replacing it. - it="ip route $1 0.0.0.0/1 $parms2 $parms3 && - ip route $1 128.0.0.0/1 $parms2 $parms3" - ;; - *) it="ip route $1 $parms1 $parms2 $parms3" - ;; - esac - oops="`eval $it 2>&1`" - st=$? - if test " $oops" = " " -a " $st" != " 0" - then - oops="silent error, exit status $st" + S_MY_PORT="--sport $PLUTO_MY_PORT" + D_MY_PORT="--dport $PLUTO_MY_PORT" fi - if test " $oops" != " " -o " $st" != " 0" +fi +if [ "$PLUTO_PEER_PORT" != 0 ] +then + if [ -n "$ICMP_TYPE_OPTION" ] then - echo "$0: doroute \`$it' failed ($oops)" >&2 + # the syntax is --icmp[v6]-type type[/code], so add it to the existing option + S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT" + D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT" + else + S_PEER_PORT="--sport $PLUTO_PEER_PORT" + D_PEER_PORT="--dport $PLUTO_PEER_PORT" fi - return $st -} - -# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY -if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ] -then - KLIPS=1 - IPSEC_POLICY_IN="" - IPSEC_POLICY_OUT="" -else - KLIPS= - IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID" - IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" - IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" fi # is there an inbound mark to be set? @@ -313,82 +212,18 @@ if [ -n "$PLUTO_MARK_IN" ] then if [ -n "$PLUTO_UDP_ENC" ] then - SET_MARK="-p udp --sport $PLUTO_UDP_ENC" + SET_MARK="-p udp --sport $PLUTO_UDP_ENC" else - SET_MARK="-p esp" + SET_MARK="-p $PLUTO_PROTO" fi SET_MARK="$SET_MARK -s $PLUTO_PEER -j MARK --set-mark $PLUTO_MARK_IN" fi -# are there port numbers? -if [ "$PLUTO_MY_PORT" != 0 ] -then - S_MY_PORT="--sport $PLUTO_MY_PORT" - D_MY_PORT="--dport $PLUTO_MY_PORT" -fi -if [ "$PLUTO_PEER_PORT" != 0 ] -then - S_PEER_PORT="--sport $PLUTO_PEER_PORT" - D_PEER_PORT="--dport $PLUTO_PEER_PORT" -fi - # resolve octal escape sequences PLUTO_MY_ID=`printf "$PLUTO_MY_ID"` PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"` -# the big choice case "$PLUTO_VERB:$1" in -prepare-host:*|prepare-client:*) - if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ] - then - # exit because no route will be added, - # so that existing routes can stay - exit 0 - fi - - # delete possibly-existing route (preliminary to adding a route) - case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in - "0.0.0.0/0.0.0.0") - # need to provide route that eclipses default, without - # replacing it. - parms1="0.0.0.0/1" - parms2="128.0.0.0/1" - it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1" - oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`" - ;; - *) - parms="$PLUTO_PEER_CLIENT" - it="ip route delete $parms 2>&1" - oops="`ip route delete $parms 2>&1`" - ;; - esac - status="$?" - if test " $oops" = " " -a " $status" != " 0" - then - oops="silent error, exit status $status" - fi - case "$oops" in - *'RTNETLINK answers: No such process'*) - # This is what route (currently -- not documented!) gives - # for "could not find such a route". - oops= - status=0 - ;; - esac - if test " $oops" != " " -o " $status" != " 0" - then - echo "$0: \`$it' failed ($oops)" >&2 - fi - exit $status - ;; -route-host:*|route-client:*) - # connection to me or my client subnet being routed - uproute - ;; -unroute-host:*|unroute-client:*) - # connection to me or my client subnet being unrouted - downroute - ;; up-host:) # connection to me coming up # If you are doing a custom version, firewall commands go here. @@ -403,6 +238,14 @@ up-host:) -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # + # allow IPIP traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed) + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec host connection setup if [ $VPN_LOGGING ] then @@ -430,6 +273,13 @@ down-host:) -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # + # IPIP exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec host connection teardown if [ $VPN_LOGGING ] then @@ -472,6 +322,15 @@ up-client:) -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT fi # + # allow IPIP traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed). + # INPUT is correct here even for forwarded traffic. + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec client connection setup if [ $VPN_LOGGING ] then @@ -518,6 +377,13 @@ down-client:) $IPSEC_POLICY_OUT -j ACCEPT fi # + # IPIP exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec client connection teardown if [ $VPN_LOGGING ] then diff --git a/testing/tests/ikev2/nat-rw-psk/evaltest.dat b/testing/tests/ikev2/nat-rw-psk/evaltest.dat index 6ec29c779..86fc1975e 100644 --- a/testing/tests/ikev2/nat-rw-psk/evaltest.dat +++ b/testing/tests/ikev2/nat-rw-psk/evaltest.dat @@ -1,6 +1,6 @@ -alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES -venus::ipsec status 2> /dev/null::nat-t.*INSTALLED. TUNNEL, ESP in UDP::YES -sun:: ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES +alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES +venus::ipsec status 2> /dev/null::nat-t.*INSTALLED. TUNNEL.*ESP in UDP::YES +sun:: ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES sun:: ipsec status 2> /dev/null::nat-t.*\[PH_IP_ALICE\]::YES sun:: ipsec status 2> /dev/null::nat-t.*\[PH_IP_VENUS\]::YES alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES diff --git a/testing/tests/ikev2/nat-rw/evaltest.dat b/testing/tests/ikev2/nat-rw/evaltest.dat index 387dbae23..36d9f8456 100644 --- a/testing/tests/ikev2/nat-rw/evaltest.dat +++ b/testing/tests/ikev2/nat-rw/evaltest.dat @@ -2,10 +2,10 @@ alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*sun. venus::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*venus.strongswan.org.*sun.strongswan.org::YES sun:: ipsec status 2> /dev/null::nat-t\[1]: ESTABLISHED.*sun.strongswan.org.*alice@strongswan.org::YES sun:: ipsec status 2> /dev/null::nat-t\[2]: ESTABLISHED.*sun.strongswan.org.*venus.strongswan.org::YES -alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES -venus::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES -sun:: ipsec status 2> /dev/null::nat-t[{]1}.*INSTALLED, TUNNEL, ESP in UDP::YES -sun:: ipsec status 2> /dev/null::nat-t[{]2}.*INSTALLED, TUNNEL, ESP in UDP::YES +alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES +venus::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL.*ESP in UDP::YES +sun:: ipsec status 2> /dev/null::nat-t[{]1}.*INSTALLED, TUNNEL.*ESP in UDP::YES +sun:: ipsec status 2> /dev/null::nat-t[{]2}.*INSTALLED, TUNNEL.*ESP in UDP::YES alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES moon:: sleep 6::no output expected::NO diff --git a/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/nat_updown b/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/nat_updown index aab1df687..1afd70df8 100755 --- a/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/nat_updown +++ b/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/nat_updown @@ -1,4 +1,4 @@ -#! /bin/sh +#!/bin/sh # NAT updown script # # Copyright (C) 2010 Andreas Steffen <andreas.steffen@strongswan.org> @@ -13,8 +13,6 @@ # or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License # for more details. -# things that this script gets (from ipsec_pluto(8) man page) -# # PLUTO_VERSION # indicates what version of this interface is being # used. This document describes version 1.1. This @@ -32,15 +30,20 @@ # is the name of the connection for which we are # routing. # -# PLUTO_NEXT_HOP -# is the next hop to which packets bound for the peer -# must be sent. -# # PLUTO_INTERFACE # is the name of the ipsec interface to be used. # # PLUTO_REQID -# is the requid of the ESP policy +# is the requid of the AH|ESP policy +# +# PLUTO_PROTO +# is the negotiated IPsec protocol, ah|esp +# +# PLUTO_IPCOMP +# is not empty if IPComp was negotiated +# +# PLUTO_UNIQUEID +# is the unique identifier of the associated IKE_SA # # PLUTO_ME # is the IP address of our host. @@ -54,25 +57,21 @@ # host's own IP address / max (where max is 32 for # IPv4 and 128 for IPv6). # -# PLUTO_MY_CLIENT_NET -# is the IP address of our client net. If the client -# is just the host, this will be the host's own IP -# address. -# -# PLUTO_MY_CLIENT_MASK -# is the mask for our client net. If the client is -# just the host, this will be 255.255.255.255. -# # PLUTO_MY_SOURCEIP -# if non-empty, then the source address for the route will be -# set to this IP address. +# PLUTO_MY_SOURCEIP4_$i +# PLUTO_MY_SOURCEIP6_$i +# contains IPv4/IPv6 virtual IP received from a responder, +# $i enumerates from 1 to the number of IP per address family. +# PLUTO_MY_SOURCEIP is a legacy variable and equals to the first +# virtual IP, IPv4 or IPv6. # # PLUTO_MY_PROTOCOL # is the IP protocol that will be transported. # # PLUTO_MY_PORT # is the UDP/TCP port to which the IPsec SA is -# restricted on our side. +# restricted on our side. For ICMP/ICMPv6 this contains the +# message type, and PLUTO_PEER_PORT the message code. # # PLUTO_PEER # is the IP address of our peer. @@ -80,31 +79,38 @@ # PLUTO_PEER_ID # is the ID of our peer. # -# PLUTO_PEER_CA -# is the CA which issued the cert of our peer. -# # PLUTO_PEER_CLIENT # is the IP address / count of the peer's client sub- # net. If the client is just the peer, this will be # the peer's own IP address / max (where max is 32 # for IPv4 and 128 for IPv6). # -# PLUTO_PEER_CLIENT_NET -# is the IP address of the peer's client net. If the -# client is just the peer, this will be the peer's -# own IP address. -# -# PLUTO_PEER_CLIENT_MASK -# is the mask for the peer's client net. If the -# client is just the peer, this will be -# 255.255.255.255. -# # PLUTO_PEER_PROTOCOL # is the IP protocol that will be transported. # # PLUTO_PEER_PORT # is the UDP/TCP port to which the IPsec SA is -# restricted on the peer side. +# restricted on the peer side. For ICMP/ICMPv6 this contains the +# message code, and PLUTO_MY_PORT the message type. +# +# PLUTO_XAUTH_ID +# is an optional user ID employed by the XAUTH protocol +# +# PLUTO_MARK_IN +# is an optional XFRM mark set on the inbound IPsec SA +# +# PLUTO_MARK_OUT +# is an optional XFRM mark set on the outbound IPsec SA +# +# PLUTO_UDP_ENC +# contains the remote UDP port in the case of ESP_IN_UDP +# encapsulation +# +# PLUTO_DNS4_$i +# PLUTO_DNS6_$i +# contains IPv4/IPv6 DNS server attribute received from a +# responder, $i enumerates from 1 to the number of servers per +# address family. # # define a minimum PATH environment in case it is not set @@ -129,22 +135,22 @@ up-client:) # If you are doing a custom version, firewall commands go here. iptables -A FORWARD -i eth1 -o $PLUTO_INTERFACE -s PH_IP_ALICE \ -d $PLUTO_PEER_CLIENT -j ACCEPT - iptables -A FORWARD -o eth1 -i $PLUTO_INTERFACE -d PH_IP_ALICE \ - -s $PLUTO_PEER_CLIENT -j ACCEPT + iptables -A FORWARD -o eth1 -i $PLUTO_INTERFACE -d PH_IP_ALICE \ + -s $PLUTO_PEER_CLIENT -j ACCEPT iptables -t nat -A POSTROUTING -o $PLUTO_INTERFACE -s PH_IP_ALICE \ -d $PLUTO_PEER_CLIENT -j SNAT --to-source $PLUTO_MY_SOURCEIP - echo "inserted NAT rule mapping PH_IP_ALICE to virtual IP $PLUTO_MY_SOURCEIP" >&2 + echo "inserted NAT rule mapping PH_IP_ALICE to virtual IP $PLUTO_MY_SOURCEIP" >&2 ;; down-client:) # connection to my client subnet going down # If you are doing a custom version, firewall commands go here. - iptables -D FORWARD -i eth1 -o $PLUTO_INTERFACE -s PH_IP_ALICE \ - -d $PLUTO_PEER_CLIENT -j ACCEPT - iptables -D FORWARD -o eth1 -i $PLUTO_INTERFACE -d PH_IP_ALICE \ - -s $PLUTO_PEER_CLIENT -j ACCEPT - iptables -t nat -D POSTROUTING -o $PLUTO_INTERFACE -s PH_IP_ALICE \ - -d $PLUTO_PEER_CLIENT -j SNAT --to-source $PLUTO_MY_SOURCEIP - echo "deleted NAT rule mapping PH_IP_ALICE to virtual IP $PLUTO_MY_SOURCEIP" >&2 + iptables -D FORWARD -i eth1 -o $PLUTO_INTERFACE -s PH_IP_ALICE \ + -d $PLUTO_PEER_CLIENT -j ACCEPT + iptables -D FORWARD -o eth1 -i $PLUTO_INTERFACE -d PH_IP_ALICE \ + -s $PLUTO_PEER_CLIENT -j ACCEPT + iptables -t nat -D POSTROUTING -o $PLUTO_INTERFACE -s PH_IP_ALICE \ + -d $PLUTO_PEER_CLIENT -j SNAT --to-source $PLUTO_MY_SOURCEIP + echo "deleted NAT rule mapping PH_IP_ALICE to virtual IP $PLUTO_MY_SOURCEIP" >&2 ;; *) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2 exit 1 diff --git a/testing/tests/ikev2/net2net-cert-sha2/description.txt b/testing/tests/ikev2/net2net-cert-sha2/description.txt new file mode 100644 index 000000000..c659b4c47 --- /dev/null +++ b/testing/tests/ikev2/net2net-cert-sha2/description.txt @@ -0,0 +1,7 @@ +A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up. +The authentication is based on <b>X.509 certificates</b> using SHA-2 to create signatures +as enabled by the IKEv2 Signature Authentication extension described in <b>RFC 7427</b>. +Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically +inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b> +pings client <b>bob</b> located behind gateway <b>sun</b>. diff --git a/testing/tests/ikev2/net2net-cert-sha2/evaltest.dat b/testing/tests/ikev2/net2net-cert-sha2/evaltest.dat new file mode 100644 index 000000000..65737ba1f --- /dev/null +++ b/testing/tests/ikev2/net2net-cert-sha2/evaltest.dat @@ -0,0 +1,9 @@ +moon:: cat /var/log/daemon.log::authentication of.*sun.strongswan.org.*with RSA_EMSA_PKCS1_SHA512 successful::YES +moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES +sun:: cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with RSA_EMSA_PKCS1_SHA384 successful::YES +sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES +moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES +sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/net2net-cert-sha2/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-cert-sha2/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..5af6d2bbc --- /dev/null +++ b/testing/tests/ikev2/net2net-cert-sha2/hosts/moon/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + mobike=no + +conn net-net + left=PH_IP_MOON + leftcert=moonCert.pem + leftauth=rsa-sha384 + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + leftfirewall=yes + right=PH_IP_SUN + rightid=@sun.strongswan.org + rightsubnet=10.2.0.0/16 + auto=add diff --git a/testing/tests/ikev2/net2net-cert-sha2/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-cert-sha2/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..2127105da --- /dev/null +++ b/testing/tests/ikev2/net2net-cert-sha2/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ikev2/net2net-cert-sha2/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-cert-sha2/hosts/sun/etc/ipsec.conf new file mode 100644 index 000000000..3c3d1e51d --- /dev/null +++ b/testing/tests/ikev2/net2net-cert-sha2/hosts/sun/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + mobike=no + +conn net-net + left=PH_IP_SUN + leftcert=sunCert.pem + leftauth=rsa-sha512 + leftid=@sun.strongswan.org + leftsubnet=10.2.0.0/16 + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/ikev2/net2net-cert-sha2/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-cert-sha2/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..2127105da --- /dev/null +++ b/testing/tests/ikev2/net2net-cert-sha2/hosts/sun/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ikev2/net2net-cert-sha2/posttest.dat b/testing/tests/ikev2/net2net-cert-sha2/posttest.dat new file mode 100644 index 000000000..837738fc6 --- /dev/null +++ b/testing/tests/ikev2/net2net-cert-sha2/posttest.dat @@ -0,0 +1,5 @@ +moon::ipsec stop +sun::ipsec stop +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush + diff --git a/testing/tests/ikev2/net2net-cert-sha2/pretest.dat b/testing/tests/ikev2/net2net-cert-sha2/pretest.dat new file mode 100644 index 000000000..81a98fa41 --- /dev/null +++ b/testing/tests/ikev2/net2net-cert-sha2/pretest.dat @@ -0,0 +1,6 @@ +moon::iptables-restore < /etc/iptables.rules +sun::iptables-restore < /etc/iptables.rules +moon::ipsec start +sun::ipsec start +moon::sleep 1 +moon::ipsec up net-net diff --git a/testing/tests/swanctl/net2net-cert-ipv6/test.conf b/testing/tests/ikev2/net2net-cert-sha2/test.conf index 646b8b3e6..afa2accbe 100755..100644 --- a/testing/tests/swanctl/net2net-cert-ipv6/test.conf +++ b/testing/tests/ikev2/net2net-cert-sha2/test.conf @@ -10,7 +10,7 @@ VIRTHOSTS="alice moon winnetou sun bob" # Corresponding block diagram # DIAGRAM="a-m-w-s-b.png" - + # Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="sun" diff --git a/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf index a26295090..6e5c24063 100644 --- a/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf @@ -3,4 +3,5 @@ charon { load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown multiple_authentication = no + signature_authentication = no } diff --git a/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf index a26295090..6e5c24063 100644 --- a/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf @@ -3,4 +3,5 @@ charon { load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown multiple_authentication = no + signature_authentication = no } diff --git a/testing/tests/ikev2/net2net-fragmentation/evaltest.dat b/testing/tests/ikev2/net2net-fragmentation/evaltest.dat index 7f227fd62..c7437c8bb 100644 --- a/testing/tests/ikev2/net2net-fragmentation/evaltest.dat +++ b/testing/tests/ikev2/net2net-fragmentation/evaltest.dat @@ -1,7 +1,7 @@ moon::cat /var/log/daemon.log::IKE_SA_INIT request 0.*FRAG_SUP::YES sun::cat /var/log/daemon.log::IKE_SA_INIT response 0.*FRAG_SUP::YES -moon::cat /var/log/daemon.log::splitting IKE message with length of 1804 bytes into 2 fragments::YES -sun::cat /var/log/daemon.log::splitting IKE message with length of 1596 bytes into 2 fragments::YES +moon::cat /var/log/daemon.log::splitting IKE message with length of .*bytes into 2 fragments::YES +sun::cat /var/log/daemon.log::splitting IKE message with length of .*bytes into 2 fragments::YES moon::cat /var/log/daemon.log::received fragment #1 of 2, waiting for complete IKE message::YES moon::cat /var/log/daemon.log::received fragment #2 of 2, reassembling fragmented IKE message::YES sun::cat /var/log/daemon.log::received fragment #1 of 2, waiting for complete IKE message::YES diff --git a/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.d/certs/moonCert.pem index 7f5f8d703..124e2ae46 100644 --- a/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.d/certs/moonCert.pem +++ b/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.d/certs/moonCert.pem @@ -1,28 +1,28 @@ -----BEGIN CERTIFICATE----- -MIIEuDCCA6CgAwIBAgIBATANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ +MIIEuDCCA6CgAwIBAgIBBTANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwG -A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTA5MTIyMzEzMzM1NloXDTE0 -MTIyMjEzMzM1NlowWDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u +A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTE0MTIyNzA2NDU0MloXDTE5 +MTIyMTA2NDU0MlowWDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u Z1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dh -bi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDTKaLLTmKX45Qm -RjIaBSxBwofzqqkZWtl1mu0cDp6rGWr//hC31OO9MbLeRZBX0UBtuKouceAjdrwG -aK7ChR0Ft+qlLZ6Z9BH2Dna4vTdESsB3Sn+uXuU4WNdwmmJuRBXfl/7h/Rt+34Cs -BP82/RtR4GVpS7u73iSLlN4RaeWdySTqhtYH4cKt1H9MiSbwwomwdLedQo3UoOeU -lkWPrzFKT3gzU4vHr1sgpbF54o/iBr5/YyJpUT9UVeDTffAEMxnAe8/Q/a3pgSLO -wJ3HnSvcSH0w8zuH1YXOtfmqsphkwVBJGiLzUHWlYxVIAoCKdrv4eoSJLqlL5b51 -vGkmL83RAgMBAAGjggGJMIIBhTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNV -HQ4EFgQU5zzmRRlKa8+cm1g4RYg4lKNkQz4wgYwGA1UdIwSBhDCBgYAUIX+n6zfQ +bi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDYeHiAGNal9DT6 +GgCewdXa4Nf/46YgbhZNmSpi/zH+XmA7JLS6eoVt5vJ/LJEHSzkRoEetptAILenu +uakByawEoPZgkCYZgJB9opGEOoWIwTitaF0ZVV8diNQtnl+rkvwPpxWybvIwOwRA +PUIenoQPkVhfd/ALaRl88pG0rcAW0MMSCNuQwELwSIK2rQALs94Qm5yM0bZ+dqV2 +jnSISit5doRZ4vIYghJPKPqFKb1zUw1siCDPev43S+xqwTjhJ0zncq/QigySyivd +D8qs8KMkan+XNx9XSjW14YWp27RVpIeANlikiHh0/St0lBsR+P9sDp+Yvr+U95EK +KOgrqac3AgMBAAGjggGJMIIBhTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNV +HQ4EFgQUQcvdnqQfLJx2utB9szVLhZCmp84wgYwGA1UdIwSBhDCBgYAUIX+n6zfQ owsfodxCBh4RXzzSEBShXqRcMFoxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51 eCBzdHJvbmdTd2FuMRAwDgYDVQQLEwdSRkMzNzc5MR4wHAYDVQQDExVzdHJvbmdT d2FuIFJGQzM3NzkgQ0GCCQDyr+ZHsk6LRjAeBgNVHREEFzAVghNtb29uLnN0cm9u Z3N3YW4ub3JnMBMGA1UdJQQMMAoGCCsGAQUFBwMBMEEGA1UdHwQ6MDgwNqA0oDKG MGh0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbl9yZmMzNzc5LmNy bDBFBggrBgEFBQcBBwEB/wQ2MDQwEgQCAAEwDAMDAAoBAwUAwKgAATAeBAIAAjAY -AxEA/sAAAAAAAAAAAAAAAAAAAQMDAP7BMA0GCSqGSIb3DQEBCwUAA4IBAQBVFKeX -QIH5Zk0dp/7u/V0TKqu5vZ9x6ZrshAZ9nzbLgmSP+++yDXmlQe0D0i2Men4D095S -smFqw1nMWM5oEPpP58+jhCOHzn7InMp+SRRBkX2j06wT9qbynAHiIun/qcdq13w1 -Fs0PiKVQZbbz72mwl9J3Hkj/JkLtOX00wMPqIFU6veeagGiwOW7KkehFUVqoD9+O -vgkHnUti2XzgskEGcEWmE1EYv7Qo0OdZB15oNoUV5i8WelfmWO+nz9/QKciATNoC -kAUVcEV9XY9sSKjazdyG6QfEd3l6lQ+KAt8MnqA89i0yIQ1lg+3Jfe67SMvM1gy6 -Y0Y2hqCja6SsIjVc +AxEA/sAAAAAAAAAAAAAAAAAAAQMDAP7BMA0GCSqGSIb3DQEBCwUAA4IBAQAi0XQL +aEHg8aXBiXSTHuvxDieJB3Q83kpXOry16Ij5PKx9cdM2Gtmxz8YkwPEgq0r7vWNo +830A4CnOJszQyIpY7CIygPj1wy3kFGGPkL7R4p00qSKpCEg8Fq85R4LmiyXIEZ+5 +lUtan7xka4ySMKKocm2rbXHyHXjis8AzU7NZN5QpEMkGLTaQPwHad4FUBFOolNE2 +NLoQ3xp9NPTyqfy1CkCHcyG18yRPciU4m8Cubyb+zBHyBADm9Q0P3++vznsU8LrR +pzjRqS0e+FD2bzdXH/2g7Ge8+b6xzWRVMxZ8e2f5O9jQUY6q4SicuAX8SM/bgDPu +Mc/lk4Nl8pHRO+Xm -----END CERTIFICATE----- diff --git a/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.d/private/moonKey.pem index 8295f97c1..11607c8cb 100644 --- a/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.d/private/moonKey.pem +++ b/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.d/private/moonKey.pem @@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEpAIBAAKCAQEA0ymiy05il+OUJkYyGgUsQcKH86qpGVrZdZrtHA6eqxlq//4Q -t9TjvTGy3kWQV9FAbbiqLnHgI3a8BmiuwoUdBbfqpS2emfQR9g52uL03RErAd0p/ -rl7lOFjXcJpibkQV35f+4f0bft+ArAT/Nv0bUeBlaUu7u94ki5TeEWnlnckk6obW -B+HCrdR/TIkm8MKJsHS3nUKN1KDnlJZFj68xSk94M1OLx69bIKWxeeKP4ga+f2Mi -aVE/VFXg033wBDMZwHvP0P2t6YEizsCdx50r3Eh9MPM7h9WFzrX5qrKYZMFQSRoi -81B1pWMVSAKAina7+HqEiS6pS+W+dbxpJi/N0QIDAQABAoIBAQCSHbx1XB8jJSot -teMTWEMAmgCDHrN2RQQ2ueaaxI8MrED7NK4S1rBkCVDRN2ejLLudcOvpyYikYZPI -B4XuOjgT7ejjNYcK1vXawrVqLhxhGCzIHvftC+MnM2qYk2vLCzfriXyomgD9sOCT -p72GKmxOIq1pyCr228eEApYLjLCDlhso3PrCo7recUq7f56rLjvb4gfcfor6mJUd -yIppZUnDFJnsRXup1G4L9Y9RNYtlkcDqem/Q49d5+AHCYH6R8YI0Iz3JnzZjalsq -+IA6RJqHBTeOpiyCmHlUmVE/3YUm8n7w7RRngMOLjKdiTKHT+8EcHmyUorqW3Yea -zCIe5C6FAoGBAO23egrSbamyWXcIOqx1GX9gzYmQ2nSKYUtRhsE8eNErw0zp4FKv -AA7CAmoWEzjDJPSkUzDAajoZiH8+DIZ4IkwKbYjtq0vr1yCbx/PBKVN/JHGZ/Ao/ -dc/lQrNseza34NBrREN/gUytjefFMJ4YStSZCMuy3gP1Fqk6YCy/dObbAoGBAONn -UqjmZYqoK0+jnGWdPOtXZ4bu8UoHc8/1MaVn3pq8bYh3PayFKpDKtcD1ZeXHCxL2 -1Y+Eid/DoZ2/RZbxT2mhi2mVZZCWc0xuML3Vz0B9bqi3ZfRLVP2u87fn//mGrD+9 -yy9PeIBv8UvjOhev6hZDBhPAVMsyjiw+wSX6kW/DAoGBAMBcrbSeLcGZok3xadFu -fPCXvBtrDWwrIqpZUauDLN1PBZ5yz2T5WhmXI28HaAyR1ZDmfK9BtXRIfy1AX9Bc -3JweAB9C/E/Wi+JGTVrR34hCpZIMImmEiuhtxDj/OwG/cHwXoUjhoBcVhnScHEiC -reM152k21/Pp26mbpIHxeD7rAoGAaRy4S5P7uaTUKEKzJxEQOKQ1GVzXMWXSdXyb -zx38+j9AzgR4AIepTjY03xVPXW+swb5Qpr8Xz9Oon7bq3sN59pSSUWKaCMRSVTDV -3Nm4q9GO1fO377zmc0BsLUTSwC8s7WW4Ro0QYSXdPjuw/YP1ywZ+B6EuUKJ0ryTu -uLRih2sCgYBm15N97b7Rp+aAti045iBla9/KH8z7szczIndpFWR4wjaI9tt0i9GR -OZs7LFq0MYdg8JiXITyVcuqsUbdAP3TvsXGDHdatbDcrXM/DYuP6dPqMuGBKdnEn -gIFT1z8mhv4Im3JKpuckMrIQ5vWhljcRZgiEJYZfEAkLJo7ePG2VzA== +MIIEowIBAAKCAQEA2Hh4gBjWpfQ0+hoAnsHV2uDX/+OmIG4WTZkqYv8x/l5gOyS0 +unqFbebyfyyRB0s5EaBHrabQCC3p7rmpAcmsBKD2YJAmGYCQfaKRhDqFiME4rWhd +GVVfHYjULZ5fq5L8D6cVsm7yMDsEQD1CHp6ED5FYX3fwC2kZfPKRtK3AFtDDEgjb +kMBC8EiCtq0AC7PeEJucjNG2fnaldo50iEoreXaEWeLyGIISTyj6hSm9c1MNbIgg +z3r+N0vsasE44SdM53Kv0IoMksor3Q/KrPCjJGp/lzcfV0o1teGFqdu0VaSHgDZY +pIh4dP0rdJQbEfj/bA6fmL6/lPeRCijoK6mnNwIDAQABAoIBAAutG9rU/CcBcCYZ +ZvUpQW7H9/6uedR/+6X94AJs/3ZYAtrN1Q3F9BKEhYoEjmIVVaO0wIkGWWxHhbnB +u/MDvMqXIBL/U37Gp4SPU0gNnAxPV85KtdLa/wFp0wAO7dwkVoJFoe74+wlM9aK9 +ayaZqEfqsBieMI19Asnxj5huUtEoIiU9ekz6HLeALwy6OxJLrempDugDe2icaWSt +pLIU3ZXmzVbOFLNtq+KMpanQzamAvSTUq5Wmuz+C6nTEv+JjGWFblX8pM2ACA6cV +VouefUFfKpMXjHTlsvw0JiDzLeYRxRZZMxnTxzbnoigZfW6ZDxP2w9KRv/7LuSj/ +ktqfVKkCgYEA8qlkPka0cfIKcjloe6oNEMt0dX6V+5LmS59DRnnhu+6FuIVncS7/ +intBGag603wJvGlA7HuUAZbcr4ilDIe1cUm0d8rftjvw0uOBU/gfNVmxhpFzs8Ku +4Fry6lKow1ecqFQ1i4VZi2qQJVv3m6tRojMTh6xVA9/FLD9iiu3V2dMCgYEA5F6I +HV1sqY2Q8aU48dch+I1ItrqiURwY7qejuIprpXBoRQPQV3OoYgJcKtdlSKrbDGQd +iJmL0aoy/ONThrfOtygQtth/f79ktKZZHja8Ew+0/lzfxMSb69kl6Rxx9OKJILPE +caezhYFGozEKwLddcrqxrSd3Fvz78CVRRiAx2o0CgYEA4g0wh98f24Hpf0zBa2oX +b8zIOWfp2giXply/tBh4U7S4NxN3MHXisaNuGrOf0UEcZLr8MxBP6UcbYB3/+vM0 +8EsD5hBEZKPkDODIqmtazz015jD7QrsaY3/2CJlmA0tLcXe4xbc8mmZzz4mj2Q04 +J8xC5kGAlPJQ4I5PgzJZ4+cCgYAHyqHiPpnCfy3+0KBMwAZMsKVWdq+rDMZc/iM7 +3J0nm9oy4JpvIWcRUPtMCuVNwWaP2aqYSoTWtnPe5PKomgTXgupvEpvnA+SvtS09 +NqjcDaEjPI/16q9XMKV2ep34uPHsx7VgG1SorWx3jOjNAnSRwYTmX35UrnT6EIvh +VJ/e0QKBgCgI41QtJ4ShFxpSdxzy3Gfz/EFTUGIjtmXQe/7GixxoXJkpGXCGhToU +KVF+HUEYKOQ1vX9SNUyY+1LyqO3vj+QzuJ0q4GrtEY7vxDH817QvJLecj5i22Hof +50MqUdow2BnOSFuJvWhR1DdodRX3vh1awod/CoIufnfEI4MuMO6H -----END RSA PRIVATE KEY----- diff --git a/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.d/certs/sunCert.pem b/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.d/certs/sunCert.pem index 9ccd47a2c..a93121da1 100644 --- a/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.d/certs/sunCert.pem +++ b/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.d/certs/sunCert.pem @@ -1,28 +1,28 @@ -----BEGIN CERTIFICATE----- -MIIEtjCCA56gAwIBAgIBAjANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ +MIIEtjCCA56gAwIBAgIBBjANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwG -A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTA5MTIyMzEzMzUyMVoXDTE0 -MTIyMjEzMzUyMVowVzELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u +A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTE0MTIyNzA2NDkwMFoXDTE5 +MTIyMTA2NDkwMFowVzELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u Z1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxGzAZBgNVBAMTEnN1bi5zdHJvbmdzd2Fu -Lm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK1HhvoVh/fM14RE -CTXr4to9ZEeGSqHLl5du+eYZl1fC7qLYaCtlaH+eLfDsCgYpe+XsDLHIxpTK9R6k -XgLP1Jraxz3rtv5qJKkV3aDTjQ2d+cFc0EgiZmn53VEmI/IlcJS/VZzHhNvEJk7H -k0YpoazpGPtNzFGaehV5mXUAeVPx4RH8fjcSiPbuPS3WC7cqtYvVwk97dj05VfEC -VnG+90+eFKztvawBzNGwGQ7xZV7kSiPHNyGAV0qrKvhXZ0VPnm/OEiGCAlIo8uno -Yb/4UMM/a5usCaA9Hgbf8+qqmrzavSUkFEa0y/p9bOBHaqfNP002xktbqBCCodRr -6QgmiysCAwEAAaOCAYgwggGEMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1Ud -DgQWBBTaKhy7PH1ihWsD+3/bJQ3e3Isj+DCBjAYDVR0jBIGEMIGBgBQhf6frN9Cj +Lm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAO+7A6hhF+4kxCv5 +oR9DEpv1gnpGmPpn6i7JfuLGIJ9phQ3bUnSMIx8+mp3JE4SLXINLcyCHilK74tIf +pwYx2K0c2txTFIWLQvBaHWohJ9Sgg4ElVXmSa/b0Nym5FcttdcRgNGd/+DLPs9Tw +ZoieGvJcZWiOBP+xxPbEo2xcoi3GetPN+XSW+m1BvU88Ysrp0o+4+rLPB5iipUB1 +Iksb51SvF4iG4BHfoTKGlHLwVyjJnp7YnYJtjY6Xaw1GbCf6wcwLlq71uoMj39cd +0clncpi/s13K2Sh0YHiCcQD5vIkP9BRmobWAXseBZevYI/rU5dz761EqHf72TRrd +bM3/KycCAwEAAaOCAYgwggGEMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1Ud +DgQWBBTPOzV+XXFm2wEX9j+NxqVXiRBq7TCBjAYDVR0jBIGEMIGBgBQhf6frN9Cj Cx+h3EIGHhFfPNIQFKFepFwwWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4 IHN0cm9uZ1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxHjAcBgNVBAMTFXN0cm9uZ1N3 YW4gUkZDMzc3OSBDQYIJAPKv5keyTotGMB0GA1UdEQQWMBSCEnN1bi5zdHJvbmdz d2FuLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATBBBgNVHR8EOjA4MDagNKAyhjBo dHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW5fcmZjMzc3OS5jcmww RQYIKwYBBQUHAQcBAf8ENjA0MBIEAgABMAwDAwAKAgMFAMCoAAIwHgQCAAIwGAMR -AP7AAAAAAAAAAAAAAAAAAAIDAwD+wjANBgkqhkiG9w0BAQsFAAOCAQEAOqdCIldA -mPp2aAWVPBiKXNrk4VJoIGlwZaUtYNxGQ46wUqAro/taKwZd4B1yvwsX/cHX3Y6j -C1mQtiXw9onJm1qJM1a804U9yPcgdI+9RMiU0hA+aVmyMlS6WQsKFubU17qP2Ljd -4hOwVQ681Hi8zfQjJdYpaO1yLcpy2dkotreJS3wA24ssnskRBI/cuAN0dfbV6SDQ -TK91qz0emHoK3efgtvX4oEpsxI4NrwMstaZSVsHn4npKTGYu82dmPoK6WPblGEHZ -Iavl08lGcYBV5I2ZGuWOekWQzUuBSveV3AFjieeaDIG3Ue3AKaihn6dCLz6l+t7E -dXN+1axy9zQ34g== +AP7AAAAAAAAAAAAAAAAAAAIDAwD+wjANBgkqhkiG9w0BAQsFAAOCAQEAgJDWuKCu +7H/K4U7xFRarSKtj9oMAAsq2vLSQqJTUg6fdTnFIlH3OBPcwEzFwVx30QlQyls1p +nHm/cptV/3cxvqCvdnT2dVspJu+9a5D+zZNeLAtWZuyRN6Nlmeqj1Nnp6eEHEBrg +oXMzmAf0ulzIZJsEVYwJSCXm0AMOlyvoIYqKxty3L2VZ1iAU1z15lnFhcvamraGx +k7yaI9ujVR4xQZOOgh05pUrEKaXI3XR1rIoL3NV3ws/JgHch/CQw/If7x4VQmGcD +yJbKkKn0S18TJr0KhPqbM4+inldEwyX/zjGmlHezy0em5qTRYwupFIQNwZZkTXug +NnBR3lf2HB2lWA== -----END CERTIFICATE----- diff --git a/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.d/private/sunKey.pem b/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.d/private/sunKey.pem index 6e047af69..55f5f8037 100644 --- a/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.d/private/sunKey.pem +++ b/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.d/private/sunKey.pem @@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEowIBAAKCAQEArUeG+hWH98zXhEQJNevi2j1kR4ZKocuXl2755hmXV8Luotho -K2Vof54t8OwKBil75ewMscjGlMr1HqReAs/UmtrHPeu2/mokqRXdoNONDZ35wVzQ -SCJmafndUSYj8iVwlL9VnMeE28QmTseTRimhrOkY+03MUZp6FXmZdQB5U/HhEfx+ -NxKI9u49LdYLtyq1i9XCT3t2PTlV8QJWcb73T54UrO29rAHM0bAZDvFlXuRKI8c3 -IYBXSqsq+FdnRU+eb84SIYICUijy6ehhv/hQwz9rm6wJoD0eBt/z6qqavNq9JSQU -RrTL+n1s4Edqp80/TTbGS1uoEIKh1GvpCCaLKwIDAQABAoIBAHKb86/nm9YPu6B1 -K65phdMZdgFE1oorUenMcid6V7qpaRN2lXfWjAaUxggq5vpqZ9OMjFzu0kHJ99S7 -nJ65fgKqn8vZ42BlLjhUCRH9urb9/Rqi2/RKJHkF1hd9ZZscnlkUMHkRElQVac0D -feqTUKdASdC2BWUYCpW3pwNXO+iD5bA9/wB2J/RYYmm6Qo7UZQU8C0lken/8EOEL -/ch0ID7C5PC0vWvLT0fM9j2JKDq8T6NRhF1MluISGDOp4pW7tEbkHo5I6zD0aPO2 -K9leN3aSUYsOVJk39VXkThwgJ4lqNEXI2xRbtW8sAf7TL1YDxLR2JN3UGvy/By5B -UblJUnECgYEA2nO+iXScKd3qqmHrdXcxf2ExZQr8QgTAsZOkb6LQ9kGQll0lBcFc -T2HlobzOaQktpF44C41zf2QpGDllbpyNT8VyQkI+CJ4pntjtKPkoPkxUeVlciFsm -7THqCGe0zQBWDnXFVfTKR12aRwkhjG+QCQyyaAaV8YztEsDI5SRCjykCgYEAyxAb -t/NTh9DBDrfJCkT21Rm9Ow70vhDaAyQLq3nJMF+BTXYDrnVMmFHCIHd+nbNP0CLs -cV/fWAF6626ko5B6ewPFQ4wXRvtNAiDNZSfeaZgvxCrvoDgVrHWhfwHSXWFqny0o -WHwIJJQvdkLW9BHwbpAQRoD1c2sy7pWIVTEyljMCgYEA0zZXwkUp/FzhWG2moANn -qzZI8N4nOpmnycnrkjiE+6Q27PsQIblrzCDmSnPnyqyiIasrWxgf1Mr95LsR9FmP -U9Ke/6tWmTR7H2e0HgqRO3LHtjCNhBVF1M6O7iN/Lzqk+gQqkUpGDaxVz1rnwgXX -6LgLAwNjFJJiYeBeHRbq98kCgYAwBdg4UbBgf0sY+vftmM+zKAorjGbvCDc25PBp -ljyxVvTSZ+WI/a6mmzdIzFnCW+S1OX0ndt/wBTGXuivvjryYmRSu29OpcscMiMtq -b9pWqKorP2g6QOlHRu5xhfHFKcO4b0qKWpLma7Epy7bgM9njm+htdBQYPrLl37FF -TIRFJwKBgGnZR5rm5iCrcIoAUMlH4/5ye5BPjHDn1NNv7Q7PZR9jhaEuoiBgvk6v -h+YVi9A9nhbaqS4/rumsNPlObeIw78713pendaWCjC4hA0urrJ4fElfuaIyZMyKE -FD64V78iaYVlmwKMJxZUnS1EFzb0XQZM7wxhB/i0wwjh+48rBHbd +MIIEpAIBAAKCAQEA77sDqGEX7iTEK/mhH0MSm/WCekaY+mfqLsl+4sYgn2mFDdtS +dIwjHz6anckThItcg0tzIIeKUrvi0h+nBjHYrRza3FMUhYtC8FodaiEn1KCDgSVV +eZJr9vQ3KbkVy211xGA0Z3/4Ms+z1PBmiJ4a8lxlaI4E/7HE9sSjbFyiLcZ60835 +dJb6bUG9TzxiyunSj7j6ss8HmKKlQHUiSxvnVK8XiIbgEd+hMoaUcvBXKMmentid +gm2NjpdrDUZsJ/rBzAuWrvW6gyPf1x3RyWdymL+zXcrZKHRgeIJxAPm8iQ/0FGah +tYBex4Fl69gj+tTl3PvrUSod/vZNGt1szf8rJwIDAQABAoIBAQDf/YrzXpTva+bn +d7y16wOOORyKh0AUZ9eFk7s8xAZjLEKnqc8nGnEOln39A417AIOWIX8WW85Ac1EB +J5X10ck0JovP5Mh95prK3Egzi3sdzkRQ/MMablb2TUTldQwKIOIyc/lC42zSfQL3 +6Q7Eg4WGAhK2WEwPZNg2AZD4hKz7unK+IAar9uLi39E4iVzDavzwK5y+fsy3HVFD +cJbPWAr4+4teinF5wkRzK7OInwkPc9IrUF/9wp1ZWp/Rc1YEkCVwmu5v7kPzALI0 +SLwYLil8mXfvG0VZjYIlhCSOJJRuw/0JR2cCDJ9WFppK+YKNh+uLoPXhJxbXM8fB +BmCHhpdRAoGBAPpc7DhUQv8mxGCOy9O/ec50GTPj0bWD0WLrJoqvHu+LyN8OwTdG +KMdV4Mp/tpAWbAlKH22/+7P/QCOCwByHQaUisnbkqx+5/JhZsQB7rLAdQ8SHLdj2 +iO2+6cgYPOFm6W4QT7/vl4BHAK4Glw5NPyS5sN9JBTY4bpzFHunsRe27AoGBAPUg +zoUZnZ/6g+8XRSH77aLAbKScMBGusyxfhFAesqaXcrCrg8FG6Wcpuv2HsBE1v0d0 +7/1oJdT+p+uB2V3iZqTOeJeOCVYXgU82NRZl7R8hqYzkD8rFUZVg6hlm2xi+IUpE +ya4itKWIckSvnexEqiBov7k8sPmb7R/7HWGWUOuFAoGADz8PZ5LCDbW3qcWoZfm4 +Gjl5u245PBuN6b82NqXZdW8GyYalf483NoRlTw+d94JWC+7GoTFay6hUqJTyzAn0 +lnDZe2ILhcAWwNRdchEWABeYI+Szhw3kYs4IgJXxRyy0NG6r3J1jlX09bluaYVWU +7dCdE8vnlFi1a7iZXFd2HrcCgYBknEGHqdrjdbw/Hwr2BuQjf91Xtu+X4l+SH+Y7 +yE3FSLX/Q3aBluxntl4Uf2PJvIi0+I8kMGIOyTL827/u4+UDUed3NQop9t3ROEuT +1OP9eiCQPm8o59IzgKK1KF1XC3q4dAFfYslIg/d6r6Ye+pPlV3kRu5Jb8R7jmHsX +uc2ezQKBgQDgouR4ipkb+sQcMKkhzHUEx67aHEVH69v2R9lm8YgPHjvPCA++DgPZ +dwWALnW5wKRfdGy4b1yTIICUgjKIIlD2owJB/J5Z4SzrzbOAEJkNURGAhp6njsf+ +QYRyoXLOb/8jAQqLx9hOB8L2gsRSDddvvYw/DTP2cKM8vJtYFWam+A== -----END RSA PRIVATE KEY----- diff --git a/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/mark_updown b/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/mark_updown index bdba3fb05..e9ab41c7f 100755 --- a/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/mark_updown +++ b/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/mark_updown @@ -1,4 +1,4 @@ -#! /bin/sh +#!