diff options
| author | René Mayrhofer <rene@mayrhofer.eu.org> | 2011-05-19 13:37:29 +0200 |
|---|---|---|
| committer | René Mayrhofer <rene@mayrhofer.eu.org> | 2011-05-19 13:37:29 +0200 |
| commit | 0a9d51a49042a68daa15b0c74a2b7f152f52606b (patch) | |
| tree | 451888dcb17d00e52114f734e846821373fbbd44 /testing | |
| parent | 568905f488e63e28778f87ac0e38d845f45bae79 (diff) | |
| download | vyos-strongswan-0a9d51a49042a68daa15b0c74a2b7f152f52606b.tar.gz vyos-strongswan-0a9d51a49042a68daa15b0c74a2b7f152f52606b.zip | |
Imported Upstream version 4.5.2
Diffstat (limited to 'testing')
135 files changed, 1825 insertions, 58 deletions
diff --git a/testing/Makefile.in b/testing/Makefile.in index cbb7555f0..67cdc194a 100644 --- a/testing/Makefile.in +++ b/testing/Makefile.in @@ -196,6 +196,8 @@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ openac_plugins = @openac_plugins@ p_plugins = @p_plugins@ +pcsclite_CFLAGS = @pcsclite_CFLAGS@ +pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ piddir = @piddir@ pki_plugins = @pki_plugins@ @@ -219,6 +221,7 @@ soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ +systemdsystemunitdir = @systemdsystemunitdir@ target_alias = @target_alias@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ diff --git a/testing/do-tests.in b/testing/do-tests.in index 27ad200fb..2c5c07278 100755 --- a/testing/do-tests.in +++ b/testing/do-tests.in @@ -117,13 +117,7 @@ done KERNEL_VERSION=`basename $KERNEL .tar.bz2` IPSEC_VERSION=`basename $STRONGSWAN .tar.bz2` -cat > $INDEX <<@EOF -<html> -<head> - <title>strongSwan UML Tests</title> -</head> -<body> - <h2>strongSwan UML Tests</h2> +ENVIRONMENT_HEADER=$(cat <<@EOF <table border="0" cellspacing="2"> <tr valign="top"> <td><b>Host:</b></td> @@ -148,9 +142,27 @@ cat > $INDEX <<@EOF <td > </td> </tr> @EOF +) -cat $INDEX > $TESTRESULTSHTML -cat >> $TESTRESULTSHTML <<@EOF +cat > $INDEX <<@EOF +<html> +<head> + <title>strongSwan UML Tests</title> +</head> +<body> + <h2>strongSwan UML Tests</h2> + $ENVIRONMENT_HEADER +@EOF + +cat > $TESTRESULTSHTML <<@EOF +<html> +<head> + <title>strongSwan UML Tests - All Tests</title> +</head> +<body> + <div><a href="index.html">strongSwan UML Tests</a> / All Tests</div> + <h2>All Tests</h2> + $ENVIRONMENT_HEADER <tr align="left"> <th>Number</th> <th>Test</th> @@ -213,6 +225,7 @@ do <title>strongSwan $SUBDIR Tests</title> </head> <body> + <div><a href="../index.html">strongSwan UML Tests</a> / $SUBDIR</div> <h2>strongSwan $SUBDIR Tests</h2> <table border="0" cellspacing="2"> <tr valign="top"> @@ -455,8 +468,9 @@ do <title>Test $testname</title> </head> <body> -<table border="0" width="600"> +<table border="0" cellpadding="0" cellspacing="0" width="600"> <tr><td> + <div><a href="../../index.html">strongSwan UML Tests</a> / <a href="../index.html">$SUBDIR</a> / $name</div> <h2>Test $testname</h2> <h3>Description</h3> @EOF @@ -576,9 +590,6 @@ do cat >> $TESTRESULTDIR/index.html <<@EOF </td></tr> - <tr><td align="right"> - <b><a href="../index.html">Back</a></b> - </td></tr> </table> </body> </html> @@ -670,7 +681,7 @@ do cat >> $TESTRESULTSHTML << @EOF <tr> <td>$testnumber</td> - <td><a href="$testname/">$testname</a></td> + <td><a href="$testname/index.html">$testname</a></td> <td><a href="$testname/console.log"><font color="$COLOR">$STATUS</font></a></td> <td> </td> </tr> @@ -678,7 +689,7 @@ do cat >> $SUBTESTSINDEX << @EOF <tr> <td>$testnumber</td> - <td><a href="$name/">$name</a></td> + <td><a href="$name/index.html">$name</a></td> <td><a href="$name/console.log"><font color="$COLOR">$STATUS</font></a></td> <td> </td> </tr> @@ -705,11 +716,16 @@ done # cat >> $TESTRESULTSHTML << @EOF + <tr> + <td> </td><td> </td><td> </td><td> </td> + </tr> + <tr> + <td><b>Passed:</b></td><td><b><font color="green">$passed_cnt</font></b></td><td> </td><td> </td> + </tr> + <tr> + <td><b>Failed:</b></td><td><b><font color="red">$failed_cnt</font></b></td><td> </td><td> </td> + </tr> </table> - <p> - <b>Passed: <font color="green">$passed_cnt</font></b><br> - <b>Failed: <font color="red">$failed_cnt</font></b><br> - <p> </body> </html> @EOF diff --git a/testing/scripts/build-umlrootfs b/testing/scripts/build-umlrootfs index 023b71750..182feab7d 100755 --- a/testing/scripts/build-umlrootfs +++ b/testing/scripts/build-umlrootfs @@ -182,6 +182,11 @@ then echo -n " --enable-eap-ttls" >> $INSTALLSHELL fi +if [ "$USE_EAP_PEAP" = "yes" ] +then + echo -n " --enable-eap-peap" >> $INSTALLSHELL +fi + if [ "$USE_EAP_TNC" = "yes" ] then echo -n " --enable-eap-tnc" >> $INSTALLSHELL @@ -307,6 +312,16 @@ then echo -n " --enable-ha" >> $INSTALLSHELL fi +if [ "$USE_AF_ALG" = "yes" ] +then + echo -n " --enable-af-alg" >> $INSTALLSHELL +fi + +if [ "$USE_WHITELIST" = "yes" ] +then + echo -n " --enable-whitelist" >> $INSTALLSHELL +fi + if [ "$USE_CISCO_QUIRKS" = "yes" ] then echo -n " --enable-cisco-quirks" >> $INSTALLSHELL diff --git a/testing/testing.conf b/testing/testing.conf index b078ab2c0..9b5609424 100755 --- a/testing/testing.conf +++ b/testing/testing.conf @@ -19,19 +19,19 @@ UMLTESTDIR=~/strongswan-testing # Bzipped kernel sources # (file extension .tar.bz2 required) -KERNEL=$UMLTESTDIR/linux-2.6.36.2.tar.bz2 +KERNEL=$UMLTESTDIR/linux-2.6.38.tar.bz2 # Extract kernel version KERNELVERSION=`basename $KERNEL .tar.bz2 | sed -e 's/linux-//'` # Kernel configuration file -KERNELCONFIG=$UMLTESTDIR/.config-2.6.36 +KERNELCONFIG=$UMLTESTDIR/.config-2.6.38 # Bzipped uml patch for kernel -UMLPATCH=$UMLTESTDIR/ha-2.6.36.patch.bz2 +UMLPATCH=$UMLTESTDIR/ha-2.6.37.patch.bz2 # Bzipped source of strongSwan -STRONGSWAN=$UMLTESTDIR/strongswan-4.5.1.tar.bz2 +STRONGSWAN=$UMLTESTDIR/strongswan-4.5.2.tar.bz2 # strongSwan compile options (use "yes" or "no") USE_LIBCURL="yes" @@ -44,6 +44,7 @@ USE_EAP_IDENTITY="yes" USE_EAP_RADIUS="yes" USE_EAP_TLS="yes" USE_EAP_TTLS="yes" +USE_EAP_PEAP="yes" USE_EAP_TNC="yes" USE_TNC_IMC="yes" USE_TNC_IMV="yes" @@ -69,6 +70,8 @@ USE_CTR="yes" USE_CCM="yes" USE_GCM="yes" USE_HA="yes" +USE_AF_ALG="yes" +USE_WHITELIST="yes" USE_CISCO_QUIRKS="no" # Gentoo linux root filesystem diff --git a/testing/tests/af-alg-ikev1/alg-camellia/description.txt b/testing/tests/af-alg-ikev1/alg-camellia/description.txt new file mode 100644 index 000000000..a9633ee84 --- /dev/null +++ b/testing/tests/af-alg-ikev1/alg-camellia/description.txt @@ -0,0 +1,4 @@ +Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the cipher suite +<b>CAMELLIA_CBC_128 / HMAC_SHA2_256 / MODP_2048</b> for the IKE protocol and +<b>CAMELLIA_CBC_128 / HMAC_SHA2_256_128 </b> for ESP packets. A ping from <b>carol</b> to +<b>alice</b> successfully checks the established tunnel. diff --git a/testing/tests/af-alg-ikev1/alg-camellia/evaltest.dat b/testing/tests/af-alg-ikev1/alg-camellia/evaltest.dat new file mode 100644 index 000000000..93f82906e --- /dev/null +++ b/testing/tests/af-alg-ikev1/alg-camellia/evaltest.dat @@ -0,0 +1,11 @@ +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +carol::ipsec statusall::IKE proposal: CAMELLIA_CBC_128/HMAC_SHA2_256/MODP_2048::YES +moon::ipsec statusall::IKE proposal: CAMELLIA_CBC_128/HMAC_SHA2_256/MODP_2048::YES +carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES +carol::ipsec statusall::ESP proposal: CAMELLIA_CBC_128/HMAC_SHA2_256::YES +moon::ipsec statusall::ESP proposal: CAMELLIA_CBC_128/HMAC_SHA2_256::YES +carol::ip xfrm state::enc cbc(camellia)::YES +moon::ip xfrm state::enc cbc(camellia)::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 200::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 200::YES diff --git a/testing/tests/af-alg-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf b/testing/tests/af-alg-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..cf51269a5 --- /dev/null +++ b/testing/tests/af-alg-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug="control crypt" + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + ike=camellia128-sha256-modp2048! + esp=camellia128-sha256! + +conn home + left=PH_IP_CAROL + leftcert=carolCert.pem + leftid=carol@strongswan.org + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/af-alg-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf b/testing/tests/af-alg-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..04c2358ed --- /dev/null +++ b/testing/tests/af-alg-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = pem pkcs1 x509 af-alg gmp random curl kernel-netlink +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/af-alg-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf b/testing/tests/af-alg-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..5571dc086 --- /dev/null +++ b/testing/tests/af-alg-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug="control crypt" + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + ike=camellia128-sha256-modp2048! + esp=camellia128-sha256! + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + right=%any + rightid=carol@strongswan.org + auto=add diff --git a/testing/tests/af-alg-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf b/testing/tests/af-alg-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..04c2358ed --- /dev/null +++ b/testing/tests/af-alg-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = pem pkcs1 x509 af-alg gmp random curl kernel-netlink +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/af-alg-ikev1/alg-camellia/posttest.dat b/testing/tests/af-alg-ikev1/alg-camellia/posttest.dat new file mode 100644 index 000000000..c6d6235f9 --- /dev/null +++ b/testing/tests/af-alg-ikev1/alg-camellia/posttest.dat @@ -0,0 +1,2 @@ +moon::ipsec stop +carol::ipsec stop diff --git a/testing/tests/af-alg-ikev1/alg-camellia/pretest.dat b/testing/tests/af-alg-ikev1/alg-camellia/pretest.dat new file mode 100644 index 000000000..6d2eeb5f9 --- /dev/null +++ b/testing/tests/af-alg-ikev1/alg-camellia/pretest.dat @@ -0,0 +1,5 @@ +moon::echo 1 > /proc/sys/net/ipv4/ip_forward +carol::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/af-alg-ikev1/alg-camellia/test.conf