diff options
author | Rene Mayrhofer <rene@mayrhofer.eu.org> | 2010-08-09 08:09:54 +0000 |
---|---|---|
committer | Rene Mayrhofer <rene@mayrhofer.eu.org> | 2010-08-09 08:09:54 +0000 |
commit | b8064f4099997a9e2179f3ad4ace605f5ccac3a1 (patch) | |
tree | 81778e976b476374c48b4fe83d084b986b890421 /testing | |
parent | 1ac70afcc1f7d6d2738a34308810719b0976d29f (diff) | |
download | vyos-strongswan-b8064f4099997a9e2179f3ad4ace605f5ccac3a1.tar.gz vyos-strongswan-b8064f4099997a9e2179f3ad4ace605f5ccac3a1.zip |
[svn-upgrade] new version strongswan (4.4.1)
Diffstat (limited to 'testing')
568 files changed, 3876 insertions, 726 deletions
diff --git a/testing/INSTALL b/testing/INSTALL index 68e13d84a..27db50013 100644 --- a/testing/INSTALL +++ b/testing/INSTALL @@ -53,14 +53,15 @@ are required for the strongSwan testing environment: * A vanilla Linux kernel on which the UML kernel will be based on. We recommend the use of - http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.31.5.tar.bz2 + http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.33.3.tar.bz2 - * The Linux kernel 2.6.31 does not require any patches for the uml guest kernel - to successfully start up. + * The Linux kernel 2.6.33.3 does not require any patches for the uml guest kernel + to successfully start up but the aes_gmac patch must be applied for + ESP AES-GMAC support. * The matching .config file required to compile the UML kernel: - http://download.strongswan.org/uml/.config-2.6.31 + http://download.strongswan.org/uml/.config-2.6.33 * A gentoo-based UML file system (compressed size 130 MBytes) found at @@ -68,7 +69,7 @@ are required for the strongSwan testing environment: * The latest strongSwan distribution - http://download.strongswan.org/strongswan-4.3.6.tar.bz2 + http://download.strongswan.org/strongswan-4.4.1.tar.bz2 3. Creating the environment diff --git a/testing/Makefile.in b/testing/Makefile.in index c60f9b2ea..010f4c81b 100644 --- a/testing/Makefile.in +++ b/testing/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/testing/hosts/default/etc/ipsec.d/tables.sql b/testing/hosts/default/etc/ipsec.d/tables.sql index 0e880826d..eb41533cb 100644 --- a/testing/hosts/default/etc/ipsec.d/tables.sql +++ b/testing/hosts/default/etc/ipsec.d/tables.sql @@ -17,7 +17,7 @@ CREATE TABLE child_configs ( jitter INTEGER NOT NULL DEFAULT '180', updown TEXT DEFAULT NULL, hostaccess INTEGER NOT NULL DEFAULT '0', - mode INTEGER NOT NULL DEFAULT '1', + mode INTEGER NOT NULL DEFAULT '2', dpd_action INTEGER NOT NULL DEFAULT '0', close_action INTEGER NOT NULL DEFAULT '0', ipcomp INTEGER NOT NULL DEFAULT '0' @@ -183,12 +183,28 @@ CREATE TABLE leases ( released INTEGER NOT NULL ); +DROP TABLE IF EXISTS attribute_pools; +CREATE TABLE attribute_pools ( + id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, + name TEXT NOT NULL +); + DROP TABLE IF EXISTS attributes; CREATE TABLE attributes ( id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, + identity INTEGER NOT NULL DEFAULT 0, + pool INTEGER NOT NULL DEFAULT 0, type INTEGER NOT NULL, value BLOB NOT NULL ); +DROP INDEX IF EXISTS attributes_identity; +CREATE INDEX attributes_identity ON attributes ( + identity +); +DROP INDEX IF EXISTS attributes_pool; +CREATE INDEX attributes_pool ON attributes ( + pool +); DROP TABLE IF EXISTS ike_sas; CREATE TABLE ike_sas ( diff --git a/testing/hosts/winnetou/etc/openssl/research/carolReq.pem b/testing/hosts/winnetou/etc/openssl/research/carolReq.pem deleted file mode 100644 index f2a6b5c22..000000000 --- a/testing/hosts/winnetou/etc/openssl/research/carolReq.pem +++ /dev/null @@ -1,17 +0,0 @@ ------BEGIN CERTIFICATE REQUEST----- -MIICnzCCAYcCAQAwWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u -Z1N3YW4xETAPBgNVBAsTCFJlc2VhcmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdz -d2FuLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM+oTiV7lCh1 -ID41edDUgUjRdZwEMPBAM1xDqoxJxIJpug8UIuuUL0TvQnZ4Z5fa/9QNNCkQ7FDh -8ZcR+TT8x0mOdYYA73mMQic0n4O57F+s/lESKvIoN+vIDR3rGJBv9rYztS4ODE+D -Jl9XK9TtId5u57jfXu/k3IYl5GeQ3f+ic2l2Ola70t70Op6cFDZIhOCjs2xWw2yq -GdPWODaN/Enw5fOLv/om+7HHB4KgPGv4p4ohWIUCo2XK597Ii+jB2MdOUlG83/1a -X7+M+IeYVwjIhzWjwRQfMz0AQha0HYN4cvrZ7stUluMxewsCROCBzcGQYTZxYU4F -jR8nhH4ApYMCAwEAAaAAMA0GCSqGSIb3DQEBBAUAA4IBAQA9OKM8HKu5Fp/HRsdS -3Z/tuLVjwijVq/OIge1PnoW7Ri2hnTpWeaWcU2wIexsxPJR6kYwqp9NfxM73uUUU -e/ROCU+kZxSuzfV3SMMI8bsjufuldxKUXs1B8Nit1Qkhhj1/4uN6FRzQ5E9vz0Yf -OuVVJxMIEgQRdBTcZ8Cuf23Mcq+sBa/2OXD/y6WTUNrXvjTjmGWv1LnryB6Ro8se -ndI7bIiMZ/sSOrhOWrii/655bpUSYIb0RCzOnbdNAevbn/bLMEpj0qiDSam88Y/6 -FIY5sDCsdlpHsI2vkIrvPo4PUE+yzBhezmrLbVoiHjVoZhr1h091777Bomg/oUxv -beEk ------END CERTIFICATE REQUEST----- diff --git a/testing/hosts/winnetou/etc/openssl/research/index.txt b/testing/hosts/winnetou/etc/openssl/research/index.txt index 98aa9e3e4..844e001c7 100644 --- a/testing/hosts/winnetou/etc/openssl/research/index.txt +++ b/testing/hosts/winnetou/etc/openssl/research/index.txt @@ -1,6 +1,7 @@ R 100322070423Z 100407091025Z,superseded 01 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org -V 100615195710Z 02 unknown /C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA +R 100615195710Z 100703145747Z,superseded 02 unknown /C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA V 120323210330Z 03 unknown /C=CH/O=Linux strongSwan/OU=Research OCSP Signing Authority/CN=ocsp.research.strongswan.org V 140323203747Z 04 unknown /C=CH/O=Linux strongSwan/OU=Research no CDP/CN=carol@strongswan.org V 151103161503Z 05 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=Duck Research CA V 150406092057Z 06 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org +V 150702151839Z 07 unknown /C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA diff --git a/testing/hosts/winnetou/etc/openssl/research/index.txt.old b/testing/hosts/winnetou/etc/openssl/research/index.txt.old index 2a68119f8..3ebf4b191 100644 --- a/testing/hosts/winnetou/etc/openssl/research/index.txt.old +++ b/testing/hosts/winnetou/etc/openssl/research/index.txt.old @@ -1,5 +1,6 @@ -R 100322070423Z 100407091025Z 01 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org -V 100615195710Z 02 unknown /C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA +R 100322070423Z 100407091025Z,superseded 01 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org +R 100615195710Z 100703145747Z,superseded 02 unknown /C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA V 120323210330Z 03 unknown /C=CH/O=Linux strongSwan/OU=Research OCSP Signing Authority/CN=ocsp.research.strongswan.org V 140323203747Z 04 unknown /C=CH/O=Linux strongSwan/OU=Research no CDP/CN=carol@strongswan.org V 151103161503Z 05 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=Duck Research CA +V 150406092057Z 06 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org diff --git a/testing/hosts/winnetou/etc/openssl/research/newcerts/07.pem b/testing/hosts/winnetou/etc/openssl/research/newcerts/07.pem new file mode 100644 index 000000000..8eaa6c6b7 --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/research/newcerts/07.pem @@ -0,0 +1,88 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 7 (0x7) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=CH, O=Linux strongSwan, OU=Research, CN=Research CA + Validity + Not Before: Jul 3 15:18:39 2010 GMT + Not After : Jul 2 15:18:39 2015 GMT + Subject: C=CH, O=Linux strongSwan, OU=Sales, CN=Sales CA + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public Key: (2048 bit) + Modulus (2048 bit): + 00:c2:4e:4d:26:99:8c:37:b9:51:1f:a1:25:ba:1d: + 70:4e:34:58:1c:56:9b:ea:f4:16:20:fe:14:b7:36: + 73:48:47:fd:07:16:9b:55:df:aa:77:3d:a9:a3:cf: + 1a:8c:4e:d8:17:f0:5e:01:44:1d:f3:9d:43:31:c6: + ba:d8:61:b2:f7:4c:3e:49:96:3f:56:77:b8:3a:f0: + b1:ca:ab:98:bc:aa:e0:92:3c:ed:ec:52:7a:7d:60: + 82:60:95:12:26:f9:e5:3e:1f:37:1a:d3:20:62:5a: + a1:ee:89:9f:db:fd:67:01:b6:07:e5:2b:de:71:40: + ff:07:5c:91:27:6a:27:17:3a:5c:bf:43:29:c4:64: + dd:3c:59:b6:ff:52:b8:37:ed:13:d1:bb:f3:b3:ba: + 3c:94:b2:7f:25:18:86:57:73:d4:46:5e:e4:f4:ec: + 52:80:1b:04:9d:03:0d:72:71:df:9e:b6:90:3b:5f: + 41:dc:1e:cd:ab:74:2c:0c:8e:b1:56:9b:62:af:f4: + 1b:f7:c1:67:02:cb:7a:be:2a:18:5d:be:dc:2b:2f: + 3f:b8:cd:5e:78:51:61:e4:af:db:ee:22:da:60:23: + 81:b0:51:23:50:37:8a:aa:14:dc:da:b5:bc:f0:2a: + ce:b7:a4:38:8f:d1:57:d1:eb:7b:d2:f5:af:c5:f5: + 74:81 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: + Certificate Sign, CRL Sign + X509v3 Subject Key Identifier: + 5F:9B:13:46:F9:20:72:C8:00:D5:88:B5:A7:4C:2E:97:EA:0B:93:28 + X509v3 Authority Key Identifier: + keyid:E7:75:F0:A0:F2:AD:20:CD:CD:60:23:CC:C7:C8:0F:29:F3:DD:54:20 + DirName:/C=CH/O=Linux strongSwan/CN=strongSwan Root CA + serial:20 + + X509v3 CRL Distribution Points: + URI:http://crl.strongswan.org/research.crl + + Signature Algorithm: sha256WithRSAEncryption + 33:e2:05:f4:db:4e:41:f0:45:da:6d:e2:20:18:ff:0c:74:00: + a2:b0:9c:5e:b7:eb:ed:44:fa:6f:1d:1e:7d:47:85:35:3c:15: + 99:22:44:2b:11:49:17:71:aa:9c:e9:ac:c8:1a:ea:fe:e4:b1: + 5d:bd:08:82:69:4d:c8:9a:0f:8f:12:db:35:8d:b2:24:36:bd: + f3:41:e1:47:a7:1b:8c:0a:54:6f:3b:e3:60:90:6a:40:b3:66: + 4f:fb:32:b1:ee:b6:4f:95:0d:c3:77:a0:67:2e:e2:01:44:08: + fc:eb:66:26:0f:4d:5b:fb:e0:f0:85:45:f7:77:ed:26:25:5e: + 63:74:28:5d:08:bf:38:2e:d8:33:70:24:d3:03:01:ae:ac:1e: + cf:bf:f0:7f:fb:05:bc:c7:c5:46:64:4f:bc:eb:4e:ec:b8:33: + 91:46:20:a9:65:40:1c:40:2e:9f:fc:37:f2:cd:e2:fc:f4:65: + b2:e0:6c:d5:3b:12:8d:7a:12:29:1b:10:04:94:b3:74:9c:9a: + 76:be:74:50:52:7d:ec:5f:d0:6f:68:aa:f1:ef:c6:35:8f:89: + 94:70:e9:9a:d2:e5:36:64:00:4d:43:99:da:8b:5b:04:cd:ab: + f1:68:69:e0:d6:b2:59:60:01:da:8c:03:67:cb:ee:2f:6d:b0: + 51:d9:55:89 +-----BEGIN CERTIFICATE----- +MIIEADCCAuigAwIBAgIBBzANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS +BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTEwMDcwMzE1MTgzOVoXDTE1MDcwMjE1MTgz +OVowSzELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAM +BgNVBAsTBVNhbGVzMREwDwYDVQQDEwhTYWxlcyBDQTCCASIwDQYJKoZIhvcNAQEB +BQADggEPADCCAQoCggEBAMJOTSaZjDe5UR+hJbodcE40WBxWm+r0FiD+FLc2c0hH +/QcWm1Xfqnc9qaPPGoxO2BfwXgFEHfOdQzHGuthhsvdMPkmWP1Z3uDrwscqrmLyq +4JI87exSen1ggmCVEib55T4fNxrTIGJaoe6Jn9v9ZwG2B+Ur3nFA/wdckSdqJxc6 +XL9DKcRk3TxZtv9SuDftE9G787O6PJSyfyUYhldz1EZe5PTsUoAbBJ0DDXJx3562 +kDtfQdwezat0LAyOsVabYq/0G/fBZwLLer4qGF2+3CsvP7jNXnhRYeSv2+4i2mAj +gbBRI1A3iqoU3Nq1vPAqzrekOI/RV9Hre9L1r8X1dIECAwEAAaOB6DCB5TAPBgNV +HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUX5sTRvkgcsgA1Yi1 +p0wul+oLkygwbQYDVR0jBGYwZIAU53XwoPKtIM3NYCPMx8gPKfPdVCChSaRHMEUx +CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQD +ExJzdHJvbmdTd2FuIFJvb3QgQ0GCASAwNwYDVR0fBDAwLjAsoCqgKIYmaHR0cDov +L2NybC5zdHJvbmdzd2FuLm9yZy9yZXNlYXJjaC5jcmwwDQYJKoZIhvcNAQELBQAD +ggEBADPiBfTbTkHwRdpt4iAY/wx0AKKwnF636+1E+m8dHn1HhTU8FZkiRCsRSRdx +qpzprMga6v7ksV29CIJpTciaD48S2zWNsiQ2vfNB4UenG4wKVG8742CQakCzZk/7 +MrHutk+VDcN3oGcu4gFECPzrZiYPTVv74PCFRfd37SYlXmN0KF0Ivzgu2DNwJNMD +Aa6sHs+/8H/7BbzHxUZkT7zrTuy4M5FGIKllQBxALp/8N/LN4vz0ZbLgbNU7Eo16 +EikbEASUs3Scmna+dFBSfexf0G9oqvHvxjWPiZRw6ZrS5TZkAE1DmdqLWwTNq/Fo +aeDWsllgAdqMA2fL7i9tsFHZVYk= +-----END CERTIFICATE----- diff --git a/testing/hosts/winnetou/etc/openssl/research/serial b/testing/hosts/winnetou/etc/openssl/research/serial index 2c7456e3e..adb9de8ee 100644 --- a/testing/hosts/winnetou/etc/openssl/research/serial +++ b/testing/hosts/winnetou/etc/openssl/research/serial @@ -1 +1 @@ -07 +08 diff --git a/testing/hosts/winnetou/etc/openssl/research/serial.old b/testing/hosts/winnetou/etc/openssl/research/serial.old index cd672a533..2c7456e3e 100644 --- a/testing/hosts/winnetou/etc/openssl/research/serial.old +++ b/testing/hosts/winnetou/etc/openssl/research/serial.old @@ -1 +1 @@ -06 +07 diff --git a/testing/hosts/winnetou/etc/openssl/sales/index.txt b/testing/hosts/winnetou/etc/openssl/sales/index.txt index c4e05f253..314acd784 100644 --- a/testing/hosts/winnetou/etc/openssl/sales/index.txt +++ b/testing/hosts/winnetou/etc/openssl/sales/index.txt @@ -1,5 +1,6 @@ R 100322071017Z 100407093948Z,superseded 01 unknown /C=CH/O=Linux strongSwan/OU=Sales/CN=dave@strongswan.org -V 100615195536Z 02 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=Research CA +R 100615195536Z 100703150410Z,superseded 02 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=Research CA V 120323211811Z 03 unknown /C=CH/O=Linux strongSwan/OU=Sales OCSP Signing Authority/CN=ocsp.sales.strongswan.org V 140323211053Z 04 unknown /C=CH/O=Linux strongSwan/OU=Sales no CDP/CN=dave@strongswan.org V 150406094241Z 05 unknown /C=CH/O=Linux strongSwan/OU=Sales/CN=dave@strongswan.org +V 150702152829Z 06 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=Research CA diff --git a/testing/hosts/winnetou/etc/openssl/sales/index.txt.old b/testing/hosts/winnetou/etc/openssl/sales/index.txt.old index f377c3588..fd5485026 100644 --- a/testing/hosts/winnetou/etc/openssl/sales/index.txt.old +++ b/testing/hosts/winnetou/etc/openssl/sales/index.txt.old @@ -1,4 +1,5 @@ R 100322071017Z 100407093948Z,superseded 01 unknown /C=CH/O=Linux strongSwan/OU=Sales/CN=dave@strongswan.org -V 100615195536Z 02 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=Research CA +R 100615195536Z 100703150410Z 02 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=Research CA V 120323211811Z 03 unknown /C=CH/O=Linux strongSwan/OU=Sales OCSP Signing Authority/CN=ocsp.sales.strongswan.org V 140323211053Z 04 unknown /C=CH/O=Linux strongSwan/OU=Sales no CDP/CN=dave@strongswan.org +V 150406094241Z 05 unknown /C=CH/O=Linux strongSwan/OU=Sales/CN=dave@strongswan.org diff --git a/testing/hosts/winnetou/etc/openssl/sales/newcerts/06.pem b/testing/hosts/winnetou/etc/openssl/sales/newcerts/06.pem new file mode 100644 index 000000000..3a40e2829 --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/sales/newcerts/06.pem @@ -0,0 +1,88 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 6 (0x6) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=CH, O=Linux strongSwan, OU=Sales, CN=Sales CA + Validity + Not Before: Jul 3 15:28:29 2010 GMT + Not After : Jul 2 15:28:29 2015 GMT + Subject: C=CH, O=Linux strongSwan, OU=Research, CN=Research CA + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public Key: (2048 bit) + Modulus (2048 bit): + 00:b6:39:b2:3a:a6:e0:07:5b:58:a7:3f:4f:b2:5a: + 85:6a:72:f7:1b:5d:3d:b1:e7:80:13:7a:95:b9:e9: + 61:a1:df:af:19:c6:b2:f9:83:14:21:59:1c:27:7b: + 7a:04:6a:43:f0:2e:24:71:dc:12:fd:c3:51:d7:c9: + 59:60:32:a5:59:d4:bd:d9:5c:a7:9f:21:06:3a:71: + 7d:33:d7:3f:d2:03:07:1c:d0:69:0c:94:ce:c1:31: + 20:65:8e:55:46:36:7b:bc:49:e4:12:81:9d:75:64: + a2:4d:e1:b5:8e:07:af:51:9d:a8:d8:7e:dc:b1:26: + 6d:e8:09:06:78:13:45:24:71:e0:f2:89:e7:81:4e: + fd:be:fc:2d:4c:c1:fa:b3:31:af:3c:70:fe:59:c8: + f2:31:26:02:d2:a5:ba:04:3b:73:d6:ae:31:e1:42: + cf:e3:66:95:27:e7:4a:85:a1:1c:de:6a:9b:ed:22: + 34:ac:b4:0b:ed:b9:22:e1:3c:36:af:a2:de:3b:41: + 88:8f:01:c0:1a:87:63:7b:b6:22:e7:e5:52:1f:4d: + 73:d7:7f:47:ab:c6:b1:13:cc:1e:cd:f4:5f:51:da: + fe:6d:14:83:8f:78:fb:0c:2a:c1:f1:01:65:18:f3: + c4:c9:8c:17:fd:52:1b:82:35:13:74:c3:38:9d:ec: + ae:39 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: + Certificate Sign, CRL Sign + X509v3 Subject Key Identifier: + E7:75:F0:A0:F2:AD:20:CD:CD:60:23:CC:C7:C8:0F:29:F3:DD:54:20 + X509v3 Authority Key Identifier: + keyid:5F:9B:13:46:F9:20:72:C8:00:D5:88:B5:A7:4C:2E:97:EA:0B:93:28 + DirName:/C=CH/O=Linux strongSwan/CN=strongSwan Root CA + serial:21 + + X509v3 CRL Distribution Points: + URI:http://crl.strongswan.org/sales.crl + + Signature Algorithm: sha256WithRSAEncryption + b4:53:55:44:bc:6e:96:f7:36:bc:16:57:f6:88:13:a2:bd:32: + fb:57:d6:43:f3:31:46:d9:83:29:30:3a:6e:20:d6:37:c3:9a: + a6:cf:c3:6f:17:e9:86:44:49:0d:81:6c:6d:50:46:1d:d2:52: + 94:a8:4f:9b:e9:94:f7:03:e0:e0:af:dc:e4:4a:00:2c:c6:87: + 1e:31:7a:67:7b:4e:96:0f:f1:d9:e9:b5:f9:3a:e9:c7:c5:08: + ff:88:b7:4b:78:84:fe:39:06:a9:60:55:97:dd:e5:90:0e:fe: + 88:11:43:ed:ac:ef:d3:9b:73:95:cf:ab:f4:a1:1a:f0:a8:9c: + 65:4e:3c:3b:aa:91:6a:cf:fc:84:88:31:d0:57:14:7a:a4:5b: + 25:b6:e1:ef:ca:ce:ae:e9:3c:c1:b5:f0:47:2d:ec:d0:38:81: + 15:d2:89:6c:74:53:7d:e5:85:63:5a:b0:fb:d2:2a:d2:a0:0b: + a7:5c:99:13:6a:8f:24:c7:42:81:72:d3:61:4b:80:a3:f5:a7: + 6d:78:4e:12:e4:4a:bf:5d:80:74:fa:7b:af:51:ec:44:bd:56: + 29:f7:0d:48:0f:b8:97:65:5d:c6:b1:fc:15:a6:ea:02:ee:82: + a1:dc:5d:51:85:ca:e5:4f:90:34:a0:3d:db:3a:9b:42:90:70: + 45:67:b9:a5 +-----BEGIN CERTIFICATE----- +MIID/TCCAuWgAwIBAgIBBjANBgkqhkiG9w0BAQsFADBLMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEOMAwGA1UECxMFU2FsZXMxETAPBgNV +BAMTCFNhbGVzIENBMB4XDTEwMDcwMzE1MjgyOVoXDTE1MDcwMjE1MjgyOVowUTEL +MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsT +CFJlc2VhcmNoMRQwEgYDVQQDEwtSZXNlYXJjaCBDQTCCASIwDQYJKoZIhvcNAQEB +BQADggEPADCCAQoCggEBALY5sjqm4AdbWKc/T7JahWpy9xtdPbHngBN6lbnpYaHf +rxnGsvmDFCFZHCd7egRqQ/AuJHHcEv3DUdfJWWAypVnUvdlcp58hBjpxfTPXP9ID +BxzQaQyUzsExIGWOVUY2e7xJ5BKBnXVkok3htY4Hr1GdqNh+3LEmbegJBngTRSRx +4PKJ54FO/b78LUzB+rMxrzxw/lnI8jEmAtKlugQ7c9auMeFCz+NmlSfnSoWhHN5q +m+0iNKy0C+25IuE8Nq+i3jtBiI8BwBqHY3u2IuflUh9Nc9d/R6vGsRPMHs30X1Ha +/m0Ug494+wwqwfEBZRjzxMmMF/1SG4I1E3TDOJ3srjkCAwEAAaOB5TCB4jAPBgNV +HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU53XwoPKtIM3NYCPM +x8gPKfPdVCAwbQYDVR0jBGYwZIAUX5sTRvkgcsgA1Yi1p0wul+oLkyihSaRHMEUx +CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQD +ExJzdHJvbmdTd2FuIFJvb3QgQ0GCASEwNAYDVR0fBC0wKzApoCegJYYjaHR0cDov +L2NybC5zdHJvbmdzd2FuLm9yZy9zYWxlcy5jcmwwDQYJKoZIhvcNAQELBQADggEB +ALRTVUS8bpb3NrwWV/aIE6K9MvtX1kPzMUbZgykwOm4g1jfDmqbPw28X6YZESQ2B +bG1QRh3SUpSoT5vplPcD4OCv3ORKACzGhx4xemd7TpYP8dnptfk66cfFCP+It0t4 +hP45BqlgVZfd5ZAO/ogRQ+2s79Obc5XPq/ShGvConGVOPDuqkWrP/ISIMdBXFHqk +WyW24e/Kzq7pPMG18Ect7NA4gRXSiWx0U33lhWNasPvSKtKgC6dcmRNqjyTHQoFy +02FLgKP1p214ThLkSr9dgHT6e69R7ES9Vin3DUgPuJdlXcax/BWm6gLugqHcXVGF +yuVPkDSgPds6m0KQcEVnuaU= +-----END CERTIFICATE----- diff --git a/testing/hosts/winnetou/etc/openssl/sales/serial b/testing/hosts/winnetou/etc/openssl/sales/serial index cd672a533..2c7456e3e 100644 --- a/testing/hosts/winnetou/etc/openssl/sales/serial +++ b/testing/hosts/winnetou/etc/openssl/sales/serial @@ -1 +1 @@ -06 +07 diff --git a/testing/hosts/winnetou/etc/openssl/sales/serial.old b/testing/hosts/winnetou/etc/openssl/sales/serial.old index eeee65ec4..cd672a533 100644 --- a/testing/hosts/winnetou/etc/openssl/sales/serial.old +++ b/testing/hosts/winnetou/etc/openssl/sales/serial.old @@ -1 +1 @@ -05 +06 diff --git a/testing/scripts/build-umlrootfs b/testing/scripts/build-umlrootfs index 16dd843b9..8a083e2ec 100755 --- a/testing/scripts/build-umlrootfs +++ b/testing/scripts/build-umlrootfs @@ -241,6 +241,11 @@ then echo -n " --enable-farp" >> $INSTALLSHELL fi +if [ "$USE_ADDRBLOCK" = "yes" ] +then + echo -n " --enable-addrblock" >> $INSTALLSHELL +fi + echo "" >> $INSTALLSHELL echo "make" >> $INSTALLSHELL echo "make install" >> $INSTALLSHELL diff --git a/testing/testing.conf b/testing/testing.conf index c7852d28f..55716ebaa 100755 --- a/testing/testing.conf +++ b/testing/testing.conf @@ -31,7 +31,7 @@ KERNELCONFIG=$UMLTESTDIR/.config-2.6.33 UMLPATCH=$UMLTESTDIR/aes_gmac.patch.bz2 # Bzipped source of strongSwan -STRONGSWAN=$UMLTESTDIR/strongswan-4.4.0.tar.bz2 +STRONGSWAN=$UMLTESTDIR/strongswan-4.4.1.tar.bz2 # strongSwan compile options (use "yes" or "no") USE_LIBCURL="yes" @@ -56,6 +56,7 @@ USE_SOCKET_DEFAULT="yes" USE_SOCKET_DYNAMIC="yes" USE_DHCP="yes" USE_FARP="yes" +USE_ADDRBLOCK="yes" # Gentoo linux root filesystem ROOTFS=$UMLTESTDIR/gentoo-fs-20090615.tar.bz2 diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf index 48b36cec7..dafa85bd1 100644 --- a/testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf +++ b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl pem pkcs1 gcrypt x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl pem pkcs1 gcrypt x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf index 48b36cec7..dafa85bd1 100644 --- a/testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf +++ b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl pem pkcs1 gcrypt x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl pem pkcs1 gcrypt x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/strongswan.conf index 0113aa780..f0e57e827 100644 --- a/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/strongswan.conf +++ b/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl test-vectors pem pkcs1 gcrypt x509 hmac stroke kernel-netlink socket-default updown + load = curl test-vectors pem pkcs1 gcrypt x509 revocation hmac stroke kernel-netlink socket-default updown } libstrongswan { diff --git a/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/strongswan.conf index 6fcefc56a..208f1c36d 100644 --- a/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/strongswan.conf +++ b/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac stroke kernel-netlink socket-default updown + load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown } libstrongswan { diff --git a/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/strongswan.conf index 0113aa780..f0e57e827 100644 --- a/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl test-vectors pem pkcs1 gcrypt x509 hmac stroke kernel-netlink socket-default updown + load = curl test-vectors pem pkcs1 gcrypt x509 revocation hmac stroke kernel-netlink socket-default updown } libstrongswan { diff --git a/testing/tests/ike/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/ike/rw-cert/hosts/dave/etc/strongswan.conf index 774042329..3545a5734 100644 --- a/testing/tests/ike/rw-cert/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ike/rw-cert/hosts/dave/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } libstrongswan { diff --git a/testing/tests/ike/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ike/rw-cert/hosts/moon/etc/strongswan.conf index 1f442a7dd..d84d916a5 100644 --- a/testing/tests/ike/rw-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ike/rw-cert/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random hmac x509 xcbc stroke kernel-netlink socket-raw + load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random hmac x509 revocation xcbc stroke kernel-netlink socket-raw } pluto { diff --git a/testing/tests/ike/rw_v1-net_v2/hosts/moon/etc/strongswan.conf b/testing/tests/ike/rw_v1-net_v2/hosts/moon/etc/strongswan.conf index 831790f1e..38db1e4fc 100644 --- a/testing/tests/ike/rw_v1-net_v2/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ike/rw_v1-net_v2/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random hmac x509 xcbc stroke kernel-netlink socket-raw + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random hmac x509 revocation xcbc stroke kernel-netlink socket-raw } pluto { diff --git a/testing/tests/ike/rw_v1-net_v2/hosts/sun/etc/strongswan.conf b/testing/tests/ike/rw_v1-net_v2/hosts/sun/etc/strongswan.conf index dd2df0670..88f162098 100644 --- a/testing/tests/ike/rw_v1-net_v2/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ike/rw_v1-net_v2/hosts/sun/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ike2/hosts/moon/etc/strongswan.conf b/testing/tests/ike2/hosts/moon/etc/strongswan.conf deleted file mode 100644 index 161934454..000000000 --- a/testing/tests/ike2/hosts/moon/etc/strongswan.conf +++ /dev/null @@ -1,6 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-raw updown - multiple_authentication = no -} diff --git a/testing/tests/ike2/hosts/sun/etc/strongswan.conf b/testing/tests/ike2/hosts/sun/etc/strongswan.conf deleted file mode 100644 index 161934454..000000000 --- a/testing/tests/ike2/hosts/sun/etc/strongswan.conf +++ /dev/null @@ -1,6 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-raw updown - multiple_authentication = no -} diff --git a/testing/tests/ikev1/esp-alg-aes-ccm/evaltest.dat b/testing/tests/ikev1/esp-alg-aes-ccm/evaltest.dat index 14d576909..9c17ae903 100644 --- a/testing/tests/ikev1/esp-alg-aes-ccm/evaltest.dat +++ b/testing/tests/ikev1/esp-alg-aes-ccm/evaltest.dat @@ -3,5 +3,7 @@ moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES moon::ipsec statusall::AES_CCM_12_128::YES carol::ipsec statusall::AES_CCM_12_128::YES +carol::ip xfrm state::aead rfc4309(ccm(aes))::YES +moon::ip xfrm state::aead rfc4309(ccm(aes))::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 180::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 180::YES diff --git a/testing/tests/ikev1/esp-alg-aes-gcm/evaltest.dat b/testing/tests/ikev1/esp-alg-aes-gcm/evaltest.dat index e1fbe4653..da5d7c604 100644 --- a/testing/tests/ikev1/esp-alg-aes-gcm/evaltest.dat +++ b/testing/tests/ikev1/esp-alg-aes-gcm/evaltest.dat @@ -3,5 +3,7 @@ moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES moon::ipsec statusall::AES_GCM_16_256::YES carol::ipsec statusall::AES_GCM_16_256::YES +carol::ip xfrm state::aead rfc4106(gcm(aes))::YES +moon::ip xfrm state::aead rfc4106(gcm(aes))::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 184::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 184::YES diff --git a/testing/tests/ikev1/esp-alg-aes-gmac/evaltest.dat b/testing/tests/ikev1/esp-alg-aes-gmac/evaltest.dat index 3ec271cf1..4678155ee 100644 --- a/testing/tests/ikev1/esp-alg-aes-gmac/evaltest.dat +++ b/testing/tests/ikev1/esp-alg-aes-gmac/evaltest.dat @@ -3,5 +3,7 @@ carol::ipsec statusall::home.*IPsec SA established::YES carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES moon::ipsec statusall::ESP proposal: AES_GMAC_256::YES carol::ipsec statusall::ESP proposal: AES_GMAC_256::YES +carol::ip xfrm state::aead rfc4543(gcm(aes))::YES +moon::ip xfrm state::aead rfc4543(gcm(aes))::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 184::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 184::YES diff --git a/testing/tests/ikev1/ip-pool-db-push/evaltest.dat b/testing/tests/ikev1/ip-pool-db-push/evaltest.dat index 92ef9fc55..9a5c5c7ee 100644 --- a/testing/tests/ikev1/ip-pool-db-push/evaltest.dat +++ b/testing/tests/ikev1/ip-pool-db-push/evaltest.dat @@ -1,14 +1,11 @@ -carol::cat /var/log/auth.log::received IPv4 DNS server address PH_IP_WINNETOU::YES -carol::cat /var/log/auth.log::received IPv4 DNS server address PH_IP_VENUS::YES -carol::cat /var/log/auth.log::received IPv4 NBNS server address PH_IP_VENUS::YES +carol::cat /etc/resolv.conf::nameserver PH_IP_WINNETOU .*from moon.strongswan.org::YES +carol::cat /etc/resolv.conf::nameserver PH_IP_VENUS .*from moon.strongswan.org::YES +carol::cat /var/log/auth.log::handling INTERNAL_IP4_NBNS attribute failed::YES carol::cat /var/log/auth.log::setting virtual IP source address to PH_IP_CAROL1::YES carol::ip addr list dev eth0::PH_IP_CAROL1::YES carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES carol::ipsec status::home.*IPsec SA established::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -dave::cat /var/log/auth.log::received IPv4 DNS server address PH_IP_WINNETOU::YES -dave::cat /var/log/auth.log::received IPv4 DNS server address PH_IP_VENUS::YES -dave::cat /var/log/auth.log::received IPv4 NBNS server address PH_IP_VENUS::YES dave::cat /var/log/auth.log::setting virtual IP source address to PH_IP_DAVE1::YES dave::ip addr list dev eth0::PH_IP_DAVE1::YES dave::ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES diff --git a/testing/tests/ikev1/ip-pool-db-push/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/ip-pool-db-push/hosts/carol/etc/strongswan.conf index d6460a291..c93224ae5 100644 --- a/testing/tests/ikev1/ip-pool-db-push/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev1/ip-pool-db-push/hosts/carol/etc/strongswan.conf @@ -1,5 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no } diff --git a/testing/tests/ikev1/ip-pool-db-push/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/ip-pool-db-push/hosts/dave/etc/strongswan.conf index d6460a291..c93224ae5 100644 --- a/testing/tests/ikev1/ip-pool-db-push/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev1/ip-pool-db-push/hosts/dave/etc/strongswan.conf @@ -1,5 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no } diff --git a/testing/tests/ikev1/ip-pool-db-push/pretest.dat b/testing/tests/ikev1/ip-pool-db-push/pretest.dat index 332280acd..4a2add194 100644 --- a/testing/tests/ikev1/ip-pool-db-push/pretest.dat +++ b/testing/tests/ikev1/ip-pool-db-push/pretest.dat @@ -1,9 +1,9 @@ moon::cat /etc/ipsec.d/tables.sql > /etc/ipsec.d/ipsec.sql moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db moon::ipsec pool --add bigpool --start 10.3.0.1 --end 10.3.3.232 --timeout 0 2> /dev/null -moon::ipsec pool --add dns --server PH_IP_WINNETOU 2> /dev/null -moon::ipsec pool --add dns --server PH_IP_VENUS 2> /dev/null -moon::ipsec pool --add nbns --server PH_IP_VENUS 2> /dev/null +moon::ipsec pool --addattr dns --server PH_IP_WINNETOU 2> /dev/null +moon::ipsec pool --addattr dns --server PH_IP_VENUS 2> /dev/null +moon::ipsec pool --addattr nbns --server PH_IP_VENUS 2> /dev/null moon::/etc/init.d/iptables start 2> /dev/null carol::/etc/init.d/iptables start 2> /dev/null dave::/etc/init.d/iptables start 2> /dev/null diff --git a/testing/tests/ikev1/ip-pool-db/evaltest.dat b/testing/tests/ikev1/ip-pool-db/evaltest.dat index 357e01b2d..566bab972 100644 --- a/testing/tests/ikev1/ip-pool-db/evaltest.dat +++ b/testing/tests/ikev1/ip-pool-db/evaltest.dat @@ -1,14 +1,11 @@ -carol::cat /var/log/auth.log::received IPv4 DNS server address PH_IP_WINNETOU::YES -carol::cat /var/log/auth.log::received IPv4 DNS server address PH_IP_VENUS::YES -carol::cat /var/log/auth.log::received IPv4 NBNS server address PH_IP_VENUS::YES +carol::cat /etc/resolv.conf::nameserver PH_IP_WINNETOU .*from moon.strongswan.org::YES +carol::cat /etc/resolv.conf::nameserver PH_IP_VENUS .*from moon.strongswan.org::YES +carol::cat /var/log/auth.log::handling INTERNAL_IP4_NBNS attribute failed::YES carol::cat /var/log/auth.log::setting virtual IP source address to PH_IP_CAROL1::YES carol::ip addr list dev eth0::PH_IP_CAROL1::YES carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES carol::ipsec status::home.*IPsec SA established::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -dave::cat /var/log/auth.log::received IPv4 DNS server address PH_IP_WINNETOU::YES -dave::cat /var/log/auth.log::received IPv4 DNS server address PH_IP_VENUS::YES -dave::cat /var/log/auth.log::received IPv4 NBNS server address PH_IP_VENUS::YES dave::cat /var/log/auth.log::setting virtual IP source address to PH_IP_DAVE1::YES dave::ip addr list dev eth0::PH_IP_DAVE1::YES dave::ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES diff --git a/testing/tests/ikev1/ip-pool-db/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/ip-pool-db/hosts/carol/etc/strongswan.conf index d6460a291..c93224ae5 100644 --- a/testing/tests/ikev1/ip-pool-db/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev1/ip-pool-db/hosts/carol/etc/strongswan.conf @@ -1,5 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no } diff --git a/testing/tests/ikev1/ip-pool-db/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/ip-pool-db/hosts/dave/etc/strongswan.conf index d6460a291..c93224ae5 100644 --- a/testing/tests/ikev1/ip-pool-db/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev1/ip-pool-db/hosts/dave/etc/strongswan.conf @@ -1,5 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no } diff --git a/testing/tests/ikev1/ip-pool-db/pretest.dat b/testing/tests/ikev1/ip-pool-db/pretest.dat index 332280acd..190672652 100644 --- a/testing/tests/ikev1/ip-pool-db/pretest.dat +++ b/testing/tests/ikev1/ip-pool-db/pretest.dat @@ -1,9 +1,10 @@ moon::cat /etc/ipsec.d/tables.sql > /etc/ipsec.d/ipsec.sql moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db moon::ipsec pool --add bigpool --start 10.3.0.1 --end 10.3.3.232 --timeout 0 2> /dev/null -moon::ipsec pool --add dns --server PH_IP_WINNETOU 2> /dev/null -moon::ipsec pool --add dns --server PH_IP_VENUS 2> /dev/null -moon::ipsec pool --add nbns --server PH_IP_VENUS 2> /dev/null +moon::ipsec pool --addattr dns --server PH_IP_WINNETOU 2> /dev/null +moon::ipsec pool --addattr dns --server PH_IP_VENUS 2> /dev/null +moon::ipsec pool --addattr nbns --server PH_IP_VENUS 2> /dev/null +moon::ipsec pool --statusattr moon::/etc/init.d/iptables start 2> /dev/null carol::/etc/init.d/iptables start 2> /dev/null dave::/etc/init.d/iptables start 2> /dev/null diff --git a/testing/tests/ikev1/mode-config-multiple/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/mode-config-multiple/hosts/moon/etc/ipsec.conf index 2f772cfdd..ce760a473 100755 --- a/testing/tests/ikev1/mode-config-multiple/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/mode-config-multiple/hosts/moon/etc/ipsec.conf @@ -20,30 +20,32 @@ conn %default conn carol-alice also=carol leftsubnet=10.1.0.10/32 + rightsourceip=10.3.0.1 auto=add conn carol-venus also=carol leftsubnet=10.1.0.20/32 + rightsourceip=%carol-alice auto=add conn carol right=%any rightid=carol@strongswan.org - rightsourceip=10.3.0.1 conn dave-alice also=dave leftsubnet=10.1.0.10/32 + rightsourceip=10.3.0.2 auto=add conn dave-venus also=dave leftsubnet=10.1.0.20/32 + rightsourceip=%dave-alice auto=add conn dave right=%any rightid=dave@strongswan.org - rightsourceip=10.3.0.2 diff --git a/testing/tests/ikev1/mode-config-push/evaltest.dat b/testing/tests/ikev1/mode-config-push/evaltest.dat index 7de32d681..3135a18fb 100644 --- a/testing/tests/ikev1/mode-config-push/evaltest.dat +++ b/testing/tests/ikev1/mode-config-push/evaltest.dat @@ -1,4 +1,6 @@ carol::cat /var/log/auth.log::setting virtual IP source address to 10.3.0.1::YES +carol::cat /etc/resolv.conf::nameserver PH_IP_WINNETOU .*from moon.strongswan.org::YES +carol::cat /etc/resolv.conf::nameserver PH_IP_VENUS .*from moon.strongswan.org::YES carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES dave::cat /var/log/auth.log::setting virtual IP source address to 10.3.0.2::YES diff --git a/testing/tests/ikev1/mode-config-push/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/mode-config-push/hosts/carol/etc/ipsec.conf index 36a4e2fb1..594f2c59b 100755 --- a/testing/tests/ikev1/mode-config-push/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/mode-config-push/hosts/carol/etc/ipsec.conf @@ -10,6 +10,7 @@ conn %default ikelifetime=60m keylife=20m rekeymargin=3m + rekey=no keyingtries=1 conn home diff --git a/testing/tests/ikev1/mode-config-push/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/mode-config-push/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..c93224ae5 --- /dev/null +++ b/testing/tests/ikev1/mode-config-push/hosts/carol/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/mode-config-push/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/mode-config-push/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..c93224ae5 --- /dev/null +++ b/testing/tests/ikev1/mode-config-push/hosts/dave/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/mode-config-push/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/mode-config-push/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..797025c4d --- /dev/null +++ b/testing/tests/ikev1/mode-config-push/hosts/moon/etc/strongswan.conf @@ -0,0 +1,13 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl attr + dns1 = PH_IP_WINNETOU + dns2 = PH_IP_VENUS +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/mode-config/evaltest.dat b/testing/tests/ikev1/mode-config/evaltest.dat index 69f77946e..7355a0560 100644 --- a/testing/tests/ikev1/mode-config/evaltest.dat +++ b/testing/tests/ikev1/mode-config/evaltest.dat @@ -1,6 +1,6 @@ carol::cat /var/log/auth.log::setting virtual IP source address to PH_IP_CAROL1::YES -carol::cat /var/log/auth.log::received IPv4 DNS server address PH_IP_WINNETOU::YES -carol::cat /var/log/auth.log::received IPv6 DNS server address fec1\:\:20::YES +carol::cat /etc/resolv.conf::nameserver PH_IP_WINNETOU .*from moon.strongswan.org::YES +carol::cat /etc/resolv.conf::nameserver PH_IP_VENUS .