/bin/sh # updown script setting inbound marks on ESP traffic in the mangle chain # # Copyright (C) 2003-2004 Nigel Meteringham @@ -22,8 +22,6 @@ # that, and use the (left/right)updown parameters in ipsec.conf to make # strongSwan use yours instead of this default one. -# things that this script gets (from ipsec_pluto(8) man page) -# # PLUTO_VERSION # indicates what version of this interface is being # used. This document describes version 1.1. This @@ -41,15 +39,20 @@ # is the name of the connection for which we are # routing. # -# PLUTO_NEXT_HOP -# is the next hop to which packets bound for the peer -# must be sent. -# # PLUTO_INTERFACE # is the name of the ipsec interface to be used. # # PLUTO_REQID -# is the requid of the ESP policy +# is the requid of the AH|ESP policy +# +# PLUTO_PROTO +# is the negotiated IPsec protocol, ah|esp +# +# PLUTO_IPCOMP +# is not empty if IPComp was negotiated +# +# PLUTO_UNIQUEID +# is the unique identifier of the associated IKE_SA # # PLUTO_ME # is the IP address of our host. @@ -63,15 +66,6 @@ # host's own IP address / max (where max is 32 for # IPv4 and 128 for IPv6). # -# PLUTO_MY_CLIENT_NET -# is the IP address of our client net. If the client -# is just the host, this will be the host's own IP -# address. -# -# PLUTO_MY_CLIENT_MASK -# is the mask for our client net. If the client is -# just the host, this will be 255.255.255.255. -# # PLUTO_MY_SOURCEIP # PLUTO_MY_SOURCEIP4_$i # PLUTO_MY_SOURCEIP6_$i @@ -85,7 +79,8 @@ # # PLUTO_MY_PORT # is the UDP/TCP port to which the IPsec SA is -# restricted on our side. +# restricted on our side. For ICMP/ICMPv6 this contains the +# message type, and PLUTO_PEER_PORT the message code. # # PLUTO_PEER # is the IP address of our peer. @@ -93,31 +88,19 @@ # PLUTO_PEER_ID # is the ID of our peer. # -# PLUTO_PEER_CA -# is the CA which issued the cert of our peer. -# # PLUTO_PEER_CLIENT # is the IP address / count of the peer's client sub- # net. If the client is just the peer, this will be # the peer's own IP address / max (where max is 32 # for IPv4 and 128 for IPv6). # -# PLUTO_PEER_CLIENT_NET -# is the IP address of the peer's client net. If the -# client is just the peer, this will be the peer's -# own IP address. -# -# PLUTO_PEER_CLIENT_MASK -# is the mask for the peer's client net. If the -# client is just the peer, this will be -# 255.255.255.255. -# # PLUTO_PEER_PROTOCOL # is the IP protocol that will be transported. # # PLUTO_PEER_PORT # is the UDP/TCP port to which the IPsec SA is -# restricted on the peer side. +# restricted on the peer side. For ICMP/ICMPv6 this contains the +# message code, and PLUTO_MY_PORT the message type. # # PLUTO_XAUTH_ID # is an optional user ID employed by the XAUTH protocol @@ -186,7 +169,6 @@ fi PLUTO_MY_ID=`printf "$PLUTO_MY_ID"` PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"` -# the big choice case "$PLUTO_VERB:$1" in up-client:) # connection to my client subnet coming up diff --git a/testing/tests/ikev2/reauth-mbb-virtual-ip/description.txt b/testing/tests/ikev2/reauth-mbb-virtual-ip/description.txt new file mode 100644 index 000000000..dfec6a3b6 --- /dev/null +++ b/testing/tests/ikev2/reauth-mbb-virtual-ip/description.txt @@ -0,0 +1,8 @@ +This scenario tests <b>make-before-break reauthentication</b> using overlapping +IKE_SAs by setting the <i>make_before_break</i> strongswan.conf option for +clients using an assigned virtual IP. The initiator <b>carol</b> reauthenticates +the IKE_SA with host <b>moon</b> using <b>ikelifetime=10s</b>, but does not +close the old IKE_SA before the replacement CHILD_SA using the same virtual IP +is in place. A constant ping from <b>carol</b> to client <b>alice</b> +hiding in the subnet behind <b>moon</b> tests if the CHILD_SA works during the +whole procedure. diff --git a/testing/tests/ikev2/reauth-mbb-virtual-ip/evaltest.dat b/testing/tests/ikev2/reauth-mbb-virtual-ip/evaltest.dat new file mode 100644 index 000000000..509457418 --- /dev/null +++ b/testing/tests/ikev2/reauth-mbb-virtual-ip/evaltest.dat @@ -0,0 +1,7 @@ +moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +carol::ipsec status 2> /dev/null::home\[1]: ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +carol::ping -c 8 PH_IP_ALICE::64 bytes from PH_IP_ALICE::YES +moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +carol::ipsec status 2> /dev/null::home\[2]: ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/carol/etc/ipsec.conf new file mode 100644 index 000000000..6447b1cca --- /dev/null +++ b/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/carol/etc/ipsec.conf @@ -0,0 +1,22 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + keylife=20m + ikelifetime=10s + rekeymargin=5s + rekeyfuzz=0% + keyingtries=1 + +conn home + left=PH_IP_CAROL + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftsourceip=%config + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + keyexchange=ikev2 + auto=add diff --git a/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..f89437e43 --- /dev/null +++ b/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/carol/etc/strongswan.conf @@ -0,0 +1,7 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown + + make_before_break = yes +} diff --git a/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..121ea7eab --- /dev/null +++ b/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/moon/etc/ipsec.conf @@ -0,0 +1,20 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=30m + keylife=20m + rekeymargin=0s + keyingtries=1 + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + leftfirewall=yes + right=%any + rightsourceip=10.3.0.0/24 + keyexchange=ikev2 + auto=add diff --git a/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..f585edfca --- /dev/null +++ b/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ikev2/reauth-mbb-virtual-ip/posttest.dat b/testing/tests/ikev2/reauth-mbb-virtual-ip/posttest.dat new file mode 100644 index 000000000..046d4cfdc --- /dev/null +++ b/testing/tests/ikev2/reauth-mbb-virtual-ip/posttest.dat @@ -0,0 +1,4 @@ +moon::ipsec stop +carol::ipsec stop +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/reauth-mbb-virtual-ip/pretest.dat b/testing/tests/ikev2/reauth-mbb-virtual-ip/pretest.dat new file mode 100644 index 000000000..baacc1605 --- /dev/null +++ b/testing/tests/ikev2/reauth-mbb-virtual-ip/pretest.dat @@ -0,0 +1,6 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +moon::ipsec start +carol::ipsec start +carol::sleep 1 +carol::ipsec up home diff --git a/testing/tests/ikev2/reauth-mbb-virtual-ip/test.conf b/testing/tests/ikev2/reauth-mbb-virtual-ip/test.conf new file mode 100644 index 000000000..4a5fc470f --- /dev/null +++ b/testing/tests/ikev2/reauth-mbb-virtual-ip/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev2/reauth-mbb/description.txt b/testing/tests/ikev2/reauth-mbb/description.txt new file mode 100644 index 000000000..ab92d7df8 --- /dev/null +++ b/testing/tests/ikev2/reauth-mbb/description.txt @@ -0,0 +1,7 @@ +This scenario tests <b>make-before-break reauthentication</b> using overlapping +IKE_SAs by setting the <i>make_before_break</i> strongswan.conf option. The +initiator <b>carol</b> reauthenticates the IKE_SA with host <b>moon</b> using +<b>ikelifetime=10s</b>, but does not close the old IKE_SA before the replacement +CHILD_SA is in place. A constant ping from <b>carol</b> to client <b>alice</b> +hiding in the subnet behind <b>moon</b> tests if the CHILD_SA works during the +whole procedure. diff --git a/testing/tests/ikev2/reauth-mbb/evaltest.dat b/testing/tests/ikev2/reauth-mbb/evaltest.dat new file mode 100644 index 000000000..509457418 --- /dev/null +++ b/testing/tests/ikev2/reauth-mbb/evaltest.dat @@ -0,0 +1,7 @@ +moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +carol::ipsec status 2> /dev/null::home\[1]: ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +carol::ping -c 8 PH_IP_ALICE::64 bytes from PH_IP_ALICE::YES +moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +carol::ipsec status 2> /dev/null::home\[2]: ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/reauth-mbb/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/reauth-mbb/hosts/carol/etc/ipsec.conf new file mode 100644 index 000000000..f46405a47 --- /dev/null +++ b/testing/tests/ikev2/reauth-mbb/hosts/carol/etc/ipsec.conf @@ -0,0 +1,21 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + keylife=20m + ikelifetime=10s + rekeymargin=5s + rekeyfuzz=0% + keyingtries=1 + +conn home + left=PH_IP_CAROL + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + keyexchange=ikev2 + auto=add diff --git a/testing/tests/ikev2/reauth-mbb/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/reauth-mbb/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..f89437e43 --- /dev/null +++ b/testing/tests/ikev2/reauth-mbb/hosts/carol/etc/strongswan.conf @@ -0,0 +1,7 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown + + make_before_break = yes +} diff --git a/testing/tests/ikev2/reauth-mbb/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/reauth-mbb/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..2f4557447 --- /dev/null +++ b/testing/tests/ikev2/reauth-mbb/hosts/moon/etc/ipsec.conf @@ -0,0 +1,19 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=30m + keylife=20m + rekeymargin=0s + keyingtries=1 + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + leftfirewall=yes + right=%any + keyexchange=ikev2 + auto=add diff --git a/testing/tests/ikev2/reauth-mbb/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/reauth-mbb/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..f585edfca --- /dev/null +++ b/testing/tests/ikev2/reauth-mbb/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ikev2/reauth-mbb/posttest.dat b/testing/tests/ikev2/reauth-mbb/posttest.dat new file mode 100644 index 000000000..046d4cfdc --- /dev/null +++ b/testing/tests/ikev2/reauth-mbb/posttest.dat @@ -0,0 +1,4 @@ +moon::ipsec stop +carol::ipsec stop +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/reauth-mbb/pretest.dat b/testing/tests/ikev2/reauth-mbb/pretest.dat new file mode 100644 index 000000000..baacc1605 --- /dev/null +++ b/testing/tests/ikev2/reauth-mbb/pretest.dat @@ -0,0 +1,6 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +moon::ipsec start +carol::ipsec start +carol::sleep 1 +carol::ipsec up home diff --git a/testing/tests/ikev2/reauth-mbb/test.conf b/testing/tests/ikev2/reauth-mbb/test.conf new file mode 100644 index 000000000..4a5fc470f --- /dev/null +++ b/testing/tests/ikev2/reauth-mbb/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-aka-id-rsa/evaltest.dat index d59eef513..20f1f132c 100644 --- a/testing/tests/ikev2/rw-eap-aka-id-rsa/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-aka-id-rsa/evaltest.dat @@ -1,4 +1,4 @@ -carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES carol::cat /var/log/daemon.log::server requested EAP_AKA authentication::YES carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES moon:: cat /var/log/daemon.log::received EAP identity.*carol::YES diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-aka-rsa/evaltest.dat index 0ea4e21ab..77e306bf9 100644 --- a/testing/tests/ikev2/rw-eap-aka-rsa/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-aka-rsa/evaltest.dat @@ -1,4 +1,4 @@ -carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES carol::cat /var/log/daemon.log::server requested EAP_AKA authentication::YES carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/ipsec.conf index b4825fb82..c2efc3fcd 100644 --- a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/ipsec.conf @@ -11,7 +11,6 @@ conn %default conn home left=PH_IP_CAROL - leftnexthop=%direct leftid=carol@strongswan.org leftauth=eap leftfirewall=yes diff --git a/testing/tests/ikev2/rw-eap-dynamic/evaltest.dat b/testing/tests/ikev2/rw-eap-dynamic/evaltest.dat index 6a20b8e8c..e09765fb6 100644 --- a/testing/tests/ikev2/rw-eap-dynamic/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-dynamic/evaltest.dat @@ -1,7 +1,7 @@ -carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES carol::cat /var/log/daemon.log::EAP method EAP_MD5 succeeded, no MSK established::YES -dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES +dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES dave:: cat /var/log/daemon.log::requesting EAP_TLS authentication, sending EAP_NAK::YES dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES dave:: cat /var/log/daemon.log::EAP method EAP_TLS succeeded, MSK established::YES diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-framed-ip-radius/evaltest.dat index 1460ec8f9..10ce861b1 100644 --- a/testing/tests/ikev2/rw-eap-framed-ip-radius/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/evaltest.dat @@ -1,4 +1,4 @@ -carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES +carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES moon ::cat /var/log/daemon.log::received EAP identity .*carol::YES carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES @@ -8,7 +8,7 @@ carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*PH_IP_CAROL.*moon.strongswa moon ::ipsec status 2> /dev/null::rw-eap[{]1}.*INSTALLED, TUNNEL::YES carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES -dave ::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES +dave ::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES moon ::cat /var/log/daemon.log::received EAP identity .*dave::YES dave ::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES dave ::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-md5-class-radius/evaltest.dat index aa6d4291b..47a4977a2 100644 --- a/testing/tests/ikev2/rw-eap-md5-class-radius/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-md5-class-radius/evaltest.dat @@ -1,4 +1,4 @@ -carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES +carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES moon ::cat /var/log/daemon.log::received EAP identity .*carol::YES carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES @@ -8,7 +8,7 @@ carol::ipsec status 2> /dev/null::alice.*ESTABLISHED.*PH_IP_CAROL.*moon.strongsw moon ::ipsec status 2> /dev/null::research.*INSTALLED, TUNNEL::YES carol::ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::YES carol::ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::NO -dave ::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES +dave ::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES moon ::cat /var/log/daemon.log::received EAP identity .*dave::YES dave ::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES dave ::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES diff --git a/testing/tests/ikev2/rw-eap-md5-id-prompt/evaltest.dat b/testing/tests/ikev2/rw-eap-md5-id-prompt/evaltest.dat index 42d2c319e..5853deb26 100644 --- a/testing/tests/ikev2/rw-eap-md5-id-prompt/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-md5-id-prompt/evaltest.dat @@ -1,6 +1,6 @@ carol::cat /var/log/daemon.log::configured EAP-Identity carol::YES carol::cat /var/log/daemon.log::added EAP secret for carol moon.strongswan.org::YES -carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES moon:: cat /var/log/daemon.log::authentication of 'PH_IP_CAROL' with EAP successful::YES moon:: cat /var/log/daemon.log::received EAP identity.*carol::YES diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-md5-id-radius/evaltest.dat index 8f813395a..109407b96 100644 --- a/testing/tests/ikev2/rw-eap-md5-id-radius/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-md5-id-radius/evaltest.dat @@ -1,4 +1,4 @@ -carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES +carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES moon:: cat /var/log/daemon.log::received EAP identity .*carol::YES carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/ipsec.conf index 881971e80..87c37f3a3 100644 --- a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/ipsec.conf @@ -11,7 +11,6 @@ conn %default conn home left=PH_IP_CAROL - leftnexthop=%direct leftid=carol@strongswan.org leftauth=eap leftfirewall=yes diff --git a/testing/tests/ikev2/rw-eap-md5-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-md5-radius/evaltest.dat index a8019b3e7..49045c9ef 100644 --- a/testing/tests/ikev2/rw-eap-md5-radius/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-md5-radius/evaltest.dat @@ -1,4 +1,4 @@ -carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/ipsec.conf index b4825fb82..c2efc3fcd 100644 --- a/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/ipsec.conf @@ -11,7 +11,6 @@ conn %default conn home left=PH_IP_CAROL - leftnexthop=%direct leftid=carol@strongswan.org leftauth=eap leftfirewall=yes diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-md5-rsa/evaltest.dat index 84f41fd93..88ab87d29 100644 --- a/testing/tests/ikev2/rw-eap-md5-rsa/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-md5-rsa/evaltest.dat @@ -1,4 +1,4 @@ -carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/ipsec.conf index b4825fb82..c2efc3fcd 100644 --- a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/ipsec.conf @@ -11,7 +11,6 @@ conn %default conn home left=PH_IP_CAROL - leftnexthop=%direct leftid=carol@strongswan.org leftauth=eap leftfirewall=yes diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/evaltest.dat index 010f48315..892fdd6ef 100644 --- a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/evaltest.dat @@ -1,4 +1,4 @@ -carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES +carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES carol::cat /var/log/daemon.log::server requested EAP_MSCHAPV2 authentication::YES carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES moon:: cat /var/log/daemon.log::received EAP identity.*carol::YES diff --git a/testing/tests/ikev2/rw-eap-peap-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-peap-radius/evaltest.dat index 95c29b7f5..d3d97dc38 100644 --- a/testing/tests/ikev2/rw-eap-peap-radius/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-peap-radius/evaltest.dat @@ -1,9 +1,9 @@ -carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES carol::cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES carol::cat /var/log/daemon.log::EAP method EAP_PEAP succeeded, MSK established::YES carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES -dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES +dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES dave:: cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES dave:: cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-sim-id-radius/evaltest.dat index f1a68bc19..0dfc89e07 100644 --- a/testing/tests/ikev2/rw-eap-sim-id-radius/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-sim-id-radius/evaltest.dat @@ -1,4 +1,4 @@ -carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES moon:: cat /var/log/daemon.log::received EAP identity .*228060123456001::YES carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES diff --git a/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat index 21cfe429a..a514f48b7 100644 --- a/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat @@ -1,4 +1,4 @@ -carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-sim-rsa/evaltest.dat index ab27b4510..f33e7bc36 100644 --- a/testing/tests/ikev2/rw-eap-sim-rsa/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-sim-rsa/evaltest.dat @@ -1,4 +1,4 @@ -carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES moon:: ipsec status 2> /dev/null::rw-eap-sim.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/ipsec.conf index b4825fb82..c2efc3fcd 100644 --- a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/ipsec.conf @@ -11,7 +11,6 @@ conn %default conn home left=PH_IP_CAROL - leftnexthop=%direct leftid=carol@strongswan.org leftauth=eap leftfirewall=yes diff --git a/testing/tests/ikev2/rw-eap-tls-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-tls-radius/evaltest.dat index 7584e14dc..75349b031 100644 --- a/testing/tests/ikev2/rw-eap-tls-radius/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-tls-radius/evaltest.dat @@ -1,4 +1,4 @@ -carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with RSA signature successful::YES +carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with RSA.* successful::YES carol::cat /var/log/daemon.log::server requested EAP_TLS authentication::YES carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with EAP successful::YES moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org' with EAP successful::YES diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-ttls-radius/evaltest.dat index a471a2cfa..f250c0cb3 100644 --- a/testing/tests/ikev2/rw-eap-ttls-radius/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-ttls-radius/evaltest.dat @@ -1,9 +1,9 @@ -carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES carol::cat /var/log/daemon.log::server requested EAP_TTLS authentication::YES carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES -dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES +dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES dave:: cat /var/log/daemon.log::server requested EAP_TTLS authentication::YES dave:: cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/mark_updown b/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/mark_updown index 421335ffb..b8b45e3b0 100755 --- a/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/mark_updown +++ b/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/mark_updown @@ -1,4 +1,4 @@ -#! /bin/sh +#!/bin/sh # updown script setting inbound marks on ESP traffic in the mangle chain # # Copyright (C) 2003-2004 Nigel Meteringham @@ -22,8 +22,6 @@ # that, and use the (left/right)updown parameters in ipsec.conf to make # strongSwan use yours instead of this default one. -# things that this script gets (from ipsec_pluto(8) man page) -# # PLUTO_VERSION # indicates what version of this interface is being # used. This document describes version 1.1. This @@ -41,15 +39,20 @@ # is the name of the connection for which we are # routing. # -# PLUTO_NEXT_HOP -# is the next hop to which packets bound for the peer -# must be sent. -# # PLUTO_INTERFACE # is the name of the ipsec interface to be used. # # PLUTO_REQID -# is the requid of the ESP policy +# is the requid of the AH|ESP policy +# +# PLUTO_PROTO +# is the negotiated IPsec protocol, ah|esp +# +# PLUTO_IPCOMP +# is not empty if IPComp was negotiated +# +# PLUTO_UNIQUEID +# is the unique identifier of the associated IKE_SA # # PLUTO_ME # is the IP address of our host. @@ -63,15 +66,6 @@ # host's own IP address / max (where max is 32 for # IPv4 and 128 for IPv6). # -# PLUTO_MY_CLIENT_NET -# is the IP address of our client net. If the client -# is just the host, this will be the host's own IP -# address. -# -# PLUTO_MY_CLIENT_MASK -# is the mask for our client net. If the client is -# just the host, this will be 255.255.255.255. -# # PLUTO_MY_SOURCEIP # PLUTO_MY_SOURCEIP4_$i # PLUTO_MY_SOURCEIP6_$i @@ -85,7 +79,8 @@ # # PLUTO_MY_PORT # is the UDP/TCP port to which the IPsec SA is -# restricted on our side. +# restricted on our side. For ICMP/ICMPv6 this contains the +# message type, and PLUTO_PEER_PORT the message code. # # PLUTO_PEER # is the IP address of our peer. @@ -93,31 +88,19 @@ # PLUTO_PEER_ID # is the ID of our peer. # -# PLUTO_PEER_CA -# is the CA which issued the cert of our peer. -# # PLUTO_PEER_CLIENT # is the IP address / count of the peer's client sub- # net. If the client is just the peer, this will be # the peer's own IP address / max (where max is 32 # for IPv4 and 128 for IPv6). # -# PLUTO_PEER_CLIENT_NET -# is the IP address of the peer's client net. If the -# client is just the peer, this will be the peer's -# own IP address. -# -# PLUTO_PEER_CLIENT_MASK -# is the mask for the peer's client net. If the -# client is just the peer, this will be -# 255.255.255.255. -# # PLUTO_PEER_PROTOCOL # is the IP protocol that will be transported. # # PLUTO_PEER_PORT # is the UDP/TCP port to which the IPsec SA is -# restricted on the peer side. +# restricted on the peer side. For ICMP/ICMPv6 this contains the +# message code, and PLUTO_MY_PORT the message type. # # PLUTO_XAUTH_ID # is an optional user ID employed by the XAUTH protocol @@ -143,7 +126,7 @@ PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin:/usr/local/sbin" export PATH -# uncomment to log VPN connections +# comment to disable logging VPN connections to syslog VPN_LOGGING=1 # # tag put in front of each log entry: @@ -157,21 +140,11 @@ FAC_PRIO=local0.notice # # local0.notice -/var/log/vpn -# in order to use source IP routing the Linux kernel options -# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES -# must be enabled -# -# special routing table for sourceip routes -SOURCEIP_ROUTING_TABLE=220 -# -# priority of the sourceip routing table -SOURCEIP_ROUTING_TABLE_PRIO=220 - # check interface version case "$PLUTO_VERSION" in -1.[0|1]) # Older Pluto?!? Play it safe, script may be using new features. +1.[0|1]) # Older release?!? Play it safe, script may be using new features. echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2 - echo "$0: called by obsolete Pluto?" >&2 + echo "$0: called by obsolete release?" >&2 exit 2 ;; 1.*) ;; @@ -193,119 +166,45 @@ custom:*) # custom parameters (see above CAUTION comment) ;; esac -# utility functions for route manipulation -# Meddling with this stuff should not be necessary and requires great care. -uproute() { - doroute add - ip route flush cache -} -downroute() { - doroute delete - ip route flush cache -} - -addsource() { - st=0 - if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local - then - it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE" - oops="`eval $it 2>&1`" - st=$? - if test " $oops" = " " -a " $st" != " 0" - then - oops="silent error, exit status $st" - fi - if test " $oops" != " " -o " $st" != " 0" - then - echo "$0: addsource \`$it' failed ($oops)" >&2 - fi - fi - return $st -} - -doroute() { - st=0 - - if [ -z "$PLUTO_MY_SOURCEIP" ] - then - for dir in /etc/sysconfig /etc/conf.d; do - if [ -f "$dir/defaultsource" ] - then - . "$dir/defaultsource" - fi - done - - if [ -n "$DEFAULTSOURCE" ] - then - PLUTO_MY_SOURCEIP=$DEFAULTSOURCE - fi - fi - - if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ] - then - # leave because no route entry is required - return $st - fi +IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID" +IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" +IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" - parms1="$PLUTO_PEER_CLIENT" +# use protocol specific options to set ports +case "$PLUTO_MY_PROTOCOL" in +1) # ICMP + ICMP_TYPE_OPTION="--icmp-type" + ;; +58) # ICMPv6 + ICMP_TYPE_OPTION="--icmpv6-type" + ;; +*) + ;; +esac - if [ -n "$PLUTO_NEXT_HOP" ] +# are there port numbers? +if [ "$PLUTO_MY_PORT" != 0 ] +then + if [ -n "$ICMP_TYPE_OPTION" ] then - parms2="via $PLUTO_NEXT_HOP" + S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" + D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" else - parms2="via $PLUTO_PEER" - fi - parms2="$parms2 dev $PLUTO_INTERFACE" - - parms3= - if [ -n "$PLUTO_MY_SOURCEIP" ] - then - if test "$1" = "add" - then - addsource - if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE" - then - ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE - fi - fi - parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE" - fi - - case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in - "0.0.0.0/0.0.0.0") - # opportunistic encryption work around - # need to provide route that eclipses default, without - # replacing it. - it="ip route $1 0.0.0.0/1 $parms2 $parms3 && - ip route $1 128.0.0.0/1 $parms2 $parms3" - ;; - *) it="ip route $1 $parms1 $parms2 $parms3" - ;; - esac - oops="`eval $it 2>&1`" - st=$? - if test " $oops" = " " -a " $st" != " 0" - then - oops="silent error, exit status $st" + S_MY_PORT="--sport $PLUTO_MY_PORT" + D_MY_PORT="--dport $PLUTO_MY_PORT" fi - if test " $oops" != " " -o " $st" != " 0" +fi +if [ "$PLUTO_PEER_PORT" != 0 ] +then + if [ -n "$ICMP_TYPE_OPTION" ] then - echo "$0: doroute \`$it' failed ($oops)" >&2 + # the syntax is --icmp[v6]-type type[/code], so add it to the existing option + S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT" + D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT" + else + S_PEER_PORT="--sport $PLUTO_PEER_PORT" + D_PEER_PORT="--dport $PLUTO_PEER_PORT" fi - return $st -} - -# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY -if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ] -then - KLIPS=1 - IPSEC_POLICY_IN="" - IPSEC_POLICY_OUT="" -else - KLIPS= - IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID" - IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" - IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" fi # is there an inbound mark to be set? @@ -320,75 +219,11 @@ then SET_MARK="$SET_MARK -s $PLUTO_PEER -j MARK --set-mark $PLUTO_MARK_IN" fi -# are there port numbers? -if [ "$PLUTO_MY_PORT" != 0 ] -then - S_MY_PORT="--sport $PLUTO_MY_PORT" - D_MY_PORT="--dport $PLUTO_MY_PORT" -fi -if [ "$PLUTO_PEER_PORT" != 0 ] -then - S_PEER_PORT="--sport $PLUTO_PEER_PORT" - D_PEER_PORT="--dport $PLUTO_PEER_PORT" -fi - # resolve octal escape sequences PLUTO_MY_ID=`printf "$PLUTO_MY_ID"` PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"` -# the big choice case "$PLUTO_VERB:$1" in -prepare-host:*|prepare-client:*) - if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ] - then - # exit because no route will be added, - # so that existing routes can stay - exit 0 - fi - - # delete possibly-existing route (preliminary to adding a route) - case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in - "0.0.0.0/0.0.0.0") - # need to provide route that eclipses default, without - # replacing it. - parms1="0.0.0.0/1" - parms2="128.0.0.0/1" - it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1" - oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`" - ;; - *) - parms="$PLUTO_PEER_CLIENT" - it="ip route delete $parms 2>&1" - oops="`ip route delete $parms 2>&1`" - ;; - esac - status="$?" - if test " $oops" = " " -a " $status" != " 0" - then - oops="silent error, exit status $status" - fi - case "$oops" in - *'RTNETLINK answers: No such process'*) - # This is what route (currently -- not documented!) gives - # for "could not find such a route". - oops= - status=0 - ;; - esac - if test " $oops" != " " -o " $status" != " 0" - then - echo "$0: \`$it' failed ($oops)" >&2 - fi - exit $status - ;; -route-host:*|route-client:*) - # connection to me or my client subnet being routed - uproute - ;; -unroute-host:*|unroute-client:*) - # connection to me or my client subnet being unrouted - downroute - ;; up-host:) # connection to me coming up # If you are doing a custom version, firewall commands go here. @@ -403,6 +238,14 @@ up-host:) -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # + # allow IPIP traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed) + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec host connection setup if [ $VPN_LOGGING ] then @@ -430,6 +273,13 @@ down-host:) -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # + # IPIP exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec host connection teardown if [ $VPN_LOGGING ] then @@ -472,6 +322,15 @@ up-client:) -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT fi # + # allow IPIP traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed). + # INPUT is correct here even for forwarded traffic. + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec client connection setup if [ $VPN_LOGGING ] then @@ -518,6 +377,13 @@ down-client:) $IPSEC_POLICY_OUT -j ACCEPT fi # + # IPIP exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec client connection teardown if [ $VPN_LOGGING ] then diff --git a/testing/tests/ikev2/rw-ntru-bliss/description.txt b/testing/tests/ikev2/rw-ntru-bliss/description.txt new file mode 100644 index 000000000..b81fdb7cf --- /dev/null +++ b/testing/tests/ikev2/rw-ntru-bliss/description.txt @@ -0,0 +1,15 @@ +The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>. +The key exchange is based on NTRU encryption with a cryptographical strength of 128 bit and +192 bit for <b>carol</b> and <b>dave</b>, respectively. Authentication is based on the BLISS +algorithm with strengths 128 bits (BLISS I), 160 bits (BLISS III) and 192 bits (BLISS IV) for +<b>carol</b>, <b>dave</b> and <b>moon</b>, respectively. +<p> +Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKEv2 configuration payload +by using the <b>leftsourceip=%config</b> parameter. The gateway <b>moon</b> assigns virtual +IP addresses from a simple pool defined by <b>rightsourceip=10.3.0.0/28</b> in a monotonously +increasing order. +<p> +<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass +the tunneled traffic. In order to test the tunnels, <b>carol</b> and <b>dave</b> then ping +the client <b>alice</b> behind the gateway <b>moon</b>. The source IP addresses of the two +pings will be the virtual IPs <b>carol1</b> and <b>dave1</b>, respectively. diff --git a/testing/tests/ikev2/rw-ntru-bliss/evaltest.dat b/testing/tests/ikev2/rw-ntru-bliss/evaltest.dat new file mode 100644 index 000000000..5a88b6641 --- /dev/null +++ b/testing/tests/ikev2/rw-ntru-bliss/evaltest.dat @@ -0,0 +1,26 @@ +carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with BLISS_WITH_SHA512 successful::YES +carol::ipsec statusall 2> /dev/null::home.*IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/NTRU_128::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +dave::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with BLISS_WITH_SHA512 successful::YES +dave:: ipsec statusall 2> /dev/null::home.