b/testing/tests/af-alg-ikev1/alg-camellia/test.conf new file mode 100644 index 000000000..6abbb89a9 --- /dev/null +++ b/testing/tests/af-alg-ikev1/alg-camellia/test.conf @@ -0,0 +1,22 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" + diff --git a/testing/tests/af-alg-ikev1/rw-cert/description.txt b/testing/tests/af-alg-ikev1/rw-cert/description.txt new file mode 100644 index 000000000..d0c5e9200 --- /dev/null +++ b/testing/tests/af-alg-ikev1/rw-cert/description.txt @@ -0,0 +1,12 @@ +The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>Crypto API</b> +of the Linux kernel via the <b>af_alg</b> userland interface for all symmetric +encryption and hash functions whereas roadwarrior <b>dave</b> uses the default +<b>strongSwan</b> cryptographical plugins <b>aes des sha1 sha2 md5 gmp</b>. +<p> +The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each +to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>. +Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b> +automatically inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping +the client <b>alice</b> behind the gateway <b>moon</b>. + diff --git a/testing/tests/af-alg-ikev1/rw-cert/evaltest.dat b/testing/tests/af-alg-ikev1/rw-cert/evaltest.dat new file mode 100644 index 000000000..1a9b9159f --- /dev/null +++ b/testing/tests/af-alg-ikev1/rw-cert/evaltest.dat @@ -0,0 +1,10 @@ +moon::ipsec statusall::IPsec SA established::YES +carol::ipsec statusall::IPsec SA established::YES +dave::ipsec statusall::IPsec SA established::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES + diff --git a/testing/tests/af-alg-ikev1/rw-cert/hosts/carol/etc/ipsec.conf b/testing/tests/af-alg-ikev1/rw-cert/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..80dae3719 --- /dev/null +++ b/testing/tests/af-alg-ikev1/rw-cert/hosts/carol/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + plutodebug=control + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + ike=3des-sha1-modp1536! + +conn home + left=PH_IP_CAROL + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/af-alg-ikev1/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/af-alg-ikev1/rw-cert/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..fd687c13a --- /dev/null +++ b/testing/tests/af-alg-ikev1/rw-cert/hosts/carol/etc/strongswan.conf @@ -0,0 +1,15 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = test-vectors pem pkcs1 x509 af-alg gmp random curl kernel-netlink +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no + integrity_test = yes + crypto_test { + on_add = yes + } +} diff --git a/testing/tests/af-alg-ikev1/rw-cert/hosts/dave/etc/ipsec.conf b/testing/tests/af-alg-ikev1/rw-cert/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..73167caad --- /dev/null +++ b/testing/tests/af-alg-ikev1/rw-cert/hosts/dave/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + plutodebug=control + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + ike=aes256-sha256-modp2048! + +conn home + left=PH_IP_DAVE + leftcert=daveCert.pem + leftid=dave@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/af-alg-ikev1/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/af-alg-ikev1/rw-cert/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..5cc54b24f --- /dev/null +++ b/testing/tests/af-alg-ikev1/rw-cert/hosts/dave/etc/strongswan.conf @@ -0,0 +1,16 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = test-vectors aes des sha1 sha2 md5 pem pkcs1 x509 gmp random hmac curl kernel-netlink +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no + integrity_test = yes + crypto_test { + required = yes + on_add = yes + } +} diff --git a/testing/tests/af-alg-ikev1/rw-cert/hosts/moon/etc/ipsec.conf b/testing/tests/af-alg-ikev1/rw-cert/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..f365b07da --- /dev/null +++ b/testing/tests/af-alg-ikev1/rw-cert/hosts/moon/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + plutodebug=control + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + ike=aes256-sha256-modp2048,3des-sha1-modp1536! + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + leftfirewall=yes + right=%any + auto=add diff --git a/testing/tests/af-alg-ikev1/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/af-alg-ikev1/rw-cert/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..fd687c13a --- /dev/null +++ b/testing/tests/af-alg-ikev1/rw-cert/hosts/moon/etc/strongswan.conf @@ -0,0 +1,15 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = test-vectors pem pkcs1 x509 af-alg gmp random curl kernel-netlink +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no + integrity_test = yes + crypto_test { + on_add = yes + } +} diff --git a/testing/tests/af-alg-ikev1/rw-cert/posttest.dat b/testing/tests/af-alg-ikev1/rw-cert/posttest.dat new file mode 100644 index 000000000..7cebd7f25 --- /dev/null +++ b/testing/tests/af-alg-ikev1/rw-cert/posttest.dat @@ -0,0 +1,6 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +dave::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/af-alg-ikev1/rw-cert/pretest.dat b/testing/tests/af-alg-ikev1/rw-cert/pretest.dat new file mode 100644 index 000000000..42e9d7c24 --- /dev/null +++ b/testing/tests/af-alg-ikev1/rw-cert/pretest.dat @@ -0,0 +1,9 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +dave::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +carol::ipsec start +dave::ipsec start +carol::sleep 1 +carol::ipsec up home +dave::ipsec up home diff --git a/testing/tests/af-alg-ikev1/rw-cert/test.conf b/testing/tests/af-alg-ikev1/rw-cert/test.conf new file mode 100644 index 000000000..70416826e --- /dev/null +++ b/testing/tests/af-alg-ikev1/rw-cert/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/af-alg-ikev2/alg-camellia/description.txt b/testing/tests/af-alg-ikev2/alg-camellia/description.txt new file mode 100644 index 000000000..b3515c333 --- /dev/null +++ b/testing/tests/af-alg-ikev2/alg-camellia/description.txt @@ -0,0 +1,4 @@ +Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the IKE cipher suite <b>CAMELLIA_CBC_256 / +HMAC_SHA2_512_256 / MODP_2048</b> by defining <b>ike=camellia256-sha256-modp2048</b> as well as +the ESP cipher suite <b>CAMELLIA_CBC_192 / HMAC_SHA1_96</b> by defining <b>esp=camellia192-sha1</b> +in ipsec.conf. A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel. diff --git a/testing/tests/af-alg-ikev2/alg-camellia/evaltest.dat b/testing/tests/af-alg-ikev2/alg-camellia/evaltest.dat new file mode 100644 index 000000000..d77c4806e --- /dev/null +++ b/testing/tests/af-alg-ikev2/alg-camellia/evaltest.dat @@ -0,0 +1,11 @@ +moon::ipsec statusall::rw.*INSTALLED::YES +carol::ipsec statusall::home.*INSTALLED::YES +moon::ipsec statusall::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES +carol::ipsec statusall::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES +carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon::ipsec statusall::CAMELLIA_CBC_192/HMAC_SHA1_96::YES +carol::ipsec statusall::CAMELLIA_CBC_192/HMAC_SHA1_96::YES +moon::ip xfrm state::enc cbc(camellia)::YES +carol::ip xfrm state::enc cbc(camellia)::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 196::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 196::YES diff --git a/testing/tests/af-alg-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf b/testing/tests/af-alg-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..37f8a7ecf --- /dev/null +++ b/testing/tests/af-alg-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=yes + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + ike=camellia256-sha512-modp2048! + esp=camellia192-sha1! + +conn home + left=PH_IP_CAROL + leftfirewall=yes + leftcert=carolCert.pem + leftid=carol@strongswan.org + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/af-alg-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf b/testing/tests/af-alg-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..3cd390829 --- /dev/null +++ b/testing/tests/af-alg-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl pem pkcs1 af-alg gmp random x509 revocation stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/af-alg-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf b/testing/tests/af-alg-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..f8d7e3fe9 --- /dev/null +++ b/testing/tests/af-alg-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=yes + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + ike=camellia256-sha512-modp2048! + esp=camellia192-sha1! + +conn rw + left=PH_IP_MOON + leftfirewall=yes + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + right=%any + auto=add diff --git a/testing/tests/af-alg-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf b/testing/tests/af-alg-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..3cd390829 --- /dev/null +++ b/testing/tests/af-alg-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl pem pkcs1 af-alg gmp random x509 revocation stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/af-alg-ikev2/alg-camellia/posttest.dat b/testing/tests/af-alg-ikev2/alg-camellia/posttest.dat new file mode 100644 index 000000000..94a400606 --- /dev/null +++ b/testing/tests/af-alg-ikev2/alg-camellia/posttest.dat @@ -0,0 +1,4 @@ +moon::ipsec stop +carol::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/af-alg-ikev2/alg-camellia/pretest.dat b/testing/tests/af-alg-ikev2/alg-camellia/pretest.dat new file mode 100644 index 000000000..3c3df0196 --- /dev/null +++ b/testing/tests/af-alg-ikev2/alg-camellia/pretest.dat @@ -0,0 +1,7 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +carol::ipsec start +carol::sleep 1 +carol::ipsec up home +carol::sleep 1 diff --git a/testing/tests/af-alg-ikev2/alg-camellia/test.conf b/testing/tests/af-alg-ikev2/alg-camellia/test.conf new file mode 100644 index 000000000..9cd583b16 --- /dev/null +++ b/testing/tests/af-alg-ikev2/alg-camellia/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/af-alg-ikev2/rw-cert/description.txt b/testing/tests/af-alg-ikev2/rw-cert/description.txt new file mode 100644 index 000000000..d0c5e9200 --- /dev/null +++ b/testing/tests/af-alg-ikev2/rw-cert/description.txt @@ -0,0 +1,12 @@ +The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>Crypto API</b> +of the Linux kernel via the <b>af_alg</b> userland interface for all symmetric +encryption and hash functions whereas roadwarrior <b>dave</b> uses the default +<b>strongSwan</b> cryptographical plugins <b>aes des sha1 sha2 md5 gmp</b>. +<p> +The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each +to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>. +Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b> +automatically inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping +the client <b>alice</b> behind the gateway <b>moon</b>. + diff --git a/testing/tests/af-alg-ikev2/rw-cert/evaltest.dat b/testing/tests/af-alg-ikev2/rw-cert/evaltest.dat new file mode 100644 index 000000000..06a0f8cda --- /dev/null +++ b/testing/tests/af-alg-ikev2/rw-cert/evaltest.dat @@ -0,0 +1,10 @@ +moon::ipsec statusall::rw.