diff options
| author | Yves-Alexis Perez <corsac@debian.org> | 2016-10-20 16:18:38 +0200 |
|---|---|---|
| committer | Yves-Alexis Perez <corsac@debian.org> | 2016-10-20 16:18:38 +0200 |
| commit | 25663e04c3ab01ef8dc9f906608282319cfea2db (patch) | |
| tree | a0ca5e70f66d74dbe552c996a4f3a285cdfc35e4 /testing/tests | |
| parent | bf372706c469764d59e9f29c39e3ecbebd72b8d2 (diff) | |
| download | vyos-strongswan-25663e04c3ab01ef8dc9f906608282319cfea2db.tar.gz vyos-strongswan-25663e04c3ab01ef8dc9f906608282319cfea2db.zip | |
New upstream version 5.5.1
Diffstat (limited to 'testing/tests')
153 files changed, 1792 insertions, 274 deletions
diff --git a/testing/tests/ikev1/net2net-ntru-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/net2net-ntru-cert/hosts/moon/etc/strongswan.conf index 978b276d6..3925d92a4 100644 --- a/testing/tests/ikev1/net2net-ntru-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev1/net2net-ntru-cert/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl ntru revocation hmac stroke kernel-netlink socket-default updown + load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl mgf1 ntru revocation hmac stroke kernel-netlink socket-default updown multiple_authentication = no send_vendor_id = yes diff --git a/testing/tests/ikev1/net2net-ntru-cert/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/net2net-ntru-cert/hosts/sun/etc/strongswan.conf index c52a325ad..fafe267a6 100644 --- a/testing/tests/ikev1/net2net-ntru-cert/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev1/net2net-ntru-cert/hosts/sun/etc/strongswan.conf @@ -1,7 +1,8 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl ntru revocation hmac stroke kernel-netlink socket-default updown + load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl mgf1 ntru revocation hmac stroke kernel-netlink socket-default updown + multiple_authentication = no send_vendor_id = yes } diff --git a/testing/tests/ikev1/rw-ntru-psk/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-ntru-psk/hosts/carol/etc/strongswan.conf index 079ea723e..e7364f6ea 100644 --- a/testing/tests/ikev1/rw-ntru-psk/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev1/rw-ntru-psk/hosts/carol/etc/strongswan.conf @@ -1,6 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes sha1 sha2 random nonce ntru hmac stroke kernel-netlink socket-default updown + load = random nonce aes sha1 sha2 mgf1 ntru hmac stroke kernel-netlink socket-default updown send_vendor_id = yes } diff --git a/testing/tests/ikev1/rw-ntru-psk/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/rw-ntru-psk/hosts/dave/etc/strongswan.conf index 079ea723e..e7364f6ea 100644 --- a/testing/tests/ikev1/rw-ntru-psk/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev1/rw-ntru-psk/hosts/dave/etc/strongswan.conf @@ -1,6 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes sha1 sha2 random nonce ntru hmac stroke kernel-netlink socket-default updown + load = random nonce aes sha1 sha2 mgf1 ntru hmac stroke kernel-netlink socket-default updown send_vendor_id = yes } diff --git a/testing/tests/ikev1/rw-ntru-psk/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-ntru-psk/hosts/moon/etc/strongswan.conf index 079ea723e..e7364f6ea 100644 --- a/testing/tests/ikev1/rw-ntru-psk/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev1/rw-ntru-psk/hosts/moon/etc/strongswan.conf @@ -1,6 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes sha1 sha2 random nonce ntru hmac stroke kernel-netlink socket-default updown + load = random nonce aes sha1 sha2 mgf1 ntru hmac stroke kernel-netlink socket-default updown send_vendor_id = yes } diff --git a/testing/tests/ikev2/alg-chacha20poly1305/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-chacha20poly1305/hosts/carol/etc/strongswan.conf index 9e655eaa9..278f98ec3 100644 --- a/testing/tests/ikev2/alg-chacha20poly1305/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/alg-chacha20poly1305/hosts/carol/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = chapoly aes des sha1 sha2 md5 pem pkcs1 gmp ntru random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown + load = random nonce chapoly aes sha1 sha2 md5 pem pkcs1 gmp mgf1 ntru x509 curl revocation hmac stroke kernel-netlink socket-default updown send_vendor_id = yes } diff --git a/testing/tests/ikev2/alg-chacha20poly1305/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-chacha20poly1305/hosts/moon/etc/strongswan.conf index 964c520d3..7d030517a 100644 --- a/testing/tests/ikev2/alg-chacha20poly1305/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/alg-chacha20poly1305/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = chapoly aes des sha1 sha2 md5 pem pkcs1 gmp ntru random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown + load = random nonce chapoly aes sha1 sha2 pem pkcs1 gmp mgf1 ntru x509 curl revocation hmac stroke kernel-netlink socket-default updown send_vendor_id = yes } diff --git a/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/ipsec.conf index 3314f7538..d2137d969 100644 --- a/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/ipsec.conf @@ -2,7 +2,6 @@ config setup strictcrlpolicy=yes - cachecrls=yes conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/strongswan.conf index 7014c369e..ea1b90593 100644 --- a/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/strongswan.conf @@ -2,4 +2,6 @@ charon { load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default + + cache_crls = yes } diff --git a/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/ipsec.conf index 3314f7538..d2137d969 100644 --- a/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/ipsec.conf @@ -2,7 +2,6 @@ config setup strictcrlpolicy=yes - cachecrls=yes conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/strongswan.conf index 7014c369e..ea1b90593 100644 --- a/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/strongswan.conf @@ -2,4 +2,6 @@ charon { load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default + + cache_crls = yes } diff --git a/testing/tests/ikev2/default-keys/description.txt b/testing/tests/ikev2/default-keys/description.txt deleted file mode 100644 index 889f8297a..000000000 --- a/testing/tests/ikev2/default-keys/description.txt +++ /dev/null @@ -1,8 +0,0 @@ -Because of the missing <b>/etc/ipsec.secrets</b> file, roadwarrior <b>carol</b> -and gateway <b>moon</b> each automatically generate a PKCS#1 RSA private key -and a self-signed X.509 certificate. Because the virtual testing environment -does not offer enough entropy, the non-blocking /dev/urandom device is used in -place of /dev/random for generating the random primes. -<p> -The self-signed certificates are then distributed to the peers via scp -and are used to set up a road warrior connection initiated by <b>carol</b> diff --git a/testing/tests/ikev2/default-keys/evaltest.dat b/testing/tests/ikev2/default-keys/evaltest.dat deleted file mode 100644 index 43d85d06f..000000000 --- a/testing/tests/ikev2/default-keys/evaltest.dat +++ /dev/null @@ -1,9 +0,0 @@ -carol::cat /var/log/auth.log::scepclient::YES -moon:: cat /var/log/auth.log::scepclient::YES -carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*CN=carol.*CN=moon::YES -moon:: ipsec status 2> /dev/null::carol.*ESTABLISHED.*CN=moon.*CN=carol::YES -carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES -moon:: ipsec status 2> /dev/null::carol.*INSTALLED, TUNNEL::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES -moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES -moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/default-keys/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/default-keys/hosts/carol/etc/strongswan.conf deleted file mode 100644 index 5cfec3e9b..000000000 --- a/testing/tests/ikev2/default-keys/hosts/carol/etc/strongswan.conf +++ /dev/null @@ -1,9 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown -} - -scepclient { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce -} diff --git a/testing/tests/ikev2/default-keys/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/default-keys/hosts/moon/etc/iptables.rules deleted file mode 100644 index 72a1c17c3..000000000 --- a/testing/tests/ikev2/default-keys/hosts/moon/etc/iptables.rules +++ /dev/null @@ -1,30 +0,0 @@ -*filter - -# default policy is DROP --P INPUT DROP --P OUTPUT DROP --P FORWARD DROP - -# allow esp --A INPUT -i eth0 -p 50 -j ACCEPT --A OUTPUT -o eth0 -p 50 -j ACCEPT - -# allow IKE --A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT --A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT - -# allow MobIKE --A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT --A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT - -# allow ssh --A INPUT -p tcp --sport 22 -j ACCEPT --A INPUT -p tcp --dport 22 -j ACCEPT --A OUTPUT -p tcp --sport 22 -j ACCEPT --A OUTPUT -p tcp --dport 22 -j ACCEPT - -# allow crl fetch from winnetou --A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT --A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT - -COMMIT diff --git a/testing/tests/ikev2/default-keys/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/default-keys/hosts/moon/etc/strongswan.conf deleted file mode 100644 index 5cfec3e9b..000000000 --- a/testing/tests/ikev2/default-keys/hosts/moon/etc/strongswan.conf +++ /dev/null @@ -1,9 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown -} - -scepclient { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce -} diff --git a/testing/tests/ikev2/default-keys/posttest.dat b/testing/tests/ikev2/default-keys/posttest.dat deleted file mode 100644 index 25f737ecc..000000000 --- a/testing/tests/ikev2/default-keys/posttest.dat +++ /dev/null @@ -1,8 +0,0 @@ -moon::ipsec stop -carol::ipsec stop -moon::iptables-restore < /etc/iptables.flush -carol::iptables-restore < /etc/iptables.flush -carol::rm /etc/ipsec.d/private/* -carol::rm /etc/ipsec.d/certs/* -moon::rm /etc/ipsec.d/private/* -moon::rm /etc/ipsec.d/certs/* diff --git a/testing/tests/ikev2/default-keys/pretest.dat b/testing/tests/ikev2/default-keys/pretest.dat deleted file mode 100644 index 8ae506253..000000000 --- a/testing/tests/ikev2/default-keys/pretest.dat +++ /dev/null @@ -1,20 +0,0 @@ -moon::iptables-restore < /etc/iptables.rules -carol::iptables-restore < /etc/iptables.rules -carol::rm /etc/ipsec.secrets -carol::rm /etc/ipsec.d/private/* -carol::rm /etc/ipsec.d/certs/* -carol::rm /etc/ipsec.d/cacerts/* -carol::ipsec start -moon::rm /etc/ipsec.secrets -moon::rm /etc/ipsec.d/private/* -moon::rm /etc/ipsec.d/certs/* -moon::rm /etc/ipsec.d/cacerts/* -moon::ipsec start -moon::expect-connection carol -moon::scp /etc/ipsec.d/certs/selfCert.der carol:/etc/ipsec.d/certs/peerCert.der -moon::scp carol:/etc/ipsec.d/certs/selfCert.der /etc/ipsec.d/certs/peerCert.der -moon::ipsec reload -carol::ipsec reload -moon::expect-connection carol -carol::expect-connection home -carol::ipsec up home diff --git a/testing/tests/ikev2/net2net-cert-sha2/evaltest.dat b/testing/tests/ikev2/net2net-cert-sha2/evaltest.dat index 91451e9e6..61adcd2d0 100644 --- a/testing/tests/ikev2/net2net-cert-sha2/evaltest.dat +++ b/testing/tests/ikev2/net2net-cert-sha2/evaltest.dat @@ -1,6 +1,6 @@ -moon:: cat /var/log/daemon.log::authentication of.*sun.strongswan.org.*with RSA_EMSA_PKCS1_SHA512 successful::YES +moon:: cat /var/log/daemon.log::authentication of.*sun.strongswan.org.*with RSA_EMSA_PKCS1_SHA2_512 successful::YES moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES -sun:: cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with RSA_EMSA_PKCS1_SHA384 successful::YES +sun:: cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with RSA_EMSA_PKCS1_SHA2_384 successful::YES sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES diff --git a/testing/tests/ikev2/net2net-multicast/description.txt b/testing/tests/ikev2/net2net-multicast/description.txt new file mode 100644 index 000000000..82874321b --- /dev/null +++ b/testing/tests/ikev2/net2net-multicast/description.txt @@ -0,0 +1,7 @@ +A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up. +Using the <b>forecast</b> plugin additionally all 224.0.0.251 mDNS multicasts are going +to be tunneled. +The authentication is based on <b>X.509 certificates</b>. Upon the successful +establishment of the IPsec tunnel, mDNS multicasts sent by <b>alice</b> are +received by <b>bob</b> and vice versa whereas unfortunately multicasts originating +from the gateways <b>moon</b> and <b>sun</b> themselves are not tunneled. diff --git a/testing/tests/ikev2/net2net-multicast/evaltest.dat b/testing/tests/ikev2/net2net-multicast/evaltest.dat new file mode 100644 index 000000000..7649abc5b --- /dev/null +++ b/testing/tests/ikev2/net2net-multicast/evaltest.dat @@ -0,0 +1,16 @@ +moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES +sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES +sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES +alice::traceroute -p 5353 -w 1 -q 1 -m 1 224.0.0.251::traceroute::YES +bob:: traceroute -p 5353 -w 1 -q 1 -m 1 224.0.0.251::traceroute::YES +moon:: traceroute -p 5353 -w 1 -q 1 -m 1 224.0.0.251::traceroute::YES +sun:: traceroute -p 5353 -w 1 -q 1 -m 1 224.0.0.251::traceroute::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES +alice::tcpdump::IP bob.strongswan.org.*224.0.0.251::YES +alice::tcpdump::IP moon1.strongswan.org.*224.0.0.251::YES +alice::tcpdump::IP sun1.strongswan.org.*224.0.0.251::NO +bob::tcpdump::IP alice.strongswan.org.*224.0.0.251::YES +bob::tcpdump::IP sun1.strongswan.org.*224.0.0.251::YES +bob::tcpdump::IP moon1.strongswan.org.*224.0.0.251::NO diff --git a/testing/tests/ikev2/net2net-multicast/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-multicast/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..47cd53afe --- /dev/null +++ b/testing/tests/ikev2/net2net-multicast/hosts/moon/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + mobike=no + +conn net-net + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16,224.0.0.251/32 + leftfirewall=yes + right=PH_IP_SUN + rightid=@sun.strongswan.org + rightsubnet=10.2.0.0/16,224.0.0.251/32 + mark=%unique + auto=add diff --git a/testing/tests/ikev2/net2net-multicast/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-multicast/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..db2698dbf --- /dev/null +++ b/testing/tests/ikev2/net2net-multicast/hosts/moon/etc/strongswan.conf @@ -0,0 +1,13 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes des sha1 sha2 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default forecast + + multiple_authentication = no + plugins { + forecast { + groups = 224.0.0.251 + interface = eth1 + } + } +} diff --git a/testing/tests/ikev2/net2net-multicast/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-multicast/hosts/sun/etc/ipsec.conf new file mode 100644 index 000000000..65a8ced3d --- /dev/null +++ b/testing/tests/ikev2/net2net-multicast/hosts/sun/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + mobike=no + +conn net-net + left=PH_IP_SUN + leftcert=sunCert.pem + leftid=@sun.strongswan.org + leftsubnet=10.2.0.0/16,224.0.0.251/32 + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16,224.0.0.251/32 + mark=%unique + auto=add diff --git a/testing/tests/ikev2/net2net-multicast/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-multicast/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..db2698dbf --- /dev/null +++ b/testing/tests/ikev2/net2net-multicast/hosts/sun/etc/strongswan.conf @@ -0,0 +1,13 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes des sha1 sha2 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default forecast + + multiple_authentication = no + plugins { + forecast { + groups = 224.0.0.251 + interface = eth1 + } + } +} diff --git a/testing/tests/ikev2/net2net-multicast/posttest.dat b/testing/tests/ikev2/net2net-multicast/posttest.dat new file mode 100644 index 000000000..dff181797 --- /dev/null +++ b/testing/tests/ikev2/net2net-multicast/posttest.dat @@ -0,0 +1,2 @@ +moon::ipsec stop +sun::ipsec stop diff --git a/testing/tests/ikev2/net2net-multicast/pretest.dat b/testing/tests/ikev2/net2net-multicast/pretest.dat new file mode 100644 index 000000000..e777dba06 --- /dev/null +++ b/testing/tests/ikev2/net2net-multicast/pretest.dat @@ -0,0 +1,7 @@ +moon::echo 1 > /proc/sys/net/ipv4/igmp_max_memberships +sun::echo 1 > /proc/sys/net/ipv4/igmp_max_memberships +sun::ipsec start +moon::ipsec start +sun::expect-connection net-net +moon::expect-connection net-net +moon::ipsec up net-net diff --git a/testing/tests/ikev2/net2net-multicast/test.conf b/testing/tests/ikev2/net2net-multicast/test.conf new file mode 100644 index 000000000..48597379a --- /dev/null +++ b/testing/tests/ikev2/net2net-multicast/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="alice sun bob" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" diff --git a/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/moon/etc/strongswan.conf index 577d74e67..867949da4 100644 --- a/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl ntru revocation hmac stroke kernel-netlink socket-default updown + load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl mgf1 ntru revocation hmac stroke kernel-netlink socket-default updown multiple_authentication = no send_vendor_id = yes diff --git a/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/sun/etc/strongswan.conf index 9f1d9c41b..e39c9222e 100644 --- a/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/sun/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl ntru revocation hmac stroke kernel-netlink socket-default updown + load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl mgf1 ntru revocation hmac stroke kernel-netlink socket-default updown multiple_authentication = no send_vendor_id = yes diff --git a/testing/tests/ikev2/net2net-ntru-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-ntru-cert/hosts/moon/etc/strongswan.conf index 978b276d6..3925d92a4 100644 --- a/testing/tests/ikev2/net2net-ntru-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-ntru-cert/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl ntru revocation hmac stroke kernel-netlink socket-default updown + load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl mgf1 ntru revocation hmac stroke kernel-netlink socket-default updown multiple_authentication = no send_vendor_id = yes diff --git a/testing/tests/ikev2/net2net-ntru-cert/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-ntru-cert/hosts/sun/etc/strongswan.conf index c52a325ad..a4cfc6168 100644 --- a/testing/tests/ikev2/net2net-ntru-cert/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-ntru-cert/hosts/sun/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl ntru revocation hmac stroke kernel-netlink socket-default updown + load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl mgf1 ntru revocation hmac stroke kernel-netlink socket-default updown multiple_authentication = no send_vendor_id = yes } diff --git a/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf index 646bcee1a..6a6d39899 100644 --- a/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = test-vectors aes des sha1 sha2 sha3 md5 pem pkcs1 pkcs8 gmp random nonce x509 curl revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown + load = random nonce test-vectors aes des sha1 sha2 sha3 md5 chapoly mgf1 ntru newhope pem pkcs1 pkcs8 gmp x509 curl revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown integrity_test = yes crypto_test { diff --git a/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf index 646bcee1a..6a6d39899 100644 --- a/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = test-vectors aes des sha1 sha2 sha3 md5 pem pkcs1 pkcs8 gmp random nonce x509 curl revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown + load = random nonce test-vectors aes des sha1 sha2 sha3 md5 chapoly mgf1 ntru newhope pem pkcs1 pkcs8 gmp x509 curl revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown integrity_test = yes crypto_test { diff --git a/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf index 646bcee1a..6a6d39899 100644 --- a/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = test-vectors aes des sha1 sha2 sha3 md5 pem pkcs1 pkcs8 gmp random nonce x509 curl revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown + load = random nonce test-vectors aes des sha1 sha2 sha3 md5 chapoly mgf1 ntru newhope pem pkcs1 pkcs8 gmp x509 curl revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown integrity_test = yes crypto_test { diff --git a/testing/tests/ikev2/rw-newhope-bliss/description.txt b/testing/tests/ikev2/rw-newhope-bliss/description.txt new file mode 100644 index 000000000..eb7678496 --- /dev/null +++ b/testing/tests/ikev2/rw-newhope-bliss/description.txt @@ -0,0 +1,15 @@ +The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>. +The IKEv2 key exchange is based on the NewHope lattice-based post-quantum algorithm +with a cryptographical strength of 128 bits. Authentication is based on the BLISS +algorithm with strengths 128 bits (BLISS I), 160 bits (BLISS III) and 192 bits (BLISS IV) for +<b>carol</b>, <b>dave</b> and <b>moon</b>, respectively. +<p> +Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKEv2 configuration payload +by using the <b>leftsourceip=%config</b> parameter. The gateway <b>moon</b> assigns virtual +IP addresses from a simple pool defined by <b>rightsourceip=10.3.0.0/28</b> in a monotonously +increasing order. +<p> +<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass +the tunneled traffic. In order to test the tunnels, <b>carol</b> and <b>dave</b> then ping +the client <b>alice</b> behind the gateway <b>moon</b>. The source IP addresses of the two +pings will be the virtual IPs <b>carol1</b> and <b>dave1</b>, respectively. diff --git a/testing/tests/ikev2/rw-newhope-bliss/evaltest.dat b/testing/tests/ikev2/rw-newhope-bliss/evaltest.dat new file mode 100644 index 000000000..a2df0a3c0 --- /dev/null +++ b/testing/tests/ikev2/rw-newhope-bliss/evaltest.dat @@ -0,0 +1,26 @@ +carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with BLISS_WITH_SHA2_512 successful::YES +carol::ipsec statusall 2> /dev/null::home.*IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/NEWHOPE_128::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES +dave::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with BLISS_WITH_SHA2_512 successful::YES +dave:: ipsec statusall 2> /dev/null::home.*IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/NEWHOPE_128::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES +dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES +moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with BLISS_WITH_SHA2_256 successful::YES +moon:: cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with BLISS_WITH_SHA2_384 successful::YES +moon:: ipsec statusall 2> /dev/null::rw\[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/NEWHOPE_128::YES +moon:: ipsec statusall 2> /dev/null::rw\[2]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/NEWHOPE_128::YES +moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::ESP +moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::ESP +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES +alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES +alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES +alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES +alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES diff --git a/testing/tests/ikev2/default-keys/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-newhope-bliss/hosts/carol/etc/ipsec.conf index 15aba18e5..6f561ab50 100644 --- a/testing/tests/ikev2/default-keys/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-newhope-bliss/hosts/carol/etc/ipsec.conf @@ -1,6 +1,7 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup + strictcrlpolicy=yes conn %default ikelifetime=60m @@ -8,14 +9,18 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev2 + ike=aes256-sha256-newhope128! + esp=aes256-sha256! + authby=pubkey + fragmentation=yes conn home left=PH_IP_CAROL - leftcert=selfCert.der - leftsendcert=never + leftsourceip=%config + leftcert=carolCert.der + leftid=carol@strongswan.org leftfirewall=yes right=PH_IP_MOON rightsubnet=10.1.0.0/16 - rightcert=peerCert.der - rightsendcert=never + rightid=moon.strongswan.org auto=add diff --git a/testing/tests/ikev2/rw-newhope-bliss/hosts/carol/etc/ipsec.d/cacerts/strongswan_blissCert.der b/testing/tests/ikev2/rw-newhope-bliss/hosts/carol/etc/ipsec.d/cacerts/strongswan_blissCert.der Binary files differnew file mode 100644 index 000000000..fdfd39f13 --- /dev/null +++ b/testing/tests/ikev2/rw-newhope-bliss/hosts/carol/etc/ipsec.d/cacerts/strongswan_blissCert.der diff --git a/testing/tests/ikev2/rw-newhope-bliss/hosts/carol/etc/ipsec.d/certs/carolCert.der b/testing/tests/ikev2/rw-newhope-bliss/hosts/carol/etc/ipsec.d/certs/carolCert.der Binary files differnew file mode 100644 index 000000000..8a520c0b4 --- /dev/null +++ b/testing/tests/ikev2/rw-newhope-bliss/hosts/carol/etc/ipsec.d/certs/carolCert.der diff --git a/testing/tests/ikev2/rw-newhope-bliss/hosts/carol/etc/ipsec.d/private/carolKey.der b/testing/tests/ikev2/rw-newhope-bliss/hosts/carol/etc/ipsec.d/private/carolKey.der Binary files differnew file mode 100644 index 000000000..b2831a8ed --- /dev/null +++ b/testing/tests/ikev2/rw-newhope-bliss/hosts/carol/etc/ipsec.d/private/carolKey.der diff --git a/testing/tests/ikev2/rw-newhope-bliss/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-newhope-bliss/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..c2225646d --- /dev/null +++ b/testing/tests/ikev2/rw-newhope-bliss/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: BLISS carolKey.der diff --git a/testing/tests/ikev2/rw-newhope-bliss/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-newhope-bliss/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..1d9f6e235 --- /dev/null +++ b/testing/tests/ikev2/rw-newhope-bliss/hosts/carol/etc/strongswan.conf @@ -0,0 +1,7 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 sha3 chapoly newhope mgf1 bliss x509 revocation pem pkcs1 curl hmac stroke kernel-netlink socket-default updown + send_vendor_id = yes + fragment_size = 1500 +} diff --git a/testing/tests/ikev2/rw-newhope-bliss/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-newhope-bliss/hosts/dave/etc/ipsec.conf new file mode 100644 index 000000000..caf99ddf0 --- /dev/null +++ b/testing/tests/ikev2/rw-newhope-bliss/hosts/dave/etc/ipsec.conf @@ -0,0 +1,26 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + strictcrlpolicy=yes + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + ike=aes256-sha256-newhope128! + esp=aes256-sha256! + authby=pubkey + fragmentation=yes + +conn home + left=PH_IP_DAVE + leftsourceip=%config + leftcert=daveCert.der + leftid=dave@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=moon.strongswan.org + auto=add diff --git a/testing/tests/ikev2/rw-newhope-bliss/hosts/dave/etc/ipsec.d/cacerts/strongswan_blissCert.der b/testing/tests/ikev2/rw-newhope-bliss/hosts/dave/etc/ipsec.d/cacerts/strongswan_blissCert.der Binary files differnew file mode 100644 index 000000000..fdfd39f13 --- /dev/null +++ b/testing/tests/ikev2/rw-newhope-bliss/hosts/dave/etc/ipsec.d/cacerts/strongswan_blissCert.der diff --git a/testing/tests/ikev2/rw-newhope-bliss/hosts/dave/etc/ipsec.d/certs/daveCert.der b/testing/tests/ikev2/rw-newhope-bliss/hosts/dave/etc/ipsec.d/certs/daveCert.der Binary files differnew file mode 100644 index 000000000..75a114339 --- /dev/null +++ b/testing/tests/ikev2/rw-newhope-bliss/hosts/dave/etc/ipsec.d/certs/daveCert.der diff --git a/testing/tests/ikev2/rw-newhope-bliss/hosts/dave/etc/ipsec.d/private/daveKey.der b/testing/tests/ikev2/rw-newhope-bliss/hosts/dave/etc/ipsec.d/private/daveKey.der Binary files differnew file mode 100644 index 000000000..0ec528ddf --- /dev/null +++ b/testing/tests/ikev2/rw-newhope-bliss/hosts/dave/etc/ipsec.d/private/daveKey.der diff --git a/testing/tests/ikev2/rw-newhope-bliss/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-newhope-bliss/hosts/dave/etc/ipsec.secrets new file mode 100644 index 000000000..fe2643204 --- /dev/null +++ b/testing/tests/ikev2/rw-newhope-bliss/hosts/dave/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: BLISS daveKey.der diff --git a/testing/tests/ikev2/rw-newhope-bliss/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-newhope-bliss/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..1d9f6e235 --- /dev/null +++ b/testing/tests/ikev2/rw-newhope-bliss/hosts/dave/etc/strongswan.conf @@ -0,0 +1,7 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 sha3 chapoly newhope mgf1 bliss x509 revocation pem pkcs1 curl hmac stroke kernel-netlink socket-default updown + send_vendor_id = yes + fragment_size = 1500 +} diff --git a/testing/tests/ikev2/default-keys/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-newhope-bliss/hosts/moon/etc/ipsec.conf index 278943d28..0ec0ac826 100644 --- a/testing/tests/ikev2/default-keys/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-newhope-bliss/hosts/moon/etc/ipsec.conf @@ -1,6 +1,7 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup + strictcrlpolicy=yes conn %default ikelifetime=60m @@ -8,14 +9,18 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev2 + ike=aes256-sha256-newhope128! + esp=aes256-sha256! + authby=pubkey + fragmentation=yes -conn carol +conn rw left=PH_IP_MOON - leftcert=selfCert.der - leftsendcert=never leftsubnet=10.1.0.0/16 + leftcert=moonCert.der + leftauth=bliss-sha512 + leftid=moon.strongswan.org leftfirewall=yes right=%any - rightcert=peerCert.der - rightsendcert=never + rightsourceip=10.3.0.0/28 auto=add diff --git a/testing/tests/ikev2/rw-newhope-bliss/hosts/moon/etc/ipsec.d/cacerts/strongswan_blissCert.der b/testing/tests/ikev2/rw-newhope-bliss/hosts/moon/etc/ipsec.d/cacerts/strongswan_blissCert.der Binary files differnew file mode 100644 index 000000000..fdfd39f13 --- /dev/null +++ b/testing/tests/ikev2/rw-newhope-bliss/hosts/moon/etc/ipsec.d/cacerts/strongswan_blissCert.der diff --git a/testing/tests/ikev2/rw-newhope-bliss/hosts/moon/etc/ipsec.d/certs/moonCert.der b/testing/tests/ikev2/rw-newhope-bliss/hosts/moon/etc/ipsec.d/certs/moonCert.der Binary files differnew file mode 100644 index 000000000..d0ea364b0 --- /dev/null +++ b/testing/tests/ikev2/rw-newhope-bliss/hosts/moon/etc/ipsec.d/certs/moonCert.der diff --git a/testing/tests/ikev2/rw-newhope-bliss/hosts/moon/etc/ipsec.d/private/moonKey.der b/testing/tests/ikev2/rw-newhope-bliss/hosts/moon/etc/ipsec.d/private/moonKey.der Binary files differnew file mode 100644 index 000000000..c989f91e5 --- /dev/null +++ b/testing/tests/ikev2/rw-newhope-bliss/hosts/moon/etc/ipsec.d/private/moonKey.der diff --git a/testing/tests/ikev2/rw-newhope-bliss/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-newhope-bliss/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..b4a9ee68d --- /dev/null +++ b/testing/tests/ikev2/rw-newhope-bliss/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: BLISS moonKey.der diff --git a/testing/tests/ikev2/rw-newhope-bliss/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-newhope-bliss/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..1d9f6e235 --- /dev/null +++ b/testing/tests/ikev2/rw-newhope-bliss/hosts/moon/etc/strongswan.conf @@ -0,0 +1,7 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 sha3 chapoly newhope mgf1 bliss x509 revocation pem pkcs1 curl hmac stroke kernel-netlink socket-default updown + send_vendor_id = yes + fragment_size = 1500 +} diff --git a/testing/tests/ikev2/rw-newhope-bliss/posttest.dat b/testing/tests/ikev2/rw-newhope-bliss/posttest.dat new file mode 100644 index 000000000..9ba8c5f55 --- /dev/null +++ b/testing/tests/ikev2/rw-newhope-bliss/posttest.dat @@ -0,0 +1,9 @@ +carol::ipsec stop +dave::ipsec stop +moon::ipsec stop +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush +moon::rm /etc/ipsec.d/cacerts/strongswan_blissCert.der +carol::rm /etc/ipsec.d/cacerts/strongswan_blissCert.der +dave::rm /etc/ipsec.d/cacerts/strongswan_blissCert.der diff --git a/testing/tests/ikev2/rw-newhope-bliss/pretest.dat b/testing/tests/ikev2/rw-newhope-bliss/pretest.dat new file mode 100644 index 000000000..058b3c33d --- /dev/null +++ b/testing/tests/ikev2/rw-newhope-bliss/pretest.dat @@ -0,0 +1,14 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules +moon::rm /etc/ipsec.d/cacerts/strongswanCert.pem +carol::rm /etc/ipsec.d/cacerts/strongswanCert.pem +dave::rm /etc/ipsec.d/cacerts/strongswanCert.pem +moon::ipsec start +carol::ipsec start +dave::ipsec start +moon::expect-connection rw +carol::expect-connection home +carol::ipsec up home +dave::expect-connection home +dave::ipsec up home diff --git a/testing/tests/ikev2/rw-newhope-bliss/test.conf b/testing/tests/ikev2/rw-newhope-bliss/test.conf new file mode 100644 index 000000000..164b07ff9 --- /dev/null +++ b/testing/tests/ikev2/rw-newhope-bliss/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon alice" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/strongswan.conf index c47ca8027..028dd8e23 100644 --- a/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/carol/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes sha1 sha2 sha3 random nonce ntru bliss x509 revocation pem