*IKE proposal: AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/NTRU_192::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES +dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with BLISS_WITH_SHA256 successful::YES +moon:: cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with BLISS_WITH_SHA384 successful::YES +moon:: ipsec statusall 2> /dev/null::rw\[1]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/NTRU_128::YES +moon:: ipsec statusall 2> /dev/null::rw\[2]: IKE proposal: AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/NTRU_192::YES +moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::ESP +moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::ESP +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES +alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES +alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES +alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES +alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.conf new file mode 100644 index 000000000..f13e47a71 --- /dev/null +++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + ike=aes128-sha256-ntru128! + esp=aes128-sha256! + authby=pubkey + fragmentation=yes + +conn home + left=PH_IP_CAROL + leftsourceip=%config + leftcert=carolCert.der + leftid=carol@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=moon.strongswan.org + auto=add diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.d/cacerts/strongswan_blissCert.der b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.d/cacerts/strongswan_blissCert.der Binary files differnew file mode 100644 index 000000000..cbc7e09c1 --- /dev/null +++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.d/cacerts/strongswan_blissCert.der diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.d/certs/carolCert.der b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.d/certs/carolCert.der Binary files differnew file mode 100644 index 000000000..491e245dd --- /dev/null +++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.d/certs/carolCert.der diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.d/private/carolKey.der b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.d/private/carolKey.der Binary files differnew file mode 100644 index 000000000..b2831a8ed --- /dev/null +++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.d/private/carolKey.der diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..c2225646d --- /dev/null +++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: BLISS carolKey.der diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..ab824c993 --- /dev/null +++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/strongswan.conf @@ -0,0 +1,7 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes sha1 sha2 random nonce ntru bliss x509 revocation pem pkcs1 curl hmac stroke kernel-netlink socket-default updown + send_vendor_id = yes + fragment_size = 1500 +} diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.conf new file mode 100644 index 000000000..5f605a43d --- /dev/null +++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + ike=aes192-sha384-ntru192! + esp=aes192-sha384! + authby=pubkey + fragmentation=yes + +conn home + left=PH_IP_DAVE + leftsourceip=%config + leftcert=daveCert.der + leftid=dave@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=moon.strongswan.org + auto=add diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.d/cacerts/strongswan_blissCert.der b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.d/cacerts/strongswan_blissCert.der Binary files differnew file mode 100644 index 000000000..cbc7e09c1 --- /dev/null +++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.d/cacerts/strongswan_blissCert.der diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.d/certs/daveCert.der b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.d/certs/daveCert.der Binary files differnew file mode 100644 index 000000000..83a213710 --- /dev/null +++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.d/certs/daveCert.der diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.d/private/daveKey.der b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.d/private/daveKey.der Binary files differnew file mode 100644 index 000000000..0ec528ddf --- /dev/null +++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.d/private/daveKey.der diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.secrets new file mode 100644 index 000000000..fe2643204 --- /dev/null +++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: BLISS daveKey.der diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..ab824c993 --- /dev/null +++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/strongswan.conf @@ -0,0 +1,7 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes sha1 sha2 random nonce ntru bliss x509 revocation pem pkcs1 curl hmac stroke kernel-netlink socket-default updown + send_vendor_id = yes + fragment_size = 1500 +} diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..2a9b33aae --- /dev/null +++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + ike=aes128-sha256-ntru128,aes192-sha384-ntru192! + esp=aes128-sha256,aes192-sha384! + authby=pubkey + fragmentation=yes + +conn rw + left=PH_IP_MOON + leftsubnet=10.1.0.0/16 + leftcert=moonCert.der + leftauth=bliss-sha512 + leftid=moon.strongswan.org + leftfirewall=yes + right=%any + rightsourceip=10.3.0.0/28 + auto=add diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.d/cacerts/strongswan_blissCert.der b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.d/cacerts/strongswan_blissCert.der Binary files differnew file mode 100644 index 000000000..cbc7e09c1 --- /dev/null +++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.d/cacerts/strongswan_blissCert.der diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.d/certs/moonCert.der b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.d/certs/moonCert.der Binary files differnew file mode 100644 index 000000000..1ab7d21f7 --- /dev/null +++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.d/certs/moonCert.der diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.d/private/moonKey.der b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.d/private/moonKey.der Binary files differnew file mode 100644 index 000000000..c989f91e5 --- /dev/null +++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.d/private/moonKey.der diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..b4a9ee68d --- /dev/null +++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: BLISS moonKey.der diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..ab824c993 --- /dev/null +++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/strongswan.conf @@ -0,0 +1,7 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes sha1 sha2 random nonce ntru bliss x509 revocation pem pkcs1 curl hmac stroke kernel-netlink socket-default updown + send_vendor_id = yes + fragment_size = 1500 +} diff --git a/testing/tests/ikev2/rw-ntru-bliss/posttest.dat b/testing/tests/ikev2/rw-ntru-bliss/posttest.dat new file mode 100644 index 000000000..9ba8c5f55 --- /dev/null +++ b/testing/tests/ikev2/rw-ntru-bliss/posttest.dat @@ -0,0 +1,9 @@ +carol::ipsec stop +dave::ipsec stop +moon::ipsec stop +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush +moon::rm /etc/ipsec.d/cacerts/strongswan_blissCert.der +carol::rm /etc/ipsec.d/cacerts/strongswan_blissCert.der +dave::rm /etc/ipsec.d/cacerts/strongswan_blissCert.der diff --git a/testing/tests/ikev2/rw-ntru-bliss/pretest.dat b/testing/tests/ikev2/rw-ntru-bliss/pretest.dat new file mode 100644 index 000000000..24249435e --- /dev/null +++ b/testing/tests/ikev2/rw-ntru-bliss/pretest.dat @@ -0,0 +1,13 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules +moon::rm /etc/ipsec.d/cacerts/strongswanCert.pem +carol::rm /etc/ipsec.d/cacerts/strongswanCert.pem +dave::rm /etc/ipsec.d/cacerts/strongswanCert.pem +carol::ipsec start +dave::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home +dave::ipsec up home +carol::sleep 1 diff --git a/testing/tests/ikev2/rw-ntru-bliss/test.conf b/testing/tests/ikev2/rw-ntru-bliss/test.conf new file mode 100644 index 000000000..164b07ff9 --- /dev/null +++ b/testing/tests/ikev2/rw-ntru-bliss/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon alice" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/evaltest.dat b/testing/tests/ikev2/rw-psk-rsa-mixed/evaltest.dat index ab398a3bb..55b295781 100644 --- a/testing/tests/ikev2/rw-psk-rsa-mixed/evaltest.dat +++ b/testing/tests/ikev2/rw-psk-rsa-mixed/evaltest.dat @@ -2,8 +2,8 @@ moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with pr moon:: cat /var/log/daemon.log::authentication of 'PH_IP_MOON' (myself) with pre-shared key::YES moon:: ipsec status 2> /dev/null::rw-psk.*INSTALLED, TUNNEL::YES carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*\[PH_IP_MOON]::YES -moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with RSA signature successful::YES -moon:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' (myself) with RSA signature successful::YES +moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with RSA.* successful::YES +moon:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' (myself) with RSA.* successful::YES moon:: ipsec status 2> /dev/null::rw-rsasig.*INSTALLED, TUNNEL::YES dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES diff --git a/testing/tests/ikev2/rw-psk-rsa-split/evaltest.dat b/testing/tests/ikev2/rw-psk-rsa-split/evaltest.dat index 1648c9557..1206ea4b7 100644 --- a/testing/tests/ikev2/rw-psk-rsa-split/evaltest.dat +++ b/testing/tests/ikev2/rw-psk-rsa-split/evaltest.dat @@ -1,6 +1,6 @@ moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with pre-shared key successful::YES moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with pre-shared key successful::YES -moon:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' (myself) with RSA signature successful::YES +moon:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' (myself) with RSA.* successful::YES carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES diff --git a/testing/tests/ikev2/rw-radius-accounting/evaltest.dat b/testing/tests/ikev2/rw-radius-accounting/evaltest.dat index ccbc769e2..b192f788f 100644 --- a/testing/tests/ikev2/rw-radius-accounting/evaltest.dat +++ b/testing/tests/ikev2/rw-radius-accounting/evaltest.dat @@ -1,4 +1,4 @@ -carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES +carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES moon:: cat /var/log/daemon.log::received EAP identity .*carol::YES carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-radius-accounting/hosts/carol/etc/ipsec.conf index 438e1c14c..6ebb7c356 100644 --- a/testing/tests/ikev2/rw-radius-accounting/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-radius-accounting/hosts/carol/etc/ipsec.conf @@ -11,7 +11,6 @@ conn %default conn home left=PH_IP_CAROL - leftnexthop=%direct leftid=carol@strongswan.org leftauth=eap leftfirewall=yes diff --git a/testing/tests/ikev2/rw-sig-auth/description.txt b/testing/tests/ikev2/rw-sig-auth/description.txt new file mode 100644 index 000000000..569d7e054 --- /dev/null +++ b/testing/tests/ikev2/rw-sig-auth/description.txt @@ -0,0 +1,10 @@ +The roadwarriors <b>carol</b> an <b>dave</b> set up a connection to gateway +<b>moon</b>. They authenticate themselves using <b>RSA signatures</b> but +they use different hash algorithms. <b>moon</b> uses signature scheme constraints +to only allow access to the <b>research</b> and <b>accounting</b> subnets if +specific algorithms are used. <b>Note:</b> Because the client certificate's are signed +with SHA-256 we have to accept that algorithm too because signature schemes in +<b>rightauth</b> are also used as constraints for the whole certificate chain. +Therefore, <b>carol</b> obtains access to the <b>research</b> subnet behind gateway +<b>moon</b> whereas <b>dave</b> has access to the <b>accounting</b> subnet, but not +vice-versa. diff --git a/testing/tests/ikev2/rw-sig-auth/evaltest.dat b/testing/tests/ikev2/rw-sig-auth/evaltest.dat new file mode 100644 index 000000000..261475f56 --- /dev/null +++ b/testing/tests/ikev2/rw-sig-auth/evaltest.dat @@ -0,0 +1,20 @@ +carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES +moon ::cat /var/log/daemon.log::authentication of .*carol@strongswan.org.* with RSA_EMSA_PKCS1_SHA384 successful::YES +moon ::ipsec status 2> /dev/null::research.*ESTABLISHED.*moon.strongswan.org.*PH_IP_CAROL::YES +carol::ipsec status 2> /dev/null::alice.*ESTABLISHED.*PH_IP_CAROL.*moon.strongswan.org::YES +moon ::ipsec status 2> /dev/null::research.*INSTALLED, TUNNEL::YES +carol::ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::YES +carol::ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::NO +dave ::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES +moon ::cat /var/log/daemon.log::authentication of .*dave@strongswan.org.* with RSA_EMSA_PKCS1_SHA512 successful::YES +moon ::ipsec status 2> /dev/null::accounting.*ESTABLISHED.*moon.strongswan.org.*PH_IP_DAVE::YES +dave ::ipsec status 2> /dev/null::alice.*ESTABLISHED.*PH_IP_DAVE.*moon.strongswan.org::YES +moon ::ipsec status 2> /dev/null::accounting.*INSTALLED, TUNNEL::YES +dave ::ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::NO +dave ::ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/rw-sig-auth/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-sig-auth/hosts/carol/etc/ipsec.conf new file mode 100644 index 000000000..b1aa2d99a --- /dev/null +++ b/testing/tests/ikev2/rw-sig-auth/hosts/carol/etc/ipsec.conf @@ -0,0 +1,29 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn alice + rightsubnet=10.1.0.10/32 + also=home + auto=add + +conn venus + rightsubnet=10.1.0.20/32 + also=home + auto=add + +conn home + left=%any + leftcert=carolCert.pem + leftauth=pubkey-sha384 + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightauth=pubkey diff --git a/testing/tests/ikev2/rw-sig-auth/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-sig-auth/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..044d73ac3 --- /dev/null +++ b/testing/tests/ikev2/rw-sig-auth/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default fips-prf updown +} diff --git a/testing/tests/ikev2/rw-sig-auth/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-sig-auth/hosts/dave/etc/ipsec.conf new file mode 100644 index 000000000..eef3e2622 --- /dev/null +++ b/testing/tests/ikev2/rw-sig-auth/hosts/dave/etc/ipsec.conf @@ -0,0 +1,29 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn alice + rightsubnet=10.1.0.10/32 + also=home + auto=add + +conn venus + rightsubnet=10.1.0.20/32 + also=home + auto=add + +conn home + left=%any + leftcert=daveCert.pem + leftauth=pubkey-sha512 + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightauth=pubkey diff --git a/testing/tests/ikev2/rw-sig-auth/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-sig-auth/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..044d73ac3 --- /dev/null +++ b/testing/tests/ikev2/rw-sig-auth/hosts/dave/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default fips-prf updown +} diff --git a/testing/tests/ikev2/rw-sig-auth/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-sig-auth/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..9f9051eeb --- /dev/null +++ b/testing/tests/ikev2/rw-sig-auth/hosts/moon/etc/ipsec.conf @@ -0,0 +1,30 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn research + rightauth=pubkey-sha384-sha256 + leftsubnet=10.1.0.0/28 + also=rw + auto=add + +conn accounting + rightauth=pubkey-sha512-sha256 + leftsubnet=10.1.0.16/28 + also=rw + auto=add + +conn rw + left=PH_IP_MOON + leftid=@moon.strongswan.org + leftcert=moonCert.pem + leftauth=pubkey + leftfirewall=yes + right=%any diff --git a/testing/tests/ikev2/rw-sig-auth/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-sig-auth/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..e86d6aa5c --- /dev/null +++ b/testing/tests/ikev2/rw-sig-auth/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA moonKey.pem diff --git a/testing/tests/ikev2/rw-sig-auth/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-sig-auth/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..044d73ac3 --- /dev/null +++ b/testing/tests/ikev2/rw-sig-auth/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default fips-prf updown +} diff --git a/testing/tests/ikev2/rw-sig-auth/posttest.dat b/testing/tests/ikev2/rw-sig-auth/posttest.dat new file mode 100644 index 000000000..1865a1c60 --- /dev/null +++ b/testing/tests/ikev2/rw-sig-auth/posttest.dat @@ -0,0 +1,6 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/rw-sig-auth/pretest.dat b/testing/tests/ikev2/rw-sig-auth/pretest.dat new file mode 100644 index 000000000..bec31cc68 --- /dev/null +++ b/testing/tests/ikev2/rw-sig-auth/pretest.dat @@ -0,0 +1,12 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules +moon::ipsec start +carol::ipsec start +dave::ipsec start +carol::sleep 1 +carol::ipsec up alice +carol::ipsec up venus +dave::ipsec up alice +dave::ipsec up venus +dave::sleep 1 diff --git a/testing/tests/ikev2/rw-sig-auth/test.conf b/testing/tests/ikev2/rw-sig-auth/test.conf new file mode 100644 index 000000000..b9e97e43b --- /dev/null +++ b/testing/tests/ikev2/rw-sig-auth/test.conf @@ -0,0 +1,26 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice venus moon carol winnetou moon" + +# Corresponding block diagram +# +DIAGRAM="a-v-m-c-w-d.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" + +# Guest instances on which FreeRadius is started +# +RADIUSHOSTS="" + diff --git a/testing/tests/ikev2/rw-whitelist/evaltest.dat b/testing/tests/ikev2/rw-whitelist/evaltest.dat index 9418d6ee1..3522c3d79 100644 --- a/testing/tests/ikev2/rw-whitelist/evaltest.dat +++ b/testing/tests/ikev2/rw-whitelist/evaltest.dat @@ -1,6 +1,6 @@ moon:: cat /var/log/daemon.log::whitelist functionality was already enabled::YES -moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with RSA signature successful::YES -moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with RSA signature successful::YES +moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with RSA.* successful::YES +moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with RSA.* successful::YES moon:: cat /var/log/daemon.log::peer identity 'dave@strongswan.org' not whitelisted::YES carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.d/certs/moonCert.pem index 7f5f8d703..124e2ae46 100644 --- a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.d/certs/moonCert.pem +++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.d/certs/moonCert.pem @@ -1,28 +1,28 @@ -----BEGIN CERTIFICATE----- -MIIEuDCCA6CgAwIBAgIBATANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ +MIIEuDCCA6CgAwIBAgIBBTANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwG -A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTA5MTIyMzEzMzM1NloXDTE0 -MTIyMjEzMzM1NlowWDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u +A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTE0MTIyNzA2NDU0MloXDTE5 +MTIyMTA2NDU0MlowWDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u Z1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dh -bi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDTKaLLTmKX45Qm -RjIaBSxBwofzqqkZWtl1mu0cDp6rGWr//hC31OO9MbLeRZBX0UBtuKouceAjdrwG -aK7ChR0Ft+qlLZ6Z9BH2Dna4vTdESsB3Sn+uXuU4WNdwmmJuRBXfl/7h/Rt+34Cs -BP82/RtR4GVpS7u73iSLlN4RaeWdySTqhtYH4cKt1H9MiSbwwomwdLedQo3UoOeU -lkWPrzFKT3gzU4vHr1sgpbF54o/iBr5/YyJpUT9UVeDTffAEMxnAe8/Q/a3pgSLO -wJ3HnSvcSH0w8zuH1YXOtfmqsphkwVBJGiLzUHWlYxVIAoCKdrv4eoSJLqlL5b51 -vGkmL83RAgMBAAGjggGJMIIBhTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNV -HQ4EFgQU5zzmRRlKa8+cm1g4RYg4lKNkQz4wgYwGA1UdIwSBhDCBgYAUIX+n6zfQ +bi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDYeHiAGNal9DT6 +GgCewdXa4Nf/46YgbhZNmSpi/zH+XmA7JLS6eoVt5vJ/LJEHSzkRoEetptAILenu +uakByawEoPZgkCYZgJB9opGEOoWIwTitaF0ZVV8diNQtnl+rkvwPpxWybvIwOwRA +PUIenoQPkVhfd/ALaRl88pG0rcAW0MMSCNuQwELwSIK2rQALs94Qm5yM0bZ+dqV2 +jnSISit5doRZ4vIYghJPKPqFKb1zUw1siCDPev43S+xqwTjhJ0zncq/QigySyivd +D8qs8KMkan+XNx9XSjW14YWp27RVpIeANlikiHh0/St0lBsR+P9sDp+Yvr+U95EK +KOgrqac3AgMBAAGjggGJMIIBhTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNV +HQ4EFgQUQcvdnqQfLJx2utB9szVLhZCmp84wgYwGA1UdIwSBhDCBgYAUIX+n6zfQ owsfodxCBh4RXzzSEBShXqRcMFoxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51 eCBzdHJvbmdTd2FuMRAwDgYDVQQLEwdSRkMzNzc5MR4wHAYDVQQDExVzdHJvbmdT d2FuIFJGQzM3NzkgQ0GCCQDyr+ZHsk6LRjAeBgNVHREEFzAVghNtb29uLnN0cm9u Z3N3YW4ub3JnMBMGA1UdJQQMMAoGCCsGAQUFBwMBMEEGA1UdHwQ6MDgwNqA0oDKG MGh0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbl9yZmMzNzc5LmNy bDBFBggrBgEFBQcBBwEB/wQ2MDQwEgQCAAEwDAMDAAoBAwUAwKgAATAeBAIAAjAY -AxEA/sAAAAAAAAAAAAAAAAAAAQMDAP7BMA0GCSqGSIb3DQEBCwUAA4IBAQBVFKeX -QIH5Zk0dp/7u/V0TKqu5vZ9x6ZrshAZ9nzbLgmSP+++yDXmlQe0D0i2Men4D095S -smFqw1nMWM5oEPpP58+jhCOHzn7InMp+SRRBkX2j06wT9qbynAHiIun/qcdq13w1 -Fs0PiKVQZbbz72mwl9J3Hkj/JkLtOX00wMPqIFU6veeagGiwOW7KkehFUVqoD9+O -vgkHnUti2XzgskEGcEWmE1EYv7Qo0OdZB15oNoUV5i8WelfmWO+nz9/QKciATNoC -kAUVcEV9XY9sSKjazdyG6QfEd3l6lQ+KAt8MnqA89i0yIQ1lg+3Jfe67SMvM1gy6 -Y0Y2hqCja6SsIjVc +AxEA/sAAAAAAAAAAAAAAAAAAAQMDAP7BMA0GCSqGSIb3DQEBCwUAA4IBAQAi0XQL +aEHg8aXBiXSTHuvxDieJB3Q83kpXOry16Ij5PKx9cdM2Gtmxz8YkwPEgq0r7vWNo +830A4CnOJszQyIpY7CIygPj1wy3kFGGPkL7R4p00qSKpCEg8Fq85R4LmiyXIEZ+5 +lUtan7xka4ySMKKocm2rbXHyHXjis8AzU7NZN5QpEMkGLTaQPwHad4FUBFOolNE2 +NLoQ3xp9NPTyqfy1CkCHcyG18yRPciU4m8Cubyb+zBHyBADm9Q0P3++vznsU8LrR +pzjRqS0e+FD2bzdXH/2g7Ge8+b6xzWRVMxZ8e2f5O9jQUY6q4SicuAX8SM/bgDPu +Mc/lk4Nl8pHRO+Xm -----END CERTIFICATE----- diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.d/private/moonKey.pem index 8295f97c1..11607c8cb 100644 --- a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.d/private/moonKey.pem +++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/ipsec.d/private/moonKey.pem @@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEpAIBAAKCAQEA0ymiy05il+OUJkYyGgUsQcKH86qpGVrZdZrtHA6eqxlq//4Q -t9TjvTGy3kWQV9FAbbiqLnHgI3a8BmiuwoUdBbfqpS2emfQR9g52uL03RErAd0p/ -rl7lOFjXcJpibkQV35f+4f0bft+ArAT/Nv0bUeBlaUu7u94ki5TeEWnlnckk6obW -B+HCrdR/TIkm8MKJsHS3nUKN1KDnlJZFj68xSk94M1OLx69bIKWxeeKP4ga+f2Mi -aVE/VFXg033wBDMZwHvP0P2t6YEizsCdx50r3Eh9MPM7h9WFzrX5qrKYZMFQSRoi -81B1pWMVSAKAina7+HqEiS6pS+W+dbxpJi/N0QIDAQABAoIBAQCSHbx1XB8jJSot -teMTWEMAmgCDHrN2RQQ2ueaaxI8MrED7NK4S1rBkCVDRN2ejLLudcOvpyYikYZPI -B4XuOjgT7ejjNYcK1vXawrVqLhxhGCzIHvftC+MnM2qYk2vLCzfriXyomgD9sOCT -p72GKmxOIq1pyCr228eEApYLjLCDlhso3PrCo7recUq7f56rLjvb4gfcfor6mJUd -yIppZUnDFJnsRXup1G4L9Y9RNYtlkcDqem/Q49d5+AHCYH6R8YI0Iz3JnzZjalsq -+IA6RJqHBTeOpiyCmHlUmVE/3YUm8n7w7RRngMOLjKdiTKHT+8EcHmyUorqW3Yea -zCIe5C6FAoGBAO23egrSbamyWXcIOqx1GX9gzYmQ2nSKYUtRhsE8eNErw0zp4FKv -AA7CAmoWEzjDJPSkUzDAajoZiH8+DIZ4IkwKbYjtq0vr1yCbx/PBKVN/JHGZ/Ao/ -dc/lQrNseza34NBrREN/gUytjefFMJ4YStSZCMuy3gP1Fqk6YCy/dObbAoGBAONn -UqjmZYqoK0+jnGWdPOtXZ4bu8UoHc8/1MaVn3pq8bYh3PayFKpDKtcD1ZeXHCxL2 -1Y+Eid/DoZ2/RZbxT2mhi2mVZZCWc0xuML3Vz0B9bqi3ZfRLVP2u87fn//mGrD+9 -yy9PeIBv8UvjOhev6hZDBhPAVMsyjiw+wSX6kW/DAoGBAMBcrbSeLcGZok3xadFu -fPCXvBtrDWwrIqpZUauDLN1PBZ5yz2T5WhmXI28HaAyR1ZDmfK9BtXRIfy1AX9Bc -3JweAB9C/E/Wi+JGTVrR34hCpZIMImmEiuhtxDj/OwG/cHwXoUjhoBcVhnScHEiC -reM152k21/Pp26mbpIHxeD7rAoGAaRy4S5P7uaTUKEKzJxEQOKQ1GVzXMWXSdXyb -zx38+j9AzgR4AIepTjY03xVPXW+swb5Qpr8Xz9Oon7bq3sN59pSSUWKaCMRSVTDV -3Nm4q9GO1fO377zmc0BsLUTSwC8s7WW4Ro0QYSXdPjuw/YP1ywZ+B6EuUKJ0ryTu -uLRih2sCgYBm15N97b7Rp+aAti045iBla9/KH8z7szczIndpFWR4wjaI9tt0i9GR -OZs7LFq0MYdg8JiXITyVcuqsUbdAP3TvsXGDHdatbDcrXM/DYuP6dPqMuGBKdnEn -gIFT1z8mhv4Im3JKpuckMrIQ5vWhljcRZgiEJYZfEAkLJo7ePG2VzA== +MIIEowIBAAKCAQEA2Hh4gBjWpfQ0+hoAnsHV2uDX/+OmIG4WTZkqYv8x/l5gOyS0 +unqFbebyfyyRB0s5EaBHrabQCC3p7rmpAcmsBKD2YJAmGYCQfaKRhDqFiME4rWhd +GVVfHYjULZ5fq5L8D6cVsm7yMDsEQD1CHp6ED5FYX3fwC2kZfPKRtK3AFtDDEgjb +kMBC8EiCtq0AC7PeEJucjNG2fnaldo50iEoreXaEWeLyGIISTyj6hSm9c1MNbIgg +z3r+N0vsasE44SdM53Kv0IoMksor3Q/KrPCjJGp/lzcfV0o1teGFqdu0VaSHgDZY +pIh4dP0rdJQbEfj/bA6fmL6/lPeRCijoK6mnNwIDAQABAoIBAAutG9rU/CcBcCYZ +ZvUpQW7H9/6uedR/+6X94AJs/3ZYAtrN1Q3F9BKEhYoEjmIVVaO0wIkGWWxHhbnB +u/MDvMqXIBL/U37Gp4SPU0gNnAxPV85KtdLa/wFp0wAO7dwkVoJFoe74+wlM9aK9 +ayaZqEfqsBieMI19Asnxj5huUtEoIiU9ekz6HLeALwy6OxJLrempDugDe2icaWSt +pLIU3ZXmzVbOFLNtq+KMpanQzamAvSTUq5Wmuz+C6nTEv+JjGWFblX8pM2ACA6cV +VouefUFfKpMXjHTlsvw0JiDzLeYRxRZZMxnTxzbnoigZfW6ZDxP2w9KRv/7LuSj/ +ktqfVKkCgYEA8qlkPka0cfIKcjloe6oNEMt0dX6V+5LmS59DRnnhu+6FuIVncS7/ +intBGag603wJvGlA7HuUAZbcr4ilDIe1cUm0d8rftjvw0uOBU/gfNVmxhpFzs8Ku +4Fry6lKow1ecqFQ1i4VZi2qQJVv3m6tRojMTh6xVA9/FLD9iiu3V2dMCgYEA5F6I +HV1sqY2Q8aU48dch+I1ItrqiURwY7qejuIprpXBoRQPQV3OoYgJcKtdlSKrbDGQd +iJmL0aoy/ONThrfOtygQtth/f79ktKZZHja8Ew+0/lzfxMSb69kl6Rxx9OKJILPE +caezhYFGozEKwLddcrqxrSd3Fvz78CVRRiAx2o0CgYEA4g0wh98f24Hpf0zBa2oX +b8zIOWfp2giXply/tBh4U7S4NxN3MHXisaNuGrOf0UEcZLr8MxBP6UcbYB3/+vM0 +8EsD5hBEZKPkDODIqmtazz015jD7QrsaY3/2CJlmA0tLcXe4xbc8mmZzz4mj2Q04 +J8xC5kGAlPJQ4I5PgzJZ4+cCgYAHyqHiPpnCfy3+0KBMwAZMsKVWdq+rDMZc/iM7 +3J0nm9oy4JpvIWcRUPtMCuVNwWaP2aqYSoTWtnPe5PKomgTXgupvEpvnA+SvtS09 +NqjcDaEjPI/16q9XMKV2ep34uPHsx7VgG1SorWx3jOjNAnSRwYTmX35UrnT6EIvh +VJ/e0QKBgCgI41QtJ4ShFxpSdxzy3Gfz/EFTUGIjtmXQe/7GixxoXJkpGXCGhToU +KVF+HUEYKOQ1vX9SNUyY+1LyqO3vj+QzuJ0q4GrtEY7vxDH817QvJLecj5i22Hof +50MqUdow2BnOSFuJvWhR1DdodRX3vh1awod/CoIufnfEI4MuMO6H -----END RSA PRIVATE KEY----- diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.d/certs/sunCert.pem b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.d/certs/sunCert.pem index 9ccd47a2c..a93121da1 100644 --- a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.d/certs/sunCert.pem +++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.d/certs/sunCert.pem @@ -1,28 +1,28 @@ -----BEGIN CERTIFICATE----- -MIIEtjCCA56gAwIBAgIBAjANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ +MIIEtjCCA56gAwIBAgIBBjANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwG -A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTA5MTIyMzEzMzUyMVoXDTE0 -MTIyMjEzMzUyMVowVzELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u +A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTE0MTIyNzA2NDkwMFoXDTE5 +MTIyMTA2NDkwMFowVzELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u Z1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxGzAZBgNVBAMTEnN1bi5zdHJvbmdzd2Fu -Lm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK1HhvoVh/fM14RE -CTXr4to9ZEeGSqHLl5du+eYZl1fC7qLYaCtlaH+eLfDsCgYpe+XsDLHIxpTK9R6k -XgLP1Jraxz3rtv5qJKkV3aDTjQ2d+cFc0EgiZmn53VEmI/IlcJS/VZzHhNvEJk7H -k0YpoazpGPtNzFGaehV5mXUAeVPx4RH8fjcSiPbuPS3WC7cqtYvVwk97dj05VfEC -VnG+90+eFKztvawBzNGwGQ7xZV7kSiPHNyGAV0qrKvhXZ0VPnm/OEiGCAlIo8uno -Yb/4UMM/a5usCaA9Hgbf8+qqmrzavSUkFEa0y/p9bOBHaqfNP002xktbqBCCodRr -6QgmiysCAwEAAaOCAYgwggGEMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1Ud -DgQWBBTaKhy7PH1ihWsD+3/bJQ3e3Isj+DCBjAYDVR0jBIGEMIGBgBQhf6frN9Cj +Lm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAO+7A6hhF+4kxCv5 +oR9DEpv1gnpGmPpn6i7JfuLGIJ9phQ3bUnSMIx8+mp3JE4SLXINLcyCHilK74tIf +pwYx2K0c2txTFIWLQvBaHWohJ9Sgg4ElVXmSa/b0Nym5FcttdcRgNGd/+DLPs9Tw +ZoieGvJcZWiOBP+xxPbEo2xcoi3GetPN+XSW+m1BvU88Ysrp0o+4+rLPB5iipUB1 +Iksb51SvF4iG4BHfoTKGlHLwVyjJnp7YnYJtjY6Xaw1GbCf6wcwLlq71uoMj39cd +0clncpi/s13K2Sh0YHiCcQD5vIkP9BRmobWAXseBZevYI/rU5dz761EqHf72TRrd +bM3/KycCAwEAAaOCAYgwggGEMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1Ud +DgQWBBTPOzV+XXFm2wEX9j+NxqVXiRBq7TCBjAYDVR0jBIGEMIGBgBQhf6frN9Cj Cx+h3EIGHhFfPNIQFKFepFwwWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4 IHN0cm9uZ1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxHjAcBgNVBAMTFXN0cm9uZ1N3 YW4gUkZDMzc3OSBDQYIJAPKv5keyTotGMB0GA1UdEQQWMBSCEnN1bi5zdHJvbmdz d2FuLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATBBBgNVHR8EOjA4MDagNKAyhjBo dHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW5fcmZjMzc3OS5jcmww RQYIKwYBBQUHAQcBAf8ENjA0MBIEAgABMAwDAwAKAgMFAMCoAAIwHgQCAAIwGAMR -AP7AAAAAAAAAAAAAAAAAAAIDAwD+wjANBgkqhkiG9w0BAQsFAAOCAQEAOqdCIldA -mPp2aAWVPBiKXNrk4VJoIGlwZaUtYNxGQ46wUqAro/taKwZd4B1yvwsX/cHX3Y6j -C1mQtiXw9onJm1qJM1a804U9yPcgdI+9RMiU0hA+aVmyMlS6WQsKFubU17qP2Ljd -4hOwVQ681Hi8zfQjJdYpaO1yLcpy2dkotreJS3wA24ssnskRBI/cuAN0dfbV6SDQ -TK91qz0emHoK3efgtvX4oEpsxI4NrwMstaZSVsHn4npKTGYu82dmPoK6WPblGEHZ -Iavl08lGcYBV5I2ZGuWOekWQzUuBSveV3AFjieeaDIG3Ue3AKaihn6dCLz6l+t7E -dXN+1axy9zQ34g== +AP7AAAAAAAAAAAAAAAAAAAIDAwD+wjANBgkqhkiG9w0BAQsFAAOCAQEAgJDWuKCu +7H/K4U7xFRarSKtj9oMAAsq2vLSQqJTUg6fdTnFIlH3OBPcwEzFwVx30QlQyls1p +nHm/cptV/3cxvqCvdnT2dVspJu+9a5D+zZNeLAtWZuyRN6Nlmeqj1Nnp6eEHEBrg +oXMzmAf0ulzIZJsEVYwJSCXm0AMOlyvoIYqKxty3L2VZ1iAU1z15lnFhcvamraGx +k7yaI9ujVR4xQZOOgh05pUrEKaXI3XR1rIoL3NV3ws/JgHch/CQw/If7x4VQmGcD +yJbKkKn0S18TJr0KhPqbM4+inldEwyX/zjGmlHezy0em5qTRYwupFIQNwZZkTXug +NnBR3lf2HB2lWA== -----END CERTIFICATE----- diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.d/private/sunKey.pem b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.d/private/sunKey.pem index 6e047af69..55f5f8037 100644 --- a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.d/private/sunKey.pem +++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/ipsec.d/private/sunKey.pem @@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEowIBAAKCAQEArUeG+hWH98zXhEQJNevi2j1kR4ZKocuXl2755hmXV8Luotho -K2Vof54t8OwKBil75ewMscjGlMr1HqReAs/UmtrHPeu2/mokqRXdoNONDZ35wVzQ -SCJmafndUSYj8iVwlL9VnMeE28QmTseTRimhrOkY+03MUZp6FXmZdQB5U/HhEfx+ -NxKI9u49LdYLtyq1i9XCT3t2PTlV8QJWcb73T54UrO29rAHM0bAZDvFlXuRKI8c3 -IYBXSqsq+FdnRU+eb84SIYICUijy6ehhv/hQwz9rm6wJoD0eBt/z6qqavNq9JSQU -RrTL+n1s4Edqp80/TTbGS1uoEIKh1GvpCCaLKwIDAQABAoIBAHKb86/nm9YPu6B1 -K65phdMZdgFE1oorUenMcid6V7qpaRN2lXfWjAaUxggq5vpqZ9OMjFzu0kHJ99S7 -nJ65fgKqn8vZ42BlLjhUCRH9urb9/Rqi2/RKJHkF1hd9ZZscnlkUMHkRElQVac0D -feqTUKdASdC2BWUYCpW3pwNXO+iD5bA9/wB2J/RYYmm6Qo7UZQU8C0lken/8EOEL -/ch0ID7C5PC0vWvLT0fM9j2JKDq8T6NRhF1MluISGDOp4pW7tEbkHo5I6zD0aPO2 -K9leN3aSUYsOVJk39VXkThwgJ4lqNEXI2xRbtW8sAf7TL1YDxLR2JN3UGvy/By5B -UblJUnECgYEA2nO+iXScKd3qqmHrdXcxf2ExZQr8QgTAsZOkb6LQ9kGQll0lBcFc -T2HlobzOaQktpF44C41zf2QpGDllbpyNT8VyQkI+CJ4pntjtKPkoPkxUeVlciFsm -7THqCGe0zQBWDnXFVfTKR12aRwkhjG+QCQyyaAaV8YztEsDI5SRCjykCgYEAyxAb -t/NTh9DBDrfJCkT21Rm9Ow70vhDaAyQLq3nJMF+BTXYDrnVMmFHCIHd+nbNP0CLs -cV/fWAF6626ko5B6ewPFQ4wXRvtNAiDNZSfeaZgvxCrvoDgVrHWhfwHSXWFqny0o -WHwIJJQvdkLW9BHwbpAQRoD1c2sy7pWIVTEyljMCgYEA0zZXwkUp/FzhWG2moANn -qzZI8N4nOpmnycnrkjiE+6Q27PsQIblrzCDmSnPnyqyiIasrWxgf1Mr95LsR9FmP -U9Ke/6tWmTR7H2e0HgqRO3LHtjCNhBVF1M6O7iN/Lzqk+gQqkUpGDaxVz1rnwgXX -6LgLAwNjFJJiYeBeHRbq98kCgYAwBdg4UbBgf0sY+vftmM+zKAorjGbvCDc25PBp -ljyxVvTSZ+WI/a6mmzdIzFnCW+S1OX0ndt/wBTGXuivvjryYmRSu29OpcscMiMtq -b9pWqKorP2g6QOlHRu5xhfHFKcO4b0qKWpLma7Epy7bgM9njm+htdBQYPrLl37FF -TIRFJwKBgGnZR5rm5iCrcIoAUMlH4/5ye5BPjHDn1NNv7Q7PZR9jhaEuoiBgvk6v -h+YVi9A9nhbaqS4/rumsNPlObeIw78713pendaWCjC4hA0urrJ4fElfuaIyZMyKE -FD64V78iaYVlmwKMJxZUnS1EFzb0XQZM7wxhB/i0wwjh+48rBHbd +MIIEpAIBAAKCAQEA77sDqGEX7iTEK/mhH0MSm/WCekaY+mfqLsl+4sYgn2mFDdtS +dIwjHz6anckThItcg0tzIIeKUrvi0h+nBjHYrRza3FMUhYtC8FodaiEn1KCDgSVV +eZJr9vQ3KbkVy211xGA0Z3/4Ms+z1PBmiJ4a8lxlaI4E/7HE9sSjbFyiLcZ60835 +dJb6bUG9TzxiyunSj7j6ss8HmKKlQHUiSxvnVK8XiIbgEd+hMoaUcvBXKMmentid +gm2NjpdrDUZsJ/rBzAuWrvW6gyPf1x3RyWdymL+zXcrZKHRgeIJxAPm8iQ/0FGah +tYBex4Fl69gj+tTl3PvrUSod/vZNGt1szf8rJwIDAQABAoIBAQDf/YrzXpTva+bn +d7y16wOOORyKh0AUZ9eFk7s8xAZjLEKnqc8nGnEOln39A417AIOWIX8WW85Ac1EB +J5X10ck0JovP5Mh95prK3Egzi3sdzkRQ/MMablb2TUTldQwKIOIyc/lC42zSfQL3 +6Q7Eg4WGAhK2WEwPZNg2AZD4hKz7unK+IAar9uLi39E4iVzDavzwK5y+fsy3HVFD +cJbPWAr4+4teinF5wkRzK7OInwkPc9IrUF/9wp1ZWp/Rc1YEkCVwmu5v7kPzALI0 +SLwYLil8mXfvG0VZjYIlhCSOJJRuw/0JR2cCDJ9WFppK+YKNh+uLoPXhJxbXM8fB +BmCHhpdRAoGBAPpc7DhUQv8mxGCOy9O/ec50GTPj0bWD0WLrJoqvHu+LyN8OwTdG +KMdV4Mp/tpAWbAlKH22/+7P/QCOCwByHQaUisnbkqx+5/JhZsQB7rLAdQ8SHLdj2 +iO2+6cgYPOFm6W4QT7/vl4BHAK4Glw5NPyS5sN9JBTY4bpzFHunsRe27AoGBAPUg +zoUZnZ/6g+8XRSH77aLAbKScMBGusyxfhFAesqaXcrCrg8FG6Wcpuv2HsBE1v0d0 +7/1oJdT+p+uB2V3iZqTOeJeOCVYXgU82NRZl7R8hqYzkD8rFUZVg6hlm2xi+IUpE +ya4itKWIckSvnexEqiBov7k8sPmb7R/7HWGWUOuFAoGADz8PZ5LCDbW3qcWoZfm4 +Gjl5u245PBuN6b82NqXZdW8GyYalf483NoRlTw+d94JWC+7GoTFay6hUqJTyzAn0 +lnDZe2ILhcAWwNRdchEWABeYI+Szhw3kYs4IgJXxRyy0NG6r3J1jlX09bluaYVWU +7dCdE8vnlFi1a7iZXFd2HrcCgYBknEGHqdrjdbw/Hwr2BuQjf91Xtu+X4l+SH+Y7 +yE3FSLX/Q3aBluxntl4Uf2PJvIi0+I8kMGIOyTL827/u4+UDUed3NQop9t3ROEuT +1OP9eiCQPm8o59IzgKK1KF1XC3q4dAFfYslIg/d6r6Ye+pPlV3kRu5Jb8R7jmHsX +uc2ezQKBgQDgouR4ipkb+sQcMKkhzHUEx67aHEVH69v2R9lm8YgPHjvPCA++DgPZ +dwWALnW5wKRfdGy4b1yTIICUgjKIIlD2owJB/J5Z4SzrzbOAEJkNURGAhp6njsf+ +QYRyoXLOb/8jAQqLx9hOB8L2gsRSDddvvYw/DTP2cKM8vJtYFWam+A== -----END RSA PRIVATE KEY----- diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.d/certs/carolCert.pem index 3243bc294..bf8a4919d 100644 --- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.d/certs/carolCert.pem +++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.d/certs/carolCert.pem @@ -1,27 +1,27 @@ -----BEGIN CERTIFICATE----- -MIIEojCCA4qgAwIBAgIBAzANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ +MIIEojCCA4qgAwIBAgIBBzANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwG -A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTA5MTIyMzEzMzYxMloXDTE0 -MTIyMjEzMzYxMlowWTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u +A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTE0MTIyNzA4NTEzMFoXDTE5 +MTIyMTA4NTEzMFowWTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u Z1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxHTAbBgNVBAMUFGNhcm9sQHN0cm9uZ3N3 -YW4ub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArD8OrNy0w+T2 -cru3RQgskGCGppwpvLH/QZVHD/UbumxjKVTrz4FskqN39sFxDFDSre1bps+F7jW/ -zmOFe7c7jmZhK1mPnbviYTS4LXdo1j02pPeBNBk4b6VAIKPaYmO3UIoZZ4SPnnVZ -P7Aj3mU1ztsTbUQqgRmTsdfqiPaBNZ0zylWYPDOkTS+1sbRQHkgdZvw4fYno+Rd+ -hDK1scggL4kRg4uGvFojYciSxo5lC53Am4r8T2zI0aI6L8g57j4cX1XYQwM3tkHM -2BiCRM/c1wQc+vn+xp1oh/GYM4qoSoZyLTD9A0gqmbnF9//wvSmwpDpSkDoHZ5O3 -Ur6HZ8mByQIDAQABo4IBcjCCAW4wCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYD -VR0OBBYEFL9rU6QFDLvUOEIFNZROVYWN5v++MIGMBgNVHSMEgYQwgYGAFCF/p+s3 +YW4ub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsSlxt8LQf1wJ +u1rDltyU0dEjEqA+TxWQYi+gMakDGmWmFec1XELjKv3kcYp2McydNPq63fw9XXbu +a/jMtmEZdFc/dpWYvsyXfyL0OOhh50PlwN++e0xxcZS4NQ6wz57bHgARzMoCisNr +xcN0F44S0Zyn8edHkE4XV4c0p+ojB6cw5LieSMGIBQjKGCd2a3eZYhTCs6hI0vhQ +Q1jDLyOvSWo+raa/uDTBYXCVYdN3lbHCPiXPuMY1CwZkGcANd6vBK5YBNiZFquBj +FhIk8SBUkoEkUQMx+pMk3hGmq5aZXGxm9rHN8Xim/AewWRcKJJKdlLAAHmZD0jx2 +g/E0LGu01wIDAQABo4IBcjCCAW4wCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYD +VR0OBBYEFNs9CUs7SNJewkkfo1Bg7bcUEzPXMIGMBgNVHSMEgYQwgYGAFCF/p+s3 0KMLH6HcQgYeEV880hAUoV6kXDBaMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGlu dXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwGA1UEAxMVc3Ryb25n U3dhbiBSRkMzNzc5IENBggkA8q/mR7JOi0YwHwYDVR0RBBgwFoEUY2Fyb2xAc3Ry b25nc3dhbi5vcmcwQQYDVR0fBDowODA2oDSgMoYwaHR0cDovL2NybC5zdHJvbmdz d2FuLm9yZy9zdHJvbmdzd2FuX3JmYzM3NzkuY3JsMEIGCCsGAQUFBwEHAQH/BDMw MTAUBAIAATAOAwUACgMAAQMFAMCoAGQwGQQCAAIwEwMRAP7AAAAAAAAAAAAAAAAA -ABAwDQYJKoZIhvcNAQELBQADggEBAHhgG8qqLZX3uXDVX9uBZM8jErI78pyL9F8q -ibTW5UPp+rbbMDY7tphBbFkg5Q0pzJhOzB6I6Oy/QWVVEC20DE7lhOpMu7auS3Gn -z1t6DCIDR9NYXtKs6UXcMA0PSQ1r7iHQWvtZ0uD998k6UQfZCCOwBbonng2DAp/m -FKkaCYiZmJw2YBwf+oVNLQp2fHI61uoguiiRQ4AV5Htho0z6MDqpMyrg2F7Uf2cq -kQY/ZyvMe8VG5KuiaMJPIMdJPnRED2R4qiyHe8eDXgGYHsNhkt7VHRRgo3izqIdG -1oCv+CHQ2XSK+4dA42U0Vw7V/ExmcLy99bZfCEZwNWG6Y/5Qwww= +ABAwDQYJKoZIhvcNAQELBQADggEBAEYqXkheXXHiC5JnrZm5QUo11Vu4CtNRGeg0 +atuG8ZNHgQfa7wjjeCDNpj3lHvyegYsSMo7wGwN7DugH0mmXKZF9XHc4sU7/aUvl +mX52tDuUoCGD0/yFuKLlYOfwmsquC9snYDW7cJXaqMON/OMLcU44OR8E1oiw2ePT +FqyGFbfparp+Q8I7VHwJBs+mDphdNUlFbpuO9m2eEtqdYVyXlfUnbFpMMyWxxIY/ +6CIyWcRRKeWRRXxkk/dSeEWgsfWY7ITK9blP5nhIsgpCoEguGc6h4RL65VdH+Sy0 +9MLpesyGe6qkdrrg4nyaY82uuFXhUo0YiP0ddUw8eNaefFqEzL0= -----END CERTIFICATE----- diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.d/private/carolKey.pem index 275162721..a75622149 100644 --- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.d/private/carolKey.pem +++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/ipsec.d/private/carolKey.pem @@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEowIBAAKCAQEArD8OrNy0w+T2cru3RQgskGCGppwpvLH/QZVHD/UbumxjKVTr -z4FskqN39sFxDFDSre1bps+F7jW/zmOFe7c7jmZhK1mPnbviYTS4LXdo1j02pPeB -NBk4b6VAIKPaYmO3UIoZZ4SPnnVZP7Aj3mU1ztsTbUQqgRmTsdfqiPaBNZ0zylWY -PDOkTS+1sbRQHkgdZvw4fYno+Rd+hDK1scggL4kRg4uGvFojYciSxo5lC53Am4r8 -T2zI0aI6L8g57j4cX1XYQwM3tkHM2BiCRM/c1wQc+vn+xp1oh/GYM4qoSoZyLTD9 -A0gqmbnF9//wvSmwpDpSkDoHZ5O3Ur6HZ8mByQIDAQABAoIBAQCSb+WlFtpjtPPF -JUwxVzqz4Cx510gwkU+GzUemDGdvfZhsWjNEri7FGE70LQ9UPh5vGd2SmtmtZGrW -J4wjWus6LFYuCa1sl4BlzfFLTjqF8XLUm0twJITzfhVf6o3OmiIOSepBNNT5DaE7 -4R8NgxRU8bG5cnuEWF9VklBl8tR04/VHIfTHltt1p69aQ6UoECBLd+/8RBIj+L/P -TzXbgLJn7dT8DrOA9rv1p0G1reADwvclKfag4S/xyC54anRsmMNWQLE0D+QzKL29 -nXqU1wjIHBtgY7uM0svtyrMXiNi0XEBWqDdOMwCZ66TU6eGIzDDevG+q8PXmuW6v -NGxoipcRAoGBANJy4uNj2SnMTdIyoe0wFjmjntKb7DX2Ie0aZr3kygQ7VJUH6w7Z -mZXNhRf8CpaD20lnyqRjhgq1gwOrLZWpAajNPJ6uCHUVSI8+qwdMVdPSZyxRlal9 -gshsGofkiqEGa/5BW4+yDgi1C4BV+lmN8jn4ilKe4JvFGuz+F31ntDXlAoGBANGH -WKCq4u9MCxM2R2ESKkLM+vlTxRB4meMt6iPn9e0yJ1BVXTILRp7hfUwKc4ivI/SO -rc4UA3I5i6QR7TVPOVreqw/CDEmjQLhTSOWY3lHbNz1q53p8Yh6JdytaA4YYgm+I -pFL+Hh/UpPEAY1ZzsSP7KhBd7ViKblz7/Act614VAoGAXTkFJqNpZGmbI3zIXBBM -GBZR2Yu2dCTm3GgwkPfTQVKi4i2Sw45Cyagzx+8fJZOdRQQUMQPhMcc8FRjz5XLr -SEI6EzSWjH70GHgzPNVkw6NVjr1JJb5ye6PfkMj9W91DY2rCS4IdU2AXiy8K6jbF -0UY2x+iXKImEpuzbrPKOUr0CgYB1lHdGyj7JPKomYNpTfecbT34zdi/rG1J4Kybu -eVgHgJKRQSYoVC2QMUen6WGGPYp2za55K7/3VJWpP6oWtVuhQ71I/YL5u9Qw3APX -XB6+Xr80Bw7ZLH2/VzL5r+y0ToK75jkYnaP4BtN8rtQQCqJIZ8TmJF9xxVVDduCq -grlHNQKBgF06eOplOy8W7euuhvEfoxv05ZVjcFv3bFzlYPb0fBfq4Ziw97SzidH9 -Wbq3gujut9gJCKZT6BJfZtqrPeVhWp+S2SD3bDCsjNZLRBEdzdyRB5CpmDE5OQBH -EtzpR4nQa/2RJ7wRP/306PE1sQPtTpNvGIgBIUxWvt5gzyVhO1sG +MIIEpAIBAAKCAQEAsSlxt8LQf1wJu1rDltyU0dEjEqA+TxWQYi+gMakDGmWmFec1 +XELjKv3kcYp2McydNPq63fw9XXbua/jMtmEZdFc/dpWYvsyXfyL0OOhh50PlwN++ +e0xxcZS4NQ6wz57bHgARzMoCisNrxcN0F44S0Zyn8edHkE4XV4c0p+ojB6cw5Lie +SMGIBQjKGCd2a3eZYhTCs6hI0vhQQ1jDLyOvSWo+raa/uDTBYXCVYdN3lbHCPiXP +uMY1CwZkGcANd6vBK5YBNiZFquBjFhIk8SBUkoEkUQMx+pMk3hGmq5aZXGxm9rHN +8Xim/AewWRcKJJKdlLAAHmZD0jx2g/E0LGu01wIDAQABAoIBAQCKdl7HhX5ZHAEL +KjwVq56wgekMhKtOOgdXheuJBJRFTE7LbaI50pkjn72ss8/+yfHQV2o3Vw5K/0oG +nzS4EhnH4Ozb7L2t2c9J8XK5C36BNoLaBMUmLq+3WsnBxhKQopKU1u8ShIwKEgQo +U8NnKYYxx2NHYECBW1dI9IZF+muYbVg420PJ4DiFMSTy5+o+UsI8X0ymV2RYZAfg +qO8WgQYHZca2ffJ4rJHi8wf4IzaH//65vP+Ij7FGzfXmBd3A9F1wP7skBYZRYPp6 +MtZ5cxfNUwkGtkmt1KaEnsmg4F1/jaB0h5+xT4pj6NqaatvoKZ5zd8zpcGktuptO +zhTa63hpAoGBAOkxtwWaJAHj1GH1CzIkCP4siySSgphtcjP96XdcIaTuGx8gp/YU +0Bj3irK3KpVNrcLgc8KzylfMiAETMlRnEb28wSfqkegCR4Lrrsw3YjEAcVPC9Vtb +/wQHc9wUGCt0OUv7EE7alB/cKnjTQzF6ZgTGTUhGv4CuL6XjhEzqiA0bAoGBAMJ8 +5V/wjaDkRDHRtaDI7xX2j4uPE7FoQYCSVtKOil3rmIrmgBCXTtWB8EQ9o3Ux6sOl +lmA3sSF1ajyPu8e2+QhQF9wAF5mvN80aPj0KXKCv6Qx/H6Tjpg3eqVr6rucOyH58 +gKnuo1YISFcjcMkNEOZy6//7SkmAAN/p0Dgk6h71AoGAVKSC9jmY0EbOFDBJvA1w +ZjHs331+ga1YQp7rWzPJ0n/KwGWuEZhEYIuZgH0Tq9XiOFYYLpfr3iqTQzCgmBpB +Skl1IvP1uez53/+EFwQTVA4BFJIzVNHzopbB6yQwEbXCBl4+8SBNm7Lih7DHNvJi +jWEdNBrZ7+9JxEDtCK4oa/kCgYBbaHwd9V97aQ2sJJYq9YV5WyLoQtzMmuV+Wkk4 +OQpLTjmpvuAd7B9/Nc0JJbc3k7h1L9RXcJVt1lOSFzP4j8TH5WzxV5HAB5xAZ78s +zTvvwf3Ug8MJqn0XM7mBKyUdL9OHr1iBhcl62/W0DtIpjFyPEyBcdWza0rCWjLvy +R1dKKQKBgQCKTLKYv0c1h2e5i4mNCGWhR83x+k1ChZZLwoEC9f65tjrbOG0UEHAn +oz9N0m6jCQvnzvN8cHgFl8yoWmnOjEnsSDFQlIRvAXGzHd4ahMB+75WbLi31H2bv +XvZyakeTVfoOVArNUwLSHozr0VIUjnRirLht939dlFj4FLih/igWFA== -----END RSA PRIVATE KEY----- diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.d/certs/daveCert.pem index dffbc67e9..88ce01ed5 100644 --- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.d/certs/daveCert.pem +++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.d/certs/daveCert.pem @@ -1,27 +1,27 @@ -----BEGIN CERTIFICATE----- -MIIEoDCCA4igAwIBAgIBBDANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ +MIIEoDCCA4igAwIBAgIBCDANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwG -A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTA5MTIyMzEzMzczNloXDTE0 -MTIyMjEzMzczNlowWDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u +A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTE0MTIyNzA4NTQ1N1oXDTE5 +MTIyMTA4NTQ1N1owWDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u Z1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxHDAaBgNVBAMUE2RhdmVAc3Ryb25nc3dh -bi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDPLwvUPUNIZnbX -eyz8U0COp5RM7ZLFT2iJmSGxznZ30phUNHSy3WX9V8h2kQ2fBks2x0KYWEg8Lh2y -ggZipePRpuHRnZlcll5/HY/YOUgdV2GE6euNiWKcDB6uE51sxZ+on5KasI9EJMdp -hJpytYUFjx6pExsoqWMQLigrT6A4bYogkweOZHiUyHiqgtUQcHnmmKwxgeUAkZCb -00dk7CYnXNQZ1uHj/08TDwrS37SGXfWEIcBGEx/awqlF+s2HTI6zw7NC2HhQsiSp -Yo1nz8TBr/8XnO9KyYUg04TMkcQqBFDt/qiUswLRLapn9HSyd43BxaF+YuvJ1+ip -M4G05K1nAgMBAAGjggFxMIIBbTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNV -HQ4EFgQUJ/+79KP+Ea9vdAIMkUYx++cu6R0wgYwGA1UdIwSBhDCBgYAUIX+n6zfQ +bi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDpJKRQ2CEG39rO +8nX7RpY+Ed5tyx+rkug3HrSInie+fgkDnLES2U1X3wvM2OczLp6L1ccROv+SzEW+ +OKfCZSz7T4GLwaRodi9KtHvfOCsbDx/vkFFwui2yt9rVUSpcbk1OiVQsA9R0G6vz +eqFIL9GtrtHWQ+dkvWy61i2A+T1X2QfhVfzvj5msL3CuZU6fnwGYD4LZz8RUGlB4 +WkSFWCctfQfgK+lpfuzq6OFFkARzxZ55D0MzgAvXY6osS8gMdiSD50Zlik7qZVvn +RO0j6TOg0WKinzguAokAyDCsaoqsOvi27QalfH48PUM+aUzHNCKnD6pswebHou3m +mvG3rH+9AgMBAAGjggFxMIIBbTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNV +HQ4EFgQUsBjPeVTm7TUTaXtmfv09yQS2mV8wgYwGA1UdIwSBhDCBgYAUIX+n6zfQ owsfodxCBh4RXzzSEBShXqRcMFoxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51 eCBzdHJvbmdTd2FuMRAwDgYDVQQLEwdSRkMzNzc5MR4wHAYDVQQDExVzdHJvbmdT d2FuIFJGQzM3NzkgQ0GCCQDyr+ZHsk6LRjAeBgNVHREEFzAVgRNkYXZlQHN0cm9u Z3N3YW4ub3JnMEEGA1UdHwQ6MDgwNqA0oDKGMGh0dHA6Ly9jcmwuc3Ryb25nc3dh bi5vcmcvc3Ryb25nc3dhbl9yZmMzNzc5LmNybDBCBggrBgEFBQcBBwEB/wQzMDEw FAQCAAEwDgMFAAoDAAIDBQDAqADIMBkEAgACMBMDEQD+wAAAAAAAAAAAAAAAAAAg -MA0GCSqGSIb3DQEBCwUAA4IBAQBlOlqceKqgr0putV9fUf2vekg5QtZGDtHFUOTH -0gDIe2DJ60bWY5IXpjj2KtzRdoP448fpPaprrh8VEljWoVvAF8LaePKGggqwcG+D -Z7ioDYlnV1j+/NnbZGM/hPqa841dh5jesTuTAF2giMod6P6eMiiRcnl9X3ltgSWp -Ahk5C8CNYw+sISJcCHtFQHdKOM4QN7wAWksvpjMWkSDQgf/rnDUgW8DXAwX/9K4V -G2etJ6/8drpjB115p6h+GYz8xFG28/MSf9BqNX03dBs5oyko2+FgSrb3ACK+pAO4 -Cpi2NKZfUH+M7Loo4baI+f5iavpDjDfar8KTiV610DAp0W2S +MA0GCSqGSIb3DQEBCwUAA4IBAQCNyAyUvqeCgWnPEMkfFFb1kBbd3me3aLRxXFb4 +TY44L6SBiFNy1s3UyFCLw1xXnSMgTpvZqHmB7fnzX7Aj6BNkPFIThEiHYN85ai4t +U9bO2nqwXfIINFt2Qlokd0QWHzDsL/o9Mmqs38ymlfIbsgwh7gCZ2HhGlOb7+QNU +IaDVIcKqBr07wX7qO/fEjKgFSkUT5eFNwQmyT3zUaE1PixK5w1hRxvs/KAsLgbfe +5ofLD88rfxvkqLwhRNU8PUzqIpqxfV1P+wS/k78z0tG+JI8yeEkcksuj9UOzlTr2 +jWL1QoxUEinR3N4dTqsW4u/Jz7R4MHdO+l9RoYZpQA8LV8s3 -----END CERTIFICATE----- diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.d/private/daveKey.pem index e79cbdd9f..f72970c4d 100644 --- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.d/private/daveKey.pem +++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/ipsec.d/private/daveKey.pem @@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEpAIBAAKCAQEAzy8L1D1DSGZ213ss/FNAjqeUTO2SxU9oiZkhsc52d9KYVDR0 -st1l/VfIdpENnwZLNsdCmFhIPC4dsoIGYqXj0abh0Z2ZXJZefx2P2DlIHVdhhOnr -jYlinAwerhOdbMWfqJ+SmrCPRCTHaYSacrWFBY8eqRMbKKljEC4oK0+gOG2KIJMH -jmR4lMh4qoLVEHB55pisMYHlAJGQm9NHZOwmJ1zUGdbh4/9PEw8K0t+0hl31hCHA -RhMf2sKpRfrNh0yOs8OzQth4ULIkqWKNZ8/Ewa//F5zvSsmFINOEzJHEKgRQ7f6o -lLMC0S2qZ/R0sneNwcWhfmLrydfoqTOBtOStZwIDAQABAoIBAQCW49qnnl6MMiPH -V6wxsKhJvP6i8Dt+fBDUdbQ2fPmG1teeK/357ojC89XJlGbpNHo+0OxNa65gNe3m -/g+MdOjw3auFMFRrPBBiX7NNdJpy1Brv5DVrhW1N3P3TJfH3MA7RjjYFdyVAKdEZ -pjud41mX7N4VoRacjJDbTeJveLRlowB2gPcxhNZlF6gPP1ZaHwR/b1+0qOTcsxj3 -hqC7zdmMM8UGQ38S3ba7dldlCVAvJgylRX+LPTx5x32wMntaSmBy0cdRqfHtznij -MZQnJiUuAvlQyjCbt0j7jycBZrMfgS+hESHaUG7wdJUraL40hlX2L4RfIyMtriwB -9Xe5fVABAoGBAP3Bphf6k/QxbCrVyyw3Q13MMug63bj3mqhjwOJUoEu+3O4+5Qcw -bIKEOxDFy82lwVHEnYU2tyxVcLBoXP0kMVkrWQIuDSPrneSQxIO1npBZTvBIvWSr -Yh3kJa15zlF4JxljwXfjLskInRlL45gBiG8FbSuDtXTxPJBtlrIHE0lnAoGBANED -/Ct5cocPPTYDGq7FxkGEOFoZM1OTsnL68NmcOhp69uWOAgNCIZEifYBz/SSx1ISJ -QjDdie3BQ0zp2CZe5Fujtz0oT4VPsrJUcND6fZnG79aA2P2S4tXOdVbElB4fOWuT -Sd1WOmgOFAn+B907PsP2BEh2BPO2/eqy3hN38PwBAoGAZzAJ9JJG+/PlAn4xwmcu -k8Pnp5vYcdDuKS93ThIPpP2WJaOZypSca26N/kIQoC2ZMUD8tSEM15Be5L1rotzG -3HXOGh7T5Rl4+WsNHmoKcrR+byOFMJyop3MRBzwS8/oiHCb+k1vkuIcyKwk7IaLt -8geI3zsN3OIEOM73iqlp5F0CgYBbSWFGX4l8oVQ7lcl+kZRQIv41o5H+K6ChhSXR -9OCPlirlAUuxvp1IdQbZJk9mSmCl7gjBrNBDzcel/O/RelpEB9HM3SE1+SPzrNuE -+hIHKpKvXaDnxtJZTQ2EcuC58ysx56c4CyQBNDzeTFuE7Q4xqe4e86SgCMkHS02g -tR7EAQKBgQCRoTsOFcCK2jXBhfcuwcrnrTJmf6LFxW08Mfl9qxKUjz20bx6jgv7f -TrRUHavmVrrGkAc6eTtoa+2cC5ffSBWHeCD48omb+DZGPF54UbEYyRUb5umKbfI3 -M3WiHTTpeTOx2MmPwiAHhPuaWMV9jWkRG01+wIX4HybGYeEAVHE9lg== +MIIEpAIBAAKCAQEA6SSkUNghBt/azvJ1+0aWPhHebcsfq5LoNx60iJ4nvn4JA5yx +EtlNV98LzNjnMy6ei9XHETr/ksxFvjinwmUs+0+Bi8GkaHYvSrR73zgrGw8f75BR +cLotsrfa1VEqXG5NTolULAPUdBur83qhSC/Rra7R1kPnZL1sutYtgPk9V9kH4VX8 +74+ZrC9wrmVOn58BmA+C2c/EVBpQeFpEhVgnLX0H4CvpaX7s6ujhRZAEc8WeeQ9D +M4AL12OqLEvIDHYkg+dGZYpO6mVb50TtI+kzoNFiop84LgKJAMgwrGqKrDr4tu0G +pXx+PD1DPmlMxzQipw+qbMHmx6Lt5prxt6x/vQIDAQABAoIBAB6pVf7X3cgUqqcq +1f9c8idpnDIeU6Tx5h5RqHaLLjjsRG04L0WGVJio2dlv8UAW8nz7eXm3o6L/wHBa +7R0wxzCp7SSfK+sdF+0gPWZG8cxWOeH8vekwYxAtA9eoHAUZ8IrSnsJHIqq+dOfJ +iep/d3j7E9e1CHqEOwd7YXKj1MB3p0Ivhyx0k9GvlbAKRiJPGhbxD+hu86lRMsEt +su6eG5JlvKyBAgNIcx29UITj5k8MbK2MeuCIZfry0yOaOsGkQkjAtyaiTIw8g2IQ +AhuuCLqVYtkpMiIfryV74b+CtQMQoU0z2Z74SZ4hJWFlbeG4Vtzq1HeDf4y1S3mm +B1Mx7CECgYEA9IKw6Fh7SBmJa5jPw7Uttvm2iDslsOR3nrPNOfMWwSK3i0j4OCIE +kCqKnJJfj2JeBupfHrIJzJ2+otGauxQt3I65VOo0PwQBb90xIHAiXdsYoXadB6MC +XUo0zKrDWC0EVyVwN+nyaCJVwsKm4XomHgSvitUSNA0dSTATfPXwQJkCgYEA9Bk1 +VN2KG6Bjcm2ISls+OOKgp2kG68ayG4ZXg+xt06+qsYq0+BwCrottQpXFpMVJbE/z +/6U294PBqJ9Z7LATptMzWhTKyO0pGBHvy8LUz/3qBF7yJFN2s+QbmKf4RIhfSDNU +CD2bPI17Kgj3sipEcbiwz9U6wpzp+IDnAfPdWsUCgYBl/5ri4f5TnmuIGhAZuRvf +552wiNP5TeVkq+bh1LlaSiw9C2yYpgA3T7fRBvKcMtG8msqhWG3kEK305/FfN1TG +XDeN58FxxC8BRkl3GbAMbRiCSqPJCsQyvID4HAgvYWAdJn4ApTQ9Io2aGG9bQgRi +o1vDU40rb4kW/dozV7koiQKBgQDoQgwiweElREkbmejyhzr/OXQPlrmFIjxaQEuJ +NS+TGjTaVda3tT9AAV5m2seCbk3ch37tIrDYdj+QSH9x3F/2fkMAVYRWBoLxai+2 +u51ugnVmz0irE9eAd21ipYBvBStUMbKlXKkWxrAIYRv+JIWXh1qFhqgwgMmHMG+d +xgI62QKBgQC2WYhZvLGrJ5g9G8E9pqOAz0FlxBqbPXJDe9n4Il8huF/+i678covC +dtbo1il8qcs0Lmm8M6vj78Meh+k4L0y7YAjUsaLpQ9rwNaZMHP+GyZWE5ygmtNhE +DP13WKX5SEbDZbClEgX+gHRmywC5m6hDSx21iekhbTfnUm2FQTA83w== -----END RSA PRIVATE KEY----- diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.d/certs/moonCert.pem index 7f5f8d703..124e2ae46 100644 --- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.d/certs/moonCert.pem +++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.d/certs/moonCert.pem @@ -1,28 +1,28 @@ -----BEGIN CERTIFICATE----- -MIIEuDCCA6CgAwIBAgIBATANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ +MIIEuDCCA6CgAwIBAgIBBTANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJDSDEZ MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEQMA4GA1UECxMHUkZDMzc3OTEeMBwG -A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTA5MTIyMzEzMzM1NloXDTE0 -MTIyMjEzMzM1NlowWDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u +A1UEAxMVc3Ryb25nU3dhbiBSRkMzNzc5IENBMB4XDTE0MTIyNzA2NDU0MloXDTE5 +MTIyMTA2NDU0MlowWDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u Z1N3YW4xEDAOBgNVBAsTB1JGQzM3NzkxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dh -bi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDTKaLLTmKX45Qm -RjIaBSxBwofzqqkZWtl1mu0cDp6rGWr//hC31OO9MbLeRZBX0UBtuKouceAjdrwG -aK7ChR0Ft+qlLZ6Z9BH2Dna4vTdESsB3Sn+uXuU4WNdwmmJuRBXfl/7h/Rt+34Cs -BP82/RtR4GVpS7u73iSLlN4RaeWdySTqhtYH4cKt1H9MiSbwwomwdLedQo3UoOeU -lkWPrzFKT3gzU4vHr1sgpbF54o/iBr5/YyJpUT9UVeDTffAEMxnAe8/Q/a3pgSLO -wJ3HnSvcSH0w8zuH1YXOtfmqsphkwVBJGiLzUHWlYxVIAoCKdrv4eoSJLqlL5b51 -vGkmL83RAgMBAAGjggGJMIIBhTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNV -HQ4EFgQU5zzmRRlKa8+cm1g4RYg4lKNkQz4wgYwGA1UdIwSBhDCBgYAUIX+n6zfQ +bi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDYeHiAGNal9DT6 +GgCewdXa4Nf/46YgbhZNmSpi/zH+XmA7JLS6eoVt5vJ/LJEHSzkRoEetptAILenu +uakByawEoPZgkCYZgJB9opGEOoWIwTitaF0ZVV8diNQtnl+rkvwPpxWybvIwOwRA +PUIenoQPkVhfd/ALaRl88pG0rcAW0MMSCNuQwELwSIK2rQALs94Qm5yM0bZ+dqV2 +jnSISit5doRZ4vIYghJPKPqFKb1zUw1siCDPev43S+xqwTjhJ0zncq/QigySyivd +D8qs8KMkan+XNx9XSjW14YWp27RVpIeANlikiHh0/St0lBsR+P9sDp+Yvr+U95EK +KOgrqac3AgMBAAGjggGJMIIBhTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNV +HQ4EFgQUQcvdnqQfLJx2utB9szVLhZCmp84wgYwGA1UdIwSBhDCBgYAUIX+n6zfQ owsfodxCBh4RXzzSEBShXqRcMFoxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51 eCBzdHJvbmdTd2FuMRAwDgYDVQQLEwdSRkMzNzc5MR4wHAYDVQQDExVzdHJvbmdT d2FuIFJGQzM3NzkgQ0GCCQDyr+ZHsk6LRjAeBgNVHREEFzAVghNtb29uLnN0cm9u Z3N3YW4ub3JnMBMGA1UdJQQMMAoGCCsGAQUFBwMBMEEGA1UdHwQ6MDgwNqA0oDKG MGh0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbl9yZmMzNzc5LmNy bDBFBggrBgEFBQcBBwEB/wQ2MDQwEgQCAAEwDAMDAAoBAwUAwKgAATAeBAIAAjAY -AxEA/sAAAAAAAAAAAAAAAAAAAQMDAP7BMA0GCSqGSIb3DQEBCwUAA4IBAQBVFKeX -QIH5Zk0dp/7u/V0TKqu5vZ9x6ZrshAZ9nzbLgmSP+++yDXmlQe0D0i2Men4D095S -smFqw1nMWM5oEPpP58+jhCOHzn7InMp+SRRBkX2j06wT9qbynAHiIun/qcdq13w1 -Fs0PiKVQZbbz72mwl9J3Hkj/JkLtOX00wMPqIFU6veeagGiwOW7KkehFUVqoD9+O -vgkHnUti2XzgskEGcEWmE1EYv7Qo0OdZB15oNoUV5i8WelfmWO+nz9/QKciATNoC -kAUVcEV9XY9sSKjazdyG6QfEd3l6lQ+KAt8MnqA89i0yIQ1lg+3Jfe67SMvM1gy6 -Y0Y2hqCja6SsIjVc +AxEA/sAAAAAAAAAAAAAAAAAAAQMDAP7BMA0GCSqGSIb3DQEBCwUAA4IBAQAi0XQL +aEHg8aXBiXSTHuvxDieJB3Q83kpXOry16Ij5PKx9cdM2Gtmxz8YkwPEgq0r7vWNo +830A4CnOJszQyIpY7CIygPj1wy3kFGGPkL7R4p00qSKpCEg8Fq85R4LmiyXIEZ+5 +lUtan7xka4ySMKKocm2rbXHyHXjis8AzU7NZN5QpEMkGLTaQPwHad4FUBFOolNE2 +NLoQ3xp9NPTyqfy1CkCHcyG18yRPciU4m8Cubyb+zBHyBADm9Q0P3++vznsU8LrR +pzjRqS0e+FD2bzdXH/2g7Ge8+b6xzWRVMxZ8e2f5O9jQUY6q4SicuAX8SM/bgDPu +Mc/lk4Nl8pHRO+Xm -----END CERTIFICATE----- diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.d/private/moonKey.pem index 8295f97c1..11607c8cb 100644 --- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.d/private/moonKey.pem +++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/ipsec.d/private/moonKey.pem @@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEpAIBAAKCAQEA0ymiy05il+OUJkYyGgUsQcKH86qpGVrZdZrtHA6eqxlq//4Q -t9TjvTGy3kWQV9FAbbiqLnHgI3a8BmiuwoUdBbfqpS2emfQR9g52uL03RErAd0p/ -rl7lOFjXcJpibkQV35f+4f0bft+ArAT/Nv0bUeBlaUu7u94ki5TeEWnlnckk6obW -B+HCrdR/TIkm8MKJsHS3nUKN1KDnlJZFj68xSk94M1OLx69bIKWxeeKP4ga+f2Mi -aVE/VFXg033wBDMZwHvP0P2t6YEizsCdx50r3Eh9MPM7h9WFzrX5qrKYZMFQSRoi -81B1pWMVSAKAina7+HqEiS6pS+W+dbxpJi/N0QIDAQABAoIBAQCSHbx1XB8jJSot -teMTWEMAmgCDHrN2RQQ2ueaaxI8MrED7NK4S1rBkCVDRN2ejLLudcOvpyYikYZPI -B4XuOjgT7ejjNYcK1vXawrVqLhxhGCzIHvftC+MnM2qYk2vLCzfriXyomgD9sOCT -p72GKmxOIq1pyCr228eEApYLjLCDlhso3PrCo7recUq7f56rLjvb4gfcfor6mJUd -yIppZUnDFJnsRXup1G4L9Y9RNYtlkcDqem/Q49d5+AHCYH6R8YI0Iz3JnzZjalsq -+IA6RJqHBTeOpiyCmHlUmVE/3YUm8n7w7RRngMOLjKdiTKHT+8EcHmyUorqW3Yea -zCIe5C6FAoGBAO23egrSbamyWXcIOqx1GX9gzYmQ2nSKYUtRhsE8eNErw0zp4FKv -AA7CAmoWEzjDJPSkUzDAajoZiH8+DIZ4IkwKbYjtq0vr1yCbx/PBKVN/JHGZ/Ao/ -dc/lQrNseza34NBrREN/gUytjefFMJ4YStSZCMuy3gP1Fqk6YCy/dObbAoGBAONn -UqjmZYqoK0+jnGWdPOtXZ4bu8UoHc8/1MaVn3pq8bYh3PayFKpDKtcD1ZeXHCxL2 -1Y+Eid/DoZ2/RZbxT2mhi2mVZZCWc0xuML3Vz0B9bqi3ZfRLVP2u87fn//mGrD+9 -yy9PeIBv8UvjOhev6hZDBhPAVMsyjiw+wSX6kW/DAoGBAMBcrbSeLcGZok3xadFu -fPCXvBtrDWwrIqpZUauDLN1PBZ5yz2T5WhmXI28HaAyR1ZDmfK9BtXRIfy1AX9Bc -3JweAB9C/E/Wi+JGTVrR34hCpZIMImmEiuhtxDj/OwG/cHwXoUjhoBcVhnScHEiC -reM152k21/Pp26mbpIHxeD7rAoGAaRy4S5P7uaTUKEKzJxEQOKQ1GVzXMWXSdXyb -zx38+j9AzgR4AIepTjY03xVPXW+swb5Qpr8Xz9Oon7bq3sN59pSSUWKaCMRSVTDV -3Nm4q9GO1fO377zmc0BsLUTSwC8s7WW4Ro0QYSXdPjuw/YP1ywZ+B6EuUKJ0ryTu -uLRih2sCgYBm15N97b7Rp+aAti045iBla9/KH8z7szczIndpFWR4wjaI9tt0i9GR -OZs7LFq0MYdg8JiXITyVcuqsUbdAP3TvsXGDHdatbDcrXM/DYuP6dPqMuGBKdnEn -gIFT1z8mhv4Im3JKpuckMrIQ5vWhljcRZgiEJYZfEAkLJo7ePG2VzA== +MIIEowIBAAKCAQEA2Hh4gBjWpfQ0+hoAnsHV2uDX/+OmIG4WTZkqYv8x/l5gOyS0 +unqFbebyfyyRB0s5EaBHrabQCC3p7rmpAcmsBKD2YJAmGYCQfaKRhDqFiME4rWhd +GVVfHYjULZ5fq5L8D6cVsm7yMDsEQD1CHp6ED5FYX3fwC2kZfPKRtK3AFtDDEgjb +kMBC8EiCtq0AC7PeEJucjNG2fnaldo50iEoreXaEWeLyGIISTyj6hSm9c1MNbIgg +z3r+N0vsasE44SdM53Kv0IoMksor3Q/KrPCjJGp/lzcfV0o1teGFqdu0VaSHgDZY +pIh4dP0rdJQbEfj/bA6fmL6/lPeRCijoK6mnNwIDAQABAoIBAAutG9rU/CcBcCYZ +ZvUpQW7H9/6uedR/+6X94AJs/3ZYAtrN1Q3F9BKEhYoEjmIVVaO0wIkGWWxHhbnB +u/MDvMqXIBL/U37Gp4SPU0gNnAxPV85KtdLa/wFp0wAO7dwkVoJFoe74+wlM9aK9 +ayaZqEfqsBieMI19Asnxj5huUtEoIiU9ekz6HLeALwy6OxJLrempDugDe2icaWSt +pLIU3ZXmzVbOFLNtq+KMpanQzamAvSTUq5Wmuz+C6nTEv+JjGWFblX8pM2ACA6cV +VouefUFfKpMXjHTlsvw0JiDzLeYRxRZZMxnTxzbnoigZfW6ZDxP2w9KRv/7LuSj/ +ktqfVKkCgYEA8qlkPka0cfIKcjloe6oNEMt0dX6V+5LmS59DRnnhu+6FuIVncS7/ +intBGag603wJvGlA7HuUAZbcr4ilDIe1cUm0d8rftjvw0uOBU/gfNVmxhpFzs8Ku +4Fry6lKow1ecqFQ1i4VZi2qQJVv3m6tRojMTh6xVA9/FLD9iiu3V2dMCgYEA5F6I +HV1sqY2Q8aU48dch+I1ItrqiURwY7qejuIprpXBoRQPQV3OoYgJcKtdlSKrbDGQd +iJmL0aoy/ONThrfOtygQtth/f79ktKZZHja8Ew+0/lzfxMSb69kl6Rxx9OKJILPE +caezhYFGozEKwLddcrqxrSd3Fvz78CVRRiAx2o0CgYEA4g0wh98f24Hpf0zBa2oX +b8zIOWfp2giXply/tBh4U7S4NxN3MHXisaNuGrOf0UEcZLr8MxBP6UcbYB3/+vM0 +8EsD5hBEZKPkDODIqmtazz015jD7QrsaY3/2CJlmA0tLcXe4xbc8mmZzz4mj2Q04 +J8xC5kGAlPJQ4I5PgzJZ4+cCgYAHyqHiPpnCfy3+0KBMwAZMsKVWdq+rDMZc/iM7 +3J0nm9oy4JpvIWcRUPtMCuVNwWaP2aqYSoTWtnPe5PKomgTXgupvEpvnA+SvtS09 +NqjcDaEjPI/16q9XMKV2ep34uPHsx7VgG1SorWx3jOjNAnSRwYTmX35UrnT6EIvh +VJ/e0QKBgCgI41QtJ4ShFxpSdxzy3Gfz/EFTUGIjtmXQe/7GixxoXJkpGXCGhToU +KVF+HUEYKOQ1vX9SNUyY+1LyqO3vj+QzuJ0q4GrtEY7vxDH817QvJLecj5i22Hof +50MqUdow2BnOSFuJvWhR1DdodRX3vh1awod/CoIufnfEI4MuMO6H -----END RSA PRIVATE KEY----- diff --git a/testing/tests/libipsec/host2host-cert/hosts/moon/etc/updown b/testing/tests/libipsec/host2host-cert/hosts/moon/etc/updown index aea6d8555..7c510261d 100755 --- a/testing/tests/libipsec/host2host-cert/hosts/moon/etc/updown +++ b/testing/tests/libipsec/host2host-cert/hosts/moon/etc/updown @@ -1,5 +1,5 @@ -#! /bin/sh -# iproute2 version, default updown script +#!/bin/sh +# default updown script # # Copyright (C) 2003-2004 Nigel Meteringham # Copyright (C) 2003-2004 Tuomo Soini @@ -22,8 +22,6 @@ # that, and use the (left/right)updown parameters in ipsec.conf to make # strongSwan use yours instead of this default one. -# things that this script gets (from ipsec_pluto(8) man page) -# # PLUTO_VERSION # indicates what version of this interface is being # used. This document describes version 1.1. This @@ -41,15 +39,17 @@ # is the name of the connection for which we are # routing. # -# PLUTO_NEXT_HOP -# is the next hop to which packets bound for the peer -# must be sent. -# # PLUTO_INTERFACE # is the name of the ipsec interface to be used. # # PLUTO_REQID -# is the requid of the ESP policy +# is the requid of the AH|ESP policy +# +# PLUTO_PROTO +# is the negotiated IPsec protocol, ah|esp +# +# PLUTO_IPCOMP +# is not empty if IPComp was negotiated # # PLUTO_UNIQUEID # is the unique identifier of the associated IKE_SA @@ -66,15 +66,6 @@ # host's own IP address / max (where max is 32 for # IPv4 and 128 for IPv6). # -# PLUTO_MY_CLIENT_NET -# is the IP address of our client net. If the client -# is just the host, this will be the host's own IP -# address. -# -# PLUTO_MY_CLIENT_MASK -# is the mask for our client net. If the client is -# just the host, this will be 255.255.255.255. -# # PLUTO_MY_SOURCEIP # PLUTO_MY_SOURCEIP4_$i # PLUTO_MY_SOURCEIP6_$i @@ -88,7 +79,8 @@ # # PLUTO_MY_PORT # is the UDP/TCP port to which the IPsec SA is -# restricted on our side. +# restricted on our side. For ICMP/ICMPv6 this contains the +# message type, and PLUTO_PEER_PORT the message code. # # PLUTO_PEER # is the IP address of our peer. @@ -96,31 +88,19 @@ # PLUTO_PEER_ID # is the ID of our peer. # -# PLUTO_PEER_CA -# is the CA which issued the cert of our peer. -# # PLUTO_PEER_CLIENT # is the IP address / count of the peer's client sub- # net. If the client is just the peer, this will be # the peer's own IP address / max (where max is 32 # for IPv4 and 128 for IPv6). # -# PLUTO_PEER_CLIENT_NET -# is the IP address of the peer's client net. If the -# client is just the peer, this will be the peer's -# own IP address. -# -# PLUTO_PEER_CLIENT_MASK -# is the mask for the peer's client net. If the -# client is just the peer, this will be -# 255.255.255.255. -# # PLUTO_PEER_PROTOCOL # is the IP protocol that will be transported. # # PLUTO_PEER_PORT # is the UDP/TCP port to which the IPsec SA is -# restricted on the peer side. +# restricted on the peer side. For ICMP/ICMPv6 this contains the +# message code, and PLUTO_MY_PORT the message type. # # PLUTO_XAUTH_ID # is an optional user ID employed by the XAUTH protocol @@ -146,7 +126,7 @@ PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin" export PATH -# uncomment to log VPN connections +# comment to disable logging VPN connections to syslog VPN_LOGGING=1 # # tag put in front of each log entry: @@ -160,21 +140,11 @@ FAC_PRIO=local0.notice # # local0.notice -/var/log/vpn -# in order to use source IP routing the Linux kernel options -# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES -# must be enabled -# -# special routing table for sourceip routes -SOURCEIP_ROUTING_TABLE=220 -# -# priority of the sourceip routing table -SOURCEIP_ROUTING_TABLE_PRIO=220 - # check interface version case "$PLUTO_VERSION" in -1.[0|1]) # Older Pluto?!? Play it safe, script may be using new features. +1.[0|1]) # Older release?!? Play it safe, script may be using new features. echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2 - echo "$0: called by obsolete Pluto?" >&2 + echo "$0: called by obsolete release?" >&2 exit 2 ;; 1.*) ;; @@ -196,190 +166,52 @@ custom:*) # custom parameters (see above CAUTION comment) ;; esac -# utility functions for route manipulation -# Meddling with this stuff should not be necessary and requires great care. -uproute() { - doroute add - ip route flush cache -} -downroute() { - doroute delete - ip route flush cache -} - -addsource() { - st=0 - if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local - then - it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE" - oops="`eval $it 2>&1`" - st=$? - if test " $oops" = " " -a " $st" != " 0" - then - oops="silent error, exit status $st" - fi - if test " $oops" != " " -o " $st" != " 0" - then - echo "$0: addsource \`$it' failed ($oops)" >&2 - fi - fi - return $st -} - -doroute() { - st=0 - - if [ -z "$PLUTO_MY_SOURCEIP" ] - then - for dir in /etc/sysconfig /etc/conf.d; do - if [ -f "$dir/defaultsource" ] - then - . "$dir/defaultsource" - fi - done - - if [ -n "$DEFAULTSOURCE" ] - then - PLUTO_MY_SOURCEIP=$DEFAULTSOURCE - fi - fi - - if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ] - then - # leave because no route entry is required - return $st - fi - - parms1="$PLUTO_PEER_CLIENT" - - if [ -n "$PLUTO_NEXT_HOP" ] - then - parms2="via $PLUTO_NEXT_HOP" - else - parms2="via $PLUTO_PEER" - fi - parms2="$parms2 dev $PLUTO_INTERFACE" - - parms3= - if [ -n "$PLUTO_MY_SOURCEIP" ] - then - if test "$1" = "add" - then - addsource - if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE" - then - ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE - fi - fi - parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE" - fi +IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID" +IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" +IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" - case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in - "0.0.0.0/0.0.0.0") - # opportunistic encryption work around - # need to provide route that eclipses default, without - # replacing it. - it="ip route $1 0.0.0.0/1 $parms2 $parms3 && - ip route $1 128.0.0.0/1 $parms2 $parms3" - ;; - *) it="ip route $1 $parms1 $parms2 $parms3" - ;; - esac - oops="`eval $it 2>&1`" - st=$? - if test " $oops" = " " -a " $st" != " 0" - then - oops="silent error, exit status $st" - fi - if test " $oops" != " " -o " $st" != " 0" - then - echo "$0: doroute \`$it' failed ($oops)" >&2 - fi - return $st -} - -# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY -if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ] -then - KLIPS=1 - IPSEC_POLICY_IN="" - IPSEC_POLICY_OUT="" -else - KLIPS= - IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID" - IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" - IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" -fi +# use protocol specific options to set ports +case "$PLUTO_MY_PROTOCOL" in +1) # ICMP + ICMP_TYPE_OPTION="--icmp-type" + ;; +58) # ICMPv6 + ICMP_TYPE_OPTION="--icmpv6-type" + ;; +*) + ;; +esac # are there port numbers? if [ "$PLUTO_MY_PORT" != 0 ] then - S_MY_PORT="--sport $PLUTO_MY_PORT" - D_MY_PORT="--dport $PLUTO_MY_PORT" + if [ -n "$ICMP_TYPE_OPTION" ] + then + S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" + D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" + else + S_MY_PORT="--sport $PLUTO_MY_PORT" + D_MY_PORT="--dport $PLUTO_MY_PORT" + fi fi if [ "$PLUTO_PEER_PORT" != 0 ] then - S_PEER_PORT="--sport $PLUTO_PEER_PORT" - D_PEER_PORT="--dport $PLUTO_PEER_PORT" + if [ -n "$ICMP_TYPE_OPTION" ] + then + # the syntax is --icmp[v6]-type type[/code], so add it to the existing option + S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT" + D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT" + else + S_PEER_PORT="--sport $PLUTO_PEER_PORT" + D_PEER_PORT="--dport $PLUTO_PEER_PORT" + fi fi # resolve octal escape sequences PLUTO_MY_ID=`printf "$PLUTO_MY_ID"` PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"` -# the big choice case "$PLUTO_VERB:$1" in -prepare-host:*|prepare-client:*) - if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ] - then - # exit because no route will be added, - # so that existing routes can stay - exit 0 - fi - - # delete possibly-existing route (preliminary to adding a route) - case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in - "0.0.0.0/0.0.0.0") - # need to provide route that eclipses default, without - # replacing it. - parms1="0.0.0.0/1" - parms2="128.0.0.0/1" - it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1" - oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`" - ;; - *) - parms="$PLUTO_PEER_CLIENT" - it="ip route delete $parms 2>&1" - oops="`ip route delete $parms 2>&1`" - ;; - esac - status="$?" - if test " $oops" = " " -a " $status" != " 0" - then - oops="silent error, exit status $status" - fi - case "$oops" in - *'RTNETLINK answers: No such process'*) - # This is what route (currently -- not documented!) gives - # for "could not find such a route". - oops= - status=0 - ;; - esac - if test " $oops" != " " -o " $status" != " 0" - then - echo "$0: \`$it' failed ($oops)" >&2 - fi - exit $status - ;; -route-host:*|route-client:*) - # connection to me or my client subnet being routed - uproute - ;; -unroute-host:*|unroute-client:*) - # connection to me or my client subnet being unrouted - downroute - ;; up-host:) # connection to me coming up # If you are doing a custom version, firewall commands go here. @@ -421,6 +253,14 @@ up-host:iptables) -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # + # allow IPIP traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed) + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec host connection setup if [ $VPN_LOGGING ] then @@ -445,6 +285,13 @@ down-host:iptables) -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # + # IPIP exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec host connection teardown if [ $VPN_LOGGING ] then @@ -484,6 +331,15 @@ up-client:iptables) -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT fi # + # allow IPIP traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed). + # INPUT is correct here even for forwarded traffic. + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec client connection setup if [ $VPN_LOGGING ] then @@ -527,6 +383,13 @@ down-client:iptables) $IPSEC_POLICY_OUT -j ACCEPT fi # + # IPIP exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec client connection teardown if [ $VPN_LOGGING ] then @@ -543,16 +406,6 @@ down-client:iptables) # # IPv6 # -prepare-host-v6:*|prepare-client-v6:*) - ;; -route-host-v6:*|route-client-v6:*) - # connection to me or my client subnet being routed - #uproute_v6 - ;; -unroute-host-v6:*|unroute-client-v6:*) - # connection to me or my client subnet being unrouted - #downroute_v6 - ;; up-host-v6:) # connection to me coming up # If you are doing a custom version, firewall commands go here. diff --git a/testing/tests/libipsec/host2host-cert/hosts/sun/etc/updown b/testing/tests/libipsec/host2host-cert/hosts/sun/etc/updown index aea6d8555..7c510261d 100755 --- a/testing/tests/libipsec/host2host-cert/hosts/sun/etc/updown +++ b/testing/tests/libipsec/host2host-cert/hosts/sun/etc/updown @@ -1,5 +1,5 @@ -#! /bin/sh -# iproute2 version, default updown script +#!/bin/sh +# default updown script # # Copyright (C) 2003-2004 Nigel Meteringham # Copyright (C) 2003-2004 Tuomo Soini @@ -22,8 +22,6 @@ # that, and use the (left/right)updown parameters in ipsec.conf to make # strongSwan use yours instead of this default one. -# things that this script gets (from ipsec_pluto(8) man page) -# # PLUTO_VERSION # indicates what version of this interface is being # used. This document describes version 1.1. This @@ -41,15 +39,17 @@ # is the name of the connection for which we are # routing. # -# PLUTO_NEXT_HOP -# is the next hop to which packets bound for the peer -# must be sent. -# # PLUTO_INTERFACE # is the name of the ipsec interface to be used. # # PLUTO_REQID -# is the requid of the ESP policy +# is the requid of the AH|ESP policy +# +# PLUTO_PROTO +# is the negotiated IPsec protocol, ah|esp +# +# PLUTO_IPCOMP +# is not empty if IPComp was negotiated # # PLUTO_UNIQUEID # is the unique identifier of the associated IKE_SA @@ -66,15 +66,6 @@ # host's own IP address / max (where max is 32 for # IPv4 and 128 for IPv6). # -# PLUTO_MY_CLIENT_NET -# is the IP address of our client net. If the client -# is just the host, this will be the host's own IP -# address. -# -# PLUTO_MY_CLIENT_MASK -# is the mask for our client net. If the client is -# just the host, this will be 255.255.255.255. -# # PLUTO_MY_SOURCEIP # PLUTO_MY_SOURCEIP4_$i # PLUTO_MY_SOURCEIP6_$i @@ -88,7 +79,8 @@ # # PLUTO_MY_PORT # is the UDP/TCP port to which the IPsec SA is -# restricted on our side. +# restricted on our side. For ICMP/ICMPv6 this contains the +# message type, and PLUTO_PEER_PORT the message code. # # PLUTO_PEER # is the IP address of our peer. @@ -96,31 +88,19 @@ # PLUTO_PEER_ID # is the ID of our peer. # -# PLUTO_PEER_CA -# is the CA which issued the cert of our peer. -# # PLUTO_PEER_CLIENT # is the IP address / count of the peer's client sub- # net. If the client is just the peer, this will be # the peer's own IP address / max (where max is 32 # for IPv4 and 128 for IPv6). # -# PLUTO_PEER_CLIENT_NET -# is the IP address of the peer's client net. If the -# client is just the peer, this will be the peer's -# own IP address. -# -# PLUTO_PEER_CLIENT_MASK -# is the mask for the peer's client net. If the -# client is just the peer, this will be -# 255.255.255.255. -# # PLUTO_PEER_PROTOCOL # is the IP protocol that will be transported. # # PLUTO_PEER_PORT # is the UDP/TCP port to which the IPsec SA is -# restricted on the peer side. +# restricted on the peer side. For ICMP/ICMPv6 this contains the +# message code, and PLUTO_MY_PORT the message type. # # PLUTO_XAUTH_ID # is an optional user ID employed by the XAUTH protocol @@ -146,7 +126,7 @@ PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin" export PATH -# uncomment to log VPN connections +# comment to disable logging VPN connections to syslog VPN_LOGGING=1 # # tag put in front of each log entry: @@ -160,21 +140,11 @@ FAC_PRIO=local0.notice # # local0.notice -/var/log/vpn -# in order to use source IP routing the Linux kernel options -# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES -# must be enabled -# -# special routing table for sourceip routes -SOURCEIP_ROUTING_TABLE=220 -# -# priority of the sourceip routing table -SOURCEIP_ROUTING_TABLE_PRIO=220 - # check interface version case "$PLUTO_VERSION" in -1.[0|1]) # Older Pluto?!? Play it safe, script may be using new features. +1.[0|1]) # Older release?!? Play it safe, script may be using new features. echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2 - echo "$0: called by obsolete Pluto?" >&2 + echo "$0: called by obsolete release?" >&2 exit 2 ;; 1.