*from moon.strongswan.org::YES carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES dave::cat /var/log/auth.log::setting virtual IP source address to PH_IP_DAVE1::YES diff --git a/testing/tests/ikev1/mode-config/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/mode-config/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..c93224ae5 --- /dev/null +++ b/testing/tests/ikev1/mode-config/hosts/carol/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/mode-config/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/mode-config/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..c93224ae5 --- /dev/null +++ b/testing/tests/ikev1/mode-config/hosts/dave/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/mode-config/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/mode-config/hosts/moon/etc/ipsec.conf index 10ae2261b..ce26fc5e9 100755 --- a/testing/tests/ikev1/mode-config/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/mode-config/hosts/moon/etc/ipsec.conf @@ -11,6 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 + rekey=no left=PH_IP_MOON leftsubnet=10.1.0.0/16 leftsourceip=PH_IP_MOON1 diff --git a/testing/tests/ikev1/mode-config/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/mode-config/hosts/moon/etc/strongswan.conf index 21493adc3..797025c4d 100644 --- a/testing/tests/ikev1/mode-config/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev1/mode-config/hosts/moon/etc/strongswan.conf @@ -3,7 +3,7 @@ pluto { load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl attr dns1 = PH_IP_WINNETOU - dns2 = PH_IP6_VENUS + dns2 = PH_IP_VENUS } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/research_by_salesCert.pem b/testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/research_by_salesCert.pem index efb939e3a..37ef9c665 100644 --- a/testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/research_by_salesCert.pem +++ b/testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/research_by_salesCert.pem @@ -1,7 +1,7 @@ -----BEGIN CERTIFICATE----- -MIID/TCCAuWgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBLMQswCQYDVQQGEwJDSDEZ +MIID/TCCAuWgAwIBAgIBBjANBgkqhkiG9w0BAQsFADBLMQswCQYDVQQGEwJDSDEZ MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEOMAwGA1UECxMFU2FsZXMxETAPBgNV -BAMTCFNhbGVzIENBMB4XDTA1MDYxNjE5NTUzNloXDTEwMDYxNTE5NTUzNlowUTEL +BAMTCFNhbGVzIENBMB4XDTEwMDcwMzE1MjgyOVoXDTE1MDcwMjE1MjgyOVowUTEL MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsT CFJlc2VhcmNoMRQwEgYDVQQDEwtSZXNlYXJjaCBDQTCCASIwDQYJKoZIhvcNAQEB BQADggEPADCCAQoCggEBALY5sjqm4AdbWKc/T7JahWpy9xtdPbHngBN6lbnpYaHf @@ -13,12 +13,12 @@ m+0iNKy0C+25IuE8Nq+i3jtBiI8BwBqHY3u2IuflUh9Nc9d/R6vGsRPMHs30X1Ha HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU53XwoPKtIM3NYCPM x8gPKfPdVCAwbQYDVR0jBGYwZIAUX5sTRvkgcsgA1Yi1p0wul+oLkyihSaRHMEUx CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQD -ExJzdHJvbmdTd2FuIFJvb3QgQ0GCAQ0wNAYDVR0fBC0wKzApoCegJYYjaHR0cDov -L2NybC5zdHJvbmdzd2FuLm9yZy9zYWxlcy5jcmwwDQYJKoZIhvcNAQEFBQADggEB -AJ2EkXnpgdJpsBIMcH+3oTUks8gAT5bR+LdVQSMHqvjgfaCq5fuZY15niLm5QeFr -Yhv2KtfHfF+tZgE+qWcqS33Y2U/jwUMO45Wqi5HXQDk8AM/gcvQZ8+PINkGdVdup -Wyw3MM08S/fp8UUl/3QrDr+CBGqZCSx3LEIFILm2hvdXK1/okAtkwlKV4YiOEemg -pZURzA2M29FeGDS8snfiVYFBkydT9QrrHnx8IwyVGykfOA4tnjRsjTvcs0qhtLcL -rjK2FSmzBTCVl6/lBOYmB765KUHev6WF4hdMKHf7lsH2nhYb97jxoT54y73jVd1S -uaJ2yDwEhOHn3ihb1bqlanM= +ExJzdHJvbmdTd2FuIFJvb3QgQ0GCASEwNAYDVR0fBC0wKzApoCegJYYjaHR0cDov +L2NybC5zdHJvbmdzd2FuLm9yZy9zYWxlcy5jcmwwDQYJKoZIhvcNAQELBQADggEB +ALRTVUS8bpb3NrwWV/aIE6K9MvtX1kPzMUbZgykwOm4g1jfDmqbPw28X6YZESQ2B +bG1QRh3SUpSoT5vplPcD4OCv3ORKACzGhx4xemd7TpYP8dnptfk66cfFCP+It0t4 +hP45BqlgVZfd5ZAO/ogRQ+2s79Obc5XPq/ShGvConGVOPDuqkWrP/ISIMdBXFHqk +WyW24e/Kzq7pPMG18Ect7NA4gRXSiWx0U33lhWNasPvSKtKgC6dcmRNqjyTHQoFy +02FLgKP1p214ThLkSr9dgHT6e69R7ES9Vin3DUgPuJdlXcax/BWm6gLugqHcXVGF +yuVPkDSgPds6m0KQcEVnuaU= -----END CERTIFICATE----- diff --git a/testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/sales_by_researchCert.pem b/testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/sales_by_researchCert.pem index 90e207c4b..0a435b90d 100644 --- a/testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/sales_by_researchCert.pem +++ b/testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/sales_by_researchCert.pem @@ -1,8 +1,8 @@ -----BEGIN CERTIFICATE----- -MIIEADCCAuigAwIBAgIBAjANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJDSDEZ +MIIEADCCAuigAwIBAgIBBzANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS -BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTA1MDYxNjE5NTcxMFoXDTEwMDYxNTE5NTcx -MFowSzELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAM +BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTEwMDcwMzE1MTgzOVoXDTE1MDcwMjE1MTgz +OVowSzELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAM BgNVBAsTBVNhbGVzMREwDwYDVQQDEwhTYWxlcyBDQTCCASIwDQYJKoZIhvcNAQEB BQADggEPADCCAQoCggEBAMJOTSaZjDe5UR+hJbodcE40WBxWm+r0FiD+FLc2c0hH /QcWm1Xfqnc9qaPPGoxO2BfwXgFEHfOdQzHGuthhsvdMPkmWP1Z3uDrwscqrmLyq @@ -13,12 +13,12 @@ gbBRI1A3iqoU3Nq1vPAqzrekOI/RV9Hre9L1r8X1dIECAwEAAaOB6DCB5TAPBgNV HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUX5sTRvkgcsgA1Yi1 p0wul+oLkygwbQYDVR0jBGYwZIAU53XwoPKtIM3NYCPMx8gPKfPdVCChSaRHMEUx CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQD -ExJzdHJvbmdTd2FuIFJvb3QgQ0GCAQwwNwYDVR0fBDAwLjAsoCqgKIYmaHR0cDov -L2NybC5zdHJvbmdzd2FuLm9yZy9yZXNlYXJjaC5jcmwwDQYJKoZIhvcNAQEFBQAD -ggEBAJW0/z17JK38rsn8zh0Ta+9Ql5fcA9UIUGcN/KfCvdGwrYaym8Dy6Pz+sZkO -clOv5t+3R1zKDiiLGQ4m8jYW6NcxeJZyyPhGtKaafanXZsQuMpaTpvkRr62jx/NB -b3c/HS3dqz2dTMvFJ6CC65vOnnGgzF1szhrrWymGI/NuHUge748WYPNw+OsLmBQI -koXJsMURGtPWXtJE98Rre+r/6O5kzZNv7V8LGoBkWf1Z6g1q2VvCcnJPxANcQoxf -Is+E+aqBhGJ6XlnQIlQB1SjoMhOnJ282JK9Hk3NmQYb/zvIzIfo3FCrjj1JI/XoA -/szZoxwnE2iHtIoMAhfHZpRvOkg= +ExJzdHJvbmdTd2FuIFJvb3QgQ0GCASAwNwYDVR0fBDAwLjAsoCqgKIYmaHR0cDov +L2NybC5zdHJvbmdzd2FuLm9yZy9yZXNlYXJjaC5jcmwwDQYJKoZIhvcNAQELBQAD +ggEBADPiBfTbTkHwRdpt4iAY/wx0AKKwnF636+1E+m8dHn1HhTU8FZkiRCsRSRdx +qpzprMga6v7ksV29CIJpTciaD48S2zWNsiQ2vfNB4UenG4wKVG8742CQakCzZk/7 +MrHutk+VDcN3oGcu4gFECPzrZiYPTVv74PCFRfd37SYlXmN0KF0Ivzgu2DNwJNMD +Aa6sHs+/8H/7BbzHxUZkT7zrTuy4M5FGIKllQBxALp/8N/LN4vz0ZbLgbNU7Eo16 +EikbEASUs3Scmna+dFBSfexf0G9oqvHvxjWPiZRw6ZrS5TZkAE1DmdqLWwTNq/Fo +aeDWsllgAdqMA2fL7i9tsFHZVYk= -----END CERTIFICATE----- diff --git a/testing/tests/ikev1/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-cert/hosts/carol/etc/strongswan.conf index c2d2b14ac..72ff765c3 100644 --- a/testing/tests/ikev1/rw-cert/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev1/rw-cert/hosts/carol/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = test-vectors sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl + load = test-vectors sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/ikev1/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-cert/hosts/moon/etc/strongswan.conf index 3ec745baa..72ff765c3 100644 --- a/testing/tests/ikev1/rw-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev1/rw-cert/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = test-vectors sha1 sha2 md5 aes des hmac pem pkcs1 x509 x509 gmp random curl + load = test-vectors sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/ikev1/xauth-psk-mode-config/description.txt b/testing/tests/ikev1/xauth-id-psk-mode-config/description.txt index 9abe6298c..191011747 100644 --- a/testing/tests/ikev1/xauth-psk-mode-config/description.txt +++ b/testing/tests/ikev1/xauth-id-psk-mode-config/description.txt @@ -2,8 +2,8 @@ The roadwarriors <b>carol</b> and <b>dave</b> set up a connection to gateway <b> The authentication is based on Pre-Shared Keys (<b>PSK</b>) followed by extended authentication (<b>XAUTH</b>) of <b>carol</b> and <b>dave</b> based on user names and passwords. Next <b>carol</b> and <b>dave</b> request a -<b>virtual IP</b> via the IKE Mode Config protocol by using the -<b>leftsourceip=%modeconfig</b> parameter. +<b>virtual IP</b> via the IKE Mode Config protocol by using the <b>leftsourceip=%modeconfig</b> +parameter. The virtual IP addresses are registered under the users' XAUTH identity. <p> Upon the successful establishment of the IPsec tunnel, leftfirewall=yes automatically inserts iptables-based firewall rules that let pass the tunneled traffic. diff --git a/testing/tests/ikev1/xauth-psk-mode-config/evaltest.dat b/testing/tests/ikev1/xauth-id-psk-mode-config/evaltest.dat index 15dd054a0..4552cfe61 100644 --- a/testing/tests/ikev1/xauth-psk-mode-config/evaltest.dat +++ b/testing/tests/ikev1/xauth-id-psk-mode-config/evaltest.dat @@ -1,11 +1,9 @@ carol::cat /var/log/auth.log::extended authentication was successful::YES dave::cat /var/log/auth.log::extended authentication was successful::YES -moon::cat /var/log/auth.log::carol.*extended authentication was successful::YES -moon::cat /var/log/auth.log::dave.*extended authentication was successful::YES +moon::ipsec leases rw 10.3.0.1::carol::YES +moon::ipsec leases rw 10.3.0.2::dave::YES carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES -moon::ipsec status::carol.*STATE_QUICK_R2.*IPsec SA established::YES -moon::ipsec status::dave.*STATE_QUICK_R2.*IPsec SA established::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ikev1/xauth-psk-mode-config/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/carol/etc/ipsec.conf index 747f4b6bf..aa0ae1289 100644 --- a/testing/tests/ikev1/xauth-psk-mode-config/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/carol/etc/ipsec.conf @@ -21,4 +21,5 @@ conn home right=PH_IP_MOON rightid=@moon.strongswan.org rightsubnet=10.1.0.0/16 + xauth_identity=carol auto=add diff --git a/testing/tests/ikev1/xauth-psk-mode-config/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/carol/etc/ipsec.secrets index d2bba2f4c..e5adf3e8e 100644 --- a/testing/tests/ikev1/xauth-psk-mode-config/hosts/carol/etc/ipsec.secrets +++ b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/carol/etc/ipsec.secrets @@ -6,4 +6,4 @@ carol@strongswan.org @moon.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21 carol@strongswan.org @sun.strongswan.org : PSK 0sR64pR6y0S5d6d8rNhUIM7aPbdjND4st5 -: XAUTH carol "4iChxLT3" +carol : XAUTH "4iChxLT3" diff --git a/testing/tests/ikev1/xauth-psk-mode-config/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/carol/etc/strongswan.conf index 85e5f1aee..dbd431cc2 100644 --- a/testing/tests/ikev1/xauth-psk-mode-config/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/carol/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = sha1 sha2 md5 aes des hmac gmp random + load = sha1 sha2 md5 aes des hmac gmp random xauth } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/ikev1/xauth-psk-mode-config/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/dave/etc/ipsec.conf index 0193c0512..0243f5afb 100644 --- a/testing/tests/ikev1/xauth-psk-mode-config/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/dave/etc/ipsec.conf @@ -21,4 +21,5 @@ conn home right=PH_IP_MOON rightid=@moon.strongswan.org rightsubnet=10.1.0.0/16 + xauth_identity=dave auto=add diff --git a/testing/tests/ikev1/xauth-psk-mode-config/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/dave/etc/ipsec.secrets index 0690d9cde..25e8c2796 100644 --- a/testing/tests/ikev1/xauth-psk-mode-config/hosts/dave/etc/ipsec.secrets +++ b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/dave/etc/ipsec.secrets @@ -2,4 +2,4 @@ : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL -: XAUTH dave "ryftzG4A" +dave : XAUTH "ryftzG4A" diff --git a/testing/tests/ikev1/xauth-psk-mode-config/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/dave/etc/strongswan.conf index 85e5f1aee..dbd431cc2 100644 --- a/testing/tests/ikev1/xauth-psk-mode-config/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/dave/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = sha1 sha2 md5 aes des hmac gmp random + load = sha1 sha2 md5 aes des hmac gmp random xauth } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/ikev1/xauth-psk-mode-config/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/moon/etc/ipsec.conf index 98598b04c..4206f8916 100644 --- a/testing/tests/ikev1/xauth-psk-mode-config/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/moon/etc/ipsec.conf @@ -13,17 +13,12 @@ conn %default keyingtries=1 authby=xauthpsk xauth=server + +conn rw left=PH_IP_MOON leftid=@moon.strongswan.org leftsubnet=10.1.0.0/16 leftfirewall=yes right=%any + rightsourceip=10.3.0.0/24 auto=add - -conn carol - rightid=carol@strongswan.org - rightsourceip=PH_IP_CAROL1 - -conn dave - rightid=dave@strongswan.org - rightsourceip=PH_IP_DAVE1 diff --git a/testing/tests/ikev1/xauth-psk-mode-config/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/moon/etc/ipsec.secrets index 1ea69f998..20d8e0269 100644 --- a/testing/tests/ikev1/xauth-psk-mode-config/hosts/moon/etc/ipsec.secrets +++ b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/moon/etc/ipsec.secrets @@ -2,6 +2,6 @@ @moon.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL -: XAUTH carol "4iChxLT3" +carol : XAUTH "4iChxLT3" -: XAUTH dave "ryftzG4A" +dave : XAUTH "ryftzG4A" diff --git a/testing/tests/ikev1/xauth-psk-mode-config/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/moon/etc/strongswan.conf index 85e5f1aee..dbd431cc2 100644 --- a/testing/tests/ikev1/xauth-psk-mode-config/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = sha1 sha2 md5 aes des hmac gmp random + load = sha1 sha2 md5 aes des hmac gmp random xauth } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/ikev1/xauth-psk-mode-config/posttest.dat b/testing/tests/ikev1/xauth-id-psk-mode-config/posttest.dat index 42fa8359b..42fa8359b 100644 --- a/testing/tests/ikev1/xauth-psk-mode-config/posttest.dat +++ b/testing/tests/ikev1/xauth-id-psk-mode-config/posttest.dat diff --git a/testing/tests/ikev1/xauth-psk-mode-config/pretest.dat b/testing/tests/ikev1/xauth-id-psk-mode-config/pretest.dat index 95a6be131..95a6be131 100644 --- a/testing/tests/ikev1/xauth-psk-mode-config/pretest.dat +++ b/testing/tests/ikev1/xauth-id-psk-mode-config/pretest.dat diff --git a/testing/tests/ikev1/xauth-psk-mode-config/test.conf b/testing/tests/ikev1/xauth-id-psk-mode-config/test.conf index 75510b295..75510b295 100644 --- a/testing/tests/ikev1/xauth-psk-mode-config/test.conf +++ b/testing/tests/ikev1/xauth-id-psk-mode-config/test.conf diff --git a/testing/tests/ikev1/xauth-id-psk/description.txt b/testing/tests/ikev1/xauth-id-psk/description.txt new file mode 100644 index 000000000..0ac2043c2 --- /dev/null +++ b/testing/tests/ikev1/xauth-id-psk/description.txt @@ -0,0 +1,9 @@ +The roadwarriors <b>carol</b> and <b>dave</b> set up a connection to gateway <b>moon</b>. +The authentication is based on Pre-Shared Keys (<b>PSK</b>) +followed by extended authentication (<b>XAUTH</b>) of <b>carol</b> and <b>dave</b> +based on user names and passwords. +<p> +Upon the successful establishment of the IPsec tunnel, leftfirewall=yes automatically +inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, <b>carol</b> and <b>dave</b> ping the client +<b>alice</b> behind the gateway <b>moon</b>. diff --git a/testing/tests/ikev1/xauth-id-psk/evaltest.dat b/testing/tests/ikev1/xauth-id-psk/evaltest.dat new file mode 100644 index 000000000..b019f8d76 --- /dev/null +++ b/testing/tests/ikev1/xauth-id-psk/evaltest.dat @@ -0,0 +1,14 @@ +carol::cat /var/log/auth.log::extended authentication was successful::YES +dave::cat /var/log/auth.log::extended authentication was successful::YES +moon::cat /var/log/auth.log::xauth user name is .*carol::YES +moon::cat /var/log/auth.log::xauth user name is .*dave::YES +moon::cat /var/log/auth.log::extended authentication was successful::YES +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES diff --git a/testing/tests/ikev1/xauth-id-psk/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-psk/hosts/carol/etc/ipsec.conf new file mode 100644 index 000000000..48015ad4c --- /dev/null +++ b/testing/tests/ikev1/xauth-id-psk/hosts/carol/etc/ipsec.conf @@ -0,0 +1,22 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + authby=xauthpsk + +conn home + left=PH_IP_CAROL + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + xauth_identity=carol + auto=add diff --git a/testing/tests/ikev1/xauth-id-psk/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/xauth-id-psk/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..7a272a371 --- /dev/null +++ b/testing/tests/ikev1/xauth-id-psk/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,5 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL + +carol : XAUTH "4iChxLT3" diff --git a/testing/tests/ikev1/xauth-id-psk/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-psk/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..dbd431cc2 --- /dev/null +++ b/testing/tests/ikev1/xauth-id-psk/hosts/carol/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = sha1 sha2 md5 aes des hmac gmp random xauth +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/xauth-id-psk/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-psk/hosts/dave/etc/ipsec.conf new file mode 100644 index 000000000..baa85e32c --- /dev/null +++ b/testing/tests/ikev1/xauth-id-psk/hosts/dave/etc/ipsec.conf @@ -0,0 +1,22 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + authby=xauthpsk + +conn home + left=PH_IP_DAVE + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + xauth_identity=dave + auto=add diff --git a/testing/tests/ikev1/xauth-id-psk/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev1/xauth-id-psk/hosts/dave/etc/ipsec.secrets new file mode 100644 index 000000000..25e8c2796 --- /dev/null +++ b/testing/tests/ikev1/xauth-id-psk/hosts/dave/etc/ipsec.secrets @@ -0,0 +1,5 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL + +dave : XAUTH "ryftzG4A" diff --git a/testing/tests/ikev1/xauth-id-psk/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-psk/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..dbd431cc2 --- /dev/null +++ b/testing/tests/ikev1/xauth-id-psk/hosts/dave/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = sha1 sha2 md5 aes des hmac gmp random xauth +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/xauth-id-psk/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-psk/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..c92ad8748 --- /dev/null +++ b/testing/tests/ikev1/xauth-id-psk/hosts/moon/etc/ipsec.conf @@ -0,0 +1,22 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + authby=xauthpsk + xauth=server + +conn rw + left=PH_IP_MOON + leftsubnet=10.1.0.0/16 + leftfirewall=yes + right=%any + auto=add diff --git a/testing/tests/ikev1/xauth-id-psk/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/xauth-id-psk/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..3f86fa594 --- /dev/null +++ b/testing/tests/ikev1/xauth-id-psk/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,7 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +PH_IP_MOON %any : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL + +carol : XAUTH "4iChxLT3" + +dave : XAUTH "ryftzG4A" diff --git a/testing/tests/ikev1/xauth-id-psk/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-psk/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..dbd431cc2 --- /dev/null +++ b/testing/tests/ikev1/xauth-id-psk/hosts/moon/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = sha1 sha2 md5 aes des hmac gmp random xauth +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/xauth-id-psk/posttest.dat b/testing/tests/ikev1/xauth-id-psk/posttest.dat new file mode 100644 index 000000000..7cebd7f25 --- /dev/null +++ b/testing/tests/ikev1/xauth-id-psk/posttest.dat @@ -0,0 +1,6 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +dave::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev1/xauth-id-psk/pretest.dat b/testing/tests/ikev1/xauth-id-psk/pretest.dat new file mode 100644 index 000000000..95a6be131 --- /dev/null +++ b/testing/tests/ikev1/xauth-id-psk/pretest.dat @@ -0,0 +1,12 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +dave::/etc/init.d/iptables start 2> /dev/null +moon::rm /etc/ipsec.d/cacerts/* +carol::rm /etc/ipsec.d/cacerts/* +dave::rm /etc/ipsec.d/cacerts/* +moon::ipsec start +carol::ipsec start +dave::ipsec start +carol::sleep 2 +carol::ipsec up home +dave::ipsec up home diff --git a/testing/tests/ikev1/xauth-id-psk/test.conf b/testing/tests/ikev1/xauth-id-psk/test.conf new file mode 100644 index 000000000..70416826e --- /dev/null +++ b/testing/tests/ikev1/xauth-id-psk/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev1/xauth-id-rsa/description.txt b/testing/tests/ikev1/xauth-id-rsa/description.txt new file mode 100644 index 000000000..9483c8f39 --- /dev/null +++ b/testing/tests/ikev1/xauth-id-rsa/description.txt @@ -0,0 +1,10 @@ +The roadwarriors <b>carol</b> and <b>dave</b> set up a connection to gateway <b>moon</b>. +The authentication is based on RSA signatures (<b>RSASIG</b>) using X.509 certificates +followed by extended authentication (<b>XAUTH</b>) of <b>carol</b> and <b>dave</b> +based on user names defined by the <b>xauth_identity</b> parameter (<b>carol</b> and <b>dave</b>, +respectively) and corresponding user passwords defined and stored in ipsec.secrets. +<p> +Upon the successful establishment of the IPsec tunnel, leftfirewall=yes automatically +inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, <b>carol</b> and <b>dave</b> ping the client +<b>alice</b> behind the gateway <b>moon</b>. diff --git a/testing/tests/ikev1/xauth-id-rsa/evaltest.dat b/testing/tests/ikev1/xauth-id-rsa/evaltest.dat new file mode 100644 index 000000000..b019f8d76 --- /dev/null +++ b/testing/tests/ikev1/xauth-id-rsa/evaltest.dat @@ -0,0 +1,14 @@ +carol::cat /var/log/auth.log::extended authentication was successful::YES +dave::cat /var/log/auth.log::extended authentication was successful::YES +moon::cat /var/log/auth.log::xauth user name is .*carol::YES +moon::cat /var/log/auth.log::xauth user name is .*dave::YES +moon::cat /var/log/auth.log::extended authentication was successful::YES +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES diff --git a/testing/tests/ikev1/xauth-id-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-rsa/hosts/carol/etc/ipsec.conf new file mode 100644 index 000000000..32b1227bb --- /dev/null +++ b/testing/tests/ikev1/xauth-id-rsa/hosts/carol/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + authby=xauthrsasig + +conn home + left=PH_IP_CAROL + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + xauth_identity=carol + auto=add diff --git a/testing/tests/ikev1/xauth-id-rsa/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/xauth-id-rsa/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..29492b5f9 --- /dev/null +++ b/testing/tests/ikev1/xauth-id-rsa/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,5 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA carolKey.pem "nH5ZQEWtku0RJEZ6" + +carol : XAUTH "4iChxLT3" diff --git a/testing/tests/ikev1/xauth-id-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..556f76c74 --- /dev/null +++ b/testing/tests/ikev1/xauth-id-rsa/hosts/carol/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/xauth-id-rsa/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-rsa/hosts/dave/etc/ipsec.conf new file mode 100644 index 000000000..090deac77 --- /dev/null +++ b/testing/tests/ikev1/xauth-id-rsa/hosts/dave/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + authby=xauthrsasig + +conn home + left=PH_IP_DAVE + leftcert=daveCert.pem + leftid=dave@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + xauth_identity=dave + auto=add diff --git a/testing/tests/ikev1/xauth-id-rsa/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev1/xauth-id-rsa/hosts/dave/etc/ipsec.secrets new file mode 100644 index 000000000..8cf7db530 --- /dev/null +++ b/testing/tests/ikev1/xauth-id-rsa/hosts/dave/etc/ipsec.secrets @@ -0,0 +1,5 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA daveKey.pem + +dave : XAUTH "ryftzG4A" diff --git a/testing/tests/ikev1/xauth-id-rsa/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..556f76c74 --- /dev/null +++ b/testing/tests/ikev1/xauth-id-rsa/hosts/dave/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/xauth-id-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-rsa/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..f79a81a6f --- /dev/null +++ b/testing/tests/ikev1/xauth-id-rsa/hosts/moon/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + authby=xauthrsasig + xauth=server + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + leftfirewall=yes + right=%any + auto=add diff --git a/testing/tests/ikev1/xauth-id-rsa/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/xauth-id-rsa/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..fef50218a --- /dev/null +++ b/testing/tests/ikev1/xauth-id-rsa/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,7 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA moonKey.pem + +carol : XAUTH "4iChxLT3" + +dave : XAUTH "ryftzG4A" diff --git a/testing/tests/ikev1/xauth-id-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..556f76c74 --- /dev/null +++ b/testing/tests/ikev1/xauth-id-rsa/hosts/moon/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/xauth-id-rsa/posttest.dat b/testing/tests/ikev1/xauth-id-rsa/posttest.dat new file mode 100644 index 000000000..7cebd7f25 --- /dev/null +++ b/testing/tests/ikev1/xauth-id-rsa/posttest.dat @@ -0,0 +1,6 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +dave::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev1/xauth-id-rsa/pretest.dat b/testing/tests/ikev1/xauth-id-rsa/pretest.dat new file mode 100644 index 000000000..78e2d57f8 --- /dev/null +++ b/testing/tests/ikev1/xauth-id-rsa/pretest.dat @@ -0,0 +1,9 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +dave::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +carol::ipsec start +dave::ipsec start +carol::sleep 2 +carol::ipsec up home +dave::ipsec up home diff --git a/testing/tests/ikev1/xauth-id-rsa/test.conf b/testing/tests/ikev1/xauth-id-rsa/test.conf new file mode 100644 index 000000000..70416826e --- /dev/null +++ b/testing/tests/ikev1/xauth-id-rsa/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev1/xauth-psk/evaltest.dat b/testing/tests/ikev1/xauth-psk/evaltest.dat index e1dc6b5b0..786043065 100644 --- a/testing/tests/ikev1/xauth-psk/evaltest.dat +++ b/testing/tests/ikev1/xauth-psk/evaltest.dat @@ -1,5 +1,7 @@ carol::cat /var/log/auth.log::extended authentication was successful::YES dave::cat /var/log/auth.log::extended authentication was successful::YES +moon::cat /var/log/auth.log::xauth user name is .*carol@strongswan.org::YES +moon::cat /var/log/auth.log::xauth user name is .*dave@strongswan.org::YES moon::cat /var/log/auth.log::extended authentication was successful::YES carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES diff --git a/testing/tests/ikev1/xauth-psk/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-psk/hosts/carol/etc/ipsec.conf index b5ec4c4af..684ace0d3 100644 --- a/testing/tests/ikev1/xauth-psk/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/xauth-psk/hosts/carol/etc/ipsec.conf @@ -15,7 +15,9 @@ conn %default conn home left=PH_IP_CAROL + leftid=carol@strongswan.org leftfirewall=yes right=PH_IP_MOON + rightid=moon.strongswan.org rightsubnet=10.1.0.0/16 auto=add diff --git a/testing/tests/ikev1/xauth-psk/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/xauth-psk/hosts/carol/etc/ipsec.secrets index 70ea1dab6..a899783bd 100644 --- a/testing/tests/ikev1/xauth-psk/hosts/carol/etc/ipsec.secrets +++ b/testing/tests/ikev1/xauth-psk/hosts/carol/etc/ipsec.secrets @@ -2,4 +2,4 @@ : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL -: XAUTH carol "4iChxLT3" +carol@strongswan.org : XAUTH "4iChxLT3" diff --git a/testing/tests/ikev1/xauth-psk/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-psk/hosts/carol/etc/strongswan.conf index 85e5f1aee..dbd431cc2 100644 --- a/testing/tests/ikev1/xauth-psk/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev1/xauth-psk/hosts/carol/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = sha1 sha2 md5 aes des hmac gmp random + load = sha1 sha2 md5 aes des hmac gmp random xauth } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/ikev1/xauth-psk/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/xauth-psk/hosts/dave/etc/ipsec.conf index a353e3f12..14307a7f0 100644 --- a/testing/tests/ikev1/xauth-psk/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev1/xauth-psk/hosts/dave/etc/ipsec.conf @@ -15,7 +15,9 @@ conn %default conn home left=PH_IP_DAVE + leftid=dave@strongswan.org leftfirewall=yes right=PH_IP_MOON + rightid=moon.strongswan.org rightsubnet=10.1.0.0/16 auto=add diff --git a/testing/tests/ikev1/xauth-psk/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev1/xauth-psk/hosts/dave/etc/ipsec.secrets index 0690d9cde..1c8506152 100644 --- a/testing/tests/ikev1/xauth-psk/hosts/dave/etc/ipsec.secrets +++ b/testing/tests/ikev1/xauth-psk/hosts/dave/etc/ipsec.secrets @@ -2,4 +2,4 @@ : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL -: XAUTH dave "ryftzG4A" +dave@strongswan.org : XAUTH "ryftzG4A" diff --git a/testing/tests/ikev1/xauth-psk/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-psk/hosts/dave/etc/strongswan.conf index 85e5f1aee..dbd431cc2 100644 --- a/testing/tests/ikev1/xauth-psk/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev1/xauth-psk/hosts/dave/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = sha1 sha2 md5 aes des hmac gmp random + load = sha1 sha2 md5 aes des hmac gmp random xauth } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/ikev1/xauth-psk/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-psk/hosts/moon/etc/ipsec.conf index c92ad8748..a4e01b564 100644 --- a/testing/tests/ikev1/xauth-psk/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/xauth-psk/hosts/moon/etc/ipsec.conf @@ -16,6 +16,7 @@ conn %default conn rw left=PH_IP_MOON + leftid=moon.strongswan.org leftsubnet=10.1.0.0/16 leftfirewall=yes right=%any diff --git a/testing/tests/ikev1/xauth-psk/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/xauth-psk/hosts/moon/etc/ipsec.secrets index 047d6c235..ae45ea03e 100644 --- a/testing/tests/ikev1/xauth-psk/hosts/moon/etc/ipsec.secrets +++ b/testing/tests/ikev1/xauth-psk/hosts/moon/etc/ipsec.secrets @@ -1,7 +1,7 @@ # /etc/ipsec.secrets - strongSwan IPsec secrets file -PH_IP_MOON %any : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL +moon.strongswan.org %any : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL -: XAUTH carol "4iChxLT3" +carol@strongswan.org : XAUTH "4iChxLT3" -: XAUTH dave "ryftzG4A" +dave@strongswan.org : XAUTH "ryftzG4A" diff --git a/testing/tests/ikev1/xauth-psk/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-psk/hosts/moon/etc/strongswan.conf index 85e5f1aee..dbd431cc2 100644 --- a/testing/tests/ikev1/xauth-psk/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev1/xauth-psk/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = sha1 sha2 md5 aes des hmac gmp random + load = sha1 sha2 md5 aes des hmac gmp random xauth } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/ipsec.secrets index 24506be09..13e6e0656 100644 --- a/testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/ipsec.secrets +++ b/testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/ipsec.secrets @@ -2,4 +2,4 @@ : RSA carolKey.pem "nH5ZQEWtku0RJEZ6" -: XAUTH carol "4iChxLT8" +carol@strongswan.org : XAUTH "4iChxLT8" diff --git a/testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..556f76c74 --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/ipsec.secrets index a18e885f8..2586f5f39 100644 --- a/testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/ipsec.secrets +++ b/testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/ipsec.secrets @@ -2,4 +2,4 @@ : RSA moonKey.pem -: XAUTH carol "4iChxLT3" +carol@strongswan.org : XAUTH "4iChxLT3" diff --git a/testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..556f76c74 --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/ipsec.secrets index 48fd260c1..4a77c3b97 100644 --- a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/ipsec.secrets +++ b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/ipsec.secrets @@ -2,4 +2,4 @@ : RSA carolKey.pem "nH5ZQEWtku0RJEZ6" -: XAUTH carol "4iChxLT3" +carol@strongswan.org : XAUTH "4iChxLT3" diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..556f76c74 --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/ipsec.secrets index 14f088501..1c0248b84 100644 --- a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/ipsec.secrets +++ b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/ipsec.secrets @@ -2,4 +2,4 @@ : RSA daveKey.pem -: XAUTH dave "ryftzG4A" +dave@strongswan.org : XAUTH "ryftzG4A" diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..556f76c74 --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/ipsec.secrets index 8d41919fc..1ba66971a 100644 --- a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/ipsec.secrets +++ b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/ipsec.secrets @@ -2,6 +2,6 @@ : RSA moonKey.pem -: XAUTH carol "4iChxLT3" +carol@strongswan.org : XAUTH "4iChxLT3" -: XAUTH dave "ryftzG4A" +dave@strongswan.org : XAUTH "ryftzG4A" diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..556f76c74 --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/ipsec.conf index 47bf1dafc..1e21fbb97 100755 --- a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/ipsec.conf @@ -1,7 +1,7 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug=control + plutodebug="control controlmore" crlcheckinterval=180 strictcrlpolicy=no charonstart=no diff --git a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..556f76c74 --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/ipsec.conf index f79a81a6f..94cc6819d 100755 --- a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/ipsec.conf @@ -1,7 +1,7 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug=control + plutodebug="control controlmore" crlcheckinterval=180 strictcrlpolicy=no charonstart=no diff --git a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/ipsec.secrets index a18e885f8..2586f5f39 100644 --- a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/ipsec.secrets +++ b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/ipsec.secrets @@ -2,4 +2,4 @@ : RSA moonKey.pem -: XAUTH carol "4iChxLT3" +carol@strongswan.org : XAUTH "4iChxLT3" diff --git a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..556f76c74 --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/xauth-rsa/description.txt b/testing/tests/ikev1/xauth-rsa/description.txt index 0cdaba1c5..a9b76b618 100644 --- a/testing/tests/ikev1/xauth-rsa/description.txt +++ b/testing/tests/ikev1/xauth-rsa/description.txt @@ -1,7 +1,9 @@ The roadwarriors <b>carol</b> and <b>dave</b> set up a connection to gateway <b>moon</b>. The authentication is based on RSA signatures (<b>RSASIG</b>) using X.509 certificates followed by extended authentication (<b>XAUTH</b>) of <b>carol</b> and <b>dave</b> -based on user names and passwords. +based on user names equal to the <b>IKEv1 identity</b> (<b>carol@strongswan.org</b> and +<b>dave@strongswan.org</b>, respectively) and corresponding user passwords defined and +stored in ipsec.secrets. <p> Upon the successful establishment of the IPsec tunnel, leftfirewall=yes automatically inserts iptables-based firewall rules that let pass the tunneled traffic. diff --git a/testing/tests/ikev1/xauth-rsa/evaltest.dat b/testing/tests/ikev1/xauth-rsa/evaltest.dat index e1dc6b5b0..786043065 100644 --- a/testing/tests/ikev1/xauth-rsa/evaltest.dat +++ b/testing/tests/ikev1/xauth-rsa/evaltest.dat @@ -1,5 +1,7 @@ carol::cat /var/log/auth.log::extended authentication was successful::YES dave::cat /var/log/auth.log::extended authentication was successful::YES +moon::cat /var/log/auth.log::xauth user name is .*carol@strongswan.org::YES +moon::cat /var/log/auth.log::xauth user name is .