pkcs1 curl hmac stroke kernel-netlink socket-default updown + load = random nonce aes sha1 sha2 sha3 mgf1 ntru bliss x509 revocation pem pkcs1 curl hmac stroke kernel-netlink socket-default updown send_vendor_id = yes fragment_size = 1500 } diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/strongswan.conf index c47ca8027..028dd8e23 100644 --- a/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/dave/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes sha1 sha2 sha3 random nonce ntru bliss x509 revocation pem pkcs1 curl hmac stroke kernel-netlink socket-default updown + load = random nonce aes sha1 sha2 sha3 mgf1 ntru bliss x509 revocation pem pkcs1 curl hmac stroke kernel-netlink socket-default updown send_vendor_id = yes fragment_size = 1500 } diff --git a/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/strongswan.conf index c47ca8027..028dd8e23 100644 --- a/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-ntru-bliss/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes sha1 sha2 sha3 random nonce ntru bliss x509 revocation pem pkcs1 curl hmac stroke kernel-netlink socket-default updown + load = random nonce aes sha1 sha2 sha3 mgf1 ntru bliss x509 revocation pem pkcs1 curl hmac stroke kernel-netlink socket-default updown send_vendor_id = yes fragment_size = 1500 } diff --git a/testing/tests/ikev2/rw-ntru-psk/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-ntru-psk/hosts/carol/etc/strongswan.conf index 079ea723e..e7364f6ea 100644 --- a/testing/tests/ikev2/rw-ntru-psk/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-ntru-psk/hosts/carol/etc/strongswan.conf @@ -1,6 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes sha1 sha2 random nonce ntru hmac stroke kernel-netlink socket-default updown + load = random nonce aes sha1 sha2 mgf1 ntru hmac stroke kernel-netlink socket-default updown send_vendor_id = yes } diff --git a/testing/tests/ikev2/rw-ntru-psk/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-ntru-psk/hosts/dave/etc/strongswan.conf index 079ea723e..e7364f6ea 100644 --- a/testing/tests/ikev2/rw-ntru-psk/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-ntru-psk/hosts/dave/etc/strongswan.conf @@ -1,6 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes sha1 sha2 random nonce ntru hmac stroke kernel-netlink socket-default updown + load = random nonce aes sha1 sha2 mgf1 ntru hmac stroke kernel-netlink socket-default updown send_vendor_id = yes } diff --git a/testing/tests/ikev2/rw-ntru-psk/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-ntru-psk/hosts/moon/etc/strongswan.conf index 079ea723e..e7364f6ea 100644 --- a/testing/tests/ikev2/rw-ntru-psk/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-ntru-psk/hosts/moon/etc/strongswan.conf @@ -1,6 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes sha1 sha2 random nonce ntru hmac stroke kernel-netlink socket-default updown + load = random nonce aes sha1 sha2 mgf1 ntru hmac stroke kernel-netlink socket-default updown send_vendor_id = yes } diff --git a/testing/tests/ikev2/rw-sig-auth/evaltest.dat b/testing/tests/ikev2/rw-sig-auth/evaltest.dat index 5e264c5ab..20849de1a 100644 --- a/testing/tests/ikev2/rw-sig-auth/evaltest.dat +++ b/testing/tests/ikev2/rw-sig-auth/evaltest.dat @@ -1,12 +1,12 @@ carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES -moon ::cat /var/log/daemon.log::authentication of .*carol@strongswan.org.* with RSA_EMSA_PKCS1_SHA384 successful::YES +moon ::cat /var/log/daemon.log::authentication of .*carol@strongswan.org.* with RSA_EMSA_PKCS1_SHA2_384 successful::YES moon ::ipsec status 2> /dev/null::research.*ESTABLISHED.*moon.strongswan.org.*PH_IP_CAROL::YES carol::ipsec status 2> /dev/null::alice.*ESTABLISHED.*PH_IP_CAROL.*moon.strongswan.org::YES moon ::ipsec status 2> /dev/null::research.*INSTALLED, TUNNEL::YES carol::ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::YES carol::ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::NO dave ::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES -moon ::cat /var/log/daemon.log::authentication of .*dave@strongswan.org.* with RSA_EMSA_PKCS1_SHA512 successful::YES +moon ::cat /var/log/daemon.log::authentication of .*dave@strongswan.org.* with RSA_EMSA_PKCS1_SHA2_512 successful::YES moon ::ipsec status 2> /dev/null::accounting.*ESTABLISHED.*moon.strongswan.org.*PH_IP_DAVE::YES dave ::ipsec status 2> /dev/null::alice.*ESTABLISHED.*PH_IP_DAVE.*moon.strongswan.org::YES moon ::ipsec status 2> /dev/null::accounting.*INSTALLED, TUNNEL::YES diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/ipsec.d/certs/carolCert-sha384.pem b/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/ipsec.d/certs/carolCert-sha384.pem index 929f737c8..d786db30b 100644 --- a/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/ipsec.d/certs/carolCert-sha384.pem +++ b/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/ipsec.d/certs/carolCert-sha384.pem @@ -1,25 +1,25 @@ -----BEGIN CERTIFICATE----- -MIIEITCCAwmgAwIBAgIBJTANBgkqhkiG9w0BAQwFADBFMQswCQYDVQQGEwJDSDEZ +MIIEITCCAwmgAwIBAgIBNjANBgkqhkiG9w0BAQwFADBFMQswCQYDVQQGEwJDSDEZ MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS -b290IENBMB4XDTExMTAxNzEyNDc1OVoXDTE2MTAxNTEyNDc1OVowWTELMAkGA1UE +b290IENBMB4XDTE2MTAxODE1NDEwNFoXDTE5MDkwNTE1NDEwNFowWTELMAkGA1UE BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xEDAOBgNVBAsTB1NIQS0z ODQxHTAbBgNVBAMUFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMIIBIjANBgkqhkiG9w0B -AQEFAAOCAQ8AMIIBCgKCAQEAuByYUPGv67XSQHjpfFjhuH/l/sMIQGhsFcO4ebYv -7otSsjbH4gasmAOvEFxoIxkOG9IWFAHP1WyiqG3sOsyyfUg6wHl1FTe4Y3kHWZp0 -DvtT6CWnnxQwKibIhXfB3IPHRTcRG1zGN4J3Vl6IofIRlrl0K3NYUUofn0xMKAoS -hLjwuqq2eviX5NIQDOTnoga2C5Ed58hIc6/YWXzfg9EpB194tcCWmSj7yfq6ruD9 -xAh32ywd10fsi4tt3F/BWzXjySxBlBhvvh6kL/Nqa6OSWaXsvZqXmrYm+hm4LKkO -ZLZYzBqJRpRm1rEhYqMg2u0SSSTXsNFuw+027n7Vt8+DzwIDAQABo4IBBjCCAQIw -CQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFPk6ATSleHErWFAYkCZD -BhDo8X1qMG0GA1UdIwRmMGSAFF2n3XAGUTJ+57Zts7Xl4GDqLk3voUmkRzBFMQsw +AQEFAAOCAQ8AMIIBCgKCAQEA0021rEucwTZnd5pGxpWrXvn6Vkhd8ibwiyQ7ynpk +1Wi+WB0eWqW6ciU3BbA6L8DXUZoo0BzhIlH68X1n+CWiSBS8lBC21QJTAYywdQar +TVzUusbhX5S7c6JQrk9Oj+Tt+X5D0Q91SMfcB/i+G9IpZZz9DiceCIxpBd0HxoPJ +PRANjThQnqot4TYYUm45N05PixAD+K3P8Yik7BTRHPV4JhflPeOd0pTZL2b4sg7O +vZctotdF/riDvDeixMS/OlYxrKqVeP1wafsTE4MwADooRgaWa9zkRTxO4JwNE9M3 +LQ2s8AUq73kHxwJqhvom18lgMD056iZYqN7RKSaE+Zn40QIDAQABo4IBBjCCAQIw +CQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFONu1FifPZHQiluTzIlQ +02i3SSqWMG0GA1UdIwRmMGSAFF2n3XAGUTJ+57Zts7Xl4GDqLk3voUmkRzBFMQsw CQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMS -c3Ryb25nU3dhbiBSb290IENBggEAMB8GA1UdEQQYMBaBFGNhcm9sQHN0cm9uZ3N3 +c3Ryb25nU3dhbiBSb290IENBggEAMB8GA1UdEQQYMBaCFGNhcm9sQHN0cm9uZ3N3 YW4ub3JnMDkGA1UdHwQyMDAwLqAsoCqGKGh0dHA6Ly9jcmwuc3Ryb25nc3dhbi5v -cmcvc3Ryb25nc3dhbi5jcmwwDQYJKoZIhvcNAQEMBQADggEBAHiE/MMyXJXuMuhw -/lu/UwjCHbbJMA9QrBJe++34OwAV0siM98loVLs23vHXk/52QHRIwZgMLO2FF9Pk -4JkFOvTXCgNPZKrUL28UhHsnJe8EZVOuir5o6yTSti+J/tR4M2YoY67JjW/KeTwU -BVBtBVH88gf/xm2mSlIrkHxG3/GWqyEdeY7BOaft1sFTTZ1gKKXQlARtWidho1mf -5Y1lZ//kOuvMjnk+hEWPWESq8lBzLOmQGBk65vaEH3LVZxSQVJbfG2E0dHgPZNgc -hFOS8Oc6L6AfKlWHAT0ZCR5+1YsxxnlsftHzxiA0ayGCgpn2qcN+OPjfzPCtC80N -6oXDLZM= +cmcvc3Ryb25nc3dhbi5jcmwwDQYJKoZIhvcNAQEMBQADggEBAALEERUj19IbP7NL +fyNy+CRVZ9fT20jDjLhQ3yZpmYep2TEAAGIP2I550tc/eIXj4LCJJ3i5a/AdSQjW +09beMwXatszqrE+taY7tELSKGy5Pbnb32HIDPwKXs92Ivxt9FgwUaLrj3AtVUmxk +0bhGMSjkgtrxbeki9394+ISW0EdD9DZSheJSLKa6rykb7akQPU8J2hreVAFdNZnF +RDVpT/OI8ZoH0K12YvthC33fysmKyGNCjDRP/x4UsdrnRpHP7BMjVe1TJQBiu6cm +DWPvj6ZkKqRZ2P67GVZLSu7s3hHKu0O5p3oY0J3YLh6ZrCw53dfG0860vfAV78f3 +DhxaCpo= -----END CERTIFICATE----- diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/ipsec.d/private/carolKey-aes192.pem b/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/ipsec.d/private/carolKey-aes192.pem index 497d957e3..cb9c85a81 100644 --- a/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/ipsec.d/private/carolKey-aes192.pem +++ b/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/ipsec.d/private/carolKey-aes192.pem @@ -1,30 +1,30 @@ -----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED -DEK-Info: AES-192-CBC,0BFCA887A0607C7629452B14E865F782 +DEK-Info: AES-192-CBC,3B3CC0EC06DA44CAF42AF63116EA300A -NG0IHVWcpgMabsPpHUOQeWi5pbAaXeQMkBMAJt2v5UIkB8oKojx4tFt98IKxlkPX -oUNYiw5Ku5Iz61EgO2Lk7NKYB1RPVYSvqnNOtqOdnbU6mb+rZD8dP42wLmVU91SP -VkBGCutAV3jP+lP5WYxTqUJI+MHaWaQxxDABgVYwpOgRdri1hqvcqVU0+BIEgnq0 -PzjOGF34zOyProCo3T8R4Y3QkuFy9KJAKfBRVQVyx2Mmu/3cGB6k+7YiU614WBxM -MlG7gMWx054QrYte5G9RvLCv98katprqbxSFF9Co1aOkLMxdY8vdyEn0I+oUfZuB -bZ8e5cdWEzdkz34rquh7cty+WyMfwboYgndXtnke33k2nltoP4Nhvgehyo3hQcio -4elGTyYTlzzSR+bcAtF2otcPL3idTlcCJQ/8gcydotY3oBI44lUhPbIYONKQYYUX -wYrKdZDHa2zxKRyWLEgbEqfN3S20iITREUu5pTAB4nzNtNf7Af6R81bS5/WsfdDk -VfJJC+ICX2GWxNefUPR+/wMtHLv2lIDzuBFFborF7v5YYHbQpXpjWbpFVaw7/0Gf -d5XuHG3OBMmZL0q0rLbSrOfWISJ2QnPmC9bqp6OgncTMDuMXkmyXTDu1F+oT8gZ2 -IBRL94gPvG5hJYaAIZXxxElbxhzmNb4E1nnYikYJXJDvjOk2+yPVZkVOCBGqP5Mn -p2ieW5ZBBlUtnVcRAalJKxU9l/vPjtQjE1/aeH2Z/B01Rjn65kiVXwyLQxnxBtDA -ed7Rpdc+wcnlleMLkIg8FntXpb7CIxqNx3eC8yaq7kHDCaWHL+6/4bexb/Q7Nzxi -H70ITSHu7L4p1KpLJIyaYHRYG0AKjr+vezK5SjREjZMpH+w805QLz5d0QpJSDTWI -XOkPW/vKvnacvUlPIlQrAS5fxMCQJgQmTGvbKnC+qE1Tbkc4Bz19cZn6Fseq1tPa -i8w2AKno1t+pRfXXrh7p8A0YxEBA0atf1O7gnyg6aMcMHfm3kSxq6xuPhNI4gG9z -v3yLNBd/08GGEtHNa6jG3cvankHpG6VUjFd5jwaHpvLZCh8U4sA7r4soXXag49LC -Y5UkHcjFkcbacBKX39x/AnGUCmP/bq+PLJQ7z35XQ360rqFTlGPISGzLaDiBKFxc -53xtkkgTqcrZq5Tv9xOIT+EhH7Z7ndAtA4hIs4rSc0d6zde206w3hzqzUwooPppj -qEd+FSb/lPnKQ5Q9z8pod28+CxCaxqxFBqfDT6ORlegdlvIWDvw4HS6BVWK9ZVy+ -xODJ4t1hTuTNEZUiyG6DMkhuQ41L39mnHxcSjWicS6BLYql+BAxM+Yp62VC5q3p6 -qIG17JjTSOm4FuyO2R9l2/jXjj4l4adPDtCmpJfI6PXjXdptWBITl1YrgHgeEme5 -H+Ag9HQgqbuP8REc4TwwCoMOV38KLsvlxK2oa1o2dJPF3Tck1rQNVM5mY8TnxSN2 -ozygG/ECyMoCyBDJYELfh1SN4OmX8kbsl4t6YxqydmRy9AqaLOwwSCKIWLH0graF -HwDujb3VkM9nhplw8aNeLZef4M1EpCwVVW+i6h9ADfWClePjJlJ9XTtgZku1TPEA ++1iflM4ExvjvCHQdk8C4nTd3DdND8KXrEHgcfUBlMasBSRca7++2i//FKNbs7wTe +M5X9JsHiL8ySsioCsRC778726Un48IRIrioBj4B3EsZ+vQL/E1JoIUA+Qm5WkjNT +Rd9o5z+C4GreHRWYP8Io4j+kDXPDTz1Ga7EcNFqoQybjwca6Yn8elZQ+ZfntZxTI +jVY37X1p9WmFv5ySkw5NyHzLgRGaPiTPg+MB39gOWzvZoZ6qQbY0lAyi+zJ1Xu+q +m4XeqNxYs0hLjEujTZ5+7StMThoTJUGiA5DbjQb07c1n3G9HytgyTnihEYWVCPq8 +Rb4f2/grVWj4DHGOXC7D5LNvvvrDHZZRIn3DjT73vveAUJcVawXCpx9TBZIvgsP8 +AbLr7PUUUmnngSkCRpmWphJjEEU28ocW9nP9qs7kLCk4FlW9vDXru37KsjiiN+96 +Puzczv6M9SLdvCKVfAYoKRNrmmfHO/HzvDBQfGhixs5B6HqW2RZ4TV1kUuqREhw+ +5ZbjROPbcXw6M0S2WWed81YxyFmM3OKxtFw5m4PUzQgG0uPAO2ttJMWjY8MWGxin +QYBOldvlXNkJOJOMJb1xYJ2OR5idDBvuhac5vJPMVJ53EMsJUviBf95HMZgCT4e9 +bcWbd1t5zV/xEyJRX+OlMjN9ket1/4m6faXTbcuEkhGGFiHTCv/wyPjBEtHQ6Lav +EU8zdtRHU4BA15qOwWvWYDyIya7LQfpcp3CuTwwQoOr47RIya5wz1WJvfrciuJUT +ZUflT88FSkfi401GRwFANArG0pdujuer9eHCzR39kQ1v+9goI7LF+mMElZb2Wugt +ccrX6RxvtBzAQBMaakMWQI048vibWjVGEmXxEVx4rgB/ze7WStVX+36/UE7JVw8P +zp0ygt63t1DgqTwwRGvkq/nvbOw6rgSuX7RWuOFSn2flsgEejJt1dmrg+/Iyb7Dm +/pw4d2+66DqfXDMBrj8+mwTPZolJy71aXv3xOY3rOB6Dj0K6X7WZVEiJMFbBdsJe +xS8OrRausahEno5KSqA7O/EXm4eGWl62OvMtixUV3Gg7Mz+nTsHbU6pzdMpa4QM/ +eLCPfUpyIFCk7heSh/k3fc9qG9L9kAn6qx+FoiZ09R153oRhIqGb5/P+4iXBFLR+ +OlsrSPJvXo/JpJHQh52SQe6mCnwAYIMS7KxF3sDFAFQKPzzXQaaqXUQkOLeO4Rvm +GKeRDpnfZ4RcdVu6gWz0stxnK0W32T0ZZj8RXlVJOJJdcfZ/gfmt4wODkqVCewF6 +/6JFneSz34qUHreHrX0fmQnpOTo1V3t2/iuliFH05q5ZuSRkFekt8qBlHm5bomYR +Xn9DwOUjFvIUoRj9qDO4L4H2wT4FuJjWL6WRzYtk/Z2aZzLcpGN03r8X7EOTbqiC +tAgb0+7HPOSiTQ32DG2mJVjqcCCd1zWGY+IYSbZfFxWsKUqhGa9gAQQpaowoR7nc +7Mqf/Fygjlu3YKPLHu5x179sl+cM+oYqN5ekv/O4Vc0f37jlq9/QN/MNpe724DMy +BOdwY6u3T1srykxtu2w7F6E1Yjf+y0iW6mdHvfzNWoOUFNlQwmqHq1Vw1XOfk8YU -----END RSA PRIVATE KEY----- diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/ipsec.d/certs/daveCert-sha512.pem b/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/ipsec.d/certs/daveCert-sha512.pem index fc769c1c9..9c62f2132 100644 --- a/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/ipsec.d/certs/daveCert-sha512.pem +++ b/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/ipsec.d/certs/daveCert-sha512.pem @@ -1,25 +1,25 @@ -----BEGIN CERTIFICATE----- -MIIEHzCCAwegAwIBAgIBJjANBgkqhkiG9w0BAQ0FADBFMQswCQYDVQQGEwJDSDEZ +MIIEHzCCAwegAwIBAgIBNzANBgkqhkiG9w0BAQ0FADBFMQswCQYDVQQGEwJDSDEZ MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS -b290IENBMB4XDTExMTAxNzEyNTAzMFoXDTE2MTAxNTEyNTAzMFowWDELMAkGA1UE +b290IENBMB4XDTE2MTAxODE1NDIyNFoXDTE5MDkwNTE1NDIyNFowWDELMAkGA1UE BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xEDAOBgNVBAsTB1NIQS01 MTIxHDAaBgNVBAMUE2RhdmVAc3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3DQEB -AQUAA4IBDwAwggEKAoIBAQCs5SBCzV3Is/w7CIzfBXRGv6uXwyDivRXXYsczeSRf -5mw/slRVAEtNbX8rQ8BWLIqiJPCLDek5ODkqKI+hArZVpJqMzZyql2Teosrtnokb -h/yA8EWtEr0jII2RxQ0xb8r25h+DwBosAM15B1rCAMmJOjbEMMBGmAb7y7N0K8nr -Z8RctwrRdCGVcg+f+LFrklF1tBLs0zGIrJsk1eB0XbrB+fEPar9Lmn+/q2QHGPCt -aOlR2ZxRsjqsYJW9yI8r33PVVm2aGmS/19UguEG8FC3owud0boHfP91/NvSIWfhP -iIuDPjJOBPEJ/I6OYjYXXQuOZYwFGau2WrpNDQioPgedAgMBAAGjggEFMIIBATAJ -BgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQU5re6olyWAt1HfN2l92Rb -7DDCnxMwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJ +AQUAA4IBDwAwggEKAoIBAQDOTJOm4HBLbc0fCUHKOSYSAJj+dbWmXo+M+ViblRwU +iTij2wBchH2T3SUuj/OimtxloyVWyfATS7eTjCbqPbduVc2aE1QqwpBzTGnh8hd2 +1IQ2Hg/ruAS1t6XlGbQXbzOmA53tePh7iLMeW1UzIlq/i1isducIKSOusc5/225j +2C3OHbfpIlBzW9NgtDZZqAc6BsI2z6XsaA/U0S+4YYv8mImsSm71aoeesGLV2Fqm +7xQLxzH7eQQS1gg8+iWfPTU6pHL6AYR7HKKCdMiqDUOrP6VEleueinnzh8MbWwa3 +z3iIJ8pGD1jBLJ+Tlt+qKu5ZE0fGX2WCVntkf0IWc7HRAgMBAAGjggEFMIIBATAJ +BgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQU4jVZk42tDoUyFnMs869u +69kHafUwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJ BgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJz -dHJvbmdTd2FuIFJvb3QgQ0GCAQAwHgYDVR0RBBcwFYETZGF2ZUBzdHJvbmdzd2Fu +dHJvbmdTd2FuIFJvb3QgQ0GCAQAwHgYDVR0RBBcwFYITZGF2ZUBzdHJvbmdzd2Fu Lm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3Jn -L3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBDQUAA4IBAQAtRPFMSuEnPmqeC2mF -OE5N26r2p8HfB4FAPwarlg66IIvKvkk1zqn5YfZIXfMU/x5q+85aO31iQmjlAPpo -KXqRq7V0a0ldjXEr+Tz7xG3jno989dBrD3kQZnwXR57xGt1qTVGY7uQdbgXWzVHM -GYS6gjUw7Df9vAQcTfUxUpZc5wlDoiRrFkyPc1raFCZF3//Ig9agjO4r1SzPHYw7 -LrHJR1xkd0IWVTW8Z6xB14j452IiimhyK1zAR3zmh1vH9VuHDLHMhyjSl1R+gk5U -KzDPaqXd4NA7eIQNiAhysYTXfmUYytbFNZw9bamxTxlCmca1snuTIcFM5OYOfxRT -iKMh +L3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBDQUAA4IBAQBvE869kmBTDlTm3LnK +Sj6tGRhE0rN/Ki3zHBTlVzGZvaggt9ZvPFcLypLZkC0BfPu5/z58ig/Z8dC/bITR +g6kr02wgpLlwOTrU2dNQ/ehKOKClG0gkNNlw4cdi5ayRFXVvYhWzZNPGvIY8O8EH +LY2oZ0LXBvttx+rSuFAYiOEXON5/oiiNpGxqGu2mYIeyAAIIcKa4PqvGu7DxEGtN +OKwJ+ez5bg4qpUVGgBYce1SbzShS+eAe87xLRL1QKxcBD0DVFb9c6hrPRIpdxHD3 +AEFEo87lj5npbvP9PExufP9mTl4Ko7mENhEYVo4/2eGsMmyD+FXUWUXr7bWY5Zrg +jSFJ -----END CERTIFICATE----- diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/ipsec.d/private/daveKey-aes256.pem b/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/ipsec.d/private/daveKey-aes256.pem index 3223c1dfc..8fcd41063 100644 --- a/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/ipsec.d/private/daveKey-aes256.pem +++ b/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/ipsec.d/private/daveKey-aes256.pem @@ -1,30 +1,30 @@ -----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED -DEK-Info: AES-256-CBC,8AF4F2ED0B6D096AD675CFDC4F41083B +DEK-Info: AES-256-CBC,5AB0B0B04BC2FBE873B5D35BF5A6082A -2ezZg1fOw6Wcvk2ei1VLqpA1Z5lxroSsibmDu5+UuyJyTtdbPPY0iWxnryVoaXBq -9VK4AD7lkoJOX/CymbzSSOkBL4t9fN6akefTN6rEY6g8zN2q4al3xxIvZv0WgCDg -XxqJ8ZsdZmUoe12RbJ6HvMw9UR2m2XZYvwcD9+hzT8Agsy5JBV5Nkgxc52ZVYoIh -O5E+PI3w1yrXrzIPx9H8nj3VKRGguZCVFtae7ChSSxotoaIQxM6weVkEDUQXtSs9 -CmtXrn/o6uiafzfHx2pPELdsARlnuyvbKATrOr5lwnM4kwUl+bBvoRI7YaUsg/A5 -48gy82PQRZoWH3ofQv1d24sGc6ZctrzRRrCLzDAGDd3fw8bJkV2b/9D1u9O5Df7+ -Vs0fdrRoP8ooa9d131zBy1brDUckTsTIQZ3Sn4FdBI610MX7l5gJ+7vXYqp/rMOt -Rq8LZoKggzeklwYjum77YFdtbv4m4ihI4DUYHY0xWgMDUMQTFLEUgvAeNrPNRRwI -Ep1JmV9I7it6DHrCD9QmVWUoxSgRqodQDV4p3npH8WlrJMlL0ReiOJZ45PWOsmvI -AAjdsKLwqQEfXkckCvtCM7Nuu8pNA7UUm9TqNLFOFR3HWtm0si1IE8iXu3v/o/tx -OzzRl5pxc1tg8TFiFrNT2+6+HcAJOnWboYJRJzkcW2UzVpSZ04BLiXHPfGue1gG7 -uPZ+pp3k4iQrRRC45I1I0MwE2gOpppt/MUmNVPGqvL/Uu4RGzOjPk6Re4mm3GvIs -JOD1Pqsg01OUqKTNqsTPEld8vLwFPlOgXwmPLr5cpC/hGo0YUx3ysJ8Hw3FN20V6 -+nm9xWpPytNqfaY7jaxhMYZPgz81WOuGrlCv48VkoJiWlrTxbaq2t4IzR2SdyXKd -HNu6ryFn0WVw6hVm2aE8Al9mLxmaiMhg6HaonPoQSVoHRCCM8/GoJQRx9I6lonTC -ZY04BuAUT+nmMlEa0vlLI+tbS7gNkSNG/UyUFGRN++vzQE6s2LPfe9FRsdOfnhaO -W2VqbFbiKkPK+pKXjh7ln+NMrXIGxYVtuKWFEUEp9drh5MQCUFNLTn2Jblb6u0kQ -WdBP9Ku+ea9VprmUVnTYhaRZbuMwQFlfx9eImZ1UQPs8MWSUWI0t4RB+9kdN66n2 -+H3aJTpGv4BGNdSohSCbKKe/VttflnkMQHZmSY1iTDQJhZqbMSAuNv/H3DV1ZBWv -pR1MYwG/kXbaKaFRTctPE8tLxTvO8GG9JmOPuMgldYD2wq4zAu4Fr+Ve0jjznQGN -nGDtG7NoUJxJBbcFFPY4pRH3wtLWXlc1WUnPAxen17ZjbYHrvA3WJqTNCdtQ9tan -StaDqbhDTwSS9HDAvdH7tXLk+lQ+xlaeKFDRd/6K3Tngtjwly+kJjTH1bWR9BXyc -rHeDSpexPdMgVccuDTGDloebjZ/lZVKqkyL0f4/gDOtw7/0kjTZZXkkoVeVKqQyW -aHREhiszCHhJzW2c+Uw7mPrd4tfolPsI6mneNtt/6CCf0kl5Nkx1rg7Anzo0YSvK -vHj7ciRZLri/B4fOFhfZvk4Qgjoq2t7cBKnuAcZuN7pNM8DRruDekrHKY2+uHJnU +M9GcjSK3WP68ZJ2KcFTfqU+vcqft81ypCMkRFJzT7RIgx8Z8dKUYUZtJLX7IkoSL +gFbux1Jm7eeQl+Lj73Vkz3JjQDHPz7jeh0MjbPz93IOqwo14NnEiVQylt/cuPgHO +/VkRr/rd24nObyEVMZR2rfQW+fHDn64EoJ44RCkK8M8s0edLzl942SnyZbOTKpNt +2V3G6v40e0TgmgCBQrJIAW69GFQNOndRMCQwtPojkX5QO8yeqz1m8QXhNAoGR8Ei +iJjy3u24dzmkMBSeL+1tlbQoMsR8dcNxroDBxWQerFbhfWq8yLHey5FyTR8mumqv +PFuEA+MJNOwj+WozaeMZcWdCB8UDadtYfNbWRRGOWQaEC/hjySmiegxr/XfGJRhO +QYUze4F2BbA7sY5E0YWMm6ENfbKXkl82sW6K+tFZrEQQXh0zaeeuOJvTxWrCKxMn +4lnIdczwhnegn/O8xRZ4GNHZi2nJrojkIBj2J6quzE0KcmK1cwmv1Gt+QJqa42pD +LL7HXl446oAcC+/8h+euwHubZwAv8fZn09j9lA3YFd/Klw9hRg+M4iesNLc8W80h +FW/W8InQwa/BfA4o0IeMMkewVi4EbSIhPcQkz+rUHgS8bjhvX0/E3jFdzZnatzTF +04pHtxSHRnIp/L/70oGs5yk//Rn+KjYeZxAIHJgf4J7gfYhjQMi9DzD2Dpan7Dlw +N3VtNeHb3wyDhYK9vsNiLdFBHU2oNXrZDtYYUDJWYVuzEk6X9twROnHBPPlea0xJ +2nfpTChtBkv8pSIadvsvkORTz7fKjvco8f6zndMyzKQ8xyAVSifPZQDWGmRREt7m +HTb/XlB9pz/KNQCgNrgz0fN4OLkQKyqYhMMsPCbUja/NnTOvdhMF5aDEmB0whokM +XhRPKFLHMjaqbHzBFXYLmCODkdCrG2wkbLHTtMmOc2zNBFNO7ApeaPqggXcC8Y09 +VpUsda5q6GMUpDVveY+ZHiSSGBYBNPHARX+aryNzY5KEaItjPD9aO9AcZoT55NCC +iSD62CKlOqm2MSy7VbXedyrwlUtFHxg40XAsMO0chPc2OxB0QDeCmaAi+T4RQgZn +O5W5b5DJNO4NbTjJ3ivmcl3QFKgJFZN3S6mUbKmlS/BGRMDSykRUtooI4ULSELMC +r1Z7uTMl3nL4Wf7sjS66iUd4zGjF3BEzFsEtbk278A9jdO6wpFZNdb9hYrISzI0z +1nezvZBFL7hKjHnTRaylr83d4o6qoPG07JmgzIY+UVFr738CTsoh/rq6AM8hWUek +tjst81PFqLKqsV121022epxfQSe8sz5KqzehTBWYo1ZbzlD9B8LkzXXIkVpOBPDY +nFpQYiwu/V12MGVTmAb2CE+F/j37KAbsdF5pi23eAYvp/miz9SqkcsD/Ucyg8AvN +/yfv8EX7sf7tPsknckExorQqVPOZs1XITUx1Zsmv+hOKRMdtyrVi7mn8wWPbP36G +uTL6glQVlGJXf706IcvG3tgKgXnG7DHK+txbhNFIivNd69C4ykoVYhSXpmHj2HBq +fkuAPRwAdSd6xeWDlZ49u9l/Q2Je7JO9r1yZTrC7KDIFbEZkpbWPObYjyyYYB2sq -----END RSA PRIVATE KEY----- diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/ipsec.d/certs/moonCert-sha224.pem b/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/ipsec.d/certs/moonCert-sha224.pem index bda4f528e..20fd0249b 100644 --- a/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/ipsec.d/certs/moonCert-sha224.pem +++ b/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/ipsec.d/certs/moonCert-sha224.pem @@ -1,25 +1,25 @@ -----BEGIN CERTIFICATE----- -MIIENDCCAxygAwIBAgIBJDANBgkqhkiG9w0BAQ4FADBFMQswCQYDVQQGEwJDSDEZ +MIIEHzCCAwegAwIBAgIBNTANBgkqhkiG9w0BAQ4FADBFMQswCQYDVQQGEwJDSDEZ MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS -b290IENBMB4XDTExMTAxNzEyNDUwN1oXDTE2MTAxNTEyNDUwN1owWDELMAkGA1UE +b290IENBMB4XDTE2MTAxODE1MzcxM1oXDTE5MDkwNTE1MzcxM1owWDELMAkGA1UE BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xEDAOBgNVBAsTB1NIQS0y MjQxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3DQEB -AQUAA4IBDwAwggEKAoIBAQDEPYW1tmcbkgNMcnOHXAKHlgL2k7r1+rVWJ/8NF9vI -7MpQ8qomHPV3G00CYSQsCDgBVvK71pasiz+dsYdHAY28ihb2m/lsaSquwsb0Fexj -hJiqaohcLJk0MjTDUdArh6iddvDAYMDkfApM49TaXNxdz0sffV5KOIH0hrQe0wsw -P2p/SHTATNh3ebTLr8Y7dMKecxFrKQswZc+d7gvIftZXRvjsUprc77dDURGByPw3 -N+/23chuDXNNaxMylWQhmiTUne8tIyg0vtur3do5Dq1IqQKqvxSfBjRL6ZJU0/6l -KuhChV0cSVd2H2zzovuke5XzHzUsoESWXWYK9qIEj2HRAgMBAAGjggEaMIIBFjAJ -BgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQUT4FJonJgeZBpFHc8iosc -WWM+mPswbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJ +AQUAA4IBDwAwggEKAoIBAQDpZ9FM1s4VqqweOS24P5dVW4uTVrN4HgK2c70P+umh +u5+pr8cyPn/Kdor7SU9B/GdV6onZumgSUaeNqCSmGzLA77x/nR1xRWtiszWStJUQ +ICszEb8/WkPq68jlsmgIsfpTmABOBPYTvAqh7bZCTSoySG2fKt+E4UAd5S+BH1CH +YruIvrvuNxVMA/z8J+tMFZGqjQ6DopatYgSpccbSX5kuAgXCA9g9cemoPoKjjjLD +w0JBKCErtNKimY9pvf+SaRqoCc0YTIw6ydyna0e+tuPQImFjopZTyelnGHIZ/l62 +lnmrfB+sw2Younp7L9Fh9ki4wBOcXS/g4fQgyjKvLAG/AgMBAAGjggEFMIIBATAJ +BgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQUwdMoB5LJvckJ8GY1vi2f +AiL8s5YwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJ BgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJz dHJvbmdTd2FuIFJvb3QgQ0GCAQAwHgYDVR0RBBcwFYITbW9vbi5zdHJvbmdzd2Fu -Lm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATA5BgNVHR8EMjAwMC6gLKAqhihodHRw -Oi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEB -DgUAA4IBAQA60WN0QwQuFVYg/C156POjKENZP9CGF8NyiC/NUYqgbIrGGTTpwTxs -pW/+YDG1tVtCkqtLGsO0uZRe8Ihs3afNsPMNlCiTCPgrs5erc4ZTv5MB7Ap2lyL5 -NSQ9SggICbQhkHQHP6TINtas9+FrAw10jWIa107DYLLC7Ea77Y5vryL6/ymrpwdL -Vwm9kAkGYvm0lmzw6YfzPskKc3MpWnjBTraPG42Z8oWTEDJnBtS761k60lNwndKC -JdRUxoOOegzsKIIzorRz9xCN2zA2CAeChqHMbBpNCRwl0dQ00ztXReONl97iNgw6 -NrdHsqCiH8Q+I2JCxU230Zl6UFKARLo+ +Lm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3Jn +L3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBDgUAA4IBAQCzWf9dGTbHy8B91uSR +BAR0K/Wi/j2AqqhDxIH7/PHh78ww9Zb1bBeCt5iFnpqGdTe17vmbga8QGK3W7NHm +hFYUJhXGyxT3uclUzsePLXKqDnoG9tbZMLoJLzle3j4uJ4PjWN0Wsu+76/QZudOt +zoJUZRyMvDfBByLOLqbdR7KOm0hNPsjCkzEfj2ql+IDQdNhulatpThqTRxZcYDP8 +bxpDIOaJQPGwpQFKIkZ34kZBPjUVY6Ad/mvoTna/ydWrPCGjfqcn/n14vxFS0nyh +FRtEpelFVKTX/JDXs/IZ0Bsn+lWar4lgUEs2PlmS5sMS8EZVOgiazT+rdVNWHrQh +cS9u -----END CERTIFICATE----- diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/ipsec.d/private/moonKey-aes128.pem b/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/ipsec.d/private/moonKey-aes128.pem index 90631fb98..7b8a3631b 100644 --- a/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/ipsec.d/private/moonKey-aes128.pem +++ b/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/ipsec.d/private/moonKey-aes128.pem @@ -1,30 +1,30 @@ -----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED -DEK-Info: AES-128-CBC,3EEEC63B86A4F0864B610F29D446AB99 +DEK-Info: AES-128-CBC,BA475B267FC48360A09763ED2A15E817 -aUw9rzSBLmvzVlWlCePyRXs2LL10A2QGVjB9jiarsjVLd5k1uVPrLVb6lcTVuGR6 -9pC9sA7+F9Ub1V6oe/n5f1UiHiLeaqdYShfVan7N1z0Kvoaqg1qaVNmbGuZH81Mv -VH/kvfKbig6Gxyn2wxhxoQ84r5uVyzzrfQlrqcwQze43NuRaxh6Eov/vpel8yB4/ -HNSEyItiDenT6tDO4Exw4H91GYWPbutaTmcsbaDSQS54LMcZZA/NVu0Y/uiJ6lxJ -5qQ8xejBC07nc/g+GJgFRxetd56FdiTXR4ADVUiSgOrUaUu2t9NIMig9VBNYWsmv -wlKI1NB/Jt111AhbF+wdw9M0Yqe3O4V0N+jTxTzff+0gky61T5CxbhCMosD/Ohzy -IhRjeuL2gFvCENd2kn0U/1POe9anPJEo7mYfA8oYpxb/jl8KxIxssxLKGDE5qF8n -+J8jGDFbLkiwm/pDeFSWc1LZqKfZsSsBMhffC4NR/hhCi3eY3HnMpnyngzpWpwwY -eZnElVXFYro3qEuJbLRUkD/7rrLgU+LMoetdB5I8oaEvKucRo7dulLNXUFCt6tbK -AXLWn+pTCuLpjtAXxWjF6Hyr7ssLEcLjixDwdb66Ypqm3YncjFemsRFncVQe0R0b -3LY0FH4+GFFXAOywrMP1rQ+2mhl+BH079bu+BhP3bjusJwqBhlz8j4cnbv/STWGl -B9XnMXYx1NVOMFF23zMm9ftkPa6PvkZ3TcGJX2S849pxPTPrA0oFLfIPqyYLqZ42 -+a2jmMdr7lPtcT4ENshpWZ1L8O25Bl10yll+Upx4T7yDrSD/9P+yv/MyIlGiV1x4 -N1oaaVdTLU+ZZbpjVUmD/eSprGye8FzblEhSkY990m5kupWxiPmHzLCKHRYBOnBS -rNdyiz7pTXAQQLZBP4/RLDlYuIyXmbmn61PSdF7u6K/daUf+voKHHGi5m5NUhnS7 -zkUx+ZrHUoWhybOeMoQT0lsx0BsD+NiuqUbthkTFXyLD2dhvWcyAtsOW2yLMATa3 -09HPwdjI2ntJx4Msz1jqBY8XicXd+NHS5yx1jvg0POnygX4sU9xF0J3hfk/Phwfd -Cc7I+jWi+1yPwKi85PHEs0F6SW2kxOx9rmdwXi4EC7Lii3d8LtCR4jEKswzLNwRn -uceH3+vUv6UZC7EA9cdcmh6RWe3HvTrHNyPoYHng35jT5aZ1lhYx4bg67TJg7I6y -j2OyP48YhbKvpF2S8uUGdhCZSYJHLqh3yDI1DrzABMZ/9s0xpSfQtzhQYVz5svHk -Hv93VcbqrYf2Cx0OlxuZG4EEObyYdSqFnqMQBEf/L53oDe9jJKVaXt9IA2XHtyBD -SAjQeDUUKlzfD+CctjX407qpF2Z22xblGVKzYL1V1oXdN4E8GXq6VWQ8SSwQF/2H -wQYubDOJ6xxP1PdW+ws2eXhe5g49cSW4PgIpvmxyUEEnKro16RQL4M3Hv5VJYic3 -CRxugrdJWLSrHGnoz/0W5QUTzMX4L2RNf+xeE3eKU74qj2lWEWZgtZLW1waiTqXE -MBvvFYWh/qMOprpTlXWG5vTag1XLj55uutz1KAVXQRg6AbMKpLXi7wTlZ2nUpUbj +jRBH0cHh7XWdhRMqOIoOrQUcQV/petFZ4n8xOlZyKhzN8tLCSDEujKpJ/Bw+mE+X +kXR2rIV3KAywXe3zWkA7s5jiJBKZ5BeTCYyk5veMf9GlRdKbh/BmaHelDRb/yvsv +GVlS9jT92vde96aMhbJM5AI4cjlu4GxFz5pCtkdg2hLLntSDQIl4fa++Cu2ToN1O +6wFbvYrKRB8eLUMXEfU/qfXnjL66QAnPA1vW0ys0DWBQKULjJXYzZJPBS/K/3tzS +HkB+ZhlLmg+aeggxxm3axPa8xF4VkmIfICsOgNcs7nUyGcC+9bY3DWpYtlvYo8ss +xOEAMGygf+DH4KcGfET+21Lzi8vX9Zz8dG2qhulojZ+IwHZAJ2sLcxGo2bJCimAD +0sOA4d+ikplEIUJlzNK765y5CYq93s0vgT7E9RiP1rbV2hn46uPZmTxEH904Hobs +h4aUg7jdiMVHX3/oFYnk0uKjVc4s/QukuvQ2Bd6DTi3UiSv59bZOfKyElQyFwSHP +C/eIn2lZJrYZBhIZT7BaoQ0ohnXiF7LNeyYj7OW7HeMbKmoIyYBvXFN7F0yk+A4d +LDa82N+OJax6t+mDMtfx0bH86mOsvHG5O4Vu3AcJIMTsQgyq+7RVJCt3MJXNshbk +TnkrMrWPFZgPuvZPi1l0+CcUXUqVCQlRkyBccDobG2NFWZEW3isirZX4/cPaKXgD +UwtGZ0/26vxCJHnf6eD2/2xwckKbsL85lFd0M1U0EijL+/4ScJIf/LS8G9wvma5L +cB80m32axufatrhmkQmMXijpgLmyr0IAvdhQgmD3AA99H7BbFueUh6oggjHw2kVK +0QFgW/s+eP9M1/jOlkndALEWzxuuisZ24UFUHLmIGkLwRh955rgtfb4ILlvNhAfG +2YTn9q9eTURwKJDWFk8SDfQiIqDpqC6iSF5A5PAlC9MOO9Xf+kGsj2+wZ5MeERO5 +DTpQOMbM8mKbswmbDwLbT4D1sOCJEPzpYgpN0s+UQvbcM8DVe06z8x/4g1sDVM0C +JRqB4Oz4Nbn/BuqKeNYwwP59y5VNez0Plneny3SRQE0mA711n8uiF8X403U33+6Y +In3B53FPVWjCS6u06YRe99ZXsZ/PsoV0pL9wTqt1Q4m4Kqm5eRQe/Mj4+jmyKbqz +4S4H2YulRHxC/75vqQr3Ffsdk80pwX4Guwpsd3RwuxJ0rPYh3qm1fMIJ1TW7pOX2 +n1RuPu1/N23u6FfVn8oiXny2FbultJLb9X10EQMIIPyqO0Uch7W8pAa1yH7egLUz +wJaxcfmBfVGHnrftSZd49WNaD7WcivZbkZgGWPFT6I8b4wGN3Qh6UornqiPptLSJ +vDYGjPjxA0/sXx/8uLG9On4wrg4RpqUVr7drkJ7PkSGf3q3rVCdaV5HYRdb/Mepz +k+coJ4HOzR+BSN/tm7XgYZfCLPYBHuDmTsHY5a3GjJcKwY+S75sygYR0uG+5W6ai +bdwz3pr/aPB8GEKO+ARLYlowesn57FJRtNg+q5he+iamYC/EK7Oh4bs9H/rQGDsL +9VCrbN3UtqXp8CUUEEtNxBCrIVHr4Fv+/GHHk5vrCWEhVjg16Ww/Pz1UDIILXyef -----END RSA PRIVATE KEY----- diff --git a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/strongswan.conf b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/strongswan.conf index 8d328f00b..8acfbbffa 100644 --- a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/strongswan.conf +++ b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = pem pkcs1 pkcs8 random nonce x509 revocation openssl soup stroke kernel-libipsec kernel-netlink socket-default updown + load = pem pkcs1 pkcs8 random nonce x509 revocation openssl curl stroke kernel-libipsec kernel-netlink socket-default updown initiator_only = yes diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/strongswan.conf b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/strongswan.conf index 8d328f00b..8acfbbffa 100644 --- a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/strongswan.conf +++ b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = pem pkcs1 pkcs8 random nonce x509 revocation openssl soup stroke kernel-libipsec kernel-netlink socket-default updown + load = pem pkcs1 pkcs8 random nonce x509 revocation openssl curl stroke kernel-libipsec kernel-netlink socket-default updown initiator_only = yes diff --git a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/strongswan.conf b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/strongswan.conf index 0f4c68fdb..5f39be37e 100644 --- a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/strongswan.conf +++ b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = pem pkcs1 pkcs8 random nonce x509 revocation openssl soup stroke kernel-libipsec kernel-netlink socket-default updown + load = pem pkcs1 pkcs8 random nonce x509 revocation openssl curl stroke kernel-libipsec kernel-netlink socket-default updown plugins { openssl { diff --git a/testing/tests/swanctl/crl-to-cache/description.txt b/testing/tests/swanctl/crl-to-cache/description.txt new file mode 100644 index 000000000..0e6f1cbd6 --- /dev/null +++ b/testing/tests/swanctl/crl-to-cache/description.txt @@ -0,0 +1,8 @@ +By setting <b>cache_crls = yes</b> in <b>/etc/strongswan.conf</b>, a copy of +both the <b>base CRL</b> and the latest <b>delta CRL</b> fetched via http from +the web server <b>winnetou</b> is saved locally in the directory +<b>/etc/swanctl/x509crl</b> on both the roadwarrior <b>carol</b> and the +gateway <b>moon</b> when the IPsec connection is set up. +The <b>subjectKeyIdentifier</b> of the issuing CA plus the suffixes +<b>.crl</b> and <b>_delta.crl</b> are used as unique filename for the +cached <b>base CRL</b> and <b>delta CRL</b>, respectively. diff --git a/testing/tests/swanctl/crl-to-cache/evaltest.dat b/testing/tests/swanctl/crl-to-cache/evaltest.dat new file mode 100644 index 000000000..fa61f19fb --- /dev/null +++ b/testing/tests/swanctl/crl-to-cache/evaltest.dat @@ -0,0 +1,8 @@ +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org::NO +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org::NO +moon:: cat /var/log/daemon.log::written crl .*/etc/swanctl/x509crl/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl::YES +moon:: cat /var/log/daemon.log::written crl .*/etc/swanctl/x509crl/5da7dd700651327ee7b66db3b5e5e060ea2e4def_delta.crl::YES +carol::cat /var/log/daemon.log::written crl .*/etc/swanctl/x509crl/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl::YES +carol::cat /var/log/daemon.log::written crl .*/etc/swanctl/x509crl/5da7dd700651327ee7b66db3b5e5e060ea2e4def_delta.crl::YES +carol::cat /var/log/daemon.log::certificate was revoked::YES +carol::cat /var/log/daemon.log::no trusted RSA public key found for.*moon.strongswan.org::YES diff --git a/testing/tests/swanctl/crl-to-cache/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/crl-to-cache/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..61ff4005b --- /dev/null +++ b/testing/tests/swanctl/crl-to-cache/hosts/carol/etc/strongswan.conf @@ -0,0 +1,16 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kernel-netlink socket-default vici + + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } + + cache_crls = yes +} diff --git a/testing/tests/swanctl/crl-to-cache/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/crl-to-cache/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..e84508d19 --- /dev/null +++ b/testing/tests/swanctl/crl-to-cache/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,23 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = carolCert.pem + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + } + } + version = 2 + } +} diff --git a/testing/tests/swanctl/crl-to-cache/hosts/carol/etc/swanctl/x509/carolCert.pem b/testing/tests/swanctl/crl-to-cache/hosts/carol/etc/swanctl/x509/carolCert.pem new file mode 100644 index 000000000..60c368794 --- /dev/null +++ b/testing/tests/swanctl/crl-to-cache/hosts/carol/etc/swanctl/x509/carolCert.pem @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDoDCCAoigAwIBAgIBMDANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTE0MDgyNzE1MDUzNloXDTE5MDgyNjE1MDUzNlowWjELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh +cmNoMR0wGwYDVQQDDBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBALfz1DcXyt/sOALi1IZ/RcuPa5m+4fiSST2wVWWr +lw3hUjeiwLfgoLrtKaGX4i+At82Zol2mdbEXFpO+9qxXliP2u0fexqP4mBuZus3E +LA82EOL0lQ2ahAi8O3qafkDMBSgvoeJpEwNe00Ugh53g7hT7dw8tSgcPGqQkWutI +IKT9T6e/HbHNjRtYlw9ZlHsp8gSYjg/Q6vV6ofttueMUD9NRv8w2Y76rnRRmUGf3 +GlNFFmgxZntCJRuYltnxV7VcCFoppyauYt/fPmjAxbPRuhHKacnzIzq83Ixf5fSj +MTlluGCfWFX/NGENXamBqChkRLHmuCHNexxRp9s2F1S10hECAwEAAaOBhTCBgjAf +BgNVHSMEGDAWgBRdp91wBlEyfue2bbO15eBg6i5N7zAfBgNVHREEGDAWgRRjYXJv +bEBzdHJvbmdzd2FuLm9yZzA+BgNVHR8ENzA1MDOgMaAvhi1odHRwOi8vY3JsLnN0 +cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW5fYmFzZS5jcmwwDQYJKoZIhvcNAQELBQAD +ggEBABxfR7BK9IlDFdycldmYVfL2W2U/2b5tEZx/n943wEhc+AM+J1bba3yTeo61 +6AOEhO7QeaNnsAY9ZIRHfH827Lk1dWjub88ze/rS7qmozStF23Rzs4BimeiMQ6xI +f1hJA1OiNXja2/lLijprevBY824Cd2iEq8LdU+9PIstsYKoLaSD/Ohilk4PGHIqX +unhdasBKogtvS/PxKWSq+qdEFgHjM70uaf1Tx6QnPS9sqo/qxAQqxKOLstRmXRd6 +ojkTNWRO1miG1rOQkMcc4L2nbsb8nYFrUFLw7PjeJ1ugPL6R+tVjp32OWqCwvWtP +SGaAJ/regpHs89VLbTKz1ybcqhw= +-----END CERTIFICATE----- diff --git a/testing/tests/swanctl/crl-to-cache/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/crl-to-cache/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..61ff4005b --- /dev/null +++ b/testing/tests/swanctl/crl-to-cache/hosts/moon/etc/strongswan.conf @@ -0,0 +1,16 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kernel-netlink socket-default vici + + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } + + cache_crls = yes +} diff --git a/testing/tests/swanctl/crl-to-cache/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/crl-to-cache/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..47dd36684 --- /dev/null +++ b/testing/tests/swanctl/crl-to-cache/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,21 @@ +connections { + + rw { + local_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + } + children { + net { + local_ts = 10.1.0.0/16 + } + } + version = 2 + } +} diff --git a/testing/tests/swanctl/crl-to-cache/hosts/moon/etc/swanctl/x509/moonCert.pem b/testing/tests/swanctl/crl-to-cache/hosts/moon/etc/swanctl/x509/moonCert.pem new file mode 100644 index 000000000..ce570cef7 --- /dev/null +++ b/testing/tests/swanctl/crl-to-cache/hosts/moon/etc/swanctl/x509/moonCert.pem @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDoDCCAoigAwIBAgIBKzANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTE0MDgyNzE0NDQ1NloXDTE5MDgyNjE0NDQ1NlowRjELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHDAaBgNVBAMTE21vb24u +c3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCk +fAX6xRdB0f5bBjN08zOmO7CEYa8eCyYFqHUhCw+x10v2BnKB6vOlMzW+9DiRtG68 +TdJlYt/24oRuJBX0gAGvzsv0kC9rnoQcgCJQy4bxaLNVsgoiFCVlzxLaYjABbQlz +oSaegm/2PoX+1UP37rG8wlvAcuLSHsFQ720FUs/LvZh4Y0FjoKhvgKs64U4nIAJ7 +MnuL29n5fM5+dem7uovQOBg/+faZo8QkYSK9MW6eQkP+YnwN5zItNBxyGwKPbXXw +Ey5/aqNWfhRY8IEG6HJgrnCwBMHUA14C2UV+Af7Cy4eNnC1Mmu7TmUYcFncXaFn0 +87ryFUdshlmPpIHxfjufAgMBAAGjgZkwgZYwHwYDVR0jBBgwFoAUXafdcAZRMn7n +tm2zteXgYOouTe8wHgYDVR0RBBcwFYITbW9vbi5zdHJvbmdzd2FuLm9yZzATBgNV +HSUEDDAKBggrBgEFBQcDATA+BgNVHR8ENzA1MDOgMaAvhi1odHRwOi8vY3JsLnN0 +cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW5fYmFzZS5jcmwwDQYJKoZIhvcNAQELBQAD +ggEBAD7YFpbQoRC0nte5t/hpoaxiOwE4Wm+rKexOt8zbYhUc0Yrw6a89LELdqoa8 +vuSAxeHAUY4VmeWLOy7rSf/wURmjdMGO2su3Db+ZaOcrA8J5Oqxv3IAhdBcO4PUz +e0Lu2+f8RyKhKUQGpkSJBIlHhv0APN6TBX0R8cvvZ5XnFKj+GNd7fT4RN5Qjp+9H +f8kZboA3/Rg2+JcWOWgNu9sjqevoqjSJiDV8s3n5QO1VRZi32DAgSMAWWorDdKtd +uMPizLDy7W1nSQGf/vhXDkE95g689Md04dul6vAerCdsf389ckjthCIUqAPoLWn7 +XZnkIiV5xba29D9dTq0QElCzU+M= +-----END CERTIFICATE----- diff --git a/testing/tests/swanctl/crl-to-cache/posttest.dat b/testing/tests/swanctl/crl-to-cache/posttest.dat new file mode 100644 index 000000000..210685a90 --- /dev/null +++ b/testing/tests/swanctl/crl-to-cache/posttest.dat @@ -0,0 +1,4 @@ +carol::service charon stop 2> /dev/null +moon::service charon stop 2> /dev/null +moon::rm /etc/swanctl/x509crl/* +carol::rm /etc/swanctl/x509crl/* diff --git a/testing/tests/swanctl/crl-to-cache/pretest.dat b/testing/tests/swanctl/crl-to-cache/pretest.dat new file mode 100644 index 000000000..8f72f9cc7 --- /dev/null +++ b/testing/tests/swanctl/crl-to-cache/pretest.dat @@ -0,0 +1,5 @@ +moon::service charon start 2> /dev/null +carol::service charon start 2> /dev/null +moon::expect-connection rw +carol::expect-connection home +carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/ikev2/default-keys/test.conf b/testing/tests/swanctl/crl-to-cache/test.conf index ce84ce41a..fdda0a04c 100644 --- a/testing/tests/ikev2/default-keys/test.conf +++ b/testing/tests/swanctl/crl-to-cache/test.conf @@ -5,17 +5,20 @@ # All guest instances that are required for this test # -VIRTHOSTS="alice moon carol" +VIRTHOSTS="moon carol winnetou" # Corresponding block diagram # -DIAGRAM="a-m-c.png" +DIAGRAM="m-c-w.png" # Guest instances on which tcpdump is to be started # -TCPDUMPHOSTS="moon" +TCPDUMPHOSTS="" # Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol" + +# charon controlled by swanctl +SWANCTL=1 diff --git a/testing/tests/swanctl/manual-prio/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/manual-prio/hosts/moon/etc/swanctl/swanctl.conf index 53883f79d..5fefdcdd2 100755 --- a/testing/tests/swanctl/manual-prio/hosts/moon/etc/swanctl/swanctl.conf +++ b/testing/tests/swanctl/manual-prio/hosts/moon/etc/swanctl/swanctl.conf @@ -16,7 +16,8 @@ connections { local_ts = 10.1.0.0/16 priority = 2 interface = eth0 - + policies_fwd_out = yes + esp_proposals = aes128gcm128-modp3072 } } @@ -32,15 +33,15 @@ connections { local_ts = 0.0.0.0/0 remote_ts = 0.0.0.0/0 interface = eth0 - priority = 4 + priority = 4 - mode = drop + mode = drop start_action = trap } pass-ssh-in { local_ts = 0.0.0.0/0[tcp/ssh] remote_ts = 0.0.0.0/0[tcp] - priority = 1 + priority = 1 mode = pass start_action = trap @@ -61,6 +62,6 @@ connections { mode = pass start_action = trap } - } + } } } diff --git a/testing/tests/swanctl/net2net-multicast/description.txt b/testing/tests/swanctl/net2net-multicast/description.txt new file mode 100644 index 000000000..82874321b --- /dev/null +++ b/testing/tests/swanctl/net2net-multicast/description.txt @@ -0,0 +1,7 @@ +A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up. +Using the <b>forecast</b> plugin additionally all 224.0.0.251 mDNS multicasts are going +to be tunneled. +The authentication is based on <b>X.509 certificates</b>. Upon the successful +establishment of the IPsec tunnel, mDNS multicasts sent by <b>alice</b> are +received by <b>bob</b> and vice versa whereas unfortunately multicasts originating +from the gateways <b>moon</b> and <b>sun</b> themselves are not tunneled. diff --git a/testing/tests/swanctl/net2net-multicast/evaltest.dat b/testing/tests/swanctl/net2net-multicast/evaltest.dat new file mode 100644 index 000000000..e29f312ef --- /dev/null +++ b/testing/tests/swanctl/net2net-multicast/evaltest.dat @@ -0,0 +1,14 @@ +alice::traceroute -p 5353 -w 1 -q 1 -m 1 224.0.0.251::traceroute::YES +bob:: traceroute -p 5353 -w 1 -q 1 -m 1 224.0.0.251::traceroute::YES +moon:: traceroute -p 5353 -w 1 -q 1 -m 1 224.0.0.251::traceroute::YES +sun:: traceroute -p 5353 -w 1 -q 1 -m 1 224.0.0.251::traceroute::YES +moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16 224.0.0.251/32] remote-ts=\[10.2.0.0/16 224.0.0.251/32]::YES +sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16 224.0.0.251/32] remote-ts=\[10.1.0.0/16 224.0.0.251/32]::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES +alice::tcpdump::IP bob.strongswan.org.*224.0.0.251::YES +alice::tcpdump::IP moon1.strongswan.org.*224.0.0.251::YES +alice::tcpdump::IP sun1.strongswan.org.*224.0.0.251::NO +bob::tcpdump::IP alice.strongswan.org.*224.0.0.251::YES +bob::tcpdump::IP sun1.strongswan.org.*224.0.0.251::YES +bob::tcpdump::IP moon1.strongswan.org.*224.0.0.251::NO diff --git a/testing/tests/swanctl/net2net-multicast/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/net2net-multicast/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..bbd60d849 --- /dev/null +++ b/testing/tests/swanctl/net2net-multicast/hosts/moon/etc/strongswan.conf @@ -0,0 +1,22 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kernel-netlink socket-default forecast vici + + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } + + multiple_authentication = no + plugins { + forecast { + groups = 224.0.0.251 + interface = eth1 + } + } +} diff --git a/testing/tests/swanctl/net2net-multicast/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/net2net-multicast/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..89d616c35 --- /dev/null +++ b/testing/tests/swanctl/net2net-multicast/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,35 @@ +connections { + + gw-gw { + local_addrs = 192.168.0.1 + remote_addrs = 192.168.0.2 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + id = sun.strongswan.org + } + children { + net-net { + local_ts = 10.1.0.0/16,224.0.0.251/32 + remote_ts = 10.2.0.0/16,224.0.0.251/32 + mark_in = %unique + mark_out = %unique + + updown = /usr/local/libexec/ipsec/_updown iptables + rekey_time = 5400 + rekey_bytes = 500000000 + rekey_packets = 1000000 + esp_proposals = aes128gcm128-modp3072 + } + } + version = 2 + mobike = no + reauth_time = 10800 + proposals = aes128-sha256-modp3072 + } +} diff --git a/testing/tests/swanctl/net2net-multicast/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/net2net-multicast/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..48c4b8375 --- /dev/null +++ b/testing/tests/swanctl/net2net-multicast/hosts/sun/etc/strongswan.conf @@ -0,0 +1,18 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kernel-netlink socket-default forecast vici + + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } + + multiple_authentication = no + plugins { + forecast { + groups = 224.0.0.251 + interface = eth1 + } + } +} diff --git a/testing/tests/swanctl/net2net-multicast/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/swanctl/net2net-multicast/hosts/sun/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..68ba24a8b --- /dev/null +++ b/testing/tests/swanctl/net2net-multicast/hosts/sun/etc/swanctl/swanctl.conf @@ -0,0 +1,35 @@ +connections { + + gw-gw { + local_addrs = 192.168.0.2 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = sunCert.pem + id = sun.strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + net-net { + local_ts = 10.2.0.0/16,224.0.0.251/32 + remote_ts = 10.1.0.0/16,224.0.0.251/32 + mark_in = %unique + mark_out = %unique + + updown = /usr/local/libexec/ipsec/_updown iptables + rekey_time = 5400 + rekey_bytes = 500000000 + rekey_packets = 1000000 + esp_proposals = aes128gcm128-modp3072 + } + } + version = 2 + mobike = no + reauth_time = 10800 + proposals = aes128-sha256-modp3072 + } +} diff --git a/testing/tests/swanctl/net2net-multicast/posttest.dat b/testing/tests/swanctl/net2net-multicast/posttest.dat new file mode 100644 index 000000000..ba484f90d --- /dev/null +++ b/testing/tests/swanctl/net2net-multicast/posttest.dat @@ -0,0 +1,3 @@ +moon::swanctl --terminate --ike gw-gw 2> /dev/null +moon::service charon stop 2> /dev/null +sun::service charon stop 2> /dev/null diff --git a/testing/tests/swanctl/net2net-multicast/pretest.dat b/testing/tests/swanctl/net2net-multicast/pretest.dat new file mode 100644 index 000000000..5b8d98879 --- /dev/null +++ b/testing/tests/swanctl/net2net-multicast/pretest.dat @@ -0,0 +1,7 @@ +moon::echo 1 > /proc/sys/net/ipv4/igmp_max_memberships +sun::echo 1 > /proc/sys/net/ipv4/igmp_max_memberships +moon::service charon start 2> /dev/null +sun::service charon start 2> /dev/null +moon::expect-connection gw-gw +sun::expect-connection gw-gw +moon::swanctl --initiate --child net-net 2> /dev/null diff --git a/testing/tests/swanctl/net2net-multicast/test.conf b/testing/tests/swanctl/net2net-multicast/test.conf new file mode 100644 index 000000000..579978772 --- /dev/null +++ b/testing/tests/swanctl/net2net-multicast/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="alice sun bob" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/swanctl/net2net-sha3-rsa-cert/description.txt b/testing/tests/swanctl/net2net-sha3-rsa-cert/description.txt new file mode 100755 index 000000000..2db82a941 --- /dev/null +++ b/testing/tests/swanctl/net2net-sha3-rsa-cert/description.txt @@ -0,0 +1,8 @@ +A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up. +The authentication is based on <b>X.509 certificates</b> with signatures consisting of +<b>RSA-encrypted SHA-3 hashes</b>. +<p/> +Upon the successful establishment of the IPsec tunnel, the updown script automatically +inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b> +pings client <b>bob</b> located behind gateway <b>sun</b>. diff --git a/testing/tests/swanctl/net2net-sha3-rsa-cert/evaltest.dat b/testing/tests/swanctl/net2net-sha3-rsa-cert/evaltest.dat new file mode 100755 index 000000000..1d9bd6434 --- /dev/null +++ b/testing/tests/swanctl/net2net-sha3-rsa-cert/evaltest.dat @@ -0,0 +1,5 @@ +moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES +sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/moon/etc/strongswan.conf new file mode 100755 index 000000000..5b67bf37e --- /dev/null +++ b/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/moon/etc/strongswan.conf @@ -0,0 +1,14 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon { + load = random nonce sha1 sha2 sha3 aes hmac pem pkcs1 x509 revocation constraints pubkey gmp curl kernel-netlink socket-default updown vici + + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } +} diff --git a/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/rsa/moonKey.pem b/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/rsa/moonKey.pem new file mode 100644 index 000000000..f24b3ebf3 --- /dev/null +++ b/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/rsa/moonKey.pem @@ -0,0 +1,39 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIG4wIBAAKCAYEAnD3x6bsLjwUP9BU0+hDSo28XBn1aM8+UO5n5XnnuQ8CDB+Mq +pEHgNve71FBD8Gqf2dha5rfRx5HhXbw6BZMCTdUs5oxHsaOl5LGwp8W4G1BSxofV +T7yzfnmW/+lPER2zJnXbOlVfW8UoEbsAfXpCr/edJvBu10kk1VHjrnMJIDGlNc4N +Re06DcYSb/7AgRN6umPQr+uRzn5jFXJyROjx00gH89GzZIaNciyiYwaCZFBduByt +UhaL8RKMA+MxWrB1ICQgE7hITZXvJJg2UuEe+t3lXMSfKoZHyU2sTBtctXan6rf/ +XmC0O3Bf7RTwoFmDvJlApgfpL1QIe8gH1hi/NukTYskm+zWYPkJAzcwCyMmyhZFY +v0r0pybLWI1hZ8xeTr7MSbtImsvxl8mxwG7wRtWS5BKd0kke/gorCEI8AYZj33NA +G58iX4+z745z4UNNTDg1bnjB2fTw4c0AD7TOIU76ZskhGKj4J7ZMzeQ5YXLMFRmp +qn0p9obSqXwg62dXAgMBAAECggGAHb2g3efv5FKHXePniK5JGjkcPe0AjZo20j2V +/UjidN0hVBAG3ut3PZ9cjqaUuB/ju7j2XLKi6QU4y/n3ZXY9Wwl4GY6cWxEWk/jK +8rStPe3FQ+s5TItT84A7oQ0NMunfXzPR/kGf/D0ESpO5HSl3pj1RGcdsoehXbY+/ +8kYNd6Zbl2lYl3X3tgV9Hvp0NF2739z+LW5++7qNK9j0LW/WEGzGrr+9ESaXqCMc +6hKkIWo23MQArf6Ctunb4yWNEIFEDi1r9DzMbZN/lVhDx77Q0KYLH1P31R5rOc1G +NYXPF4F3CSfUsgd48dB2/1FCTnDJ4PmOU/R1L8jAgnSOroTAYDVzY4DJ7vyKGvIE +DL7eKlbwOfS5swyANUKgHO6QiHt9WzcNUGpeinTa3wJ4KoAdG+lzDMuiwRFdSRRU +z7t1ptTf2LuCAtva2daP2SPed+ITg2QB6X4BSQkqR0vPYBQIZAtFjMWH78E2PLrD +01+LpOj8TBRerd834etDODg4ddiRAoHBAMiYg7hWfChw3SdnmAmkhDAZN80pvsUU +bzzAiQ5EI59JYMoi/amYyLd6hUK4Z8g4gcdXzBYw9iwJuj8LMpPBZlplAxVnFdId +23I+GNDmcX2ovOpl6skKy1grNhBigxRUQUGsS9oxrYeuy2VymDzeZPCQmrrhsXk/ +Mac237nncJj2n8I5RtDOoSOFD0+grs7MXs4P+W2HHzWgkN7mBgKeFfUPLI3Kyy3p +F7tXegtJqIJsXlfZ/fzR40QTy7/VbwAW/wKBwQDHZVDYtYe4YoHKdwtAqs/J08QA +29fGkM4ZawLNTY4jz9rdtOuBWg0FPAo82x21xlbRQLsaTKzy9O6a3cQ5oaKtKCh/ +XmKCssrnzJsYZYnhkP4f4VXK8nai/9LFo8TWhB8hNy62GGmfXffsqhAIqIqZA02F +/mOfR6Wrqs7yfzYnJnVsjbR1B2zSiNAYKtk1VtQdGjuagSn/dEyhSCaQRXotXUKX +SJDzPf/H2mj97Cg+3bCtdE/h//N1/cmV/5QEx6kCgcEAh1ua7oW1bBiUsuVNi5wu +8sHhjJiRuS0LzsPg9/Z0zyRVorCv2IRXVK/hQl9q8Ilo0VnmRkctphO+UJI+w8Nq +TK8CwKt55vnsvY83cac+h9uX9tdk8dpN0qX96lp/NvWPv0ADQy3oebkyWLdWESTE +miwJrPdkqXtCByKZHzoUGbO5o/bAWWBFDdHYvhOgQb1Yb9YJqqXWInrBpxcykQuZ +p25g0yE3rzgtomXp3boLck6r7r4TjEkZATQWddERAM+DAoHAEW4w6BDOYXbzA6Du +ceO8sFb7vlt5fFkyOxSYtRu/fi/wYQssvy0BEGEUQAejjD1fX4F6Ga10PPTeWtli +CuuvTdXB3IiCsgwxIpxHPpW5vOcw39aR6mDRsCQO58oOLfZ0xjGNustdiFntj1m6 +dxdMrl2UjE8VpFneCKiw2I/4SunYv/mPOd/BSpI9Jq+wNzJ07mpZpYL/Cd6/yCWH +gXshWA/b/1+PlEPqNS1JmlDnn78/b5pIVWhLfxgFZEBoTxapAoHAY/58nLcWpvpY +3IZC0fBuR7usTACbxr9Z4okHzJUNnoJe+MSE+wQwuE3nP+vc1CrmBSwCjN2wyVLc +gy3idN77NthU9l0oElrPbGFKdFEaa85IcKtnfnspzmvo9AJn2wveZUAlZAzu2zBN +vKI8ubXgoS56uHQnNsWOIugTW/P1I8FnlD4jPItaACGJ3yZWolh9g/WOGS29qJvV +E/6hT4QPPXPZFEnOKO0/3YsMXBwcnEqm2mQ+c4rGMKrTcynk4KaE +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..9034651e7 --- /dev/null +++ b/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,33 @@ +connections { + + gw-gw { + local_addrs = 192.168.0.1 + remote_addrs = 192.168.0.2 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + id = sun.strongswan.org + } + children { + net-net { + local_ts = 10.1.0.0/16 + remote_ts = 10.2.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + rekey_time = 5400 + rekey_bytes = 500000000 + rekey_packets = 1000000 + esp_proposals = aes128gcm128-modp3072 + } + } + version = 2 + mobike = no + reauth_time = 10800 + proposals = aes128-sha256-modp3072 + } +} diff --git a/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/x509/moonCert.pem b/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/x509/moonCert.pem new file mode 100644 index 000000000..bea7e81f8 --- /dev/null +++ b/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/x509/moonCert.pem @@ -0,0 +1,28 @@ +-----BEGIN CERTIFICATE----- +MIIEyDCCAzCgAwIBAgIBAjANBglghkgBZQMEAw4FADBXMQswCQYDVQQGEwJDSDEb +MBkGA1UEChMSc3Ryb25nU3dhbiBQcm9qZWN0MQ4wDAYDVQQLEwVTSEEtMzEbMBkG +A1UEAxMSc3Ryb25nU3dhbiBSb290IENBMB4XDTE2MDkyMjEwMzU0N1oXDTI2MDky +MjEwMzU0N1owWDELMAkGA1UEBhMCQ0gxGzAZBgNVBAoTEnN0cm9uZ1N3YW4gUHJv +amVjdDEOMAwGA1UECxMFU0hBLTMxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dhbi5v +cmcwggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQCcPfHpuwuPBQ/0FTT6 +ENKjbxcGfVozz5Q7mfleee5DwIMH4yqkQeA297vUUEPwap/Z2Frmt9HHkeFdvDoF +kwJN1SzmjEexo6XksbCnxbgbUFLGh9VPvLN+eZb/6U8RHbMmdds6VV9bxSgRuwB9 +ekKv950m8G7XSSTVUeOucwkgMaU1zg1F7ToNxhJv/sCBE3q6Y9Cv65HOfmMVcnJE +6PHTSAfz0bNkho1yLKJjBoJkUF24HK1SFovxEowD4zFasHUgJCATuEhNle8kmDZS +4R763eVcxJ8qhkfJTaxMG1y1dqfqt/9eYLQ7cF/tFPCgWYO8mUCmB+kvVAh7yAfW +GL826RNiySb7NZg+QkDNzALIybKFkVi/SvSnJstYjWFnzF5OvsxJu0iay/GXybHA +bvBG1ZLkEp3SSR7+CisIQjwBhmPfc0AbnyJfj7PvjnPhQ01MODVueMHZ9PDhzQAP +tM4hTvpmySEYqPgntkzN5DlhcswVGamqfSn2htKpfCDrZ1cCAwEAAaOBnTCBmjAf +BgNVHSMEGDAWgBTkyc2M8ohtHacu1155MaVmVTXOAjAeBgNVHREEFzAVghNtb29u +LnN0cm9uZ3N3YW4ub3JnMBMGA1UdJQQMMAoGCCsGAQUFBwMBMEIGA1UdHwQ7MDkw +N6A1oDOGMWh0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbi1zaGEz +LXJzYS5jcmwwDQYJYIZIAWUDBAMOBQADggGBAAHZATrdzGmUIq+0+EdA1AbPdcaT +UDKJvDS30JyOkUnAv5jr63PHyfw+RS92zgE2UyB4+u43BiggBNmTNCjpaEUmViAo +tdywkzIKm7q3dr0078IZ8LU8Wo+hoeRNkBJOxdgflsSislQYDeTd7syoQ4BW7whs +jjFK2Lbthd+/33Iw3LMekYuZF7ZUbHY7D3nlBidrmTIQQCvOnsW2lJi/S83FEYzl +noK+of3eo4Ryg1/428FHts26PxSmnHv+ckj9R4Jf5kH8kd1WhrgDyHQMnihWlUJ2 +pintDBgislbZytqiBOGeYpbpxKl57zHs421wmUs329asu7zgfJFnCynkUgvuRXdc +gDJ+DAiVaXCJlYnk36P87028SR9/C0JLzHA3O5CcfUdFEUs0BvVe1D3b9kC28rdA +5V86DFCL+gp6rB+wDtq6YnCddaNk+ZCs/QAPidqOFAytaBBKaagMIFk+wlsFge79 +ZssIfKy33Frluw0HCj0LNs2tjWvG4Ku8xkFO1Q== +-----END CERTIFICATE----- diff --git a/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem b/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem new file mode 100644 index 000000000..29ad5b942 --- /dev/null +++ b/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem @@ -0,0 +1,26 @@ +-----BEGIN CERTIFICATE----- +MIIEazCCAtOgAwIBAgIBADANBglghkgBZQMEAw4FADBXMQswCQYDVQQGEwJDSDEb +MBkGA1UEChMSc3Ryb25nU3dhbiBQcm9qZWN0MQ4wDAYDVQQLEwVTSEEtMzEbMBkG +A1UEAxMSc3Ryb25nU3dhbiBSb290IENBMB4XDTE2MDkyMjA5NDA1NVoXDTMxMDky +MjA5NDA1NVowVzELMAkGA1UEBhMCQ0gxGzAZBgNVBAoTEnN0cm9uZ1N3YW4gUHJv +amVjdDEOMAwGA1UECxMFU0hBLTMxGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBD +QTCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAJpHGoOCJSiZoJhPXHqF +XWvrY8zyGwlUCiwphOobq4nhqo2EchTuKdPvCckxtXp/pF5IJsXpptbMmNUmgN7K +VMI/zmI9estFUZg8hn5LSMAbnm102W3xLzM6FRJWMcwe2gajg/NCww02mPsohONC +R4nNMUgYOZdesPDmtYUKk3sr5ZNdpBL6hESBMzFYmYLBzaoeseuzra7U850tF9JU +YfpJStBXNDz8iVPCqOkgKf1hFrPNNxtmsBW68V2ARmYNzqnaP3nLs/U43zZQiT6t +b+zcAE1h6RGgVXjF1b1KG64J153n0YELrC2TpaF2JAGQVvzQgxoZbgiWCKt0m7wx +Qb7P3euy8MxsMGmqHDMtztrg6AAzRKoJN56qHqdP2qExc32uu/BwfmbFv7MLxKQw +g0VykfWBSNyx/2HMDHw79idgFpzHr2nj4CDqB6QLWtRMCWtlT8R7rlz5JlcsJY1U +7Rlwokje9Ctj/5gToXctnLbo+j2506GLtbhxNOaH1s7GswIDAQABo0IwQDAPBgNV +HRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQU5MnNjPKIbR2n +LtdeeTGlZlU1zgIwDQYJYIZIAWUDBAMOBQADggGBAF+Q4zABKa1ZWohHqsTgru6v +4ru0Pnfbmg3vhlc5ur93Sd0C+fX+e+78n+0QpUNa0N9Vw54r/aF4ki0ceL4Dl4w0 +aXcDa2ozl/hksSeKwIp14W/NHTAjzP2aNpN5/dqd1DM+vojJhlcArepuVVH+NIKt +YYUXwvsjJN9OAAKkMCbnda8gOnKMGJkVIUOTz2DOyzqd5iQ3h3zxzluP4KIya5/k +FZV0wXy8v7phLGgbPJ5DtGuTCjao7+nF6lLkJ+/l3vPC1luB4/UbMGML4GxVwVIM +riCepPT1I9CNuHy2qKpsEmCv8zb5pxXrxv0uIYn8MZx7VCnLuD61AOqIExTYvxv2 +Z3JbOuOsgHJeMKJbhY8r8HkktNLOeLrOW2KSilNpE915EFN0exGMC3zG4IgzRc9u +kGGDVV9BsTkAYjQrWBuuWqxy8TCRPNpe6hnVJIQLLjE9M1V/PW3MD5ObndgT8jA3 +sMMwCxo+S11MZIcKCgnCCcGhgTLT7rFpC0hwRa6dkA== +-----END CERTIFICATE----- diff --git a/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/sun/etc/strongswan.conf new file mode 100755 index 000000000..5b67bf37e --- /dev/null +++ b/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/sun/etc/strongswan.conf @@ -0,0 +1,14 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon { + load = random nonce sha1 sha2 sha3 aes hmac pem pkcs1 x509 revocation constraints pubkey gmp curl kernel-netlink socket-default updown vici + + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } +} diff --git a/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/rsa/sunKey.pem b/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/rsa/sunKey.pem new file mode 100644 index 000000000..a694bbb8f --- /dev/null +++ b/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/rsa/sunKey.pem @@ -0,0 +1,39 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIG4wIBAAKCAYEAuoGEVV6htuzLZd7oeZHYznMbBLffOz2l+t0XqHTUA44eM57K +ZZMDAcc0gZvZWVFNDmOWpXpxbSQozA8Dgb9b9BYkNWHKW11rwSHq5mzmjBME394p +DvzdV3tMmSGrhS00EyFWXLnpqrvkNTtiIm6nNHidrqM4ixbXiebOjDi3Z1vIJHOu +MiUBe8KvZ7p8q4MpRADpEB565NWd+5/Yy4DECepBcmQn+9Pn/6FvdYfodBin9QyO ++7xsgQlnx6XI1HeiMdB6EE8r4AOVbZWseEJkUo/ZhsQk5tIYKZB18vo/8nnAHn6r +ez+belmo4l/3hctRn8t08Lp7TRxnIUwGL8b8BxtAkR9T09duwE1KRt4h/PsCRx1H +WKN9g/KsOi8ZPrBiz+hoHhIv+pvQ4ciEuC1Zf6AelEUnI/Rh6RuIkEjuisNk6zL6 +Fi9J2RWDTXY5vJdUTbmQhoQpbmX3yWdJyLn9vLaK/IDhaguYOuiUHKY57jWXZwW/ +bD3a5wi08JLCb0ahAgMBAAECggGALeWxq1Cee2XKqEcy7rf1otiwzXhydyG0twex +ysL1aeqPhCSPqm+DTey3/y1bT5+yVtgrOo3nW/SKFa2cL1HoTykjv/9QzSswWVb/ +d7VVByOnD3CcqhOQZPby4rxmeV+mcQ7DMg6OcnXKs07p149jloYYR+HjCFeWs1kZ +e2h5ufXcSxwswipZMxu2DtDV3V9pyFJxCIZ3t9jaCBJOR8ZoeAguEviS3mZHsaEI +zOOlUOzAaI2uokS8bwThhUBHLAJEe5hglKtu5N1QGUo5x62wIK1+4McKqX5cphvW +63N5P7yB30hfc1xM9VP/fi5UzmgccNmHl3ErJX6EbHbVNUv0a/wI6cp+s/DQRZMc +Injr5BJIIFbzmqYST+UxEwtxUL7uV1s/eTXwsFxfQPJnx8rWbeyvGJHU6VykWJ2n +vHmOItgaw4Lm0iw5XH2g0QC7nYFW6qC5sk7LIS3xUzN73JWjV2Z1E5nLfKxZ9sXz +aA8WNrMSHUM/KkFaUri1xoH6gdABAoHBAPfA/gcZaoMemP06BIWKwgb/91GRsvc+ +slrmyZy+nq2bQaJw8oYyUmgWfh9X8pD6eVQN7jJBuA3BMg3L4Vn/R65rcwwYKA20 +pHgZF2MbwRlbBDtFQJe8kmwFu+TkHpGcoo94V6MdpbqoRKwQs66WOcjp4vzRLOL0 +ueynDrAPxpOaNIsr66s7xjd01VwEXYlfOfNBpOF/+3vN+O++k45/rnlEWgLeq6ie +1xkv9vZp4FuNf6gnBXcNhu8aDJvJEMfxnQKBwQDAtqgE9K7Rhq9ht8w8P+QZUGYL +c8mL4IGsPgmucuuheeWpmvLuAhsTxWBQhrO8/eEK4je+li6R/x0HYqgytsnOxlQH +xH8ZsvouPtacUF9pv8x7GLnGlvdxdQzmnjYqR5MzFEX/L8+8skiyY95V/kNiWE/T +X/Q8JgqyQ7VlykHtaToYchEhgY2m2Zxw6YhrI/ghtlP6NwOJDYsFxe7cfVvBQj9K +qtwAidr8pKSLyJFaot+dAdSqAYZxiO90aSt/i9UCgcEAjzv7YR1Xj+CjsFrXfGFB +VYysbnMelYSg1p7w1nb6BAJrir9j5yO2ssi2N+a/rQOyG19GY7XM897K0mEZss88 +oOEsDUT1+x6Bq5FODRVhqQgOxTl/Y3o46MzT2TvtVF/LN8jqWbptMyHPOe8aAoiF +dduKSIGiQsAbsW7PtggY1QLk98T3pfKT4UHhjCZV8XKlbTZ5XYmBWg01q11xr4Ov +2hojM9+KPJ1AXCZ3z/RcKnH+6LdOmIqwhRF5UqOG2SGdAoHAEA+pFTCnWUMWXtiI +pwTUJ9/xgUbXJ1dAt3A8MlPVm5GjOG13jaqTQySSEGQJmti15shPyQyPOQ/ABZuN +VRyy2Q7idftEdIncG/qUvFZefVvE2QWIhiqS2NvehWHuNbvdYsZvxwLfF2TsdiGo +qBYW251smbtHibPJ9G18Ms2WjQjWFK99CgPYIG3GggqUmglXZsfhW9s16jg8u/Bx +JeM0wHia+cgfqdPTcnbuV9ARfTJR3K4IYVrbL58wBc22GF05AoHAQvhfvtieWCJ8 +ATqOBjOcUHJ2WLiOslWsYOoqXy7v2YuVt8XFWAWZmLlzcC+8Tv79lCLpOmpiseQw +kP9Mihi+8T15AmRUUsPREeGb7wCDNbd/KixPimhnelNGPNAV+6DPonSa4WcF9jZk +nDa51PBPWCEPB5GHdbg/E5yiWMbr63bcTQNZxlRDaljNSRPp8xprs+JT1AIZI2wq +hEyK6IMjYIj80jB8JZIM7nNgRhzCKCo7RdR3JMb5tduOgzvEheC3 +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..2b9ddcf72 --- /dev/null +++ b/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/swanctl.conf @@ -0,0 +1,33 @@ +connections { + + gw-gw { + local_addrs = 192.168.0.2 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = sunCert.pem + id = sun.strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + net-net { + local_ts = 10.2.0.0/16 + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + rekey_time = 5400 + rekey_bytes = 500000000 + rekey_packets = 1000000 + esp_proposals = aes128gcm128-modp3072 + } + } + version = 2 + mobike = no + reauth_time = 10800 + proposals = aes128-sha256-modp3072 + } +} diff --git a/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/x509/sunCert.pem b/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/x509/sunCert.pem new file mode 100644 index 000000000..f1c086ee9 --- /dev/null +++ b/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/x509/sunCert.pem @@ -0,0 +1,28 @@ +-----BEGIN CERTIFICATE----- +MIIExjCCAy6gAwIBAgIBATANBglghkgBZQMEAw4FADBXMQswCQYDVQQGEwJDSDEb +MBkGA1UEChMSc3Ryb25nU3dhbiBQcm9qZWN0MQ4wDAYDVQQLEwVTSEEtMzEbMBkG +A1UEAxMSc3Ryb25nU3dhbiBSb290IENBMB4XDTE2MDkyMjEwMzUzMFoXDTI2MDky +MjEwMzUzMFowVzELMAkGA1UEBhMCQ0gxGzAZBgNVBAoTEnN0cm9uZ1N3YW4gUHJv +amVjdDEOMAwGA1UECxMFU0hBLTMxGzAZBgNVBAMTEnN1bi5zdHJvbmdzd2FuLm9y +ZzCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBALqBhFVeobbsy2Xe6HmR +2M5zGwS33zs9pfrdF6h01AOOHjOeymWTAwHHNIGb2VlRTQ5jlqV6cW0kKMwPA4G/ +W/QWJDVhyltda8Eh6uZs5owTBN/eKQ783Vd7TJkhq4UtNBMhVly56aq75DU7YiJu +pzR4na6jOIsW14nmzow4t2dbyCRzrjIlAXvCr2e6fKuDKUQA6RAeeuTVnfuf2MuA +xAnqQXJkJ/vT5/+hb3WH6HQYp/UMjvu8bIEJZ8elyNR3ojHQehBPK+ADlW2VrHhC +ZFKP2YbEJObSGCmQdfL6P/J5wB5+q3s/m3pZqOJf94XLUZ/LdPC6e00cZyFMBi/G +/AcbQJEfU9PXbsBNSkbeIfz7AkcdR1ijfYPyrDovGT6wYs/oaB4SL/qb0OHIhLgt +WX+gHpRFJyP0YekbiJBI7orDZOsy+hYvSdkVg012ObyXVE25kIaEKW5l98lnSci5 +/by2ivyA4WoLmDrolBymOe41l2cFv2w92ucItPCSwm9GoQIDAQABo4GcMIGZMB8G +A1UdIwQYMBaAFOTJzYzyiG0dpy7XXnkxpWZVNc4CMB0GA1UdEQQWMBSCEnN1bi5z +dHJvbmdzd2FuLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATBCBgNVHR8EOzA5MDeg +NaAzhjFodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW4tc2hhMy1y +c2EuY3JsMA0GCWCGSAFlAwQDDgUAA4IBgQACXiUqwisoOZUH3CPfi+aGaluK3mO7 +nj/gX5X9oE2JC3haWjbnC9fsKai72U8makp12xCpWjHsuiytVlXiiSCRxBGAaFm0 +cy2AI4Ttj+4+GAaI4BkqYBTApdSSXXUH3X4Lwb4LReX+16TsJ4E+d2U/j70gyGRK +F/KgkKj/Bi4F//4/uXHPbgp2istKmkQ4wlcUb5EdM0tUiAUwYGMhdUhSryq4+7y8 +1QaPGg0Zv3nvGgoj332BOczflmNzoonXcihZk97iMRc/TvBOoizvuH9COCSbw/AB +hnVG1lyTQjBAcE2U4MP5yUVuIqBgPnKtbyN3gf30Iq3g/ThVekchrYGO3PWMWAzS +ecfr2yN11BC6nDca039Yub41AuzQqBQR1gY5sHouXNTx4Bs0g4xk+3rGa8MMgI0+ +jXhDVAorQFYuACDuto6skRtkcmXJ/1psvVEv5dcKAHdZCNKkgtXe2XoVvrjNxnPw +MTVros8o+8Bz2R4qArLjwrZtvYI+czZx6dk= +-----END CERTIFICATE----- diff --git a/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/x509ca/strongswanCert.pem b/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/x509ca/strongswanCert.pem new file mode 100644 index 000000000..29ad5b942 --- /dev/null +++ b/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/x509ca/strongswanCert.pem @@ -0,0 +1,26 @@ +-----BEGIN CERTIFICATE----- +MIIEazCCAtOgAwIBAgIBADANBglghkgBZQMEAw4FADBXMQswCQYDVQQGEwJDSDEb +MBkGA1UEChMSc3Ryb25nU3dhbiBQcm9qZWN0MQ4wDAYDVQQLEwVTSEEtMzEbMBkG +A1UEAxMSc3Ryb25nU3dhbiBSb290IENBMB4XDTE2MDkyMjA5NDA1NVoXDTMxMDky +MjA5NDA1NVowVzELMAkGA1UEBhMCQ0gxGzAZBgNVBAoTEnN0cm9uZ1N3YW4gUHJv +amVjdDEOMAwGA1UECxMFU0hBLTMxGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBD +QTCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAJpHGoOCJSiZoJhPXHqF +XWvrY8zyGwlUCiwphOobq4nhqo2EchTuKdPvCckxtXp/pF5IJsXpptbMmNUmgN7K +VMI/zmI9estFUZg8hn5LSMAbnm102W3xLzM6FRJWMcwe2gajg/NCww02mPsohONC +R4nNMUgYOZdesPDmtYUKk3sr5ZNdpBL6hESBMzFYmYLBzaoeseuzra7U850tF9JU +YfpJStBXNDz8iVPCqOkgKf1hFrPNNxtmsBW68V2ARmYNzqnaP3nLs/U43zZQiT6t +b+zcAE1h6RGgVXjF1b1KG64J153n0YELrC2TpaF2JAGQVvzQgxoZbgiWCKt0m7wx +Qb7P3euy8MxsMGmqHDMtztrg6AAzRKoJN56qHqdP2qExc32uu/BwfmbFv7MLxKQw +g0VykfWBSNyx/2HMDHw79idgFpzHr2nj4CDqB6QLWtRMCWtlT8R7rlz5JlcsJY1U +7Rlwokje9Ctj/5gToXctnLbo+j2506GLtbhxNOaH1s7GswIDAQABo0IwQDAPBgNV +HRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQU5MnNjPKIbR2n +LtdeeTGlZlU1zgIwDQYJYIZIAWUDBAMOBQADggGBAF+Q4zABKa1ZWohHqsTgru6v +4ru0Pnfbmg3vhlc5ur93Sd0C+fX+e+78n+0QpUNa0N9Vw54r/aF4ki0ceL4Dl4w0 +aXcDa2ozl/hksSeKwIp14W/NHTAjzP2aNpN5/dqd1DM+vojJhlcArepuVVH+NIKt +YYUXwvsjJN9OAAKkMCbnda8gOnKMGJkVIUOTz2DOyzqd5iQ3h3zxzluP4KIya5/k +FZV0wXy8v7phLGgbPJ5DtGuTCjao7+nF6lLkJ+/l3vPC1luB4/UbMGML4GxVwVIM +riCepPT1I9CNuHy2qKpsEmCv8zb5pxXrxv0uIYn8MZx7VCnLuD61AOqIExTYvxv2 +Z3JbOuOsgHJeMKJbhY8r8HkktNLOeLrOW2KSilNpE915EFN0exGMC3zG4IgzRc9u +kGGDVV9BsTkAYjQrWBuuWqxy8TCRPNpe6hnVJIQLLjE9M1V/PW3MD5ObndgT8jA3 +sMMwCxo+S11MZIcKCgnCCcGhgTLT7rFpC0hwRa6dkA== +-----END CERTIFICATE----- diff --git a/testing/tests/swanctl/net2net-sha3-rsa-cert/posttest.dat b/testing/tests/swanctl/net2net-sha3-rsa-cert/posttest.dat new file mode 100755 index 000000000..30d10b555 --- /dev/null +++ b/testing/tests/swanctl/net2net-sha3-rsa-cert/posttest.dat @@ -0,0 +1,5 @@ +moon::swanctl --terminate --ike gw-gw 2> /dev/null +moon::service charon stop 2> /dev/null +sun::service charon stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/net2net-sha3-rsa-cert/pretest.dat b/testing/tests/swanctl/net2net-sha3-rsa-cert/pretest.dat new file mode 100755 index 000000000..b128bef44 --- /dev/null +++ b/testing/tests/swanctl/net2net-sha3-rsa-cert/pretest.dat @@ -0,0 +1,7 @@ +moon::iptables-restore < /etc/iptables.rules +sun::iptables-restore < /etc/iptables.rules +moon::service charon start 2> /dev/null +sun::service charon start 2> /dev/null +moon::expect-connection gw-gw +sun::expect-connection gw-gw +moon::swanctl --initiate --child net-net 2> /dev/null diff --git a/testing/tests/swanctl/net2net-sha3-rsa-cert/test.conf b/testing/tests/swanctl/net2net-sha3-rsa-cert/test.conf new file mode 100755 index 000000000..07a3b247a --- /dev/null +++ b/testing/tests/swanctl/net2net-sha3-rsa-cert/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/description.txt b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/description.txt new file mode 100755 index 000000000..e9ea4aca5 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/description.txt @@ -0,0 +1,8 @@ +The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each +to gateway <b>moon</b>. The authentication is based on <b>EAP-TLS</b> only using +<b>X.509 certificates</b> with signatures consisting of <b>RSA-encrypted SHA-3 hashes</b>. +<p/> +Upon the successful establishment of the IPsec tunnels, the updown script +automatically inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping +the client <b>alice</b> behind the gateway <b>moon</b>. diff --git a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/evaltest.dat b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/evaltest.dat new file mode 100755 index 000000000..51bf8c1ba --- /dev/null +++ b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/evaltest.dat @@ -0,0 +1,10 @@ +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES +alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_.eq=1::YES +alice::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_.eq=1::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/carol/etc/strongswan.conf new file mode 100755 index 000000000..3b492f0d4 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/carol/etc/strongswan.conf @@ -0,0 +1,18 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon { + load = random nonce md5 sha1 sha2 sha3 aes hmac pem pkcs1 x509 revocation constraints pubkey gmp curl eap-tls kernel-netlink socket-default updown vici + + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } +} + +libtls { + suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 +} diff --git a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/carol/etc/swanctl/rsa/carolKey.pem b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/carol/etc/swanctl/rsa/carolKey.pem new file mode 100644 index 000000000..db6c98d89 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/carol/etc/swanctl/rsa/carolKey.pem @@ -0,0 +1,39 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIG4gIBAAKCAYEAw7ArNq1Cs5RMc1MuHO5BZAIAc9v04THLSpCs+zNQlyJCXaij +siTQUbATyhgB5O11HKh69J8PRITx+dqIW/are3KGAKbvo8G5AgVOPhO+X3n7iOwT +PqtaAlAa4/qpVyD/RSfOiQPXj+SFtBz9Js36gZegcm/w3d0QVOPUIEMWpSMIHCAm +v6Ji/QHyOEVyOuiW0PTKVxqY8iFgnT8djDo0xWU40RNcIC7qyMkmGD8xR+kIbBcH +8akPB6NgNvFVUZPK4EQfr19JNAQp7KbPA6tlzRxR6z0eL57zRUU47g3cf9Ie1zNj +4FrIfv/+nA9ZVpR/DsGe3qmJvTVDfubaGkFE4AKxUEGcm0N4gHXo1PBj7hayJJSU +IuAfoIfmkorqrPTp3bRoH2NWmMveBU6W4c8Vocv4ceWmCsrodcNdzqcnU4QGFc9x +KPeiD232KeBZdpK4vs1ewkzftWmOVYUBG0X5oNNYoT54Qr8YXTWTI/3Rp7TbVGh7 +Z6iqH7hQ9gNGOe+NAgMBAAECggGAKuC3F0vviZm9Bqf7OquZ+GfX4YsYpR9cBAKf +ZIth5TvEfvEsrSQT4VJLg8Su5ZKCTr07883GcqUOwEh6CGyMNohphEsPxznzZ9Xx +xvhchl8cFmxj6x9woYEb40hRQp4gUO7f+nW1DfpssYKIlbAca7jlly2gAX0mzvL8 +z/TjSVvbsw34b5UNS5LZmCrfVLkSEscQbvWM/cECgnIJ72fxmC8NvAIZ9ZNSLpyk +lDuEeNU+2zBQtUrt2CacNm263B0dvHrW9QSTdi1GvIjxhc3ab8OT0ZDNzo/S2eRJ +InN77gwkYgEu1jeloBsicG4ZAAdbQU5/X4prnJIy2novnA/2C+hrmpYDhxqOT4Uk +AhoMiyvrJF6rxPZj+R5qzc4RUzZapcXUNzH0lCwtwd19Ogfw38LUkHCtqQQpleme +AL7FeVDXDu9oe6c5YrZihehT7p8ExKwlwiWy4u2bnoip77wOCuLo+D6eZpt64w4e +XiHpWtmkADqhfzMgt/WUMpD/+gcBAoHBAPTa6zMClhGP6su624Rv9HSVClacXR7d +zJNo5stnPierfcIZs8loWthR6AgGx36q9bOqtfIdFRc/PajF7oggnTcxMBZdCoU8 +Oi3vWEH+aIzIX3KICUjRYjj1kpm9xcy7XPGc6bEit+PM1DJ1jXCTiC30uQpavNxr +klV4+ROIt9MYsb3tQw7CO1mGNR37jAEUqbJ7sK2OnvmjZPJlwJs0AyN1j7ZUihDO +VT5UhjwB4KUH6BEirXTkoaDxZwsRfR5SaQKBwQDMmFm2M8J9AOxgrYTY80YIRQpy +vrcX7Xrzn4Lu8M8Xr6RlS5bbXApAH7WtRHGlIj14lItmvZpRSOTzawtn65AzeIUF +82/EMxLJaGjMBviTyNy+ta9wn8Qdy5c2ZZ5dKgsQ4PprSkAvNOnpd1wG48pbGg7/ +n3tVs9zdD2wa35KVjoyueu9Ls9BbND8v7OYmkmSNqFlA5KuLIeQkuLNxjxQsV5Vg +S8pyg1jlYs7KmYs9GIFHAVEf5LG6a/3huWfuR4UCgcAGWfdn51VFN1p71mkDUnQg +4gzWmk/AETjRShNSi2cNWGF2u3vyaYaRve4q5yIdowmkk3UMxrxZUgajbh714QKy +/8+jhN5U/m7z6hV8AMFthXUUX3r+LJBDsfsPieCrouCSU+Or+J6Uhieq92mn1eve +ZU63egsUHKY7GVw8qXs7OpTBvHnU1Cz98YFHOdMz4/lS6+p1VhHBn/9qWkFYxUyf +itkjfaXnMbL8XuzseY/+N+pJJ4EgWx3mMtzdaKK6OqECgcAttOdt1fhgFsG4A2vH +T+nYVRw1cDfVJ5+tJ3iHytJpFzshyhZEoTZFBxB+SekdnB2hf4X5COiduiwz2Tku +GSkY5pbJMo5IhaRvzFyFIBWOZnQyQsKT5Y1Znq8EXwVXCNp6BdjL+UWHhkmvd5Pe +kisV2Sd6ofVauxjfZd+fzUyhDryNCjfFcMFebrijC0iLW28NWou9/Jf6ODMQpRap +iu5Vzac4YRY0KPXGISHTjyPVHVFcPIYUGvI9lHyeXd5DFEUCgcA9s3ei/H000sC6 +3q5iELW8kxFCpwvu7uKCFfakAqQn8nponHEUgRS7eLjzS1NB0qysIiOMtZPAVMCz +puETLsi9PxD8de4RyEyZC2yd973j+TqFQmPyiWF3QNW55zM2iELW5sGeEVk/Z15c +nlItcy7KOJOJU0TAKvUUjr4ug5N7sVSN1aeF4tiaFz0GFIqV3qAkcTMfpaOKfuSc +huiHBdBaY7m4uNK4/ZOi1JitocO7wpRsX/eRJ4AuNrro8EHHAe0= +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..229b6022c --- /dev/null +++ b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,28 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = eap-tls + certs = carolCert.pem + id = carol@strongswan.org + } + remote { + auth = eap-tls + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-modp3072 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-modp3072 + } +} diff --git a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/carol/etc/swanctl/x509/carolCert.pem b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/carol/etc/swanctl/x509/carolCert.pem new file mode 100644 index 000000000..94f2c0a19 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/carol/etc/swanctl/x509/carolCert.pem @@ -0,0 +1,28 @@ +-----BEGIN CERTIFICATE----- +MIIEtTCCAx2gAwIBAgIBAzANBglghkgBZQMEAw4FADBXMQswCQYDVQQGEwJDSDEb +MBkGA1UEChMSc3Ryb25nU3dhbiBQcm9qZWN0MQ4wDAYDVQQLEwVTSEEtMzEbMBkG +A1UEAxMSc3Ryb25nU3dhbiBSb290IENBMB4XDTE2MDkyMjEwMzYwMloXDTI2MDky +MjEwMzYwMlowWTELMAkGA1UEBhMCQ0gxGzAZBgNVBAoTEnN0cm9uZ1N3YW4gUHJv +amVjdDEOMAwGA1UECxMFU0hBLTMxHTAbBgNVBAMMFGNhcm9sQHN0cm9uZ3N3YW4u +b3JnMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAw7ArNq1Cs5RMc1Mu +HO5BZAIAc9v04THLSpCs+zNQlyJCXaijsiTQUbATyhgB5O11HKh69J8PRITx+dqI +W/are3KGAKbvo8G5AgVOPhO+X3n7iOwTPqtaAlAa4/qpVyD/RSfOiQPXj+SFtBz9 +Js36gZegcm/w3d0QVOPUIEMWpSMIHCAmv6Ji/QHyOEVyOuiW0PTKVxqY8iFgnT8d +jDo0xWU40RNcIC7qyMkmGD8xR+kIbBcH8akPB6NgNvFVUZPK4EQfr19JNAQp7KbP +A6tlzRxR6z0eL57zRUU47g3cf9Ie1zNj4FrIfv/+nA9ZVpR/DsGe3qmJvTVDfuba +GkFE4AKxUEGcm0N4gHXo1PBj7hayJJSUIuAfoIfmkorqrPTp3bRoH2NWmMveBU6W +4c8Vocv4ceWmCsrodcNdzqcnU4QGFc9xKPeiD232KeBZdpK4vs1ewkzftWmOVYUB +G0X5oNNYoT54Qr8YXTWTI/3Rp7TbVGh7Z6iqH7hQ9gNGOe+NAgMBAAGjgYkwgYYw +HwYDVR0jBBgwFoAU5MnNjPKIbR2nLtdeeTGlZlU1zgIwHwYDVR0RBBgwFoEUY2Fy +b2xAc3Ryb25nc3dhbi5vcmcwQgYDVR0fBDswOTA3oDWgM4YxaHR0cDovL2NybC5z +dHJvbmdzd2FuLm9yZy9zdHJvbmdzd2FuLXNoYTMtcnNhLmNybDANBglghkgBZQME +Aw4FAAOCAYEAHxkcN7plS2BvO/yXxE5WJ+2k9IP/IupuE6ChuFHDq5SrGNMsStsG +sGpV6/yxvLSHchNGnGMIOyLTMzKgWy5dnDy4YX2FqZkI8ZBa0FJ9iO2IxILCsmyw +ouShOv47YkNuAzJWIZjRz3+7mNhfX3TsdEr26cNKf1JqawTyFCDq0t/UYS6K/8O+ ++6Q1kmy2mRgR19XkxA0ts3xno+eeB0NelnVEjJwqZPFgmVYK/2T4fUKraJyQzwhp +xghLtlmwNuN6jetB4Z9k3hQQaPlUy2wxrqdsNfV9Ysgy+3LcI2ynoFMYShrS4avW +FI2z0hb8sDkvS4Knif4UCv14Gycb/8nSgiingEMU+UmPOxwUl79/99e4LvIaslp4 +S0AiLwe0Tz2NqQ6uhvVppw3lYptIt+EK042cYpm/CPTMlMhT+Pi8l/POWIdquNLp +85NuiVBbt3wMff+qTu+/ppyQsytTfDMD6XLggorLni/Owf9PoBakcdGuPW9MAUTf +6Idv0tl5T0qX +-----END CERTIFICATE----- diff --git a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/carol/etc/swanctl/x509ca/strongswanCert.pem b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/carol/etc/swanctl/x509ca/strongswanCert.pem new file mode 100644 index 000000000..29ad5b942 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/carol/etc/swanctl/x509ca/strongswanCert.pem @@ -0,0 +1,26 @@ +-----BEGIN CERTIFICATE----- +MIIEazCCAtOgAwIBAgIBADANBglghkgBZQMEAw4FADBXMQswCQYDVQQGEwJDSDEb +MBkGA1UEChMSc3Ryb25nU3dhbiBQcm9qZWN0MQ4wDAYDVQQLEwVTSEEtMzEbMBkG +A1UEAxMSc3Ryb25nU3dhbiBSb290IENBMB4XDTE2MDkyMjA5NDA1NVoXDTMxMDky +MjA5NDA1NVowVzELMAkGA1UEBhMCQ0gxGzAZBgNVBAoTEnN0cm9uZ1N3YW4gUHJv +amVjdDEOMAwGA1UECxMFU0hBLTMxGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBD +QTCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAJpHGoOCJSiZoJhPXHqF +XWvrY8zyGwlUCiwphOobq4nhqo2EchTuKdPvCckxtXp/pF5IJsXpptbMmNUmgN7K +VMI/zmI9estFUZg8hn5LSMAbnm102W3xLzM6FRJWMcwe2gajg/NCww02mPsohONC +R4nNMUgYOZdesPDmtYUKk3sr5ZNdpBL6hESBMzFYmYLBzaoeseuzra7U850tF9JU +YfpJStBXNDz8iVPCqOkgKf1hFrPNNxtmsBW68V2ARmYNzqnaP3nLs/U43zZQiT6t +b+zcAE1h6RGgVXjF1b1KG64J153n0YELrC2TpaF2JAGQVvzQgxoZbgiWCKt0m7wx +Qb7P3euy8MxsMGmqHDMtztrg6AAzRKoJN56qHqdP2qExc32uu/BwfmbFv7MLxKQw +g0VykfWBSNyx/2HMDHw79idgFpzHr2nj4CDqB6QLWtRMCWtlT8R7rlz5JlcsJY1U +7Rlwokje9Ctj/5gToXctnLbo+j2506GLtbhxNOaH1s7GswIDAQABo0IwQDAPBgNV +HRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQU5MnNjPKIbR2n +LtdeeTGlZlU1zgIwDQYJYIZIAWUDBAMOBQADggGBAF+Q4zABKa1ZWohHqsTgru6v +4ru0Pnfbmg3vhlc5ur93Sd0C+fX+e+78n+0QpUNa0N9Vw54r/aF4ki0ceL4Dl4w0 +aXcDa2ozl/hksSeKwIp14W/NHTAjzP2aNpN5/dqd1DM+vojJhlcArepuVVH+NIKt +YYUXwvsjJN9OAAKkMCbnda8gOnKMGJkVIUOTz2DOyzqd5iQ3h3zxzluP4KIya5/k +FZV0wXy8v7phLGgbPJ5DtGuTCjao7+nF6lLkJ+/l3vPC1luB4/UbMGML4GxVwVIM +riCepPT1I9CNuHy2qKpsEmCv8zb5pxXrxv0uIYn8MZx7VCnLuD61AOqIExTYvxv2 +Z3JbOuOsgHJeMKJbhY8r8HkktNLOeLrOW2KSilNpE915EFN0exGMC3zG4IgzRc9u +kGGDVV9BsTkAYjQrWBuuWqxy8TCRPNpe6hnVJIQLLjE9M1V/PW3MD5ObndgT8jA3 +sMMwCxo+S11MZIcKCgnCCcGhgTLT7rFpC0hwRa6dkA== +-----END CERTIFICATE----- diff --git a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/dave/etc/strongswan.conf new file mode 100755 index 000000000..3b492f0d4 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/dave/etc/strongswan.conf @@ -0,0 +1,18 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon { + load = random nonce md5 sha1 sha2 sha3 aes hmac pem pkcs1 x509 revocation constraints pubkey gmp curl eap-tls kernel-netlink socket-default updown vici + + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } +} + +libtls { + suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 +} diff --git a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/dave/etc/swanctl/rsa/daveKey.pem b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/dave/etc/swanctl/rsa/daveKey.pem new file mode 100644 index 000000000..85ad0d826 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/dave/etc/swanctl/rsa/daveKey.pem @@ -0,0 +1,39 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIG5QIBAAKCAYEA2tDIPF4nBGWCGJrnrV1npIw4nz24u1siDlD1eS2o17sYTBnf +zQGkayW9dw/hhy3bGNrsGmuwr/lTMn1g3Kg+UQ0MNIWGPs3UWLeB5OBjQ4mWTmHK +l0Aov2QnFO5PT63f57qwZOBXMLJzIdOlBJku5kxBu0qYT/FsX40KR0QSzl5at7QH +5tJ81eBHuVaLEJrg5hYkqaDltGvisUeUozo5sijMfNvJUbwYQtL7UQrAMyFDAHqH +kx/RaOkOP58FdmzTihqRXLObVVrOMWq6pTARCssdDhcA/y2QtcQzftCbID9/+hMx +8yRyD0FbPcDC6CvrxVzUTyqBNjW9ZnrDfIxrqiRna7Fnjfq9gDYxYtDXGjvx1PdI +p1ZgiiiQ0BLWQV8w+ujKgM52wy8YMdnCTDdcIVmreo02amu4txX3wf9YAeGtQ5gN +QkJSooZEjwOnqVhiqNDEjxDgoEssAJ/VQtSwj37Ug1AFZ9bB2x+YNtC5b/Mj0Y4o +k7mO+ButDiTzkw53AgMBAAECggGACY1lwGTn1SRNSp+wj3vtY1yPuDvsjZlL4k4c +eT7KCSjsxZ23jG6O6/KI0+LImKsiznH4LqsW2ofK3wBkMx3RIp6sMrrFgoZfx8Oz +EvfMvY0LF77jJjkxzjEkF6DTq4nOpYIb4zt78u9HYWmo4YuCZaFcmT2Haq4CaiVx +Fm1dWM77rNtaIPR9aKTS3L9vcLkiKkk7LoCMppSzH8QdNAb9r85iJu09W6kXcgtd +10rd2x2PnDy9IGoaLTdHXPWnOmVDviFgCp9zxBk4g/SWDR2AdHOgg3D2mvOmFkVK +SLxr8RKhzzQfbRQuV4F3so9QVfkKyH8xsOpjAqjQwJC1LIWMJipzmc8o/AnUw0Rj +UvU1sDYV8MHimgoftG000vB72hws8tv/XQHl13Tig8y46lSOYxavBJZuHjPPhkQF +YlsfyUV5B11EmlyZ+KsNCHj9vXGRL6bw3Hu1UeG5cnXBXNkPq7ssNpgwdJrpqcW3 +8KWtl7w/b68ZLwyMpxKbmUNIyNkJAoHBAP9KBnqa91RA8gg0/Kp91NLiNXT9ibN3 +cQ6Y6HXuCWrKIKVKMmxRkhM9lMzOVfVVw5ydWZ3B5tzMiIfVCnyzs357vxBGsQEk +TQ9I/kdFuR1gSMZVbXSH1Cbf/Ealg7j/w5/3WpQSaszUN2dmkJ64I3iEWELjT/VV +RaxEhdNmZiRieOglkpvt+4X2Cr5oKXUofb11QX8bBmPnZklWUTuEfQu2KFc7T2im +2ZonJKdxRMMFcnHqS3StX8OYqK8qqTC9hQKBwQDbbMIAp2omxd+iiN4hCIgZ1mK3 +HzBBwam6A/ZLqbByB4Ch1TNRK959xtJW6FLibZPYCi12b1ILwjOVO7aQHKnhKItX +rhwAdhaBd3tJTxu2jDB0Bx1UkKbTDQ3bipnLY+VX/r/rMKbRsWgzejLs/CjafOj7 +OaFSpQOiQfOkpGKpwTab2H0CYqCMxK/4VYBP/NWwM0o0gaL5dJCjZ5i72CnHtmx7 +3D69TCieFY7RiDyf4Pix0tonwD5FfVHfH1SpjssCgcEAxJIcYQW4EhEcDIO4VhMj +7+msndOn1x/OVx4YSM4sRCU1c/Co2M0KfHQ7gmQSviD2yT5DxfyLJlL7ghPhylmY +iXkBiqfUHXv1NiLPYNPoER2Vi9o1uLfp/LEVkNRbk/SkjiUpgsCXqfZyXtUT4JML +BP5q874SUGcDif0NStUbK0MDtEVSGWzq8qCcbzbHTWYLQ/non9WQWxbPpQKo8/o1 +SvJNJ7YMlBl9jnw7dg76kmw8TkjJJyNkjLickpx3wIb9AoHBAIx01s6SW9nL6fZh +xEbC7lQTrobn2P0OmbWv2ZXfXknv0YBGOB4qhbZfcb8d4gh8+hldknJwmcVbH6fU +XG1tW7T8Pg33LoeBD7D6KZnooKW+oTl0YGsEWTVZ8tfopb/TBzjHolRLhU1PUZM6 +EqUuWHxbXsuJvWForaXMr8hhTaK6QlmKP6MqPPk+4iGFoagSATtT6Zkorokd+4QN +yW/c1Am6FUFH34VO3eUriYtIuP3ihW9WuDyfy3yx1pmLtab/9wKBwQDbBXYm9ugE +wRSIxCywJ+aPNRQKanCKORwQMNJZ80rrXIs7saomY4Os+utJpOhoksTJB7mAn3ij +kopmXn6NOsXdOlp9Ty55YRylGmOIQpsO7kSfylE1NFioHqksuQndbUwZFbskI0cN +egyoihqnbfoLyxGu1/M521IseW3AwFIc0gAGdQ7i4ZXVlXOXWvdZFxnpd6PAfFMb +J9mOicxHQ6Yv5b30RUvSIN+LHnUNGGk9XAxCH/jKtU7886jD6f34ru8= +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/dave/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..adf9326c7 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1,28 @@ +connections { + + home { + local_addrs = 192.168.0.200 + remote_addrs = 192.168.0.1 + + local { + auth = eap-tls + certs = daveCert.pem + id = dave@strongswan.org + } + remote { + auth = eap-tls + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-modp3072 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-modp3072 + } +} diff --git a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/dave/etc/swanctl/x509/daveCert.pem b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/dave/etc/swanctl/x509/daveCert.pem new file mode 100644 index 000000000..c5c769cb5 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/dave/etc/swanctl/x509/daveCert.pem @@ -0,0 +1,28 @@ +-----BEGIN CERTIFICATE----- +MIIEszCCAxugAwIBAgIBBDANBglghkgBZQMEAw4FADBXMQswCQYDVQQGEwJDSDEb +MBkGA1UEChMSc3Ryb25nU3dhbiBQcm9qZWN0MQ4wDAYDVQQLEwVTSEEtMzEbMBkG +A1UEAxMSc3Ryb25nU3dhbiBSb290IENBMB4XDTE2MDkyMjEwMzcwN1oXDTI2MDky +MjEwMzcwN1owWDELMAkGA1UEBhMCQ0gxGzAZBgNVBAoTEnN0cm9uZ1N3YW4gUHJv +amVjdDEOMAwGA1UECxMFU0hBLTMxHDAaBgNVBAMME2RhdmVAc3Ryb25nc3dhbi5v +cmcwggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQDa0Mg8XicEZYIYmuet +XWekjDifPbi7WyIOUPV5LajXuxhMGd/NAaRrJb13D+GHLdsY2uwaa7Cv+VMyfWDc +qD5RDQw0hYY+zdRYt4Hk4GNDiZZOYcqXQCi/ZCcU7k9Prd/nurBk4FcwsnMh06UE +mS7mTEG7SphP8WxfjQpHRBLOXlq3tAfm0nzV4Ee5VosQmuDmFiSpoOW0a+KxR5Sj +OjmyKMx828lRvBhC0vtRCsAzIUMAeoeTH9Fo6Q4/nwV2bNOKGpFcs5tVWs4xarql +MBEKyx0OFwD/LZC1xDN+0JsgP3/6EzHzJHIPQVs9wMLoK+vFXNRPKoE2Nb1mesN8 +jGuqJGdrsWeN+r2ANjFi0NcaO/HU90inVmCKKJDQEtZBXzD66MqAznbDLxgx2cJM +N1whWat6jTZqa7i3FffB/1gB4a1DmA1CQlKihkSPA6epWGKo0MSPEOCgSywAn9VC +1LCPftSDUAVn1sHbH5g20Llv8yPRjiiTuY74G60OJPOTDncCAwEAAaOBiDCBhTAf +BgNVHSMEGDAWgBTkyc2M8ohtHacu1155MaVmVTXOAjAeBgNVHREEFzAVgRNkYXZl +QHN0cm9uZ3N3YW4ub3JnMEIGA1UdHwQ7MDkwN6A1oDOGMWh0dHA6Ly9jcmwuc3Ry +b25nc3dhbi5vcmcvc3Ryb25nc3dhbi1zaGEzLXJzYS5jcmwwDQYJYIZIAWUDBAMO +BQADggGBAISXAxemOSUmXqkf7cgTQHpreMH1Y9LPJxZUUq5GVErmPzhLaZDSqZSy +ZXcu3EWPA0RElaYBd9CSgFx0I89tw41dIYOLDyLnrEDHmcsgcJl74YYBSzebB/TJ +OGXtV3S9M9OF1vSdugaXI1hDXck7cODUR6nyZAWOp5kBSItAH5bglCRtaQlAuSxM +wRWYhBErUR5tZvu0loCN+11hVg/ddQ3r+FeHUt35KNenxkd6hWlHljbPv/eTtqgc +/5VGEC96I2rD6WNcszj/SKK40zA9GuF1mIwNKEdcYnPRxoszlD6C7cdGJZ8VpJLc +d7sO0QJur5HNtj6oUbM3HuHAaZBjg7uh5GDj+RehhKCybYyJQ1fu4iRaNYKdPwZh +/F6hBRLytkt1qjJhngmBmQU4Ent8GL0Zn6Q8/HvbTP/xw4VXkY9JHdMIkzH8zokd +TVjkunPPt+zdzeMq4hOewYR8HfiKcAnNUG7eO6PnUvC2NKsqX8a7/z0OV68XybZs +gjC1FqvMvg== +-----END CERTIFICATE----- diff --git a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/dave/etc/swanctl/x509ca/strongswanCert.pem b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/dave/etc/swanctl/x509ca/strongswanCert.pem new file mode 100644 index 000000000..29ad5b942 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/dave/etc/swanctl/x509ca/strongswanCert.pem @@ -0,0 +1,26 @@ +-----BEGIN CERTIFICATE----- +MIIEazCCAtOgAwIBAgIBADANBglghkgBZQMEAw4FADBXMQswCQYDVQQGEwJDSDEb +MBkGA1UEChMSc3Ryb25nU3dhbiBQcm9qZWN0MQ4wDAYDVQQLEwVTSEEtMzEbMBkG +A1UEAxMSc3Ryb25nU3dhbiBSb290IENBMB4XDTE2MDkyMjA5NDA1NVoXDTMxMDky +MjA5NDA1NVowVzELMAkGA1UEBhMCQ0gxGzAZBgNVBAoTEnN0cm9uZ1N3YW4gUHJv +amVjdDEOMAwGA1UECxMFU0hBLTMxGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBD +QTCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAJpHGoOCJSiZoJhPXHqF +XWvrY8zyGwlUCiwphOobq4nhqo2EchTuKdPvCckxtXp/pF5IJsXpptbMmNUmgN7K +VMI/zmI9estFUZg8hn5LSMAbnm102W3xLzM6FRJWMcwe2gajg/NCww02mPsohONC +R4nNMUgYOZdesPDmtYUKk3sr5ZNdpBL6hESBMzFYmYLBzaoeseuzra7U850tF9JU +YfpJStBXNDz8iVPCqOkgKf1hFrPNNxtmsBW68V2ARmYNzqnaP3nLs/U43zZQiT6t +b+zcAE1h6RGgVXjF1b1KG64J153n0YELrC2TpaF2JAGQVvzQgxoZbgiWCKt0m7wx +Qb7P3euy8MxsMGmqHDMtztrg6AAzRKoJN56qHqdP2qExc32uu/BwfmbFv7MLxKQw +g0VykfWBSNyx/2HMDHw79idgFpzHr2nj4CDqB6QLWtRMCWtlT8R7rlz5JlcsJY1U +7Rlwokje9Ctj/5gToXctnLbo+j2506GLtbhxNOaH1s7GswIDAQABo0IwQDAPBgNV +HRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQU5MnNjPKIbR2n +LtdeeTGlZlU1zgIwDQYJYIZIAWUDBAMOBQADggGBAF+Q4zABKa1ZWohHqsTgru6v +4ru0Pnfbmg3vhlc5ur93Sd0C+fX+e+78n+0QpUNa0N9Vw54r/aF4ki0ceL4Dl4w0 +aXcDa2ozl/hksSeKwIp14W/NHTAjzP2aNpN5/dqd1DM+vojJhlcArepuVVH+NIKt +YYUXwvsjJN9OAAKkMCbnda8gOnKMGJkVIUOTz2DOyzqd5iQ3h3zxzluP4KIya5/k +FZV0wXy8v7phLGgbPJ5DtGuTCjao7+nF6lLkJ+/l3vPC1luB4/UbMGML4GxVwVIM +riCepPT1I9CNuHy2qKpsEmCv8zb5pxXrxv0uIYn8MZx7VCnLuD61AOqIExTYvxv2 +Z3JbOuOsgHJeMKJbhY8r8HkktNLOeLrOW2KSilNpE915EFN0exGMC3zG4IgzRc9u +kGGDVV9BsTkAYjQrWBuuWqxy8TCRPNpe6hnVJIQLLjE9M1V/PW3MD5ObndgT8jA3 +sMMwCxo+S11MZIcKCgnCCcGhgTLT7rFpC0hwRa6dkA== +-----END CERTIFICATE----- diff --git a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/moon/etc/strongswan.conf new file mode 100755 index 000000000..646ee0e4c --- /dev/null +++ b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/moon/etc/strongswan.conf @@ -0,0 +1,14 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon { + load = random nonce md5 sha1 sha2 sha3 aes hmac pem pkcs1 x509 revocation constraints pubkey gmp curl eap-tls kernel-netlink socket-default updown vici + + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } +} diff --git a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/moon/etc/swanctl/rsa/moonKey.pem b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/moon/etc/swanctl/rsa/moonKey.pem new file mode 100644 index 000000000..f24b3ebf3 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/moon/etc/swanctl/rsa/moonKey.pem @@ -0,0 +1,39 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIG4wIBAAKCAYEAnD3x6bsLjwUP9BU0+hDSo28XBn1aM8+UO5n5XnnuQ8CDB+Mq +pEHgNve71FBD8Gqf2dha5rfRx5HhXbw6BZMCTdUs5oxHsaOl5LGwp8W4G1BSxofV +T7yzfnmW/+lPER2zJnXbOlVfW8UoEbsAfXpCr/edJvBu10kk1VHjrnMJIDGlNc4N +Re06DcYSb/7AgRN6umPQr+uRzn5jFXJyROjx00gH89GzZIaNciyiYwaCZFBduByt +UhaL8RKMA+MxWrB1ICQgE7hITZXvJJg2UuEe+t3lXMSfKoZHyU2sTBtctXan6rf/ +XmC0O3Bf7RTwoFmDvJlApgfpL1QIe8gH1hi/NukTYskm+zWYPkJAzcwCyMmyhZFY +v0r0pybLWI1hZ8xeTr7MSbtImsvxl8mxwG7wRtWS5BKd0kke/gorCEI8AYZj33NA +G58iX4+z745z4UNNTDg1bnjB2fTw4c0AD7TOIU76ZskhGKj4J7ZMzeQ5YXLMFRmp +qn0p9obSqXwg62dXAgMBAAECggGAHb2g3efv5FKHXePniK5JGjkcPe0AjZo20j2V +/UjidN0hVBAG3ut3PZ9cjqaUuB/ju7j2XLKi6QU4y/n3ZXY9Wwl4GY6cWxEWk/jK +8rStPe3FQ+s5TItT84A7oQ0NMunfXzPR/kGf/D0ESpO5HSl3pj1RGcdsoehXbY+/ +8kYNd6Zbl2lYl3X3tgV9Hvp0NF2739z+LW5++7qNK9j0LW/WEGzGrr+9ESaXqCMc +6hKkIWo23MQArf6Ctunb4yWNEIFEDi1r9DzMbZN/lVhDx77Q0KYLH1P31R5rOc1G +NYXPF4F3CSfUsgd48dB2/1FCTnDJ4PmOU/R1L8jAgnSOroTAYDVzY4DJ7vyKGvIE +DL7eKlbwOfS5swyANUKgHO6QiHt9WzcNUGpeinTa3wJ4KoAdG+lzDMuiwRFdSRRU +z7t1ptTf2LuCAtva2daP2SPed+ITg2QB6X4BSQkqR0vPYBQIZAtFjMWH78E2PLrD +01+LpOj8TBRerd834etDODg4ddiRAoHBAMiYg7hWfChw3SdnmAmkhDAZN80pvsUU +bzzAiQ5EI59JYMoi/amYyLd6hUK4Z8g4gcdXzBYw9iwJuj8LMpPBZlplAxVnFdId +23I+GNDmcX2ovOpl6skKy1grNhBigxRUQUGsS9oxrYeuy2VymDzeZPCQmrrhsXk/ +Mac237nncJj2n8I5RtDOoSOFD0+grs7MXs4P+W2HHzWgkN7mBgKeFfUPLI3Kyy3p +F7tXegtJqIJsXlfZ/fzR40QTy7/VbwAW/wKBwQDHZVDYtYe4YoHKdwtAqs/J08QA +29fGkM4ZawLNTY4jz9rdtOuBWg0FPAo82x21xlbRQLsaTKzy9O6a3cQ5oaKtKCh/ +XmKCssrnzJsYZYnhkP4f4VXK8nai/9LFo8TWhB8hNy62GGmfXffsqhAIqIqZA02F +/mOfR6Wrqs7yfzYnJnVsjbR1B2zSiNAYKtk1VtQdGjuagSn/dEyhSCaQRXotXUKX +SJDzPf/H2mj97Cg+3bCtdE/h//N1/cmV/5QEx6kCgcEAh1ua7oW1bBiUsuVNi5wu +8sHhjJiRuS0LzsPg9/Z0zyRVorCv2IRXVK/hQl9q8Ilo0VnmRkctphO+UJI+w8Nq +TK8CwKt55vnsvY83cac+h9uX9tdk8dpN0qX96lp/NvWPv0ADQy3oebkyWLdWESTE +miwJrPdkqXtCByKZHzoUGbO5o/bAWWBFDdHYvhOgQb1Yb9YJqqXWInrBpxcykQuZ +p25g0yE3rzgtomXp3boLck6r7r4TjEkZATQWddERAM+DAoHAEW4w6BDOYXbzA6Du +ceO8sFb7vlt5fFkyOxSYtRu/fi/wYQssvy0BEGEUQAejjD1fX4F6Ga10PPTeWtli +CuuvTdXB3IiCsgwxIpxHPpW5vOcw39aR6mDRsCQO58oOLfZ0xjGNustdiFntj1m6 +dxdMrl2UjE8VpFneCKiw2I/4SunYv/mPOd/BSpI9Jq+wNzJ07mpZpYL/Cd6/yCWH +gXshWA/b/1+PlEPqNS1JmlDnn78/b5pIVWhLfxgFZEBoTxapAoHAY/58nLcWpvpY +3IZC0fBuR7usTACbxr9Z4okHzJUNnoJe+MSE+wQwuE3nP+vc1CrmBSwCjN2wyVLc +gy3idN77NthU9l0oElrPbGFKdFEaa85IcKtnfnspzmvo9AJn2wveZUAlZAzu2zBN +vKI8ubXgoS56uHQnNsWOIugTW/P1I8FnlD4jPItaACGJ3yZWolh9g/WOGS29qJvV +E/6hT4QPPXPZFEnOKO0/3YsMXBwcnEqm2mQ+c4rGMKrTcynk4KaE +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..ec6b06bbc --- /dev/null +++ b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,26 @@ +connections { + + rw { + local_addrs = 192.168.0.1 + + local { + auth = eap-tls + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = eap-tls + } + children { + net { + local_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-modp3072 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-modp3072 + } +} diff --git a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/moon/etc/swanctl/x509/moonCert.pem b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/moon/etc/swanctl/x509/moonCert.pem new file mode 100644 index 000000000..bea7e81f8 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/moon/etc/swanctl/x509/moonCert.pem @@ -0,0 +1,28 @@ +-----BEGIN CERTIFICATE----- +MIIEyDCCAzCgAwIBAgIBAjANBglghkgBZQMEAw4FADBXMQswCQYDVQQGEwJDSDEb +MBkGA1UEChMSc3Ryb25nU3dhbiBQcm9qZWN0MQ4wDAYDVQQLEwVTSEEtMzEbMBkG +A1UEAxMSc3Ryb25nU3dhbiBSb290IENBMB4XDTE2MDkyMjEwMzU0N1oXDTI2MDky +MjEwMzU0N1owWDELMAkGA1UEBhMCQ0gxGzAZBgNVBAoTEnN0cm9uZ1N3YW4gUHJv +amVjdDEOMAwGA1UECxMFU0hBLTMxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dhbi5v +cmcwggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQCcPfHpuwuPBQ/0FTT6 +ENKjbxcGfVozz5Q7mfleee5DwIMH4yqkQeA297vUUEPwap/Z2Frmt9HHkeFdvDoF +kwJN1SzmjEexo6XksbCnxbgbUFLGh9VPvLN+eZb/6U8RHbMmdds6VV9bxSgRuwB9 +ekKv950m8G7XSSTVUeOucwkgMaU1zg1F7ToNxhJv/sCBE3q6Y9Cv65HOfmMVcnJE +6PHTSAfz0bNkho1yLKJjBoJkUF24HK1SFovxEowD4zFasHUgJCATuEhNle8kmDZS +4R763eVcxJ8qhkfJTaxMG1y1dqfqt/9eYLQ7cF/tFPCgWYO8mUCmB+kvVAh7yAfW +GL826RNiySb7NZg+QkDNzALIybKFkVi/SvSnJstYjWFnzF5OvsxJu0iay/GXybHA +bvBG1ZLkEp3SSR7+CisIQjwBhmPfc0AbnyJfj7PvjnPhQ01MODVueMHZ9PDhzQAP +tM4hTvpmySEYqPgntkzN5DlhcswVGamqfSn2htKpfCDrZ1cCAwEAAaOBnTCBmjAf +BgNVHSMEGDAWgBTkyc2M8ohtHacu1155MaVmVTXOAjAeBgNVHREEFzAVghNtb29u +LnN0cm9uZ3N3YW4ub3JnMBMGA1UdJQQMMAoGCCsGAQUFBwMBMEIGA1UdHwQ7MDkw +N6A1oDOGMWh0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbi1zaGEz +LXJzYS5jcmwwDQYJYIZIAWUDBAMOBQADggGBAAHZATrdzGmUIq+0+EdA1AbPdcaT +UDKJvDS30JyOkUnAv5jr63PHyfw+RS92zgE2UyB4+u43BiggBNmTNCjpaEUmViAo +tdywkzIKm7q3dr0078IZ8LU8Wo+hoeRNkBJOxdgflsSislQYDeTd7syoQ4BW7whs +jjFK2Lbthd+/33Iw3LMekYuZF7ZUbHY7D3nlBidrmTIQQCvOnsW2lJi/S83FEYzl +noK+of3eo4Ryg1/428FHts26PxSmnHv+ckj9R4Jf5kH8kd1WhrgDyHQMnihWlUJ2 +pintDBgislbZytqiBOGeYpbpxKl57zHs421wmUs329asu7zgfJFnCynkUgvuRXdc +gDJ+DAiVaXCJlYnk36P87028SR9/C0JLzHA3O5CcfUdFEUs0BvVe1D3b9kC28rdA +5V86DFCL+gp6rB+wDtq6YnCddaNk+ZCs/QAPidqOFAytaBBKaagMIFk+wlsFge79 +ZssIfKy33Frluw0HCj0LNs2tjWvG4Ku8xkFO1Q== +-----END CERTIFICATE----- diff --git a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem new file mode 100644 index 000000000..29ad5b942 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem @@ -0,0 +1,26 @@ +-----BEGIN CERTIFICATE----- +MIIEazCCAtOgAwIBAgIBADANBglghkgBZQMEAw4FADBXMQswCQYDVQQGEwJDSDEb +MBkGA1UEChMSc3Ryb25nU3dhbiBQcm9qZWN0MQ4wDAYDVQQLEwVTSEEtMzEbMBkG +A1UEAxMSc3Ryb25nU3dhbiBSb290IENBMB4XDTE2MDkyMjA5NDA1NVoXDTMxMDky +MjA5NDA1NVowVzELMAkGA1UEBhMCQ0gxGzAZBgNVBAoTEnN0cm9uZ1N3YW4gUHJv +amVjdDEOMAwGA1UECxMFU0hBLTMxGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBD +QTCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAJpHGoOCJSiZoJhPXHqF +XWvrY8zyGwlUCiwphOobq4nhqo2EchTuKdPvCckxtXp/pF5IJsXpptbMmNUmgN7K +VMI/zmI9estFUZg8hn5LSMAbnm102W3xLzM6FRJWMcwe2gajg/NCww02mPsohONC +R4nNMUgYOZdesPDmtYUKk3sr5ZNdpBL6hESBMzFYmYLBzaoeseuzra7U850tF9JU +YfpJStBXNDz8iVPCqOkgKf1hFrPNNxtmsBW68V2ARmYNzqnaP3nLs/U43zZQiT6t +b+zcAE1h6RGgVXjF1b1KG64J153n0YELrC2TpaF2JAGQVvzQgxoZbgiWCKt0m7wx +Qb7P3euy8MxsMGmqHDMtztrg6AAzRKoJN56qHqdP2qExc32uu/BwfmbFv7MLxKQw +g0VykfWBSNyx/2HMDHw79idgFpzHr2nj4CDqB6QLWtRMCWtlT8R7rlz5JlcsJY1U +7Rlwokje9Ctj/5gToXctnLbo+j2506GLtbhxNOaH1s7GswIDAQABo0IwQDAPBgNV +HRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQU5MnNjPKIbR2n +LtdeeTGlZlU1zgIwDQYJYIZIAWUDBAMOBQADggGBAF+Q4zABKa1ZWohHqsTgru6v +4ru0Pnfbmg3vhlc5ur93Sd0C+fX+e+78n+0QpUNa0N9Vw54r/aF4ki0ceL4Dl4w0 +aXcDa2ozl/hksSeKwIp14W/NHTAjzP2aNpN5/dqd1DM+vojJhlcArepuVVH+NIKt +YYUXwvsjJN9OAAKkMCbnda8gOnKMGJkVIUOTz2DOyzqd5iQ3h3zxzluP4KIya5/k +FZV0wXy8v7phLGgbPJ5DtGuTCjao7+nF6lLkJ+/l3vPC1luB4/UbMGML4GxVwVIM +riCepPT1I9CNuHy2qKpsEmCv8zb5pxXrxv0uIYn8MZx7VCnLuD61AOqIExTYvxv2 +Z3JbOuOsgHJeMKJbhY8r8HkktNLOeLrOW2KSilNpE915EFN0exGMC3zG4IgzRc9u +kGGDVV9BsTkAYjQrWBuuWqxy8TCRPNpe6hnVJIQLLjE9M1V/PW3MD5ObndgT8jA3 +sMMwCxo+S11MZIcKCgnCCcGhgTLT7rFpC0hwRa6dkA== +-----END CERTIFICATE----- diff --git a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/posttest.dat b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/posttest.dat new file mode 100755 index 000000000..d7107ccc6 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/posttest.dat @@ -0,0 +1,8 @@ +carol::swanctl --terminate --ike home +dave::swanctl --terminate --ike home +carol::service charon stop 2> /dev/null +dave::service charon stop 2> /dev/null +moon::service charon stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/pretest.dat b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/pretest.dat new file mode 100755 index 000000000..762c35418 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/pretest.dat @@ -0,0 +1,11 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules +moon::service charon start 2> /dev/null +carol::service charon start 2> /dev/null +dave::service charon start 2> /dev/null +moon::expect-connection rw +carol::expect-connection home +carol::swanctl --initiate --child home 2> /dev/null +dave::expect-connection home +dave::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/test.conf b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/test.conf new file mode 100755 index 000000000..1227b9d1c --- /dev/null +++ b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/swanctl/rw-newhope-bliss/description.txt b/testing/tests/swanctl/rw-newhope-bliss/description.txt new file mode 100755 index 000000000..0a7f2489c --- /dev/null +++ b/testing/tests/swanctl/rw-newhope-bliss/description.txt @@ -0,0 +1,14 @@ +The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>. +The IKEv2 key exchange is based on the NewHope lattice-based post-quantum algorithm +with a cryptographical strength of 128 bits. Authentication is based on the BLISS +algorithm with strengths 128 bits (BLISS I), 160 bits (BLISS III) and 192 bits (BLISS IV) for +<b>carol</b>, <b>dave</b> and <b>moon</b>, respectively. +<p> +Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKEv2 configuration payload. +The gateway <b>moon</b> assigns virtual IP addresses from the pool 10.3.0.0/28 in a monotonously +increasing order. +<p> +<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass +the tunneled traffic. In order to test the tunnels, <b>carol</b> and <b>dave</b> then ping +the client <b>alice</b> behind the gateway <b>moon</b>. The source IP addresses of the two +pings will be the virtual IPs <b>carol1</b> and <b>dave1</b>, respectively. diff --git a/testing/tests/swanctl/rw-newhope-bliss/evaltest.dat b/testing/tests/swanctl/rw-newhope-bliss/evaltest.dat new file mode 100755 index 000000000..be3b867a3 --- /dev/null +++ b/testing/tests/swanctl/rw-newhope-bliss/evaltest.dat @@ -0,0 +1,10 @@ +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=NEWHOPE_128.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=NEWHOPE_128.*local-vips=\[10.3.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=NEWHOPE_128.*remote-vips=\[10.3.0.1] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=NEWHOPE_128.*remote-vips=\[10.3.0.2] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]::YES +alice::ping -c 1 10.3.0.1::64 bytes from 10.3.0.1: icmp_.eq=1::YES +alice::ping -c 1 10.3.0.2::64 bytes from 10.3.0.2: icmp_.eq=1::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/swanctl/rw-newhope-bliss/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-newhope-bliss/hosts/carol/etc/strongswan.conf new file mode 100755 index 000000000..00576a842 --- /dev/null +++ b/testing/tests/swanctl/rw-newhope-bliss/hosts/carol/etc/strongswan.conf @@ -0,0 +1,17 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon { + load = random nonce sha1 sha2 sha3 aes chapoly newhope mgf1 bliss hmac pem pkcs1 x509 revocation constraints pubkey gmp curl kernel-netlink socket-default updown vici + + send_vendor_id = yes + fragment_size = 1500 + + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } +} diff --git a/testing/tests/swanctl/rw-newhope-bliss/hosts/carol/etc/swanctl/bliss/carolKey.der b/testing/tests/swanctl/rw-newhope-bliss/hosts/carol/etc/swanctl/bliss/carolKey.der Binary files differnew file mode 100644 index 000000000..b2831a8ed --- /dev/null +++ b/testing/tests/swanctl/rw-newhope-bliss/hosts/carol/etc/swanctl/bliss/carolKey.der diff --git a/testing/tests/swanctl/rw-newhope-bliss/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-newhope-bliss/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..5706eda18 --- /dev/null +++ b/testing/tests/swanctl/rw-newhope-bliss/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,29 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + vips = 0.0.0.0 + + local { + auth = pubkey + certs = carolCert.der + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes256gcm128-newhope128 + } + } + version = 2 + proposals = aes256-sha256-newhope128 + fragmentation = yes + } +} diff --git a/testing/tests/swanctl/rw-newhope-bliss/hosts/carol/etc/swanctl/x509/carolCert.der b/testing/tests/swanctl/rw-newhope-bliss/hosts/carol/etc/swanctl/x509/carolCert.der Binary files differnew file mode 100644 index 000000000..8a520c0b4 --- /dev/null +++ b/testing/tests/swanctl/rw-newhope-bliss/hosts/carol/etc/swanctl/x509/carolCert.der diff --git a/testing/tests/swanctl/rw-newhope-bliss/hosts/carol/etc/swanctl/x509ca/strongswan_blissCert.der b/testing/tests/swanctl/rw-newhope-bliss/hosts/carol/etc/swanctl/x509ca/strongswan_blissCert.der Binary files differnew file mode 100644 index 000000000..fdfd39f13 --- /dev/null +++ b/testing/tests/swanctl/rw-newhope-bliss/hosts/carol/etc/swanctl/x509ca/strongswan_blissCert.der diff --git a/testing/tests/swanctl/rw-newhope-bliss/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-newhope-bliss/hosts/dave/etc/strongswan.conf new file mode 100755 index 000000000..83cfb4ee0 --- /dev/null +++ b/testing/tests/swanctl/rw-newhope-bliss/hosts/dave/etc/strongswan.conf @@ -0,0 +1,17 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon { + load = random nonce sha1 sha2 sha3 aes chapoly newhope mgf1 bliss hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown vici + + send_vendor_id = yes + fragment_size = 1500 + + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } +} diff --git a/testing/tests/swanctl/rw-newhope-bliss/hosts/dave/etc/swanctl/bliss/daveKey.der b/testing/tests/swanctl/rw-newhope-bliss/hosts/dave/etc/swanctl/bliss/daveKey.der Binary files differnew file mode 100644 index 000000000..0ec528ddf --- /dev/null +++ b/testing/tests/swanctl/rw-newhope-bliss/hosts/dave/etc/swanctl/bliss/daveKey.der diff --git a/testing/tests/swanctl/rw-newhope-bliss/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-newhope-bliss/hosts/dave/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..13407ed44 --- /dev/null +++ b/testing/tests/swanctl/rw-newhope-bliss/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1,29 @@ +connections { + + home { + local_addrs = 192.168.0.200 + remote_addrs = 192.168.0.1 + vips = 0.0.0.0 + + local { + auth = pubkey + certs = daveCert.der + id = dave@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes256gcm128-newhope128 + } + } + version = 2 + proposals = aes256-sha256-newhope128 + fragmentation = yes + } +} diff --git a/testing/tests/swanctl/rw-newhope-bliss/hosts/dave/etc/swanctl/x509/daveCert.der b/testing/tests/swanctl/rw-newhope-bliss/hosts/dave/etc/swanctl/x509/daveCert.der Binary files differnew file mode 100644 index 000000000..75a114339 --- /dev/null +++ b/testing/tests/swanctl/rw-newhope-bliss/hosts/dave/etc/swanctl/x509/daveCert.der diff --git a/testing/tests/swanctl/rw-newhope-bliss/hosts/dave/etc/swanctl/x509ca/strongswan_blissCert.der b/testing/tests/swanctl/rw-newhope-bliss/hosts/dave/etc/swanctl/x509ca/strongswan_blissCert.der Binary files differnew file mode 100644 index 000000000..fdfd39f13 --- /dev/null +++ b/testing/tests/swanctl/rw-newhope-bliss/hosts/dave/etc/swanctl/x509ca/strongswan_blissCert.der diff --git a/testing/tests/swanctl/rw-newhope-bliss/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-newhope-bliss/hosts/moon/etc/strongswan.conf new file mode 100755 index 000000000..98de2c921 --- /dev/null +++ b/testing/tests/swanctl/rw-newhope-bliss/hosts/moon/etc/strongswan.conf @@ -0,0 +1,18 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon { + load = random nonce sha1 sha2 sha3 aes chapoly newhope mgf1 bliss hmac pem pkcs1 x509 revocation constraints pubkey gmp curl kernel-netlink socket-default updown vici + + send_vendor_id = yes + fragment_size = 1500 + + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + pools = /usr/local/sbin/swanctl --load-pools + conns = /usr/local/sbin/swanctl --load-conns + } +} diff --git a/testing/tests/swanctl/rw-newhope-bliss/hosts/moon/etc/swanctl/bliss/moonKey.der b/testing/tests/swanctl/rw-newhope-bliss/hosts/moon/etc/swanctl/bliss/moonKey.der Binary files differnew file mode 100644 index 000000000..c989f91e5 --- /dev/null +++ b/testing/tests/swanctl/rw-newhope-bliss/hosts/moon/etc/swanctl/bliss/moonKey.der diff --git a/testing/tests/swanctl/rw-newhope-bliss/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-newhope-bliss/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..bce22d057 --- /dev/null +++ b/testing/tests/swanctl/rw-newhope-bliss/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,33 @@ +connections { + + rw { + local_addrs = 192.168.0.1 + pools = rw_pool + + local { + auth = pubkey + certs = moonCert.der + id = moon.strongswan.org + } + remote { + auth = pubkey + } + children { + net { + local_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes256gcm128-newhope128 + } + } + version = 2 + proposals = aes256-sha256-newhope128 + fragmentation = yes + } +} + +pools { + rw_pool { + addrs = 10.3.0.0/28 + } +} diff --git a/testing/tests/swanctl/rw-newhope-bliss/hosts/moon/etc/swanctl/x509/moonCert.der b/testing/tests/swanctl/rw-newhope-bliss/hosts/moon/etc/swanctl/x509/moonCert.der Binary files differnew file mode 100644 index 000000000..d0ea364b0 --- /dev/null +++ b/testing/tests/swanctl/rw-newhope-bliss/hosts/moon/etc/swanctl/x509/moonCert.der diff --git a/testing/tests/swanctl/rw-newhope-bliss/hosts/moon/etc/swanctl/x509ca/strongswan_blissCert.der b/testing/tests/swanctl/rw-newhope-bliss/hosts/moon/etc/swanctl/x509ca/strongswan_blissCert.der Binary files differnew file mode 100644 index 000000000..fdfd39f13 --- /dev/null +++ b/testing/tests/swanctl/rw-newhope-bliss/hosts/moon/etc/swanctl/x509ca/strongswan_blissCert.der diff --git a/testing/tests/swanctl/rw-newhope-bliss/posttest.dat b/testing/tests/swanctl/rw-newhope-bliss/posttest.dat new file mode 100755 index 000000000..d7107ccc6 --- /dev/null +++ b/testing/tests/swanctl/rw-newhope-bliss/posttest.dat @@ -0,0 +1,8 @@ +carol::swanctl --terminate --ike home +dave::swanctl --terminate --ike home +carol::service charon stop 2> /dev/null +dave::service charon stop 2> /dev/null +moon::service charon stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/rw-newhope-bliss/pretest.dat b/testing/tests/swanctl/rw-newhope-bliss/pretest.dat new file mode 100755 index 000000000..a550a2f6d --- /dev/null +++ b/testing/tests/swanctl/rw-newhope-bliss/pretest.dat @@ -0,0 +1,14 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules +moon::cd /etc/swanctl; rm rsa/* x509/moonCert.pem x509ca/strongswanCert.pem +carol::cd /etc/swanctl; rm rsa/* x509/carolCert.pem x509ca/strongswanCert.pem +dave::cd /etc/swanctl; rm rsa/* x509/daveCert.pem x509ca/strongswanCert.pem +moon::service charon start 2> /dev/null +carol::service charon start 2> /dev/null +dave::service charon start 2> /dev/null +moon::expect-connection rw +carol::expect-connection home +carol::swanctl --initiate --child home 2> /dev/null +dave::expect-connection home +dave::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/rw-newhope-bliss/test.conf b/testing/tests/swanctl/rw-newhope-bliss/test.conf new file mode 100755 index 000000000..1227b9d1c --- /dev/null +++ b/testing/tests/swanctl/rw-newhope-bliss/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/swanctl/rw-ntru-bliss/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-ntru-bliss/hosts/carol/etc/strongswan.conf index 1a8d3625e..b158ccdb3 100644 --- a/testing/tests/swanctl/rw-ntru-bliss/hosts/carol/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-ntru-bliss/hosts/carol/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = random nonce aes sha1 sha2 sha3 hmac ntru bliss x509 revocation pem pkcs1 curl vici kernel-netlink socket-default updown + load = random nonce aes sha1 sha2 sha3 hmac mgf1 ntru bliss x509 revocation pem pkcs1 curl vici kernel-netlink socket-default updown send_vendor_id = yes fragment_size = 1500 diff --git a/testing/tests/swanctl/rw-ntru-bliss/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-ntru-bliss/hosts/dave/etc/strongswan.conf index 1a8d3625e..b158ccdb3 100644 --- a/testing/tests/swanctl/rw-ntru-bliss/hosts/dave/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-ntru-bliss/hosts/dave/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = random nonce aes sha1 sha2 sha3 hmac ntru bliss x509 revocation pem pkcs1 curl vici kernel-netlink socket-default updown + load = random nonce aes sha1 sha2 sha3 hmac mgf1 ntru bliss x509 revocation pem pkcs1 curl vici kernel-netlink socket-default updown send_vendor_id = yes fragment_size = 1500 diff --git a/testing/tests/swanctl/rw-ntru-bliss/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-ntru-bliss/hosts/moon/etc/strongswan.conf index ec18f448c..c6dd6be45 100644 --- a/testing/tests/swanctl/rw-ntru-bliss/hosts/moon/etc/strongswan.conf +++ b/testing/tests/swanctl/rw-ntru-bliss/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = random nonce aes sha1 sha2 sha3 hmac ntru bliss x509 revocation pem pkcs1 curl vici kernel-netlink socket-default updown + load = random nonce aes sha1 sha2 sha3 hmac mgf1 ntru bliss x509 revocation pem pkcs1 curl vici kernel-netlink socket-default updown send_vendor_id = yes fragment_size = 1500 |