*) ;; @@ -196,190 +166,52 @@ custom:*) # custom parameters (see above CAUTION comment) ;; esac -# utility functions for route manipulation -# Meddling with this stuff should not be necessary and requires great care. -uproute() { - doroute add - ip route flush cache -} -downroute() { - doroute delete - ip route flush cache -} - -addsource() { - st=0 - if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local - then - it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE" - oops="`eval $it 2>&1`" - st=$? - if test " $oops" = " " -a " $st" != " 0" - then - oops="silent error, exit status $st" - fi - if test " $oops" != " " -o " $st" != " 0" - then - echo "$0: addsource \`$it' failed ($oops)" >&2 - fi - fi - return $st -} - -doroute() { - st=0 - - if [ -z "$PLUTO_MY_SOURCEIP" ] - then - for dir in /etc/sysconfig /etc/conf.d; do - if [ -f "$dir/defaultsource" ] - then - . "$dir/defaultsource" - fi - done - - if [ -n "$DEFAULTSOURCE" ] - then - PLUTO_MY_SOURCEIP=$DEFAULTSOURCE - fi - fi - - if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ] - then - # leave because no route entry is required - return $st - fi - - parms1="$PLUTO_PEER_CLIENT" - - if [ -n "$PLUTO_NEXT_HOP" ] - then - parms2="via $PLUTO_NEXT_HOP" - else - parms2="via $PLUTO_PEER" - fi - parms2="$parms2 dev $PLUTO_INTERFACE" - - parms3= - if [ -n "$PLUTO_MY_SOURCEIP" ] - then - if test "$1" = "add" - then - addsource - if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE" - then - ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE - fi - fi - parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE" - fi +IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID" +IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" +IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" - case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in - "0.0.0.0/0.0.0.0") - # opportunistic encryption work around - # need to provide route that eclipses default, without - # replacing it. - it="ip route $1 0.0.0.0/1 $parms2 $parms3 && - ip route $1 128.0.0.0/1 $parms2 $parms3" - ;; - *) it="ip route $1 $parms1 $parms2 $parms3" - ;; - esac - oops="`eval $it 2>&1`" - st=$? - if test " $oops" = " " -a " $st" != " 0" - then - oops="silent error, exit status $st" - fi - if test " $oops" != " " -o " $st" != " 0" - then - echo "$0: doroute \`$it' failed ($oops)" >&2 - fi - return $st -} - -# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY -if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ] -then - KLIPS=1 - IPSEC_POLICY_IN="" - IPSEC_POLICY_OUT="" -else - KLIPS= - IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID" - IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" - IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" -fi +# use protocol specific options to set ports +case "$PLUTO_MY_PROTOCOL" in +1) # ICMP + ICMP_TYPE_OPTION="--icmp-type" + ;; +58) # ICMPv6 + ICMP_TYPE_OPTION="--icmpv6-type" + ;; +*) + ;; +esac # are there port numbers? if [ "$PLUTO_MY_PORT" != 0 ] then - S_MY_PORT="--sport $PLUTO_MY_PORT" - D_MY_PORT="--dport $PLUTO_MY_PORT" + if [ -n "$ICMP_TYPE_OPTION" ] + then + S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" + D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" + else + S_MY_PORT="--sport $PLUTO_MY_PORT" + D_MY_PORT="--dport $PLUTO_MY_PORT" + fi fi if [ "$PLUTO_PEER_PORT" != 0 ] then - S_PEER_PORT="--sport $PLUTO_PEER_PORT" - D_PEER_PORT="--dport $PLUTO_PEER_PORT" + if [ -n "$ICMP_TYPE_OPTION" ] + then + # the syntax is --icmp[v6]-type type[/code], so add it to the existing option + S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT" + D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT" + else + S_PEER_PORT="--sport $PLUTO_PEER_PORT" + D_PEER_PORT="--dport $PLUTO_PEER_PORT" + fi fi # resolve octal escape sequences PLUTO_MY_ID=`printf "$PLUTO_MY_ID"` PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"` -# the big choice case "$PLUTO_VERB:$1" in -prepare-host:*|prepare-client:*) - if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ] - then - # exit because no route will be added, - # so that existing routes can stay - exit 0 - fi - - # delete possibly-existing route (preliminary to adding a route) - case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in - "0.0.0.0/0.0.0.0") - # need to provide route that eclipses default, without - # replacing it. - parms1="0.0.0.0/1" - parms2="128.0.0.0/1" - it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1" - oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`" - ;; - *) - parms="$PLUTO_PEER_CLIENT" - it="ip route delete $parms 2>&1" - oops="`ip route delete $parms 2>&1`" - ;; - esac - status="$?" - if test " $oops" = " " -a " $status" != " 0" - then - oops="silent error, exit status $status" - fi - case "$oops" in - *'RTNETLINK answers: No such process'*) - # This is what route (currently -- not documented!) gives - # for "could not find such a route". - oops= - status=0 - ;; - esac - if test " $oops" != " " -o " $status" != " 0" - then - echo "$0: \`$it' failed ($oops)" >&2 - fi - exit $status - ;; -route-host:*|route-client:*) - # connection to me or my client subnet being routed - uproute - ;; -unroute-host:*|unroute-client:*) - # connection to me or my client subnet being unrouted - downroute - ;; up-host:) # connection to me coming up # If you are doing a custom version, firewall commands go here. @@ -421,6 +253,14 @@ up-host:iptables) -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # + # allow IPIP traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed) + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec host connection setup if [ $VPN_LOGGING ] then @@ -445,6 +285,13 @@ down-host:iptables) -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # + # IPIP exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec host connection teardown if [ $VPN_LOGGING ] then @@ -484,6 +331,15 @@ up-client:iptables) -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT fi # + # allow IPIP traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed). + # INPUT is correct here even for forwarded traffic. + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec client connection setup if [ $VPN_LOGGING ] then @@ -527,6 +383,13 @@ down-client:iptables) $IPSEC_POLICY_OUT -j ACCEPT fi # + # IPIP exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec client connection teardown if [ $VPN_LOGGING ] then @@ -543,16 +406,6 @@ down-client:iptables) # # IPv6 # -prepare-host-v6:*|prepare-client-v6:*) - ;; -route-host-v6:*|route-client-v6:*) - # connection to me or my client subnet being routed - #uproute_v6 - ;; -unroute-host-v6:*|unroute-client-v6:*) - # connection to me or my client subnet being unrouted - #downroute_v6 - ;; up-host-v6:) # connection to me coming up # If you are doing a custom version, firewall commands go here. diff --git a/testing/tests/libipsec/net2net-3des/hosts/moon/etc/updown b/testing/tests/libipsec/net2net-3des/hosts/moon/etc/updown index 1a68ada0e..1b362e65c 100755 --- a/testing/tests/libipsec/net2net-3des/hosts/moon/etc/updown +++ b/testing/tests/libipsec/net2net-3des/hosts/moon/etc/updown @@ -1,5 +1,5 @@ -#! /bin/sh -# iproute2 version, default updown script +#!/bin/sh +# default updown script # # Copyright (C) 2003-2004 Nigel Meteringham # Copyright (C) 2003-2004 Tuomo Soini @@ -22,8 +22,6 @@ # that, and use the (left/right)updown parameters in ipsec.conf to make # strongSwan use yours instead of this default one. -# things that this script gets (from ipsec_pluto(8) man page) -# # PLUTO_VERSION # indicates what version of this interface is being # used. This document describes version 1.1. This @@ -41,15 +39,17 @@ # is the name of the connection for which we are # routing. # -# PLUTO_NEXT_HOP -# is the next hop to which packets bound for the peer -# must be sent. -# # PLUTO_INTERFACE # is the name of the ipsec interface to be used. # # PLUTO_REQID -# is the requid of the ESP policy +# is the requid of the AH|ESP policy +# +# PLUTO_PROTO +# is the negotiated IPsec protocol, ah|esp +# +# PLUTO_IPCOMP +# is not empty if IPComp was negotiated # # PLUTO_UNIQUEID # is the unique identifier of the associated IKE_SA @@ -66,15 +66,6 @@ # host's own IP address / max (where max is 32 for # IPv4 and 128 for IPv6). # -# PLUTO_MY_CLIENT_NET -# is the IP address of our client net. If the client -# is just the host, this will be the host's own IP -# address. -# -# PLUTO_MY_CLIENT_MASK -# is the mask for our client net. If the client is -# just the host, this will be 255.255.255.255. -# # PLUTO_MY_SOURCEIP # PLUTO_MY_SOURCEIP4_$i # PLUTO_MY_SOURCEIP6_$i @@ -88,7 +79,8 @@ # # PLUTO_MY_PORT # is the UDP/TCP port to which the IPsec SA is -# restricted on our side. +# restricted on our side. For ICMP/ICMPv6 this contains the +# message type, and PLUTO_PEER_PORT the message code. # # PLUTO_PEER # is the IP address of our peer. @@ -96,31 +88,19 @@ # PLUTO_PEER_ID # is the ID of our peer. # -# PLUTO_PEER_CA -# is the CA which issued the cert of our peer. -# # PLUTO_PEER_CLIENT # is the IP address / count of the peer's client sub- # net. If the client is just the peer, this will be # the peer's own IP address / max (where max is 32 # for IPv4 and 128 for IPv6). # -# PLUTO_PEER_CLIENT_NET -# is the IP address of the peer's client net. If the -# client is just the peer, this will be the peer's -# own IP address. -# -# PLUTO_PEER_CLIENT_MASK -# is the mask for the peer's client net. If the -# client is just the peer, this will be -# 255.255.255.255. -# # PLUTO_PEER_PROTOCOL # is the IP protocol that will be transported. # # PLUTO_PEER_PORT # is the UDP/TCP port to which the IPsec SA is -# restricted on the peer side. +# restricted on the peer side. For ICMP/ICMPv6 this contains the +# message code, and PLUTO_MY_PORT the message type. # # PLUTO_XAUTH_ID # is an optional user ID employed by the XAUTH protocol @@ -146,7 +126,7 @@ PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin" export PATH -# uncomment to log VPN connections +# comment to disable logging VPN connections to syslog VPN_LOGGING=1 # # tag put in front of each log entry: @@ -160,21 +140,11 @@ FAC_PRIO=local0.notice # # local0.notice -/var/log/vpn -# in order to use source IP routing the Linux kernel options -# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES -# must be enabled -# -# special routing table for sourceip routes -SOURCEIP_ROUTING_TABLE=220 -# -# priority of the sourceip routing table -SOURCEIP_ROUTING_TABLE_PRIO=220 - # check interface version case "$PLUTO_VERSION" in -1.[0|1]) # Older Pluto?!? Play it safe, script may be using new features. +1.[0|1]) # Older release?!? Play it safe, script may be using new features. echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2 - echo "$0: called by obsolete Pluto?" >&2 + echo "$0: called by obsolete release?" >&2 exit 2 ;; 1.*) ;; @@ -196,190 +166,52 @@ custom:*) # custom parameters (see above CAUTION comment) ;; esac -# utility functions for route manipulation -# Meddling with this stuff should not be necessary and requires great care. -uproute() { - doroute add - ip route flush cache -} -downroute() { - doroute delete - ip route flush cache -} - -addsource() { - st=0 - if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local - then - it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE" - oops="`eval $it 2>&1`" - st=$? - if test " $oops" = " " -a " $st" != " 0" - then - oops="silent error, exit status $st" - fi - if test " $oops" != " " -o " $st" != " 0" - then - echo "$0: addsource \`$it' failed ($oops)" >&2 - fi - fi - return $st -} - -doroute() { - st=0 - - if [ -z "$PLUTO_MY_SOURCEIP" ] - then - for dir in /etc/sysconfig /etc/conf.d; do - if [ -f "$dir/defaultsource" ] - then - . "$dir/defaultsource" - fi - done - - if [ -n "$DEFAULTSOURCE" ] - then - PLUTO_MY_SOURCEIP=$DEFAULTSOURCE - fi - fi - - if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ] - then - # leave because no route entry is required - return $st - fi - - parms1="$PLUTO_PEER_CLIENT" - - if [ -n "$PLUTO_NEXT_HOP" ] - then - parms2="via $PLUTO_NEXT_HOP" - else - parms2="via $PLUTO_PEER" - fi - parms2="$parms2 dev $PLUTO_INTERFACE" - - parms3= - if [ -n "$PLUTO_MY_SOURCEIP" ] - then - if test "$1" = "add" - then - addsource - if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE" - then - ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE - fi - fi - parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE" - fi +IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID" +IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" +IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" - case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in - "0.0.0.0/0.0.0.0") - # opportunistic encryption work around - # need to provide route that eclipses default, without - # replacing it. - it="ip route $1 0.0.0.0/1 $parms2 $parms3 && - ip route $1 128.0.0.0/1 $parms2 $parms3" - ;; - *) it="ip route $1 $parms1 $parms2 $parms3" - ;; - esac - oops="`eval $it 2>&1`" - st=$? - if test " $oops" = " " -a " $st" != " 0" - then - oops="silent error, exit status $st" - fi - if test " $oops" != " " -o " $st" != " 0" - then - echo "$0: doroute \`$it' failed ($oops)" >&2 - fi - return $st -} - -# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY -if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ] -then - KLIPS=1 - IPSEC_POLICY_IN="" - IPSEC_POLICY_OUT="" -else - KLIPS= - IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID" - IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" - IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" -fi +# use protocol specific options to set ports +case "$PLUTO_MY_PROTOCOL" in +1) # ICMP + ICMP_TYPE_OPTION="--icmp-type" + ;; +58) # ICMPv6 + ICMP_TYPE_OPTION="--icmpv6-type" + ;; +*) + ;; +esac # are there port numbers? if [ "$PLUTO_MY_PORT" != 0 ] then - S_MY_PORT="--sport $PLUTO_MY_PORT" - D_MY_PORT="--dport $PLUTO_MY_PORT" + if [ -n "$ICMP_TYPE_OPTION" ] + then + S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" + D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" + else + S_MY_PORT="--sport $PLUTO_MY_PORT" + D_MY_PORT="--dport $PLUTO_MY_PORT" + fi fi if [ "$PLUTO_PEER_PORT" != 0 ] then - S_PEER_PORT="--sport $PLUTO_PEER_PORT" - D_PEER_PORT="--dport $PLUTO_PEER_PORT" + if [ -n "$ICMP_TYPE_OPTION" ] + then + # the syntax is --icmp[v6]-type type[/code], so add it to the existing option + S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT" + D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT" + else + S_PEER_PORT="--sport $PLUTO_PEER_PORT" + D_PEER_PORT="--dport $PLUTO_PEER_PORT" + fi fi # resolve octal escape sequences PLUTO_MY_ID=`printf "$PLUTO_MY_ID"` PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"` -# the big choice case "$PLUTO_VERB:$1" in -prepare-host:*|prepare-client:*) - if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ] - then - # exit because no route will be added, - # so that existing routes can stay - exit 0 - fi - - # delete possibly-existing route (preliminary to adding a route) - case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in - "0.0.0.0/0.0.0.0") - # need to provide route that eclipses default, without - # replacing it. - parms1="0.0.0.0/1" - parms2="128.0.0.0/1" - it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1" - oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`" - ;; - *) - parms="$PLUTO_PEER_CLIENT" - it="ip route delete $parms 2>&1" - oops="`ip route delete $parms 2>&1`" - ;; - esac - status="$?" - if test " $oops" = " " -a " $status" != " 0" - then - oops="silent error, exit status $status" - fi - case "$oops" in - *'RTNETLINK answers: No such process'*) - # This is what route (currently -- not documented!) gives - # for "could not find such a route". - oops= - status=0 - ;; - esac - if test " $oops" != " " -o " $status" != " 0" - then - echo "$0: \`$it' failed ($oops)" >&2 - fi - exit $status - ;; -route-host:*|route-client:*) - # connection to me or my client subnet being routed - uproute - ;; -unroute-host:*|unroute-client:*) - # connection to me or my client subnet being unrouted - downroute - ;; up-host:) # connection to me coming up # If you are doing a custom version, firewall commands go here. @@ -421,6 +253,14 @@ up-host:iptables) -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # + # allow IPIP traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed) + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec host connection setup if [ $VPN_LOGGING ] then @@ -445,6 +285,13 @@ down-host:iptables) -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # + # IPIP exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec host connection teardown if [ $VPN_LOGGING ] then @@ -484,6 +331,15 @@ up-client:iptables) -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT fi # + # allow IPIP traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed). + # INPUT is correct here even for forwarded traffic. + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec client connection setup if [ $VPN_LOGGING ] then @@ -527,6 +383,13 @@ down-client:iptables) $IPSEC_POLICY_OUT -j ACCEPT fi # + # IPIP exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec client connection teardown if [ $VPN_LOGGING ] then @@ -543,16 +406,6 @@ down-client:iptables) # # IPv6 # -prepare-host-v6:*|prepare-client-v6:*) - ;; -route-host-v6:*|route-client-v6:*) - # connection to me or my client subnet being routed - #uproute_v6 - ;; -unroute-host-v6:*|unroute-client-v6:*) - # connection to me or my client subnet being unrouted - #downroute_v6 - ;; up-host-v6:) # connection to me coming up # If you are doing a custom version, firewall commands go here. diff --git a/testing/tests/libipsec/net2net-3des/hosts/sun/etc/updown b/testing/tests/libipsec/net2net-3des/hosts/sun/etc/updown index 1a68ada0e..1b362e65c 100755 --- a/testing/tests/libipsec/net2net-3des/hosts/sun/etc/updown +++ b/testing/tests/libipsec/net2net-3des/hosts/sun/etc/updown @@ -1,5 +1,5 @@ -#! /bin/sh -# iproute2 version, default updown script +#!/bin/sh +# default updown script # # Copyright (C) 2003-2004 Nigel Meteringham # Copyright (C) 2003-2004 Tuomo Soini @@ -22,8 +22,6 @@ # that, and use the (left/right)updown parameters in ipsec.conf to make # strongSwan use yours instead of this default one. -# things that this script gets (from ipsec_pluto(8) man page) -# # PLUTO_VERSION # indicates what version of this interface is being # used. This document describes version 1.1. This @@ -41,15 +39,17 @@ # is the name of the connection for which we are # routing. # -# PLUTO_NEXT_HOP -# is the next hop to which packets bound for the peer -# must be sent. -# # PLUTO_INTERFACE # is the name of the ipsec interface to be used. # # PLUTO_REQID -# is the requid of the ESP policy +# is the requid of the AH|ESP policy +# +# PLUTO_PROTO +# is the negotiated IPsec protocol, ah|esp +# +# PLUTO_IPCOMP +# is not empty if IPComp was negotiated # # PLUTO_UNIQUEID # is the unique identifier of the associated IKE_SA @@ -66,15 +66,6 @@ # host's own IP address / max (where max is 32 for # IPv4 and 128 for IPv6). # -# PLUTO_MY_CLIENT_NET -# is the IP address of our client net. If the client -# is just the host, this will be the host's own IP -# address. -# -# PLUTO_MY_CLIENT_MASK -# is the mask for our client net. If the client is -# just the host, this will be 255.255.255.255. -# # PLUTO_MY_SOURCEIP # PLUTO_MY_SOURCEIP4_$i # PLUTO_MY_SOURCEIP6_$i @@ -88,7 +79,8 @@ # # PLUTO_MY_PORT # is the UDP/TCP port to which the IPsec SA is -# restricted on our side. +# restricted on our side. For ICMP/ICMPv6 this contains the +# message type, and PLUTO_PEER_PORT the message code. # # PLUTO_PEER # is the IP address of our peer. @@ -96,31 +88,19 @@ # PLUTO_PEER_ID # is the ID of our peer. # -# PLUTO_PEER_CA -# is the CA which issued the cert of our peer. -# # PLUTO_PEER_CLIENT # is the IP address / count of the peer's client sub- # net. If the client is just the peer, this will be # the peer's own IP address / max (where max is 32 # for IPv4 and 128 for IPv6). # -# PLUTO_PEER_CLIENT_NET -# is the IP address of the peer's client net. If the -# client is just the peer, this will be the peer's -# own IP address. -# -# PLUTO_PEER_CLIENT_MASK -# is the mask for the peer's client net. If the -# client is just the peer, this will be -# 255.255.255.255. -# # PLUTO_PEER_PROTOCOL # is the IP protocol that will be transported. # # PLUTO_PEER_PORT # is the UDP/TCP port to which the IPsec SA is -# restricted on the peer side. +# restricted on the peer side. For ICMP/ICMPv6 this contains the +# message code, and PLUTO_MY_PORT the message type. # # PLUTO_XAUTH_ID # is an optional user ID employed by the XAUTH protocol @@ -146,7 +126,7 @@ PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin" export PATH -# uncomment to log VPN connections +# comment to disable logging VPN connections to syslog VPN_LOGGING=1 # # tag put in front of each log entry: @@ -160,21 +140,11 @@ FAC_PRIO=local0.notice # # local0.notice -/var/log/vpn -# in order to use source IP routing the Linux kernel options -# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES -# must be enabled -# -# special routing table for sourceip routes -SOURCEIP_ROUTING_TABLE=220 -# -# priority of the sourceip routing table -SOURCEIP_ROUTING_TABLE_PRIO=220 - # check interface version case "$PLUTO_VERSION" in -1.[0|1]) # Older Pluto?!? Play it safe, script may be using new features. +1.[0|1]) # Older release?!? Play it safe, script may be using new features. echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2 - echo "$0: called by obsolete Pluto?" >&2 + echo "$0: called by obsolete release?" >&2 exit 2 ;; 1.*) ;; @@ -196,190 +166,52 @@ custom:*) # custom parameters (see above CAUTION comment) ;; esac -# utility functions for route manipulation -# Meddling with this stuff should not be necessary and requires great care. -uproute() { - doroute add - ip route flush cache -} -downroute() { - doroute delete - ip route flush cache -} - -addsource() { - st=0 - if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local - then - it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE" - oops="`eval $it 2>&1`" - st=$? - if test " $oops" = " " -a " $st" != " 0" - then - oops="silent error, exit status $st" - fi - if test " $oops" != " " -o " $st" != " 0" - then - echo "$0: addsource \`$it' failed ($oops)" >&2 - fi - fi - return $st -} - -doroute() { - st=0 - - if [ -z "$PLUTO_MY_SOURCEIP" ] - then - for dir in /etc/sysconfig /etc/conf.d; do - if [ -f "$dir/defaultsource" ] - then - . "$dir/defaultsource" - fi - done - - if [ -n "$DEFAULTSOURCE" ] - then - PLUTO_MY_SOURCEIP=$DEFAULTSOURCE - fi - fi - - if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ] - then - # leave because no route entry is required - return $st - fi - - parms1="$PLUTO_PEER_CLIENT" - - if [ -n "$PLUTO_NEXT_HOP" ] - then - parms2="via $PLUTO_NEXT_HOP" - else - parms2="via $PLUTO_PEER" - fi - parms2="$parms2 dev $PLUTO_INTERFACE" - - parms3= - if [ -n "$PLUTO_MY_SOURCEIP" ] - then - if test "$1" = "add" - then - addsource - if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE" - then - ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE - fi - fi - parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE" - fi +IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID" +IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" +IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" - case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in - "0.0.0.0/0.0.0.0") - # opportunistic encryption work around - # need to provide route that eclipses default, without - # replacing it. - it="ip route $1 0.0.0.0/1 $parms2 $parms3 && - ip route $1 128.0.0.0/1 $parms2 $parms3" - ;; - *) it="ip route $1 $parms1 $parms2 $parms3" - ;; - esac - oops="`eval $it 2>&1`" - st=$? - if test " $oops" = " " -a " $st" != " 0" - then - oops="silent error, exit status $st" - fi - if test " $oops" != " " -o " $st" != " 0" - then - echo "$0: doroute \`$it' failed ($oops)" >&2 - fi - return $st -} - -# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY -if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ] -then - KLIPS=1 - IPSEC_POLICY_IN="" - IPSEC_POLICY_OUT="" -else - KLIPS= - IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID" - IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" - IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" -fi +# use protocol specific options to set ports +case "$PLUTO_MY_PROTOCOL" in +1) # ICMP + ICMP_TYPE_OPTION="--icmp-type" + ;; +58) # ICMPv6 + ICMP_TYPE_OPTION="--icmpv6-type" + ;; +*) + ;; +esac # are there port numbers? if [ "$PLUTO_MY_PORT" != 0 ] then - S_MY_PORT="--sport $PLUTO_MY_PORT" - D_MY_PORT="--dport $PLUTO_MY_PORT" + if [ -n "$ICMP_TYPE_OPTION" ] + then + S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" + D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" + else + S_MY_PORT="--sport $PLUTO_MY_PORT" + D_MY_PORT="--dport $PLUTO_MY_PORT" + fi fi if [ "$PLUTO_PEER_PORT" != 0 ] then - S_PEER_PORT="--sport $PLUTO_PEER_PORT" - D_PEER_PORT="--dport $PLUTO_PEER_PORT" + if [ -n "$ICMP_TYPE_OPTION" ] + then + # the syntax is --icmp[v6]-type type[/code], so add it to the existing option + S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT" + D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT" + else + S_PEER_PORT="--sport $PLUTO_PEER_PORT" + D_PEER_PORT="--dport $PLUTO_PEER_PORT" + fi fi # resolve octal escape sequences PLUTO_MY_ID=`printf "$PLUTO_MY_ID"` PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"` -# the big choice case "$PLUTO_VERB:$1" in -prepare-host:*|prepare-client:*) - if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ] - then - # exit because no route will be added, - # so that existing routes can stay - exit 0 - fi - - # delete possibly-existing route (preliminary to adding a route) - case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in - "0.0.0.0/0.0.0.0") - # need to provide route that eclipses default, without - # replacing it. - parms1="0.0.0.0/1" - parms2="128.0.0.0/1" - it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1" - oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`" - ;; - *) - parms="$PLUTO_PEER_CLIENT" - it="ip route delete $parms 2>&1" - oops="`ip route delete $parms 2>&1`" - ;; - esac - status="$?" - if test " $oops" = " " -a " $status" != " 0" - then - oops="silent error, exit status $status" - fi - case "$oops" in - *'RTNETLINK answers: No such process'*) - # This is what route (currently -- not documented!) gives - # for "could not find such a route". - oops= - status=0 - ;; - esac - if test " $oops" != " " -o " $status" != " 0" - then - echo "$0: \`$it' failed ($oops)" >&2 - fi - exit $status - ;; -route-host:*|route-client:*) - # connection to me or my client subnet being routed - uproute - ;; -unroute-host:*|unroute-client:*) - # connection to me or my client subnet being unrouted - downroute - ;; up-host:) # connection to me coming up # If you are doing a custom version, firewall commands go here. @@ -421,6 +253,14 @@ up-host:iptables) -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # + # allow IPIP traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed) + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec host connection setup if [ $VPN_LOGGING ] then @@ -445,6 +285,13 @@ down-host:iptables) -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # + # IPIP exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec host connection teardown if [ $VPN_LOGGING ] then @@ -484,6 +331,15 @@ up-client:iptables) -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT fi # + # allow IPIP traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed). + # INPUT is correct here even for forwarded traffic. + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec client connection setup if [ $VPN_LOGGING ] then @@ -527,6 +383,13 @@ down-client:iptables) $IPSEC_POLICY_OUT -j ACCEPT fi # + # IPIP exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec client connection teardown if [ $VPN_LOGGING ] then @@ -543,16 +406,6 @@ down-client:iptables) # # IPv6 # -prepare-host-v6:*|prepare-client-v6:*) - ;; -route-host-v6:*|route-client-v6:*) - # connection to me or my client subnet being routed - #uproute_v6 - ;; -unroute-host-v6:*|unroute-client-v6:*) - # connection to me or my client subnet being unrouted - #downroute_v6 - ;; up-host-v6:) # connection to me coming up # If you are doing a custom version, firewall commands go here. diff --git a/testing/tests/libipsec/net2net-cert/hosts/moon/etc/updown b/testing/tests/libipsec/net2net-cert/hosts/moon/etc/updown index 1a68ada0e..1b362e65c 100755 --- a/testing/tests/libipsec/net2net-cert/hosts/moon/etc/updown +++ b/testing/tests/libipsec/net2net-cert/hosts/moon/etc/updown @@ -1,5 +1,5 @@ -#! /bin/sh -# iproute2 version, default updown script +#!/bin/sh +# default updown script # # Copyright (C) 2003-2004 Nigel Meteringham # Copyright (C) 2003-2004 Tuomo Soini @@ -22,8 +22,6 @@ # that, and use the (left/right)updown parameters in ipsec.conf to make # strongSwan use yours instead of this default one. -# things that this script gets (from ipsec_pluto(8) man page) -# # PLUTO_VERSION # indicates what version of this interface is being # used. This document describes version 1.1. This @@ -41,15 +39,17 @@ # is the name of the connection for which we are # routing. # -# PLUTO_NEXT_HOP -# is the next hop to which packets bound for the peer -# must be sent. -# # PLUTO_INTERFACE # is the name of the ipsec interface to be used. # # PLUTO_REQID -# is the requid of the ESP policy +# is the requid of the AH|ESP policy +# +# PLUTO_PROTO +# is the negotiated IPsec protocol, ah|esp +# +# PLUTO_IPCOMP +# is not empty if IPComp was negotiated # # PLUTO_UNIQUEID # is the unique identifier of the associated IKE_SA @@ -66,15 +66,6 @@ # host's own IP address / max (where max is 32 for # IPv4 and 128 for IPv6). # -# PLUTO_MY_CLIENT_NET -# is the IP address of our client net. If the client -# is just the host, this will be the host's own IP -# address. -# -# PLUTO_MY_CLIENT_MASK -# is the mask for our client net. If the client is -# just the host, this will be 255.255.255.255. -# # PLUTO_MY_SOURCEIP # PLUTO_MY_SOURCEIP4_$i # PLUTO_MY_SOURCEIP6_$i @@ -88,7 +79,8 @@ # # PLUTO_MY_PORT # is the UDP/TCP port to which the IPsec SA is -# restricted on our side. +# restricted on our side. For ICMP/ICMPv6 this contains the +# message type, and PLUTO_PEER_PORT the message code. # # PLUTO_PEER # is the IP address of our peer. @@ -96,31 +88,19 @@ # PLUTO_PEER_ID # is the ID of our peer. # -# PLUTO_PEER_CA -# is the CA which issued the cert of our peer. -# # PLUTO_PEER_CLIENT # is the IP address / count of the peer's client sub- # net. If the client is just the peer, this will be # the peer's own IP address / max (where max is 32 # for IPv4 and 128 for IPv6). # -# PLUTO_PEER_CLIENT_NET -# is the IP address of the peer's client net. If the -# client is just the peer, this will be the peer's -# own IP address. -# -# PLUTO_PEER_CLIENT_MASK -# is the mask for the peer's client net. If the -# client is just the peer, this will be -# 255.255.255.255. -# # PLUTO_PEER_PROTOCOL # is the IP protocol that will be transported. # # PLUTO_PEER_PORT # is the UDP/TCP port to which the IPsec SA is -# restricted on the peer side. +# restricted on the peer side. For ICMP/ICMPv6 this contains the +# message code, and PLUTO_MY_PORT the message type. # # PLUTO_XAUTH_ID # is an optional user ID employed by the XAUTH protocol @@ -146,7 +126,7 @@ PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin" export PATH -# uncomment to log VPN connections +# comment to disable logging VPN connections to syslog VPN_LOGGING=1 # # tag put in front of each log entry: @@ -160,21 +140,11 @@ FAC_PRIO=local0.notice # # local0.notice -/var/log/vpn -# in order to use source IP routing the Linux kernel options -# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES -# must be enabled -# -# special routing table for sourceip routes -SOURCEIP_ROUTING_TABLE=220 -# -# priority of the sourceip routing table -SOURCEIP_ROUTING_TABLE_PRIO=220 - # check interface version case "$PLUTO_VERSION" in -1.[0|1]) # Older Pluto?!? Play it safe, script may be using new features. +1.[0|1]) # Older release?!? Play it safe, script may be using new features. echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2 - echo "$0: called by obsolete Pluto?" >&2 + echo "$0: called by obsolete release?" >&2 exit 2 ;; 1.