*dave@strongswan.org::YES moon::cat /var/log/auth.log::extended authentication was successful::YES carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES diff --git a/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/ipsec.secrets index 48fd260c1..4a77c3b97 100644 --- a/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/ipsec.secrets +++ b/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/ipsec.secrets @@ -2,4 +2,4 @@ : RSA carolKey.pem "nH5ZQEWtku0RJEZ6" -: XAUTH carol "4iChxLT3" +carol@strongswan.org : XAUTH "4iChxLT3" diff --git a/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..556f76c74 --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/ipsec.secrets index 14f088501..1c0248b84 100644 --- a/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/ipsec.secrets +++ b/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/ipsec.secrets @@ -2,4 +2,4 @@ : RSA daveKey.pem -: XAUTH dave "ryftzG4A" +dave@strongswan.org : XAUTH "ryftzG4A" diff --git a/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..556f76c74 --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/ipsec.conf index ffbb13ec5..f79a81a6f 100644 --- a/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/ipsec.conf @@ -1,7 +1,7 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug="control" + plutodebug=control crlcheckinterval=180 strictcrlpolicy=no charonstart=no diff --git a/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/ipsec.secrets index 8d41919fc..1ba66971a 100644 --- a/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/ipsec.secrets +++ b/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/ipsec.secrets @@ -2,6 +2,6 @@ : RSA moonKey.pem -: XAUTH carol "4iChxLT3" +carol@strongswan.org : XAUTH "4iChxLT3" -: XAUTH dave "ryftzG4A" +dave@strongswan.org : XAUTH "ryftzG4A" diff --git a/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..556f76c74 --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev2/after-2038-certs/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/after-2038-certs/hosts/carol/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/after-2038-certs/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/after-2038-certs/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/after-2038-certs/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/after-2038-certs/hosts/moon/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/after-2038-certs/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/after-2038-certs/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/alg-3des-md5/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-3des-md5/hosts/carol/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/alg-3des-md5/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/alg-3des-md5/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/alg-3des-md5/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-3des-md5/hosts/moon/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/alg-3des-md5/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/alg-3des-md5/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf index 336227af7..fed4f5ece 100644 --- a/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf @@ -2,5 +2,5 @@ charon { dh_exponent_ansi_x9_42 = no - load = aes des blowfish md5 sha1 sha2 pem pkcs1 gmp curl random x509 hmac stroke kernel-netlink socket-default updown + load = aes des blowfish md5 sha1 sha2 pem pkcs1 gmp curl random x509 revocation hmac stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf index 336227af7..fed4f5ece 100644 --- a/testing/tests/ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf @@ -2,5 +2,5 @@ charon { dh_exponent_ansi_x9_42 = no - load = aes des blowfish md5 sha1 sha2 pem pkcs1 gmp curl random x509 hmac stroke kernel-netlink socket-default updown + load = aes des blowfish md5 sha1 sha2 pem pkcs1 gmp curl random x509 revocation hmac stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf index 336227af7..fed4f5ece 100644 --- a/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf @@ -2,5 +2,5 @@ charon { dh_exponent_ansi_x9_42 = no - load = aes des blowfish md5 sha1 sha2 pem pkcs1 gmp curl random x509 hmac stroke kernel-netlink socket-default updown + load = aes des blowfish md5 sha1 sha2 pem pkcs1 gmp curl random x509 revocation hmac stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/alg-modp-subgroup/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-modp-subgroup/hosts/carol/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/alg-modp-subgroup/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/alg-modp-subgroup/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/alg-modp-subgroup/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/alg-modp-subgroup/hosts/dave/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/alg-modp-subgroup/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/alg-modp-subgroup/hosts/dave/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/alg-modp-subgroup/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-modp-subgroup/hosts/moon/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/alg-modp-subgroup/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/alg-modp-subgroup/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/alg-sha256-96/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-sha256-96/hosts/carol/etc/strongswan.conf index 06304115b..53061a59b 100644 --- a/testing/tests/ikev2/alg-sha256-96/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/alg-sha256-96/hosts/carol/etc/strongswan.conf @@ -1,6 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown send_vendor_id = yes } diff --git a/testing/tests/ikev2/alg-sha256-96/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-sha256-96/hosts/moon/etc/strongswan.conf index 06304115b..53061a59b 100644 --- a/testing/tests/ikev2/alg-sha256-96/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/alg-sha256-96/hosts/moon/etc/strongswan.conf @@ -1,6 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown send_vendor_id = yes } diff --git a/testing/tests/ikev2/alg-sha256/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-sha256/hosts/carol/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/alg-sha256/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/alg-sha256/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/alg-sha256/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-sha256/hosts/moon/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/alg-sha256/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/alg-sha256/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/alg-sha384/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-sha384/hosts/carol/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/alg-sha384/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/alg-sha384/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/alg-sha384/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-sha384/hosts/moon/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/alg-sha384/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/alg-sha384/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/alg-sha512/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-sha512/hosts/carol/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/alg-sha512/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/alg-sha512/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/alg-sha512/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-sha512/hosts/moon/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/alg-sha512/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/alg-sha512/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/any-interface/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/any-interface/hosts/alice/etc/strongswan.conf index 3fbdad4f9..cb1485446 100644 --- a/testing/tests/ikev2/any-interface/hosts/alice/etc/strongswan.conf +++ b/testing/tests/ikev2/any-interface/hosts/alice/etc/strongswan.conf @@ -1,6 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default multiple_authentication = no } diff --git a/testing/tests/ikev2/any-interface/hosts/bob/etc/strongswan.conf b/testing/tests/ikev2/any-interface/hosts/bob/etc/strongswan.conf index 3fbdad4f9..cb1485446 100644 --- a/testing/tests/ikev2/any-interface/hosts/bob/etc/strongswan.conf +++ b/testing/tests/ikev2/any-interface/hosts/bob/etc/strongswan.conf @@ -1,6 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default multiple_authentication = no } diff --git a/testing/tests/ikev2/any-interface/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/any-interface/hosts/moon/etc/strongswan.conf index 3fbdad4f9..cb1485446 100644 --- a/testing/tests/ikev2/any-interface/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/any-interface/hosts/moon/etc/strongswan.conf @@ -1,6 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default multiple_authentication = no } diff --git a/testing/tests/ikev2/any-interface/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/any-interface/hosts/sun/etc/strongswan.conf index 3fbdad4f9..cb1485446 100644 --- a/testing/tests/ikev2/any-interface/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/any-interface/hosts/sun/etc/strongswan.conf @@ -1,6 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default multiple_authentication = no } diff --git a/testing/tests/ikev2/compress/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/compress/hosts/carol/etc/strongswan.conf index dd2df0670..88f162098 100644 --- a/testing/tests/ikev2/compress/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/compress/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/compress/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/compress/hosts/moon/etc/strongswan.conf index dd2df0670..88f162098 100644 --- a/testing/tests/ikev2/compress/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/compress/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/config-payload-swapped/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/config-payload-swapped/hosts/carol/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/config-payload-swapped/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/config-payload-swapped/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/config-payload-swapped/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/config-payload-swapped/hosts/dave/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/config-payload-swapped/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/config-payload-swapped/hosts/dave/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/config-payload/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/config-payload/hosts/carol/etc/strongswan.conf index 5af37dc90..cb5f6406b 100644 --- a/testing/tests/ikev2/config-payload/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/config-payload/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown resolve + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve } diff --git a/testing/tests/ikev2/config-payload/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/config-payload/hosts/dave/etc/strongswan.conf index 5af37dc90..cb5f6406b 100644 --- a/testing/tests/ikev2/config-payload/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/config-payload/hosts/dave/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown resolve + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve } diff --git a/testing/tests/ikev2/config-payload/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/config-payload/hosts/moon/etc/strongswan.conf index 223ed67a3..f763e3ef1 100644 --- a/testing/tests/ikev2/config-payload/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/config-payload/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown attr + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown attr dns1 = PH_IP_WINNETOU dns2 = PH_IP_VENUS } diff --git a/testing/tests/ikev2/crl-from-cache/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/crl-from-cache/hosts/carol/etc/strongswan.conf index dd2df0670..88f162098 100644 --- a/testing/tests/ikev2/crl-from-cache/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/crl-from-cache/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/strongswan.conf index dd2df0670..88f162098 100644 --- a/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/crl-ldap/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/crl-ldap/hosts/carol/etc/strongswan.conf index bb4af2c75..cccd6ae27 100644 --- a/testing/tests/ikev2/crl-ldap/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/crl-ldap/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = ldap aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = ldap aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/crl-ldap/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/crl-ldap/hosts/moon/etc/strongswan.conf index bb4af2c75..cccd6ae27 100644 --- a/testing/tests/ikev2/crl-ldap/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/crl-ldap/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = ldap aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = ldap aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/crl-revoked/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/crl-revoked/hosts/carol/etc/strongswan.conf index dd2df0670..88f162098 100644 --- a/testing/tests/ikev2/crl-revoked/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/crl-revoked/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/crl-revoked/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/crl-revoked/hosts/moon/etc/strongswan.conf index dd2df0670..88f162098 100644 --- a/testing/tests/ikev2/crl-revoked/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/crl-revoked/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/crl-to-cache/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/crl-to-cache/hosts/carol/etc/strongswan.conf index dd2df0670..88f162098 100644 --- a/testing/tests/ikev2/crl-to-cache/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/crl-to-cache/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/strongswan.conf index dd2df0670..88f162098 100644 --- a/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/default-keys/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/default-keys/hosts/carol/etc/strongswan.conf index 4890be7cc..eabe265ca 100644 --- a/testing/tests/ikev2/default-keys/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/default-keys/hosts/carol/etc/strongswan.conf @@ -1,9 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } scepclient { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random } diff --git a/testing/tests/ikev2/default-keys/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/default-keys/hosts/moon/etc/strongswan.conf index 4890be7cc..eabe265ca 100644 --- a/testing/tests/ikev2/default-keys/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/default-keys/hosts/moon/etc/strongswan.conf @@ -1,9 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } scepclient { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random } diff --git a/testing/tests/ikev2/dhcp-dynamic/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/dhcp-dynamic/hosts/carol/etc/strongswan.conf index 5af37dc90..cb5f6406b 100644 --- a/testing/tests/ikev2/dhcp-dynamic/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/dhcp-dynamic/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown resolve + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve } diff --git a/testing/tests/ikev2/dhcp-dynamic/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/dhcp-dynamic/hosts/dave/etc/strongswan.conf index 5af37dc90..cb5f6406b 100644 --- a/testing/tests/ikev2/dhcp-dynamic/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/dhcp-dynamic/hosts/dave/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown resolve + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve } diff --git a/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/strongswan.conf index 146c81f48..317e4ddc0 100644 --- a/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown attr farp dhcp + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown attr farp dhcp plugins { dhcp { server = 10.1.255.255 diff --git a/testing/tests/ikev2/dhcp-static-client-id/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/dhcp-static-client-id/hosts/carol/etc/strongswan.conf index 5af37dc90..cb5f6406b 100644 --- a/testing/tests/ikev2/dhcp-static-client-id/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/dhcp-static-client-id/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown resolve + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve } diff --git a/testing/tests/ikev2/dhcp-static-client-id/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/dhcp-static-client-id/hosts/dave/etc/strongswan.conf index 5af37dc90..cb5f6406b 100644 --- a/testing/tests/ikev2/dhcp-static-client-id/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/dhcp-static-client-id/hosts/dave/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown resolve + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve } diff --git a/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/strongswan.conf index 146c81f48..317e4ddc0 100644 --- a/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown attr farp dhcp + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown attr farp dhcp plugins { dhcp { server = 10.1.255.255 diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/dhcp-static-mac/hosts/carol/etc/strongswan.conf index 5af37dc90..cb5f6406b 100644 --- a/testing/tests/ikev2/dhcp-static-mac/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/dhcp-static-mac/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown resolve + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve } diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/dhcp-static-mac/hosts/dave/etc/strongswan.conf index 5af37dc90..cb5f6406b 100644 --- a/testing/tests/ikev2/dhcp-static-mac/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/dhcp-static-mac/hosts/dave/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown resolve + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve } diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/strongswan.conf index 40c3c2418..ecfc51d44 100644 --- a/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown attr farp dhcp + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown attr farp dhcp plugins { dhcp { server = 10.1.255.255 diff --git a/testing/tests/ikev2/double-nat-net/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/double-nat-net/hosts/alice/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/double-nat-net/hosts/alice/etc/strongswan.conf +++ b/testing/tests/ikev2/double-nat-net/hosts/alice/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/double-nat-net/hosts/bob/etc/strongswan.conf b/testing/tests/ikev2/double-nat-net/hosts/bob/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/double-nat-net/hosts/bob/etc/strongswan.conf +++ b/testing/tests/ikev2/double-nat-net/hosts/bob/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/double-nat/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/double-nat/hosts/alice/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/double-nat/hosts/alice/etc/strongswan.conf +++ b/testing/tests/ikev2/double-nat/hosts/alice/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/double-nat/hosts/bob/etc/strongswan.conf b/testing/tests/ikev2/double-nat/hosts/bob/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/double-nat/hosts/bob/etc/strongswan.conf +++ b/testing/tests/ikev2/double-nat/hosts/bob/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/dpd-clear/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/dpd-clear/hosts/carol/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/dpd-clear/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/dpd-clear/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/dpd-clear/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/dpd-clear/hosts/moon/etc/strongswan.conf index dd2df0670..88f162098 100644 --- a/testing/tests/ikev2/dpd-clear/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/dpd-clear/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/dpd-hold/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/dpd-hold/hosts/carol/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/dpd-hold/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/dpd-hold/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/dpd-hold/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/dpd-hold/hosts/moon/etc/strongswan.conf index dd2df0670..88f162098 100644 --- a/testing/tests/ikev2/dpd-hold/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/dpd-hold/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/dpd-restart/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/dpd-restart/hosts/carol/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/dpd-restart/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/dpd-restart/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/dpd-restart/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/dpd-restart/hosts/moon/etc/strongswan.conf index dd2df0670..88f162098 100644 --- a/testing/tests/ikev2/dpd-restart/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/dpd-restart/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/esp-alg-aes-ccm/evaltest.dat b/testing/tests/ikev2/esp-alg-aes-ccm/evaltest.dat index 86ef872c0..f7959d129 100644 --- a/testing/tests/ikev2/esp-alg-aes-ccm/evaltest.dat +++ b/testing/tests/ikev2/esp-alg-aes-ccm/evaltest.dat @@ -3,5 +3,7 @@ carol::ipsec statusall::home.*INSTALLED::YES carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES moon::ipsec statusall::AES_CCM_12_128::YES carol::ipsec statusall::AES_CCM_12_128::YES +carol::ip xfrm state::aead rfc4309(ccm(aes))::YES +moon::ip xfrm state::aead rfc4309(ccm(aes))::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 180::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 180::YES diff --git a/testing/tests/ikev2/esp-alg-aes-ccm/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-aes-ccm/hosts/carol/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/esp-alg-aes-ccm/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/esp-alg-aes-ccm/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/esp-alg-aes-ccm/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-aes-ccm/hosts/moon/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/esp-alg-aes-ccm/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/esp-alg-aes-ccm/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/esp-alg-aes-ctr/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-aes-ctr/hosts/carol/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/esp-alg-aes-ctr/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/esp-alg-aes-ctr/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/esp-alg-aes-ctr/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-aes-ctr/hosts/moon/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/esp-alg-aes-ctr/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/esp-alg-aes-ctr/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/esp-alg-aes-gcm/evaltest.dat b/testing/tests/ikev2/esp-alg-aes-gcm/evaltest.dat index 9805c654c..7434cc156 100644 --- a/testing/tests/ikev2/esp-alg-aes-gcm/evaltest.dat +++ b/testing/tests/ikev2/esp-alg-aes-gcm/evaltest.dat @@ -3,5 +3,7 @@ carol::ipsec statusall::home.*INSTALLED::YES carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES moon::ipsec statusall::AES_GCM_16_256::YES carol::ipsec statusall::AES_GCM_16_256::YES +carol::ip xfrm state::aead rfc4106(gcm(aes))::YES +moon::ip xfrm state::aead rfc4106(gcm(aes))::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 184::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 184::YES diff --git a/testing/tests/ikev2/esp-alg-aes-gcm/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-aes-gcm/hosts/carol/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/esp-alg-aes-gcm/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/esp-alg-aes-gcm/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/esp-alg-aes-gcm/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-aes-gcm/hosts/moon/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/esp-alg-aes-gcm/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/esp-alg-aes-gcm/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/esp-alg-aes-gmac/evaltest.dat b/testing/tests/ikev2/esp-alg-aes-gmac/evaltest.dat index 534f6d452..9377d9fd2 100644 --- a/testing/tests/ikev2/esp-alg-aes-gmac/evaltest.dat +++ b/testing/tests/ikev2/esp-alg-aes-gmac/evaltest.dat @@ -3,5 +3,7 @@ carol::ipsec statusall::home.*INSTALLED::YES carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES moon::ipsec statusall::NULL_AES_GMAC_256::YES carol::ipsec statusall::NULL_AES_GMAC_256::YES +carol::ip xfrm state::aead rfc4543(gcm(aes))::YES +moon::ip xfrm state::aead rfc4543(gcm(aes))::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 184::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 184::YES diff --git a/testing/tests/ikev2/esp-alg-aes-gmac/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-aes-gmac/hosts/carol/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/esp-alg-aes-gmac/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/esp-alg-aes-gmac/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/esp-alg-aes-gmac/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-aes-gmac/hosts/moon/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/esp-alg-aes-gmac/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/esp-alg-aes-gmac/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/esp-alg-null/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-null/hosts/carol/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/esp-alg-null/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/esp-alg-null/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/esp-alg-null/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-null/hosts/moon/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/esp-alg-null/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/esp-alg-null/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/farp/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/farp/hosts/carol/etc/strongswan.conf index 5af37dc90..cb5f6406b 100644 --- a/testing/tests/ikev2/farp/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/farp/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown resolve + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve } diff --git a/testing/tests/ikev2/farp/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/farp/hosts/dave/etc/strongswan.conf index 5af37dc90..cb5f6406b 100644 --- a/testing/tests/ikev2/farp/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/farp/hosts/dave/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown resolve + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve } diff --git a/testing/tests/ikev2/farp/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/farp/hosts/moon/etc/strongswan.conf index 4585d928a..379edeefc 100644 --- a/testing/tests/ikev2/farp/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/farp/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown attr farp + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown attr farp dns1 = PH_IP_WINNETOU dns2 = PH_IP_VENUS } diff --git a/testing/tests/ikev2/force-udp-encaps/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/force-udp-encaps/hosts/alice/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/force-udp-encaps/hosts/alice/etc/strongswan.conf +++ b/testing/tests/ikev2/force-udp-encaps/hosts/alice/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/host2host-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/host2host-cert/hosts/moon/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/host2host-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/host2host-cert/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/host2host-cert/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/host2host-cert/hosts/sun/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/host2host-cert/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/host2host-cert/hosts/sun/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/host2host-swapped/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/host2host-swapped/hosts/moon/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/host2host-swapped/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/host2host-swapped/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/host2host-swapped/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/host2host-swapped/hosts/sun/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/host2host-swapped/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/host2host-swapped/hosts/sun/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/host2host-transport/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/host2host-transport/hosts/moon/etc/strongswan.conf index 291f08db1..cb17a9e07 100644 --- a/testing/tests/ikev2/host2host-transport/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/host2host-transport/hosts/moon/etc/strongswan.conf @@ -1,6 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown multiple_authentication = no } diff --git a/testing/tests/ikev2/host2host-transport/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/host2host-transport/hosts/sun/etc/strongswan.conf index 291f08db1..cb17a9e07 100644 --- a/testing/tests/ikev2/host2host-transport/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/host2host-transport/hosts/sun/etc/strongswan.conf @@ -1,6 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown multiple_authentication = no } diff --git a/testing/tests/ikev2/inactivity-timeout/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/inactivity-timeout/hosts/carol/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/inactivity-timeout/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/inactivity-timeout/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/inactivity-timeout/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/inactivity-timeout/hosts/moon/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/inactivity-timeout/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/inactivity-timeout/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/ip-pool-db/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-pool-db/hosts/carol/etc/strongswan.conf index 5af37dc90..cb5f6406b 100644 --- a/testing/tests/ikev2/ip-pool-db/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/ip-pool-db/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown resolve + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve } diff --git a/testing/tests/ikev2/ip-pool-db/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ip-pool-db/hosts/dave/etc/strongswan.conf index 5af37dc90..cb5f6406b 100644 --- a/testing/tests/ikev2/ip-pool-db/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/ip-pool-db/hosts/dave/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown resolve + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve } diff --git a/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/strongswan.conf index 626bec3ed..e907021ce 100644 --- a/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default sqlite attr-sql updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default sqlite attr-sql updown } libhydra { diff --git a/testing/tests/ikev2/ip-pool-db/pretest.dat b/testing/tests/ikev2/ip-pool-db/pretest.dat index 332280acd..4a2add194 100644 --- a/testing/tests/ikev2/ip-pool-db/pretest.dat +++ b/testing/tests/ikev2/ip-pool-db/pretest.dat @@ -1,9 +1,9 @@ moon::cat /etc/ipsec.d/tables.sql > /etc/ipsec.d/ipsec.sql moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db moon::ipsec pool --add bigpool --start 10.3.0.1 --end 10.3.3.232 --timeout 0 2> /dev/null -moon::ipsec pool --add dns --server PH_IP_WINNETOU 2> /dev/null -moon::ipsec pool --add dns --server PH_IP_VENUS 2> /dev/null -moon::ipsec pool --add nbns --server PH_IP_VENUS 2> /dev/null +moon::ipsec pool --addattr dns --server PH_IP_WINNETOU 2> /dev/null +moon::ipsec pool --addattr dns --server PH_IP_VENUS 2> /dev/null +moon::ipsec pool --addattr nbns --server PH_IP_VENUS 2> /dev/null moon::/etc/init.d/iptables start 2> /dev/null carol::/etc/init.d/iptables start 2> /dev/null dave::/etc/init.d/iptables start 2> /dev/null diff --git a/testing/tests/ikev2/ip-pool-wish/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-pool-wish/hosts/carol/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/ip-pool-wish/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/ip-pool-wish/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/ip-pool-wish/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ip-pool-wish/hosts/dave/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/ip-pool-wish/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/ip-pool-wish/hosts/dave/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/ip-pool-wish/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-pool-wish/hosts/moon/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/ip-pool-wish/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/ip-pool-wish/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/ip-pool/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-pool/hosts/carol/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/ip-pool/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/ip-pool/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/ip-pool/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ip-pool/hosts/dave/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/ip-pool/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/ip-pool/hosts/dave/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/ip-pool/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-pool/hosts/moon/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/ip-pool/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/ip-pool/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/ip-split-pools-db/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-split-pools-db/hosts/carol/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/ip-split-pools-db/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/ip-split-pools-db/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/ip-split-pools-db/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ip-split-pools-db/hosts/dave/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/ip-split-pools-db/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/ip-split-pools-db/hosts/dave/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/strongswan.conf index 626bec3ed..e907021ce 100644 --- a/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default sqlite attr-sql updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default sqlite attr-sql updown } libhydra { diff --git a/testing/tests/ikev2/ip-two-pools-db/evaltest.dat b/testing/tests/ikev2/ip-two-pools-db/evaltest.dat index c2bd87c58..ba2b07a10 100644 --- a/testing/tests/ikev2/ip-two-pools-db/evaltest.dat +++ b/testing/tests/ikev2/ip-two-pools-db/evaltest.dat @@ -16,6 +16,10 @@ carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES dave::cat /var/log/daemon.log::installing new virtual IP 10.3.0.2::YES alice::cat /var/log/daemon.log::installing new virtual IP 10.4.0.1::YES venus::cat /var/log/daemon.log::installing new virtual IP 10.4.0.2::YES +carol::cat /var/log/daemon.log::installing DNS server PH_IP_WINNETOU to /etc/resolv.conf::YES +dave::cat /var/log/daemon.log::installing DNS server PH_IP_WINNETOU to /etc/resolv.conf::YES +alice::cat /var/log/daemon.log::installing DNS server PH_IP_ALICE to /etc/resolv.conf::YES +venus::cat /var/log/daemon.log::installing DNS server PH_IP_VENUS to /etc/resolv.conf::YES alice::ping -c 1 PH_IP_CAROL1::64 bytes from PH_IP_CAROL1: icmp_seq=1::YES dave::ping -c 1 PH_IP_CAROL1::64 bytes from PH_IP_CAROL1: icmp_seq=1::YES alice::ping -c 1 10.4.0.2::64 bytes from 10.4.0.2: icmp_seq=1::YES diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/strongswan.conf index de9ae45cc..cb5f6406b 100644 --- a/testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/strongswan.conf +++ b/testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve } diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/carol/etc/strongswan.conf index de9ae45cc..cb5f6406b 100644 --- a/testing/tests/ikev2/ip-two-pools-db/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/ip-two-pools-db/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve } diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/dave/etc/strongswan.conf index de9ae45cc..cb5f6406b 100644 --- a/testing/tests/ikev2/ip-two-pools-db/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/ip-two-pools-db/hosts/dave/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve } diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/strongswan.conf index 70d66b20b..e44a3e251 100644 --- a/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke sqlite attr-sql kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke sqlite attr-sql kernel-netlink socket-default updown } libhydra { diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/strongswan.conf index de9ae45cc..cb5f6406b 100644 --- a/testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/strongswan.conf +++ b/testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve } diff --git a/testing/tests/ikev2/ip-two-pools-db/posttest.dat b/testing/tests/ikev2/ip-two-pools-db/posttest.dat index 17901fa15..83052889c 100644 --- a/testing/tests/ikev2/ip-two-pools-db/posttest.dat +++ b/testing/tests/ikev2/ip-two-pools-db/posttest.dat @@ -13,4 +13,7 @@ moon::ip route del 10.4.0.0/16 via PH_IP_MOON1 moon::conntrack -F moon::ipsec pool --del extpool 2> /dev/null moon::ipsec pool --del intpool 2> /dev/null +moon::ipsec pool --delattr dns --server PH_IP_VENUS --pool intpool --identity venus.strongswan.org 2> /dev/null +moon::ipsec pool --delattr dns --server PH_IP_ALICE --pool intpool --identity alice@strongswan.org 2> /dev/null +moon::ipsec pool --delattr dns --server PH_IP_WINNETOU --pool extpool 2> /dev/null moon::rm /etc/ipsec.d/ipsec.