*ESTABLISHED::YES +carol::ipsec statusall::home.*ESTABLISHED::YES +dave::ipsec statusall::home.*ESTABLISHED::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES + diff --git a/testing/tests/af-alg-ikev2/rw-cert/hosts/carol/etc/ipsec.conf b/testing/tests/af-alg-ikev2/rw-cert/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..4a8baa3ae --- /dev/null +++ b/testing/tests/af-alg-ikev2/rw-cert/hosts/carol/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + ike=3des-sha1-modp1536! + +conn home + left=PH_IP_CAROL + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/af-alg-ikev2/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/af-alg-ikev2/rw-cert/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..1c71b885f --- /dev/null +++ b/testing/tests/af-alg-ikev2/rw-cert/hosts/carol/etc/strongswan.conf @@ -0,0 +1,12 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl test-vectors pem pkcs1 af-alg gmp random x509 revocation ctr ccm gcm stroke kernel-netlink socket-default updown +} + +libstrongswan { + integrity_test = yes + crypto_test { + on_add = yes + } +} diff --git a/testing/tests/af-alg-ikev2/rw-cert/hosts/dave/etc/ipsec.conf b/testing/tests/af-alg-ikev2/rw-cert/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..42f03aab3 --- /dev/null +++ b/testing/tests/af-alg-ikev2/rw-cert/hosts/dave/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + ike=aes256-sha256-modp2048! + +conn home + left=PH_IP_DAVE + leftcert=daveCert.pem + leftid=dave@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/af-alg-ikev2/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/af-alg-ikev2/rw-cert/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..e483eba9d --- /dev/null +++ b/testing/tests/af-alg-ikev2/rw-cert/hosts/dave/etc/strongswan.conf @@ -0,0 +1,13 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown +} + +libstrongswan { + integrity_test = yes + crypto_test { + required = yes + on_add = yes + } +} diff --git a/testing/tests/af-alg-ikev2/rw-cert/hosts/moon/etc/ipsec.conf b/testing/tests/af-alg-ikev2/rw-cert/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..2e84f2e6a --- /dev/null +++ b/testing/tests/af-alg-ikev2/rw-cert/hosts/moon/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + ike=aes256-sha256-modp2048,3des-sha1-modp1536! + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + leftfirewall=yes + right=%any + auto=add diff --git a/testing/tests/af-alg-ikev2/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/af-alg-ikev2/rw-cert/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..1c71b885f --- /dev/null +++ b/testing/tests/af-alg-ikev2/rw-cert/hosts/moon/etc/strongswan.conf @@ -0,0 +1,12 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl test-vectors pem pkcs1 af-alg gmp random x509 revocation ctr ccm gcm stroke kernel-netlink socket-default updown +} + +libstrongswan { + integrity_test = yes + crypto_test { + on_add = yes + } +} diff --git a/testing/tests/af-alg-ikev2/rw-cert/posttest.dat b/testing/tests/af-alg-ikev2/rw-cert/posttest.dat new file mode 100644 index 000000000..7cebd7f25 --- /dev/null +++ b/testing/tests/af-alg-ikev2/rw-cert/posttest.dat @@ -0,0 +1,6 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +dave::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/af-alg-ikev2/rw-cert/pretest.dat b/testing/tests/af-alg-ikev2/rw-cert/pretest.dat new file mode 100644 index 000000000..42e9d7c24 --- /dev/null +++ b/testing/tests/af-alg-ikev2/rw-cert/pretest.dat @@ -0,0 +1,9 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +dave::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +carol::ipsec start +dave::ipsec start +carol::sleep 1 +carol::ipsec up home +dave::ipsec up home diff --git a/testing/tests/af-alg-ikev2/rw-cert/test.conf b/testing/tests/af-alg-ikev2/rw-cert/test.conf new file mode 100644 index 000000000..70416826e --- /dev/null +++ b/testing/tests/af-alg-ikev2/rw-cert/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ha/both-active/evaltest.dat b/testing/tests/ha/both-active/evaltest.dat index 7256743ac..3fb52f927 100644 --- a/testing/tests/ha/both-active/evaltest.dat +++ b/testing/tests/ha/both-active/evaltest.dat @@ -1,13 +1,13 @@ -moon::ipsec statusall::rw.*ESTABLISHED.*carol@strongswan.org::YES -moon::ipsec statusall::rw.*ESTABLISHED.*dave@strongswan.org::YES -alice::ipsec statusall::rw.*PASSIVE.*carol@strongswan.org::YES -alice::ipsec statusall::rw.*PASSIVE.*dave@strongswan.org::YES +alice::ipsec statusall::rw.*ESTABLISHED.*carol@strongswan.org::YES +alice::ipsec statusall::rw.*ESTABLISHED.*dave@strongswan.org::YES +moon::ipsec statusall::rw.*PASSIVE.*carol@strongswan.org::YES +moon::ipsec statusall::rw.*PASSIVE.*dave@strongswan.org::YES carol::ipsec statusall::home.*ESTABLISHED::YES dave::ipsec statusall::home.*ESTABLISHED::YES -alice::cat /var/log/daemon.log::HA segment 1 activated::YES moon::cat /var/log/daemon.log::HA segment 2 activated::YES -alice::cat /var/log/daemon.log::installed HA CHILD_SA::YES -moon::cat /var/log/daemon.log::handling HA CHILD_SA::YES +alice::cat /var/log/daemon.log::HA segment 1 activated::YES +moon::cat /var/log/daemon.log::installed HA CHILD_SA::YES +alice::cat /var/log/daemon.log::handling HA CHILD_SA::YES carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES carol::tcpdump::IP carol.strongswan.org > mars.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/rw-eap-peap-md5/description.txt b/testing/tests/ikev2/rw-eap-peap-md5/description.txt new file mode 100644 index 000000000..7f9ade88a --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-md5/description.txt @@ -0,0 +1,10 @@ +The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>. +The strong mutual authentication is based on <b>EAP-PEAP</b> only (without a separate IKEv2 +authentication) with the gateway being authenticated by a server certificate during the +EAP-TLS tunnel setup (phase1 of EAP-PEAP). This tunnel protects the ensuing weak client +authentication based on <b>EAP-MD5</b> (phase2 of EAP-PEAP). +<p/> +With the setting <b>charon.plugins.eap-peap.phase2_piggyback = yes</b> the server <b>moon</b> +initiates phase2 of the EAP-PEAP protocol by piggybacking a tunneled EAP Identity request +right onto the TLS Finished message. Client <b>carol</b> presents the correct MD5 password +and succeeds whereas client <b>dave</b> chooses the wrong password and fails. diff --git a/testing/tests/ikev2/rw-eap-peap-md5/evaltest.dat b/testing/tests/ikev2/rw-eap-peap-md5/evaltest.dat new file mode 100644 index 000000000..0908e1c97 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-md5/evaltest.dat @@ -0,0 +1,19 @@ +carol::cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES +carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES +carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES +carol::cat /var/log/daemon.log::EAP method EAP_PEAP succeeded, MSK established::YES +carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with EAP successful::YES +dave::cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES +dave::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES +dave::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES +dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES +moon::cat /var/log/daemon.log::EAP_PEAP phase2 authentication of 'carol@strongswan.org' with EAP_MD5 successful::YES +moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES +moon::cat /var/log/daemon.log::EAP method EAP_PEAP failed for peer dave@strongswan.org::YES +moon::ipsec statusall::rw-eap.*ESTABLISHED.*carol@strongswan.org::YES +moon::ipsec statusall::rw-eap.*ESTABLISHED.*dave@stronswan.org::NO +carol::ipsec statusall::home.*ESTABLISHED::YES +dave::ipsec statusall::home.