*) ;; @@ -196,190 +166,52 @@ custom:*) # custom parameters (see above CAUTION comment) ;; esac -# utility functions for route manipulation -# Meddling with this stuff should not be necessary and requires great care. -uproute() { - doroute add - ip route flush cache -} -downroute() { - doroute delete - ip route flush cache -} - -addsource() { - st=0 - if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local - then - it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE" - oops="`eval $it 2>&1`" - st=$? - if test " $oops" = " " -a " $st" != " 0" - then - oops="silent error, exit status $st" - fi - if test " $oops" != " " -o " $st" != " 0" - then - echo "$0: addsource \`$it' failed ($oops)" >&2 - fi - fi - return $st -} - -doroute() { - st=0 - - if [ -z "$PLUTO_MY_SOURCEIP" ] - then - for dir in /etc/sysconfig /etc/conf.d; do - if [ -f "$dir/defaultsource" ] - then - . "$dir/defaultsource" - fi - done - - if [ -n "$DEFAULTSOURCE" ] - then - PLUTO_MY_SOURCEIP=$DEFAULTSOURCE - fi - fi - - if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ] - then - # leave because no route entry is required - return $st - fi - - parms1="$PLUTO_PEER_CLIENT" - - if [ -n "$PLUTO_NEXT_HOP" ] - then - parms2="via $PLUTO_NEXT_HOP" - else - parms2="via $PLUTO_PEER" - fi - parms2="$parms2 dev $PLUTO_INTERFACE" - - parms3= - if [ -n "$PLUTO_MY_SOURCEIP" ] - then - if test "$1" = "add" - then - addsource - if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE" - then - ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE - fi - fi - parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE" - fi +IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID" +IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" +IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" - case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in - "0.0.0.0/0.0.0.0") - # opportunistic encryption work around - # need to provide route that eclipses default, without - # replacing it. - it="ip route $1 0.0.0.0/1 $parms2 $parms3 && - ip route $1 128.0.0.0/1 $parms2 $parms3" - ;; - *) it="ip route $1 $parms1 $parms2 $parms3" - ;; - esac - oops="`eval $it 2>&1`" - st=$? - if test " $oops" = " " -a " $st" != " 0" - then - oops="silent error, exit status $st" - fi - if test " $oops" != " " -o " $st" != " 0" - then - echo "$0: doroute \`$it' failed ($oops)" >&2 - fi - return $st -} - -# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY -if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ] -then - KLIPS=1 - IPSEC_POLICY_IN="" - IPSEC_POLICY_OUT="" -else - KLIPS= - IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID" - IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" - IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" -fi +# use protocol specific options to set ports +case "$PLUTO_MY_PROTOCOL" in +1) # ICMP + ICMP_TYPE_OPTION="--icmp-type" + ;; +58) # ICMPv6 + ICMP_TYPE_OPTION="--icmpv6-type" + ;; +*) + ;; +esac # are there port numbers? if [ "$PLUTO_MY_PORT" != 0 ] then - S_MY_PORT="--sport $PLUTO_MY_PORT" - D_MY_PORT="--dport $PLUTO_MY_PORT" + if [ -n "$ICMP_TYPE_OPTION" ] + then + S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" + D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" + else + S_MY_PORT="--sport $PLUTO_MY_PORT" + D_MY_PORT="--dport $PLUTO_MY_PORT" + fi fi if [ "$PLUTO_PEER_PORT" != 0 ] then - S_PEER_PORT="--sport $PLUTO_PEER_PORT" - D_PEER_PORT="--dport $PLUTO_PEER_PORT" + if [ -n "$ICMP_TYPE_OPTION" ] + then + # the syntax is --icmp[v6]-type type[/code], so add it to the existing option + S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT" + D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT" + else + S_PEER_PORT="--sport $PLUTO_PEER_PORT" + D_PEER_PORT="--dport $PLUTO_PEER_PORT" + fi fi # resolve octal escape sequences PLUTO_MY_ID=`printf "$PLUTO_MY_ID"` PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"` -# the big choice case "$PLUTO_VERB:$1" in -prepare-host:*|prepare-client:*) - if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ] - then - # exit because no route will be added, - # so that existing routes can stay - exit 0 - fi - - # delete possibly-existing route (preliminary to adding a route) - case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in - "0.0.0.0/0.0.0.0") - # need to provide route that eclipses default, without - # replacing it. - parms1="0.0.0.0/1" - parms2="128.0.0.0/1" - it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1" - oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`" - ;; - *) - parms="$PLUTO_PEER_CLIENT" - it="ip route delete $parms 2>&1" - oops="`ip route delete $parms 2>&1`" - ;; - esac - status="$?" - if test " $oops" = " " -a " $status" != " 0" - then - oops="silent error, exit status $status" - fi - case "$oops" in - *'RTNETLINK answers: No such process'*) - # This is what route (currently -- not documented!) gives - # for "could not find such a route". - oops= - status=0 - ;; - esac - if test " $oops" != " " -o " $status" != " 0" - then - echo "$0: \`$it' failed ($oops)" >&2 - fi - exit $status - ;; -route-host:*|route-client:*) - # connection to me or my client subnet being routed - uproute - ;; -unroute-host:*|unroute-client:*) - # connection to me or my client subnet being unrouted - downroute - ;; up-host:) # connection to me coming up # If you are doing a custom version, firewall commands go here. @@ -421,6 +253,14 @@ up-host:iptables) -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # + # allow IPIP traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed) + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec host connection setup if [ $VPN_LOGGING ] then @@ -445,6 +285,13 @@ down-host:iptables) -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # + # IPIP exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec host connection teardown if [ $VPN_LOGGING ] then @@ -484,6 +331,15 @@ up-client:iptables) -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT fi # + # allow IPIP traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed). + # INPUT is correct here even for forwarded traffic. + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec client connection setup if [ $VPN_LOGGING ] then @@ -527,6 +383,13 @@ down-client:iptables) $IPSEC_POLICY_OUT -j ACCEPT fi # + # IPIP exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec client connection teardown if [ $VPN_LOGGING ] then @@ -543,16 +406,6 @@ down-client:iptables) # # IPv6 # -prepare-host-v6:*|prepare-client-v6:*) - ;; -route-host-v6:*|route-client-v6:*) - # connection to me or my client subnet being routed - #uproute_v6 - ;; -unroute-host-v6:*|unroute-client-v6:*) - # connection to me or my client subnet being unrouted - #downroute_v6 - ;; up-host-v6:) # connection to me coming up # If you are doing a custom version, firewall commands go here. diff --git a/testing/tests/libipsec/net2net-cert/hosts/sun/etc/updown b/testing/tests/libipsec/net2net-cert/hosts/sun/etc/updown index 1a68ada0e..1b362e65c 100755 --- a/testing/tests/libipsec/net2net-cert/hosts/sun/etc/updown +++ b/testing/tests/libipsec/net2net-cert/hosts/sun/etc/updown @@ -1,5 +1,5 @@ -#! /bin/sh -# iproute2 version, default updown script +#!/bin/sh +# default updown script # # Copyright (C) 2003-2004 Nigel Meteringham # Copyright (C) 2003-2004 Tuomo Soini @@ -22,8 +22,6 @@ # that, and use the (left/right)updown parameters in ipsec.conf to make # strongSwan use yours instead of this default one. -# things that this script gets (from ipsec_pluto(8) man page) -# # PLUTO_VERSION # indicates what version of this interface is being # used. This document describes version 1.1. This @@ -41,15 +39,17 @@ # is the name of the connection for which we are # routing. # -# PLUTO_NEXT_HOP -# is the next hop to which packets bound for the peer -# must be sent. -# # PLUTO_INTERFACE # is the name of the ipsec interface to be used. # # PLUTO_REQID -# is the requid of the ESP policy +# is the requid of the AH|ESP policy +# +# PLUTO_PROTO +# is the negotiated IPsec protocol, ah|esp +# +# PLUTO_IPCOMP +# is not empty if IPComp was negotiated # # PLUTO_UNIQUEID # is the unique identifier of the associated IKE_SA @@ -66,15 +66,6 @@ # host's own IP address / max (where max is 32 for # IPv4 and 128 for IPv6). # -# PLUTO_MY_CLIENT_NET -# is the IP address of our client net. If the client -# is just the host, this will be the host's own IP -# address. -# -# PLUTO_MY_CLIENT_MASK -# is the mask for our client net. If the client is -# just the host, this will be 255.255.255.255. -# # PLUTO_MY_SOURCEIP # PLUTO_MY_SOURCEIP4_$i # PLUTO_MY_SOURCEIP6_$i @@ -88,7 +79,8 @@ # # PLUTO_MY_PORT # is the UDP/TCP port to which the IPsec SA is -# restricted on our side. +# restricted on our side. For ICMP/ICMPv6 this contains the +# message type, and PLUTO_PEER_PORT the message code. # # PLUTO_PEER # is the IP address of our peer. @@ -96,31 +88,19 @@ # PLUTO_PEER_ID # is the ID of our peer. # -# PLUTO_PEER_CA -# is the CA which issued the cert of our peer. -# # PLUTO_PEER_CLIENT # is the IP address / count of the peer's client sub- # net. If the client is just the peer, this will be # the peer's own IP address / max (where max is 32 # for IPv4 and 128 for IPv6). # -# PLUTO_PEER_CLIENT_NET -# is the IP address of the peer's client net. If the -# client is just the peer, this will be the peer's -# own IP address. -# -# PLUTO_PEER_CLIENT_MASK -# is the mask for the peer's client net. If the -# client is just the peer, this will be -# 255.255.255.255. -# # PLUTO_PEER_PROTOCOL # is the IP protocol that will be transported. # # PLUTO_PEER_PORT # is the UDP/TCP port to which the IPsec SA is -# restricted on the peer side. +# restricted on the peer side. For ICMP/ICMPv6 this contains the +# message code, and PLUTO_MY_PORT the message type. # # PLUTO_XAUTH_ID # is an optional user ID employed by the XAUTH protocol @@ -146,7 +126,7 @@ PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin" export PATH -# uncomment to log VPN connections +# comment to disable logging VPN connections to syslog VPN_LOGGING=1 # # tag put in front of each log entry: @@ -160,21 +140,11 @@ FAC_PRIO=local0.notice # # local0.notice -/var/log/vpn -# in order to use source IP routing the Linux kernel options -# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES -# must be enabled -# -# special routing table for sourceip routes -SOURCEIP_ROUTING_TABLE=220 -# -# priority of the sourceip routing table -SOURCEIP_ROUTING_TABLE_PRIO=220 - # check interface version case "$PLUTO_VERSION" in -1.[0|1]) # Older Pluto?!? Play it safe, script may be using new features. +1.[0|1]) # Older release?!? Play it safe, script may be using new features. echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2 - echo "$0: called by obsolete Pluto?" >&2 + echo "$0: called by obsolete release?" >&2 exit 2 ;; 1.*) ;; @@ -196,190 +166,52 @@ custom:*) # custom parameters (see above CAUTION comment) ;; esac -# utility functions for route manipulation -# Meddling with this stuff should not be necessary and requires great care. -uproute() { - doroute add - ip route flush cache -} -downroute() { - doroute delete - ip route flush cache -} - -addsource() { - st=0 - if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local - then - it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE" - oops="`eval $it 2>&1`" - st=$? - if test " $oops" = " " -a " $st" != " 0" - then - oops="silent error, exit status $st" - fi - if test " $oops" != " " -o " $st" != " 0" - then - echo "$0: addsource \`$it' failed ($oops)" >&2 - fi - fi - return $st -} - -doroute() { - st=0 - - if [ -z "$PLUTO_MY_SOURCEIP" ] - then - for dir in /etc/sysconfig /etc/conf.d; do - if [ -f "$dir/defaultsource" ] - then - . "$dir/defaultsource" - fi - done - - if [ -n "$DEFAULTSOURCE" ] - then - PLUTO_MY_SOURCEIP=$DEFAULTSOURCE - fi - fi - - if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ] - then - # leave because no route entry is required - return $st - fi - - parms1="$PLUTO_PEER_CLIENT" - - if [ -n "$PLUTO_NEXT_HOP" ] - then - parms2="via $PLUTO_NEXT_HOP" - else - parms2="via $PLUTO_PEER" - fi - parms2="$parms2 dev $PLUTO_INTERFACE" - - parms3= - if [ -n "$PLUTO_MY_SOURCEIP" ] - then - if test "$1" = "add" - then - addsource - if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE" - then - ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE - fi - fi - parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE" - fi +IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID" +IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" +IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" - case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in - "0.0.0.0/0.0.0.0") - # opportunistic encryption work around - # need to provide route that eclipses default, without - # replacing it. - it="ip route $1 0.0.0.0/1 $parms2 $parms3 && - ip route $1 128.0.0.0/1 $parms2 $parms3" - ;; - *) it="ip route $1 $parms1 $parms2 $parms3" - ;; - esac - oops="`eval $it 2>&1`" - st=$? - if test " $oops" = " " -a " $st" != " 0" - then - oops="silent error, exit status $st" - fi - if test " $oops" != " " -o " $st" != " 0" - then - echo "$0: doroute \`$it' failed ($oops)" >&2 - fi - return $st -} - -# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY -if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ] -then - KLIPS=1 - IPSEC_POLICY_IN="" - IPSEC_POLICY_OUT="" -else - KLIPS= - IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID" - IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" - IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" -fi +# use protocol specific options to set ports +case "$PLUTO_MY_PROTOCOL" in +1) # ICMP + ICMP_TYPE_OPTION="--icmp-type" + ;; +58) # ICMPv6 + ICMP_TYPE_OPTION="--icmpv6-type" + ;; +*) + ;; +esac # are there port numbers? if [ "$PLUTO_MY_PORT" != 0 ] then - S_MY_PORT="--sport $PLUTO_MY_PORT" - D_MY_PORT="--dport $PLUTO_MY_PORT" + if [ -n "$ICMP_TYPE_OPTION" ] + then + S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" + D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" + else + S_MY_PORT="--sport $PLUTO_MY_PORT" + D_MY_PORT="--dport $PLUTO_MY_PORT" + fi fi if [ "$PLUTO_PEER_PORT" != 0 ] then - S_PEER_PORT="--sport $PLUTO_PEER_PORT" - D_PEER_PORT="--dport $PLUTO_PEER_PORT" + if [ -n "$ICMP_TYPE_OPTION" ] + then + # the syntax is --icmp[v6]-type type[/code], so add it to the existing option + S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT" + D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT" + else + S_PEER_PORT="--sport $PLUTO_PEER_PORT" + D_PEER_PORT="--dport $PLUTO_PEER_PORT" + fi fi # resolve octal escape sequences PLUTO_MY_ID=`printf "$PLUTO_MY_ID"` PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"` -# the big choice case "$PLUTO_VERB:$1" in -prepare-host:*|prepare-client:*) - if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ] - then - # exit because no route will be added, - # so that existing routes can stay - exit 0 - fi - - # delete possibly-existing route (preliminary to adding a route) - case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in - "0.0.0.0/0.0.0.0") - # need to provide route that eclipses default, without - # replacing it. - parms1="0.0.0.0/1" - parms2="128.0.0.0/1" - it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1" - oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`" - ;; - *) - parms="$PLUTO_PEER_CLIENT" - it="ip route delete $parms 2>&1" - oops="`ip route delete $parms 2>&1`" - ;; - esac - status="$?" - if test " $oops" = " " -a " $status" != " 0" - then - oops="silent error, exit status $status" - fi - case "$oops" in - *'RTNETLINK answers: No such process'*) - # This is what route (currently -- not documented!) gives - # for "could not find such a route". - oops= - status=0 - ;; - esac - if test " $oops" != " " -o " $status" != " 0" - then - echo "$0: \`$it' failed ($oops)" >&2 - fi - exit $status - ;; -route-host:*|route-client:*) - # connection to me or my client subnet being routed - uproute - ;; -unroute-host:*|unroute-client:*) - # connection to me or my client subnet being unrouted - downroute - ;; up-host:) # connection to me coming up # If you are doing a custom version, firewall commands go here. @@ -421,6 +253,14 @@ up-host:iptables) -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # + # allow IPIP traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed) + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec host connection setup if [ $VPN_LOGGING ] then @@ -445,6 +285,13 @@ down-host:iptables) -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # + # IPIP exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec host connection teardown if [ $VPN_LOGGING ] then @@ -484,6 +331,15 @@ up-client:iptables) -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT fi # + # allow IPIP traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed). + # INPUT is correct here even for forwarded traffic. + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec client connection setup if [ $VPN_LOGGING ] then @@ -527,6 +383,13 @@ down-client:iptables) $IPSEC_POLICY_OUT -j ACCEPT fi # + # IPIP exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec client connection teardown if [ $VPN_LOGGING ] then @@ -543,16 +406,6 @@ down-client:iptables) # # IPv6 # -prepare-host-v6:*|prepare-client-v6:*) - ;; -route-host-v6:*|route-client-v6:*) - # connection to me or my client subnet being routed - #uproute_v6 - ;; -unroute-host-v6:*|unroute-client-v6:*) - # connection to me or my client subnet being unrouted - #downroute_v6 - ;; up-host-v6:) # connection to me coming up # If you are doing a custom version, firewall commands go here. diff --git a/testing/tests/libipsec/rw-suite-b/evaltest.dat b/testing/tests/libipsec/rw-suite-b/evaltest.dat index d59ea3c34..3a9493ba3 100644 --- a/testing/tests/libipsec/rw-suite-b/evaltest.dat +++ b/testing/tests/libipsec/rw-suite-b/evaltest.dat @@ -1,8 +1,8 @@ carol::cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES -dave:: cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES +dave:: cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES moon:: cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES -moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA-256 signature successful::YES -moon:: cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with ECDSA-256 signature successful::YES +moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA_WITH_SHA256_DER successful::YES +moon:: cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with ECDSA_WITH_SHA256_DER successful::YES carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES diff --git a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/updown b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/updown index 15c239466..7d0c583b3 100755 --- a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/updown +++ b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/updown @@ -1,5 +1,5 @@ -#! /bin/sh -# iproute2 version, default updown script +#!/bin/sh +# default updown script # # Copyright (C) 2003-2004 Nigel Meteringham # Copyright (C) 2003-2004 Tuomo Soini @@ -22,8 +22,6 @@ # that, and use the (left/right)updown parameters in ipsec.conf to make # strongSwan use yours instead of this default one. -# things that this script gets (from ipsec_pluto(8) man page) -# # PLUTO_VERSION # indicates what version of this interface is being # used. This document describes version 1.1. This @@ -41,15 +39,17 @@ # is the name of the connection for which we are # routing. # -# PLUTO_NEXT_HOP -# is the next hop to which packets bound for the peer -# must be sent. -# # PLUTO_INTERFACE # is the name of the ipsec interface to be used. # # PLUTO_REQID -# is the requid of the ESP policy +# is the requid of the AH|ESP policy +# +# PLUTO_PROTO +# is the negotiated IPsec protocol, ah|esp +# +# PLUTO_IPCOMP +# is not empty if IPComp was negotiated # # PLUTO_UNIQUEID # is the unique identifier of the associated IKE_SA @@ -66,15 +66,6 @@ # host's own IP address / max (where max is 32 for # IPv4 and 128 for IPv6). # -# PLUTO_MY_CLIENT_NET -# is the IP address of our client net. If the client -# is just the host, this will be the host's own IP -# address. -# -# PLUTO_MY_CLIENT_MASK -# is the mask for our client net. If the client is -# just the host, this will be 255.255.255.255. -# # PLUTO_MY_SOURCEIP # PLUTO_MY_SOURCEIP4_$i # PLUTO_MY_SOURCEIP6_$i @@ -88,7 +79,8 @@ # # PLUTO_MY_PORT # is the UDP/TCP port to which the IPsec SA is -# restricted on our side. +# restricted on our side. For ICMP/ICMPv6 this contains the +# message type, and PLUTO_PEER_PORT the message code. # # PLUTO_PEER # is the IP address of our peer. @@ -96,31 +88,19 @@ # PLUTO_PEER_ID # is the ID of our peer. # -# PLUTO_PEER_CA -# is the CA which issued the cert of our peer. -# # PLUTO_PEER_CLIENT # is the IP address / count of the peer's client sub- # net. If the client is just the peer, this will be # the peer's own IP address / max (where max is 32 # for IPv4 and 128 for IPv6). # -# PLUTO_PEER_CLIENT_NET -# is the IP address of the peer's client net. If the -# client is just the peer, this will be the peer's -# own IP address. -# -# PLUTO_PEER_CLIENT_MASK -# is the mask for the peer's client net. If the -# client is just the peer, this will be -# 255.255.255.255. -# # PLUTO_PEER_PROTOCOL # is the IP protocol that will be transported. # # PLUTO_PEER_PORT # is the UDP/TCP port to which the IPsec SA is -# restricted on the peer side. +# restricted on the peer side. For ICMP/ICMPv6 this contains the +# message code, and PLUTO_MY_PORT the message type. # # PLUTO_XAUTH_ID # is an optional user ID employed by the XAUTH protocol @@ -146,7 +126,7 @@ PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin" export PATH -# uncomment to log VPN connections +# comment to disable logging VPN connections to syslog VPN_LOGGING=1 # # tag put in front of each log entry: @@ -160,21 +140,11 @@ FAC_PRIO=local0.notice # # local0.notice -/var/log/vpn -# in order to use source IP routing the Linux kernel options -# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES -# must be enabled -# -# special routing table for sourceip routes -SOURCEIP_ROUTING_TABLE=220 -# -# priority of the sourceip routing table -SOURCEIP_ROUTING_TABLE_PRIO=220 - # check interface version case "$PLUTO_VERSION" in -1.[0|1]) # Older Pluto?!? Play it safe, script may be using new features. +1.[0|1]) # Older release?!? Play it safe, script may be using new features. echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2 - echo "$0: called by obsolete Pluto?" >&2 + echo "$0: called by obsolete release?" >&2 exit 2 ;; 1.*) ;; @@ -196,190 +166,52 @@ custom:*) # custom parameters (see above CAUTION comment) ;; esac -# utility functions for route manipulation -# Meddling with this stuff should not be necessary and requires great care. -uproute() { - doroute add - ip route flush cache -} -downroute() { - doroute delete - ip route flush cache -} - -addsource() { - st=0 - if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local - then - it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE" - oops="`eval $it 2>&1`" - st=$? - if test " $oops" = " " -a " $st" != " 0" - then - oops="silent error, exit status $st" - fi - if test " $oops" != " " -o " $st" != " 0" - then - echo "$0: addsource \`$it' failed ($oops)" >&2 - fi - fi - return $st -} - -doroute() { - st=0 - - if [ -z "$PLUTO_MY_SOURCEIP" ] - then - for dir in /etc/sysconfig /etc/conf.d; do - if [ -f "$dir/defaultsource" ] - then - . "$dir/defaultsource" - fi - done - - if [ -n "$DEFAULTSOURCE" ] - then - PLUTO_MY_SOURCEIP=$DEFAULTSOURCE - fi - fi +IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID" +IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" +IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" - if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ] - then - # leave because no route entry is required - return $st - fi - - parms1="$PLUTO_PEER_CLIENT" - - if [ -n "$PLUTO_NEXT_HOP" ] - then - parms2="via $PLUTO_NEXT_HOP" - else - parms2="via $PLUTO_PEER" - fi - parms2="$parms2 dev $PLUTO_INTERFACE" - - parms3= - if [ -n "$PLUTO_MY_SOURCEIP" ] - then - if test "$1" = "add" - then - addsource - if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE" - then - ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE - fi - fi - parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE" - fi - - case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in - "0.0.0.0/0.0.0.0") - # opportunistic encryption work around - # need to provide route that eclipses default, without - # replacing it. - it="ip route $1 0.0.0.0/1 $parms2 $parms3 && - ip route $1 128.0.0.0/1 $parms2 $parms3" - ;; - *) it="ip route $1 $parms1 $parms2 $parms3" - ;; - esac - oops="`eval $it 2>&1`" - st=$? - if test " $oops" = " " -a " $st" != " 0" - then - oops="silent error, exit status $st" - fi - if test " $oops" != " " -o " $st" != " 0" - then - echo "$0: doroute \`$it' failed ($oops)" >&2 - fi - return $st -} - -# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY -if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ] -then - KLIPS=1 - IPSEC_POLICY_IN="" - IPSEC_POLICY_OUT="" -else - KLIPS= - IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID" - IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" - IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" -fi +# use protocol specific options to set ports +case "$PLUTO_MY_PROTOCOL" in +1) # ICMP + ICMP_TYPE_OPTION="--icmp-type" + ;; +58) # ICMPv6 + ICMP_TYPE_OPTION="--icmpv6-type" + ;; +*) + ;; +esac # are there port numbers? if [ "$PLUTO_MY_PORT" != 0 ] then - S_MY_PORT="--sport $PLUTO_MY_PORT" - D_MY_PORT="--dport $PLUTO_MY_PORT" + if [ -n "$ICMP_TYPE_OPTION" ] + then + S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" + D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" + else + S_MY_PORT="--sport $PLUTO_MY_PORT" + D_MY_PORT="--dport $PLUTO_MY_PORT" + fi fi if [ "$PLUTO_PEER_PORT" != 0 ] then - S_PEER_PORT="--sport $PLUTO_PEER_PORT" - D_PEER_PORT="--dport $PLUTO_PEER_PORT" + if [ -n "$ICMP_TYPE_OPTION" ] + then + # the syntax is --icmp[v6]-type type[/code], so add it to the existing option + S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT" + D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT" + else + S_PEER_PORT="--sport $PLUTO_PEER_PORT" + D_PEER_PORT="--dport $PLUTO_PEER_PORT" + fi fi # resolve octal escape sequences PLUTO_MY_ID=`printf "$PLUTO_MY_ID"` PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"` -# the big choice case "$PLUTO_VERB:$1" in -prepare-host:*|prepare-client:*) - if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ] - then - # exit because no route will be added, - # so that existing routes can stay - exit 0 - fi - - # delete possibly-existing route (preliminary to adding a route) - case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in - "0.0.0.0/0.0.0.0") - # need to provide route that eclipses default, without - # replacing it. - parms1="0.0.0.0/1" - parms2="128.0.0.0/1" - it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1" - oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`" - ;; - *) - parms="$PLUTO_PEER_CLIENT" - it="ip route delete $parms 2>&1" - oops="`ip route delete $parms 2>&1`" - ;; - esac - status="$?" - if test " $oops" = " " -a " $status" != " 0" - then - oops="silent error, exit status $status" - fi - case "$oops" in - *'RTNETLINK answers: No such process'*) - # This is what route (currently -- not documented!) gives - # for "could not find such a route". - oops= - status=0 - ;; - esac - if test " $oops" != " " -o " $status" != " 0" - then - echo "$0: \`$it' failed ($oops)" >&2 - fi - exit $status - ;; -route-host:*|route-client:*) - # connection to me or my client subnet being routed - uproute - ;; -unroute-host:*|unroute-client:*) - # connection to me or my client subnet being unrouted - downroute - ;; up-host:) # connection to me coming up # If you are doing a custom version, firewall commands go here. @@ -395,7 +227,7 @@ down-host:) # connection to me going down # If you are doing a custom version, firewall commands go here. PLUTO_INTERFACE=ipsec0 - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ -d $PLUTO_ME $D_MY_PORT -j ACCEPT iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ @@ -406,8 +238,8 @@ up-client:) # connection to my client subnet coming up # If you are doing a custom version, firewall commands go here. PLUTO_INTERFACE=ipsec0 - if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] - then + if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] + then iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ -s $PLUTO_MY_CLIENT $S_MY_PORT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT @@ -444,7 +276,7 @@ down-client:) if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] then iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ -s $PLUTO_MY_CLIENT $S_MY_PORT \ @@ -462,6 +294,14 @@ up-host:iptables) -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # + # allow IPIP traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed) + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec host connection setup if [ $VPN_LOGGING ] then @@ -486,6 +326,13 @@ down-host:iptables) -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # + # IPIP exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec host connection teardown if [ $VPN_LOGGING ] then @@ -525,6 +372,15 @@ up-client:iptables) -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT fi # + # allow IPIP traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed). + # INPUT is correct here even for forwarded traffic. + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec client connection setup if [ $VPN_LOGGING ] then @@ -568,6 +424,13 @@ down-client:iptables) $IPSEC_POLICY_OUT -j ACCEPT fi # + # IPIP exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec client connection teardown if [ $VPN_LOGGING ] then @@ -584,16 +447,6 @@ down-client:iptables) # # IPv6 # -prepare-host-v6:*|prepare-client-v6:*) - ;; -route-host-v6:*|route-client-v6:*) - # connection to me or my client subnet being routed - #uproute_v6 - ;; -unroute-host-v6:*|unroute-client-v6:*) - # connection to me or my client subnet being unrouted - #downroute_v6 - ;; up-host-v6:) # connection to me coming up # If you are doing a custom version, firewall commands go here. diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/updown b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/updown index 15c239466..7d0c583b3 100755 --- a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/updown +++ b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/updown @@ -1,5 +1,5 @@ -#! /bin/sh -# iproute2 version, default updown script +#!/bin/sh +# default updown script # # Copyright (C) 2003-2004 Nigel Meteringham # Copyright (C) 2003-2004 Tuomo Soini @@ -22,8 +22,6 @@ # that, and use the (left/right)updown parameters in ipsec.conf to make # strongSwan use yours instead of this default one. -# things that this script gets (from ipsec_pluto(8) man page) -# # PLUTO_VERSION # indicates what version of this interface is being # used. This document describes version 1.1. This @@ -41,15 +39,17 @@ # is the name of the connection for which we are # routing. # -# PLUTO_NEXT_HOP -# is the next hop to which packets bound for the peer -# must be sent. -# # PLUTO_INTERFACE # is the name of the ipsec interface to be used. # # PLUTO_REQID -# is the requid of the ESP policy +# is the requid of the AH|ESP policy +# +# PLUTO_PROTO +# is the negotiated IPsec protocol, ah|esp +# +# PLUTO_IPCOMP +# is not empty if IPComp was negotiated # # PLUTO_UNIQUEID # is the unique identifier of the associated IKE_SA @@ -66,15 +66,6 @@ # host's own IP address / max (where max is 32 for # IPv4 and 128 for IPv6). # -# PLUTO_MY_CLIENT_NET -# is the IP address of our client net. If the client -# is just the host, this will be the host's own IP -# address. -# -# PLUTO_MY_CLIENT_MASK -# is the mask for our client net. If the client is -# just the host, this will be 255.255.255.255. -# # PLUTO_MY_SOURCEIP # PLUTO_MY_SOURCEIP4_$i # PLUTO_MY_SOURCEIP6_$i @@ -88,7 +79,8 @@ # # PLUTO_MY_PORT # is the UDP/TCP port to which the IPsec SA is -# restricted on our side. +# restricted on our side. For ICMP/ICMPv6 this contains the +# message type, and PLUTO_PEER_PORT the message code. # # PLUTO_PEER # is the IP address of our peer. @@ -96,31 +88,19 @@ # PLUTO_PEER_ID # is the ID of our peer. # -# PLUTO_PEER_CA -# is the CA which issued the cert of our peer. -# # PLUTO_PEER_CLIENT # is the IP address / count of the peer's client sub- # net. If the client is just the peer, this will be # the peer's own IP address / max (where max is 32 # for IPv4 and 128 for IPv6). # -# PLUTO_PEER_CLIENT_NET -# is the IP address of the peer's client net. If the -# client is just the peer, this will be the peer's -# own IP address. -# -# PLUTO_PEER_CLIENT_MASK -# is the mask for the peer's client net. If the -# client is just the peer, this will be -# 255.255.255.255. -# # PLUTO_PEER_PROTOCOL # is the IP protocol that will be transported. # # PLUTO_PEER_PORT # is the UDP/TCP port to which the IPsec SA is -# restricted on the peer side. +# restricted on the peer side. For ICMP/ICMPv6 this contains the +# message code, and PLUTO_MY_PORT the message type. # # PLUTO_XAUTH_ID # is an optional user ID employed by the XAUTH protocol @@ -146,7 +126,7 @@ PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin" export PATH -# uncomment to log VPN connections +# comment to disable logging VPN connections to syslog VPN_LOGGING=1 # # tag put in front of each log entry: @@ -160,21 +140,11 @@ FAC_PRIO=local0.notice # # local0.notice -/var/log/vpn -# in order to use source IP routing the Linux kernel options -# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES -# must be enabled -# -# special routing table for sourceip routes -SOURCEIP_ROUTING_TABLE=220 -# -# priority of the sourceip routing table -SOURCEIP_ROUTING_TABLE_PRIO=220 - # check interface version case "$PLUTO_VERSION" in -1.[0|1]) # Older Pluto?!? Play it safe, script may be using new features. +1.[0|1]) # Older release?!? Play it safe, script may be using new features. echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2 - echo "$0: called by obsolete Pluto?" >&2 + echo "$0: called by obsolete release?" >&2 exit 2 ;; 1.