* diff --git a/testing/tests/ikev2/ip-two-pools-db/pretest.dat b/testing/tests/ikev2/ip-two-pools-db/pretest.dat index fa7c122d9..e4eb8b0b9 100644 --- a/testing/tests/ikev2/ip-two-pools-db/pretest.dat +++ b/testing/tests/ikev2/ip-two-pools-db/pretest.dat @@ -2,6 +2,10 @@ moon::cat /etc/ipsec.d/tables.sql > /etc/ipsec.d/ipsec.sql moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db moon::ipsec pool --add extpool --start 10.3.0.1 --end 10.3.1.244 --timeout 48 2> /dev/null moon::ipsec pool --add intpool --start 10.4.0.1 --end 10.4.1.244 --timeout 0 2> /dev/null +moon::ipsec pool --addattr dns --server PH_IP_VENUS --pool intpool --identity venus.strongswan.org 2> /dev/null +moon::ipsec pool --addattr dns --server PH_IP_ALICE --pool intpool --identity alice@strongswan.org 2> /dev/null +moon::ipsec pool --addattr dns --server PH_IP_WINNETOU --pool extpool 2> /dev/null +moon::ipsec pool --statusattr 2> /dev/null moon::ip route add 10.3.0.0/16 via PH_IP_MOON moon::ip route add 10.4.0.0/16 via PH_IP_MOON1 alice::/etc/init.d/iptables start 2> /dev/null diff --git a/testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/strongswan.conf +++ b/testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/ip-two-pools-mixed/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-mixed/hosts/carol/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/ip-two-pools-mixed/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/ip-two-pools-mixed/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf index 70d66b20b..e44a3e251 100644 --- a/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke sqlite attr-sql kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke sqlite attr-sql kernel-netlink socket-default updown } libhydra { diff --git a/testing/tests/ikev2/ip-two-pools/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools/hosts/alice/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/ip-two-pools/hosts/alice/etc/strongswan.conf +++ b/testing/tests/ikev2/ip-two-pools/hosts/alice/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/ip-two-pools/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools/hosts/carol/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/ip-two-pools/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/ip-two-pools/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/mobike-nat/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/mobike-nat/hosts/alice/etc/strongswan.conf index dd2df0670..88f162098 100644 --- a/testing/tests/ikev2/mobike-nat/hosts/alice/etc/strongswan.conf +++ b/testing/tests/ikev2/mobike-nat/hosts/alice/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/mobike-nat/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/mobike-nat/hosts/sun/etc/strongswan.conf index dd2df0670..88f162098 100644 --- a/testing/tests/ikev2/mobike-nat/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/mobike-nat/hosts/sun/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/strongswan.conf index dd2df0670..88f162098 100644 --- a/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/strongswan.conf +++ b/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/strongswan.conf index dd2df0670..88f162098 100644 --- a/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/mobike/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/mobike/hosts/alice/etc/strongswan.conf index dd2df0670..88f162098 100644 --- a/testing/tests/ikev2/mobike/hosts/alice/etc/strongswan.conf +++ b/testing/tests/ikev2/mobike/hosts/alice/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/mobike/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/mobike/hosts/sun/etc/strongswan.conf index dd2df0670..88f162098 100644 --- a/testing/tests/ikev2/mobike/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/mobike/hosts/sun/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/strongswan.conf index 2435403a4..7b4ab49e4 100644 --- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file eap-identity updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file eap-identity updown } diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/strongswan.conf index 2435403a4..7b4ab49e4 100644 --- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file eap-identity updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file eap-identity updown } diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/strongswan.conf index f0e7da85e..2a18af887 100644 --- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius eap-identity updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius eap-identity updown plugins { eap-radius { secret = gv6URkSs diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/strongswan.conf index dd2df0670..88f162098 100644 --- a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/strongswan.conf index dd2df0670..88f162098 100644 --- a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/moon/etc/strongswan.conf index dd2df0670..88f162098 100644 --- a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/strongswan.conf index dd2df0670..88f162098 100644 --- a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/strongswan.conf index dd2df0670..88f162098 100644 --- a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/moon/etc/strongswan.conf index dd2df0670..88f162098 100644 --- a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf index 908f85ac5..bbe0d3aa7 100644 --- a/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = ldap aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = ldap aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf index 908f85ac5..bbe0d3aa7 100644 --- a/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = ldap aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = ldap aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf index bb4af2c75..cccd6ae27 100644 --- a/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = ldap aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = ldap aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/strongswan.conf index dd2df0670..88f162098 100644 --- a/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/research_by_salesCert.pem b/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/research_by_salesCert.pem index efb939e3a..37ef9c665 100644 --- a/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/research_by_salesCert.pem +++ b/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/research_by_salesCert.pem @@ -1,7 +1,7 @@ -----BEGIN CERTIFICATE----- -MIID/TCCAuWgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBLMQswCQYDVQQGEwJDSDEZ +MIID/TCCAuWgAwIBAgIBBjANBgkqhkiG9w0BAQsFADBLMQswCQYDVQQGEwJDSDEZ MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEOMAwGA1UECxMFU2FsZXMxETAPBgNV -BAMTCFNhbGVzIENBMB4XDTA1MDYxNjE5NTUzNloXDTEwMDYxNTE5NTUzNlowUTEL +BAMTCFNhbGVzIENBMB4XDTEwMDcwMzE1MjgyOVoXDTE1MDcwMjE1MjgyOVowUTEL MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsT CFJlc2VhcmNoMRQwEgYDVQQDEwtSZXNlYXJjaCBDQTCCASIwDQYJKoZIhvcNAQEB BQADggEPADCCAQoCggEBALY5sjqm4AdbWKc/T7JahWpy9xtdPbHngBN6lbnpYaHf @@ -13,12 +13,12 @@ m+0iNKy0C+25IuE8Nq+i3jtBiI8BwBqHY3u2IuflUh9Nc9d/R6vGsRPMHs30X1Ha HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU53XwoPKtIM3NYCPM x8gPKfPdVCAwbQYDVR0jBGYwZIAUX5sTRvkgcsgA1Yi1p0wul+oLkyihSaRHMEUx CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQD -ExJzdHJvbmdTd2FuIFJvb3QgQ0GCAQ0wNAYDVR0fBC0wKzApoCegJYYjaHR0cDov -L2NybC5zdHJvbmdzd2FuLm9yZy9zYWxlcy5jcmwwDQYJKoZIhvcNAQEFBQADggEB -AJ2EkXnpgdJpsBIMcH+3oTUks8gAT5bR+LdVQSMHqvjgfaCq5fuZY15niLm5QeFr -Yhv2KtfHfF+tZgE+qWcqS33Y2U/jwUMO45Wqi5HXQDk8AM/gcvQZ8+PINkGdVdup -Wyw3MM08S/fp8UUl/3QrDr+CBGqZCSx3LEIFILm2hvdXK1/okAtkwlKV4YiOEemg -pZURzA2M29FeGDS8snfiVYFBkydT9QrrHnx8IwyVGykfOA4tnjRsjTvcs0qhtLcL -rjK2FSmzBTCVl6/lBOYmB765KUHev6WF4hdMKHf7lsH2nhYb97jxoT54y73jVd1S -uaJ2yDwEhOHn3ihb1bqlanM= +ExJzdHJvbmdTd2FuIFJvb3QgQ0GCASEwNAYDVR0fBC0wKzApoCegJYYjaHR0cDov +L2NybC5zdHJvbmdzd2FuLm9yZy9zYWxlcy5jcmwwDQYJKoZIhvcNAQELBQADggEB +ALRTVUS8bpb3NrwWV/aIE6K9MvtX1kPzMUbZgykwOm4g1jfDmqbPw28X6YZESQ2B +bG1QRh3SUpSoT5vplPcD4OCv3ORKACzGhx4xemd7TpYP8dnptfk66cfFCP+It0t4 +hP45BqlgVZfd5ZAO/ogRQ+2s79Obc5XPq/ShGvConGVOPDuqkWrP/ISIMdBXFHqk +WyW24e/Kzq7pPMG18Ect7NA4gRXSiWx0U33lhWNasPvSKtKgC6dcmRNqjyTHQoFy +02FLgKP1p214ThLkSr9dgHT6e69R7ES9Vin3DUgPuJdlXcax/BWm6gLugqHcXVGF +yuVPkDSgPds6m0KQcEVnuaU= -----END CERTIFICATE----- diff --git a/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/sales_by_researchCert.pem b/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/sales_by_researchCert.pem index 90e207c4b..0a435b90d 100644 --- a/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/sales_by_researchCert.pem +++ b/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/sales_by_researchCert.pem @@ -1,8 +1,8 @@ -----BEGIN CERTIFICATE----- -MIIEADCCAuigAwIBAgIBAjANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJDSDEZ +MIIEADCCAuigAwIBAgIBBzANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS -BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTA1MDYxNjE5NTcxMFoXDTEwMDYxNTE5NTcx -MFowSzELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAM +BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTEwMDcwMzE1MTgzOVoXDTE1MDcwMjE1MTgz +OVowSzELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAM BgNVBAsTBVNhbGVzMREwDwYDVQQDEwhTYWxlcyBDQTCCASIwDQYJKoZIhvcNAQEB BQADggEPADCCAQoCggEBAMJOTSaZjDe5UR+hJbodcE40WBxWm+r0FiD+FLc2c0hH /QcWm1Xfqnc9qaPPGoxO2BfwXgFEHfOdQzHGuthhsvdMPkmWP1Z3uDrwscqrmLyq @@ -13,12 +13,12 @@ gbBRI1A3iqoU3Nq1vPAqzrekOI/RV9Hre9L1r8X1dIECAwEAAaOB6DCB5TAPBgNV HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUX5sTRvkgcsgA1Yi1 p0wul+oLkygwbQYDVR0jBGYwZIAU53XwoPKtIM3NYCPMx8gPKfPdVCChSaRHMEUx CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQD -ExJzdHJvbmdTd2FuIFJvb3QgQ0GCAQwwNwYDVR0fBDAwLjAsoCqgKIYmaHR0cDov -L2NybC5zdHJvbmdzd2FuLm9yZy9yZXNlYXJjaC5jcmwwDQYJKoZIhvcNAQEFBQAD -ggEBAJW0/z17JK38rsn8zh0Ta+9Ql5fcA9UIUGcN/KfCvdGwrYaym8Dy6Pz+sZkO -clOv5t+3R1zKDiiLGQ4m8jYW6NcxeJZyyPhGtKaafanXZsQuMpaTpvkRr62jx/NB -b3c/HS3dqz2dTMvFJ6CC65vOnnGgzF1szhrrWymGI/NuHUge748WYPNw+OsLmBQI -koXJsMURGtPWXtJE98Rre+r/6O5kzZNv7V8LGoBkWf1Z6g1q2VvCcnJPxANcQoxf -Is+E+aqBhGJ6XlnQIlQB1SjoMhOnJ282JK9Hk3NmQYb/zvIzIfo3FCrjj1JI/XoA -/szZoxwnE2iHtIoMAhfHZpRvOkg= +ExJzdHJvbmdTd2FuIFJvb3QgQ0GCASAwNwYDVR0fBDAwLjAsoCqgKIYmaHR0cDov +L2NybC5zdHJvbmdzd2FuLm9yZy9yZXNlYXJjaC5jcmwwDQYJKoZIhvcNAQELBQAD +ggEBADPiBfTbTkHwRdpt4iAY/wx0AKKwnF636+1E+m8dHn1HhTU8FZkiRCsRSRdx +qpzprMga6v7ksV29CIJpTciaD48S2zWNsiQ2vfNB4UenG4wKVG8742CQakCzZk/7 +MrHutk+VDcN3oGcu4gFECPzrZiYPTVv74PCFRfd37SYlXmN0KF0Ivzgu2DNwJNMD +Aa6sHs+/8H/7BbzHxUZkT7zrTuy4M5FGIKllQBxALp/8N/LN4vz0ZbLgbNU7Eo16 +EikbEASUs3Scmna+dFBSfexf0G9oqvHvxjWPiZRw6ZrS5TZkAE1DmdqLWwTNq/Fo +aeDWsllgAdqMA2fL7i9tsFHZVYk= -----END CERTIFICATE----- diff --git a/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/strongswan.conf index dd2df0670..88f162098 100644 --- a/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/strongswan.conf index dd2df0670..88f162098 100644 --- a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/strongswan.conf index dd2df0670..88f162098 100644 --- a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/strongswan.conf index dd2df0670..88f162098 100644 --- a/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/strongswan.conf index dd2df0670..88f162098 100644 --- a/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/strongswan.conf index dd2df0670..88f162098 100644 --- a/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/strongswan.conf index dd2df0670..88f162098 100644 --- a/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/strongswan.conf index dd2df0670..88f162098 100644 --- a/testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/strongswan.conf index dd2df0670..88f162098 100644 --- a/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/strongswan.conf index dd2df0670..88f162098 100644 --- a/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/strongswan.conf index dd2df0670..88f162098 100644 --- a/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/nat-one-rw/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/nat-one-rw/hosts/alice/etc/strongswan.conf index 79348686d..6d9e62e1d 100644 --- a/testing/tests/ikev2/nat-one-rw/hosts/alice/etc/strongswan.conf +++ b/testing/tests/ikev2/nat-one-rw/hosts/alice/etc/strongswan.conf @@ -2,5 +2,5 @@ charon { keep_alive = 1d - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/nat-one-rw/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/nat-one-rw/hosts/sun/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/nat-one-rw/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/nat-one-rw/hosts/sun/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/nat-two-rw-mark/description.txt b/testing/tests/ikev2/nat-two-rw-mark/description.txt new file mode 100644 index 000000000..2a93d11d8 --- /dev/null +++ b/testing/tests/ikev2/nat-two-rw-mark/description.txt @@ -0,0 +1,16 @@ +The roadwarriors <b>alice</b> and <b>venus</b> sitting behind the NAT router <b>moon</b> set up +tunnels to gateway <b>sun</b>. UDP encapsulation is used to traverse the NAT router. +Since both roadwarriors possess the same 10.1.0.0/25 subnet, gateway <b>sun</b> uses Source NAT +after ESP decryption to map these subnets to 10.3.0.10 and 10.3.0.20, respectively. +<p/> +In order to differentiate between the tunnels to <b>alice</b> and <b>venus</b>, respectively, +<b>XFRM marks</b> are defined for both the inbound and outbound IPsec SAs and policies using +the <b>mark</b> parameter in ipsec.conf. +<p/> +<b>iptables -t mangle</b> rules are then used in the PREROUTING chain to mark the traffic to +and from <b>alice</b> and <b>venus</b>, respectively. +<p/> +The script designated by <b>leftupdown=/etc/mark_updown</b> automatically inserts +iptables mangle rules that mark the inbound ESP_IN_UDP packets as well as iptables IPsec-policy rules +that let pass the tunneled traffic. In order to test the tunnel, the NAT-ed hosts <b>alice</b> +and <b>venus</b> ping the client <b>bob</b> behind the gateway <b>sun</b>. diff --git a/testing/tests/ikev2/nat-two-rw-mark/evaltest.dat b/testing/tests/ikev2/nat-two-rw-mark/evaltest.dat new file mode 100644 index 000000000..74ba178d9 --- /dev/null +++ b/testing/tests/ikev2/nat-two-rw-mark/evaltest.dat @@ -0,0 +1,16 @@ +alice::ipsec statusall::nat-t.*INSTALLED::YES +venus::ipsec statusall::nat-t.*INSTALLED::YES +sun::ipsec statusall::alice.*ESTABLISHED.*alice@strongswan.org::YES +sun::ipsec statusall::venus.*ESTABLISHED.*venus.strongswan.org::YES +sun::ipsec statusall::alice.*10.2.0.0/16 === 10.1.0.0/25::YES +sun::ipsec statusall::venus.*10.2.0.0/16 === 10.1.0.0/25::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES +venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES +moon::tcpdump::IP moon.strongswan.org.4510.* > sun.strongswan.org.ipsec-nat-t: UDP::YES +moon::tcpdump::IP moon.strongswan.org.4520.* > sun.strongswan.org.ipsec-nat-t: UDP::YES +moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.4510.*: UDP::YES +moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.4520.*: UDP::YES +bob::tcpdump::10.3.0.10 > bob.strongswan.org: ICMP echo request::YES +bob::tcpdump::10.3.0.20 > bob.strongswan.org: ICMP echo request::YES +bob::tcpdump::bob.strongswan.org > 10.3.0.10: ICMP echo reply::YES +bob::tcpdump::bob.strongswan.org > 10.3.0.20: ICMP echo reply::YES diff --git a/testing/tests/ikev2/nat-two-rw-mark/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/nat-two-rw-mark/hosts/alice/etc/ipsec.conf new file mode 100755 index 000000000..0f7c23845 --- /dev/null +++ b/testing/tests/ikev2/nat-two-rw-mark/hosts/alice/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn nat-t + left=%defaultroute + leftsubnet=10.1.0.0/25 + leftcert=aliceCert.pem + leftid=alice@strongswan.org + leftfirewall=yes + lefthostaccess=yes + right=PH_IP_SUN + rightid=@sun.strongswan.org + rightsubnet=10.2.0.0/16 + auto=add diff --git a/testing/tests/ikev2/nat-two-rw-mark/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/nat-two-rw-mark/hosts/alice/etc/strongswan.conf new file mode 100644 index 000000000..339b56987 --- /dev/null +++ b/testing/tests/ikev2/nat-two-rw-mark/hosts/alice/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ikev2/nat-two-rw-mark/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/nat-two-rw-mark/hosts/sun/etc/ipsec.conf new file mode 100755 index 000000000..ae4644c4b --- /dev/null +++ b/testing/tests/ikev2/nat-two-rw-mark/hosts/sun/etc/ipsec.conf @@ -0,0 +1,35 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + charondebug="knl 2" + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn alice + rightid=alice@strongswan.org + mark=10/0xffffffff + also=sun + auto=add + +conn venus + rightid=@venus.strongswan.org + mark=20 #0xffffffff is used by default + also=sun + auto=add + +conn sun + left=PH_IP_SUN + leftcert=sunCert.pem + leftid=@sun.strongswan.org + leftsubnet=10.2.0.0/16 + leftupdown=/etc/mark_updown + right=%any + rightsubnet=0.0.0.0/0 diff --git a/testing/tests/ikev2/nat-two-rw-mark/hosts/sun/etc/mark_updown b/testing/tests/ikev2/nat-two-rw-mark/hosts/sun/etc/mark_updown new file mode 100755 index 000000000..442233f32 --- /dev/null +++ b/testing/tests/ikev2/nat-two-rw-mark/hosts/sun/etc/mark_updown @@ -0,0 +1,527 @@ +#! /bin/sh +# updown script setting inbound marks on ESP traffic in the mangle chain +# +# Copyright (C) 2003-2004 Nigel Meteringham +# Copyright (C) 2003-2004 Tuomo Soini +# Copyright (C) 2002-2004 Michael Richardson +# Copyright (C) 2005-2010 Andreas Steffen <andreas.steffen@strongswan.org> +# +# This program is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 2 of the License, or (at your +# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +# for more details. + +# CAUTION: Installing a new version of strongSwan will install a new +# copy of this script, wiping out any custom changes you make. If +# you need changes, make a copy of this under another name, and customize +# that, and use the (left/right)updown parameters in ipsec.conf to make +# strongSwan use yours instead of this default one. + +# things that this script gets (from ipsec_pluto(8) man page) +# +# PLUTO_VERSION +# indicates what version of this interface is being +# used. This document describes version 1.1. This +# is upwardly compatible with version 1.0. +# +# PLUTO_VERB +# specifies the name of the operation to be performed +# (prepare-host, prepare-client, up-host, up-client, +# down-host, or down-client). If the address family +# for security gateway to security gateway communica- +# tions is IPv6, then a suffix of -v6 is added to the +# verb. +# +# PLUTO_CONNECTION +# is the name of the connection for which we are +# routing. +# +# PLUTO_NEXT_HOP +# is the next hop to which packets bound for the peer +# must be sent. +# +# PLUTO_INTERFACE +# is the name of the ipsec interface to be used. +# +# PLUTO_REQID +# is the requid of the ESP policy +# +# PLUTO_ME +# is the IP address of our host. +# +# PLUTO_MY_ID +# is the ID of our host. +# +# PLUTO_MY_CLIENT +# is the IP address / count of our client subnet. If +# the client is just the host, this will be the +# host's own IP address / max (where max is 32 for +# IPv4 and 128 for IPv6). +# +# PLUTO_MY_CLIENT_NET +# is the IP address of our client net. If the client +# is just the host, this will be the host's own IP +# address. +# +# PLUTO_MY_CLIENT_MASK +# is the mask for our client net. If the client is +# just the host, this will be 255.255.255.255. +# +# PLUTO_MY_SOURCEIP +# if non-empty, then the source address for the route will be +# set to this IP address. +# +# PLUTO_MY_PROTOCOL +# is the IP protocol that will be transported. +# +# PLUTO_MY_PORT +# is the UDP/TCP port to which the IPsec SA is +# restricted on our side. +# +# PLUTO_PEER +# is the IP address of our peer. +# +# PLUTO_PEER_ID +# is the ID of our peer. +# +# PLUTO_PEER_CA +# is the CA which issued the cert of our peer. +# +# PLUTO_PEER_CLIENT +# is the IP address / count of the peer's client sub- +# net. If the client is just the peer, this will be +# the peer's own IP address / max (where max is 32 +# for IPv4 and 128 for IPv6). +# +# PLUTO_PEER_CLIENT_NET +# is the IP address of the peer's client net. If the +# client is just the peer, this will be the peer's +# own IP address. +# +# PLUTO_PEER_CLIENT_MASK +# is the mask for the peer's client net. If the +# client is just the peer, this will be +# 255.255.255.255. +# +# PLUTO_PEER_PROTOCOL +# is the IP protocol that will be transported. +# +# PLUTO_PEER_PORT +# is the UDP/TCP port to which the IPsec SA is +# restricted on the peer side. +# +# PLUTO_XAUTH_ID +# is an optional user ID employed by the XAUTH protocol +# +# PLUTO_MARK_IN +# is an optional XFRM mark set on the inbound IPsec SA +# +# PLUTO_MARK_OUT +# is an optional XFRM mark set on the outbound IPsec SA +# +# PLUTO_ESP_ENC +# contains the remote UDP port in the case of ESP_IN_UDP +# encapsulation +# + +# define a minimum PATH environment in case it is not set +PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin" +export PATH + +# uncomment to log VPN connections +VPN_LOGGING=1 +# +# tag put in front of each log entry: +TAG=vpn +# +# syslog facility and priority used: +FAC_PRIO=local0.notice +# +# to create a special vpn logging file, put the following line into +# the syslog configuration file /etc/syslog.conf: +# +# local0.notice -/var/log/vpn + +# in order to use source IP routing the Linux kernel options +# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES +# must be enabled +# +# special routing table for sourceip routes +SOURCEIP_ROUTING_TABLE=220 +# +# priority of the sourceip routing table +SOURCEIP_ROUTING_TABLE_PRIO=220 + +# check interface version +case "$PLUTO_VERSION" in +1.[0|1]) # Older Pluto?!? Play it safe, script may be using new features. + echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2 + echo "$0: called by obsolete Pluto?" >&2 + exit 2 + ;; +1.*) ;; +*) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2 + exit 2 + ;; +esac + +# check parameter(s) +case "$1:$*" in +':') # no parameters + ;; +iptables:iptables) # due to (left/right)firewall; for default script only + ;; +custom:*) # custom parameters (see above CAUTION comment) + ;; +*) echo "$0: unknown parameters \`$*'" >&2 + exit 2 + ;; +esac + +# utility functions for route manipulation +# Meddling with this stuff should not be necessary and requires great care. +uproute() { + doroute add + ip route flush cache +} +downroute() { + doroute delete + ip route flush cache +} + +addsource() { + st=0 + if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local + then + it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE" + oops="`eval $it 2>&1`" + st=$? + if test " $oops" = " " -a " $st" != " 0" + then + oops="silent error, exit status $st" + fi + if test " $oops" != " " -o " $st" != " 0" + then + echo "$0: addsource \`$it' failed ($oops)" >&2 + fi + fi + return $st +} + +doroute() { + st=0 + + if [ -z "$PLUTO_MY_SOURCEIP" ] + then + for dir in /etc/sysconfig /etc/conf.d; do + if [ -f "$dir/defaultsource" ] + then + . "$dir/defaultsource" + fi + done + + if [ -n "$DEFAULTSOURCE" ] + then + PLUTO_MY_SOURCEIP=$DEFAULTSOURCE + fi + fi + + if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ] + then + # leave because no route entry is required + return $st + fi + + parms1="$PLUTO_PEER_CLIENT" + + if [ -n "$PLUTO_NEXT_HOP" ] + then + parms2="via $PLUTO_NEXT_HOP" + else + parms2="via $PLUTO_PEER" + fi + parms2="$parms2 dev $PLUTO_INTERFACE" + + parms3= + if [ -n "$PLUTO_MY_SOURCEIP" ] + then + if test "$1" = "add" + then + addsource + if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE" + then + ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE + fi + fi + parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE" + fi + + case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in + "0.0.0.0/0.0.0.0") + # opportunistic encryption work around + # need to provide route that eclipses default, without + # replacing it. + it="ip route $1 0.0.0.0/1 $parms2 $parms3 && + ip route $1 128.0.0.0/1 $parms2 $parms3" + ;; + *) it="ip route $1 $parms1 $parms2 $parms3" + ;; + esac + oops="`eval $it 2>&1`" + st=$? + if test " $oops" = " " -a " $st" != " 0" + then + oops="silent error, exit status $st" + fi + if test " $oops" != " " -o " $st" != " 0" + then + echo "$0: doroute \`$it' failed ($oops)" >&2 + fi + return $st +} + +# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY +if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ] +then + KLIPS=1 + IPSEC_POLICY_IN="" + IPSEC_POLICY_OUT="" +else + KLIPS= + IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID" + IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" + IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" +fi + +# is there an inbound mark to be set? +if [ -n "$PLUTO_MARK_IN" ] +then + if [ -n "$PLUTO_UDP_ENC" ] + then + SET_MARK="-p udp --sport $PLUTO_UDP_ENC" + else + SET_MARK="-p esp" + fi + SET_MARK="$SET_MARK -s $PLUTO_PEER -j MARK --set-mark $PLUTO_MARK_IN" +fi + +# are there port numbers? +if [ "$PLUTO_MY_PORT" != 0 ] +then + S_MY_PORT="--sport $PLUTO_MY_PORT" + D_MY_PORT="--dport $PLUTO_MY_PORT" +fi +if [ "$PLUTO_PEER_PORT" != 0 ] +then + S_PEER_PORT="--sport $PLUTO_PEER_PORT" + D_PEER_PORT="--dport $PLUTO_PEER_PORT" +fi + +# resolve octal escape sequences +PLUTO_MY_ID=`printf "$PLUTO_MY_ID"` +PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"` + +# the big choice +case "$PLUTO_VERB:$1" in +prepare-host:*|prepare-client:*) + if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ] + then + # exit because no route will be added, + # so that existing routes can stay + exit 0 + fi + + # delete possibly-existing route (preliminary to adding a route) + case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in + "0.0.0.0/0.0.0.0") + # need to provide route that eclipses default, without + # replacing it. + parms1="0.0.0.0/1" + parms2="128.0.0.0/1" + it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1" + oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`" + ;; + *) + parms="$PLUTO_PEER_CLIENT" + it="ip route delete $parms 2>&1" + oops="`ip route delete $parms 2>&1`" + ;; + esac + status="$?" + if test " $oops" = " " -a " $status" != " 0" + then + oops="silent error, exit status $status" + fi + case "$oops" in + *'RTNETLINK answers: No such process'*) + # This is what route (currently -- not documented!) gives + # for "could not find such a route". + oops= + status=0 + ;; + esac + if test " $oops" != " " -o " $status" != " 0" + then + echo "$0: \`$it' failed ($oops)" >&2 + fi + exit $status + ;; +route-host:*|route-client:*) + # connection to me or my client subnet being routed + uproute + ;; +unroute-host:*|unroute-client:*) + # connection to me or my client subnet being unrouted + downroute + ;; +up-host:) + # connection to me coming up + # If you are doing a custom version, firewall commands go here. + if [ -n "$PLUTO_MARK_IN" ] + then + iptables -t mangle -A PREROUTING $SET_MARK + fi + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + # + # log IPsec host connection setup + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] + then + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" + else + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" + fi + fi + ;; +down-host:) + # connection to me going down + # If you are doing a custom version, firewall commands go here. + if [ -n "$PLUTO_MARK_IN" ] + then + iptables -t mangle -D PREROUTING $SET_MARK + fi + iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + # + # log IPsec host connection teardown + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] + then + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" + else + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" + fi + fi + ;; +up-client:) + # connection to my client subnet coming up + # If you are doing a custom version, firewall commands go here. + if [ -n "$PLUTO_MARK_IN" ] + then + iptables -t mangle -A PREROUTING $SET_MARK + fi + if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] + then + iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT + iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + fi + # + # a virtual IP requires an INPUT and OUTPUT rule on the host + # or sometimes host access via the internal IP is needed + if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT + fi + # + # log IPsec client connection setup + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] + then + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + else + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + fi + fi + ;; +down-client:) + # connection to my client subnet going down + # If you are doing a custom version, firewall commands go here. + if [ -n "$PLUTO_MARK_IN" ] + then + iptables -t mangle -D PREROUTING $SET_MARK + fi + if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] + then + iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ + $IPSEC_POLICY_OUT -j ACCEPT + iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT \ + $IPSEC_POLICY_IN -j ACCEPT + fi + # + # a virtual IP requires an INPUT and OUTPUT rule on the host + # or sometimes host access via the internal IP is needed + if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT \ + $IPSEC_POLICY_IN -j ACCEPT + iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ + $IPSEC_POLICY_OUT -j ACCEPT + fi + # + # log IPsec client connection teardown + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] + then + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + else + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + fi + fi + ;; +*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2 + exit 1 + ;; +esac diff --git a/testing/tests/ikev2/nat-two-rw-mark/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/nat-two-rw-mark/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..339b56987 --- /dev/null +++ b/testing/tests/ikev2/nat-two-rw-mark/hosts/sun/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ikev2/nat-two-rw-mark/hosts/venus/etc/ipsec.conf b/testing/tests/ikev2/nat-two-rw-mark/hosts/venus/etc/ipsec.conf new file mode 100755 index 000000000..c82c3e978 --- /dev/null +++ b/testing/tests/ikev2/nat-two-rw-mark/hosts/venus/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn nat-t + left=%defaultroute + leftsubnet=10.1.0.0/25 + leftcert=venusCert.pem + leftid=@venus.strongswan.org + leftfirewall=yes + lefthostaccess=yes + right=PH_IP_SUN + rightid=@sun.strongswan.org + rightsubnet=10.2.0.0/16 + auto=add diff --git a/testing/tests/ikev2/nat-two-rw-mark/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2/nat-two-rw-mark/hosts/venus/etc/strongswan.conf new file mode 100644 index 000000000..339b56987 --- /dev/null +++ b/testing/tests/ikev2/nat-two-rw-mark/hosts/venus/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ikev2/nat-two-rw-mark/posttest.dat b/testing/tests/ikev2/nat-two-rw-mark/posttest.dat new file mode 100644 index 000000000..89d5f534b --- /dev/null +++ b/testing/tests/ikev2/nat-two-rw-mark/posttest.dat @@ -0,0 +1,11 @@ +sun::iptables -t mangle -v -n -L PREROUTING +sun::ipsec stop +alice::ipsec stop +venus::ipsec stop +alice::/etc/init.d/iptables stop 2> /dev/null +venus::/etc/init.d/iptables stop 2> /dev/null +sun::/etc/init.d/iptables stop 2> /dev/null +moon::iptables -t nat -F +moon::conntrack -F +sun::conntrack -F +sun::rm /etc/mark_updown diff --git a/testing/tests/ikev2/nat-two-rw-mark/pretest.dat b/testing/tests/ikev2/nat-two-rw-mark/pretest.dat new file mode 100644 index 000000000..105968f45 --- /dev/null +++ b/testing/tests/ikev2/nat-two-rw-mark/pretest.dat @@ -0,0 +1,21 @@ +alice::/etc/init.d/iptables start 2> /dev/null +venus::/etc/init.d/iptables start 2> /dev/null +sun::/etc/init.d/iptables start 2> /dev/null +moon::echo 1 > /proc/sys/net/ipv4/ip_forward +moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to PH_IP_MOON +moon::iptables -t nat -A POSTROUTING -o eth0 -s PH_IP_ALICE -p udp --sport 500 -j SNAT --to PH_IP_MOON:510 +moon::iptables -t nat -A POSTROUTING -o eth0 -s PH_IP_VENUS -p udp --sport 500 -j SNAT --to PH_IP_MOON:520 +moon::iptables -t nat -A POSTROUTING -o eth0 -s PH_IP_ALICE -p udp --sport 4500 -j SNAT --to PH_IP_MOON:4510 +moon::iptables -t nat -A POSTROUTING -o eth0 -s PH_IP_VENUS -p udp --sport 4500 -j SNAT --to PH_IP_MOON:4520 +sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 10 -j SNAT --to 10.3.0.10 +sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 20 -j SNAT --to 10.3.0.20 +sun::iptables -t mangle -A PREROUTING -d 10.3.0.10 -j MARK --set-mark 10 +sun::iptables -t mangle -A PREROUTING -d 10.3.0.20 -j MARK --set-mark 20 +alice::ipsec start +venus::ipsec start +sun::ipsec start +alice::sleep 2 +alice::ipsec up nat-t +venus::sleep 2 +venus::ipsec up nat-t +venus::sleep 2 diff --git a/testing/tests/ikev2/nat-two-rw-mark/test.conf b/testing/tests/ikev2/nat-two-rw-mark/test.conf new file mode 100644 index 000000000..ae3c190b8 --- /dev/null +++ b/testing/tests/ikev2/nat-two-rw-mark/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice venus moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-v-m-w-s-b.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon bob" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="alice venus sun" diff --git a/testing/tests/ikev2/nat-two-rw/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/nat-two-rw/hosts/alice/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/nat-two-rw/hosts/alice/etc/strongswan.conf +++ b/testing/tests/ikev2/nat-two-rw/hosts/alice/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/nat-two-rw/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/nat-two-rw/hosts/sun/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/nat-two-rw/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/nat-two-rw/hosts/sun/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/nat-two-rw/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2/nat-two-rw/hosts/venus/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/nat-two-rw/hosts/venus/etc/strongswan.conf +++ b/testing/tests/ikev2/nat-two-rw/hosts/venus/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ike2/description.txt b/testing/tests/ikev2/nat-virtual-ip/description.txt index 31d24cda6..31d24cda6 100644 --- a/testing/tests/ike2/description.txt +++ b/testing/tests/ikev2/nat-virtual-ip/description.txt diff --git a/testing/tests/ike2/evaltest.dat b/testing/tests/ikev2/nat-virtual-ip/evaltest.dat index 75d5ffbd3..75d5ffbd3 100644 --- a/testing/tests/ike2/evaltest.dat +++ b/testing/tests/ikev2/nat-virtual-ip/evaltest.dat diff --git a/testing/tests/ike2/hosts/bob/etc/hosts b/testing/tests/ikev2/nat-virtual-ip/hosts/bob/etc/hosts index ee854da09..ee854da09 100644 --- a/testing/tests/ike2/hosts/bob/etc/hosts +++ b/testing/tests/ikev2/nat-virtual-ip/hosts/bob/etc/hosts diff --git a/testing/tests/ike2/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/ipsec.conf index e43e0d785..e43e0d785 100755 --- a/testing/tests/ike2/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/ipsec.conf diff --git a/testing/tests/ike2/hosts/moon/etc/nat_updown b/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/nat_updown index aab1df687..aab1df687 100755 --- a/testing/tests/ike2/hosts/moon/etc/nat_updown +++ b/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/nat_updown diff --git a/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..cb3d46293 --- /dev/null +++ b/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-raw updown + multiple_authentication = no +} diff --git a/testing/tests/ike2/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/nat-virtual-ip/hosts/sun/etc/ipsec.conf index 9cede8d56..9cede8d56 100755 --- a/testing/tests/ike2/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ikev2/nat-virtual-ip/hosts/sun/etc/ipsec.conf diff --git a/testing/tests/ikev2/nat-virtual-ip/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/nat-virtual-ip/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..cb3d46293 --- /dev/null +++ b/testing/tests/ikev2/nat-virtual-ip/hosts/sun/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-raw updown + multiple_authentication = no +} diff --git a/testing/tests/ike2/posttest.dat b/testing/tests/ikev2/nat-virtual-ip/posttest.dat index b121de27d..ee30e2c59 100644 --- a/testing/tests/ike2/posttest.dat +++ b/testing/tests/ikev2/nat-virtual-ip/posttest.dat @@ -3,3 +3,4 @@ sun::ipsec stop moon::/etc/init.d/iptables stop 2> /dev/null sun::/etc/init.d/iptables stop 2> /dev/null moon::conntrack -F +moon::rm /etc/nat_updown diff --git a/testing/tests/ike2/pretest.dat b/testing/tests/ikev2/nat-virtual-ip/pretest.dat index abbca90d7..abbca90d7 100644 --- a/testing/tests/ike2/pretest.dat +++ b/testing/tests/ikev2/nat-virtual-ip/pretest.dat diff --git a/testing/tests/ike2/test.conf b/testing/tests/ikev2/nat-virtual-ip/test.conf index 1971a33ab..1971a33ab 100644 --- a/testing/tests/ike2/test.conf +++ b/testing/tests/ikev2/nat-virtual-ip/test.conf diff --git a/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf index 291f08db1..cb17a9e07 100644 --- a/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf @@ -1,6 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown multiple_authentication = no } diff --git a/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf index 291f08db1..cb17a9e07 100644 --- a/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf @@ -1,6 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown multiple_authentication = no } diff --git a/testing/tests/ikev2/net2net-psk-dscp/description.txt b/testing/tests/ikev2/net2net-psk-dscp/description.txt new file mode 100644 index 000000000..d4aefd5ce --- /dev/null +++ b/testing/tests/ikev2/net2net-psk-dscp/description.txt @@ -0,0 +1,13 @@ +In order to support <b>Differentiated Services</b> (DiffServ), two parallel IPsec +connections between the subnets behind the gateways <b>moon</b> and <b>sun</b> are +set up. Using <b>XFRM marks</b> one IPsec SA is designated for <b>Best Effort</b> (BE) +traffic and the second SA for <b>Expedited Forwarding</b> (EF) traffic. +<p/> +The authentication is based on a <b>pre-shared key</b> (PSK). In order to guarantee that +the CHILD_SA with the correct mark is selected on the responder side, each CHILD_SA is +bound to an IKE_SA of its own with a distinct IKEv2 ID but sharing the same PSK. +<p/> +Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically +inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b> +pings client <b>bob</b> located behind gateway <b>sun</b>. diff --git a/testing/tests/ikev2/net2net-psk-dscp/evaltest.dat b/testing/tests/ikev2/net2net-psk-dscp/evaltest.dat new file mode 100644 index 000000000..5881d9246 --- /dev/null +++ b/testing/tests/ikev2/net2net-psk-dscp/evaltest.dat @@ -0,0 +1,8 @@ +moon::ipsec statusall::dscp-be.*ESTABLISHED::YES +moon::ipsec statusall::dscp-ef.*ESTABLISHED::YES +sun::ipsec statusall::dscp-be.*ESTABLISHED::YES +sun::ipsec statusall::dscp-ef.