*ESTABLISHED::NO +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/rw-eap-peap-md5/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-peap-md5/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..2f8b9dfda --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-md5/hosts/carol/etc/ipsec.conf @@ -0,0 +1,22 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_CAROL + leftid=carol@strongswan.org + leftauth=eap + leftfirewall=yes + right=PH_IP_MOON + rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org" + rightsubnet=10.1.0.0/16 + rightsendcert=never + auto=add diff --git a/testing/tests/ikev2/rw-eap-peap-md5/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-peap-md5/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..74942afda --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-md5/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +carol@strongswan.org : EAP "Ar3etTnp" diff --git a/testing/tests/ikev2/rw-eap-peap-md5/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-peap-md5/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..2c06d26a6 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-md5/hosts/carol/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-peap updown + multiple_authentication=no +} diff --git a/testing/tests/ikev2/rw-eap-peap-md5/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-peap-md5/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..3a29329d5 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-md5/hosts/dave/etc/ipsec.conf @@ -0,0 +1,22 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_DAVE + leftid=dave@strongswan.org + leftauth=eap + leftfirewall=yes + right=PH_IP_MOON + rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org" + rightsubnet=10.1.0.0/16 + rightsendcert=never + auto=add diff --git a/testing/tests/ikev2/rw-eap-peap-md5/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-peap-md5/hosts/dave/etc/ipsec.secrets new file mode 100644 index 000000000..d5631a9f5 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-md5/hosts/dave/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +dave@strongswan.org : EAP "UgaM65Va" diff --git a/testing/tests/ikev2/rw-eap-peap-md5/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-peap-md5/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..2c06d26a6 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-md5/hosts/dave/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-peap updown + multiple_authentication=no +} diff --git a/testing/tests/ikev2/rw-eap-peap-md5/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-peap-md5/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..129486c05 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-md5/hosts/moon/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn rw-eap + left=PH_IP_MOON + leftsubnet=10.1.0.0/16 + leftcert=moonCert.pem + leftauth=eap-peap + leftfirewall=yes + rightauth=eap-peap + rightsendcert=never + right=%any + auto=add diff --git a/testing/tests/ikev2/rw-eap-peap-md5/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-peap-md5/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..2e277ccb0 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-md5/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,6 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA moonKey.pem + +carol@strongswan.org : EAP "Ar3etTnp" +dave@strongswan.org : EAP "W7R0g3do" diff --git a/testing/tests/ikev2/rw-eap-peap-md5/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-peap-md5/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..68d2cd95a --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-md5/hosts/moon/etc/strongswan.conf @@ -0,0 +1,12 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-peap updown + multiple_authentication=no + plugins { + eap-peap { + phase2_method = md5 + phase2_piggyback = yes + } + } +} diff --git a/testing/tests/ikev2/rw-eap-peap-md5/posttest.dat b/testing/tests/ikev2/rw-eap-peap-md5/posttest.dat new file mode 100644 index 000000000..7cebd7f25 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-md5/posttest.dat @@ -0,0 +1,6 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +dave::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev2/rw-eap-peap-md5/pretest.dat b/testing/tests/ikev2/rw-eap-peap-md5/pretest.dat new file mode 100644 index 000000000..369596177 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-md5/pretest.dat @@ -0,0 +1,10 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +dave::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +carol::ipsec start +dave::ipsec start +carol::sleep 1 +carol::ipsec up home +dave::ipsec up home +dave::sleep 1 diff --git a/testing/tests/ikev2/rw-eap-peap-md5/test.conf b/testing/tests/ikev2/rw-eap-peap-md5/test.conf new file mode 100644 index 000000000..70416826e --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-md5/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/description.txt b/testing/tests/ikev2/rw-eap-peap-mschapv2/description.txt new file mode 100644 index 000000000..ef2d24f2f --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/description.txt @@ -0,0 +1,8 @@ +The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>. +The strong mutual authentication is based on <b>EAP-PEAP</b> only (without a separate IKEv2 +authentication) with the gateway being authenticated by a server certificate during the +EAP-TLS tunnel setup (phase1 of EAP-PEAP). This tunnel protects the ensuing weak client +authentication based on <b>EAP-MSCHAPv2</b> (phase2 of EAP-PEAP). +<p/> +Client <b>carol</b> presents the correct MSCHAPv2 password and succeeds whereas client +<b>dave</b> chooses the wrong password and fails. diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/evaltest.dat b/testing/tests/ikev2/rw-eap-peap-mschapv2/evaltest.dat new file mode 100644 index 000000000..8743b9643 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/evaltest.dat @@ -0,0 +1,19 @@ +carol::cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES +carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES +carol::cat /var/log/daemon.log::server requested EAP_MSCHAPV2 authentication::YES +carol::cat /var/log/daemon.log::EAP method EAP_PEAP succeeded, MSK established::YES +carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with EAP successful::YES +dave::cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES +dave::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES +dave::cat /var/log/daemon.log::server requested EAP_MSCHAPV2 authentication::YES +dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES +moon::cat /var/log/daemon.log::EAP_PEAP phase2 authentication of 'carol@strongswan.org' with EAP_MSCHAPV2 successful::YES +moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES +moon::cat /var/log/daemon.log::EAP method EAP_PEAP failed for peer dave@strongswan.org::YES +moon::ipsec statusall::rw-eap.*ESTABLISHED.*carol@strongswan.org::YES +moon::ipsec statusall::rw-eap.*ESTABLISHED.*dave@stronswan.org::NO +carol::ipsec statusall::home.*ESTABLISHED::YES +dave::ipsec statusall::home.*ESTABLISHED::NO +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..2f8b9dfda --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/carol/etc/ipsec.conf @@ -0,0 +1,22 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_CAROL + leftid=carol@strongswan.org + leftauth=eap + leftfirewall=yes + right=PH_IP_MOON + rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org" + rightsubnet=10.1.0.0/16 + rightsendcert=never + auto=add diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..74942afda --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +carol@strongswan.org : EAP "Ar3etTnp" diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..2cbfb2484 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/carol/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md4 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-mschapv2 eap-peap updown + multiple_authentication=no +} diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..3a29329d5 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/dave/etc/ipsec.conf @@ -0,0 +1,22 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_DAVE + leftid=dave@strongswan.org + leftauth=eap + leftfirewall=yes + right=PH_IP_MOON + rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org" + rightsubnet=10.1.0.0/16 + rightsendcert=never + auto=add diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/dave/etc/ipsec.secrets new file mode 100644 index 000000000..d5631a9f5 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/dave/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +dave@strongswan.org : EAP "UgaM65Va" diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..2cbfb2484 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/dave/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md4 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-mschapv2 eap-peap updown + multiple_authentication=no +} diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..129486c05 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/moon/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn rw-eap + left=PH_IP_MOON + leftsubnet=10.1.0.0/16 + leftcert=moonCert.pem + leftauth=eap-peap + leftfirewall=yes + rightauth=eap-peap + rightsendcert=never + right=%any + auto=add diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..2e277ccb0 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,6 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA moonKey.pem + +carol@strongswan.org : EAP "Ar3etTnp" +dave@strongswan.org : EAP "W7R0g3do" diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..19d12447f --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/moon/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md4 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-mschapv2 eap-peap updown + multiple_authentication=no + plugins { + eap-peap { + phase2_method = mschapv2 + } + } +} diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/posttest.dat b/testing/tests/ikev2/rw-eap-peap-mschapv2/posttest.dat new file mode 100644 index 000000000..7cebd7f25 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/posttest.dat @@ -0,0 +1,6 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +dave::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/pretest.dat b/testing/tests/ikev2/rw-eap-peap-mschapv2/pretest.dat new file mode 100644 index 000000000..369596177 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/pretest.dat @@ -0,0 +1,10 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +dave::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +carol::ipsec start +dave::ipsec start +carol::sleep 1 +carol::ipsec up home +dave::ipsec up home +dave::sleep 1 diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/test.conf b/testing/tests/ikev2/rw-eap-peap-mschapv2/test.conf new file mode 100644 index 000000000..70416826e --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev2/rw-eap-peap-radius/description.txt b/testing/tests/ikev2/rw-eap-peap-radius/description.txt new file mode 100644 index 000000000..89db03a38 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-radius/description.txt @@ -0,0 +1,8 @@ +The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>. +At the outset the gateway authenticates itself to the clients by sending an IKEv2 +<b>RSA signature</b> accompanied by a certificate. +<b>carol</b> and <b>dave</b> then set up an <b>EAP-PEAP</b> tunnel each via <b>moon</b> to +the FreeRADIUS server <b>alice</b> authenticated by an X.509 AAA certificate. +The strong EAP-PEAP tunnel protects the ensuing weak client authentication based on <b>EAP-MD5</b>. +<b>carol</b> presents the correct MD5 password and succeeds whereas <b>dave</b> chooses the +wrong password and fails. diff --git a/testing/tests/ikev2/rw-eap-peap-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-peap-radius/evaltest.dat new file mode 100644 index 000000000..39a24f15e --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-radius/evaltest.dat @@ -0,0 +1,21 @@ +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES +carol::cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES +carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES +carol::cat /var/log/daemon.log::EAP method EAP_PEAP succeeded, MSK established::YES +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES +dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES +dave::cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES +dave::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES +dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES +moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES +moon::cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES +moon::cat /var/log/daemon.log::EAP method EAP_PEAP failed for peer dave@strongswan.org::YES +moon::ipsec statusall::rw-eap.*ESTABLISHED.*carol@strongswan.org::YES +moon::ipsec statusall::rw-eap.*ESTABLISHED.*dave@strongswan.org::NO +carol::ipsec statusall::home.*ESTABLISHED::YES +dave::ipsec statusall::home.*ESTABLISHED::NO +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES + + diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/clients.conf new file mode 100644 index 000000000..f4e179aa4 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/clients.conf @@ -0,0 +1,4 @@ +client PH_IP_MOON1 { + secret = gv6URkSs + shortname = moon +} diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/eap.conf new file mode 100644 index 000000000..df50901d5 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/eap.conf @@ -0,0 +1,18 @@ +eap { + md5 { + } + default_eap_type = peap + tls { + private_key_file = /etc/raddb/certs/aaaKey.pem + certificate_file = /etc/raddb/certs/aaaCert.pem + CA_file = /etc/raddb/certs/strongswanCert.pem + cipher_list = "DEFAULT" + dh_file = /etc/raddb/certs/dh + random_file = /etc/raddb/certs/random + } + peap { + default_eap_type = md5 + use_tunneled_reply = yes + virtual_server = "inner-tunnel" + } +} diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/proxy.conf new file mode 100644 index 000000000..23cba8d11 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/proxy.conf @@ -0,0 +1,5 @@ +realm strongswan.org { + type = radius + authhost = LOCAL + accthost = LOCAL +} diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/radiusd.conf new file mode 100644 index 000000000..1143a0473 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/radiusd.conf @@ -0,0 +1,120 @@ +# radiusd.conf -- FreeRADIUS server configuration file. + +prefix = /usr +exec_prefix = ${prefix} +sysconfdir = /etc +localstatedir = /var +sbindir = ${exec_prefix}/sbin +logdir = ${localstatedir}/log/radius +raddbdir = ${sysconfdir}/raddb +radacctdir = ${logdir}/radacct + +# name of the running server. See also the "-n" command-line option. +name = radiusd + +# Location of config and logfiles. +confdir = ${raddbdir} +run_dir = ${localstatedir}/run/radiusd + +# Should likely be ${localstatedir}/lib/radiusd +db_dir = ${raddbdir} + +# libdir: Where to find the rlm_* modules. +libdir = ${exec_prefix}/lib + +# pidfile: Where to place the PID of the RADIUS server. +pidfile = ${run_dir}/${name}.pid + +# max_request_time: The maximum time (in seconds) to handle a request. +max_request_time = 30 + +# cleanup_delay: The time to wait (in seconds) before cleaning up +cleanup_delay = 5 + +# max_requests: The maximum number of requests which the server keeps +max_requests = 1024 + +# listen: Make the server listen on a particular IP address, and send +listen { + type = auth + ipaddr = PH_IP_ALICE + port = 0 +} + +# This second "listen" section is for listening on the accounting +# port, too. +# +listen { + type = acct + ipaddr = PH_IP_ALICE + port = 0 +} + +# hostname_lookups: Log the names of clients or just their IP addresses +hostname_lookups = no + +# Core dumps are a bad thing. This should only be set to 'yes' +allow_core_dumps = no + +# Regular expressions +regular_expressions = yes +extended_expressions = yes + +# Logging section. The various "log_*" configuration items +log { + destination = files + file = ${logdir}/radius.log + syslog_facility = daemon + stripped_names = no + auth = yes + auth_badpass = yes + auth_goodpass = yes +} + +# The program to execute to do concurrency checks. +checkrad = ${sbindir}/checkrad + +# Security considerations +security { + max_attributes = 200 + reject_delay = 1 + status_server = yes +} + +# PROXY CONFIGURATION +proxy_requests = yes +$INCLUDE proxy.conf + +# CLIENTS CONFIGURATION +$INCLUDE clients.conf + +# THREAD POOL CONFIGURATION +thread pool { + start_servers = 5 + max_servers = 32 + min_spare_servers = 3 + max_spare_servers = 10 + max_requests_per_server = 0 +} + +# MODULE CONFIGURATION +modules { + $INCLUDE ${confdir}/modules/ + $INCLUDE eap.conf + $INCLUDE sql.conf + $INCLUDE sql/mysql/counter.conf +} + +# Instantiation +instantiate { + exec + expr + expiration + logintime +} + +# Policies +$INCLUDE policy.conf + +# Include all enabled virtual hosts +$INCLUDE sites-enabled/ diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/sites-available/default new file mode 100644 index 000000000..802fcfd8d --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/sites-available/default @@ -0,0 +1,44 @@ +authorize { + suffix + eap { + ok = return + } + files +} + +authenticate { + eap +} + +preacct { + preprocess + acct_unique + suffix + files +} + +accounting { + detail + unix + radutmp + attr_filter.accounting_response +} + +session { + radutmp +} + +post-auth { + exec + Post-Auth-Type REJECT { + attr_filter.access_reject + } +} + +pre-proxy { +} + +post-proxy { + eap +} + diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel new file mode 100644 index 000000000..e088fae14 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel @@ -0,0 +1,32 @@ +server inner-tunnel { + +authorize { + suffix + eap { + ok = return + } + files +} + +authenticate { + eap +} + +session { + radutmp +} + +post-auth { + Post-Auth-Type REJECT { + attr_filter.access_reject + } +} + +pre-proxy { +} + +post-proxy { + eap +} + +} # inner-tunnel server block diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/users b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/users new file mode 100644 index 000000000..50ccf3e76 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/users @@ -0,0 +1,2 @@ +carol Cleartext-Password := "Ar3etTnp" +dave Cleartext-Password := "W7R0g3do" diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-peap-radius/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..b2eef5785 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/carol/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_CAROL + leftid=carol@strongswan.org + leftauth=eap + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + rightauth=pubkey + aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org" + auto=add diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-peap-radius/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..74942afda --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +carol@strongswan.org : EAP "Ar3etTnp" diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-peap-radius/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..2c06d26a6 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/carol/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-peap updown + multiple_authentication=no +} diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-peap-radius/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..3c8ea5c58 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/dave/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_DAVE + leftid=dave@strongswan.org + leftauth=eap + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + rightauth=pubkey + aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org" + auto=add diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-peap-radius/hosts/dave/etc/ipsec.secrets new file mode 100644 index 000000000..d5631a9f5 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/dave/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +dave@strongswan.org : EAP "UgaM65Va" diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-peap-radius/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..2c06d26a6 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/dave/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-peap updown + multiple_authentication=no +} diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/init.d/iptables new file mode 100755 index 000000000..56587b2e8 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/init.d/iptables @@ -0,0 +1,84 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +opts="start stop reload" + +depend() { + before net + need logger +} + +start() { + ebegin "Starting firewall" + + # enable IP forwarding + echo 1 > /proc/sys/net/ipv4/ip_forward + + # default policy is DROP + /sbin/iptables -P INPUT DROP + /sbin/iptables -P OUTPUT DROP + /sbin/iptables -P FORWARD DROP + + # allow esp + iptables -A INPUT -i eth0 -p 50 -j ACCEPT + iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT + + # allow IKE + iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT + iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + + # allow MobIKE + iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT + iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + + # allow crl fetch from winnetou + iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT + iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + + # allow RADIUS protocol with alice + iptables -A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT + iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT + + # allow ssh + iptables -A INPUT -p tcp --dport 22 -j ACCEPT + iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT + + eend $? +} + +stop() { + ebegin "Stopping firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + + if [ $a == nat ]; then + /sbin/iptables -t nat -P PREROUTING ACCEPT + /sbin/iptables -t nat -P POSTROUTING ACCEPT + /sbin/iptables -t nat -P OUTPUT ACCEPT + elif [ $a == mangle ]; then + /sbin/iptables -t mangle -P PREROUTING ACCEPT + /sbin/iptables -t mangle -P INPUT ACCEPT + /sbin/iptables -t mangle -P FORWARD ACCEPT + /sbin/iptables -t mangle -P OUTPUT ACCEPT + /sbin/iptables -t mangle -P POSTROUTING ACCEPT + elif [ $a == filter ]; then + /sbin/iptables -t filter -P INPUT ACCEPT + /sbin/iptables -t filter -P FORWARD ACCEPT + /sbin/iptables -t filter -P OUTPUT ACCEPT + fi + done + eend $? +} + +reload() { + ebegin "Flushing firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + done; + eend $? + start +} + diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..fc8f84638 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn rw-eap + left=PH_IP_MOON + leftsubnet=10.1.0.0/16 + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftauth=pubkey + leftfirewall=yes + rightauth=eap-radius + rightid=*@strongswan.org + rightsendcert=never + right=%any + auto=add diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..e86d6aa5c --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA moonKey.pem diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..4d2d3058d --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/strongswan.conf @@ -0,0 +1,12 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-radius updown + multiple_authentication=no + plugins { + eap-radius { + secret = gv6URkSs + server = PH_IP_ALICE + } + } +} diff --git a/testing/tests/ikev2/rw-eap-peap-radius/posttest.dat b/testing/tests/ikev2/rw-eap-peap-radius/posttest.dat new file mode 100644 index 000000000..dbe56013a --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-radius/posttest.dat @@ -0,0 +1,7 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +alice::/etc/init.d/radiusd stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +dave::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev2/rw-eap-peap-radius/pretest.dat b/testing/tests/ikev2/rw-eap-peap-radius/pretest.dat new file mode 100644 index 000000000..cbe1ae229 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-radius/pretest.dat @@ -0,0 +1,11 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +dave::/etc/init.d/iptables start 2> /dev/null +alice::/etc/init.d/radiusd start +moon::ipsec start +carol::ipsec start +dave::ipsec start +carol::sleep 1 +carol::ipsec up home +dave::ipsec up home +dave::sleep 1 diff --git a/testing/tests/ikev2/rw-eap-peap-radius/test.conf b/testing/tests/ikev2/rw-eap-peap-radius/test.conf new file mode 100644 index 000000000..e6a786a94 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-radius/test.conf @@ -0,0 +1,26 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice carol winnetou dave moon" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" + +# UML instances on which FreeRadius is started +# +RADIUSHOSTS="alice" + diff --git a/testing/tests/ikev2/rw-eap-tnc-11/evaltest.dat b/testing/tests/ikev2/rw-eap-tnc-11/evaltest.dat index a02755148..f7d78d1ca 100644 --- a/testing/tests/ikev2/rw-eap-tnc-11/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-tnc-11/evaltest.dat @@ -6,9 +6,11 @@ dave::cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES dave::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES -moon::cat /var/log/daemon.log::added group membership 'allow'::YES +moon::cat /var/log/auth.log::policy enforced on peer 'carol@strongswan.org' is 'allow'::YES +moon::cat /var/log/daemon.log::policy enforcement point added group membership 'allow'::YES moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES -moon::cat /var/log/daemon.log::added group membership 'isolate'::YES +moon::cat /var/log/auth.log::policy enforced on peer 'dave@strongswan.org' is 'isolate'::YES +moon::cat /var/log/daemon.log::policy enforcement point added group membership 'isolate'::YES moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES moon::ipsec statusall::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/tnc/log4cxx.properties b/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/tnc/log4cxx.properties new file mode 100644 index 000000000..b1c694107 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/tnc/log4cxx.properties @@ -0,0 +1,15 @@ +# Set root logger level to DEBUG and its appenders to A1 and A2. +log4j.rootLogger=DEBUG, A1, A2 + +# A1 is set to be a ConsoleAppender. +log4j.appender.A1=org.apache.log4j.ConsoleAppender +log4j.appender.A1.layout=org.apache.log4j.PatternLayout +log4j.appender.A1.layout.ConversionPattern=--[IMC] %m%n + +# A2 is set to be a SyslogAppender +log4j.appender.A2=org.apache.log4j.net.SyslogAppender +log4j.appender.A2.Facility=DAEMON +log4j.appender.A2.SyslogHost=localhost +log4j.appender.A2.Threshold=DEBUG +log4j.appender.A2.layout=org.apache.log4j.PatternLayout +log4j.appender.A2.layout.ConversionPattern=--[IMC] %m%n diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/tnc_config index a5a9a68f3..d2fabe109 100644 --- a/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/tnc_config +++ b/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/tnc_config @@ -1,3 +1,4 @@ #IMC configuration file for strongSwan client -IMC "Dummy" /usr/local/lib/libdummyimc.so +IMC "Dummy" /usr/local/lib/libdummyimc.so +#IMC "HostScanner" /usr/local/lib/libhostscannerimc.so diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/tnc/log4cxx.properties b/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/tnc/log4cxx.properties new file mode 100644 index 000000000..b1c694107 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/tnc/log4cxx.properties @@ -0,0 +1,15 @@ +# Set root logger level to DEBUG and its appenders to A1 and A2. +log4j.rootLogger=DEBUG, A1, A2 + +# A1 is set to be a ConsoleAppender. +log4j.appender.A1=org.apache.log4j.ConsoleAppender +log4j.appender.A1.layout=org.apache.log4j.PatternLayout +log4j.appender.A1.layout.ConversionPattern=--[IMC] %m%n + +# A2 is set to be a SyslogAppender +log4j.appender.A2=org.apache.log4j.net.SyslogAppender +log4j.appender.A2.Facility=DAEMON +log4j.appender.A2.SyslogHost=localhost +log4j.appender.A2.Threshold=DEBUG +log4j.appender.A2.layout=org.apache.log4j.PatternLayout +log4j.appender.A2.layout.ConversionPattern=--[IMC] %m%n diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/tnc_config index a5a9a68f3..d2fabe109 100644 --- a/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/tnc_config +++ b/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/tnc_config @@ -1,3 +1,4 @@ #IMC configuration file for strongSwan client -IMC "Dummy" /usr/local/lib/libdummyimc.so +IMC "Dummy" /usr/local/lib/libdummyimc.so +#IMC "HostScanner" /usr/local/lib/libhostscannerimc.so diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/tnc/dummyimv.policy b/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/tnc/dummyimv.policy new file mode 100644 index 000000000..d00491fd7 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/tnc/dummyimv.policy @@ -0,0 +1 @@ +1 diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/tnc/hostscannerimv.policy b/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/tnc/hostscannerimv.policy new file mode 100644 index 000000000..d8215dd3c --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/tnc/hostscannerimv.policy @@ -0,0 +1,40 @@ +#FTP - File Transfer Protocol +TCP 20 = whatever +TCP 21 = close + +#SSH - Secure Shell +TCP 22 = whatever + +#Telnet +TCP 23 = close + +#E-Mail +# +#SMTP - Simple Mail Transfer Protocol +TCP 25 = close +TCP 587 = close +#POP3 - Post Office Protocol version 3 +TCP 110 = close +TCP 995 = close + +#DNS - Domain Name System +UDP 53 = close +TCP 53 = close + +#BOOTP/DHCP - Bootstrap Protocol / +#Dynamic Host Configuration Protocol +UDP 67 = close +#UDP 68 = open +UDP 68 = whatever + +#www - World Wide Web +#HTTP - Hypertext Transfer Protocol +TCP 80 = close +#HTTPS - Hypertext Transfer Protocol Secure +TCP 443 = close + +#examples +TCP 8080 = close +TCP 5223 = whatever +UDP 4444 = close +UDP 631 = whatever diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/tnc/log4cxx.properties b/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/tnc/log4cxx.properties new file mode 100644 index 000000000..122d798b3 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/tnc/log4cxx.properties @@ -0,0 +1,15 @@ +# Set root logger level to DEBUG and its appenders to A1 and A2. +log4j.rootLogger=DEBUG, A1, A2 + +# A1 is set to be a ConsoleAppender. +log4j.appender.A1=org.apache.log4j.ConsoleAppender +log4j.appender.A1.layout=org.apache.log4j.PatternLayout +log4j.appender.A1.layout.ConversionPattern=--[IMV] %m%n + +# A2 is set to be a SyslogAppender +log4j.appender.A2=org.apache.log4j.net.SyslogAppender +log4j.appender.A2.Facility=DAEMON +log4j.appender.A2.SyslogHost=localhost +log4j.appender.A2.Threshold=DEBUG +log4j.appender.A2.layout=org.apache.log4j.PatternLayout +log4j.appender.A2.layout.ConversionPattern=--[IMV] %m%n diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/tnc_config index ac436a344..140caa98f 100644 --- a/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/tnc_config +++ b/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/tnc_config @@ -1,3 +1,4 @@ #IMV configuration file for strongSwan server -IMV "Dummy" /usr/local/lib/libdummyimv.so +IMV "Dummy" /usr/local/lib/libdummyimv.so +#IMV "HostScanner" /usr/local/lib/libhostscannerimv.so diff --git a/testing/tests/ikev2/rw-eap-tnc-11/pretest.dat b/testing/tests/ikev2/rw-eap-tnc-11/pretest.dat index ce897d181..9896b1e4a 100644 --- a/testing/tests/ikev2/rw-eap-tnc-11/pretest.dat +++ b/testing/tests/ikev2/rw-eap-tnc-11/pretest.dat @@ -6,9 +6,9 @@ carol::cat /etc/tnc_config dave::cat /etc/tnc_config carol::cat /etc/tnc/dummyimc.file dave::cat /etc/tnc/dummyimc.file -moon::ipsec start -carol::ipsec start -dave::ipsec start +moon::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start +carol::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start +dave::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start carol::sleep 1 carol::ipsec up home dave::ipsec up home diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/evaltest.dat b/testing/tests/ikev2/rw-eap-tnc-20-block/evaltest.dat index f1753c208..e3c482441 100644 --- a/testing/tests/ikev2/rw-eap-tnc-20-block/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-tnc-20-block/evaltest.dat @@ -5,8 +5,10 @@ carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/3 dave::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Denied'::YES dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.0/16::NO -moon::cat /var/log/daemon.log::added group membership 'allow'::YES -moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES +moon::cat /var/log/auth.log::policy enforced on peer 'carol@strongswan.org' is 'allow'::YES +moon::cat /var/log/daemon.log::policy enforcement point added group membership 'allow'::YES +moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES +moon::cat /var/log/auth.log::policy enforced on peer 'dave@strongswan.org' is 'no access'::YES moon::cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/tnc/dummyimv.policy b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/tnc/dummyimv.policy new file mode 100644 index 000000000..573541ac9 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/tnc/dummyimv.policy @@ -0,0 +1 @@ +0 diff --git a/testing/tests/ikev2/rw-eap-tnc-20-tls/evaltest.dat b/testing/tests/ikev2/rw-eap-tnc-20-tls/evaltest.dat index bbc0603b6..c871bb6da 100644 --- a/testing/tests/ikev2/rw-eap-tnc-20-tls/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-tnc-20-tls/evaltest.dat @@ -6,9 +6,11 @@ dave::cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YE dave::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES -moon::cat /var/log/daemon.log::added group membership 'allow'::YES -moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES -moon::cat /var/log/daemon.log::added group membership 'isolate'::YES +moon::cat /var/log/auth.log::policy enforced on peer 'carol@strongswan.org' is 'allow'::YES +moon::cat /var/log/daemon.log::policy enforcement point added group membership 'allow'::YES +moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES +moon::cat /var/log/auth.log::policy enforced on peer 'dave@strongswan.org' is 'isolate'::YES +moon::cat /var/log/daemon.log::policy enforcement point added group membership 'isolate'::YES moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES moon::ipsec statusall::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES diff --git a/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/tnc/dummyimv.policy b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/tnc/dummyimv.policy new file mode 100644 index 000000000..573541ac9 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/tnc/dummyimv.policy @@ -0,0 +1 @@ +0 diff --git a/testing/tests/ikev2/rw-eap-tnc-20/evaltest.dat b/testing/tests/ikev2/rw-eap-tnc-20/evaltest.dat index 737c9b9ef..d334a9b97 100644 --- a/testing/tests/ikev2/rw-eap-tnc-20/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-tnc-20/evaltest.dat @@ -6,9 +6,11 @@ dave::cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YE dave::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES -moon::cat /var/log/daemon.log::added group membership 'allow'::YES +moon::cat /var/log/auth.log::policy enforced on peer 'carol@strongswan.org' is 'allow'::YES +moon::cat /var/log/daemon.log::policy enforcement point added group membership 'allow'::YES moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES -moon::cat /var/log/daemon.log::added group membership 'isolate'::YES +moon::cat /var/log/auth.log::policy enforced on peer 'dave@strongswan.org' is 'isolate'::YES +moon::cat /var/log/daemon.log::policy enforcement point added group membership 'isolate'::YES moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES moon::ipsec statusall::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/tnc/log4cxx.properties b/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/tnc/log4cxx.properties new file mode 100644 index 000000000..b1c694107 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/tnc/log4cxx.properties @@ -0,0 +1,15 @@ +# Set root logger level to DEBUG and its appenders to A1 and A2. +log4j.rootLogger=DEBUG, A1, A2 + +# A1 is set to be a ConsoleAppender. +log4j.appender.A1=org.apache.log4j.ConsoleAppender +log4j.appender.A1.layout=org.apache.log4j.PatternLayout +log4j.appender.A1.layout.ConversionPattern=--[IMC] %m%n + +# A2 is set to be a SyslogAppender +log4j.appender.A2=org.apache.log4j.net.SyslogAppender +log4j.appender.A2.Facility=DAEMON +log4j.appender.A2.SyslogHost=localhost +log4j.appender.A2.Threshold=DEBUG +log4j.appender.A2.layout=org.apache.log4j.PatternLayout +log4j.appender.A2.layout.ConversionPattern=--[IMC] %m%n diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/tnc_config index 3797993fa..d2fabe109 100644 --- a/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/tnc_config +++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/tnc_config @@ -1,4 +1,4 @@ #IMC configuration file for strongSwan client IMC "Dummy" /usr/local/lib/libdummyimc.so -IMC "HostScanner" /usr/local/lib/libhostscannerimc.so +#IMC "HostScanner" /usr/local/lib/libhostscannerimc.so diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/tnc/log4cxx.properties b/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/tnc/log4cxx.properties new file mode 100644 index 000000000..b1c694107 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/tnc/log4cxx.properties @@ -0,0 +1,15 @@ +# Set root logger level to DEBUG and its appenders to A1 and A2. +log4j.rootLogger=DEBUG, A1, A2 + +# A1 is set to be a ConsoleAppender. +log4j.appender.A1=org.apache.log4j.ConsoleAppender +log4j.appender.A1.layout=org.apache.log4j.PatternLayout +log4j.appender.A1.layout.ConversionPattern=--[IMC] %m%n + +# A2 is set to be a SyslogAppender +log4j.appender.A2=org.apache.log4j.net.SyslogAppender +log4j.appender.A2.Facility=DAEMON +log4j.appender.A2.SyslogHost=localhost +log4j.appender.A2.Threshold=DEBUG +log4j.appender.A2.layout=org.apache.log4j.PatternLayout +log4j.appender.A2.layout.ConversionPattern=--[IMC] %m%n diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/tnc_config index 3797993fa..d2fabe109 100644 --- a/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/tnc_config +++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/tnc_config @@ -1,4 +1,4 @@ #IMC configuration file for strongSwan client IMC "Dummy" /usr/local/lib/libdummyimc.so -IMC "HostScanner" /usr/local/lib/libhostscannerimc.so +#IMC "HostScanner" /usr/local/lib/libhostscannerimc.so diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/tnc/dummyimv.policy b/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/tnc/dummyimv.policy new file mode 100644 index 000000000..d00491fd7 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/tnc/dummyimv.policy @@ -0,0 +1 @@ +1 diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/tnc/hostscannerimv.policy b/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/tnc/hostscannerimv.policy new file mode 100644 index 000000000..d8215dd3c --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/tnc/hostscannerimv.policy @@ -0,0 +1,40 @@ +#FTP - File Transfer Protocol +TCP 20 = whatever +TCP 21 = close + +#SSH - Secure Shell +TCP 22 = whatever + +#Telnet +TCP 23 = close + +#E-Mail +# +#SMTP - Simple Mail Transfer Protocol +TCP 25 = close +TCP 587 = close +#POP3 - Post Office Protocol version 3 +TCP 110 = close +TCP 995 = close + +#DNS - Domain Name System +UDP 53 = close +TCP 53 = close + +#BOOTP/DHCP - Bootstrap Protocol / +#Dynamic Host Configuration Protocol +UDP 67 = close +#UDP 68 = open +UDP 68 = whatever + +#www - World Wide Web +#HTTP - Hypertext Transfer Protocol +TCP 80 = close +#HTTPS - Hypertext Transfer Protocol Secure +TCP 443 = close + +#examples +TCP 8080 = close +TCP 5223 = whatever +UDP 4444 = close +UDP 631 = whatever diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/tnc/log4cxx.properties b/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/tnc/log4cxx.properties new file mode 100644 index 000000000..122d798b3 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/tnc/log4cxx.properties @@ -0,0 +1,15 @@ +# Set root logger level to DEBUG and its appenders to A1 and A2. +log4j.rootLogger=DEBUG, A1, A2 + +# A1 is set to be a ConsoleAppender. +log4j.appender.A1=org.apache.log4j.ConsoleAppender +log4j.appender.A1.layout=org.apache.log4j.PatternLayout +log4j.appender.A1.layout.ConversionPattern=--[IMV] %m%n + +# A2 is set to be a SyslogAppender +log4j.appender.A2=org.apache.log4j.net.SyslogAppender +log4j.appender.A2.Facility=DAEMON +log4j.appender.A2.SyslogHost=localhost +log4j.appender.A2.Threshold=DEBUG +log4j.appender.A2.layout=org.apache.log4j.PatternLayout +log4j.appender.A2.layout.ConversionPattern=--[IMV] %m%n diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/tnc_config index 67896d543..140caa98f 100644 --- a/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/tnc_config +++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/tnc_config @@ -1,4 +1,4 @@ #IMV configuration file for strongSwan server IMV "Dummy" /usr/local/lib/libdummyimv.so -IMV "HostScanner" /usr/local/lib/libhostscannerimv.so +#IMV "HostScanner" /usr/local/lib/libhostscannerimv.so diff --git a/testing/tests/ikev2/rw-eap-tnc-20/pretest.dat b/testing/tests/ikev2/rw-eap-tnc-20/pretest.dat index ce897d181..1c8eebad5 100644 --- a/testing/tests/ikev2/rw-eap-tnc-20/pretest.dat +++ b/testing/tests/ikev2/rw-eap-tnc-20/pretest.dat @@ -6,9 +6,9 @@ carol::cat /etc/tnc_config dave::cat /etc/tnc_config carol::cat /etc/tnc/dummyimc.file dave::cat /etc/tnc/dummyimc.file -moon::ipsec start -carol::ipsec start -dave::ipsec start +moon::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start +carol::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start +dave::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start carol::sleep 1 carol::ipsec up home dave::ipsec up home diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/evaltest.dat b/testing/tests/ikev2/rw-eap-tnc-dynamic/evaltest.dat index 2c7a2dbd7..593ac4505 100644 --- a/testing/tests/ikev2/rw-eap-tnc-dynamic/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/evaltest.dat @@ -8,14 +8,16 @@ dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES moon::cat /var/log/daemon.log::TNCCS 1.1 protocol detected dynamically::YES moon::cat /var/log/daemon.log::assigned TNCCS Connection ID 1::YES -moon::cat /var/log/daemon.log::Final recommendation is 'allow' and evaluation is 'compliant'::YES -moon::cat /var/log/daemon.log::added group membership 'allow'::YES +moon::cat /var/log/daemon.log::final recommendation is 'allow' and evaluation is 'compliant'::YES +moon::cat /var/log/auth.log::policy enforced on peer 'carol@strongswan.org' is 'allow'::YES +moon::cat /var/log/daemon.log::policy enforcement point added group membership 'allow'::YES moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES moon::cat /var/log/daemon.log::removed TNCCS Connection ID 1::YES moon::cat /var/log/daemon.log::TNCCS 2.0 protocol detected dynamically::YES moon::cat /var/log/daemon.log::assigned TNCCS Connection ID 2::YES -moon::cat /var/log/daemon.log::Final recommendation is 'isolate' and evaluation is 'non-compliant minor'::YES -moon::cat /var/log/daemon.log::added group membership 'isolate'::YES +moon::cat /var/log/daemon.log::final recommendation is 'isolate' and evaluation is 'non-compliant minor'::YES +moon::cat /var/log/auth.log::policy enforced on peer 'dave@strongswan.org' is 'isolate'::YES +moon::cat /var/log/daemon.log::policy enforcement point added group membership 'isolate'::YES moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES moon::cat /var/log/daemon.log::removed TNCCS Connection ID 2::YES moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/tnc_config index 3797993fa..d2fabe109 100644 --- a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/tnc_config +++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/tnc_config @@ -1,4 +1,4 @@ #IMC configuration file for strongSwan client IMC "Dummy" /usr/local/lib/libdummyimc.so -IMC "HostScanner" /usr/local/lib/libhostscannerimc.so +#IMC "HostScanner" /usr/local/lib/libhostscannerimc.so diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/tnc_config index 3797993fa..d2fabe109 100644 --- a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/tnc_config +++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/tnc_config @@ -1,4 +1,4 @@ #IMC configuration file for strongSwan client IMC "Dummy" /usr/local/lib/libdummyimc.so -IMC "HostScanner" /usr/local/lib/libhostscannerimc.so +#IMC "HostScanner" /usr/local/lib/libhostscannerimc.so diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/tnc/dummyimv.policy b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/tnc/dummyimv.policy new file mode 100644 index 000000000..d00491fd7 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/tnc/dummyimv.policy @@ -0,0 +1 @@ +1 diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/tnc_config index 67896d543..140caa98f 100644 --- a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/tnc_config +++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/tnc_config @@ -1,4 +1,4 @@ #IMV configuration file for strongSwan server IMV "Dummy" /usr/local/lib/libdummyimv.so -IMV "HostScanner" /usr/local/lib/libhostscannerimv.so +#IMV "HostScanner" /usr/local/lib/libhostscannerimv.so diff --git a/testing/tests/ikev2/rw-whitelist/description.txt b/testing/tests/ikev2/rw-whitelist/description.txt new file mode 100644 index 000000000..6f52861e2 --- /dev/null +++ b/testing/tests/ikev2/rw-whitelist/description.txt @@ -0,0 +1,3 @@ +The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>. +<b>moon</b> uses whitelisting to grant access to <b>carol</b> with ID <b>carol@strongswan.org</b> +whereas since ID <b>dave@strongswan.org</b> is not listed, <b>dave</b> gets rejected. diff --git a/testing/tests/ikev2/rw-whitelist/evaltest.dat b/testing/tests/ikev2/rw-whitelist/evaltest.dat new file mode 100644 index 000000000..733cfd844 --- /dev/null +++ b/testing/tests/ikev2/rw-whitelist/evaltest.dat @@ -0,0 +1,19 @@ +moon::cat /var/log/daemon.log::whitelist functionality was already enabled::YES +moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with RSA signature successful::YES +moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with RSA signature successful::YES +moon::cat /var/log/daemon.log::peer identity 'dave@strongswan.org' not whitelisted::YES +carol::ipsec status::home.*INSTALLED::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +dave::cat /var/log/daemon.log:: received AUTHENTICATION_FAILED notify error::YES +dave::ipsec status::home.*INSTALLED::NO +dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::NO +moon::ipsec status::rw.*ESTABLISHED.*carol@strongswan.org::YES +moon::ipsec status::rw.*ESTABLISHED.*dave@strongswan.org::NO +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::NO +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::NO +alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES +alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES +alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::NO +alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::NO diff --git a/testing/tests/ikev2/rw-whitelist/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-whitelist/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..a19f6cfae --- /dev/null +++ b/testing/tests/ikev2/rw-whitelist/hosts/carol/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_CAROL + leftsourceip=%config + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ikev2/rw-whitelist/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-whitelist/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..339b56987 --- /dev/null +++ b/testing/tests/ikev2/rw-whitelist/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ikev2/rw-whitelist/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-whitelist/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..1a89f4e5d --- /dev/null +++ b/testing/tests/ikev2/rw-whitelist/hosts/dave/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_DAVE + leftsourceip=%config + leftcert=daveCert.pem + leftid=dave@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ikev2/rw-whitelist/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-whitelist/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..339b56987 --- /dev/null +++ b/testing/tests/ikev2/rw-whitelist/hosts/dave/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ikev2/rw-whitelist/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-whitelist/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..0b4cded6c --- /dev/null +++ b/testing/tests/ikev2/rw-whitelist/hosts/moon/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn rw + left=PH_IP_MOON + leftsubnet=10.1.0.0/16 + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftfirewall=yes + right=%any + rightsourceip=10.3.0.0/28 + auto=add diff --git a/testing/tests/ikev2/rw-whitelist/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-whitelist/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..938b45518 --- /dev/null +++ b/testing/tests/ikev2/rw-whitelist/hosts/moon/etc/strongswan.conf @@ -0,0 +1,10 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc whitelist stroke kernel-netlink socket-default updown + plugins { + whitelist { + enable = yes + } + } +} diff --git a/testing/tests/ikev2/rw-whitelist/posttest.dat b/testing/tests/ikev2/rw-whitelist/posttest.dat new file mode 100644 index 000000000..1777f439f --- /dev/null +++ b/testing/tests/ikev2/rw-whitelist/posttest.dat @@ -0,0 +1,6 @@ +carol::ipsec stop +dave::ipsec stop +moon::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +dave::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev2/rw-whitelist/pretest.dat b/testing/tests/ikev2/rw-whitelist/pretest.dat new file mode 100644 index 000000000..c4ac77d77 --- /dev/null +++ b/testing/tests/ikev2/rw-whitelist/pretest.dat @@ -0,0 +1,15 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +dave::/etc/init.d/iptables start 2> /dev/null +carol::ipsec start +dave::ipsec start +moon::ipsec start +moon::ipsec whitelist add alice@strongswan.org +moon::ipsec whitelist add bob@strongswan.org +moon::ipsec whitelist add carol@strongswan.org +moon::ipsec whitelist enable +moon::ipsec whitelist list +carol::sleep 2 +carol::ipsec up home +dave::ipsec up home +carol::sleep 1 diff --git a/testing/tests/ikev2/rw-whitelist/test.conf b/testing/tests/ikev2/rw-whitelist/test.conf new file mode 100644 index 000000000..1a8f2a4e0 --- /dev/null +++ b/testing/tests/ikev2/rw-whitelist/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon alice" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" |