*) ;; @@ -196,190 +166,52 @@ custom:*) # custom parameters (see above CAUTION comment) ;; esac -# utility functions for route manipulation -# Meddling with this stuff should not be necessary and requires great care. -uproute() { - doroute add - ip route flush cache -} -downroute() { - doroute delete - ip route flush cache -} - -addsource() { - st=0 - if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local - then - it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE" - oops="`eval $it 2>&1`" - st=$? - if test " $oops" = " " -a " $st" != " 0" - then - oops="silent error, exit status $st" - fi - if test " $oops" != " " -o " $st" != " 0" - then - echo "$0: addsource \`$it' failed ($oops)" >&2 - fi - fi - return $st -} - -doroute() { - st=0 - - if [ -z "$PLUTO_MY_SOURCEIP" ] - then - for dir in /etc/sysconfig /etc/conf.d; do - if [ -f "$dir/defaultsource" ] - then - . "$dir/defaultsource" - fi - done - - if [ -n "$DEFAULTSOURCE" ] - then - PLUTO_MY_SOURCEIP=$DEFAULTSOURCE - fi - fi +IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID" +IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" +IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" - if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ] - then - # leave because no route entry is required - return $st - fi - - parms1="$PLUTO_PEER_CLIENT" - - if [ -n "$PLUTO_NEXT_HOP" ] - then - parms2="via $PLUTO_NEXT_HOP" - else - parms2="via $PLUTO_PEER" - fi - parms2="$parms2 dev $PLUTO_INTERFACE" - - parms3= - if [ -n "$PLUTO_MY_SOURCEIP" ] - then - if test "$1" = "add" - then - addsource - if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE" - then - ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE - fi - fi - parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE" - fi - - case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in - "0.0.0.0/0.0.0.0") - # opportunistic encryption work around - # need to provide route that eclipses default, without - # replacing it. - it="ip route $1 0.0.0.0/1 $parms2 $parms3 && - ip route $1 128.0.0.0/1 $parms2 $parms3" - ;; - *) it="ip route $1 $parms1 $parms2 $parms3" - ;; - esac - oops="`eval $it 2>&1`" - st=$? - if test " $oops" = " " -a " $st" != " 0" - then - oops="silent error, exit status $st" - fi - if test " $oops" != " " -o " $st" != " 0" - then - echo "$0: doroute \`$it' failed ($oops)" >&2 - fi - return $st -} - -# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY -if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ] -then - KLIPS=1 - IPSEC_POLICY_IN="" - IPSEC_POLICY_OUT="" -else - KLIPS= - IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID" - IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" - IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" -fi +# use protocol specific options to set ports +case "$PLUTO_MY_PROTOCOL" in +1) # ICMP + ICMP_TYPE_OPTION="--icmp-type" + ;; +58) # ICMPv6 + ICMP_TYPE_OPTION="--icmpv6-type" + ;; +*) + ;; +esac # are there port numbers? if [ "$PLUTO_MY_PORT" != 0 ] then - S_MY_PORT="--sport $PLUTO_MY_PORT" - D_MY_PORT="--dport $PLUTO_MY_PORT" + if [ -n "$ICMP_TYPE_OPTION" ] + then + S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" + D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" + else + S_MY_PORT="--sport $PLUTO_MY_PORT" + D_MY_PORT="--dport $PLUTO_MY_PORT" + fi fi if [ "$PLUTO_PEER_PORT" != 0 ] then - S_PEER_PORT="--sport $PLUTO_PEER_PORT" - D_PEER_PORT="--dport $PLUTO_PEER_PORT" + if [ -n "$ICMP_TYPE_OPTION" ] + then + # the syntax is --icmp[v6]-type type[/code], so add it to the existing option + S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT" + D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT" + else + S_PEER_PORT="--sport $PLUTO_PEER_PORT" + D_PEER_PORT="--dport $PLUTO_PEER_PORT" + fi fi # resolve octal escape sequences PLUTO_MY_ID=`printf "$PLUTO_MY_ID"` PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"` -# the big choice case "$PLUTO_VERB:$1" in -prepare-host:*|prepare-client:*) - if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ] - then - # exit because no route will be added, - # so that existing routes can stay - exit 0 - fi - - # delete possibly-existing route (preliminary to adding a route) - case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in - "0.0.0.0/0.0.0.0") - # need to provide route that eclipses default, without - # replacing it. - parms1="0.0.0.0/1" - parms2="128.0.0.0/1" - it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1" - oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`" - ;; - *) - parms="$PLUTO_PEER_CLIENT" - it="ip route delete $parms 2>&1" - oops="`ip route delete $parms 2>&1`" - ;; - esac - status="$?" - if test " $oops" = " " -a " $status" != " 0" - then - oops="silent error, exit status $status" - fi - case "$oops" in - *'RTNETLINK answers: No such process'*) - # This is what route (currently -- not documented!) gives - # for "could not find such a route". - oops= - status=0 - ;; - esac - if test " $oops" != " " -o " $status" != " 0" - then - echo "$0: \`$it' failed ($oops)" >&2 - fi - exit $status - ;; -route-host:*|route-client:*) - # connection to me or my client subnet being routed - uproute - ;; -unroute-host:*|unroute-client:*) - # connection to me or my client subnet being unrouted - downroute - ;; up-host:) # connection to me coming up # If you are doing a custom version, firewall commands go here. @@ -395,7 +227,7 @@ down-host:) # connection to me going down # If you are doing a custom version, firewall commands go here. PLUTO_INTERFACE=ipsec0 - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ -d $PLUTO_ME $D_MY_PORT -j ACCEPT iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ @@ -406,8 +238,8 @@ up-client:) # connection to my client subnet coming up # If you are doing a custom version, firewall commands go here. PLUTO_INTERFACE=ipsec0 - if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] - then + if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] + then iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ -s $PLUTO_MY_CLIENT $S_MY_PORT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT @@ -444,7 +276,7 @@ down-client:) if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] then iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ -s $PLUTO_MY_CLIENT $S_MY_PORT \ @@ -462,6 +294,14 @@ up-host:iptables) -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # + # allow IPIP traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed) + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec host connection setup if [ $VPN_LOGGING ] then @@ -486,6 +326,13 @@ down-host:iptables) -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # + # IPIP exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec host connection teardown if [ $VPN_LOGGING ] then @@ -525,6 +372,15 @@ up-client:iptables) -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT fi # + # allow IPIP traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed). + # INPUT is correct here even for forwarded traffic. + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec client connection setup if [ $VPN_LOGGING ] then @@ -568,6 +424,13 @@ down-client:iptables) $IPSEC_POLICY_OUT -j ACCEPT fi # + # IPIP exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec client connection teardown if [ $VPN_LOGGING ] then @@ -584,16 +447,6 @@ down-client:iptables) # # IPv6 # -prepare-host-v6:*|prepare-client-v6:*) - ;; -route-host-v6:*|route-client-v6:*) - # connection to me or my client subnet being routed - #uproute_v6 - ;; -unroute-host-v6:*|unroute-client-v6:*) - # connection to me or my client subnet being unrouted - #downroute_v6 - ;; up-host-v6:) # connection to me coming up # If you are doing a custom version, firewall commands go here. diff --git a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/updown b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/updown index 15c239466..7d0c583b3 100755 --- a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/updown +++ b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/updown @@ -1,5 +1,5 @@ -#! /bin/sh -# iproute2 version, default updown script +#!/bin/sh +# default updown script # # Copyright (C) 2003-2004 Nigel Meteringham # Copyright (C) 2003-2004 Tuomo Soini @@ -22,8 +22,6 @@ # that, and use the (left/right)updown parameters in ipsec.conf to make # strongSwan use yours instead of this default one. -# things that this script gets (from ipsec_pluto(8) man page) -# # PLUTO_VERSION # indicates what version of this interface is being # used. This document describes version 1.1. This @@ -41,15 +39,17 @@ # is the name of the connection for which we are # routing. # -# PLUTO_NEXT_HOP -# is the next hop to which packets bound for the peer -# must be sent. -# # PLUTO_INTERFACE # is the name of the ipsec interface to be used. # # PLUTO_REQID -# is the requid of the ESP policy +# is the requid of the AH|ESP policy +# +# PLUTO_PROTO +# is the negotiated IPsec protocol, ah|esp +# +# PLUTO_IPCOMP +# is not empty if IPComp was negotiated # # PLUTO_UNIQUEID # is the unique identifier of the associated IKE_SA @@ -66,15 +66,6 @@ # host's own IP address / max (where max is 32 for # IPv4 and 128 for IPv6). # -# PLUTO_MY_CLIENT_NET -# is the IP address of our client net. If the client -# is just the host, this will be the host's own IP -# address. -# -# PLUTO_MY_CLIENT_MASK -# is the mask for our client net. If the client is -# just the host, this will be 255.255.255.255. -# # PLUTO_MY_SOURCEIP # PLUTO_MY_SOURCEIP4_$i # PLUTO_MY_SOURCEIP6_$i @@ -88,7 +79,8 @@ # # PLUTO_MY_PORT # is the UDP/TCP port to which the IPsec SA is -# restricted on our side. +# restricted on our side. For ICMP/ICMPv6 this contains the +# message type, and PLUTO_PEER_PORT the message code. # # PLUTO_PEER # is the IP address of our peer. @@ -96,31 +88,19 @@ # PLUTO_PEER_ID # is the ID of our peer. # -# PLUTO_PEER_CA -# is the CA which issued the cert of our peer. -# # PLUTO_PEER_CLIENT # is the IP address / count of the peer's client sub- # net. If the client is just the peer, this will be # the peer's own IP address / max (where max is 32 # for IPv4 and 128 for IPv6). # -# PLUTO_PEER_CLIENT_NET -# is the IP address of the peer's client net. If the -# client is just the peer, this will be the peer's -# own IP address. -# -# PLUTO_PEER_CLIENT_MASK -# is the mask for the peer's client net. If the -# client is just the peer, this will be -# 255.255.255.255. -# # PLUTO_PEER_PROTOCOL # is the IP protocol that will be transported. # # PLUTO_PEER_PORT # is the UDP/TCP port to which the IPsec SA is -# restricted on the peer side. +# restricted on the peer side. For ICMP/ICMPv6 this contains the +# message code, and PLUTO_MY_PORT the message type. # # PLUTO_XAUTH_ID # is an optional user ID employed by the XAUTH protocol @@ -146,7 +126,7 @@ PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin" export PATH -# uncomment to log VPN connections +# comment to disable logging VPN connections to syslog VPN_LOGGING=1 # # tag put in front of each log entry: @@ -160,21 +140,11 @@ FAC_PRIO=local0.notice # # local0.notice -/var/log/vpn -# in order to use source IP routing the Linux kernel options -# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES -# must be enabled -# -# special routing table for sourceip routes -SOURCEIP_ROUTING_TABLE=220 -# -# priority of the sourceip routing table -SOURCEIP_ROUTING_TABLE_PRIO=220 - # check interface version case "$PLUTO_VERSION" in -1.[0|1]) # Older Pluto?!? Play it safe, script may be using new features. +1.[0|1]) # Older release?!? Play it safe, script may be using new features. echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2 - echo "$0: called by obsolete Pluto?" >&2 + echo "$0: called by obsolete release?" >&2 exit 2 ;; 1.*) ;; @@ -196,190 +166,52 @@ custom:*) # custom parameters (see above CAUTION comment) ;; esac -# utility functions for route manipulation -# Meddling with this stuff should not be necessary and requires great care. -uproute() { - doroute add - ip route flush cache -} -downroute() { - doroute delete - ip route flush cache -} - -addsource() { - st=0 - if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local - then - it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE" - oops="`eval $it 2>&1`" - st=$? - if test " $oops" = " " -a " $st" != " 0" - then - oops="silent error, exit status $st" - fi - if test " $oops" != " " -o " $st" != " 0" - then - echo "$0: addsource \`$it' failed ($oops)" >&2 - fi - fi - return $st -} - -doroute() { - st=0 - - if [ -z "$PLUTO_MY_SOURCEIP" ] - then - for dir in /etc/sysconfig /etc/conf.d; do - if [ -f "$dir/defaultsource" ] - then - . "$dir/defaultsource" - fi - done - - if [ -n "$DEFAULTSOURCE" ] - then - PLUTO_MY_SOURCEIP=$DEFAULTSOURCE - fi - fi +IPSEC_POLICY="-m policy --pol ipsec --proto $PLUTO_PROTO --reqid $PLUTO_REQID" +IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" +IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" - if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ] - then - # leave because no route entry is required - return $st - fi - - parms1="$PLUTO_PEER_CLIENT" - - if [ -n "$PLUTO_NEXT_HOP" ] - then - parms2="via $PLUTO_NEXT_HOP" - else - parms2="via $PLUTO_PEER" - fi - parms2="$parms2 dev $PLUTO_INTERFACE" - - parms3= - if [ -n "$PLUTO_MY_SOURCEIP" ] - then - if test "$1" = "add" - then - addsource - if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE" - then - ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE - fi - fi - parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE" - fi - - case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in - "0.0.0.0/0.0.0.0") - # opportunistic encryption work around - # need to provide route that eclipses default, without - # replacing it. - it="ip route $1 0.0.0.0/1 $parms2 $parms3 && - ip route $1 128.0.0.0/1 $parms2 $parms3" - ;; - *) it="ip route $1 $parms1 $parms2 $parms3" - ;; - esac - oops="`eval $it 2>&1`" - st=$? - if test " $oops" = " " -a " $st" != " 0" - then - oops="silent error, exit status $st" - fi - if test " $oops" != " " -o " $st" != " 0" - then - echo "$0: doroute \`$it' failed ($oops)" >&2 - fi - return $st -} - -# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY -if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ] -then - KLIPS=1 - IPSEC_POLICY_IN="" - IPSEC_POLICY_OUT="" -else - KLIPS= - IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID" - IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" - IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" -fi +# use protocol specific options to set ports +case "$PLUTO_MY_PROTOCOL" in +1) # ICMP + ICMP_TYPE_OPTION="--icmp-type" + ;; +58) # ICMPv6 + ICMP_TYPE_OPTION="--icmpv6-type" + ;; +*) + ;; +esac # are there port numbers? if [ "$PLUTO_MY_PORT" != 0 ] then - S_MY_PORT="--sport $PLUTO_MY_PORT" - D_MY_PORT="--dport $PLUTO_MY_PORT" + if [ -n "$ICMP_TYPE_OPTION" ] + then + S_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" + D_MY_PORT="$ICMP_TYPE_OPTION $PLUTO_MY_PORT" + else + S_MY_PORT="--sport $PLUTO_MY_PORT" + D_MY_PORT="--dport $PLUTO_MY_PORT" + fi fi if [ "$PLUTO_PEER_PORT" != 0 ] then - S_PEER_PORT="--sport $PLUTO_PEER_PORT" - D_PEER_PORT="--dport $PLUTO_PEER_PORT" + if [ -n "$ICMP_TYPE_OPTION" ] + then + # the syntax is --icmp[v6]-type type[/code], so add it to the existing option + S_MY_PORT="$S_MY_PORT/$PLUTO_PEER_PORT" + D_MY_PORT="$D_MY_PORT/$PLUTO_PEER_PORT" + else + S_PEER_PORT="--sport $PLUTO_PEER_PORT" + D_PEER_PORT="--dport $PLUTO_PEER_PORT" + fi fi # resolve octal escape sequences PLUTO_MY_ID=`printf "$PLUTO_MY_ID"` PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"` -# the big choice case "$PLUTO_VERB:$1" in -prepare-host:*|prepare-client:*) - if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ] - then - # exit because no route will be added, - # so that existing routes can stay - exit 0 - fi - - # delete possibly-existing route (preliminary to adding a route) - case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in - "0.0.0.0/0.0.0.0") - # need to provide route that eclipses default, without - # replacing it. - parms1="0.0.0.0/1" - parms2="128.0.0.0/1" - it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1" - oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`" - ;; - *) - parms="$PLUTO_PEER_CLIENT" - it="ip route delete $parms 2>&1" - oops="`ip route delete $parms 2>&1`" - ;; - esac - status="$?" - if test " $oops" = " " -a " $status" != " 0" - then - oops="silent error, exit status $status" - fi - case "$oops" in - *'RTNETLINK answers: No such process'*) - # This is what route (currently -- not documented!) gives - # for "could not find such a route". - oops= - status=0 - ;; - esac - if test " $oops" != " " -o " $status" != " 0" - then - echo "$0: \`$it' failed ($oops)" >&2 - fi - exit $status - ;; -route-host:*|route-client:*) - # connection to me or my client subnet being routed - uproute - ;; -unroute-host:*|unroute-client:*) - # connection to me or my client subnet being unrouted - downroute - ;; up-host:) # connection to me coming up # If you are doing a custom version, firewall commands go here. @@ -395,7 +227,7 @@ down-host:) # connection to me going down # If you are doing a custom version, firewall commands go here. PLUTO_INTERFACE=ipsec0 - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ -d $PLUTO_ME $D_MY_PORT -j ACCEPT iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ @@ -406,8 +238,8 @@ up-client:) # connection to my client subnet coming up # If you are doing a custom version, firewall commands go here. PLUTO_INTERFACE=ipsec0 - if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] - then + if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] + then iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ -s $PLUTO_MY_CLIENT $S_MY_PORT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT @@ -444,7 +276,7 @@ down-client:) if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] then iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ -s $PLUTO_MY_CLIENT $S_MY_PORT \ @@ -462,6 +294,14 @@ up-host:iptables) -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # + # allow IPIP traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed) + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec host connection setup if [ $VPN_LOGGING ] then @@ -486,6 +326,13 @@ down-host:iptables) -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT # + # IPIP exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec host connection teardown if [ $VPN_LOGGING ] then @@ -525,6 +372,15 @@ up-client:iptables) -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT fi # + # allow IPIP traffic because of the implicit SA created by the kernel if + # IPComp is used (for small inbound packets that are not compressed). + # INPUT is correct here even for forwarded traffic. + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec client connection setup if [ $VPN_LOGGING ] then @@ -568,6 +424,13 @@ down-client:iptables) $IPSEC_POLICY_OUT -j ACCEPT fi # + # IPIP exception teardown + if [ -n "$PLUTO_IPCOMP" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p 4 \ + -s $PLUTO_PEER -d $PLUTO_ME $IPSEC_POLICY_IN -j ACCEPT + fi + # # log IPsec client connection teardown if [ $VPN_LOGGING ] then @@ -584,16 +447,6 @@ down-client:iptables) # # IPv6 # -prepare-host-v6:*|prepare-client-v6:*) - ;; -route-host-v6:*|route-client-v6:*) - # connection to me or my client subnet being routed - #uproute_v6 - ;; -unroute-host-v6:*|unroute-client-v6:*) - # connection to me or my client subnet being unrouted - #downroute_v6 - ;; up-host-v6:) # connection to me coming up # If you are doing a custom version, firewall commands go here. diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.d/private/moonKey.pem new file mode 100644 index 000000000..4d99866f7 --- /dev/null +++ b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.d/private/moonKey.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEAyi9jPdS7ugWGIVsVoDEvc/UzEk8LM5ua4Tu2SLArTEaODwHm +MPvvkhl7dwj12//qfklihpZtdazxO9XkN3oYIdgt4QLq35ljtIkEGgsPn3a3niFQ +qjkCDj+lKmd9u4ecmGKR5PFUL+LwSU6cXJVNT6p1oXqntWZS8bFu+9y0Zpf30Lf1 +ILyZAgU2WTjSzTHyvu0w52GlbALZ3ILwze/J1DRHtqmPdiiu0qwSekqVBIOPZudR +fl4LBnLIFlR0vOaJ9zpvxuPHKyxFSY3bvAsXsEkVYG/pTyVsx3fELFNFYP+75arN +2UTMjbTSq6+KKUr1WwOmoBpU14Qwq3g4l1PChwIDAQABAoIBACBFB/Xqajv6fbn9 +K6pxrz02uXwGmacXAtVIDoPzejWmXS4QA4l17HrJDmelSnhelDKry8nnYHkTrTz7 +mn0wQ4HDWy86o/okJUG/TKRLd6bf79aRQqqohqd3iQkHk43GyzuXH+oGioVKF0fc +ACDWw4wfjL7FMNdHCZ4Bz9DrHO/ysHe9B6rvSYm3VZRhSxaneIkaLkkDadKpVx3f +XNFlMxY4qKPJYYSoJZ61iMqrO7+rnA93tmyDDs8PKU3BtnpfNrdePgleJHhk8Zqy +Ev2/NOCSUxbKE8NCtLpGTs+T0qjjnu4k3WPd3ZOBAan0uPDekHZeHB/aXGLhYcxx +J5SurqECgYEA+F1gppkER5Jtoaudt/CUpdQ1sR9wxf75VBqJ4FiYABGQz9xlG4oj +zL/o572s0iV3bwFpnQa+WuWrxGkP6ZuB/Z82npc0N/vLou/b4dxvg4n7K+eOOEf0 +8FMjsse2tqTIXKCqcmQnR0NPQ1jwuvEKsXP5w/JOlnRXAXnd4jxsJI0CgYEA0GaT +61ySttUW9jC3mxuY6jkQy8TEQqR3nOFvWwmCXIWOpN/MTTPus+Telxp/pdKhU+mo +PmX3Unyne5PvwleWDq3YzltX5ZDZGJ5UJlKuNnfGIzQ6OcHRbb7zBpQG6qSRPuug +bgo688hTnb1L59nK88zWVK45euf6pyuoI+SwIGMCgYEA7yvE8knyhBXvezuv0z1b +eGHmHp5/VDwY0DQKSEAoiBBiWrkLqLybgwXf/KJ8dZZc8En08aFX2GLJyYe/KiB1 +ys3ypEBJqgvRayP+o/9KZ+qNNRd0rqAksPXvL7ABNNt0kzapTSVDae3Yu6s/j1am +DIL5qAeERIDedG5uDPpQzdUCgYB7MtjpP63ABhLv8XbpbBQnCxtByw3W89F+Xcrt +v55gQdhE4cSuMzA/CuMH4vNpPS6AI9aBJNhj3CtKo/cOJachAGb1/wvkO5ALvLW0 +fhZdPstUTnDJain7vfF/hwzbs/PlhXgu9T9KlLfRvXFdG+Sd4g8mumRiozcLkoRw +y6XPTwKBgDJP+s9wXmdG90HST/aqC7FKrVXLpB63dY5swNUfQP6sa0pFnON0r0JC +h/YCsGFFIAebQ2uOkM3g3f9nkwTp7910ov+/5uThvRI2w2BBPy0mVuALPjyyF1Z2 +cb9zpyKiIuXoXRCf4sd8r1lR9bn0Fxx0Svpxf+fpMGSI5quHNBKY +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.d/private/sunKey.pem b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.d/private/sunKey.pem new file mode 100644 index 000000000..d8fad9aad --- /dev/null +++ b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.d/private/sunKey.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEA35VUimfpDmNpT/8Q3qnoDlxJ9R+EErSYVraVoUVmH9jSHroB +eqqtDdf3XuHtg2xKTryijBj2H0jeA7HuE1UGwmvZWN1gL5vSrk1OFrT38DmaKa/+ +mtiPqjTJrDGg+OgOz1iHsPsp/4Xx+SCTSy2Ucllfront02sVduDXEGV34Snk6vYV +sRn1BZSlFBO6F2k23/j1i7FDn0N6Zj0hFvCysoIcfSYasmwN2p5vRqn7xC9JceMK +3V+v0w0pZoAUBAspAjh7R1rWe08IRAt4Tzff401EGAa5+TQqoZPd4BeqvFr0AQhQ +mdVw97FB2pQyNxSlcVvxY3NFYHwSCHcEMroWwQIDAQABAoIBADH51hjN2zk9HVgl +QmcTAWzcUie5cLMhrP+M9mtC8O3jcCwwFY6OwfnbMU8DHy0GMqHg5lB8b99UUVPw +HLAzjDw/ESkc6pgZs4EEhJTsxJLsvTnePgHssEgyXnXf7gRVEqJkPohfy+Zy0UCH +eIUQXiMlOQ7xg7iDMhwNa+UdWSt539DztSKilQn2xdPZjFnMT0/prvl4NA/8Zn54 +/SdWDq5yRdLWb6EK1V7yJ3687GXR1jzGtgy7TXuncUJVTYgX7RdP1Tn6gWD8YAQ/ +RfT0DdWYm4WHSgSb9/NW8lBZH2yy3hg+lNgofXEvTfBkO5QyW31LIr0tCV6zhJIc +Y9MxaKUCgYEA9sktaXfhPLe0ECjdeQEOq5EKuDrCviSKCOuAV4BDSOsdw6+5LWfY +Vb/oke8N70lL3RCblcj1pOKWUi2O/SpEJdDRduiw2gM9cXt3/bChSTHC4TsIxxN/ +Db9OGg72kZ4sRY5Au+zyAAQYBwXhFWux194Jk5qK0JblNG9J5QMqZDcCgYEA5+5h +BgHUMEO+pdME5lAiSc5PcNTejpA6j+OikCh4/HFXy3C/dLx+Cs1+egw64c8iVaIv +NEo7n7E9I0e3XqanPRXhMnBRrP+39OVsWPmZ18Li2Hi84KwJyi8Y11l3XJOqaYpF +wMVUuZpxR0dfG5k/5GwT/tEkmQBglOgG3m2zUMcCgYEA4m3Vd9ahV5dp5AXKpzKc +JjiPMFfhxJo7+FEz0ZUCp03qYljBu/Jy4MKS/grrqyiCLdQGHNlk4SNxLvdUId78 +5gGBnuuDEJU2dAAIKUE9yq2YlBUZSacOxStI2snt28/X6P3LUWHm7LLU5OS1D3Vf +mKPF/6MlSJuas5CEqVZNN+MCgYBH9Qh7IaQgmVQUBKVXg3Mv7OduvUyTdKIGtHxi +N3xZ7hxsDP4JjNWaKmlcGmFGX8pqQRheI83d3NJ4GK8GmbP3Wst0p65fezMqsudr +r30QmPFicgs/tYCQDw6o+aPzwAi2F+VOSqrfrtAIaldSq7hL+VA21dKB+cD9UgOX +jPd+TwKBgQCbKeg2QNS2qhPIG9eaqJDROuxmxb/07d7OBctgMgxVvKhqW9hW42Sy +gJ59fyz5QjFBaSfcOdf4gkKyEawVo45/q6ymIQU37R4vF4CW9Z3CfaIbwJp7LcHV +zH07so/HNsZua6GWCSCLJU5MeCRiZzk2RFiS9KIaLP4gZndv4lXOiQ== +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/evaltest.dat b/testing/tests/openssl-ikev2/ecdsa-certs/evaltest.dat index 0110bb996..55ac10935 100644 --- a/testing/tests/openssl-ikev2/ecdsa-certs/evaltest.dat +++ b/testing/tests/openssl-ikev2/ecdsa-certs/evaltest.dat @@ -6,9 +6,9 @@ carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES -moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA-256 signature successful::YES +moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA_WITH_SHA256_DER successful::YES moon:: cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with ECDSA-384 signature successful::YES -carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA-521 signature successful::YES +carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA_WITH_SHA512_DER successful::YES dave:: cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA-521 signature successful::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/strongswan.conf index 4a5e52dbd..d94b17950 100644 --- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/strongswan.conf @@ -2,4 +2,5 @@ charon { load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown + signature_authentication = no } diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/evaltest.dat b/testing/tests/openssl-ikev2/ecdsa-pkcs8/evaltest.dat index 8a4215dcc..2d7324a9a 100644 --- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/evaltest.dat +++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/evaltest.dat @@ -2,10 +2,10 @@ carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon. dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES -moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA-256 signature successful::YES -moon:: cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with ECDSA-384 signature successful::YES -carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA-521 signature successful::YES -dave:: cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA-521 signature successful::YES +moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA_WITH_SHA256_DER successful::YES +moon:: cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with ECDSA_WITH_SHA384_DER successful::YES +carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA_WITH_SHA512_DER successful::YES +dave:: cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA_WITH_SHA512_DER successful::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/evaltest.dat b/testing/tests/openssl-ikev2/rw-suite-b-128/evaltest.dat index 7169a091d..a0831f746 100644 --- a/testing/tests/openssl-ikev2/rw-suite-b-128/evaltest.dat +++ b/testing/tests/openssl-ikev2/rw-suite-b-128/evaltest.dat @@ -1,7 +1,7 @@ dave:: cat /var/log/daemon.log::establishing IKE_SA failed, peer not responding::YES carol::cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES moon:: cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES -moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA-256 signature successful::YES +moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA_WITH_SHA256_DER successful::YES carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/evaltest.dat b/testing/tests/openssl-ikev2/rw-suite-b-192/evaltest.dat index 57cbee1d4..200ec3cfb 100644 --- a/testing/tests/openssl-ikev2/rw-suite-b-192/evaltest.dat +++ b/testing/tests/openssl-ikev2/rw-suite-b-192/evaltest.dat @@ -1,7 +1,7 @@ dave:: cat /var/log/daemon.log::establishing IKE_SA failed, peer not responding::YES carol::cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES moon:: cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES -moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA-384 signature successful::YES +moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA_WITH_SHA384_DER successful::YES carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES diff --git a/testing/tests/sql/rw-eap-aka-rsa/evaltest.dat b/testing/tests/sql/rw-eap-aka-rsa/evaltest.dat index e1d33feb7..73173f06b 100644 --- a/testing/tests/sql/rw-eap-aka-rsa/evaltest.dat +++ b/testing/tests/sql/rw-eap-aka-rsa/evaltest.dat @@ -1,4 +1,4 @@ -carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES diff --git a/testing/tests/sql/rw-psk-rsa-split/evaltest.dat b/testing/tests/sql/rw-psk-rsa-split/evaltest.dat index 1648c9557..1206ea4b7 100644 --- a/testing/tests/sql/rw-psk-rsa-split/evaltest.dat +++ b/testing/tests/sql/rw-psk-rsa-split/evaltest.dat @@ -1,6 +1,6 @@ moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with pre-shared key successful::YES moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with pre-shared key successful::YES -moon:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' (myself) with RSA signature successful::YES +moon:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' (myself) with RSA.* successful::YES carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES diff --git a/testing/tests/swanctl/net2net-cert-ipv6/description.txt b/testing/tests/swanctl/net2net-cert-ipv6/description.txt deleted file mode 100755 index 5952ecc2d..000000000 --- a/testing/tests/swanctl/net2net-cert-ipv6/description.txt +++ /dev/null @@ -1,6 +0,0 @@ -An IPv6 ESP tunnel connection between the gateways <b>moon</b> and <b>sun</b> is successfully set up. -It connects the two subnets hiding behind their respective gateways. The authentication is based on -X.509 certificates. Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b> -automatically inserts ip6tables-based firewall rules that let pass the tunneled traffic. -In order to test both the net-to-net tunnel and the firewall rules, client <b>alice</b> behind <b>moon</b> -sends an IPv6 ICMP request to client <b>bob</b> behind <b>sun</b> using the ping6 command. diff --git a/testing/tests/swanctl/net2net-cert-ipv6/evaltest.dat b/testing/tests/swanctl/net2net-cert-ipv6/evaltest.dat deleted file mode 100755 index cdbecd553..000000000 --- a/testing/tests/swanctl/net2net-cert-ipv6/evaltest.dat +++ /dev/null @@ -1,5 +0,0 @@ -moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES -sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES -alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES -sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES -sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/swanctl/net2net-cert-ipv6/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/net2net-cert-ipv6/hosts/moon/etc/strongswan.conf deleted file mode 100755 index bd131af39..000000000 --- a/testing/tests/swanctl/net2net-cert-ipv6/hosts/moon/etc/strongswan.conf +++ /dev/null @@ -1,15 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random -} - -charon { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown vici - - fragment_size = 1400 -} - -libstrongswan { - dh_exponent_ansi_x9_42 = no -} diff --git a/testing/tests/swanctl/net2net-cert-ipv6/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/net2net-cert-ipv6/hosts/moon/etc/swanctl/swanctl.conf deleted file mode 100755 index 16e145cd7..000000000 --- a/testing/tests/swanctl/net2net-cert-ipv6/hosts/moon/etc/swanctl/swanctl.conf +++ /dev/null @@ -1,35 +0,0 @@ -connections { - - gw-gw { - local_addrs = fec0::1 - remote_addrs = fec0::2 - - local { - auth = pubkey - certs = moonCert.pem - id = moon.strongswan.org - } - remote { - auth = pubkey - id = sun.strongswan.org - } - children { - net-net { - local_ts = fec1::0/16 - remote_ts = fec2::0/16 - - start_action = none - updown = /usr/local/libexec/ipsec/_updown iptables - rekey_time = 10m - esp_proposals = aes128gcm128-modp2048 - } - } - - version = 2 - mobike = no - fragmentation = yes - reauth_time = 60m - rekey_time = 20m - proposals = aes128-sha256-modp2048 - } -} diff --git a/testing/tests/swanctl/net2net-cert-ipv6/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/net2net-cert-ipv6/hosts/sun/etc/strongswan.conf deleted file mode 100755 index bd131af39..000000000 --- a/testing/tests/swanctl/net2net-cert-ipv6/hosts/sun/etc/strongswan.conf +++ /dev/null @@ -1,15 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -swanctl { - load = pem pkcs1 x509 revocation constraints pubkey openssl random -} - -charon { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown vici - - fragment_size = 1400 -} - -libstrongswan { - dh_exponent_ansi_x9_42 = no -} diff --git a/testing/tests/swanctl/net2net-cert-ipv6/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/swanctl/net2net-cert-ipv6/hosts/sun/etc/swanctl/swanctl.conf deleted file mode 100755 index 90aa137f0..000000000 --- a/testing/tests/swanctl/net2net-cert-ipv6/hosts/sun/etc/swanctl/swanctl.conf +++ /dev/null @@ -1,35 +0,0 @@ -connections { - - gw-gw { - local_addrs = fec0::2 - remote_addrs = fec0::1 - - local { - auth = pubkey - certs = sunCert.pem - id = sun.strongswan.org - } - remote { - auth = pubkey - id = moon.strongswan.org - } - children { - net-net { - local_ts = fec2::0/16 - remote_ts = fec1::0/16 - - start_action = none - updown = /usr/local/libexec/ipsec/_updown iptables - rekey_time = 10m - esp_proposals = aes128gcm128-modp2048 - } - } - - version = 2 - mobike = no - fragmentation = yes - reauth_time = 60m - rekey_time = 20m - proposals = aes128-sha256-modp2048 - } -} diff --git a/testing/tests/swanctl/net2net-cert-ipv6/posttest.dat b/testing/tests/swanctl/net2net-cert-ipv6/posttest.dat deleted file mode 100755 index a40a7dd2f..000000000 --- a/testing/tests/swanctl/net2net-cert-ipv6/posttest.dat +++ /dev/null @@ -1,11 +0,0 @@ -moon::swanctl --terminate --ike gw-gw 2> /dev/null -moon::service charon stop 2> /dev/null -sun::service charon stop 2> /dev/null -alice::"ip route del fec2:\:/16 via fec1:\:1" -moon::"ip route del fec2:\:/16 via fec0:\:2" -sun::"ip route del fec1:\:/16 via fec0:\:1" -bob::"ip route del fec1:\:/16 via fec2:\:1" -moon::iptables-restore < /etc/iptables.flush -sun::iptables-restore < /etc/iptables.flush -moon::ip6tables-restore < /etc/ip6tables.flush -sun::ip6tables-restore < /etc/ip6tables.flush diff --git a/testing/tests/swanctl/net2net-cert-ipv6/pretest.dat b/testing/tests/swanctl/net2net-cert-ipv6/pretest.dat deleted file mode 100755 index 36e8e1999..000000000 --- a/testing/tests/swanctl/net2net-cert-ipv6/pretest.dat +++ /dev/null @@ -1,16 +0,0 @@ -moon::iptables-restore < /etc/iptables.drop -sun::iptables-restore < /etc/iptables.drop -moon::ip6tables-restore < /etc/ip6tables.rules -sun::ip6tables-restore < /etc/ip6tables.rules -alice::"ip route add fec2:\:/16 via fec1:\:1" -moon::"ip route add fec2:\:/16 via fec0:\:2" -sun::"ip route add fec1:\:/16 via fec0:\:1" -bob::"ip route add fec1:\:/16 via fec2:\:1" -moon::service charon start 2> /dev/null -sun::service charon start 2> /dev/null -moon::sleep 1 -moon::swanctl --load-conns 2> /dev/null -sun::swanctl --load-conns 2> /dev/null -moon::swanctl --load-creds 2> /dev/null -sun::swanctl --load-creds 2> /dev/null -moon::swanctl --initiate --child net-net 2> /dev/null diff --git a/testing/tests/tkm/host2host-initiator/evaltest.dat b/testing/tests/tkm/host2host-initiator/evaltest.dat index d8d44dff6..de50ab32b 100644 --- a/testing/tests/tkm/host2host-initiator/evaltest.dat +++ b/testing/tests/tkm/host2host-initiator/evaltest.dat @@ -10,3 +10,7 @@ moon::cat /tmp/tkm.log::Adding policy \[ 1, 192.168.0.1 <-> 192.168.0.2 \]::YES moon::cat /tmp/tkm.log::Checked CA certificate of CC context 1::YES moon::cat /tmp/tkm.log::Authentication of ISA context 1 successful::YES moon::cat /tmp/tkm.log::Adding SA \[ 1, 192.168.0.1 <-> 192.168.0.2, SPI_in.*, SPI_out.*, soft 30, hard 60 \]::YES +moon::DAEMON_NAME=charon-tkm ipsec down conn1 && sleep 1::no output expected::NO +moon::cat /var/log/daemon.log::deleting child SA (esa: 1, spi:.*)::YES +moon::cat /tmp/tkm.log::Resetting ESA context 1::YES +moon::cat /tmp/tkm.log::Deleting SA \[ 1, 192.168.0.1 <=> 192.168.0.2, SPI_in.*, SPI_out.* \]::YES diff --git a/testing/tests/tkm/host2host-xfrmproxy/evaltest.dat b/testing/tests/tkm/host2host-xfrmproxy/evaltest.dat index 7c8c6b24a..f5143f19a 100644 --- a/testing/tests/tkm/host2host-xfrmproxy/evaltest.dat +++ b/testing/tests/tkm/host2host-xfrmproxy/evaltest.dat @@ -5,6 +5,7 @@ sun::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::YES sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES +moon::cat /var/log/daemon.log::ees: acquire received for reqid 1::YES moon::cat /tmp/tkm.log::RSA private key '/etc/tkm/moonKey.der' loaded::YES moon::cat /tmp/tkm.log::Adding policy \[ 1, 192.168.0.1 <-> 192.168.0.2 \]::YES moon::cat /tmp/tkm.log::Checked CA certificate of CC context 1::YES diff --git a/testing/tests/tkm/multiple-clients/evaltest.dat b/testing/tests/tkm/multiple-clients/evaltest.dat index 8e0042102..1f0c88b53 100644 --- a/testing/tests/tkm/multiple-clients/evaltest.dat +++ b/testing/tests/tkm/multiple-clients/evaltest.dat @@ -15,8 +15,7 @@ dave::tcpdump::IP sun.strongswan.org > dave.strongswan.org: ESP::YES sun::cat /tmp/tkm.log::RSA private key '/etc/tkm/sunKey.der' loaded::YES sun::cat /tmp/tkm.log::Adding policy \[ 1, 192.168.0.2 <-> 192.168.0.100 \]::YES sun::cat /tmp/tkm.log::Adding policy \[ 2, 192.168.0.2 <-> 192.168.0.200 \]::YES -sun::cat /tmp/tkm.log::Checked CA certificate of CC context 1::YES -sun::cat /tmp/tkm.log::Checked CA certificate of CC context 2::YES +sun::cat /tmp/tkm.log | grep "Checked CA certificate of CC context 1" | wc -l::2::YES sun::cat /tmp/tkm.log::Authentication of ISA context 1 successful::YES sun::cat /tmp/tkm.log::Authentication of ISA context 2 successful::YES sun::cat /tmp/tkm.log::Adding SA \[ 1, 192.168.0.2 <-> 192.168.0.100, SPI_in.*, SPI_out.*, soft 30, hard 60 \]::YES diff --git a/testing/tests/tkm/net2net-xfrmproxy/evaltest.dat b/testing/tests/tkm/net2net-xfrmproxy/evaltest.dat index a38dba0ee..98eff247f 100644 --- a/testing/tests/tkm/net2net-xfrmproxy/evaltest.dat +++ b/testing/tests/tkm/net2net-xfrmproxy/evaltest.dat @@ -5,6 +5,7 @@ sun::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES +moon::cat /var/log/daemon.log::ees: acquire received for reqid 1::YES moon::cat /tmp/tkm.log::RSA private key '/etc/tkm/moonKey.der' loaded::YES moon::cat /tmp/tkm.log::Adding policy \[ 1, 10.1.0.0/16 > 192.168.0.1 <=> 192.168.0.2 < 10.2.0.0/16 \]::YES moon::cat /tmp/tkm.log::Checked CA certificate of CC context 1::YES diff --git a/testing/tests/tkm/xfrmproxy-expire/description.txt b/testing/tests/tkm/xfrmproxy-expire/description.txt new file mode 100644 index 000000000..9578cd8f3 --- /dev/null +++ b/testing/tests/tkm/xfrmproxy-expire/description.txt @@ -0,0 +1,6 @@ +A transport connection between the hosts <b>moon</b> and <b>sun</b> is set up. +The host <b>moon</b> starts the Trusted Key Manager (TKM) and the Ada XFRM +proxy, which relays XFRM kernel messages to charon. The authentication is based +on X.509 certificates. The connection is initiated by a ping from <b>moon</b> +to <b>sun</b>. The test asserts that XFRM expire messages from the kernel are +handled correctly. diff --git a/testing/tests/tkm/xfrmproxy-expire/evaltest.dat b/testing/tests/tkm/xfrmproxy-expire/evaltest.dat new file mode 100644 index 000000000..96b486a07 --- /dev/null +++ b/testing/tests/tkm/xfrmproxy-expire/evaltest.dat @@ -0,0 +1,22 @@ +moon::ipsec stroke status 2> /dev/null::conn1.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES +sun::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES +moon::ipsec stroke status 2> /dev/null::conn1.*INSTALLED, TRANSPORT::YES +sun::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES +moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES +moon::cat /var/log/daemon.log::ees: acquire received for reqid 1::YES +moon::cat /var/log/daemon.log::ees: expire received for reqid 1, spi.*, dst 192.168.0.2::YES +moon::cat /var/log/daemon.log::creating rekey job for CHILD_SA ESP/0x.*/192.168.0.2::YES +moon::cat /var/log/daemon.log::deleting child SA (esa: 1, spi:.*)::YES +moon::cat /tmp/tkm.log::RSA private key '/etc/tkm/moonKey.der' loaded::YES +moon::cat /tmp/tkm.log::Adding policy \[ 1, 192.168.0.1 <-> 192.168.0.2 \]::YES +moon::cat /tmp/tkm.log::Checked CA certificate of CC context 1::YES +moon::cat /tmp/tkm.log::Authentication of ISA context 1 successful::YES +moon::cat /tmp/tkm.log::Creating first new ESA context with ID 1 (Isa 1, Sp 1, Ea 1, Initiator TRUE, spi_loc.*, spi_rem.*)::YES +moon::cat /tmp/tkm.log::Creating ESA context with ID 2 (Isa 1, Sp 1, Ea 1, Dh_Id 1, Nc_Loc_Id 1, Initiator TRUE, spi_loc.*, spi_rem.*)::YES +moon::cat /tmp/tkm.log | grep 'Adding SA \[ 1, 192.168.0.1 <-> 192.168.0.2, SPI_in.*, SPI_out.*, soft 2, hard 60 \]' | wc -l::2::YES +moon::cat /tmp/tkm.log::Resetting ESA context 1::YES +moon::cat /tmp/tkm.log::Deleting SA \[ 1, 192.168.0.1 <=> 192.168.0.2, SPI_in.*, SPI_out.* \]::YES +moon::cat /tmp/xfrm_proxy.log::Initiating ESA acquire for reqid 1::YES +moon::cat /tmp/xfrm_proxy.log::Initiating ESA expire (reqid 1, proto 50, SPI.*, hard FALSE)::YES diff --git a/testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/strongswan.conf b/testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..cc9d6e072 --- /dev/null +++ b/testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/strongswan.conf @@ -0,0 +1,8 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon-tkm { + dh_mapping { + 15 = 1 + 16 = 2 + } +} diff --git a/testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/tkm/moonKey.der b/testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/tkm/moonKey.der Binary files differnew file mode 100644 index 000000000..d3748930a --- /dev/null +++ b/testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/tkm/moonKey.der diff --git a/testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/tkm/strongswanCert.der b/testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/tkm/strongswanCert.der Binary files differnew file mode 100644 index 000000000..a5a631f4b --- /dev/null +++ b/testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/tkm/strongswanCert.der diff --git a/testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/tkm/tkm.conf b/testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/tkm/tkm.conf new file mode 100644 index 000000000..23e958ab0 --- /dev/null +++ b/testing/tests/tkm/xfrmproxy-expire/hosts/moon/etc/tkm/tkm.conf @@ -0,0 +1,21 @@ +<tkmconfig> + <local_identity id="1"> + <identity>moon.strongswan.org</identity> + <certificate>moonCert.pem</certificate> + </local_identity> + <policy id="1"> + <mode>transport</mode> + <local> + <identity_id>1</identity_id> + <ip>192.168.0.1</ip> + </local> + <remote> + <identity>sun.strongswan.org</identity> + <ip>192.168.0.2</ip> + </remote> + <lifetime> + <soft>2</soft> + <hard>60</hard> + </lifetime> + </policy> +</tkmconfig> diff --git a/testing/tests/tkm/xfrmproxy-expire/hosts/sun/etc/ipsec.conf b/testing/tests/tkm/xfrmproxy-expire/hosts/sun/etc/ipsec.conf new file mode 100644 index 000000000..e52a04f42 --- /dev/null +++ b/testing/tests/tkm/xfrmproxy-expire/hosts/sun/etc/ipsec.conf @@ -0,0 +1,21 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn host-host + left=PH_IP_SUN + leftcert=sunCert.pem + leftid=sun.strongswan.org + right=PH_IP_MOON + rightid=moon.strongswan.org + ike=aes256-sha512-modp4096! + esp=aes256-sha512-modp4096! + type=transport + auto=add diff --git a/testing/tests/tkm/xfrmproxy-expire/hosts/sun/etc/strongswan.conf b/testing/tests/tkm/xfrmproxy-expire/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..f585edfca --- /dev/null +++ b/testing/tests/tkm/xfrmproxy-expire/hosts/sun/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/tkm/xfrmproxy-expire/posttest.dat b/testing/tests/tkm/xfrmproxy-expire/posttest.dat new file mode 100644 index 000000000..99efe7b00 --- /dev/null +++ b/testing/tests/tkm/xfrmproxy-expire/posttest.dat @@ -0,0 +1,5 @@ +moon::DAEMON_NAME=charon-tkm ipsec stop +moon::killall xfrm_proxy +moon::killall tkm_keymanager +moon::rm -f /tmp/tkm.rpc.ike /tmp/tkm.rpc.ees /tmp/tkm.log /tmp/xfrm_proxy.log +sun::ipsec stop diff --git a/testing/tests/tkm/xfrmproxy-expire/pretest.dat b/testing/tests/tkm/xfrmproxy-expire/pretest.dat new file mode 100644 index 000000000..d645ddbfe --- /dev/null +++ b/testing/tests/tkm/xfrmproxy-expire/pretest.dat @@ -0,0 +1,12 @@ +sun::ipsec start +moon::rm /etc/ipsec.secrets +moon::tkm_cfgtool -c /etc/tkm/tkm.conf -i /etc/ipsec.conf -t /etc/tkm/tkm.bin -s /usr/local/share/tkm/tkmconfig.xsd +moon::cat /etc/ipsec.conf +moon::tkm_keymanager -c /etc/tkm/tkm.bin -k /etc/tkm/moonKey.der -r /etc/tkm/strongswanCert.der >/tmp/tkm.log 2>&1 & +moon::expect-file /tmp/tkm.rpc.ike +moon::DAEMON_NAME=charon-tkm ipsec start +moon::expect-file /tmp/tkm.rpc.ees +moon::xfrm_proxy >/tmp/xfrm_proxy.log 2>&1 & +moon::DAEMON_NAME=charon-tkm expect-connection conn1 +sun::expect-connection host-host +moon::ping -c 3 192.168.0.2 diff --git a/testing/tests/tkm/xfrmproxy-expire/test.conf b/testing/tests/tkm/xfrmproxy-expire/test.conf new file mode 100644 index 000000000..9647dc6a2 --- /dev/null +++ b/testing/tests/tkm/xfrmproxy-expire/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="moon winnetou sun" + +# Corresponding block diagram +# +DIAGRAM="m-w-s.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" diff --git a/testing/tests/tnc/tnccs-11-radius-block/evaltest.dat b/testing/tests/tnc/tnccs-11-radius-block/evaltest.dat index d93407434..b9eee4f57 100644 --- a/testing/tests/tnc/tnccs-11-radius-block/evaltest.dat +++ b/testing/tests/tnc/tnccs-11-radius-block/evaltest.dat @@ -1,8 +1,8 @@ -carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/16::YES -dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES +dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*none::YES dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.0/16::NO diff --git a/testing/tests/tnc/tnccs-11-radius-pts/evaltest.dat b/testing/tests/tnc/tnccs-11-radius-pts/evaltest.dat index e22b767f7..224807860 100644 --- a/testing/tests/tnc/tnccs-11-radius-pts/evaltest.dat +++ b/testing/tests/tnc/tnccs-11-radius-pts/evaltest.dat @@ -1,8 +1,8 @@ -carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES -dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES +dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES diff --git a/testing/tests/tnc/tnccs-11-radius/evaltest.dat b/testing/tests/tnc/tnccs-11-radius/evaltest.dat index e22b767f7..224807860 100644 --- a/testing/tests/tnc/tnccs-11-radius/evaltest.dat +++ b/testing/tests/tnc/tnccs-11-radius/evaltest.dat @@ -1,8 +1,8 @@ -carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES -dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES +dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES dave:: cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES diff --git a/testing/tests/tnc/tnccs-20-fail-init/description.txt b/testing/tests/tnc/tnccs-20-fail-init/description.txt new file mode 100644 index 000000000..91fbbaad9 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-fail-init/description.txt @@ -0,0 +1,10 @@ +The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b> +using EAP-TTLS authentication only with the gateway presenting a server certificate and +the clients doing EAP-MD5 password-based authentication. +In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the +health of <b>carol</b> and <b>dave</b> via the <b>TNCCS 2.0 </b> client-server interface +compliant with <b>RFC 5793 PB-TNC</b>. +<p/> +Unfortunately <b>carol</b> sends her first PB-TNC batch with a wrong version number and +<b>dave</b> sends a PB-TNC message not supported by <b>moon</b> with the NOSKIP flag set. +Therefore both connection setups fail due to fatal PB-TNC errors. diff --git a/testing/tests/tnc/tnccs-20-fail-init/evaltest.dat b/testing/tests/tnc/tnccs-20-fail-init/evaltest.dat new file mode 100644 index 000000000..4cbf60ff7 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-fail-init/evaltest.dat @@ -0,0 +1,10 @@ +moon:: cat /var/log/daemon.log::unsupported TNCCS batch version 0x03::YES +carol::cat /var/log/daemon.log::received fatal PB-TNC error.*Version Not Supported.*caused by bad version 0x03::YES +carol::cat /var/log/daemon.log::EAP_PT_EAP method failed::YES +moon:: cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer carol@strongswan.org::YES +carol::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES +moon:: cat /var/log/daemon.log::reject PB-TNC message (0x00902a/0x00000000)::YES +dave:: cat /var/log/daemon.log::received fatal PB-TNC error.*Unsupported Mandatory Message::YES +dave::cat /var/log/daemon.log::EAP_PT_EAP method failed::YES +moon:: cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES +dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/ipsec.conf new file mode 100644 index 000000000..e2bf349d9 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + charondebug="tnc 3, imc 3" + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_CAROL + leftid=carol@strongswan.org + leftauth=eap + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightauth=any + rightsendcert=never + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..74942afda --- /dev/null +++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +carol@strongswan.org : EAP "Ar3etTnp" diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..fcd224651 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/strongswan.conf @@ -0,0 +1,23 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown + + multiple_authentication = no + + plugins { + tnccs-20 { + tests { + pb_tnc_version = 3 + } + } + } +} + +libimcv { + plugins { + imc-test { + command = allow + } + } +} diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/tnc_config new file mode 100644 index 000000000..bfa666761 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/tnc_config @@ -0,0 +1,3 @@ +#IMC configuration file for strongSwan client + +IMC "Test" /usr/local/lib/ipsec/imcvs/imc-test.so diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/ipsec.conf new file mode 100644 index 000000000..504408488 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + charondebug="tnc 3, imc 3" + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_DAVE + leftid=dave@strongswan.org + leftauth=eap + leftfirewall=yes + right=PH_IP_MOON + rightid=moon.strongswan.org + rightauth=any + rightsendcert=never + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/ipsec.secrets new file mode 100644 index 000000000..5496df7ad --- /dev/null +++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +dave@strongswan.org : EAP "W7R0g3do" diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..76f413722 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/strongswan.conf @@ -0,0 +1,26 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown + + multiple_authentication = no + + plugins { + tnc-imc { + preferred_language = ru, pl , de + } + tnccs-20 { + tests { + pb_tnc_noskip = yes + } + } + } +} + +libimcv { + plugins { + imc-test { + command = isolate + } + } +} diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/tnc_config b/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/tnc_config new file mode 100644 index 000000000..bfa666761 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/tnc_config @@ -0,0 +1,3 @@ +#IMC configuration file for strongSwan client + +IMC "Test" /usr/local/lib/ipsec/imcvs/imc-test.so diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..e21ef0d14 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/ipsec.conf @@ -0,0 +1,34 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + charondebug="tnc 3, imv 3" + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn rw-allow + rightgroups=allow + leftsubnet=10.1.0.0/28 + also=rw-eap + auto=add + +conn rw-isolate + rightgroups=isolate + leftsubnet=10.1.0.16/28 + also=rw-eap + auto=add + +conn rw-eap + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftauth=eap-ttls + leftfirewall=yes + rightauth=eap-ttls + rightid=*@strongswan.org + rightsendcert=never + right=%any diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..2e277ccb0 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,6 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA moonKey.pem + +carol@strongswan.org : EAP "Ar3etTnp" +dave@strongswan.org : EAP "W7R0g3do" diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..9c13fcb67 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/strongswan.conf @@ -0,0 +1,23 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown + + multiple_authentication = no + + plugins { + eap-ttls { + phase2_method = md5 + phase2_piggyback = yes + phase2_tnc = yes + } + } +} + +libimcv { + plugins { + imv-test { + rounds = 1 + } + } +} diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/tnc_config b/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/tnc_config new file mode 100644 index 000000000..61b141062 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/tnc_config @@ -0,0 +1,3 @@ +#IMV configuration file for strongSwan client + +IMV "Test" /usr/local/lib/ipsec/imcvs/imv-test.so diff --git a/testing/tests/tnc/tnccs-20-fail-init/posttest.dat b/testing/tests/tnc/tnccs-20-fail-init/posttest.dat new file mode 100644 index 000000000..b757d8b15 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-fail-init/posttest.dat @@ -0,0 +1,6 @@ +carol::ipsec stop +dave::ipsec stop +moon::ipsec stop +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-20-fail-init/pretest.dat b/testing/tests/tnc/tnccs-20-fail-init/pretest.dat new file mode 100644 index 000000000..38c651328 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-fail-init/pretest.dat @@ -0,0 +1,12 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules +moon::cat /etc/tnc_config +carol::cat /etc/tnc_config +dave::cat /etc/tnc_config +moon::ipsec start +carol::ipsec start +dave::ipsec start +carol::sleep 1 +carol::ipsec up home +dave::ipsec up home diff --git a/testing/tests/tnc/tnccs-20-fail-init/test.conf b/testing/tests/tnc/tnccs-20-fail-init/test.conf new file mode 100644 index 000000000..3c8e3996f --- /dev/null +++ b/testing/tests/tnc/tnccs-20-fail-init/test.conf @@ -0,0 +1,26 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" + +# Guest instances on which FreeRadius is started +# +RADIUSHOSTS= + diff --git a/testing/tests/tnc/tnccs-20-fail-resp/description.txt b/testing/tests/tnc/tnccs-20-fail-resp/description.txt new file mode 100644 index 000000000..0aa07193c --- /dev/null +++ b/testing/tests/tnc/tnccs-20-fail-resp/description.txt @@ -0,0 +1,9 @@ +The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b> +using EAP-TTLS authentication only with the gateway presenting a server certificate and +the client doing EAP-MD5 password-based authentication. +In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the +health of <b>carol</b> via the <b>TNCCS 2.0 </b> client-server interface +compliant with <b>RFC 5793 PB-TNC</b>. +<p/> +Unfortunately <b>moon</b> sends his first PB-TNC batch with a wrong version number . +Therefore the connection setup fails due to a fatal PB-TNC error. diff --git a/testing/tests/tnc/tnccs-20-fail-resp/evaltest.dat b/testing/tests/tnc/tnccs-20-fail-resp/evaltest.dat new file mode 100644 index 000000000..df4bdc857 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-fail-resp/evaltest.dat @@ -0,0 +1,5 @@ +carol:: cat /var/log/daemon.log::unsupported TNCCS batch version 0x03::YES +moon::cat /var/log/daemon.log::received fatal PB-TNC error.*Version Not Supported.*caused by bad version 0x03::YES +moon::cat /var/log/daemon.log::EAP_PT_EAP method failed::YES +moon:: cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer carol@strongswan.org::YES +carol::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES diff --git a/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/ipsec.conf new file mode 100644 index 000000000..e2bf349d9 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + charondebug="tnc 3, imc 3" + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_CAROL + leftid=carol@strongswan.org + leftauth=eap + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightauth=any + rightsendcert=never + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..74942afda --- /dev/null +++ b/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +carol@strongswan.org : EAP "Ar3etTnp" diff --git a/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..ed6d6f718 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/strongswan.conf @@ -0,0 +1,15 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown + + multiple_authentication = no +} + +libimcv { + plugins { + imc-test { + command = allow + } + } +} diff --git a/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/tnc_config new file mode 100644 index 000000000..bfa666761 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/tnc_config @@ -0,0 +1,3 @@ +#IMC configuration file for strongSwan client + +IMC "Test" /usr/local/lib/ipsec/imcvs/imc-test.so diff --git a/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..e21ef0d14 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/ipsec.conf @@ -0,0 +1,34 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + charondebug="tnc 3, imv 3" + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn rw-allow + rightgroups=allow + leftsubnet=10.1.0.0/28 + also=rw-eap + auto=add + +conn rw-isolate + rightgroups=isolate + leftsubnet=10.1.0.16/28 + also=rw-eap + auto=add + +conn rw-eap + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftauth=eap-ttls + leftfirewall=yes + rightauth=eap-ttls + rightid=*@strongswan.org + rightsendcert=never + right=%any diff --git a/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..2e277ccb0 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,6 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA moonKey.pem + +carol@strongswan.org : EAP "Ar3etTnp" +dave@strongswan.org : EAP "W7R0g3do" diff --git a/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..626731f58 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/strongswan.conf @@ -0,0 +1,28 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown + + multiple_authentication = no + + plugins { + eap-ttls { + phase2_method = md5 + phase2_piggyback = yes + phase2_tnc = yes + } + tnccs-20 { + tests { + pb_tnc_version = 3 + } + } + } +} + +libimcv { + plugins { + imv-test { + rounds = 1 + } + } +} diff --git a/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/tnc_config b/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/tnc_config new file mode 100644 index 000000000..61b141062 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/tnc_config @@ -0,0 +1,3 @@ +#IMV configuration file for strongSwan client + +IMV "Test" /usr/local/lib/ipsec/imcvs/imv-test.so diff --git a/testing/tests/tnc/tnccs-20-fail-resp/posttest.dat b/testing/tests/tnc/tnccs-20-fail-resp/posttest.dat new file mode 100644 index 000000000..80ce1a125 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-fail-resp/posttest.dat @@ -0,0 +1,4 @@ +carol::ipsec stop +moon::ipsec stop +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-20-fail-resp/pretest.dat b/testing/tests/tnc/tnccs-20-fail-resp/pretest.dat new file mode 100644 index 000000000..6947c4bdf --- /dev/null +++ b/testing/tests/tnc/tnccs-20-fail-resp/pretest.dat @@ -0,0 +1,8 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +moon::cat /etc/tnc_config +carol::cat /etc/tnc_config +moon::ipsec start +carol::ipsec start +carol::sleep 1 +carol::ipsec up home diff --git a/testing/tests/tnc/tnccs-20-fail-resp/test.conf b/testing/tests/tnc/tnccs-20-fail-resp/test.conf new file mode 100644 index 000000000..e8430743e --- /dev/null +++ b/testing/tests/tnc/tnccs-20-fail-resp/test.conf @@ -0,0 +1,26 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" + +# Guest instances on which FreeRadius is started +# +RADIUSHOSTS= + diff --git a/testing/tests/tnc/tnccs-20-mutual-eap/description.txt b/testing/tests/tnc/tnccs-20-mutual-eap/description.txt new file mode 100644 index 000000000..6c79b8c49 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-mutual-eap/description.txt @@ -0,0 +1,3 @@ +The hosts <b>moon</b> and <b>sun</b> do mutual TNC measurements over IKEv2-EAP +using the PA-TNC, PB-TNC and PT-EAP protocols. The authentication is based on +X.509 certificates. diff --git a/testing/tests/tnc/tnccs-20-mutual-eap/evaltest.dat b/testing/tests/tnc/tnccs-20-mutual-eap/evaltest.dat new file mode 100644 index 000000000..0ef7b5d7d --- /dev/null +++ b/testing/tests/tnc/tnccs-20-mutual-eap/evaltest.dat @@ -0,0 +1,11 @@ +moon::cat /var/log/daemon.log::activating mutual PB-TNC half duplex protocol::YES +sun:: cat /var/log/daemon.log::activating mutual PB-TNC half duplex protocol::YES +moon::cat /var/log/daemon.log::PB-TNC access recommendation is.*Access Allowed::YES +sun:: cat /var/log/daemon.log::PB-TNC access recommendation is.*Access Allowed::YES +moon::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES +sun:: ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES +moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES +sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES +moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..47a0283dc --- /dev/null +++ b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + charondebug="tnc 2, imc 2, imv 2" + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn host-host + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=moon.strongswan.org + leftauth=eap + leftfirewall=yes + right=PH_IP_SUN + rightid=sun.strongswan.org + rightsendcert=never + rightauth=any + auto=add diff --git a/testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..953e7fcea --- /dev/null +++ b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/strongswan.conf @@ -0,0 +1,26 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = x509 openssl pem pkcs1 random nonce curl revocation stroke kernel-netlink socket-default eap-identity eap-ttls eap-tnc tnc-tnccs tnc-imc tnc-imv tnccs-20 updown + + multiple_authentication = no + plugins { + eap-ttls { + phase2_tnc =yes + } + tnccs-20 { + mutual = yes + } + } +} + +libimcv { + plugins { + imc-test { + command = allow + } + imv-test { + rounds = 1 + } + } +} diff --git a/testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/tnc_config b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/tnc_config new file mode 100644 index 000000000..476e8807e --- /dev/null +++ b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/tnc_config @@ -0,0 +1,4 @@ +#IMC/IMV configuration file for strongSwan endpoint + +IMC "Test" /usr/local/lib/ipsec/imcvs/imc-test.so +IMV "Test" /usr/local/lib/ipsec/imcvs/imv-test.so diff --git a/testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/ipsec.conf new file mode 100644 index 000000000..c20bce930 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + charondebug="tnc 2, imc 2, imv 2" + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn host-host + left=PH_IP_SUN + leftcert=sunCert.pem + leftid=sun.strongswan.org + leftauth=eap-ttls + leftfirewall=yes + right=PH_IP_MOON + rightid=moon.strongswan.org + rightauth=eap-ttls + rightsendcert=never + auto=add diff --git a/testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..570126a0e --- /dev/null +++ b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/strongswan.conf @@ -0,0 +1,28 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = x509 openssl pem pkcs1 random nonce curl revocation stroke kernel-netlink socket-default eap-identity eap-ttls eap-tnc tnc-tnccs tnc-imc tnc-imv tnccs-20 updown + + multiple_authentication = no + plugins { + eap-ttls { + request_peer_auth = yes + phase2_piggyback = yes + phase2_tnc =yes + } + tnccs-20 { + mutual = yes + } + } +} + +libimcv { + plugins { + imc-test { + command = allow + } + imv-test { + rounds = 1 + } + } +} diff --git a/testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/tnc_config b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/tnc_config new file mode 100644 index 000000000..476e8807e --- /dev/null +++ b/testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/tnc_config @@ -0,0 +1,4 @@ +#IMC/IMV configuration file for strongSwan endpoint + +IMC "Test" /usr/local/lib/ipsec/imcvs/imc-test.so +IMV "Test" /usr/local/lib/ipsec/imcvs/imv-test.so diff --git a/testing/tests/tnc/tnccs-20-mutual-eap/posttest.dat b/testing/tests/tnc/tnccs-20-mutual-eap/posttest.dat new file mode 100644 index 000000000..1f7aa73a1 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-mutual-eap/posttest.dat @@ -0,0 +1,4 @@ +moon::ipsec stop +sun::ipsec stop +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-20-mutual-eap/pretest.dat b/testing/tests/tnc/tnccs-20-mutual-eap/pretest.dat new file mode 100644 index 000000000..3bce9f6e5 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-mutual-eap/pretest.dat @@ -0,0 +1,6 @@ +moon::iptables-restore < /etc/iptables.rules +sun::iptables-restore < /etc/iptables.rules +moon::ipsec start +sun::ipsec start +moon::sleep 1 +moon::ipsec up host-host diff --git a/testing/tests/tnc/tnccs-20-mutual-eap/test.conf b/testing/tests/tnc/tnccs-20-mutual-eap/test.conf new file mode 100644 index 000000000..55d6e9fd6 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-mutual-eap/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="moon winnetou sun" + +# Corresponding block diagram +# +DIAGRAM="m-w-s.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/description.txt b/testing/tests/tnc/tnccs-20-mutual-pt-tls/description.txt new file mode 100644 index 000000000..09ab8e9f1 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/description.txt @@ -0,0 +1,3 @@ +The hosts <b>moon</b> and <b>sun</b> do mutual TNC measurements using the +PA-TNC, PB-TNC and PT-TLS protocols. The authentication is based on +X.509 certificates. diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/evaltest.dat b/testing/tests/tnc/tnccs-20-mutual-pt-tls/evaltest.dat new file mode 100644 index 000000000..eb996192d --- /dev/null +++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/evaltest.dat @@ -0,0 +1,6 @@ +moon::cat /var/log/auth.log::PT-TLS authentication complete::YES +sun:: cat /var/log/daemon.log::skipping SASL, client already authenticated by TLS certificate::YES +moon::cat /var/log/auth.log::activating mutual PB-TNC half duplex protocol::YES +sun:: cat /var/log/daemon.log::activating mutual PB-TNC half duplex protocol::YES +moon::cat /var/log/auth.log::PB-TNC access recommendation is.*Access Allowed::YES +sun:: cat /var/log/daemon.log::PB-TNC access recommendation is.*Access Allowed::YES diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..98c415edb --- /dev/null +++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/ipsec.conf @@ -0,0 +1,3 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +/* configuration is read from /etc/pts/options */ diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/pts/options b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/pts/options new file mode 100644 index 000000000..79ae1e866 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/pts/options @@ -0,0 +1,8 @@ +--connect sun.strongswan.org +--client moon.strongswan.org +--key /etc/ipsec.d/private/moonKey.pem +--cert /etc/ipsec.d/certs/moonCert.pem +--cert /etc/ipsec.d/cacerts/strongswanCert.pem +--mutual +--quiet +--debug 2 diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..fafdac4aa --- /dev/null +++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/strongswan.conf @@ -0,0 +1,16 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pt-tls-client { + load = x509 openssl pem pkcs1 random nonce revocation curl tnc-tnccs tnc-imc tnc-imv tnccs-20 +} + +libimcv { + plugins { + imc-test { + command = allow + } + imv-test { + rounds = 1 + } + } +} diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/tnc_config b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/tnc_config new file mode 100644 index 000000000..476e8807e --- /dev/null +++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/tnc_config @@ -0,0 +1,4 @@ +#IMC/IMV configuration file for strongSwan endpoint + +IMC "Test" /usr/local/lib/ipsec/imcvs/imc-test.so +IMV "Test" /usr/local/lib/ipsec/imcvs/imv-test.so diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/ipsec.conf new file mode 100644 index 000000000..ba629a24f --- /dev/null +++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/ipsec.conf @@ -0,0 +1,9 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + charondebug="tnc 2, imc 2, imv 2" + +conn pdp + leftcert=sunCert.pem + leftid=sun.strongswan.org + auto=add diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..05ffdb178 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/strongswan.conf @@ -0,0 +1,28 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = x509 openssl pem pkcs1 random nonce curl revocation stroke kernel-netlink socket-default tnc-pdp tnc-tnccs tnc-imc tnc-imv tnccs-20 + + plugins { + tnc-pdp { + server = sun.strongswan.org + radius { + enable = no + } + } + tnccs-20 { + mutual = yes + } + } +} + +libimcv { + plugins { + imc-test { + command = allow + } + imv-test { + rounds = 1 + } + } +} diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/tnc_config b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/tnc_config new file mode 100644 index 000000000..476e8807e --- /dev/null +++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/tnc_config @@ -0,0 +1,4 @@ +#IMC/IMV configuration file for strongSwan endpoint + +IMC "Test" /usr/local/lib/ipsec/imcvs/imc-test.so +IMV "Test" /usr/local/lib/ipsec/imcvs/imv-test.so diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/posttest.dat b/testing/tests/tnc/tnccs-20-mutual-pt-tls/posttest.dat new file mode 100644 index 000000000..e6ccb14fe --- /dev/null +++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/posttest.dat @@ -0,0 +1 @@ +sun::ipsec stop diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/pretest.dat b/testing/tests/tnc/tnccs-20-mutual-pt-tls/pretest.dat new file mode 100644 index 000000000..fab55d11a --- /dev/null +++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/pretest.dat @@ -0,0 +1,4 @@ +sun::ipsec start +moon::cat /etc/pts/options +moon::sleep 1 +moon::ipsec pt-tls-client --optionsfrom /etc/pts/options diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/test.conf b/testing/tests/tnc/tnccs-20-mutual-pt-tls/test.conf new file mode 100644 index 000000000..55d6e9fd6 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="moon winnetou sun" + +# Corresponding block diagram +# +DIAGRAM="m-w-s.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/evaltest.dat b/testing/tests/tnc/tnccs-20-pdp-eap/evaltest.dat index a86fcff61..f744453e6 100644 --- a/testing/tests/tnc/tnccs-20-pdp-eap/evaltest.dat +++ b/testing/tests/tnc/tnccs-20-pdp-eap/evaltest.dat @@ -1,10 +1,10 @@ -dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES +dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES dave:: cat /var/log/daemon.log::PDP server.*aaa.strongswan.org.*is listening on port 271::YES dave:: cat /var/log/daemon.log::collected ... SWID tags::YES dave:: cat /var/log/daemon.log::PB-TNC access recommendation is .*Quarantined::YES dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES -carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES carol::cat /var/log/daemon.log::PDP server.*aaa.strongswan.org.*is listening on port 271::YES carol::cat /var/log/daemon.log::collected ... SWID tag IDs::YES carol::cat /var/log/daemon.log::collected 1 SWID tag::YES |