*ESTABLISHED::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES +venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..d78d27c1a --- /dev/null +++ b/testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/ipsec.conf @@ -0,0 +1,38 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + charondebug="knl 2" + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + mobike=no + +conn dscp-be + leftid=@sun-be + rightid=@moon-be + mark=10 + also=net-net + auto=add + +conn dscp-ef + leftid=@sun-ef + rightid=@moon-ef + mark=20 + also=net-net + auto=add + +conn net-net + left=PH_IP_MOON + leftsubnet=10.1.0.0/16 + leftfirewall=yes + leftauth=psk + right=PH_IP_SUN + rightsubnet=10.2.0.0/16 + rightauth=psk diff --git a/testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..9079b520b --- /dev/null +++ b/testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +@moon-be @moon-ef @sun-be @sun-ef : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL diff --git a/testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..5e8f49b17 --- /dev/null +++ b/testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink socket-default updown + multiple_authentication = no +} diff --git a/testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/ipsec.conf new file mode 100755 index 000000000..9d2ef7471 --- /dev/null +++ b/testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/ipsec.conf @@ -0,0 +1,38 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + charondebug="knl 2" + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + mobike=no + +conn dscp-be + leftid=@moon-be + rightid=@sun-be + mark=10 + also=net-net + auto=add + +conn dscp-ef + leftid=@moon-ef + rightid=@sun-ef + mark=20 + also=net-net + auto=add + +conn net-net + left=PH_IP_SUN + leftsubnet=10.2.0.0/16 + leftfirewall=yes + leftauth=psk + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightauth=psk diff --git a/testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/ipsec.secrets b/testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/ipsec.secrets new file mode 100644 index 000000000..1d4ea790a --- /dev/null +++ b/testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/ipsec.secrets @@ -0,0 +1,7 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +@sun-be @sun-ef @moon-be @moon-ef : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL + + + + diff --git a/testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..5e8f49b17 --- /dev/null +++ b/testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink socket-default updown + multiple_authentication = no +} diff --git a/testing/tests/ikev2/net2net-psk-dscp/posttest.dat b/testing/tests/ikev2/net2net-psk-dscp/posttest.dat new file mode 100644 index 000000000..d070c1443 --- /dev/null +++ b/testing/tests/ikev2/net2net-psk-dscp/posttest.dat @@ -0,0 +1,8 @@ +moon::ipsec stop +sun::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +sun::/etc/init.d/iptables stop 2> /dev/null +alice::iptables -t mangle -F OUTPUT +venus::iptables -t mangle -F OUTPUT +bob::iptables -t mangle -F OUTPUT + diff --git a/testing/tests/ikev2/net2net-psk-dscp/pretest.dat b/testing/tests/ikev2/net2net-psk-dscp/pretest.dat new file mode 100644 index 000000000..058c24f8f --- /dev/null +++ b/testing/tests/ikev2/net2net-psk-dscp/pretest.dat @@ -0,0 +1,17 @@ +moon::rm /etc/ipsec.d/cacerts/* +sun::rm /etc/ipsec.d/cacerts/* +moon::/etc/init.d/iptables start 2> /dev/null +sun::/etc/init.d/iptables start 2> /dev/null +alice::iptables -t mangle -A OUTPUT -p icmp -j DSCP --set-dscp-class BE +venus::iptables -t mangle -A OUTPUT -p icmp -j DSCP --set-dscp-class EF +moon::iptables -t mangle -A PREROUTING -m dscp --dscp-class BE -j MARK --set-mark 10 +moon::iptables -t mangle -A PREROUTING -m dscp --dscp-class EF -j MARK --set-mark 20 +bob::iptables -t mangle -A OUTPUT -d PH_IP_ALICE -p icmp -j DSCP --set-dscp-class BE +bob::iptables -t mangle -A OUTPUT -d PH_IP_VENUS -p icmp -j DSCP --set-dscp-class EF +sun::iptables -t mangle -A PREROUTING -m dscp --dscp-class BE -j MARK --set-mark 10 +sun::iptables -t mangle -A PREROUTING -m dscp --dscp-class EF -j MARK --set-mark 20 +moon::ipsec start +sun::ipsec start +moon::sleep 1 +moon::ipsec up dscp-be +moon::ipsec up dscp-ef diff --git a/testing/tests/ikev2/net2net-psk-dscp/test.conf b/testing/tests/ikev2/net2net-psk-dscp/test.conf new file mode 100644 index 000000000..13a8a2a48 --- /dev/null +++ b/testing/tests/ikev2/net2net-psk-dscp/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice venus moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-v-m-w-s-b.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" diff --git a/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/strongswan.conf index 291f08db1..025e1c222 100644 --- a/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/strongswan.conf @@ -1,6 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation addrblock hmac xcbc stroke kernel-netlink socket-default updown multiple_authentication = no } diff --git a/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/strongswan.conf index 291f08db1..025e1c222 100644 --- a/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/strongswan.conf @@ -1,6 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation addrblock hmac xcbc stroke kernel-netlink socket-default updown multiple_authentication = no } diff --git a/testing/tests/ikev2/net2net-route/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-route/hosts/moon/etc/strongswan.conf index 291f08db1..cb17a9e07 100644 --- a/testing/tests/ikev2/net2net-route/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-route/hosts/moon/etc/strongswan.conf @@ -1,6 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown multiple_authentication = no } diff --git a/testing/tests/ikev2/net2net-route/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-route/hosts/sun/etc/strongswan.conf index 291f08db1..cb17a9e07 100644 --- a/testing/tests/ikev2/net2net-route/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-route/hosts/sun/etc/strongswan.conf @@ -1,6 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown multiple_authentication = no } diff --git a/testing/tests/ikev2/net2net-same-nets/description.txt b/testing/tests/ikev2/net2net-same-nets/description.txt new file mode 100644 index 000000000..d0eb3374f --- /dev/null +++ b/testing/tests/ikev2/net2net-same-nets/description.txt @@ -0,0 +1,15 @@ +A connection between two identical <b>10.0.0.0/14</b> networks behind the gateways <b>moon</b> +and <b>sun</b> is set up. In order to make network routing work, the subnet behind <b>moon</b> +sees the subnet behind <b>sun</b> as <b>10.4.0.0/14</b> whereas the subnet behind <b>sun</b> +sees the subnet behind <b>moon</b> as <b>10.8.0.0/14</b>. The necessary network mappings are +done on gateway <b>sun</b> using the iptables <b>MARK</b> and <b>NETMAP</b> targets. +<p/> +Upon the successful establishment of the IPsec tunnel, on gateway <b>moon</b> the directive +<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass +the tunneled traffic whereas on gateway <b>sun</b> the script indicated by +<b>leftupdown=/etc/mark_updown</b> inserts iptables rules that set marks defined in the +connection definition of <b>ipsec.conf</b> both on the inbound and outbound traffic, create +the necessary NETMAP operations and forward the tunneled traffic. +<p/> +In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b> +pings client <b>bob</b> located behind gateway <b>sun</b> and vice versa. diff --git a/testing/tests/ikev2/net2net-same-nets/evaltest.dat b/testing/tests/ikev2/net2net-same-nets/evaltest.dat new file mode 100644 index 000000000..bf99bb278 --- /dev/null +++ b/testing/tests/ikev2/net2net-same-nets/evaltest.dat @@ -0,0 +1,10 @@ +moon::ipsec statusall::net-net.*ESTABLISHED::YES +sun::ipsec statusall::net-net.*ESTABLISHED::YES +alice::ping -c 1 10.6.0.10::64 bytes from 10.6.0.10: icmp_seq=1::YES +bob::ping -c 1 10.9.0.10::64 bytes from 10.9.0.10: icmp_seq=1::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES +bob::tcpdump::IP 10.9.0.10 > bob.strongswan.org: ICMP echo request::YES +bob::tcpdump::IP bob.strongswan.org > 10.9.0.10: ICMP echo reply::YES +bob::tcpdump::IP bob.strongswan.org > 10.9.0.10: ICMP echo request::YES +bob::tcpdump::IP 10.9.0.10 > bob.strongswan.org: ICMP echo reply::YES diff --git a/testing/tests/ikev2/net2net-same-nets/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-same-nets/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..8f43a4f6e --- /dev/null +++ b/testing/tests/ikev2/net2net-same-nets/hosts/moon/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + mobike=no + +conn net-net + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.0.0.0/14 + leftfirewall=yes + right=PH_IP_SUN + rightid=@sun.strongswan.org + rightsubnet=10.4.0.0/14 + auto=add diff --git a/testing/tests/ikev2/net2net-same-nets/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-same-nets/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..cb17a9e07 --- /dev/null +++ b/testing/tests/ikev2/net2net-same-nets/hosts/moon/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + multiple_authentication = no +} diff --git a/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/ipsec.conf new file mode 100755 index 000000000..33e1e6656 --- /dev/null +++ b/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/ipsec.conf @@ -0,0 +1,27 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + mobike=no + +conn net-net + left=PH_IP_SUN + leftcert=sunCert.pem + leftid=@sun.strongswan.org + leftsubnet=10.4.0.0/14 + leftupdown=/etc/mark_updown + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.0.0.0/14 + mark_in=8 + mark_out=4 + auto=add diff --git a/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/mark_updown b/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/mark_updown new file mode 100755 index 000000000..d7b68956c --- /dev/null +++ b/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/mark_updown @@ -0,0 +1,224 @@ +#! /bin/sh +# updown script setting inbound marks on ESP traffic in the mangle chain +# +# Copyright (C) 2003-2004 Nigel Meteringham +# Copyright (C) 2003-2004 Tuomo Soini +# Copyright (C) 2002-2004 Michael Richardson +# Copyright (C) 2005-2010 Andreas Steffen <andreas.steffen@strongswan.org> +# +# This program is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 2 of the License, or (at your +# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +# for more details. + +# CAUTION: Installing a new version of strongSwan will install a new +# copy of this script, wiping out any custom changes you make. If +# you need changes, make a copy of this under another name, and customize +# that, and use the (left/right)updown parameters in ipsec.conf to make +# strongSwan use yours instead of this default one. + +# things that this script gets (from ipsec_pluto(8) man page) +# +# PLUTO_VERSION +# indicates what version of this interface is being +# used. This document describes version 1.1. This +# is upwardly compatible with version 1.0. +# +# PLUTO_VERB +# specifies the name of the operation to be performed +# (prepare-host, prepare-client, up-host, up-client, +# down-host, or down-client). If the address family +# for security gateway to security gateway communica- +# tions is IPv6, then a suffix of -v6 is added to the +# verb. +# +# PLUTO_CONNECTION +# is the name of the connection for which we are +# routing. +# +# PLUTO_NEXT_HOP +# is the next hop to which packets bound for the peer +# must be sent. +# +# PLUTO_INTERFACE +# is the name of the ipsec interface to be used. +# +# PLUTO_REQID +# is the requid of the ESP policy +# +# PLUTO_ME +# is the IP address of our host. +# +# PLUTO_MY_ID +# is the ID of our host. +# +# PLUTO_MY_CLIENT +# is the IP address / count of our client subnet. If +# the client is just the host, this will be the +# host's own IP address / max (where max is 32 for +# IPv4 and 128 for IPv6). +# +# PLUTO_MY_CLIENT_NET +# is the IP address of our client net. If the client +# is just the host, this will be the host's own IP +# address. +# +# PLUTO_MY_CLIENT_MASK +# is the mask for our client net. If the client is +# just the host, this will be 255.255.255.255. +# +# PLUTO_MY_SOURCEIP +# if non-empty, then the source address for the route will be +# set to this IP address. +# +# PLUTO_MY_PROTOCOL +# is the IP protocol that will be transported. +# +# PLUTO_MY_PORT +# is the UDP/TCP port to which the IPsec SA is +# restricted on our side. +# +# PLUTO_PEER +# is the IP address of our peer. +# +# PLUTO_PEER_ID +# is the ID of our peer. +# +# PLUTO_PEER_CA +# is the CA which issued the cert of our peer. +# +# PLUTO_PEER_CLIENT +# is the IP address / count of the peer's client sub- +# net. If the client is just the peer, this will be +# the peer's own IP address / max (where max is 32 +# for IPv4 and 128 for IPv6). +# +# PLUTO_PEER_CLIENT_NET +# is the IP address of the peer's client net. If the +# client is just the peer, this will be the peer's +# own IP address. +# +# PLUTO_PEER_CLIENT_MASK +# is the mask for the peer's client net. If the +# client is just the peer, this will be +# 255.255.255.255. +# +# PLUTO_PEER_PROTOCOL +# is the IP protocol that will be transported. +# +# PLUTO_PEER_PORT +# is the UDP/TCP port to which the IPsec SA is +# restricted on the peer side. +# +# PLUTO_XAUTH_ID +# is an optional user ID employed by the XAUTH protocol +# +# PLUTO_MARK_IN +# is an optional XFRM mark set on the inbound IPsec SA +# +# PLUTO_MARK_OUT +# is an optional XFRM mark set on the outbound IPsec SA +# +# PLUTO_ESP_ENC +# contains the remote UDP port in the case of ESP_IN_UDP +# encapsulation +# + +# define a minimum PATH environment in case it is not set +PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin" +export PATH + +# check parameter(s) +case "$1:$*" in +':') # no parameters + ;; +iptables:iptables) # due to (left/right)firewall; for default script only + ;; +custom:*) # custom parameters (see above CAUTION comment) + ;; +*) echo "$0: unknown parameters \`$*'" >&2 + exit 2 + ;; +esac + +# define NETMAP +SAME_NET=$PLUTO_PEER_CLIENT +IN_NET=$PLUTO_MY_CLIENT +OUT_NET="10.8.0.0/14" + +# define internal interface +INT_INTERFACE="eth1" + +# is there an inbound mark to be set? +if [ -n "$PLUTO_MARK_IN" ] +then + if [ -n "$PLUTO_UDP_ENC" ] + then + SET_MARK_IN="-p udp --sport $PLUTO_UDP_ENC" + else + SET_MARK_IN="-p esp" + fi + SET_MARK_IN="$SET_MARK_IN -s $PLUTO_PEER -j MARK --set-mark $PLUTO_MARK_IN" +fi + +# is there an outbound mark to be set? +if [ -n "$PLUTO_MARK_OUT" ] +then + SET_MARK_OUT="-i $INT_INTERFACE -s $SAME_NET -d $OUT_NET -j MARK --set-mark $PLUTO_MARK_OUT" +fi + +# resolve octal escape sequences +PLUTO_MY_ID=`printf "$PLUTO_MY_ID"` +PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"` + +# the big choice +case "$PLUTO_VERB:$1" in +up-client:) + # connection to my client subnet coming up + # If you are doing a custom version, firewall commands go here. + if [ -n "$PLUTO_MARK_IN" ] + then + iptables -t mangle -A PREROUTING $SET_MARK_IN + iptables -t nat -A PREROUTING -i $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_IN \ + -d $IN_NET -j NETMAP --to $SAME_NET + iptables -I FORWARD 1 -i $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_IN -j ACCEPT + iptables -t nat -A POSTROUTING -o $INT_INTERFACE -m mark --mark $PLUTO_MARK_IN \ + -s $SAME_NET -j NETMAP --to $OUT_NET + fi + if [ -n "$PLUTO_MARK_OUT" ] + then + iptables -t mangle -A PREROUTING $SET_MARK_OUT + iptables -t nat -A PREROUTING -i $INT_INTERFACE -m mark --mark $PLUTO_MARK_OUT \ + -d $OUT_NET -j NETMAP --to $SAME_NET + iptables -I FORWARD 1 -o $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_OUT -j ACCEPT + iptables -t nat -A POSTROUTING -o $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_OUT \ + -s $SAME_NET -j NETMAP --to $IN_NET + fi + ;; +down-client:) + # connection to my client subnet going down + # If you are doing a custom version, firewall commands go here. + if [ -n "$PLUTO_MARK_IN" ] + then + iptables -t mangle -D PREROUTING $SET_MARK_IN + iptables -t nat -D PREROUTING -i $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_IN \ + -d $IN_NET -j NETMAP --to $SAME_NET + iptables -D FORWARD -i $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_IN -j ACCEPT + iptables -t nat -D POSTROUTING -o eth1 -m mark --mark $PLUTO_MARK_IN \ + -s $SAME_NET -j NETMAP --to $OUT_NET + fi + if [ -n "$PLUTO_MARK_OUT" ] + then + iptables -t mangle -D PREROUTING $SET_MARK_OUT + iptables -D FORWARD -o $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_OUT -j ACCEPT + fi + ;; +*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2 + exit 1 + ;; +esac diff --git a/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..cb17a9e07 --- /dev/null +++ b/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + multiple_authentication = no +} diff --git a/testing/tests/ikev2/net2net-same-nets/posttest.dat b/testing/tests/ikev2/net2net-same-nets/posttest.dat new file mode 100644 index 000000000..e75e66650 --- /dev/null +++ b/testing/tests/ikev2/net2net-same-nets/posttest.dat @@ -0,0 +1,7 @@ +sun::iptables -t mangle -n -v -L PREROUTING +sun::iptables -t nat -n -v -L +moon::ipsec stop +sun::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +sun::/etc/init.d/iptables stop 2> /dev/null +sun::conntrack -F diff --git a/testing/tests/ikev2/net2net-same-nets/pretest.dat b/testing/tests/ikev2/net2net-same-nets/pretest.dat new file mode 100644 index 000000000..2d7a78acb --- /dev/null +++ b/testing/tests/ikev2/net2net-same-nets/pretest.dat @@ -0,0 +1,6 @@ +moon::/etc/init.d/iptables start 2> /dev/null +sun::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +sun::ipsec start +moon::sleep 1 +moon::ipsec up net-net diff --git a/testing/tests/ikev2/net2net-same-nets/test.conf b/testing/tests/ikev2/net2net-same-nets/test.conf new file mode 100644 index 000000000..1971a33ab --- /dev/null +++ b/testing/tests/ikev2/net2net-same-nets/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun bob" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" diff --git a/testing/tests/ikev2/net2net-start/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-start/hosts/moon/etc/strongswan.conf index 291f08db1..cb17a9e07 100644 --- a/testing/tests/ikev2/net2net-start/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-start/hosts/moon/etc/strongswan.conf @@ -1,6 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown multiple_authentication = no } diff --git a/testing/tests/ikev2/net2net-start/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-start/hosts/sun/etc/strongswan.conf index 291f08db1..cb17a9e07 100644 --- a/testing/tests/ikev2/net2net-start/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-start/hosts/sun/etc/strongswan.conf @@ -1,6 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown multiple_authentication = no } diff --git a/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/strongswan.conf index dd2df0670..88f162098 100644 --- a/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/strongswan.conf index dd2df0670..88f162098 100644 --- a/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/strongswan.conf index dd2df0670..88f162098 100644 --- a/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/strongswan.conf index dd2df0670..88f162098 100644 --- a/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/strongswan.conf index dd2df0670..88f162098 100644 --- a/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/strongswan.conf index dd2df0670..88f162098 100644 --- a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/strongswan.conf index dd2df0670..88f162098 100644 --- a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/strongswan.conf index dd2df0670..88f162098 100644 --- a/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/strongswan.conf index dd2df0670..88f162098 100644 --- a/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/strongswan.conf index dd2df0670..88f162098 100644 --- a/testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/strongswan.conf index dd2df0670..88f162098 100644 --- a/testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/strongswan.conf index dd2df0670..88f162098 100644 --- a/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/ocsp-signer-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-signer-cert/hosts/moon/etc/strongswan.conf index dd2df0670..88f162098 100644 --- a/testing/tests/ikev2/ocsp-signer-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/ocsp-signer-cert/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/strongswan.conf index dd2df0670..88f162098 100644 --- a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/strongswan.conf index dd2df0670..88f162098 100644 --- a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/strongswan.conf index dd2df0670..88f162098 100644 --- a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/strongswan.conf index dd2df0670..88f162098 100644 --- a/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/strongswan.conf index dd2df0670..88f162098 100644 --- a/testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/strongswan.conf index dd2df0670..88f162098 100644 --- a/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/strongswan.conf index dd2df0670..88f162098 100644 --- a/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/strongswan.conf index dd2df0670..88f162098 100644 --- a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/strongswan.conf index dd2df0670..88f162098 100644 --- a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/protoport-dual/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/protoport-dual/hosts/carol/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/protoport-dual/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/protoport-dual/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/protoport-dual/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/protoport-dual/hosts/moon/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/protoport-dual/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/protoport-dual/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/protoport-route/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/protoport-route/hosts/carol/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/protoport-route/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/protoport-route/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/protoport-route/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/protoport-route/hosts/moon/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/protoport-route/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/protoport-route/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/reauth-early/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/reauth-early/hosts/carol/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/reauth-early/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/reauth-early/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/reauth-early/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/reauth-early/hosts/moon/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/reauth-early/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/reauth-early/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/reauth-late/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/reauth-late/hosts/carol/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/reauth-late/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/reauth-late/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/reauth-late/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/reauth-late/hosts/moon/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/reauth-late/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/reauth-late/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf index ee0e454da..6d762c970 100644 --- a/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } libstrongswan { diff --git a/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf index ee0e454da..6d762c970 100644 --- a/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } libstrongswan { diff --git a/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf index ee0e454da..6d762c970 100644 --- a/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } libstrongswan { diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/carol/etc/strongswan.conf index df11f5ea3..ccf446f79 100644 --- a/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-aka eap-aka-3gpp2 eap-identity updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-aka eap-aka-3gpp2 eap-identity updown } diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/moon/etc/strongswan.conf index df11f5ea3..ccf446f79 100644 --- a/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-aka eap-aka-3gpp2 eap-identity updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-aka eap-aka-3gpp2 eap-identity updown } diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf index eef03e3b4..5821bc12d 100644 --- a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-aka eap-aka-3gpp2 updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-aka eap-aka-3gpp2 updown } diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf index eef03e3b4..5821bc12d 100644 --- a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-aka eap-aka-3gpp2 updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-aka eap-aka-3gpp2 updown } diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/strongswan.conf index 6609a2115..fe067d344 100644 --- a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 eap-identity updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 eap-identity updown } diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/strongswan.conf index f0e7da85e..2a18af887 100644 --- a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius eap-identity updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius eap-identity updown plugins { eap-radius { secret = gv6URkSs diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/strongswan.conf index 6fcf5999e..57bd6cceb 100644 --- a/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 updown } diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/strongswan.conf index a7f7b99ec..f21745bcd 100644 --- a/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius updown plugins { eap-radius { secret = gv6URkSs diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf index 6fcf5999e..57bd6cceb 100644 --- a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 updown } diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf index 6fcf5999e..57bd6cceb 100644 --- a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 updown } diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/carol/etc/strongswan.conf index 8d2f57828..fd717317c 100644 --- a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md4 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-mschapv2 eap-identity updown + load = curl aes des sha1 sha2 md4 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-mschapv2 eap-identity updown } diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/moon/etc/strongswan.conf index 8d2f57828..fd717317c 100644 --- a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md4 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-mschapv2 eap-identity updown + load = curl aes des sha1 sha2 md4 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-mschapv2 eap-identity updown } diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/strongswan.conf index 2435403a4..7b4ab49e4 100644 --- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file eap-identity updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file eap-identity updown } diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/strongswan.conf index f0e7da85e..2a18af887 100644 --- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius eap-identity updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius eap-identity updown plugins { eap-radius { secret = gv6URkSs diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/carol/etc/strongswan.conf index e4ef757fb..9f82ffa2f 100644 --- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/carol/etc/strongswan.conf @@ -1,6 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown send_vendor_id = yes } diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/dave/etc/strongswan.conf index e4ef757fb..9f82ffa2f 100644 --- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/dave/etc/strongswan.conf @@ -1,6 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown send_vendor_id = yes } diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/strongswan.conf index d77218b77..8250ae1ab 100644 --- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius updown send_vendor_id = yes plugins { eap-radius { diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-radius/hosts/carol/etc/strongswan.conf index 6e1818c9e..e468cd4f9 100644 --- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown } diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/strongswan.conf index 6e1818c9e..e468cd4f9 100644 --- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown } diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/strongswan.conf index a7f7b99ec..f21745bcd 100644 --- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius updown plugins { eap-radius { secret = gv6URkSs diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf index 6e1818c9e..e468cd4f9 100644 --- a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown } diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf index 6e1818c9e..e468cd4f9 100644 --- a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown } diff --git a/testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/strongswan.conf index b71db18dd..d9349846c 100644 --- a/testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/strongswan.conf @@ -2,5 +2,5 @@ charon { hash_and_url = yes - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/strongswan.conf index b71db18dd..d9349846c 100644 --- a/testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/strongswan.conf @@ -2,5 +2,5 @@ charon { hash_and_url = yes - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/strongswan.conf index b71db18dd..d9349846c 100644 --- a/testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/strongswan.conf @@ -2,5 +2,5 @@ charon { hash_and_url = yes - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/rw-mark-in-out/description.txt b/testing/tests/ikev2/rw-mark-in-out/description.txt new file mode 100644 index 000000000..4c35081b1 --- /dev/null +++ b/testing/tests/ikev2/rw-mark-in-out/description.txt @@ -0,0 +1,16 @@ +The roadwarriors <b>alice</b> and <b>venus</b> sitting behind the router <b>moon</b> set up +tunnels to gateway <b>sun</b>. Since both roadwarriors possess the same 10.1.0.0/25 subnet, +gateway <b>sun</b> uses Source NAT after ESP decryption to map these subnets to 10.3.0.10 +and 10.3.0.20, respectively. +<p/> +In order to differentiate between the tunnels to <b>alice</b> and <b>venus</b>, respectively, +<b>XFRM marks</b> are defined for both the inbound and outbound IPsec SAs and policies using +the <b>mark_in</b> and <b>mark_out</b> parameters in ipsec.conf. +<p/> +<b>iptables -t mangle</b> rules are then used in the PREROUTING chain to mark the traffic to +and from <b>alice</b> and <b>venus</b>, respectively. +<p/> +The script designated by <b>leftupdown=/etc/mark_updown</b> automatically inserts +iptables mangle rules that mark the inbound ESP packets as well as iptables IPsec-policy rules +that let pass the tunneled traffic. In order to test the tunnel, the hosts <b>alice</b> +and <b>venus</b> ping the client <b>bob</b> behind the gateway <b>sun</b>. diff --git a/testing/tests/ikev2/rw-mark-in-out/evaltest.dat b/testing/tests/ikev2/rw-mark-in-out/evaltest.dat new file mode 100644 index 000000000..c248a508a --- /dev/null +++ b/testing/tests/ikev2/rw-mark-in-out/evaltest.dat @@ -0,0 +1,16 @@ +alice::ipsec statusall::home.*INSTALLED::YES +venus::ipsec statusall::home.*INSTALLED::YES +sun::ipsec statusall::alice.*ESTABLISHED.*alice@strongswan.org::YES +sun::ipsec statusall::venus.*ESTABLISHED.*venus.strongswan.org::YES +sun::ipsec statusall::alice.*10.2.0.0/16 === 10.1.0.0/25::YES +sun::ipsec statusall::venus.*10.2.0.0/16 === 10.1.0.0/25::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES +venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES +moon::tcpdump::IP alice.strongswan.org > sun.strongswan.org: ESP::YES +moon::tcpdump::IP venus.strongswan.org > sun.strongswan.org: ESP::YES +moon::tcpdump::IP sun.strongswan.org > alice.strongswan.org: ESP::YES +moon::tcpdump::IP sun.strongswan.org > venus.strongswan.org: ESP::YES +bob::tcpdump::10.3.0.10 > bob.strongswan.org: ICMP echo request::YES +bob::tcpdump::10.3.0.20 > bob.strongswan.org: ICMP echo request::YES +bob::tcpdump::bob.strongswan.org > 10.3.0.10: ICMP echo reply::YES +bob::tcpdump::bob.strongswan.org > 10.3.0.20: ICMP echo reply::YES diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/alice/etc/init.d/iptables b/testing/tests/ikev2/rw-mark-in-out/hosts/alice/etc/init.d/iptables new file mode 100755 index 000000000..5594bbf52 --- /dev/null +++ b/testing/tests/ikev2/rw-mark-in-out/hosts/alice/etc/init.d/iptables @@ -0,0 +1,77 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +opts="start stop reload" + +depend() { + before net + need logger +} + +start() { + ebegin "Starting firewall" + + # default policy is DROP + /sbin/iptables -P INPUT DROP + /sbin/iptables -P OUTPUT DROP + /sbin/iptables -P FORWARD DROP + + # allow ESP + iptables -A INPUT -i eth0 -p 50 -j ACCEPT + iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT + + # allow IKE + iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT + iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + + # allow MOBIKE + iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT + iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + + # allow crl fetch from winnetou + iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT + iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + + # allow ssh + iptables -A INPUT -p tcp --dport 22 -j ACCEPT + iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT + + eend $? +} + +stop() { + ebegin "Stopping firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + + if [ $a == nat ]; then + /sbin/iptables -t nat -P PREROUTING ACCEPT + /sbin/iptables -t nat -P POSTROUTING ACCEPT + /sbin/iptables -t nat -P OUTPUT ACCEPT + elif [ $a == mangle ]; then + /sbin/iptables -t mangle -P PREROUTING ACCEPT + /sbin/iptables -t mangle -P INPUT ACCEPT + /sbin/iptables -t mangle -P FORWARD ACCEPT + /sbin/iptables -t mangle -P OUTPUT ACCEPT + /sbin/iptables -t mangle -P POSTROUTING ACCEPT + elif [ $a == filter ]; then + /sbin/iptables -t filter -P INPUT ACCEPT + /sbin/iptables -t filter -P FORWARD ACCEPT + /sbin/iptables -t filter -P OUTPUT ACCEPT + fi + done + eend $? +} + +reload() { + ebegin "Flushing firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + done; + eend $? + start +} + diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/rw-mark-in-out/hosts/alice/etc/ipsec.conf new file mode 100755 index 000000000..dd0240b07 --- /dev/null +++ b/testing/tests/ikev2/rw-mark-in-out/hosts/alice/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=%defaultroute + leftsubnet=10.1.0.0/25 + leftcert=aliceCert.pem + leftid=alice@strongswan.org + leftfirewall=yes + lefthostaccess=yes + right=PH_IP_SUN + rightid=@sun.strongswan.org + rightsubnet=10.2.0.0/16 + auto=add diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/rw-mark-in-out/hosts/alice/etc/strongswan.conf new file mode 100644 index 000000000..339b56987 --- /dev/null +++ b/testing/tests/ikev2/rw-mark-in-out/hosts/alice/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/ipsec.conf new file mode 100755 index 000000000..5fa211c2a --- /dev/null +++ b/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/ipsec.conf @@ -0,0 +1,37 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + charondebug="knl 2" + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn alice + rightid=alice@strongswan.org + mark_in=10/0xffffffff + mark_out=11/0xffffffff + also=sun + auto=add + +conn venus + rightid=@venus.strongswan.org + mark_in=20 #0xffffffff is used by default + mark_out=21 #0xffffffff is used by default + also=sun + auto=add + +conn sun + left=PH_IP_SUN + leftcert=sunCert.pem + leftid=@sun.strongswan.org + leftsubnet=10.2.0.0/16 + leftupdown=/etc/mark_updown + right=%any + rightsubnet=0.0.0.0/0 diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/mark_updown b/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/mark_updown new file mode 100755 index 000000000..442233f32 --- /dev/null +++ b/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/mark_updown @@ -0,0 +1,527 @@ +#! /bin/sh +# updown script setting inbound marks on ESP traffic in the mangle chain +# +# Copyright (C) 2003-2004 Nigel Meteringham +# Copyright (C) 2003-2004 Tuomo Soini +# Copyright (C) 2002-2004 Michael Richardson +# Copyright (C) 2005-2010 Andreas Steffen <andreas.steffen@strongswan.org> +# +# This program is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 2 of the License, or (at your +# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +# for more details. + +# CAUTION: Installing a new version of strongSwan will install a new +# copy of this script, wiping out any custom changes you make. If +# you need changes, make a copy of this under another name, and customize +# that, and use the (left/right)updown parameters in ipsec.conf to make +# strongSwan use yours instead of this default one. + +# things that this script gets (from ipsec_pluto(8) man page) +# +# PLUTO_VERSION +# indicates what version of this interface is being +# used. This document describes version 1.1. This +# is upwardly compatible with version 1.0. +# +# PLUTO_VERB +# specifies the name of the operation to be performed +# (prepare-host, prepare-client, up-host, up-client, +# down-host, or down-client). If the address family +# for security gateway to security gateway communica- +# tions is IPv6, then a suffix of -v6 is added to the +# verb. +# +# PLUTO_CONNECTION +# is the name of the connection for which we are +# routing. +# +# PLUTO_NEXT_HOP +# is the next hop to which packets bound for the peer +# must be sent. +# +# PLUTO_INTERFACE +# is the name of the ipsec interface to be used. +# +# PLUTO_REQID +# is the requid of the ESP policy +# +# PLUTO_ME +# is the IP address of our host. +# +# PLUTO_MY_ID +# is the ID of our host. +# +# PLUTO_MY_CLIENT +# is the IP address / count of our client subnet. If +# the client is just the host, this will be the +# host's own IP address / max (where max is 32 for +# IPv4 and 128 for IPv6). +# +# PLUTO_MY_CLIENT_NET +# is the IP address of our client net. If the client +# is just the host, this will be the host's own IP +# address. +# +# PLUTO_MY_CLIENT_MASK +# is the mask for our client net. If the client is +# just the host, this will be 255.255.255.255. +# +# PLUTO_MY_SOURCEIP +# if non-empty, then the source address for the route will be +# set to this IP address. +# +# PLUTO_MY_PROTOCOL +# is the IP protocol that will be transported. +# +# PLUTO_MY_PORT +# is the UDP/TCP port to which the IPsec SA is +# restricted on our side. +# +# PLUTO_PEER +# is the IP address of our peer. +# +# PLUTO_PEER_ID +# is the ID of our peer. +# +# PLUTO_PEER_CA +# is the CA which issued the cert of our peer. +# +# PLUTO_PEER_CLIENT +# is the IP address / count of the peer's client sub- +# net. If the client is just the peer, this will be +# the peer's own IP address / max (where max is 32 +# for IPv4 and 128 for IPv6). +# +# PLUTO_PEER_CLIENT_NET +# is the IP address of the peer's client net. If the +# client is just the peer, this will be the peer's +# own IP address. +# +# PLUTO_PEER_CLIENT_MASK +# is the mask for the peer's client net. If the +# client is just the peer, this will be +# 255.255.255.255. +# +# PLUTO_PEER_PROTOCOL +# is the IP protocol that will be transported. +# +# PLUTO_PEER_PORT +# is the UDP/TCP port to which the IPsec SA is +# restricted on the peer side. +# +# PLUTO_XAUTH_ID +# is an optional user ID employed by the XAUTH protocol +# +# PLUTO_MARK_IN +# is an optional XFRM mark set on the inbound IPsec SA +# +# PLUTO_MARK_OUT +# is an optional XFRM mark set on the outbound IPsec SA +# +# PLUTO_ESP_ENC +# contains the remote UDP port in the case of ESP_IN_UDP +# encapsulation +# + +# define a minimum PATH environment in case it is not set +PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin" +export PATH + +# uncomment to log VPN connections +VPN_LOGGING=1 +# +# tag put in front of each log entry: +TAG=vpn +# +# syslog facility and priority used: +FAC_PRIO=local0.notice +# +# to create a special vpn logging file, put the following line into +# the syslog configuration file /etc/syslog.conf: +# +# local0.notice -/var/log/vpn + +# in order to use source IP routing the Linux kernel options +# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES +# must be enabled +# +# special routing table for sourceip routes +SOURCEIP_ROUTING_TABLE=220 +# +# priority of the sourceip routing table +SOURCEIP_ROUTING_TABLE_PRIO=220 + +# check interface version +case "$PLUTO_VERSION" in +1.[0|1]) # Older Pluto?!? Play it safe, script may be using new features. + echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2 + echo "$0: called by obsolete Pluto?" >&2 + exit 2 + ;; +1.*) ;; +*) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2 + exit 2 + ;; +esac + +# check parameter(s) +case "$1:$*" in +':') # no parameters + ;; +iptables:iptables) # due to (left/right)firewall; for default script only + ;; +custom:*) # custom parameters (see above CAUTION comment) + ;; +*) echo "$0: unknown parameters \`$*'" >&2 + exit 2 + ;; +esac + +# utility functions for route manipulation +# Meddling with this stuff should not be necessary and requires great care. +uproute() { + doroute add + ip route flush cache +} +downroute() { + doroute delete + ip route flush cache +} + +addsource() { + st=0 + if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local + then + it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE" + oops="`eval $it 2>&1`" + st=$? + if test " $oops" = " " -a " $st" != " 0" + then + oops="silent error, exit status $st" + fi + if test " $oops" != " " -o " $st" != " 0" + then + echo "$0: addsource \`$it' failed ($oops)" >&2 + fi + fi + return $st +} + +doroute() { + st=0 + + if [ -z "$PLUTO_MY_SOURCEIP" ] + then + for dir in /etc/sysconfig /etc/conf.d; do + if [ -f "$dir/defaultsource" ] + then + . "$dir/defaultsource" + fi + done + + if [ -n "$DEFAULTSOURCE" ] + then + PLUTO_MY_SOURCEIP=$DEFAULTSOURCE + fi + fi + + if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ] + then + # leave because no route entry is required + return $st + fi + + parms1="$PLUTO_PEER_CLIENT" + + if [ -n "$PLUTO_NEXT_HOP" ] + then + parms2="via $PLUTO_NEXT_HOP" + else + parms2="via $PLUTO_PEER" + fi + parms2="$parms2 dev $PLUTO_INTERFACE" + + parms3= + if [ -n "$PLUTO_MY_SOURCEIP" ] + then + if test "$1" = "add" + then + addsource + if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE" + then + ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE + fi + fi + parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE" + fi + + case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in + "0.0.0.0/0.0.0.0") + # opportunistic encryption work around + # need to provide route that eclipses default, without + # replacing it. + it="ip route $1 0.0.0.0/1 $parms2 $parms3 && + ip route $1 128.0.0.0/1 $parms2 $parms3" + ;; + *) it="ip route $1 $parms1 $parms2 $parms3" + ;; + esac + oops="`eval $it 2>&1`" + st=$? + if test " $oops" = " " -a " $st" != " 0" + then + oops="silent error, exit status $st" + fi + if test " $oops" != " " -o " $st" != " 0" + then + echo "$0: doroute \`$it' failed ($oops)" >&2 + fi + return $st +} + +# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY +if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ] +then + KLIPS=1 + IPSEC_POLICY_IN="" + IPSEC_POLICY_OUT="" +else + KLIPS= + IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID" + IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" + IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" +fi + +# is there an inbound mark to be set? +if [ -n "$PLUTO_MARK_IN" ] +then + if [ -n "$PLUTO_UDP_ENC" ] + then + SET_MARK="-p udp --sport $PLUTO_UDP_ENC" + else + SET_MARK="-p esp" + fi + SET_MARK="$SET_MARK -s $PLUTO_PEER -j MARK --set-mark $PLUTO_MARK_IN" +fi + +# are there port numbers? +if [ "$PLUTO_MY_PORT" != 0 ] +then + S_MY_PORT="--sport $PLUTO_MY_PORT" + D_MY_PORT="--dport $PLUTO_MY_PORT" +fi +if [ "$PLUTO_PEER_PORT" != 0 ] +then + S_PEER_PORT="--sport $PLUTO_PEER_PORT" + D_PEER_PORT="--dport $PLUTO_PEER_PORT" +fi + +# resolve octal escape sequences +PLUTO_MY_ID=`printf "$PLUTO_MY_ID"` +PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"` + +# the big choice +case "$PLUTO_VERB:$1" in +prepare-host:*|prepare-client:*) + if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ] + then + # exit because no route will be added, + # so that existing routes can stay + exit 0 + fi + + # delete possibly-existing route (preliminary to adding a route) + case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in + "0.0.0.0/0.0.0.0") + # need to provide route that eclipses default, without + # replacing it. + parms1="0.0.0.0/1" + parms2="128.0.0.0/1" + it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1" + oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`" + ;; + *) + parms="$PLUTO_PEER_CLIENT" + it="ip route delete $parms 2>&1" + oops="`ip route delete $parms 2>&1`" + ;; + esac + status="$?" + if test " $oops" = " " -a " $status" != " 0" + then + oops="silent error, exit status $status" + fi + case "$oops" in + *'RTNETLINK answers: No such process'*) + # This is what route (currently -- not documented!) gives + # for "could not find such a route". + oops= + status=0 + ;; + esac + if test " $oops" != " " -o " $status" != " 0" + then + echo "$0: \`$it' failed ($oops)" >&2 + fi + exit $status + ;; +route-host:*|route-client:*) + # connection to me or my client subnet being routed + uproute + ;; +unroute-host:*|unroute-client:*) + # connection to me or my client subnet being unrouted + downroute + ;; +up-host:) + # connection to me coming up + # If you are doing a custom version, firewall commands go here. + if [ -n "$PLUTO_MARK_IN" ] + then + iptables -t mangle -A PREROUTING $SET_MARK + fi + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + # + # log IPsec host connection setup + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] + then + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" + else + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" + fi + fi + ;; +down-host:) + # connection to me going down + # If you are doing a custom version, firewall commands go here. + if [ -n "$PLUTO_MARK_IN" ] + then + iptables -t mangle -D PREROUTING $SET_MARK + fi + iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + # + # log IPsec host connection teardown + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] + then + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" + else + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" + fi + fi + ;; +up-client:) + # connection to my client subnet coming up + # If you are doing a custom version, firewall commands go here. + if [ -n "$PLUTO_MARK_IN" ] + then + iptables -t mangle -A PREROUTING $SET_MARK + fi + if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] + then + iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT + iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + fi + # + # a virtual IP requires an INPUT and OUTPUT rule on the host + # or sometimes host access via the internal IP is needed + if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT + fi + # + # log IPsec client connection setup + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] + then + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + else + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + fi + fi + ;; +down-client:) + # connection to my client subnet going down + # If you are doing a custom version, firewall commands go here. + if [ -n "$PLUTO_MARK_IN" ] + then + iptables -t mangle -D PREROUTING $SET_MARK + fi + if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] + then + iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ + $IPSEC_POLICY_OUT -j ACCEPT + iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT \ + $IPSEC_POLICY_IN -j ACCEPT + fi + # + # a virtual IP requires an INPUT and OUTPUT rule on the host + # or sometimes host access via the internal IP is needed + if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT \ + $IPSEC_POLICY_IN -j ACCEPT + iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ + $IPSEC_POLICY_OUT -j ACCEPT + fi + # + # log IPsec client connection teardown + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] + then + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + else + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + fi + fi + ;; +*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2 + exit 1 + ;; +esac diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..339b56987 --- /dev/null +++ b/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/venus/etc/init.d/iptables b/testing/tests/ikev2/rw-mark-in-out/hosts/venus/etc/init.d/iptables new file mode 100755 index 000000000..5594bbf52 --- /dev/null +++ b/testing/tests/ikev2/rw-mark-in-out/hosts/venus/etc/init.d/iptables @@ -0,0 +1,77 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +opts="start stop reload" + +depend() { + before net + need logger +} + +start() { + ebegin "Starting firewall" + + # default policy is DROP + /sbin/iptables -P INPUT DROP + /sbin/iptables -P OUTPUT DROP + /sbin/iptables -P FORWARD DROP + + # allow ESP + iptables -A INPUT -i eth0 -p 50 -j ACCEPT + iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT + + # allow IKE + iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT + iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + + # allow MOBIKE + iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT + iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + + # allow crl fetch from winnetou + iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT + iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + + # allow ssh + iptables -A INPUT -p tcp --dport 22 -j ACCEPT + iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT + + eend $? +} + +stop() { + ebegin "Stopping firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + + if [ $a == nat ]; then + /sbin/iptables -t nat -P PREROUTING ACCEPT + /sbin/iptables -t nat -P POSTROUTING ACCEPT + /sbin/iptables -t nat -P OUTPUT ACCEPT + elif [ $a == mangle ]; then + /sbin/iptables -t mangle -P PREROUTING ACCEPT + /sbin/iptables -t mangle -P INPUT ACCEPT + /sbin/iptables -t mangle -P FORWARD ACCEPT + /sbin/iptables -t mangle -P OUTPUT ACCEPT + /sbin/iptables -t mangle -P POSTROUTING ACCEPT + elif [ $a == filter ]; then + /sbin/iptables -t filter -P INPUT ACCEPT + /sbin/iptables -t filter -P FORWARD ACCEPT + /sbin/iptables -t filter -P OUTPUT ACCEPT + fi + done + eend $? +} + +reload() { + ebegin "Flushing firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + done; + eend $? + start +} + diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/venus/etc/ipsec.conf b/testing/tests/ikev2/rw-mark-in-out/hosts/venus/etc/ipsec.conf new file mode 100755 index 000000000..4af93df8d --- /dev/null +++ b/testing/tests/ikev2/rw-mark-in-out/hosts/venus/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=%defaultroute + leftsubnet=10.1.0.0/25 + leftcert=venusCert.pem + leftid=@venus.strongswan.org + leftfirewall=yes + lefthostaccess=yes + right=PH_IP_SUN + rightid=@sun.strongswan.org + rightsubnet=10.2.0.0/16 + auto=add diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2/rw-mark-in-out/hosts/venus/etc/strongswan.conf new file mode 100644 index 000000000..339b56987 --- /dev/null +++ b/testing/tests/ikev2/rw-mark-in-out/hosts/venus/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ikev2/rw-mark-in-out/posttest.dat b/testing/tests/ikev2/rw-mark-in-out/posttest.dat new file mode 100644 index 000000000..fae79271b --- /dev/null +++ b/testing/tests/ikev2/rw-mark-in-out/posttest.dat @@ -0,0 +1,12 @@ +sun::iptables -t mangle -v -n -L PREROUTING +sun::ipsec stop +alice::ipsec stop +venus::ipsec stop +alice::/etc/init.d/iptables stop 2> /dev/null +venus::/etc/init.d/iptables stop 2> /dev/null +sun::/etc/init.d/iptables stop 2> /dev/null +sun::ip route del 10.1.0.0/16 via PH_IP_MOON +sun::conntrack -F +sun::rm /etc/mark_updown +moon::iptables -t nat -F +moon::conntrack -F diff --git a/testing/tests/ikev2/rw-mark-in-out/pretest.dat b/testing/tests/ikev2/rw-mark-in-out/pretest.dat new file mode 100644 index 000000000..3d9a5f340 --- /dev/null +++ b/testing/tests/ikev2/rw-mark-in-out/pretest.dat @@ -0,0 +1,18 @@ +alice::/etc/init.d/iptables start 2> /dev/null +venus::/etc/init.d/iptables start 2> /dev/null +sun::/etc/init.d/iptables start 2> /dev/null +moon::echo 1 > /proc/sys/net/ipv4/ip_forward +moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to PH_IP_MOON +sun::ip route add 10.1.0.0/16 via PH_IP_MOON +sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 10 -j SNAT --to 10.3.0.10 +sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 20 -j SNAT --to 10.3.0.20 +sun::iptables -t mangle -A PREROUTING -d 10.3.0.10 -j MARK --set-mark 11 +sun::iptables -t mangle -A PREROUTING -d 10.3.0.20 -j MARK --set-mark 21 +alice::ipsec start +venus::ipsec start +sun::ipsec start +alice::sleep 2 +alice::ipsec up home +venus::sleep 2 +venus::ipsec up home +venus::sleep 2 diff --git a/testing/tests/ikev2/rw-mark-in-out/test.conf b/testing/tests/ikev2/rw-mark-in-out/test.conf new file mode 100644 index 000000000..ae3c190b8 --- /dev/null +++ b/testing/tests/ikev2/rw-mark-in-out/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice venus moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-v-m-w-s-b.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon bob" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="alice venus sun" diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/two-certs/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/two-certs/hosts/carol/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/two-certs/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/two-certs/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/two-certs/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/two-certs/hosts/moon/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/two-certs/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/two-certs/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/virtual-ip-override/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/virtual-ip-override/hosts/carol/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/virtual-ip-override/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/virtual-ip-override/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/virtual-ip-override/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/virtual-ip-override/hosts/dave/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/virtual-ip-override/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/virtual-ip-override/hosts/dave/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/virtual-ip-override/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/virtual-ip-override/hosts/moon/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/virtual-ip-override/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/virtual-ip-override/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/virtual-ip/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/virtual-ip/hosts/carol/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/virtual-ip/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/virtual-ip/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/virtual-ip/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/virtual-ip/hosts/dave/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/virtual-ip/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/virtual-ip/hosts/dave/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/virtual-ip/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/virtual-ip/hosts/moon/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/virtual-ip/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/virtual-ip/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/wildcards/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/wildcards/hosts/carol/etc/strongswan.conf index dd2df0670..88f162098 100644 --- a/testing/tests/ikev2/wildcards/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/wildcards/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/wildcards/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/wildcards/hosts/dave/etc/strongswan.conf index dd2df0670..88f162098 100644 --- a/testing/tests/ikev2/wildcards/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/wildcards/hosts/dave/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/wildcards/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/wildcards/hosts/moon/etc/strongswan.conf index dd2df0670..88f162098 100644 --- a/testing/tests/ikev2/wildcards/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/wildcards/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/strongswan.conf index b71db18dd..d9349846c 100644 --- a/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/strongswan.conf @@ -2,5 +2,5 @@ charon { hash_and_url = yes - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/strongswan.conf index b71db18dd..d9349846c 100644 --- a/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/strongswan.conf @@ -2,5 +2,5 @@ charon { hash_and_url = yes - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/strongswan.conf index b71db18dd..d9349846c 100644 --- a/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/strongswan.conf @@ -2,5 +2,5 @@ charon { hash_and_url = yes - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/strongswan.conf index b71db18dd..d9349846c 100644 --- a/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/strongswan.conf @@ -2,5 +2,5 @@ charon { hash_and_url = yes - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/strongswan.conf index b71db18dd..d9349846c 100644 --- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/strongswan.conf @@ -2,5 +2,5 @@ charon { hash_and_url = yes - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/strongswan.conf index b71db18dd..d9349846c 100644 --- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/strongswan.conf @@ -2,5 +2,5 @@ charon { hash_and_url = yes - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf index 29132e757..393ea64f9 100644 --- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf @@ -1,6 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown install_routes = no } diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/strongswan.conf index 73d687a0c..014b5d935 100644 --- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/strongswan.conf @@ -1,6 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown install_routes=no } diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/strongswan.conf index b71db18dd..94873ddeb 100644 --- a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/strongswan.conf @@ -2,5 +2,5 @@ charon { hash_and_url = yes - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation addrblock hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/strongswan.conf index b71db18dd..94873ddeb 100644 --- a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/strongswan.conf @@ -2,5 +2,5 @@ charon { hash_and_url = yes - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation addrblock hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/strongswan.conf b/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/strongswan.conf index b71db18dd..d9349846c 100644 --- a/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/strongswan.conf @@ -2,5 +2,5 @@ charon { hash_and_url = yes - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/strongswan.conf b/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/strongswan.conf index b71db18dd..d9349846c 100644 --- a/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/strongswan.conf @@ -2,5 +2,5 @@ charon { hash_and_url = yes - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/strongswan.conf index b71db18dd..d9349846c 100644 --- a/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/strongswan.conf @@ -2,5 +2,5 @@ charon { hash_and_url = yes - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/strongswan.conf b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/strongswan.conf index b71db18dd..94873ddeb 100644 --- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/strongswan.conf @@ -2,5 +2,5 @@ charon { hash_and_url = yes - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation addrblock hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/strongswan.conf b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/strongswan.conf index b71db18dd..94873ddeb 100644 --- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/strongswan.conf @@ -2,5 +2,5 @@ charon { hash_and_url = yes - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation addrblock hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/strongswan.conf index b71db18dd..94873ddeb 100644 --- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/strongswan.conf @@ -2,5 +2,5 @@ charon { hash_and_url = yes - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation addrblock hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/strongswan.conf index b71db18dd..d9349846c 100644 --- a/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/strongswan.conf @@ -2,5 +2,5 @@ charon { hash_and_url = yes - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/strongswan.conf index b71db18dd..d9349846c 100644 --- a/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/strongswan.conf @@ -2,5 +2,5 @@ charon { hash_and_url = yes - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf index 85684b1c9..4ccc387bd 100644 --- a/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf +++ b/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = pem pkcs1 x509 openssl random hmac curl + load = pem pkcs1 openssl random hmac curl } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf index 85684b1c9..4ccc387bd 100644 --- a/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf +++ b/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = pem pkcs1 x509 openssl random hmac curl + load = pem pkcs1 openssl random hmac curl } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/description.txt b/testing/tests/openssl-ikev1/alg-ecp-high/description.txt index b8efbe87e..f2b26fd7c 100644 --- a/testing/tests/openssl-ikev1/alg-ecp-high/description.txt +++ b/testing/tests/openssl-ikev1/alg-ecp-high/description.txt @@ -1,7 +1,7 @@ The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>openssl</b> -plugin based on the <b>OpenSSL</b> library for all cryptographical functions -whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b> cryptographical -plugins <b>aes des sha1 sha2 md5 gmp</b> plus the <b>openssl</b> plugin for +plugin based on the <b>OpenSSL</b> library for all cryptographical and X.509 certificate +functions whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b> cryptographical +plugins <b>aes des sha1 sha2 md5 gmp x509</b> plus the <b>openssl</b> plugin for the Elliptic Curve Diffie-Hellman groups only. <p> The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/strongswan.conf index 85684b1c9..4ccc387bd 100644 --- a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/strongswan.conf +++ b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = pem pkcs1 x509 openssl random hmac curl + load = pem pkcs1 openssl random hmac curl } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/strongswan.conf index 85684b1c9..4ccc387bd 100644 --- a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/strongswan.conf +++ b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = pem pkcs1 x509 openssl random hmac curl + load = pem pkcs1 openssl random hmac curl } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/description.txt b/testing/tests/openssl-ikev1/alg-ecp-low/description.txt index 4f043e7d9..5b0241433 100644 --- a/testing/tests/openssl-ikev1/alg-ecp-low/description.txt +++ b/testing/tests/openssl-ikev1/alg-ecp-low/description.txt @@ -1,7 +1,7 @@ The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>openssl</b> -plugin based on the <b>OpenSSL</b> library for all cryptographical functions -whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b> cryptographical -plugins <b>aes des sha1 sha2 md5 gmp</b> plus the <b>openssl</b> plugin for +plugin based on the <b>OpenSSL</b> library for all cryptographical and X.509 certificate +functions whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b> cryptographical +plugins <b>aes des sha1 sha2 md5 gmp x509</b> plus the <b>openssl</b> plugin for the Elliptic Curve Diffie-Hellman groups only. <p> The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/strongswan.conf index 2247496db..63892fd33 100644 --- a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/strongswan.conf +++ b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = pem pkcs1 x509 openssl random hmac curl + load = pem pkcs1 openssl random hmac curl } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/strongswan.conf index 2247496db..63892fd33 100644 --- a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/strongswan.conf +++ b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = pem pkcs1 x509 openssl random hmac curl + load = pem pkcs1 openssl random hmac curl } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/description.txt b/testing/tests/openssl-ikev1/ecdsa-certs/description.txt index 2c098d898..4f855eb1a 100644 --- a/testing/tests/openssl-ikev1/ecdsa-certs/description.txt +++ b/testing/tests/openssl-ikev1/ecdsa-certs/description.txt @@ -1,5 +1,5 @@ The hosts <b>carol</b>, <b>dave</b>, and <b>moon</b> use the <b>openssl</b> plugin -based on the <b>OpenSSL</b> library for all cryptographical functions. +based on the <b>OpenSSL</b> library for all cryptographical and X.509 certificate functions. <p> The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>. The authentication is based on <b>ECDSA signatures</b> diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/strongswan.conf index 85684b1c9..4ccc387bd 100644 --- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/strongswan.conf +++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = pem pkcs1 x509 openssl random hmac curl + load = pem pkcs1 openssl random hmac curl } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/strongswan.conf index 3562ddc67..a96b54446 100644 --- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/strongswan.conf +++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = aes des sha1 sha2 md5 pem pkcs1 x509 gmp pem pkcs1 openssl random hmac curl + load = pem pkcs1 pem pkcs1 openssl random hmac curl } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/strongswan.conf index 85684b1c9..4ccc387bd 100644 --- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/strongswan.conf +++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = pem pkcs1 x509 openssl random hmac curl + load = pem pkcs1 openssl random hmac curl } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/openssl-ikev1/rw-cert/description.txt b/testing/tests/openssl-ikev1/rw-cert/description.txt index 0f721c52b..5185b5216 100644 --- a/testing/tests/openssl-ikev1/rw-cert/description.txt +++ b/testing/tests/openssl-ikev1/rw-cert/description.txt @@ -1,7 +1,7 @@ The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>openssl</b> -plugin based on the <b>OpenSSL</b> library for all cryptographical functions -whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b> cryptographical -plugins <b>aes des sha1 sha2 md5 gmp</b>. +plugin based on the <b>OpenSSL</b> library for all cryptographical and X.509 +certificate functions whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b> +cryptographical plugins <b>aes des sha1 sha2 md5 gmp</b> and <b>x509</b>. <p> The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>. diff --git a/testing/tests/openssl-ikev1/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev1/rw-cert/hosts/carol/etc/strongswan.conf index e4d41df39..1029b8536 100644 --- a/testing/tests/openssl-ikev1/rw-cert/hosts/carol/etc/strongswan.conf +++ b/testing/tests/openssl-ikev1/rw-cert/hosts/carol/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = test-vectors pem pkcs1 x509 openssl random hmac curl + load = test-vectors pem pkcs1 openssl random hmac curl } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/openssl-ikev1/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev1/rw-cert/hosts/moon/etc/strongswan.conf index 1531d9933..edc6dbed4 100644 --- a/testing/tests/openssl-ikev1/rw-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/openssl-ikev1/rw-cert/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = test-vectors pem pkcs1 x509 openssl random hmac curl + load = test-vectors pem pkcs1 openssl random hmac curl } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf index 807ca9411..bdbdad2e5 100644 --- a/testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl pem pkcs1 openssl random x509 hmac stroke kernel-netlink socket-default updown + load = curl pem pkcs1 openssl revocation random hmac stroke kernel-netlink socket-default updown } diff --git a/testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf index 807ca9411..bdbdad2e5 100644 --- a/testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl pem pkcs1 openssl random x509 hmac stroke kernel-netlink socket-default updown + load = curl pem pkcs1 openssl revocation random hmac stroke kernel-netlink socket-default updown } diff --git a/testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf index 807ca9411..bdbdad2e5 100644 --- a/testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl pem pkcs1 openssl random x509 hmac stroke kernel-netlink socket-default updown + load = curl pem pkcs1 openssl revocation random hmac stroke kernel-netlink socket-default updown } diff --git a/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf index 6420b3414..e96dfe574 100644 --- a/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl pem pkcs1 openssl random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl pem pkcs1 openssl revocation random hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf index 6420b3414..e96dfe574 100644 --- a/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl pem pkcs1 openssl random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl pem pkcs1 openssl revocation random hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/description.txt b/testing/tests/openssl-ikev2/alg-ecp-high/description.txt index b8efbe87e..a1f31495d 100644 --- a/testing/tests/openssl-ikev2/alg-ecp-high/description.txt +++ b/testing/tests/openssl-ikev2/alg-ecp-high/description.txt @@ -1,8 +1,8 @@ The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>openssl</b> -plugin based on the <b>OpenSSL</b> library for all cryptographical functions -whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b> cryptographical -plugins <b>aes des sha1 sha2 md5 gmp</b> plus the <b>openssl</b> plugin for -the Elliptic Curve Diffie-Hellman groups only. +plugin based on the <b>OpenSSL</b> library for all cryptographical and X.509 +certificate functions whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b> +cryptographical plugins <b>aes des sha1 sha2 md5 gmp x509</b> plus the <b>openssl</b> +plugin for the Elliptic Curve Diffie-Hellman groups only. <p> The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>. diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/strongswan.conf index b8038df01..b9da84efb 100644 --- a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl pem pkcs1 openssl random x509 hmac stroke kernel-netlink socket-default updown + load = curl pem pkcs1 openssl revocation random hmac stroke kernel-netlink socket-default updown } libstrongswan { diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/strongswan.conf index f988d90b4..8dcf8e96f 100644 --- a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp pem pkcs1 openssl random x509 hmac stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp pem pkcs1 x509 openssl revocation random hmac stroke kernel-netlink socket-default updown } libstrongswan { diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/strongswan.conf index b8038df01..b9da84efb 100644 --- a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl pem pkcs1 openssl random x509 hmac stroke kernel-netlink socket-default updown + load = curl pem pkcs1 openssl revocation random hmac stroke kernel-netlink socket-default updown } libstrongswan { diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/description.txt b/testing/tests/openssl-ikev2/alg-ecp-low/description.txt index 4f043e7d9..84b6eb4bf 100644 --- a/testing/tests/openssl-ikev2/alg-ecp-low/description.txt +++ b/testing/tests/openssl-ikev2/alg-ecp-low/description.txt @@ -1,8 +1,8 @@ The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>openssl</b> -plugin based on the <b>OpenSSL</b> library for all cryptographical functions -whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b> cryptographical -plugins <b>aes des sha1 sha2 md5 gmp</b> plus the <b>openssl</b> plugin for -the Elliptic Curve Diffie-Hellman groups only. +plugin based on the <b>OpenSSL</b> library for all cryptographical and X.509 +certificate functions whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b> +cryptographical plugins <b>aes des sha1 sha2 md5 gmp x509</b> plus the <b>openssl</b> +plugin for the Elliptic Curve Diffie-Hellman groups only. <p> The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>. diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/strongswan.conf index b8038df01..b9da84efb 100644 --- a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl pem pkcs1 openssl random x509 hmac stroke kernel-netlink socket-default updown + load = curl pem pkcs1 openssl revocation random hmac stroke kernel-netlink socket-default updown } libstrongswan { diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/strongswan.conf index f988d90b4..8dcf8e96f 100644 --- a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp pem pkcs1 openssl random x509 hmac stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp pem pkcs1 x509 openssl revocation random hmac stroke kernel-netlink socket-default updown } libstrongswan { diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/strongswan.conf index b8038df01..b9da84efb 100644 --- a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl pem pkcs1 openssl random x509 hmac stroke kernel-netlink socket-default updown + load = curl pem pkcs1 openssl revocation random hmac stroke kernel-netlink socket-default updown } libstrongswan { diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/description.txt b/testing/tests/openssl-ikev2/ecdsa-certs/description.txt index 2c098d898..4f855eb1a 100644 --- a/testing/tests/openssl-ikev2/ecdsa-certs/description.txt +++ b/testing/tests/openssl-ikev2/ecdsa-certs/description.txt @@ -1,5 +1,5 @@ The hosts <b>carol</b>, <b>dave</b>, and <b>moon</b> use the <b>openssl</b> plugin -based on the <b>OpenSSL</b> library for all cryptographical functions. +based on the <b>OpenSSL</b> library for all cryptographical and X.509 certificate functions. <p> The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>. The authentication is based on <b>ECDSA signatures</b> diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/strongswan.conf index 807ca9411..bdbdad2e5 100644 --- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl pem pkcs1 openssl random x509 hmac stroke kernel-netlink socket-default updown + load = curl pem pkcs1 openssl revocation random hmac stroke kernel-netlink socket-default updown } diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/strongswan.conf index 807ca9411..bdbdad2e5 100644 --- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl pem pkcs1 openssl random x509 hmac stroke kernel-netlink socket-default updown + load = curl pem pkcs1 openssl revocation random hmac stroke kernel-netlink socket-default updown } diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/strongswan.conf index 807ca9411..bdbdad2e5 100644 --- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl pem pkcs1 openssl random x509 hmac stroke kernel-netlink socket-default updown + load = curl pem pkcs1 openssl revocation random hmac stroke kernel-netlink socket-default updown } diff --git a/testing/tests/openssl-ikev2/rw-cert/description.txt b/testing/tests/openssl-ikev2/rw-cert/description.txt index 0f721c52b..b16faad06 100644 --- a/testing/tests/openssl-ikev2/rw-cert/description.txt +++ b/testing/tests/openssl-ikev2/rw-cert/description.txt @@ -1,7 +1,7 @@ The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>openssl</b> -plugin based on the <b>OpenSSL</b> library for all cryptographical functions -whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b> cryptographical -plugins <b>aes des sha1 sha2 md5 gmp</b>. +plugin based on the <b>OpenSSL</b> library for all cryptographical and X.509 certificate +functions whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b> cryptographical +plugins <b>aes des sha1 sha2 md5 gmp</b> and <b>x509</b>. <p> The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>. diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf index a442b244d..206f029f3 100644 --- a/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl test-vectors pem pkcs1 openssl random x509 hmac stroke kernel-netlink socket-default updown + load = curl test-vectors pem pkcs1 openssl revocation random hmac stroke kernel-netlink socket-default updown } libstrongswan { diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf index 6fcefc56a..208f1c36d 100644 --- a/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac stroke kernel-netlink socket-default updown + load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown } libstrongswan { diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf index aa50403d8..3ae6205cb 100644 --- a/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl test-vectors pem pkcs1 openssl random x509 hmac stroke kernel-netlink socket-default updown + load = curl test-vectors pem pkcs1 openssl revocation random hmac stroke kernel-netlink socket-default updown } libstrongswan { diff --git a/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/strongswan.conf b/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/strongswan.conf +++ b/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/p2pnat/behind-same-nat/hosts/carol/etc/strongswan.conf b/testing/tests/p2pnat/behind-same-nat/hosts/carol/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/p2pnat/behind-same-nat/hosts/carol/etc/strongswan.conf +++ b/testing/tests/p2pnat/behind-same-nat/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/strongswan.conf b/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/strongswan.conf +++ b/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/strongswan.conf b/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/strongswan.conf +++ b/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/p2pnat/medsrv-psk/hosts/bob/etc/strongswan.conf b/testing/tests/p2pnat/medsrv-psk/hosts/bob/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/p2pnat/medsrv-psk/hosts/bob/etc/strongswan.conf +++ b/testing/tests/p2pnat/medsrv-psk/hosts/bob/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/p2pnat/medsrv-psk/hosts/carol/etc/strongswan.conf b/testing/tests/p2pnat/medsrv-psk/hosts/carol/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/p2pnat/medsrv-psk/hosts/carol/etc/strongswan.conf +++ b/testing/tests/p2pnat/medsrv-psk/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/pfkey/alg-aes-xcbc/hosts/carol/etc/strongswan.conf b/testing/tests/pfkey/alg-aes-xcbc/hosts/carol/etc/strongswan.conf index 1d17b3614..21015f8a2 100644 --- a/testing/tests/pfkey/alg-aes-xcbc/hosts/carol/etc/strongswan.conf +++ b/testing/tests/pfkey/alg-aes-xcbc/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown } diff --git a/testing/tests/pfkey/alg-aes-xcbc/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/alg-aes-xcbc/hosts/moon/etc/strongswan.conf index 1d17b3614..21015f8a2 100644 --- a/testing/tests/pfkey/alg-aes-xcbc/hosts/moon/etc/strongswan.conf +++ b/testing/tests/pfkey/alg-aes-xcbc/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown } diff --git a/testing/tests/pfkey/alg-sha384/hosts/carol/etc/strongswan.conf b/testing/tests/pfkey/alg-sha384/hosts/carol/etc/strongswan.conf index 1d17b3614..21015f8a2 100644 --- a/testing/tests/pfkey/alg-sha384/hosts/carol/etc/strongswan.conf +++ b/testing/tests/pfkey/alg-sha384/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown } diff --git a/testing/tests/pfkey/alg-sha384/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/alg-sha384/hosts/moon/etc/strongswan.conf index 1d17b3614..21015f8a2 100644 --- a/testing/tests/pfkey/alg-sha384/hosts/moon/etc/strongswan.conf +++ b/testing/tests/pfkey/alg-sha384/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown } diff --git a/testing/tests/pfkey/alg-sha512/hosts/carol/etc/strongswan.conf b/testing/tests/pfkey/alg-sha512/hosts/carol/etc/strongswan.conf index 1d17b3614..21015f8a2 100644 --- a/testing/tests/pfkey/alg-sha512/hosts/carol/etc/strongswan.conf +++ b/testing/tests/pfkey/alg-sha512/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown } diff --git a/testing/tests/pfkey/alg-sha512/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/alg-sha512/hosts/moon/etc/strongswan.conf index 1d17b3614..21015f8a2 100644 --- a/testing/tests/pfkey/alg-sha512/hosts/moon/etc/strongswan.conf +++ b/testing/tests/pfkey/alg-sha512/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown } diff --git a/testing/tests/pfkey/esp-alg-null/hosts/carol/etc/strongswan.conf b/testing/tests/pfkey/esp-alg-null/hosts/carol/etc/strongswan.conf index 1d17b3614..21015f8a2 100644 --- a/testing/tests/pfkey/esp-alg-null/hosts/carol/etc/strongswan.conf +++ b/testing/tests/pfkey/esp-alg-null/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown } diff --git a/testing/tests/pfkey/esp-alg-null/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/esp-alg-null/hosts/moon/etc/strongswan.conf index 1d17b3614..21015f8a2 100644 --- a/testing/tests/pfkey/esp-alg-null/hosts/moon/etc/strongswan.conf +++ b/testing/tests/pfkey/esp-alg-null/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown } diff --git a/testing/tests/pfkey/host2host-transport/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/host2host-transport/hosts/moon/etc/strongswan.conf index 1d17b3614..21015f8a2 100644 --- a/testing/tests/pfkey/host2host-transport/hosts/moon/etc/strongswan.conf +++ b/testing/tests/pfkey/host2host-transport/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown } diff --git a/testing/tests/pfkey/host2host-transport/hosts/sun/etc/strongswan.conf b/testing/tests/pfkey/host2host-transport/hosts/sun/etc/strongswan.conf index 1d17b3614..21015f8a2 100644 --- a/testing/tests/pfkey/host2host-transport/hosts/sun/etc/strongswan.conf +++ b/testing/tests/pfkey/host2host-transport/hosts/sun/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown } diff --git a/testing/tests/pfkey/nat-two-rw/hosts/alice/etc/strongswan.conf b/testing/tests/pfkey/nat-two-rw/hosts/alice/etc/strongswan.conf index 1d17b3614..21015f8a2 100644 --- a/testing/tests/pfkey/nat-two-rw/hosts/alice/etc/strongswan.conf +++ b/testing/tests/pfkey/nat-two-rw/hosts/alice/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown } diff --git a/testing/tests/pfkey/nat-two-rw/hosts/sun/etc/strongswan.conf b/testing/tests/pfkey/nat-two-rw/hosts/sun/etc/strongswan.conf index 1d17b3614..21015f8a2 100644 --- a/testing/tests/pfkey/nat-two-rw/hosts/sun/etc/strongswan.conf +++ b/testing/tests/pfkey/nat-two-rw/hosts/sun/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown } diff --git a/testing/tests/pfkey/nat-two-rw/hosts/venus/etc/strongswan.conf b/testing/tests/pfkey/nat-two-rw/hosts/venus/etc/strongswan.conf index 1d17b3614..21015f8a2 100644 --- a/testing/tests/pfkey/nat-two-rw/hosts/venus/etc/strongswan.conf +++ b/testing/tests/pfkey/nat-two-rw/hosts/venus/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown } diff --git a/testing/tests/pfkey/net2net-route/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/net2net-route/hosts/moon/etc/strongswan.conf index 1d17b3614..21015f8a2 100644 --- a/testing/tests/pfkey/net2net-route/hosts/moon/etc/strongswan.conf +++ b/testing/tests/pfkey/net2net-route/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown } diff --git a/testing/tests/pfkey/net2net-route/hosts/sun/etc/strongswan.conf b/testing/tests/pfkey/net2net-route/hosts/sun/etc/strongswan.conf index 1d17b3614..21015f8a2 100644 --- a/testing/tests/pfkey/net2net-route/hosts/sun/etc/strongswan.conf +++ b/testing/tests/pfkey/net2net-route/hosts/sun/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown } diff --git a/testing/tests/pfkey/protoport-dual/hosts/carol/etc/strongswan.conf b/testing/tests/pfkey/protoport-dual/hosts/carol/etc/strongswan.conf index 1d17b3614..21015f8a2 100644 --- a/testing/tests/pfkey/protoport-dual/hosts/carol/etc/strongswan.conf +++ b/testing/tests/pfkey/protoport-dual/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown } diff --git a/testing/tests/pfkey/protoport-dual/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/protoport-dual/hosts/moon/etc/strongswan.conf index 1d17b3614..21015f8a2 100644 --- a/testing/tests/pfkey/protoport-dual/hosts/moon/etc/strongswan.conf +++ b/testing/tests/pfkey/protoport-dual/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown } diff --git a/testing/tests/pfkey/protoport-route/hosts/carol/etc/strongswan.conf b/testing/tests/pfkey/protoport-route/hosts/carol/etc/strongswan.conf index 1d17b3614..21015f8a2 100644 --- a/testing/tests/pfkey/protoport-route/hosts/carol/etc/strongswan.conf +++ b/testing/tests/pfkey/protoport-route/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown } diff --git a/testing/tests/pfkey/protoport-route/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/protoport-route/hosts/moon/etc/strongswan.conf index 1d17b3614..21015f8a2 100644 --- a/testing/tests/pfkey/protoport-route/hosts/moon/etc/strongswan.conf +++ b/testing/tests/pfkey/protoport-route/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown } diff --git a/testing/tests/pfkey/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/pfkey/rw-cert/hosts/carol/etc/strongswan.conf index 7d8cda47e..d59e04ef3 100644 --- a/testing/tests/pfkey/rw-cert/hosts/carol/etc/strongswan.conf +++ b/testing/tests/pfkey/rw-cert/hosts/carol/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown + load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown } libstrongswan { diff --git a/testing/tests/pfkey/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/pfkey/rw-cert/hosts/dave/etc/strongswan.conf index 7d8cda47e..d59e04ef3 100644 --- a/testing/tests/pfkey/rw-cert/hosts/dave/etc/strongswan.conf +++ b/testing/tests/pfkey/rw-cert/hosts/dave/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown + load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown } libstrongswan { diff --git a/testing/tests/pfkey/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/rw-cert/hosts/moon/etc/strongswan.conf index 7d8cda47e..d59e04ef3 100644 --- a/testing/tests/pfkey/rw-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/pfkey/rw-cert/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown + load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown } libstrongswan { diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/ipsec.d/data.sql index 9afa1b15d..38c9d9bbe 100644 --- a/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/ipsec.d/data.sql +++ b/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/ipsec.d/data.sql @@ -8,19 +8,25 @@ INSERT INTO identities ( INSERT INTO identities ( type, data -) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ 11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def' ); INSERT INTO identities ( type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + +INSERT INTO identities ( + type, data ) VALUES ( /* carol@strongswan.org */ 3, X'6361726f6c407374726f6e677377616e2e6f7267' ); INSERT INTO identities ( type, data -) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=carol@strongswan.org' */ +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=carol@strongswan.org' */ 11, X'1fa1a988d9648cb5a0a2546439b4f23d745d6e7c' ); @@ -59,13 +65,19 @@ INSERT INTO certificate_identity ( INSERT INTO certificate_identity ( certificate, identity ) VALUES ( - 2, 3 + 1, 3 ); INSERT INTO certificate_identity ( certificate, identity ) VALUES ( - 2, 4 + 2, 4 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 5 ); /* Private Keys */ @@ -79,13 +91,13 @@ INSERT INTO private_keys ( INSERT INTO private_key_identity ( private_key, identity ) VALUES ( - 1, 3 + 1, 4 ); INSERT INTO private_key_identity ( private_key, identity ) VALUES ( - 1, 4 + 1, 5 ); /* Configurations */ @@ -99,7 +111,7 @@ INSERT INTO ike_configs ( INSERT INTO peer_configs ( name, ike_cfg, local_id, remote_id, virtual ) VALUES ( - 'home', 1, 3, 5, '0.0.0.0' + 'home', 1, 4, 6, '0.0.0.0' ); INSERT INTO child_configs ( diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/strongswan.conf index a0d88cff1..f375db9c9 100644 --- a/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/strongswan.conf +++ b/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/strongswan.conf @@ -6,5 +6,5 @@ charon { database = sqlite:///etc/ipsec.d/ipsec.db } } - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql } diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/ipsec.d/data.sql b/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/ipsec.d/data.sql index 425c180a1..5b9beb3bb 100644 --- a/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/ipsec.d/data.sql +++ b/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/ipsec.d/data.sql @@ -8,19 +8,25 @@ INSERT INTO identities ( INSERT INTO identities ( type, data -) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ 11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def' ); INSERT INTO identities ( type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + +INSERT INTO identities ( + type, data ) VALUES ( /* dave@strongswan.org */ 3, X'64617665407374726f6e677377616e2e6f7267' ); INSERT INTO identities ( type, data -) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=dave@strongswan.org' */ +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=dave@strongswan.org' */ 11, X'ee7f38daeea1b81a41777f78f2674be8439d8e0e' ); @@ -59,13 +65,13 @@ INSERT INTO certificate_identity ( INSERT INTO certificate_identity ( certificate, identity ) VALUES ( - 2, 3 + 2, 4 ); INSERT INTO certificate_identity ( certificate, identity ) VALUES ( - 2, 4 + 2, 5 ); /* Private Keys */ @@ -79,13 +85,13 @@ INSERT INTO private_keys ( INSERT INTO private_key_identity ( private_key, identity ) VALUES ( - 1, 3 + 1, 4 ); INSERT INTO private_key_identity ( private_key, identity ) VALUES ( - 1, 4 + 1, 5 ); /* Configurations */ @@ -99,7 +105,7 @@ INSERT INTO ike_configs ( INSERT INTO peer_configs ( name, ike_cfg, local_id, remote_id, virtual ) VALUES ( - 'home', 1, 3, 5, '0.0.0.0' + 'home', 1, 4, 6, '0.0.0.0' ); INSERT INTO child_configs ( diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/strongswan.conf index a0d88cff1..f375db9c9 100644 --- a/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/strongswan.conf +++ b/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/strongswan.conf @@ -6,5 +6,5 @@ charon { database = sqlite:///etc/ipsec.d/ipsec.db } } - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql } diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/ipsec.d/data.sql index 8f5a5ece8..e0c5dfc37 100644 --- a/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/ipsec.d/data.sql +++ b/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/ipsec.d/data.sql @@ -8,19 +8,25 @@ INSERT INTO identities ( INSERT INTO identities ( type, data -) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ 11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def' ); INSERT INTO identities ( type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + +INSERT INTO identities ( + type, data ) VALUES ( /* moon.strongswan.org */ 2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267' ); INSERT INTO identities ( type, data -) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */ +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */ 11, X'6a9c74d1f8897989f65a94e989f1fac3649d292e' ); @@ -77,13 +83,19 @@ INSERT INTO certificate_identity ( INSERT INTO certificate_identity ( certificate, identity ) VALUES ( - 2, 3 + 1, 3 ); INSERT INTO certificate_identity ( certificate, identity ) VALUES ( - 2, 4 + 2, 4 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 5 ); /* Private Keys */ @@ -97,13 +109,13 @@ INSERT INTO private_keys ( INSERT INTO private_key_identity ( private_key, identity ) VALUES ( - 1, 3 + 1, 4 ); INSERT INTO private_key_identity ( private_key, identity ) VALUES ( - 1, 4 + 1, 5 ); /* Configurations */ @@ -117,7 +129,7 @@ INSERT INTO ike_configs ( INSERT INTO peer_configs ( name, ike_cfg, local_id, remote_id, pool ) VALUES ( - 'rw', 1, 3, 5, 'bigpool' + 'rw', 1, 4, 6, 'bigpool' ); INSERT INTO child_configs ( @@ -167,13 +179,13 @@ INSERT INTO pools ( INSERT INTO addresses ( pool, address, identity, acquired, released ) VALUES ( - 1, X'0a030001', 7, 1211299013 , 1211299205 + 1, X'0a030001', 8, 1211299013 , 1211299205 ); INSERT INTO addresses ( pool, address, identity, acquired, released ) VALUES ( - 1, X'0a030002', 8, 1211299031, 1211299187 + 1, X'0a030002', 9, 1211299031, 1211299187 ); INSERT INTO addresses ( @@ -203,11 +215,11 @@ INSERT INTO addresses ( INSERT INTO leases ( address, identity, acquired, released ) VALUES ( - 1, 7, 1211299013 , 1211299205 + 1, 8, 1211299013 , 1211299205 ); INSERT INTO leases ( address, identity, acquired, released ) VALUES ( - 2, 8, 1211299031, 1211299187 + 2, 9, 1211299031, 1211299187 ); diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/strongswan.conf index e99a7c505..1c30841cf 100644 --- a/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/strongswan.conf +++ b/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/strongswan.conf @@ -6,7 +6,7 @@ charon { database = sqlite:///etc/ipsec.d/ipsec.db } } - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql attr-sql + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql attr-sql } libhydra { diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/ipsec.d/data.sql index 9afa1b15d..38c9d9bbe 100644 --- a/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/ipsec.d/data.sql +++ b/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/ipsec.d/data.sql @@ -8,19 +8,25 @@ INSERT INTO identities ( INSERT INTO identities ( type, data -) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ 11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def' ); INSERT INTO identities ( type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + +INSERT INTO identities ( + type, data ) VALUES ( /* carol@strongswan.org */ 3, X'6361726f6c407374726f6e677377616e2e6f7267' ); INSERT INTO identities ( type, data -) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=carol@strongswan.org' */ +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=carol@strongswan.org' */ 11, X'1fa1a988d9648cb5a0a2546439b4f23d745d6e7c' ); @@ -59,13 +65,19 @@ INSERT INTO certificate_identity ( INSERT INTO certificate_identity ( certificate, identity ) VALUES ( - 2, 3 + 1, 3 ); INSERT INTO certificate_identity ( certificate, identity ) VALUES ( - 2, 4 + 2, 4 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 5 ); /* Private Keys */ @@ -79,13 +91,13 @@ INSERT INTO private_keys ( INSERT INTO private_key_identity ( private_key, identity ) VALUES ( - 1, 3 + 1, 4 ); INSERT INTO private_key_identity ( private_key, identity ) VALUES ( - 1, 4 + 1, 5 ); /* Configurations */ @@ -99,7 +111,7 @@ INSERT INTO ike_configs ( INSERT INTO peer_configs ( name, ike_cfg, local_id, remote_id, virtual ) VALUES ( - 'home', 1, 3, 5, '0.0.0.0' + 'home', 1, 4, 6, '0.0.0.0' ); INSERT INTO child_configs ( diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/strongswan.conf index a0d88cff1..f375db9c9 100644 --- a/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/strongswan.conf +++ b/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/strongswan.conf @@ -6,5 +6,5 @@ charon { database = sqlite:///etc/ipsec.d/ipsec.db } } - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql } diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/ipsec.d/data.sql b/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/ipsec.d/data.sql index 425c180a1..9739a7839 100644 --- a/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/ipsec.d/data.sql +++ b/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/ipsec.d/data.sql @@ -8,19 +8,25 @@ INSERT INTO identities ( INSERT INTO identities ( type, data -) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ 11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def' ); INSERT INTO identities ( type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + +INSERT INTO identities ( + type, data ) VALUES ( /* dave@strongswan.org */ 3, X'64617665407374726f6e677377616e2e6f7267' ); INSERT INTO identities ( type, data -) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=dave@strongswan.org' */ +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=dave@strongswan.org' */ 11, X'ee7f38daeea1b81a41777f78f2674be8439d8e0e' ); @@ -59,13 +65,19 @@ INSERT INTO certificate_identity ( INSERT INTO certificate_identity ( certificate, identity ) VALUES ( - 2, 3 + 1, 3 ); INSERT INTO certificate_identity ( certificate, identity ) VALUES ( - 2, 4 + 2, 4 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 5 ); /* Private Keys */ @@ -79,13 +91,13 @@ INSERT INTO private_keys ( INSERT INTO private_key_identity ( private_key, identity ) VALUES ( - 1, 3 + 1, 4 ); INSERT INTO private_key_identity ( private_key, identity ) VALUES ( - 1, 4 + 1, 5 ); /* Configurations */ @@ -99,7 +111,7 @@ INSERT INTO ike_configs ( INSERT INTO peer_configs ( name, ike_cfg, local_id, remote_id, virtual ) VALUES ( - 'home', 1, 3, 5, '0.0.0.0' + 'home', 1, 4, 6, '0.0.0.0' ); INSERT INTO child_configs ( diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/strongswan.conf index a0d88cff1..f375db9c9 100644 --- a/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/strongswan.conf +++ b/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/strongswan.conf @@ -6,5 +6,5 @@ charon { database = sqlite:///etc/ipsec.d/ipsec.db } } - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql } diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/ipsec.d/data.sql index 8e11c6a20..1ea0bd3ad 100644 --- a/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/ipsec.d/data.sql +++ b/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/ipsec.d/data.sql @@ -8,19 +8,25 @@ INSERT INTO identities ( INSERT INTO identities ( type, data -) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ 11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def' ); INSERT INTO identities ( type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + +INSERT INTO identities ( + type, data ) VALUES ( /* moon.strongswan.org */ 2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267' ); INSERT INTO identities ( type, data -) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */ +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */ 11, X'6a9c74d1f8897989f65a94e989f1fac3649d292e' ); @@ -71,13 +77,19 @@ INSERT INTO certificate_identity ( INSERT INTO certificate_identity ( certificate, identity ) VALUES ( - 2, 3 + 1, 3 ); INSERT INTO certificate_identity ( certificate, identity ) VALUES ( - 2, 4 + 2, 4 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 5 ); /* Private Keys */ @@ -91,13 +103,13 @@ INSERT INTO private_keys ( INSERT INTO private_key_identity ( private_key, identity ) VALUES ( - 1, 3 + 1, 4 ); INSERT INTO private_key_identity ( private_key, identity ) VALUES ( - 1, 4 + 1, 5 ); /* Configurations */ @@ -111,7 +123,7 @@ INSERT INTO ike_configs ( INSERT INTO peer_configs ( name, ike_cfg, local_id, remote_id, pool ) VALUES ( - 'rw', 1, 3, 5, 'bigpool' + 'rw', 1, 4, 6, 'bigpool' ); INSERT INTO child_configs ( @@ -161,13 +173,13 @@ INSERT INTO pools ( INSERT INTO addresses ( pool, address, identity, acquired, released ) VALUES ( - 1, X'0a030001', 6, 1211299013 , 1211299205 + 1, X'0a030001', 7, 1211299013 , 1211299205 ); INSERT INTO addresses ( pool, address, identity, acquired, released ) VALUES ( - 1, X'0a030002', 7, 1211299031, 1211299187 + 1, X'0a030002', 8, 1211299031, 1211299187 ); INSERT INTO addresses ( @@ -197,11 +209,11 @@ INSERT INTO addresses ( INSERT INTO leases ( address, identity, acquired, released ) VALUES ( - 1, 6, 1211299013 , 1211299205 + 1, 7, 1211299013 , 1211299205 ); INSERT INTO leases ( address, identity, acquired, released ) VALUES ( - 2, 7, 1211299031, 1211299187 + 2, 8, 1211299031, 1211299187 ); diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/strongswan.conf index e99a7c505..1c30841cf 100644 --- a/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/strongswan.conf +++ b/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/strongswan.conf @@ -6,7 +6,7 @@ charon { database = sqlite:///etc/ipsec.d/ipsec.db } } - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql attr-sql + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql attr-sql } libhydra { diff --git a/testing/tests/sql/ip-pool-db/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/ip-pool-db/hosts/carol/etc/ipsec.d/data.sql index 5dc82a942..d2cd51deb 100644 --- a/testing/tests/sql/ip-pool-db/hosts/carol/etc/ipsec.d/data.sql +++ b/testing/tests/sql/ip-pool-db/hosts/carol/etc/ipsec.d/data.sql @@ -8,6 +8,12 @@ INSERT INTO identities ( INSERT INTO identities ( type, data +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def' + ); + +INSERT INTO identities ( + type, data ) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ 11, X'ae096b87b44886d3b820978623dabd0eae22ebbc' ); @@ -20,7 +26,7 @@ INSERT INTO identities ( INSERT INTO identities ( type, data -) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=carol@strongswan.org' */ +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=carol@strongswan.org' */ 11, X'1fa1a988d9648cb5a0a2546439b4f23d745d6e7c' ); @@ -59,13 +65,19 @@ INSERT INTO certificate_identity ( INSERT INTO certificate_identity ( certificate, identity ) VALUES ( - 2, 3 + 1, 3 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 4 ); INSERT INTO certificate_identity ( certificate, identity ) VALUES ( - 2, 4 + 2, 5 ); /* Private Keys */ @@ -79,13 +91,13 @@ INSERT INTO private_keys ( INSERT INTO private_key_identity ( private_key, identity ) VALUES ( - 1, 3 + 1, 4 ); INSERT INTO private_key_identity ( private_key, identity ) VALUES ( - 1, 4 + 1, 5 ); /* Configurations */ @@ -99,7 +111,7 @@ INSERT INTO ike_configs ( INSERT INTO peer_configs ( name, ike_cfg, local_id, remote_id, virtual ) VALUES ( - 'home', 1, 3, 5, '0.0.0.0' + 'home', 1, 4, 6, '0.0.0.0' ); INSERT INTO child_configs ( diff --git a/testing/tests/sql/ip-pool-db/hosts/carol/etc/strongswan.conf b/testing/tests/sql/ip-pool-db/hosts/carol/etc/strongswan.conf index aed370ffa..d5f50c361 100644 --- a/testing/tests/sql/ip-pool-db/hosts/carol/etc/strongswan.conf +++ b/testing/tests/sql/ip-pool-db/hosts/carol/etc/strongswan.conf @@ -6,5 +6,5 @@ charon { database = sqlite:///etc/ipsec.d/ipsec.db } } - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql resolve + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql resolve } diff --git a/testing/tests/sql/ip-pool-db/hosts/dave/etc/ipsec.d/data.sql b/testing/tests/sql/ip-pool-db/hosts/dave/etc/ipsec.d/data.sql index 329cac53b..eb58e9d9c 100644 --- a/testing/tests/sql/ip-pool-db/hosts/dave/etc/ipsec.d/data.sql +++ b/testing/tests/sql/ip-pool-db/hosts/dave/etc/ipsec.d/data.sql @@ -8,6 +8,12 @@ INSERT INTO identities ( INSERT INTO identities ( type, data +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def' + ); + +INSERT INTO identities ( + type, data ) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ 11, X'ae096b87b44886d3b820978623dabd0eae22ebbc' ); @@ -20,7 +26,7 @@ INSERT INTO identities ( INSERT INTO identities ( type, data -) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=dave@strongswan.org' */ +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=dave@strongswan.org' */ 11, X'ee7f38daeea1b81a41777f78f2674be8439d8e0e' ); @@ -59,13 +65,19 @@ INSERT INTO certificate_identity ( INSERT INTO certificate_identity ( certificate, identity ) VALUES ( - 2, 3 + 1, 3 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 4 ); INSERT INTO certificate_identity ( certificate, identity ) VALUES ( - 2, 4 + 2, 5 ); /* Private Keys */ @@ -79,13 +91,13 @@ INSERT INTO private_keys ( INSERT INTO private_key_identity ( private_key, identity ) VALUES ( - 1, 3 + 1, 4 ); INSERT INTO private_key_identity ( private_key, identity ) VALUES ( - 1, 4 + 1, 5 ); /* Configurations */ @@ -99,7 +111,7 @@ INSERT INTO ike_configs ( INSERT INTO peer_configs ( name, ike_cfg, local_id, remote_id, virtual ) VALUES ( - 'home', 1, 3, 5, '0.0.0.0' + 'home', 1, 4, 6, '0.0.0.0' ); INSERT INTO child_configs ( diff --git a/testing/tests/sql/ip-pool-db/hosts/dave/etc/strongswan.conf b/testing/tests/sql/ip-pool-db/hosts/dave/etc/strongswan.conf index aed370ffa..d5f50c361 100644 --- a/testing/tests/sql/ip-pool-db/hosts/dave/etc/strongswan.conf +++ b/testing/tests/sql/ip-pool-db/hosts/dave/etc/strongswan.conf @@ -6,5 +6,5 @@ charon { database = sqlite:///etc/ipsec.d/ipsec.db } } - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql resolve + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql resolve } diff --git a/testing/tests/sql/ip-pool-db/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/ip-pool-db/hosts/moon/etc/ipsec.d/data.sql index 82a9e43fe..0de63133e 100644 --- a/testing/tests/sql/ip-pool-db/hosts/moon/etc/ipsec.d/data.sql +++ b/testing/tests/sql/ip-pool-db/hosts/moon/etc/ipsec.d/data.sql @@ -8,6 +8,12 @@ INSERT INTO identities ( INSERT INTO identities ( type, data +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def' + ); + +INSERT INTO identities ( + type, data ) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ 11, X'ae096b87b44886d3b820978623dabd0eae22ebbc' ); @@ -20,7 +26,7 @@ INSERT INTO identities ( INSERT INTO identities ( type, data -) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */ +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */ 11, X'6a9c74d1f8897989f65a94e989f1fac3649d292e' ); @@ -59,13 +65,19 @@ INSERT INTO certificate_identity ( INSERT INTO certificate_identity ( certificate, identity ) VALUES ( - 2, 3 + 1, 3 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 4 ); INSERT INTO certificate_identity ( certificate, identity ) VALUES ( - 2, 4 + 2, 5 ); /* Private Keys */ @@ -79,13 +91,13 @@ INSERT INTO private_keys ( INSERT INTO private_key_identity ( private_key, identity ) VALUES ( - 1, 3 + 1, 4 ); INSERT INTO private_key_identity ( private_key, identity ) VALUES ( - 1, 4 + 1, 5 ); /* Configurations */ @@ -99,7 +111,7 @@ INSERT INTO ike_configs ( INSERT INTO peer_configs ( name, ike_cfg, local_id, remote_id, pool ) VALUES ( - 'rw', 1, 3, 5, 'bigpool' + 'rw', 1, 4, 6, 'bigpool' ); INSERT INTO child_configs ( diff --git a/testing/tests/sql/ip-pool-db/hosts/moon/etc/strongswan.conf b/testing/tests/sql/ip-pool-db/hosts/moon/etc/strongswan.conf index e99a7c505..1c30841cf 100644 --- a/testing/tests/sql/ip-pool-db/hosts/moon/etc/strongswan.conf +++ b/testing/tests/sql/ip-pool-db/hosts/moon/etc/strongswan.conf @@ -6,7 +6,7 @@ charon { database = sqlite:///etc/ipsec.d/ipsec.db } } - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql attr-sql + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql attr-sql } libhydra { diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/ipsec.d/data.sql index 9afa1b15d..38c9d9bbe 100644 --- a/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/ipsec.d/data.sql +++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/ipsec.d/data.sql @@ -8,19 +8,25 @@ INSERT INTO identities ( INSERT INTO identities ( type, data -) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ 11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def' ); INSERT INTO identities ( type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + +INSERT INTO identities ( + type, data ) VALUES ( /* carol@strongswan.org */ 3, X'6361726f6c407374726f6e677377616e2e6f7267' ); INSERT INTO identities ( type, data -) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=carol@strongswan.org' */ +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=carol@strongswan.org' */ 11, X'1fa1a988d9648cb5a0a2546439b4f23d745d6e7c' ); @@ -59,13 +65,19 @@ INSERT INTO certificate_identity ( INSERT INTO certificate_identity ( certificate, identity ) VALUES ( - 2, 3 + 1, 3 ); INSERT INTO certificate_identity ( certificate, identity ) VALUES ( - 2, 4 + 2, 4 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 5 ); /* Private Keys */ @@ -79,13 +91,13 @@ INSERT INTO private_keys ( INSERT INTO private_key_identity ( private_key, identity ) VALUES ( - 1, 3 + 1, 4 ); INSERT INTO private_key_identity ( private_key, identity ) VALUES ( - 1, 4 + 1, 5 ); /* Configurations */ @@ -99,7 +111,7 @@ INSERT INTO ike_configs ( INSERT INTO peer_configs ( name, ike_cfg, local_id, remote_id, virtual ) VALUES ( - 'home', 1, 3, 5, '0.0.0.0' + 'home', 1, 4, 6, '0.0.0.0' ); INSERT INTO child_configs ( diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/strongswan.conf b/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/strongswan.conf index a0d88cff1..f375db9c9 100644 --- a/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/strongswan.conf +++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/strongswan.conf @@ -6,5 +6,5 @@ charon { database = sqlite:///etc/ipsec.d/ipsec.db } } - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql } diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/ipsec.d/data.sql b/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/ipsec.d/data.sql index 425c180a1..acc82b8d1 100644 --- a/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/ipsec.d/data.sql +++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/ipsec.d/data.sql @@ -8,19 +8,24 @@ INSERT INTO identities ( INSERT INTO identities ( type, data -) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ 11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def' ); INSERT INTO identities ( type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); +INSERT INTO identities ( + type, data ) VALUES ( /* dave@strongswan.org */ 3, X'64617665407374726f6e677377616e2e6f7267' ); INSERT INTO identities ( type, data -) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=dave@strongswan.org' */ +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=dave@strongswan.org' */ 11, X'ee7f38daeea1b81a41777f78f2674be8439d8e0e' ); @@ -59,13 +64,19 @@ INSERT INTO certificate_identity ( INSERT INTO certificate_identity ( certificate, identity ) VALUES ( - 2, 3 + 1, 3 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 4 ); INSERT INTO certificate_identity ( certificate, identity ) VALUES ( - 2, 4 + 2, 5 ); /* Private Keys */ @@ -79,13 +90,13 @@ INSERT INTO private_keys ( INSERT INTO private_key_identity ( private_key, identity ) VALUES ( - 1, 3 + 1, 4 ); INSERT INTO private_key_identity ( private_key, identity ) VALUES ( - 1, 4 + 1, 5 ); /* Configurations */ @@ -99,7 +110,7 @@ INSERT INTO ike_configs ( INSERT INTO peer_configs ( name, ike_cfg, local_id, remote_id, virtual ) VALUES ( - 'home', 1, 3, 5, '0.0.0.0' + 'home', 1, 4, 6, '0.0.0.0' ); INSERT INTO child_configs ( diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/strongswan.conf b/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/strongswan.conf index a0d88cff1..f375db9c9 100644 --- a/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/strongswan.conf +++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/strongswan.conf @@ -6,5 +6,5 @@ charon { database = sqlite:///etc/ipsec.d/ipsec.db } } - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql } diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/ipsec.d/data.sql index ac776f39d..3b0ea67d4 100644 --- a/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/ipsec.d/data.sql +++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/ipsec.d/data.sql @@ -8,19 +8,25 @@ INSERT INTO identities ( INSERT INTO identities ( type, data -) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ 11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def' ); INSERT INTO identities ( type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + +INSERT INTO identities ( + type, data ) VALUES ( /* moon.strongswan.org */ 2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267' ); INSERT INTO identities ( type, data -) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */ +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */ 11, X'6a9c74d1f8897989f65a94e989f1fac3649d292e' ); @@ -71,13 +77,19 @@ INSERT INTO certificate_identity ( INSERT INTO certificate_identity ( certificate, identity ) VALUES ( - 2, 3 + 1, 3 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 4 ); INSERT INTO certificate_identity ( certificate, identity ) VALUES ( - 2, 4 + 2, 5 ); /* Private Keys */ @@ -91,13 +103,13 @@ INSERT INTO private_keys ( INSERT INTO private_key_identity ( private_key, identity ) VALUES ( - 1, 3 + 1, 4 ); INSERT INTO private_key_identity ( private_key, identity ) VALUES ( - 1, 4 + 1, 5 ); /* Configurations */ @@ -111,7 +123,7 @@ INSERT INTO ike_configs ( INSERT INTO peer_configs ( name, ike_cfg, local_id, remote_id, pool ) VALUES ( - 'rw', 1, 3, 5, 'pool0,pool1' + 'rw', 1, 4, 6, 'pool0,pool1' ); INSERT INTO child_configs ( @@ -167,7 +179,7 @@ INSERT INTO pools ( INSERT INTO addresses ( pool, address, identity, acquired, released ) VALUES ( - 1, X'0a030001', 6, 1247817255, 1247817277 + 1, X'0a030001', 7, 1247817255, 1247817277 ); INSERT INTO addresses ( @@ -179,7 +191,7 @@ INSERT INTO addresses ( INSERT INTO addresses ( pool, address, identity, acquired, released ) VALUES ( - 2, X'0a030101', 7, 1247817257, 1247817278 + 2, X'0a030101', 8, 1247817257, 1247817278 ); INSERT INTO addresses ( @@ -191,14 +203,11 @@ INSERT INTO addresses ( INSERT INTO leases ( address, identity, acquired, released ) VALUES ( - 1, 6, 1247817255, 1247817277 + 1, 7, 1247817255, 1247817277 ); INSERT INTO leases ( address, identity, acquired, released ) VALUES ( - 3, 7, 1247817257, 1247817278 + 3, 8, 1247817257, 1247817278 ); - - - diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/strongswan.conf b/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/strongswan.conf index e99a7c505..1c30841cf 100644 --- a/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/strongswan.conf +++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/strongswan.conf @@ -6,7 +6,7 @@ charon { database = sqlite:///etc/ipsec.d/ipsec.db } } - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql attr-sql + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql attr-sql } libhydra { diff --git a/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/ipsec.d/data.sql index 9afa1b15d..38c9d9bbe 100644 --- a/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/ipsec.d/data.sql +++ b/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/ipsec.d/data.sql @@ -8,19 +8,25 @@ INSERT INTO identities ( INSERT INTO identities ( type, data -) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ 11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def' ); INSERT INTO identities ( type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + +INSERT INTO identities ( + type, data ) VALUES ( /* carol@strongswan.org */ 3, X'6361726f6c407374726f6e677377616e2e6f7267' ); INSERT INTO identities ( type, data -) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=carol@strongswan.org' */ +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=carol@strongswan.org' */ 11, X'1fa1a988d9648cb5a0a2546439b4f23d745d6e7c' ); @@ -59,13 +65,19 @@ INSERT INTO certificate_identity ( INSERT INTO certificate_identity ( certificate, identity ) VALUES ( - 2, 3 + 1, 3 ); INSERT INTO certificate_identity ( certificate, identity ) VALUES ( - 2, 4 + 2, 4 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 5 ); /* Private Keys */ @@ -79,13 +91,13 @@ INSERT INTO private_keys ( INSERT INTO private_key_identity ( private_key, identity ) VALUES ( - 1, 3 + 1, 4 ); INSERT INTO private_key_identity ( private_key, identity ) VALUES ( - 1, 4 + 1, 5 ); /* Configurations */ @@ -99,7 +111,7 @@ INSERT INTO ike_configs ( INSERT INTO peer_configs ( name, ike_cfg, local_id, remote_id, virtual ) VALUES ( - 'home', 1, 3, 5, '0.0.0.0' + 'home', 1, 4, 6, '0.0.0.0' ); INSERT INTO child_configs ( diff --git a/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/strongswan.conf b/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/strongswan.conf index a0d88cff1..f375db9c9 100644 --- a/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/strongswan.conf +++ b/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/strongswan.conf @@ -6,5 +6,5 @@ charon { database = sqlite:///etc/ipsec.d/ipsec.db } } - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql } diff --git a/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/ipsec.d/data.sql b/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/ipsec.d/data.sql index 425c180a1..9739a7839 100644 --- a/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/ipsec.d/data.sql +++ b/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/ipsec.d/data.sql @@ -8,19 +8,25 @@ INSERT INTO identities ( INSERT INTO identities ( type, data -) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ 11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def' ); INSERT INTO identities ( type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + +INSERT INTO identities ( + type, data ) VALUES ( /* dave@strongswan.org */ 3, X'64617665407374726f6e677377616e2e6f7267' ); INSERT INTO identities ( type, data -) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=dave@strongswan.org' */ +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=dave@strongswan.org' */ 11, X'ee7f38daeea1b81a41777f78f2674be8439d8e0e' ); @@ -59,13 +65,19 @@ INSERT INTO certificate_identity ( INSERT INTO certificate_identity ( certificate, identity ) VALUES ( - 2, 3 + 1, 3 ); INSERT INTO certificate_identity ( certificate, identity ) VALUES ( - 2, 4 + 2, 4 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 5 ); /* Private Keys */ @@ -79,13 +91,13 @@ INSERT INTO private_keys ( INSERT INTO private_key_identity ( private_key, identity ) VALUES ( - 1, 3 + 1, 4 ); INSERT INTO private_key_identity ( private_key, identity ) VALUES ( - 1, 4 + 1, 5 ); /* Configurations */ @@ -99,7 +111,7 @@ INSERT INTO ike_configs ( INSERT INTO peer_configs ( name, ike_cfg, local_id, remote_id, virtual ) VALUES ( - 'home', 1, 3, 5, '0.0.0.0' + 'home', 1, 4, 6, '0.0.0.0' ); INSERT INTO child_configs ( diff --git a/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/strongswan.conf b/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/strongswan.conf index a0d88cff1..f375db9c9 100644 --- a/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/strongswan.conf +++ b/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/strongswan.conf @@ -6,5 +6,5 @@ charon { database = sqlite:///etc/ipsec.d/ipsec.db } } - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql } diff --git a/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/ipsec.d/data.sql index a062ac167..ae493ee64 100644 --- a/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/ipsec.d/data.sql +++ b/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/ipsec.d/data.sql @@ -8,19 +8,25 @@ INSERT INTO identities ( INSERT INTO identities ( type, data -) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ 11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def' ); INSERT INTO identities ( type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + +INSERT INTO identities ( + type, data ) VALUES ( /* moon.strongswan.org */ 2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267' ); INSERT INTO identities ( type, data -) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */ +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */ 11, X'6a9c74d1f8897989f65a94e989f1fac3649d292e' ); @@ -59,13 +65,19 @@ INSERT INTO certificate_identity ( INSERT INTO certificate_identity ( certificate, identity ) VALUES ( - 2, 3 + 1, 3 ); INSERT INTO certificate_identity ( certificate, identity ) VALUES ( - 2, 4 + 2, 4 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 5 ); /* Private Keys */ @@ -79,13 +91,13 @@ INSERT INTO private_keys ( INSERT INTO private_key_identity ( private_key, identity ) VALUES ( - 1, 3 + 1, 4 ); INSERT INTO private_key_identity ( private_key, identity ) VALUES ( - 1, 4 + 1, 5 ); /* Configurations */ @@ -99,7 +111,7 @@ INSERT INTO ike_configs ( INSERT INTO peer_configs ( name, ike_cfg, local_id, remote_id, pool ) VALUES ( - 'rw', 1, 3, 5, 'pool0,pool1' + 'rw', 1, 4, 6, 'pool0,pool1' ); INSERT INTO child_configs ( diff --git a/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/strongswan.conf b/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/strongswan.conf index e99a7c505..1c30841cf 100644 --- a/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/strongswan.conf +++ b/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/strongswan.conf @@ -6,7 +6,7 @@ charon { database = sqlite:///etc/ipsec.d/ipsec.db } } - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql attr-sql + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql attr-sql } libhydra { diff --git a/testing/tests/sql/net2net-cert/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/net2net-cert/hosts/moon/etc/ipsec.d/data.sql index c4424bd89..54086643f 100644 --- a/testing/tests/sql/net2net-cert/hosts/moon/etc/ipsec.d/data.sql +++ b/testing/tests/sql/net2net-cert/hosts/moon/etc/ipsec.d/data.sql @@ -8,12 +8,18 @@ INSERT INTO identities ( INSERT INTO identities ( type, data -) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ 11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def' ); INSERT INTO identities ( type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + +INSERT INTO identities ( + type, data ) VALUES ( /* moon.strongswan.org */ 2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267' ); @@ -26,7 +32,7 @@ INSERT INTO identities ( INSERT INTO identities ( type, data -) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */ +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */ 11, X'6a9c74d1f8897989f65a94e989f1fac3649d292e' ); @@ -59,13 +65,19 @@ INSERT INTO certificate_identity ( INSERT INTO certificate_identity ( certificate, identity ) VALUES ( - 2, 3 + 1, 3 ); INSERT INTO certificate_identity ( certificate, identity ) VALUES ( - 2, 5 + 2, 4 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 6 ); /* Private Keys */ @@ -79,13 +91,13 @@ INSERT INTO private_keys ( INSERT INTO private_key_identity ( private_key, identity ) VALUES ( - 1, 3 + 1, 4 ); INSERT INTO private_key_identity ( private_key, identity ) VALUES ( - 1, 5 + 1, 6 ); /* Configurations */ @@ -99,7 +111,7 @@ INSERT INTO ike_configs ( INSERT INTO peer_configs ( name, ike_cfg, local_id, remote_id, mobike ) VALUES ( - 'net-net', 1, 3, 4, 0 + 'net-net', 1, 4, 5, 0 ); INSERT INTO child_configs ( diff --git a/testing/tests/sql/net2net-cert/hosts/moon/etc/strongswan.conf b/testing/tests/sql/net2net-cert/hosts/moon/etc/strongswan.conf index a0d88cff1..f375db9c9 100644 --- a/testing/tests/sql/net2net-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/sql/net2net-cert/hosts/moon/etc/strongswan.conf @@ -6,5 +6,5 @@ charon { database = sqlite:///etc/ipsec.d/ipsec.db } } - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql } diff --git a/testing/tests/sql/net2net-cert/hosts/sun/etc/ipsec.d/data.sql b/testing/tests/sql/net2net-cert/hosts/sun/etc/ipsec.d/data.sql index d70481715..2bc8b34c8 100644 --- a/testing/tests/sql/net2net-cert/hosts/sun/etc/ipsec.d/data.sql +++ b/testing/tests/sql/net2net-cert/hosts/sun/etc/ipsec.d/data.sql @@ -8,12 +8,18 @@ INSERT INTO identities ( INSERT INTO identities ( type, data -) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ 11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def' ); INSERT INTO identities ( type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + +INSERT INTO identities ( + type, data ) VALUES ( /* moon.strongswan.org */ 2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267' ); @@ -26,7 +32,7 @@ INSERT INTO identities ( INSERT INTO identities ( type, data -) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=sun.strongswan.org' */ +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=sun.strongswan.org' */ 11, X'56d69e2fdaa8a1cd195c2353e7c5b67096e30bfb' ); @@ -59,13 +65,19 @@ INSERT INTO certificate_identity ( INSERT INTO certificate_identity ( certificate, identity ) VALUES ( - 2, 4 + 1, 3 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 5 ); INSERT INTO certificate_identity ( certificate, identity ) VALUES ( - 2, 5 + 2, 6 ); /* Private Keys */ @@ -79,13 +91,13 @@ INSERT INTO private_keys ( INSERT INTO private_key_identity ( private_key, identity ) VALUES ( - 1, 4 + 1, 5 ); INSERT INTO private_key_identity ( private_key, identity ) VALUES ( - 1, 5 + 1, 6 ); /* Configurations */ @@ -99,7 +111,7 @@ INSERT INTO ike_configs ( INSERT INTO peer_configs ( name, ike_cfg, local_id, remote_id, mobike ) VALUES ( - 'net-net', 1, 4, 3, 0 + 'net-net', 1, 5, 4, 0 ); INSERT INTO child_configs ( diff --git a/testing/tests/sql/net2net-cert/hosts/sun/etc/strongswan.conf b/testing/tests/sql/net2net-cert/hosts/sun/etc/strongswan.conf index a0d88cff1..f375db9c9 100644 --- a/testing/tests/sql/net2net-cert/hosts/sun/etc/strongswan.conf +++ b/testing/tests/sql/net2net-cert/hosts/sun/etc/strongswan.conf @@ -6,5 +6,5 @@ charon { database = sqlite:///etc/ipsec.d/ipsec.db } } - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql } diff --git a/testing/tests/sql/rw-cert/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/rw-cert/hosts/carol/etc/ipsec.d/data.sql index 983f1bf35..b1bf20943 100644 --- a/testing/tests/sql/rw-cert/hosts/carol/etc/ipsec.d/data.sql +++ b/testing/tests/sql/rw-cert/hosts/carol/etc/ipsec.d/data.sql @@ -8,19 +8,25 @@ INSERT INTO identities ( INSERT INTO identities ( type, data -) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ 11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def' ); INSERT INTO identities ( type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + +INSERT INTO identities ( + type, data ) VALUES ( /* carol@strongswan.org */ 3, X'6361726f6c407374726f6e677377616e2e6f7267' ); INSERT INTO identities ( type, data -) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=carol@strongswan.org' */ +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=carol@strongswan.org' */ 11, X'1fa1a988d9648cb5a0a2546439b4f23d745d6e7c' ); @@ -59,13 +65,19 @@ INSERT INTO certificate_identity ( INSERT INTO certificate_identity ( certificate, identity ) VALUES ( - 2, 3 + 1, 3 ); INSERT INTO certificate_identity ( certificate, identity ) VALUES ( - 2, 4 + 2, 4 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 5 ); /* Private Keys */ @@ -79,13 +91,13 @@ INSERT INTO private_keys ( INSERT INTO private_key_identity ( private_key, identity ) VALUES ( - 1, 3 + 1, 4 ); INSERT INTO private_key_identity ( private_key, identity ) VALUES ( - 1, 4 + 1, 5 ); /* Configurations */ @@ -99,7 +111,7 @@ INSERT INTO ike_configs ( INSERT INTO peer_configs ( name, ike_cfg, local_id, remote_id ) VALUES ( - 'home', 1, 3, 5 + 'home', 1, 4, 6 ); INSERT INTO child_configs ( diff --git a/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf index 49de2788e..bc951c1dd 100644 --- a/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf +++ b/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf @@ -6,7 +6,7 @@ charon { database = sqlite:///etc/ipsec.d/ipsec.db } } - load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql + load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql } libstrongswan { diff --git a/testing/tests/sql/rw-cert/hosts/dave/etc/ipsec.d/data.sql b/testing/tests/sql/rw-cert/hosts/dave/etc/ipsec.d/data.sql index 9ccee6ce8..53168adff 100644 --- a/testing/tests/sql/rw-cert/hosts/dave/etc/ipsec.d/data.sql +++ b/testing/tests/sql/rw-cert/hosts/dave/etc/ipsec.d/data.sql @@ -8,19 +8,25 @@ INSERT INTO identities ( INSERT INTO identities ( type, data -) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ 11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def' ); INSERT INTO identities ( type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + +INSERT INTO identities ( + type, data ) VALUES ( /* dave@strongswan.org */ 3, X'64617665407374726f6e677377616e2e6f7267' ); INSERT INTO identities ( type, data -) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=dave@strongswan.org' */ +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=dave@strongswan.org' */ 11, X'ee7f38daeea1b81a41777f78f2674be8439d8e0e' ); @@ -59,13 +65,19 @@ INSERT INTO certificate_identity ( INSERT INTO certificate_identity ( certificate, identity ) VALUES ( - 2, 3 + 1, 3 ); INSERT INTO certificate_identity ( certificate, identity ) VALUES ( - 2, 4 + 2, 4 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 5 ); /* Private Keys */ @@ -79,13 +91,13 @@ INSERT INTO private_keys ( INSERT INTO private_key_identity ( private_key, identity ) VALUES ( - 1, 3 + 1, 4 ); INSERT INTO private_key_identity ( private_key, identity ) VALUES ( - 1, 4 + 1, 5 ); /* Configurations */ @@ -99,7 +111,7 @@ INSERT INTO ike_configs ( INSERT INTO peer_configs ( name, ike_cfg, local_id, remote_id ) VALUES ( - 'home', 1, 3, 5 + 'home', 1, 4, 6 ); INSERT INTO child_configs ( diff --git a/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf index 49de2788e..bc951c1dd 100644 --- a/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf +++ b/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf @@ -6,7 +6,7 @@ charon { database = sqlite:///etc/ipsec.d/ipsec.db } } - load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql + load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql } libstrongswan { diff --git a/testing/tests/sql/rw-cert/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/rw-cert/hosts/moon/etc/ipsec.d/data.sql index b239402e4..1a3807b80 100644 --- a/testing/tests/sql/rw-cert/hosts/moon/etc/ipsec.d/data.sql +++ b/testing/tests/sql/rw-cert/hosts/moon/etc/ipsec.d/data.sql @@ -8,19 +8,25 @@ INSERT INTO identities ( INSERT INTO identities ( type, data -) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ 11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def' ); INSERT INTO identities ( type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + +INSERT INTO identities ( + type, data ) VALUES ( /* moon.strongswan.org */ 2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267' ); INSERT INTO identities ( type, data -) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */ +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */ 11, X'6a9c74d1f8897989f65a94e989f1fac3649d292e' ); @@ -59,13 +65,19 @@ INSERT INTO certificate_identity ( INSERT INTO certificate_identity ( certificate, identity ) VALUES ( - 2, 3 + 1, 3 ); INSERT INTO certificate_identity ( certificate, identity ) VALUES ( - 2, 4 + 2, 4 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 5 ); /* Private Keys */ @@ -79,13 +91,13 @@ INSERT INTO private_keys ( INSERT INTO private_key_identity ( private_key, identity ) VALUES ( - 1, 3 + 1, 4 ); INSERT INTO private_key_identity ( private_key, identity ) VALUES ( - 1, 4 + 1, 5 ); /* Configurations */ @@ -99,7 +111,7 @@ INSERT INTO ike_configs ( INSERT INTO peer_configs ( name, ike_cfg, local_id, remote_id ) VALUES ( - 'rw', 1, 3, 5 + 'rw', 1, 4, 6 ); INSERT INTO child_configs ( diff --git a/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf index 49de2788e..bc951c1dd 100644 --- a/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf @@ -6,7 +6,7 @@ charon { database = sqlite:///etc/ipsec.d/ipsec.db } } - load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql + load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql } libstrongswan { diff --git a/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/ipsec.d/data.sql index d574e380a..8a4e5275b 100644 --- a/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/ipsec.d/data.sql +++ b/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/ipsec.d/data.sql @@ -8,12 +8,18 @@ INSERT INTO identities ( INSERT INTO identities ( type, data -) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ 11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def' ); INSERT INTO identities ( type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + +INSERT INTO identities ( + type, data ) VALUES ( /* carol@strongswan.org */ 3, X'6361726f6c407374726f6e677377616e2e6f7267' ); @@ -44,6 +50,12 @@ INSERT INTO certificate_identity ( 1, 2 ); +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 3 +); + /* Shared Secrets */ INSERT INTO shared_secrets ( @@ -55,13 +67,13 @@ INSERT INTO shared_secrets ( INSERT INTO shared_secret_identity ( shared_secret, identity ) VALUES ( - 1, 3 + 1, 4 ); INSERT INTO shared_secret_identity ( shared_secret, identity ) VALUES ( - 1, 4 + 1, 5 ); /* Configurations */ @@ -75,7 +87,7 @@ INSERT INTO ike_configs ( INSERT INTO peer_configs ( name, ike_cfg, local_id, remote_id, auth_method ) VALUES ( - 'home', 1, 3, 4, 3 + 'home', 1, 4, 5, 3 ); INSERT INTO child_configs ( diff --git a/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf index a5a7d2017..f17071c95 100644 --- a/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf +++ b/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf @@ -6,5 +6,5 @@ charon { database = sqlite:///etc/ipsec.d/ipsec.db } } - load = curl aes des sha1 sha2 md5 fips-prf pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql eap-aka eap-aka-3gpp2 + load = curl aes des sha1 sha2 md5 fips-prf pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql eap-aka eap-aka-3gpp2 } diff --git a/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/ipsec.d/data.sql index 2cd45fbf0..58a42cf00 100644 --- a/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/ipsec.d/data.sql +++ b/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/ipsec.d/data.sql @@ -8,19 +8,25 @@ INSERT INTO identities ( INSERT INTO identities ( type, data -) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ 11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def' ); INSERT INTO identities ( type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + +INSERT INTO identities ( + type, data ) VALUES ( /* moon.strongswan.org */ 2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267' ); INSERT INTO identities ( type, data -) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */ +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */ 11, X'6a9c74d1f8897989f65a94e989f1fac3649d292e' ); @@ -65,6 +71,12 @@ INSERT INTO certificate_identity ( INSERT INTO certificate_identity ( certificate, identity ) VALUES ( + 1, 3 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( 2, 3 ); @@ -85,13 +97,13 @@ INSERT INTO private_keys ( INSERT INTO private_key_identity ( private_key, identity ) VALUES ( - 1, 3 + 1, 4 ); INSERT INTO private_key_identity ( private_key, identity ) VALUES ( - 1, 4 + 1, 5 ); /* Shared Secrets */ @@ -105,13 +117,13 @@ INSERT INTO shared_secrets ( INSERT INTO shared_secret_identity ( shared_secret, identity ) VALUES ( - 1, 3 + 1, 4 ); INSERT INTO shared_secret_identity ( shared_secret, identity ) VALUES ( - 1, 6 + 1, 7 ); /* Configurations */ @@ -125,7 +137,7 @@ INSERT INTO ike_configs ( INSERT INTO peer_configs ( name, ike_cfg, local_id, remote_id, eap_type ) VALUES ( - 'rw-eap-aka', 1, 3, 5, 23 + 'rw-eap-aka', 1, 4, 6, 23 ); INSERT INTO child_configs ( diff --git a/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf index 52de80b19..d2558edf4 100644 --- a/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf +++ b/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf @@ -6,5 +6,5 @@ charon { database = sqlite:///etc/ipsec.d/ipsec.db } } - load = aes des sha1 sha2 md5 fips-prf pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql eap-aka eap-aka-3gpp2 + load = aes des sha1 sha2 md5 fips-prf pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql eap-aka eap-aka-3gpp2 } diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/ipsec.d/data.sql index bb6a9ec80..7d2d17bab 100644 --- a/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/ipsec.d/data.sql +++ b/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/ipsec.d/data.sql @@ -8,12 +8,18 @@ INSERT INTO identities ( INSERT INTO identities ( type, data -) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ 11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def' ); INSERT INTO identities ( type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + +INSERT INTO identities ( + type, data ) VALUES ( /* carol@strongswan.org */ 3, X'6361726f6c407374726f6e677377616e2e6f7267' ); @@ -44,6 +50,12 @@ INSERT INTO certificate_identity ( 1, 2 ); +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 3 +); + /* Shared Secrets */ INSERT INTO shared_secrets ( @@ -55,13 +67,13 @@ INSERT INTO shared_secrets ( INSERT INTO shared_secret_identity ( shared_secret, identity ) VALUES ( - 1, 3 + 1, 4 ); INSERT INTO shared_secret_identity ( shared_secret, identity ) VALUES ( - 1, 4 + 1, 5 ); /* Configurations */ @@ -75,7 +87,7 @@ INSERT INTO ike_configs ( INSERT INTO peer_configs ( name, ike_cfg, local_id, remote_id, auth_method ) VALUES ( - 'home', 1, 3, 4, 2 + 'home', 1, 4, 5, 2 ); INSERT INTO child_configs ( diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf index a0d88cff1..f375db9c9 100644 --- a/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf +++ b/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf @@ -6,5 +6,5 @@ charon { database = sqlite:///etc/ipsec.d/ipsec.db } } - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql } diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/ipsec.d/data.sql b/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/ipsec.d/data.sql index 42082f400..53d84eec6 100644 --- a/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/ipsec.d/data.sql +++ b/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/ipsec.d/data.sql @@ -8,12 +8,18 @@ INSERT INTO identities ( INSERT INTO identities ( type, data -) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ 11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def' ); INSERT INTO identities ( type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + +INSERT INTO identities ( + type, data ) VALUES ( /* dave@strongswan.org */ 3, X'64617665407374726f6e677377616e2e6f7267' ); @@ -44,6 +50,12 @@ INSERT INTO certificate_identity ( 1, 2 ); +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 3 +); + /* Shared Secrets */ INSERT INTO shared_secrets ( @@ -55,13 +67,13 @@ INSERT INTO shared_secrets ( INSERT INTO shared_secret_identity ( shared_secret, identity ) VALUES ( - 1, 3 + 1, 4 ); INSERT INTO shared_secret_identity ( shared_secret, identity ) VALUES ( - 1, 4 + 1, 5 ); @@ -76,7 +88,7 @@ INSERT INTO ike_configs ( INSERT INTO peer_configs ( name, ike_cfg, local_id, remote_id, auth_method ) VALUES ( - 'home', 1, 3, 4, 2 + 'home', 1, 4, 5, 2 ); INSERT INTO child_configs ( diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf index a0d88cff1..f375db9c9 100644 --- a/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf +++ b/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf @@ -6,5 +6,5 @@ charon { database = sqlite:///etc/ipsec.d/ipsec.db } } - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql } diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/ipsec.d/data.sql index 35598e97d..70f188453 100644 --- a/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/ipsec.d/data.sql +++ b/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/ipsec.d/data.sql @@ -8,19 +8,25 @@ INSERT INTO identities ( INSERT INTO identities ( type, data -) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ 11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def' ); INSERT INTO identities ( type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + +INSERT INTO identities ( + type, data ) VALUES ( /* moon.strongswan.org */ 2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267' ); INSERT INTO identities ( type, data -) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */ +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */ 11, X'6a9c74d1f8897989f65a94e989f1fac3649d292e' ); @@ -71,13 +77,19 @@ INSERT INTO certificate_identity ( INSERT INTO certificate_identity ( certificate, identity ) VALUES ( - 2, 3 + 1, 3 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 4 ); INSERT INTO certificate_identity ( certificate, identity ) VALUES ( - 2, 4 + 2, 5 ); /* Private Keys */ @@ -91,13 +103,13 @@ INSERT INTO private_keys ( INSERT INTO private_key_identity ( private_key, identity ) VALUES ( - 1, 3 + 1, 4 ); INSERT INTO private_key_identity ( private_key, identity ) VALUES ( - 1, 4 + 1, 5 ); /* Shared Secrets */ @@ -117,25 +129,25 @@ INSERT INTO shared_secrets ( INSERT INTO shared_secret_identity ( shared_secret, identity ) VALUES ( - 1, 3 + 1, 4 ); INSERT INTO shared_secret_identity ( shared_secret, identity ) VALUES ( - 1, 6 + 1, 7 ); INSERT INTO shared_secret_identity ( shared_secret, identity ) VALUES ( - 2, 3 + 2, 4 ); INSERT INTO shared_secret_identity ( shared_secret, identity ) VALUES ( - 2, 7 + 2, 8 ); @@ -150,7 +162,7 @@ INSERT INTO ike_configs ( INSERT INTO peer_configs ( name, ike_cfg, local_id, remote_id ) VALUES ( - 'rw', 1, 3, 5 + 'rw', 1, 4, 6 ); INSERT INTO child_configs ( diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf index a0d88cff1..f375db9c9 100644 --- a/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf +++ b/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf @@ -6,5 +6,5 @@ charon { database = sqlite:///etc/ipsec.d/ipsec.db } } - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql } diff --git a/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/ipsec.d/data.sql index f5d06eaba..4f181b91b 100644 --- a/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/ipsec.d/data.sql +++ b/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/ipsec.d/data.sql @@ -14,13 +14,13 @@ INSERT INTO identities ( INSERT INTO identities ( type, data -) VALUES ( /* keyid of carol@strongswan.org */ +) VALUES ( /* subjkey of carol@strongswan.org */ 11, X'1fa1a988d9648cb5a0a2546439b4f23d745d6e7c' ); INSERT INTO identities ( type, data -) VALUES ( /* keyid of moon.strongswan.org */ +) VALUES ( /* subjkey of moon.strongswan.org */ 11, X'6a9c74d1f8897989f65a94e989f1fac3649d292e' ); diff --git a/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/strongswan.conf index 6e6641fa5..34f0c571e 100644 --- a/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/strongswan.conf +++ b/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/strongswan.conf @@ -6,5 +6,5 @@ charon { database = sqlite:///etc/ipsec.d/ipsec.db } } - load = curl aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql + load = curl aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql } diff --git a/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/ipsec.d/data.sql b/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/ipsec.d/data.sql index 2e9acf5f6..9a36c2c37 100644 --- a/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/ipsec.d/data.sql +++ b/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/ipsec.d/data.sql @@ -14,13 +14,13 @@ INSERT INTO identities ( INSERT INTO identities ( type, data -) VALUES ( /* keyid of dave@strongswan.org */ +) VALUES ( /* subjkey of dave@strongswan.org */ 11, X'ee7f38daeea1b81a41777f78f2674be8439d8e0e' ); INSERT INTO identities ( type, data -) VALUES ( /* keyid of moon.strongswan.org */ +) VALUES ( /* subjkey of moon.strongswan.org */ 11, X'6a9c74d1f8897989f65a94e989f1fac3649d292e' ); diff --git a/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/strongswan.conf index 6e6641fa5..34f0c571e 100644 --- a/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/strongswan.conf +++ b/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/strongswan.conf @@ -6,5 +6,5 @@ charon { database = sqlite:///etc/ipsec.d/ipsec.db } } - load = curl aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql + load = curl aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql } diff --git a/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/ipsec.d/data.sql index ee7586925..9718a75bf 100644 --- a/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/ipsec.d/data.sql +++ b/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/ipsec.d/data.sql @@ -26,19 +26,19 @@ INSERT INTO identities ( INSERT INTO identities ( type, data -) VALUES ( /* keyid of moon.strongswan.org */ +) VALUES ( /* subjkey of moon.strongswan.org */ 11, X'6a9c74d1f8897989f65a94e989f1fac3649d292e' ); INSERT INTO identities ( type, data -) VALUES ( /* keyid of carol@strongswan.org */ +) VALUES ( /* subjkey of carol@strongswan.org */ 11, X'1fa1a988d9648cb5a0a2546439b4f23d745d6e7c' ); INSERT INTO identities ( type, data -) VALUES ( /* keyid of dave@strongswan.org */ +) VALUES ( /* subjkey of dave@strongswan.org */ 11, X'ee7f38daeea1b81a41777f78f2674be8439d8e0e' ); diff --git a/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/strongswan.conf index 6e6641fa5..34f0c571e 100644 --- a/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/strongswan.conf +++ b/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/strongswan.conf @@ -6,5 +6,5 @@ charon { database = sqlite:///etc/ipsec.d/ipsec.db } } - load = curl aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql + load = curl aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql } diff --git a/testing/tests/sql/rw-rsa/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/rw-rsa/hosts/carol/etc/ipsec.d/data.sql index bf086ad42..8219bdfad 100644 --- a/testing/tests/sql/rw-rsa/hosts/carol/etc/ipsec.d/data.sql +++ b/testing/tests/sql/rw-rsa/hosts/carol/etc/ipsec.d/data.sql @@ -14,13 +14,13 @@ INSERT INTO identities ( INSERT INTO identities ( type, data -) VALUES ( /* keyid of carol@strongswan.org */ +) VALUES ( /* subjkey of carol@strongswan.org */ 11, X'1fa1a988d9648cb5a0a2546439b4f23d745d6e7c' ); INSERT INTO identities ( type, data -) VALUES ( /* keyid of moon.strongswan.org */ +) VALUES ( /* subjkey of moon.strongswan.org */ 11, X'6a9c74d1f8897989f65a94e989f1fac3649d292e' ); diff --git a/testing/tests/sql/rw-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-rsa/hosts/carol/etc/strongswan.conf index 6e6641fa5..34f0c571e 100644 --- a/testing/tests/sql/rw-rsa/hosts/carol/etc/strongswan.conf +++ b/testing/tests/sql/rw-rsa/hosts/carol/etc/strongswan.conf @@ -6,5 +6,5 @@ charon { database = sqlite:///etc/ipsec.d/ipsec.db } } - load = curl aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql + load = curl aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql } diff --git a/testing/tests/sql/rw-rsa/hosts/dave/etc/ipsec.d/data.sql b/testing/tests/sql/rw-rsa/hosts/dave/etc/ipsec.d/data.sql index cbd2ae2e0..7c9cd9fe4 100644 --- a/testing/tests/sql/rw-rsa/hosts/dave/etc/ipsec.d/data.sql +++ b/testing/tests/sql/rw-rsa/hosts/dave/etc/ipsec.d/data.sql @@ -14,13 +14,13 @@ INSERT INTO identities ( INSERT INTO identities ( type, data -) VALUES ( /* keyid of dave@strongswan.org */ +) VALUES ( /* subjkey of dave@strongswan.org */ 11, X'ee7f38daeea1b81a41777f78f2674be8439d8e0e' ); INSERT INTO identities ( type, data -) VALUES ( /* keyid of moon.strongswan.org */ +) VALUES ( /* subjkey of moon.strongswan.org */ 11, X'6a9c74d1f8897989f65a94e989f1fac3649d292e' ); diff --git a/testing/tests/sql/rw-rsa/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-rsa/hosts/dave/etc/strongswan.conf index 6e6641fa5..34f0c571e 100644 --- a/testing/tests/sql/rw-rsa/hosts/dave/etc/strongswan.conf +++ b/testing/tests/sql/rw-rsa/hosts/dave/etc/strongswan.conf @@ -6,5 +6,5 @@ charon { database = sqlite:///etc/ipsec.d/ipsec.db } } - load = curl aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql + load = curl aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql } diff --git a/testing/tests/sql/rw-rsa/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/rw-rsa/hosts/moon/etc/ipsec.d/data.sql index 545708e67..8a4eb2d21 100644 --- a/testing/tests/sql/rw-rsa/hosts/moon/etc/ipsec.d/data.sql +++ b/testing/tests/sql/rw-rsa/hosts/moon/etc/ipsec.d/data.sql @@ -26,19 +26,19 @@ INSERT INTO identities ( INSERT INTO identities ( type, data -) VALUES ( /* keyid of moon.strongswan.org */ +) VALUES ( /* subjkey of moon.strongswan.org */ 11, X'6a9c74d1f8897989f65a94e989f1fac3649d292e' ); INSERT INTO identities ( type, data -) VALUES ( /* keyid of carol@strongswan.org */ +) VALUES ( /* subjkey of carol@strongswan.org */ 11, X'1fa1a988d9648cb5a0a2546439b4f23d745d6e7c' ); INSERT INTO identities ( type, data -) VALUES ( /* keyid of dave@strongswan.org */ +) VALUES ( /* subjkey of dave@strongswan.org */ 11, X'ee7f38daeea1b81a41777f78f2674be8439d8e0e' ); diff --git a/testing/tests/sql/rw-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-rsa/hosts/moon/etc/strongswan.conf index 6e6641fa5..34f0c571e 100644 --- a/testing/tests/sql/rw-rsa/hosts/moon/etc/strongswan.conf +++ b/testing/tests/sql/rw-rsa/hosts/moon/etc/strongswan.conf @@ -6,5 +6,5 @@ charon { database = sqlite:///etc/ipsec.d/ipsec.db } } - load = curl aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql + load = curl aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql } |