diff options
| author | René Mayrhofer <rene@mayrhofer.eu.org> | 2011-05-19 13:41:58 +0200 |
|---|---|---|
| committer | René Mayrhofer <rene@mayrhofer.eu.org> | 2011-05-19 13:41:58 +0200 |
| commit | b590992f735393c97489fce191e7810eaae4f6d7 (patch) | |
| tree | 286595c4aa43dbf3d616d816e5fade6ac364771a /testing | |
| parent | 2fce29055b7b5bc2860d503d1ae822931f80b7aa (diff) | |
| parent | 0a9d51a49042a68daa15b0c74a2b7f152f52606b (diff) | |
| download | vyos-strongswan-b590992f735393c97489fce191e7810eaae4f6d7.tar.gz vyos-strongswan-b590992f735393c97489fce191e7810eaae4f6d7.zip | |
Merge upstream version 4.5.2
Diffstat (limited to 'testing')
149 files changed, 1826 insertions, 138 deletions
diff --git a/testing/Makefile.in b/testing/Makefile.in index 6158a7358..67cdc194a 100644 --- a/testing/Makefile.in +++ b/testing/Makefile.in @@ -175,13 +175,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -<<<<<<< HEAD -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ -======= -ipsecgroup = @ipsecgroup@ ->>>>>>> upstream/4.5.1 ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -202,6 +196,8 @@ nm_ca_dir = @nm_ca_dir@ oldincludedir = @oldincludedir@ openac_plugins = @openac_plugins@ p_plugins = @p_plugins@ +pcsclite_CFLAGS = @pcsclite_CFLAGS@ +pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ piddir = @piddir@ pki_plugins = @pki_plugins@ @@ -220,14 +216,12 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ -<<<<<<< HEAD -======= soup_CFLAGS = @soup_CFLAGS@ soup_LIBS = @soup_LIBS@ ->>>>>>> upstream/4.5.1 srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ +systemdsystemunitdir = @systemdsystemunitdir@ target_alias = @target_alias@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ diff --git a/testing/do-tests.in b/testing/do-tests.in index 28a35eabd..2c5c07278 100755 --- a/testing/do-tests.in +++ b/testing/do-tests.in @@ -117,13 +117,7 @@ done KERNEL_VERSION=`basename $KERNEL .tar.bz2` IPSEC_VERSION=`basename $STRONGSWAN .tar.bz2` -cat > $INDEX <<@EOF -<html> -<head> - <title>strongSwan UML Tests</title> -</head> -<body> - <h2>strongSwan UML Tests</h2> +ENVIRONMENT_HEADER=$(cat <<@EOF <table border="0" cellspacing="2"> <tr valign="top"> <td><b>Host:</b></td> @@ -148,9 +142,27 @@ cat > $INDEX <<@EOF <td > </td> </tr> @EOF +) -cat $INDEX > $TESTRESULTSHTML -cat >> $TESTRESULTSHTML <<@EOF +cat > $INDEX <<@EOF +<html> +<head> + <title>strongSwan UML Tests</title> +</head> +<body> + <h2>strongSwan UML Tests</h2> + $ENVIRONMENT_HEADER +@EOF + +cat > $TESTRESULTSHTML <<@EOF +<html> +<head> + <title>strongSwan UML Tests - All Tests</title> +</head> +<body> + <div><a href="index.html">strongSwan UML Tests</a> / All Tests</div> + <h2>All Tests</h2> + $ENVIRONMENT_HEADER <tr align="left"> <th>Number</th> <th>Test</th> @@ -213,6 +225,7 @@ do <title>strongSwan $SUBDIR Tests</title> </head> <body> + <div><a href="../index.html">strongSwan UML Tests</a> / $SUBDIR</div> <h2>strongSwan $SUBDIR Tests</h2> <table border="0" cellspacing="2"> <tr valign="top"> @@ -343,10 +356,7 @@ do # $DIR/scripts/load-testconfig $testname -<<<<<<< HEAD -======= unset RADIUSHOSTS ->>>>>>> upstream/4.5.1 source $TESTDIR/test.conf @@ -458,8 +468,9 @@ do <title>Test $testname</title> </head> <body> -<table border="0" width="600"> +<table border="0" cellpadding="0" cellspacing="0" width="600"> <tr><td> + <div><a href="../../index.html">strongSwan UML Tests</a> / <a href="../index.html">$SUBDIR</a> / $name</div> <h2>Test $testname</h2> <h3>Description</h3> @EOF @@ -579,9 +590,6 @@ do cat >> $TESTRESULTDIR/index.html <<@EOF </td></tr> - <tr><td align="right"> - <b><a href="../index.html">Back</a></b> - </td></tr> </table> </body> </html> @@ -673,7 +681,7 @@ do cat >> $TESTRESULTSHTML << @EOF <tr> <td>$testnumber</td> - <td><a href="$testname/">$testname</a></td> + <td><a href="$testname/index.html">$testname</a></td> <td><a href="$testname/console.log"><font color="$COLOR">$STATUS</font></a></td> <td> </td> </tr> @@ -681,7 +689,7 @@ do cat >> $SUBTESTSINDEX << @EOF <tr> <td>$testnumber</td> - <td><a href="$name/">$name</a></td> + <td><a href="$name/index.html">$name</a></td> <td><a href="$name/console.log"><font color="$COLOR">$STATUS</font></a></td> <td> </td> </tr> @@ -708,11 +716,16 @@ done # cat >> $TESTRESULTSHTML << @EOF + <tr> + <td> </td><td> </td><td> </td><td> </td> + </tr> + <tr> + <td><b>Passed:</b></td><td><b><font color="green">$passed_cnt</font></b></td><td> </td><td> </td> + </tr> + <tr> + <td><b>Failed:</b></td><td><b><font color="red">$failed_cnt</font></b></td><td> </td><td> </td> + </tr> </table> - <p> - <b>Passed: <font color="green">$passed_cnt</font></b><br> - <b>Failed: <font color="red">$failed_cnt</font></b><br> - <p> </body> </html> @EOF diff --git a/testing/hosts/default/etc/ipsec.d/tables.sql b/testing/hosts/default/etc/ipsec.d/tables.sql index beb87e9d1..2917fc3fc 100644 --- a/testing/hosts/default/etc/ipsec.d/tables.sql +++ b/testing/hosts/default/etc/ipsec.d/tables.sql @@ -18,17 +18,11 @@ CREATE TABLE child_configs ( updown TEXT DEFAULT NULL, hostaccess INTEGER NOT NULL DEFAULT '0', mode INTEGER NOT NULL DEFAULT '2', -<<<<<<< HEAD - dpd_action INTEGER NOT NULL DEFAULT '0', - close_action INTEGER NOT NULL DEFAULT '0', - ipcomp INTEGER NOT NULL DEFAULT '0' -======= start_action INTEGER NOT NULL DEFAULT '0', dpd_action INTEGER NOT NULL DEFAULT '0', close_action INTEGER NOT NULL DEFAULT '0', ipcomp INTEGER NOT NULL DEFAULT '0', reqid INTEGER NOT NULL DEFAULT '0' ->>>>>>> upstream/4.5.1 ); DROP INDEX IF EXISTS child_configs_name; CREATE INDEX child_configs_name ON child_configs ( @@ -46,8 +40,6 @@ CREATE INDEX child_config_traffic_selector_all ON child_config_traffic_selector child_cfg, traffic_selector ); -<<<<<<< HEAD -======= DROP TABLE IF EXISTS proposals; CREATE TABLE proposals ( id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, @@ -61,7 +53,6 @@ CREATE TABLE child_config_proposal ( prop INTEGER NOT NULL ); ->>>>>>> upstream/4.5.1 DROP TABLE IF EXISTS ike_configs; CREATE TABLE ike_configs ( id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, @@ -71,8 +62,6 @@ CREATE TABLE ike_configs ( remote TEXT NOT NULL ); -<<<<<<< HEAD -======= DROP TABLE IF EXISTS ike_config_proposal; CREATE TABLE ike_config_proposal ( ike_cfg INTEGER NOT NULL, @@ -80,7 +69,6 @@ CREATE TABLE ike_config_proposal ( prop INTEGER NOT NULL ); ->>>>>>> upstream/4.5.1 DROP TABLE IF EXISTS peer_configs; CREATE TABLE peer_configs ( id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, @@ -173,8 +161,6 @@ CREATE TABLE shared_secret_identity ( PRIMARY KEY (shared_secret, identity) ); -<<<<<<< HEAD -======= DROP TABLE IF EXISTS certificate_authorities; CREATE TABLE certificate_authorities ( id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, @@ -189,7 +175,6 @@ CREATE TABLE certificate_distribution_points ( uri TEXT NOT NULL ); ->>>>>>> upstream/4.5.1 DROP TABLE IF EXISTS pools; CREATE TABLE pools ( id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, diff --git a/testing/scripts/build-umlrootfs b/testing/scripts/build-umlrootfs index 023b71750..182feab7d 100755 --- a/testing/scripts/build-umlrootfs +++ b/testing/scripts/build-umlrootfs @@ -182,6 +182,11 @@ then echo -n " --enable-eap-ttls" >> $INSTALLSHELL fi +if [ "$USE_EAP_PEAP" = "yes" ] +then + echo -n " --enable-eap-peap" >> $INSTALLSHELL +fi + if [ "$USE_EAP_TNC" = "yes" ] then echo -n " --enable-eap-tnc" >> $INSTALLSHELL @@ -307,6 +312,16 @@ then echo -n " --enable-ha" >> $INSTALLSHELL fi +if [ "$USE_AF_ALG" = "yes" ] +then + echo -n " --enable-af-alg" >> $INSTALLSHELL +fi + +if [ "$USE_WHITELIST" = "yes" ] +then + echo -n " --enable-whitelist" >> $INSTALLSHELL +fi + if [ "$USE_CISCO_QUIRKS" = "yes" ] then echo -n " --enable-cisco-quirks" >> $INSTALLSHELL diff --git a/testing/testing.conf b/testing/testing.conf index b078ab2c0..9b5609424 100755 --- a/testing/testing.conf +++ b/testing/testing.conf @@ -19,19 +19,19 @@ UMLTESTDIR=~/strongswan-testing # Bzipped kernel sources # (file extension .tar.bz2 required) -KERNEL=$UMLTESTDIR/linux-2.6.36.2.tar.bz2 +KERNEL=$UMLTESTDIR/linux-2.6.38.tar.bz2 # Extract kernel version KERNELVERSION=`basename $KERNEL .tar.bz2 | sed -e 's/linux-//'` # Kernel configuration file -KERNELCONFIG=$UMLTESTDIR/.config-2.6.36 +KERNELCONFIG=$UMLTESTDIR/.config-2.6.38 # Bzipped uml patch for kernel -UMLPATCH=$UMLTESTDIR/ha-2.6.36.patch.bz2 +UMLPATCH=$UMLTESTDIR/ha-2.6.37.patch.bz2 # Bzipped source of strongSwan -STRONGSWAN=$UMLTESTDIR/strongswan-4.5.1.tar.bz2 +STRONGSWAN=$UMLTESTDIR/strongswan-4.5.2.tar.bz2 # strongSwan compile options (use "yes" or "no") USE_LIBCURL="yes" @@ -44,6 +44,7 @@ USE_EAP_IDENTITY="yes" USE_EAP_RADIUS="yes" USE_EAP_TLS="yes" USE_EAP_TTLS="yes" +USE_EAP_PEAP="yes" USE_EAP_TNC="yes" USE_TNC_IMC="yes" USE_TNC_IMV="yes" @@ -69,6 +70,8 @@ USE_CTR="yes" USE_CCM="yes" USE_GCM="yes" USE_HA="yes" +USE_AF_ALG="yes" +USE_WHITELIST="yes" USE_CISCO_QUIRKS="no" # Gentoo linux root filesystem diff --git a/testing/tests/af-alg-ikev1/alg-camellia/description.txt b/testing/tests/af-alg-ikev1/alg-camellia/description.txt new file mode 100644 index 000000000..a9633ee84 --- /dev/null +++ b/testing/tests/af-alg-ikev1/alg-camellia/description.txt @@ -0,0 +1,4 @@ +Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the cipher suite +<b>CAMELLIA_CBC_128 / HMAC_SHA2_256 / MODP_2048</b> for the IKE protocol and +<b>CAMELLIA_CBC_128 / HMAC_SHA2_256_128 </b> for ESP packets. A ping from <b>carol</b> to +<b>alice</b> successfully checks the established tunnel. diff --git a/testing/tests/af-alg-ikev1/alg-camellia/evaltest.dat b/testing/tests/af-alg-ikev1/alg-camellia/evaltest.dat new file mode 100644 index 000000000..93f82906e --- /dev/null +++ b/testing/tests/af-alg-ikev1/alg-camellia/evaltest.dat @@ -0,0 +1,11 @@ +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +carol::ipsec statusall::IKE proposal: CAMELLIA_CBC_128/HMAC_SHA2_256/MODP_2048::YES +moon::ipsec statusall::IKE proposal: CAMELLIA_CBC_128/HMAC_SHA2_256/MODP_2048::YES +carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES +carol::ipsec statusall::ESP proposal: CAMELLIA_CBC_128/HMAC_SHA2_256::YES +moon::ipsec statusall::ESP proposal: CAMELLIA_CBC_128/HMAC_SHA2_256::YES +carol::ip xfrm state::enc cbc(camellia)::YES +moon::ip xfrm state::enc cbc(camellia)::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 200::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 200::YES diff --git a/testing/tests/af-alg-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf b/testing/tests/af-alg-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..cf51269a5 --- /dev/null +++ b/testing/tests/af-alg-ikev1/alg-camellia/hosts/carol/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug="control crypt" + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + ike=camellia128-sha256-modp2048! + esp=camellia128-sha256! + +conn home + left=PH_IP_CAROL + leftcert=carolCert.pem + leftid=carol@strongswan.org + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/af-alg-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf b/testing/tests/af-alg-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..04c2358ed --- /dev/null +++ b/testing/tests/af-alg-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = pem pkcs1 x509 af-alg gmp random curl kernel-netlink +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/af-alg-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf b/testing/tests/af-alg-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..5571dc086 --- /dev/null +++ b/testing/tests/af-alg-ikev1/alg-camellia/hosts/moon/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug="control crypt" + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + ike=camellia128-sha256-modp2048! + esp=camellia128-sha256! + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + right=%any + rightid=carol@strongswan.org + auto=add diff --git a/testing/tests/af-alg-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf b/testing/tests/af-alg-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..04c2358ed --- /dev/null +++ b/testing/tests/af-alg-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = pem pkcs1 x509 af-alg gmp random curl kernel-netlink +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/af-alg-ikev1/alg-camellia/posttest.dat b/testing/tests/af-alg-ikev1/alg-camellia/posttest.dat new file mode 100644 index 000000000..c6d6235f9 --- /dev/null +++ b/testing/tests/af-alg-ikev1/alg-camellia/posttest.dat @@ -0,0 +1,2 @@ +moon::ipsec stop +carol::ipsec stop diff --git a/testing/tests/af-alg-ikev1/alg-camellia/pretest.dat b/testing/tests/af-alg-ikev1/alg-camellia/pretest.dat new file mode 100644 index 000000000..6d2eeb5f9 --- /dev/null +++ b/testing/tests/af-alg-ikev1/alg-camellia/pretest.dat @@ -0,0 +1,5 @@ +moon::echo 1 > /proc/sys/net/ipv4/ip_forward +carol::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/af-alg-ikev1/alg-camellia/test.conf b/testing/tests/af-alg-ikev1/alg-camellia/test.conf new file mode 100644 index 000000000..6abbb89a9 --- /dev/null +++ b/testing/tests/af-alg-ikev1/alg-camellia/test.conf @@ -0,0 +1,22 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" + diff --git a/testing/tests/af-alg-ikev1/rw-cert/description.txt b/testing/tests/af-alg-ikev1/rw-cert/description.txt new file mode 100644 index 000000000..d0c5e9200 --- /dev/null +++ b/testing/tests/af-alg-ikev1/rw-cert/description.txt @@ -0,0 +1,12 @@ +The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>Crypto API</b> +of the Linux kernel via the <b>af_alg</b> userland interface for all symmetric +encryption and hash functions whereas roadwarrior <b>dave</b> uses the default +<b>strongSwan</b> cryptographical plugins <b>aes des sha1 sha2 md5 gmp</b>. +<p> +The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each +to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>. +Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b> +automatically inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping +the client <b>alice</b> behind the gateway <b>moon</b>. + diff --git a/testing/tests/af-alg-ikev1/rw-cert/evaltest.dat b/testing/tests/af-alg-ikev1/rw-cert/evaltest.dat new file mode 100644 index 000000000..1a9b9159f --- /dev/null +++ b/testing/tests/af-alg-ikev1/rw-cert/evaltest.dat @@ -0,0 +1,10 @@ +moon::ipsec statusall::IPsec SA established::YES +carol::ipsec statusall::IPsec SA established::YES +dave::ipsec statusall::IPsec SA established::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES + diff --git a/testing/tests/af-alg-ikev1/rw-cert/hosts/carol/etc/ipsec.conf b/testing/tests/af-alg-ikev1/rw-cert/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..80dae3719 --- /dev/null +++ b/testing/tests/af-alg-ikev1/rw-cert/hosts/carol/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + plutodebug=control + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + ike=3des-sha1-modp1536! + +conn home + left=PH_IP_CAROL + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/af-alg-ikev1/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/af-alg-ikev1/rw-cert/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..fd687c13a --- /dev/null +++ b/testing/tests/af-alg-ikev1/rw-cert/hosts/carol/etc/strongswan.conf @@ -0,0 +1,15 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = test-vectors pem pkcs1 x509 af-alg gmp random curl kernel-netlink +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no + integrity_test = yes + crypto_test { + on_add = yes + } +} diff --git a/testing/tests/af-alg-ikev1/rw-cert/hosts/dave/etc/ipsec.conf b/testing/tests/af-alg-ikev1/rw-cert/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..73167caad --- /dev/null +++ b/testing/tests/af-alg-ikev1/rw-cert/hosts/dave/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + plutodebug=control + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + ike=aes256-sha256-modp2048! + +conn home + left=PH_IP_DAVE + leftcert=daveCert.pem + leftid=dave@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/af-alg-ikev1/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/af-alg-ikev1/rw-cert/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..5cc54b24f --- /dev/null +++ b/testing/tests/af-alg-ikev1/rw-cert/hosts/dave/etc/strongswan.conf @@ -0,0 +1,16 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = test-vectors aes des sha1 sha2 md5 pem pkcs1 x509 gmp random hmac curl kernel-netlink +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no + integrity_test = yes + crypto_test { + required = yes + on_add = yes + } +} diff --git a/testing/tests/af-alg-ikev1/rw-cert/hosts/moon/etc/ipsec.conf b/testing/tests/af-alg-ikev1/rw-cert/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..f365b07da --- /dev/null +++ b/testing/tests/af-alg-ikev1/rw-cert/hosts/moon/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + plutodebug=control + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + ike=aes256-sha256-modp2048,3des-sha1-modp1536! + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + leftfirewall=yes + right=%any + auto=add diff --git a/testing/tests/af-alg-ikev1/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/af-alg-ikev1/rw-cert/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..fd687c13a --- /dev/null +++ b/testing/tests/af-alg-ikev1/rw-cert/hosts/moon/etc/strongswan.conf @@ -0,0 +1,15 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = test-vectors pem pkcs1 x509 af-alg gmp random curl kernel-netlink +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no + integrity_test = yes + crypto_test { + on_add = yes + } +} diff --git a/testing/tests/af-alg-ikev1/rw-cert/posttest.dat b/testing/tests/af-alg-ikev1/rw-cert/posttest.dat new file mode 100644 index 000000000..7cebd7f25 --- /dev/null +++ b/testing/tests/af-alg-ikev1/rw-cert/posttest.dat @@ -0,0 +1,6 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +dave::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/af-alg-ikev1/rw-cert/pretest.dat b/testing/tests/af-alg-ikev1/rw-cert/pretest.dat new file mode 100644 index 000000000..42e9d7c24 --- /dev/null +++ b/testing/tests/af-alg-ikev1/rw-cert/pretest.dat @@ -0,0 +1,9 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +dave::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +carol::ipsec start +dave::ipsec start +carol::sleep 1 +carol::ipsec up home +dave::ipsec up home diff --git a/testing/tests/af-alg-ikev1/rw-cert/test.conf b/testing/tests/af-alg-ikev1/rw-cert/test.conf new file mode 100644 index 000000000..70416826e --- /dev/null +++ b/testing/tests/af-alg-ikev1/rw-cert/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/af-alg-ikev2/alg-camellia/description.txt b/testing/tests/af-alg-ikev2/alg-camellia/description.txt new file mode 100644 index 000000000..b3515c333 --- /dev/null +++ b/testing/tests/af-alg-ikev2/alg-camellia/description.txt @@ -0,0 +1,4 @@ +Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the IKE cipher suite <b>CAMELLIA_CBC_256 / +HMAC_SHA2_512_256 / MODP_2048</b> by defining <b>ike=camellia256-sha256-modp2048</b> as well as +the ESP cipher suite <b>CAMELLIA_CBC_192 / HMAC_SHA1_96</b> by defining <b>esp=camellia192-sha1</b> +in ipsec.conf. A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel. diff --git a/testing/tests/af-alg-ikev2/alg-camellia/evaltest.dat b/testing/tests/af-alg-ikev2/alg-camellia/evaltest.dat new file mode 100644 index 000000000..d77c4806e --- /dev/null +++ b/testing/tests/af-alg-ikev2/alg-camellia/evaltest.dat @@ -0,0 +1,11 @@ +moon::ipsec statusall::rw.*INSTALLED::YES +carol::ipsec statusall::home.*INSTALLED::YES +moon::ipsec statusall::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES +carol::ipsec statusall::IKE proposal: CAMELLIA_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048::YES +carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon::ipsec statusall::CAMELLIA_CBC_192/HMAC_SHA1_96::YES +carol::ipsec statusall::CAMELLIA_CBC_192/HMAC_SHA1_96::YES +moon::ip xfrm state::enc cbc(camellia)::YES +carol::ip xfrm state::enc cbc(camellia)::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 196::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 196::YES diff --git a/testing/tests/af-alg-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf b/testing/tests/af-alg-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..37f8a7ecf --- /dev/null +++ b/testing/tests/af-alg-ikev2/alg-camellia/hosts/carol/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=yes + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + ike=camellia256-sha512-modp2048! + esp=camellia192-sha1! + +conn home + left=PH_IP_CAROL + leftfirewall=yes + leftcert=carolCert.pem + leftid=carol@strongswan.org + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/af-alg-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf b/testing/tests/af-alg-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..3cd390829 --- /dev/null +++ b/testing/tests/af-alg-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl pem pkcs1 af-alg gmp random x509 revocation stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/af-alg-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf b/testing/tests/af-alg-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..f8d7e3fe9 --- /dev/null +++ b/testing/tests/af-alg-ikev2/alg-camellia/hosts/moon/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=yes + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + ike=camellia256-sha512-modp2048! + esp=camellia192-sha1! + +conn rw + left=PH_IP_MOON + leftfirewall=yes + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + right=%any + auto=add diff --git a/testing/tests/af-alg-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf b/testing/tests/af-alg-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..3cd390829 --- /dev/null +++ b/testing/tests/af-alg-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl pem pkcs1 af-alg gmp random x509 revocation stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/af-alg-ikev2/alg-camellia/posttest.dat b/testing/tests/af-alg-ikev2/alg-camellia/posttest.dat new file mode 100644 index 000000000..94a400606 --- /dev/null +++ b/testing/tests/af-alg-ikev2/alg-camellia/posttest.dat @@ -0,0 +1,4 @@ +moon::ipsec stop +carol::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/af-alg-ikev2/alg-camellia/pretest.dat b/testing/tests/af-alg-ikev2/alg-camellia/pretest.dat new file mode 100644 index 000000000..3c3df0196 --- /dev/null +++ b/testing/tests/af-alg-ikev2/alg-camellia/pretest.dat @@ -0,0 +1,7 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +carol::ipsec start +carol::sleep 1 +carol::ipsec up home +carol::sleep 1 diff --git a/testing/tests/af-alg-ikev2/alg-camellia/test.conf b/testing/tests/af-alg-ikev2/alg-camellia/test.conf new file mode 100644 index 000000000..9cd583b16 --- /dev/null +++ b/testing/tests/af-alg-ikev2/alg-camellia/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/af-alg-ikev2/rw-cert/description.txt b/testing/tests/af-alg-ikev2/rw-cert/description.txt new file mode 100644 index 000000000..d0c5e9200 --- /dev/null +++ b/testing/tests/af-alg-ikev2/rw-cert/description.txt @@ -0,0 +1,12 @@ +The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>Crypto API</b> +of the Linux kernel via the <b>af_alg</b> userland interface for all symmetric +encryption and hash functions whereas roadwarrior <b>dave</b> uses the default +<b>strongSwan</b> cryptographical plugins <b>aes des sha1 sha2 md5 gmp</b>. +<p> +The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each +to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>. +Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b> +automatically inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping +the client <b>alice</b> behind the gateway <b>moon</b>. + diff --git a/testing/tests/af-alg-ikev2/rw-cert/evaltest.dat b/testing/tests/af-alg-ikev2/rw-cert/evaltest.dat new file mode 100644 index 000000000..06a0f8cda --- /dev/null +++ b/testing/tests/af-alg-ikev2/rw-cert/evaltest.dat @@ -0,0 +1,10 @@ +moon::ipsec statusall::rw.*ESTABLISHED::YES +carol::ipsec statusall::home.*ESTABLISHED::YES +dave::ipsec statusall::home.*ESTABLISHED::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES + diff --git a/testing/tests/af-alg-ikev2/rw-cert/hosts/carol/etc/ipsec.conf b/testing/tests/af-alg-ikev2/rw-cert/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..4a8baa3ae --- /dev/null +++ b/testing/tests/af-alg-ikev2/rw-cert/hosts/carol/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + ike=3des-sha1-modp1536! + +conn home + left=PH_IP_CAROL + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/af-alg-ikev2/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/af-alg-ikev2/rw-cert/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..1c71b885f --- /dev/null +++ b/testing/tests/af-alg-ikev2/rw-cert/hosts/carol/etc/strongswan.conf @@ -0,0 +1,12 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl test-vectors pem pkcs1 af-alg gmp random x509 revocation ctr ccm gcm stroke kernel-netlink socket-default updown +} + +libstrongswan { + integrity_test = yes + crypto_test { + on_add = yes + } +} diff --git a/testing/tests/af-alg-ikev2/rw-cert/hosts/dave/etc/ipsec.conf b/testing/tests/af-alg-ikev2/rw-cert/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..42f03aab3 --- /dev/null +++ b/testing/tests/af-alg-ikev2/rw-cert/hosts/dave/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + ike=aes256-sha256-modp2048! + +conn home + left=PH_IP_DAVE + leftcert=daveCert.pem + leftid=dave@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/af-alg-ikev2/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/af-alg-ikev2/rw-cert/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..e483eba9d --- /dev/null +++ b/testing/tests/af-alg-ikev2/rw-cert/hosts/dave/etc/strongswan.conf @@ -0,0 +1,13 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown +} + +libstrongswan { + integrity_test = yes + crypto_test { + required = yes + on_add = yes + } +} diff --git a/testing/tests/af-alg-ikev2/rw-cert/hosts/moon/etc/ipsec.conf b/testing/tests/af-alg-ikev2/rw-cert/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..2e84f2e6a --- /dev/null +++ b/testing/tests/af-alg-ikev2/rw-cert/hosts/moon/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + ike=aes256-sha256-modp2048,3des-sha1-modp1536! + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + leftfirewall=yes + right=%any + auto=add diff --git a/testing/tests/af-alg-ikev2/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/af-alg-ikev2/rw-cert/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..1c71b885f --- /dev/null +++ b/testing/tests/af-alg-ikev2/rw-cert/hosts/moon/etc/strongswan.conf @@ -0,0 +1,12 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl test-vectors pem pkcs1 af-alg gmp random x509 revocation ctr ccm gcm stroke kernel-netlink socket-default updown +} + +libstrongswan { + integrity_test = yes + crypto_test { + on_add = yes + } +} diff --git a/testing/tests/af-alg-ikev2/rw-cert/posttest.dat b/testing/tests/af-alg-ikev2/rw-cert/posttest.dat new file mode 100644 index 000000000..7cebd7f25 --- /dev/null +++ b/testing/tests/af-alg-ikev2/rw-cert/posttest.dat @@ -0,0 +1,6 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +dave::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/af-alg-ikev2/rw-cert/pretest.dat b/testing/tests/af-alg-ikev2/rw-cert/pretest.dat new file mode 100644 index 000000000..42e9d7c24 --- /dev/null +++ b/testing/tests/af-alg-ikev2/rw-cert/pretest.dat @@ -0,0 +1,9 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +dave::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +carol::ipsec start +dave::ipsec start +carol::sleep 1 +carol::ipsec up home +dave::ipsec up home diff --git a/testing/tests/af-alg-ikev2/rw-cert/test.conf b/testing/tests/af-alg-ikev2/rw-cert/test.conf new file mode 100644 index 000000000..70416826e --- /dev/null +++ b/testing/tests/af-alg-ikev2/rw-cert/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ha/both-active/evaltest.dat b/testing/tests/ha/both-active/evaltest.dat index 7256743ac..3fb52f927 100644 --- a/testing/tests/ha/both-active/evaltest.dat +++ b/testing/tests/ha/both-active/evaltest.dat @@ -1,13 +1,13 @@ -moon::ipsec statusall::rw.*ESTABLISHED.*carol@strongswan.org::YES -moon::ipsec statusall::rw.*ESTABLISHED.*dave@strongswan.org::YES -alice::ipsec statusall::rw.*PASSIVE.*carol@strongswan.org::YES -alice::ipsec statusall::rw.*PASSIVE.*dave@strongswan.org::YES +alice::ipsec statusall::rw.*ESTABLISHED.*carol@strongswan.org::YES +alice::ipsec statusall::rw.*ESTABLISHED.*dave@strongswan.org::YES +moon::ipsec statusall::rw.*PASSIVE.*carol@strongswan.org::YES +moon::ipsec statusall::rw.*PASSIVE.*dave@strongswan.org::YES carol::ipsec statusall::home.*ESTABLISHED::YES dave::ipsec statusall::home.*ESTABLISHED::YES -alice::cat /var/log/daemon.log::HA segment 1 activated::YES moon::cat /var/log/daemon.log::HA segment 2 activated::YES -alice::cat /var/log/daemon.log::installed HA CHILD_SA::YES -moon::cat /var/log/daemon.log::handling HA CHILD_SA::YES +alice::cat /var/log/daemon.log::HA segment 1 activated::YES +moon::cat /var/log/daemon.log::installed HA CHILD_SA::YES +alice::cat /var/log/daemon.log::handling HA CHILD_SA::YES carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES carol::tcpdump::IP carol.strongswan.org > mars.strongswan.org: ESP::YES diff --git a/testing/tests/ikev1/dpd-restart/evaltest.dat b/testing/tests/ikev1/dpd-restart/evaltest.dat index d9a514623..8bc2e8688 100644 --- a/testing/tests/ikev1/dpd-restart/evaltest.dat +++ b/testing/tests/ikev1/dpd-restart/evaltest.dat @@ -1,12 +1,7 @@ moon::ipsec status::STATE_MAIN_I4 (ISAKMP SA established)::YES carol::iptables -I INPUT 1 -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO -<<<<<<< HEAD -moon::sleep 35::no output expected::NO -carol::iptables -D INPUT 1::no output expected::NO -======= carol::sleep 35::no output expected::NO carol::iptables -D INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO ->>>>>>> upstream/4.5.1 moon::cat /var/log/auth.log::inserting event EVENT_DPD::YES moon::cat /var/log/auth.log::DPD: No response from peer - declaring peer dead::YES moon::cat /var/log/auth.log::DPD: Terminating all SAs using this connection::YES diff --git a/testing/tests/ikev1/dynamic-initiator/pretest.dat b/testing/tests/ikev1/dynamic-initiator/pretest.dat index 9818a6503..92681011f 100644 --- a/testing/tests/ikev1/dynamic-initiator/pretest.dat +++ b/testing/tests/ikev1/dynamic-initiator/pretest.dat @@ -10,8 +10,4 @@ carol::sleep 1 carol::iptables -D INPUT -i eth0 -p udp --dport 500 --sport 500 -j ACCEPT carol::iptables -D OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT dave::ipsec up moon -<<<<<<< HEAD -dave::sleep 1 -======= dave::sleep 2 ->>>>>>> upstream/4.5.1 diff --git a/testing/tests/ikev1/dynamic-responder/pretest.dat b/testing/tests/ikev1/dynamic-responder/pretest.dat index 983e0a47c..c0f166ff4 100644 --- a/testing/tests/ikev1/dynamic-responder/pretest.dat +++ b/testing/tests/ikev1/dynamic-responder/pretest.dat @@ -10,8 +10,4 @@ moon::sleep 1 carol::iptables -D INPUT -i eth0 -p udp --dport 500 --sport 500 -j ACCEPT carol::iptables -D OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT dave::ipsec up moon -<<<<<<< HEAD -dave::sleep 1 -======= dave::sleep 2 ->>>>>>> upstream/4.5.1 diff --git a/testing/tests/ikev1/net2net-start/pretest.dat b/testing/tests/ikev1/net2net-start/pretest.dat index ed8f39316..f0c5bcec6 100644 --- a/testing/tests/ikev1/net2net-start/pretest.dat +++ b/testing/tests/ikev1/net2net-start/pretest.dat @@ -2,4 +2,4 @@ moon::/etc/init.d/iptables start 2> /dev/null sun::/etc/init.d/iptables start 2> /dev/null moon::ipsec start sun::ipsec start -alice::sleep 12 +alice::sleep 20 diff --git a/testing/tests/ikev1/xauth-rsa-fail/description.txt b/testing/tests/ikev1/xauth-rsa-fail/description.txt index ed0fd3640..98d85f30b 100644 --- a/testing/tests/ikev1/xauth-rsa-fail/description.txt +++ b/testing/tests/ikev1/xauth-rsa-fail/description.txt @@ -2,8 +2,4 @@ The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>. The authentication is based on RSA signatures (<b>RSASIG</b>) using X.509 certificates followed by extended authentication (<b>XAUTH</b>) based on user name and password. Because user <b>carol</b> presents a wrong -<<<<<<< HEAD -XAUTH password the IKE negotation is aborted and the ISAKMP SA is deleted. -======= XAUTH password the IKE negotiation is aborted and the ISAKMP SA is deleted. ->>>>>>> upstream/4.5.1 diff --git a/testing/tests/ikev1/xauth-rsa-nosecret/description.txt b/testing/tests/ikev1/xauth-rsa-nosecret/description.txt index 00ef6927c..a6fe82330 100644 --- a/testing/tests/ikev1/xauth-rsa-nosecret/description.txt +++ b/testing/tests/ikev1/xauth-rsa-nosecret/description.txt @@ -2,9 +2,5 @@ The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>. The authentication is based on RSA signatures (<b>RSASIG</b>) using X.509 certificates followed by extended authentication (<b>XAUTH</b>) based on user name and password. Because user <b>carol</b> cannot find her -<<<<<<< HEAD -XAUTH credentials in ipsec.secrets, the IKE negotation is aborted and the -======= XAUTH credentials in ipsec.secrets, the IKE negotiation is aborted and the ->>>>>>> upstream/4.5.1 ISAKMP SA is deleted. diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/strongswan.conf index d1c018dfa..47dab951f 100644 --- a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/strongswan.conf @@ -1,9 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { -<<<<<<< HEAD - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default -======= load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random constraints x509 revocation hmac xcbc stroke kernel-netlink socket-default ->>>>>>> upstream/4.5.1 } diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/strongswan.conf index f526e193d..8335e51f6 100644 --- a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/strongswan.conf @@ -1,9 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { -<<<<<<< HEAD - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default -======= load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation constraints hmac xcbc stroke kernel-netlink socket-default ->>>>>>> upstream/4.5.1 } diff --git a/testing/tests/ikev2/rw-eap-peap-md5/description.txt b/testing/tests/ikev2/rw-eap-peap-md5/description.txt new file mode 100644 index 000000000..7f9ade88a --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-md5/description.txt @@ -0,0 +1,10 @@ +The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>. +The strong mutual authentication is based on <b>EAP-PEAP</b> only (without a separate IKEv2 +authentication) with the gateway being authenticated by a server certificate during the +EAP-TLS tunnel setup (phase1 of EAP-PEAP). This tunnel protects the ensuing weak client +authentication based on <b>EAP-MD5</b> (phase2 of EAP-PEAP). +<p/> +With the setting <b>charon.plugins.eap-peap.phase2_piggyback = yes</b> the server <b>moon</b> +initiates phase2 of the EAP-PEAP protocol by piggybacking a tunneled EAP Identity request +right onto the TLS Finished message. Client <b>carol</b> presents the correct MD5 password +and succeeds whereas client <b>dave</b> chooses the wrong password and fails. diff --git a/testing/tests/ikev2/rw-eap-peap-md5/evaltest.dat b/testing/tests/ikev2/rw-eap-peap-md5/evaltest.dat new file mode 100644 index 000000000..0908e1c97 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-md5/evaltest.dat @@ -0,0 +1,19 @@ +carol::cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES +carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES +carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES +carol::cat /var/log/daemon.log::EAP method EAP_PEAP succeeded, MSK established::YES +carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with EAP successful::YES +dave::cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES +dave::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES +dave::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES +dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES +moon::cat /var/log/daemon.log::EAP_PEAP phase2 authentication of 'carol@strongswan.org' with EAP_MD5 successful::YES +moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES +moon::cat /var/log/daemon.log::EAP method EAP_PEAP failed for peer dave@strongswan.org::YES +moon::ipsec statusall::rw-eap.*ESTABLISHED.*carol@strongswan.org::YES +moon::ipsec statusall::rw-eap.*ESTABLISHED.*dave@stronswan.org::NO +carol::ipsec statusall::home.*ESTABLISHED::YES +dave::ipsec statusall::home.*ESTABLISHED::NO +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/rw-eap-peap-md5/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-peap-md5/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..2f8b9dfda --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-md5/hosts/carol/etc/ipsec.conf @@ -0,0 +1,22 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_CAROL + leftid=carol@strongswan.org + leftauth=eap + leftfirewall=yes + right=PH_IP_MOON + rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org" + rightsubnet=10.1.0.0/16 + rightsendcert=never + auto=add diff --git a/testing/tests/ikev2/rw-eap-peap-md5/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-peap-md5/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..74942afda --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-md5/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +carol@strongswan.org : EAP "Ar3etTnp" diff --git a/testing/tests/ikev2/rw-eap-peap-md5/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-peap-md5/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..2c06d26a6 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-md5/hosts/carol/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-peap updown + multiple_authentication=no +} diff --git a/testing/tests/ikev2/rw-eap-peap-md5/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-peap-md5/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..3a29329d5 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-md5/hosts/dave/etc/ipsec.conf @@ -0,0 +1,22 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_DAVE + leftid=dave@strongswan.org + leftauth=eap + leftfirewall=yes + right=PH_IP_MOON + rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org" + rightsubnet=10.1.0.0/16 + rightsendcert=never + auto=add diff --git a/testing/tests/ikev2/rw-eap-peap-md5/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-peap-md5/hosts/dave/etc/ipsec.secrets new file mode 100644 index 000000000..d5631a9f5 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-md5/hosts/dave/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +dave@strongswan.org : EAP "UgaM65Va" diff --git a/testing/tests/ikev2/rw-eap-peap-md5/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-peap-md5/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..2c06d26a6 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-md5/hosts/dave/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-peap updown + multiple_authentication=no +} diff --git a/testing/tests/ikev2/rw-eap-peap-md5/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-peap-md5/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..129486c05 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-md5/hosts/moon/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn rw-eap + left=PH_IP_MOON + leftsubnet=10.1.0.0/16 + leftcert=moonCert.pem + leftauth=eap-peap + leftfirewall=yes + rightauth=eap-peap + rightsendcert=never + right=%any + auto=add diff --git a/testing/tests/ikev2/rw-eap-peap-md5/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-peap-md5/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..2e277ccb0 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-md5/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,6 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA moonKey.pem + +carol@strongswan.org : EAP "Ar3etTnp" +dave@strongswan.org : EAP "W7R0g3do" diff --git a/testing/tests/ikev2/rw-eap-peap-md5/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-peap-md5/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..68d2cd95a --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-md5/hosts/moon/etc/strongswan.conf @@ -0,0 +1,12 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-peap updown + multiple_authentication=no + plugins { + eap-peap { + phase2_method = md5 + phase2_piggyback = yes + } + } +} diff --git a/testing/tests/ikev2/rw-eap-peap-md5/posttest.dat b/testing/tests/ikev2/rw-eap-peap-md5/posttest.dat new file mode 100644 index 000000000..7cebd7f25 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-md5/posttest.dat @@ -0,0 +1,6 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +dave::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev2/rw-eap-peap-md5/pretest.dat b/testing/tests/ikev2/rw-eap-peap-md5/pretest.dat new file mode 100644 index 000000000..369596177 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-md5/pretest.dat @@ -0,0 +1,10 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +dave::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +carol::ipsec start +dave::ipsec start +carol::sleep 1 +carol::ipsec up home +dave::ipsec up home +dave::sleep 1 diff --git a/testing/tests/ikev2/rw-eap-peap-md5/test.conf b/testing/tests/ikev2/rw-eap-peap-md5/test.conf new file mode 100644 index 000000000..70416826e --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-md5/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/description.txt b/testing/tests/ikev2/rw-eap-peap-mschapv2/description.txt new file mode 100644 index 000000000..ef2d24f2f --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/description.txt @@ -0,0 +1,8 @@ +The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>. +The strong mutual authentication is based on <b>EAP-PEAP</b> only (without a separate IKEv2 +authentication) with the gateway being authenticated by a server certificate during the +EAP-TLS tunnel setup (phase1 of EAP-PEAP). This tunnel protects the ensuing weak client +authentication based on <b>EAP-MSCHAPv2</b> (phase2 of EAP-PEAP). +<p/> +Client <b>carol</b> presents the correct MSCHAPv2 password and succeeds whereas client +<b>dave</b> chooses the wrong password and fails. diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/evaltest.dat b/testing/tests/ikev2/rw-eap-peap-mschapv2/evaltest.dat new file mode 100644 index 000000000..8743b9643 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/evaltest.dat @@ -0,0 +1,19 @@ +carol::cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES +carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES +carol::cat /var/log/daemon.log::server requested EAP_MSCHAPV2 authentication::YES +carol::cat /var/log/daemon.log::EAP method EAP_PEAP succeeded, MSK established::YES +carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with EAP successful::YES +dave::cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES +dave::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES +dave::cat /var/log/daemon.log::server requested EAP_MSCHAPV2 authentication::YES +dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES +moon::cat /var/log/daemon.log::EAP_PEAP phase2 authentication of 'carol@strongswan.org' with EAP_MSCHAPV2 successful::YES +moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES +moon::cat /var/log/daemon.log::EAP method EAP_PEAP failed for peer dave@strongswan.org::YES +moon::ipsec statusall::rw-eap.*ESTABLISHED.*carol@strongswan.org::YES +moon::ipsec statusall::rw-eap.*ESTABLISHED.*dave@stronswan.org::NO +carol::ipsec statusall::home.*ESTABLISHED::YES +dave::ipsec statusall::home.*ESTABLISHED::NO +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..2f8b9dfda --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/carol/etc/ipsec.conf @@ -0,0 +1,22 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_CAROL + leftid=carol@strongswan.org + leftauth=eap + leftfirewall=yes + right=PH_IP_MOON + rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org" + rightsubnet=10.1.0.0/16 + rightsendcert=never + auto=add diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..74942afda --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +carol@strongswan.org : EAP "Ar3etTnp" diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..2cbfb2484 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/carol/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md4 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-mschapv2 eap-peap updown + multiple_authentication=no +} diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..3a29329d5 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/dave/etc/ipsec.conf @@ -0,0 +1,22 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_DAVE + leftid=dave@strongswan.org + leftauth=eap + leftfirewall=yes + right=PH_IP_MOON + rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org" + rightsubnet=10.1.0.0/16 + rightsendcert=never + auto=add diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/dave/etc/ipsec.secrets new file mode 100644 index 000000000..d5631a9f5 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/dave/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +dave@strongswan.org : EAP "UgaM65Va" diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..2cbfb2484 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/dave/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md4 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-mschapv2 eap-peap updown + multiple_authentication=no +} diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..129486c05 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/moon/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn rw-eap + left=PH_IP_MOON + leftsubnet=10.1.0.0/16 + leftcert=moonCert.pem + leftauth=eap-peap + leftfirewall=yes + rightauth=eap-peap + rightsendcert=never + right=%any + auto=add diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..2e277ccb0 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,6 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA moonKey.pem + +carol@strongswan.org : EAP "Ar3etTnp" +dave@strongswan.org : EAP "W7R0g3do" diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..19d12447f --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/moon/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md4 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-mschapv2 eap-peap updown + multiple_authentication=no + plugins { + eap-peap { + phase2_method = mschapv2 + } + } +} diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/posttest.dat b/testing/tests/ikev2/rw-eap-peap-mschapv2/posttest.dat new file mode 100644 index 000000000..7cebd7f25 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/posttest.dat @@ -0,0 +1,6 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +dave::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/pretest.dat b/testing/tests/ikev2/rw-eap-peap-mschapv2/pretest.dat new file mode 100644 index 000000000..369596177 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/pretest.dat @@ -0,0 +1,10 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +dave::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +carol::ipsec start +dave::ipsec start +carol::sleep 1 +carol::ipsec up home +dave::ipsec up home +dave::sleep 1 diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/test.conf b/testing/tests/ikev2/rw-eap-peap-mschapv2/test.conf new file mode 100644 index 000000000..70416826e --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev2/rw-eap-peap-radius/description.txt b/testing/tests/ikev2/rw-eap-peap-radius/description.txt new file mode 100644 index 000000000..89db03a38 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-radius/description.txt @@ -0,0 +1,8 @@ +The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>. +At the outset the gateway authenticates itself to the clients by sending an IKEv2 +<b>RSA signature</b> accompanied by a certificate. +<b>carol</b> and <b>dave</b> then set up an <b>EAP-PEAP</b> tunnel each via <b>moon</b> to +the FreeRADIUS server <b>alice</b> authenticated by an X.509 AAA certificate. +The strong EAP-PEAP tunnel protects the ensuing weak client authentication based on <b>EAP-MD5</b>. +<b>carol</b> presents the correct MD5 password and succeeds whereas <b>dave</b> chooses the +wrong password and fails. diff --git a/testing/tests/ikev2/rw-eap-peap-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-peap-radius/evaltest.dat new file mode 100644 index 000000000..39a24f15e --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-radius/evaltest.dat @@ -0,0 +1,21 @@ +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES +carol::cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES +carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES +carol::cat /var/log/daemon.log::EAP method EAP_PEAP succeeded, MSK established::YES +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES +dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES +dave::cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES +dave::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES +dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES +moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES +moon::cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES +moon::cat /var/log/daemon.log::EAP method EAP_PEAP failed for peer dave@strongswan.org::YES +moon::ipsec statusall::rw-eap.*ESTABLISHED.*carol@strongswan.org::YES +moon::ipsec statusall::rw-eap.*ESTABLISHED.*dave@strongswan.org::NO +carol::ipsec statusall::home.*ESTABLISHED::YES +dave::ipsec statusall::home.*ESTABLISHED::NO +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES + + diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/clients.conf new file mode 100644 index 000000000..f4e179aa4 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/clients.conf @@ -0,0 +1,4 @@ +client PH_IP_MOON1 { + secret = gv6URkSs + shortname = moon +} diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/eap.conf new file mode 100644 index 000000000..df50901d5 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/eap.conf @@ -0,0 +1,18 @@ +eap { + md5 { + } + default_eap_type = peap + tls { + private_key_file = /etc/raddb/certs/aaaKey.pem + certificate_file = /etc/raddb/certs/aaaCert.pem + CA_file = /etc/raddb/certs/strongswanCert.pem + cipher_list = "DEFAULT" + dh_file = /etc/raddb/certs/dh + random_file = /etc/raddb/certs/random + } + peap { + default_eap_type = md5 + use_tunneled_reply = yes + virtual_server = "inner-tunnel" + } +} diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/proxy.conf new file mode 100644 index 000000000..23cba8d11 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/proxy.conf @@ -0,0 +1,5 @@ +realm strongswan.org { + type = radius + authhost = LOCAL + accthost = LOCAL +} diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/radiusd.conf new file mode 100644 index 000000000..1143a0473 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/radiusd.conf @@ -0,0 +1,120 @@ +# radiusd.conf -- FreeRADIUS server configuration file. + +prefix = /usr +exec_prefix = ${prefix} +sysconfdir = /etc +localstatedir = /var +sbindir = ${exec_prefix}/sbin +logdir = ${localstatedir}/log/radius +raddbdir = ${sysconfdir}/raddb +radacctdir = ${logdir}/radacct + +# name of the running server. See also the "-n" command-line option. +name = radiusd + +# Location of config and logfiles. +confdir = ${raddbdir} +run_dir = ${localstatedir}/run/radiusd + +# Should likely be ${localstatedir}/lib/radiusd +db_dir = ${raddbdir} + +# libdir: Where to find the rlm_* modules. +libdir = ${exec_prefix}/lib + +# pidfile: Where to place the PID of the RADIUS server. +pidfile = ${run_dir}/${name}.pid + +# max_request_time: The maximum time (in seconds) to handle a request. +max_request_time = 30 + +# cleanup_delay: The time to wait (in seconds) before cleaning up +cleanup_delay = 5 + +# max_requests: The maximum number of requests which the server keeps +max_requests = 1024 + +# listen: Make the server listen on a particular IP address, and send +listen { + type = auth + ipaddr = PH_IP_ALICE + port = 0 +} + +# This second "listen" section is for listening on the accounting +# port, too. +# +listen { + type = acct + ipaddr = PH_IP_ALICE + port = 0 +} + +# hostname_lookups: Log the names of clients or just their IP addresses +hostname_lookups = no + +# Core dumps are a bad thing. This should only be set to 'yes' +allow_core_dumps = no + +# Regular expressions +regular_expressions = yes +extended_expressions = yes + +# Logging section. The various "log_*" configuration items +log { + destination = files + file = ${logdir}/radius.log + syslog_facility = daemon + stripped_names = no + auth = yes + auth_badpass = yes + auth_goodpass = yes +} + +# The program to execute to do concurrency checks. +checkrad = ${sbindir}/checkrad + +# Security considerations +security { + max_attributes = 200 + reject_delay = 1 + status_server = yes +} + +# PROXY CONFIGURATION +proxy_requests = yes +$INCLUDE proxy.conf + +# CLIENTS CONFIGURATION +$INCLUDE clients.conf + +# THREAD POOL CONFIGURATION +thread pool { + start_servers = 5 + max_servers = 32 + min_spare_servers = 3 + max_spare_servers = 10 + max_requests_per_server = 0 +} + +# MODULE CONFIGURATION +modules { + $INCLUDE ${confdir}/modules/ + $INCLUDE eap.conf + $INCLUDE sql.conf + $INCLUDE sql/mysql/counter.conf +} + +# Instantiation +instantiate { + exec + expr + expiration + logintime +} + +# Policies +$INCLUDE policy.conf + +# Include all enabled virtual hosts +$INCLUDE sites-enabled/ diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/sites-available/default new file mode 100644 index 000000000..802fcfd8d --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/sites-available/default @@ -0,0 +1,44 @@ +authorize { + suffix + eap { + ok = return + } + files +} + +authenticate { + eap +} + +preacct { + preprocess + acct_unique + suffix + files +} + +accounting { + detail + unix + radutmp + attr_filter.accounting_response +} + +session { + radutmp +} + +post-auth { + exec + Post-Auth-Type REJECT { + attr_filter.access_reject + } +} + +pre-proxy { +} + +post-proxy { + eap +} + diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel new file mode 100644 index 000000000..e088fae14 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel @@ -0,0 +1,32 @@ +server inner-tunnel { + +authorize { + suffix + eap { + ok = return + } + files +} + +authenticate { + eap +} + +session { + radutmp +} + +post-auth { + Post-Auth-Type REJECT { + attr_filter.access_reject + } +} + +pre-proxy { +} + +post-proxy { + eap +} + +} # inner-tunnel server block diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/users b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/users new file mode 100644 index 000000000..50ccf3e76 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/users @@ -0,0 +1,2 @@ +carol Cleartext-Password := "Ar3etTnp" +dave Cleartext-Password := "W7R0g3do" diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-peap-radius/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..b2eef5785 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/carol/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_CAROL + leftid=carol@strongswan.org + leftauth=eap + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + rightauth=pubkey + aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org" + auto=add diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-peap-radius/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..74942afda --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +carol@strongswan.org : EAP "Ar3etTnp" diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-peap-radius/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..2c06d26a6 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/carol/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-peap updown + multiple_authentication=no +} diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-peap-radius/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..3c8ea5c58 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/dave/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_DAVE + leftid=dave@strongswan.org + leftauth=eap + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + rightauth=pubkey + aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org" + auto=add diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-peap-radius/hosts/dave/etc/ipsec.secrets new file mode 100644 index 000000000..d5631a9f5 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/dave/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +dave@strongswan.org : EAP "UgaM65Va" diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-peap-radius/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..2c06d26a6 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/dave/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-peap updown + multiple_authentication=no +} diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/init.d/iptables new file mode 100755 index 000000000..56587b2e8 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/init.d/iptables @@ -0,0 +1,84 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +opts="start stop reload" + +depend() { + before net + need logger +} + +start() { + ebegin "Starting firewall" + + # enable IP forwarding + echo 1 > /proc/sys/net/ipv4/ip_forward + + # default policy is DROP + /sbin/iptables -P INPUT DROP + /sbin/iptables -P OUTPUT DROP + /sbin/iptables -P FORWARD DROP + + # allow esp + iptables -A INPUT -i eth0 -p 50 -j ACCEPT + iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT + + # allow IKE + iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT + iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + + # allow MobIKE + iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT + iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + + # allow crl fetch from winnetou + iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT + iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + + # allow RADIUS protocol with alice + iptables -A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT + iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT + + # allow ssh + iptables -A INPUT -p tcp --dport 22 -j ACCEPT + iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT + + eend $? +} + +stop() { + ebegin "Stopping firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + + if [ $a == nat ]; then + /sbin/iptables -t nat -P PREROUTING ACCEPT + /sbin/iptables -t nat -P POSTROUTING ACCEPT + /sbin/iptables -t nat -P OUTPUT ACCEPT + elif [ $a == mangle ]; then + /sbin/iptables -t mangle -P PREROUTING ACCEPT + /sbin/iptables -t mangle -P INPUT ACCEPT + /sbin/iptables -t mangle -P FORWARD ACCEPT + /sbin/iptables -t mangle -P OUTPUT ACCEPT + /sbin/iptables -t mangle -P POSTROUTING ACCEPT + elif [ $a == filter ]; then + /sbin/iptables -t filter -P INPUT ACCEPT + /sbin/iptables -t filter -P FORWARD ACCEPT + /sbin/iptables -t filter -P OUTPUT ACCEPT + fi + done + eend $? +} + +reload() { + ebegin "Flushing firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + done; + eend $? + start +} + diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..fc8f84638 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn rw-eap + left=PH_IP_MOON + leftsubnet=10.1.0.0/16 + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftauth=pubkey + leftfirewall=yes + rightauth=eap-radius + rightid=*@strongswan.org + rightsendcert=never + right=%any + auto=add diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..e86d6aa5c --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA moonKey.pem diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..4d2d3058d --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/strongswan.conf @@ -0,0 +1,12 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-radius updown + multiple_authentication=no + plugins { + eap-radius { + secret = gv6URkSs + server = PH_IP_ALICE + } + } +} diff --git a/testing/tests/ikev2/rw-eap-peap-radius/posttest.dat b/testing/tests/ikev2/rw-eap-peap-radius/posttest.dat new file mode 100644 index 000000000..dbe56013a --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-radius/posttest.dat @@ -0,0 +1,7 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +alice::/etc/init.d/radiusd stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +dave::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev2/rw-eap-peap-radius/pretest.dat b/testing/tests/ikev2/rw-eap-peap-radius/pretest.dat new file mode 100644 index 000000000..cbe1ae229 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-radius/pretest.dat @@ -0,0 +1,11 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +dave::/etc/init.d/iptables start 2> /dev/null +alice::/etc/init.d/radiusd start +moon::ipsec start +carol::ipsec start +dave::ipsec start +carol::sleep 1 +carol::ipsec up home +dave::ipsec up home +dave::sleep 1 diff --git a/testing/tests/ikev2/rw-eap-peap-radius/test.conf b/testing/tests/ikev2/rw-eap-peap-radius/test.conf new file mode 100644 index 000000000..e6a786a94 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-radius/test.conf @@ -0,0 +1,26 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice carol winnetou dave moon" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" + +# UML instances on which FreeRadius is started +# +RADIUSHOSTS="alice" + diff --git a/testing/tests/ikev2/rw-eap-tnc-11/evaltest.dat b/testing/tests/ikev2/rw-eap-tnc-11/evaltest.dat index a02755148..f7d78d1ca 100644 --- a/testing/tests/ikev2/rw-eap-tnc-11/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-tnc-11/evaltest.dat @@ -6,9 +6,11 @@ dave::cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES dave::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES -moon::cat /var/log/daemon.log::added group membership 'allow'::YES +moon::cat /var/log/auth.log::policy enforced on peer 'carol@strongswan.org' is 'allow'::YES +moon::cat /var/log/daemon.log::policy enforcement point added group membership 'allow'::YES moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES -moon::cat /var/log/daemon.log::added group membership 'isolate'::YES +moon::cat /var/log/auth.log::policy enforced on peer 'dave@strongswan.org' is 'isolate'::YES +moon::cat /var/log/daemon.log::policy enforcement point added group membership 'isolate'::YES moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES moon::ipsec statusall::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/tnc/log4cxx.properties b/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/tnc/log4cxx.properties new file mode 100644 index 000000000..b1c694107 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/tnc/log4cxx.properties @@ -0,0 +1,15 @@ +# Set root logger level to DEBUG and its appenders to A1 and A2. +log4j.rootLogger=DEBUG, A1, A2 + +# A1 is set to be a ConsoleAppender. +log4j.appender.A1=org.apache.log4j.ConsoleAppender +log4j.appender.A1.layout=org.apache.log4j.PatternLayout +log4j.appender.A1.layout.ConversionPattern=--[IMC] %m%n + +# A2 is set to be a SyslogAppender +log4j.appender.A2=org.apache.log4j.net.SyslogAppender +log4j.appender.A2.Facility=DAEMON +log4j.appender.A2.SyslogHost=localhost +log4j.appender.A2.Threshold=DEBUG +log4j.appender.A2.layout=org.apache.log4j.PatternLayout +log4j.appender.A2.layout.ConversionPattern=--[IMC] %m%n diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/tnc_config index a5a9a68f3..d2fabe109 100644 --- a/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/tnc_config +++ b/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/tnc_config @@ -1,3 +1,4 @@ #IMC configuration file for strongSwan client -IMC "Dummy" /usr/local/lib/libdummyimc.so +IMC "Dummy" /usr/local/lib/libdummyimc.so +#IMC "HostScanner" /usr/local/lib/libhostscannerimc.so diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/tnc/log4cxx.properties b/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/tnc/log4cxx.properties new file mode 100644 index 000000000..b1c694107 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/tnc/log4cxx.properties @@ -0,0 +1,15 @@ +# Set root logger level to DEBUG and its appenders to A1 and A2. +log4j.rootLogger=DEBUG, A1, A2 + +# A1 is set to be a ConsoleAppender. +log4j.appender.A1=org.apache.log4j.ConsoleAppender +log4j.appender.A1.layout=org.apache.log4j.PatternLayout +log4j.appender.A1.layout.ConversionPattern=--[IMC] %m%n + +# A2 is set to be a SyslogAppender +log4j.appender.A2=org.apache.log4j.net.SyslogAppender +log4j.appender.A2.Facility=DAEMON +log4j.appender.A2.SyslogHost=localhost +log4j.appender.A2.Threshold=DEBUG +log4j.appender.A2.layout=org.apache.log4j.PatternLayout +log4j.appender.A2.layout.ConversionPattern=--[IMC] %m%n diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/tnc_config index a5a9a68f3..d2fabe109 100644 --- a/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/tnc_config +++ b/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/tnc_config @@ -1,3 +1,4 @@ #IMC configuration file for strongSwan client -IMC "Dummy" /usr/local/lib/libdummyimc.so +IMC "Dummy" /usr/local/lib/libdummyimc.so +#IMC "HostScanner" /usr/local/lib/libhostscannerimc.so diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/tnc/dummyimv.policy b/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/tnc/dummyimv.policy new file mode 100644 index 000000000..d00491fd7 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/tnc/dummyimv.policy @@ -0,0 +1 @@ +1 diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/tnc/hostscannerimv.policy b/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/tnc/hostscannerimv.policy new file mode 100644 index 000000000..d8215dd3c --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/tnc/hostscannerimv.policy @@ -0,0 +1,40 @@ +#FTP - File Transfer Protocol +TCP 20 = whatever +TCP 21 = close + +#SSH - Secure Shell +TCP 22 = whatever + +#Telnet +TCP 23 = close + +#E-Mail +# +#SMTP - Simple Mail Transfer Protocol +TCP 25 = close +TCP 587 = close +#POP3 - Post Office Protocol version 3 +TCP 110 = close +TCP 995 = close + +#DNS - Domain Name System +UDP 53 = close +TCP 53 = close + +#BOOTP/DHCP - Bootstrap Protocol / +#Dynamic Host Configuration Protocol +UDP 67 = close +#UDP 68 = open +UDP 68 = whatever + +#www - World Wide Web +#HTTP - Hypertext Transfer Protocol +TCP 80 = close +#HTTPS - Hypertext Transfer Protocol Secure +TCP 443 = close + +#examples +TCP 8080 = close +TCP 5223 = whatever +UDP 4444 = close +UDP 631 = whatever diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/tnc/log4cxx.properties b/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/tnc/log4cxx.properties new file mode 100644 index 000000000..122d798b3 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/tnc/log4cxx.properties @@ -0,0 +1,15 @@ +# Set root logger level to DEBUG and its appenders to A1 and A2. +log4j.rootLogger=DEBUG, A1, A2 + +# A1 is set to be a ConsoleAppender. +log4j.appender.A1=org.apache.log4j.ConsoleAppender +log4j.appender.A1.layout=org.apache.log4j.PatternLayout +log4j.appender.A1.layout.ConversionPattern=--[IMV] %m%n + +# A2 is set to be a SyslogAppender +log4j.appender.A2=org.apache.log4j.net.SyslogAppender +log4j.appender.A2.Facility=DAEMON +log4j.appender.A2.SyslogHost=localhost +log4j.appender.A2.Threshold=DEBUG +log4j.appender.A2.layout=org.apache.log4j.PatternLayout +log4j.appender.A2.layout.ConversionPattern=--[IMV] %m%n diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/tnc_config index ac436a344..140caa98f 100644 --- a/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/tnc_config +++ b/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/tnc_config @@ -1,3 +1,4 @@ #IMV configuration file for strongSwan server -IMV "Dummy" /usr/local/lib/libdummyimv.so +IMV "Dummy" /usr/local/lib/libdummyimv.so +#IMV "HostScanner" /usr/local/lib/libhostscannerimv.so diff --git a/testing/tests/ikev2/rw-eap-tnc-11/pretest.dat b/testing/tests/ikev2/rw-eap-tnc-11/pretest.dat index ce897d181..9896b1e4a 100644 --- a/testing/tests/ikev2/rw-eap-tnc-11/pretest.dat +++ b/testing/tests/ikev2/rw-eap-tnc-11/pretest.dat @@ -6,9 +6,9 @@ carol::cat /etc/tnc_config dave::cat /etc/tnc_config carol::cat /etc/tnc/dummyimc.file dave::cat /etc/tnc/dummyimc.file -moon::ipsec start -carol::ipsec start -dave::ipsec start +moon::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start +carol::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start +dave::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start carol::sleep 1 carol::ipsec up home dave::ipsec up home diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/evaltest.dat b/testing/tests/ikev2/rw-eap-tnc-20-block/evaltest.dat index f1753c208..e3c482441 100644 --- a/testing/tests/ikev2/rw-eap-tnc-20-block/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-tnc-20-block/evaltest.dat @@ -5,8 +5,10 @@ carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/3 dave::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Denied'::YES dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.0/16::NO -moon::cat /var/log/daemon.log::added group membership 'allow'::YES -moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES +moon::cat /var/log/auth.log::policy enforced on peer 'carol@strongswan.org' is 'allow'::YES +moon::cat /var/log/daemon.log::policy enforcement point added group membership 'allow'::YES +moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES +moon::cat /var/log/auth.log::policy enforced on peer 'dave@strongswan.org' is 'no access'::YES moon::cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/tnc/dummyimv.policy b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/tnc/dummyimv.policy new file mode 100644 index 000000000..573541ac9 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/tnc/dummyimv.policy @@ -0,0 +1 @@ +0 diff --git a/testing/tests/ikev2/rw-eap-tnc-20-tls/evaltest.dat b/testing/tests/ikev2/rw-eap-tnc-20-tls/evaltest.dat index bbc0603b6..c871bb6da 100644 --- a/testing/tests/ikev2/rw-eap-tnc-20-tls/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-tnc-20-tls/evaltest.dat @@ -6,9 +6,11 @@ dave::cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YE dave::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES -moon::cat /var/log/daemon.log::added group membership 'allow'::YES -moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES -moon::cat /var/log/daemon.log::added group membership 'isolate'::YES +moon::cat /var/log/auth.log::policy enforced on peer 'carol@strongswan.org' is 'allow'::YES +moon::cat /var/log/daemon.log::policy enforcement point added group membership 'allow'::YES +moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES +moon::cat /var/log/auth.log::policy enforced on peer 'dave@strongswan.org' is 'isolate'::YES +moon::cat /var/log/daemon.log::policy enforcement point added group membership 'isolate'::YES moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES moon::ipsec statusall::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES diff --git a/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/tnc/dummyimv.policy b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/tnc/dummyimv.policy new file mode 100644 index 000000000..573541ac9 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/tnc/dummyimv.policy @@ -0,0 +1 @@ +0 diff --git a/testing/tests/ikev2/rw-eap-tnc-20/evaltest.dat b/testing/tests/ikev2/rw-eap-tnc-20/evaltest.dat index 737c9b9ef..d334a9b97 100644 --- a/testing/tests/ikev2/rw-eap-tnc-20/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-tnc-20/evaltest.dat @@ -6,9 +6,11 @@ dave::cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YE dave::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES -moon::cat /var/log/daemon.log::added group membership 'allow'::YES +moon::cat /var/log/auth.log::policy enforced on peer 'carol@strongswan.org' is 'allow'::YES +moon::cat /var/log/daemon.log::policy enforcement point added group membership 'allow'::YES moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES -moon::cat /var/log/daemon.log::added group membership 'isolate'::YES +moon::cat /var/log/auth.log::policy enforced on peer 'dave@strongswan.org' is 'isolate'::YES +moon::cat /var/log/daemon.log::policy enforcement point added group membership 'isolate'::YES moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES moon::ipsec statusall::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/tnc/log4cxx.properties b/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/tnc/log4cxx.properties new file mode 100644 index 000000000..b1c694107 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/tnc/log4cxx.properties @@ -0,0 +1,15 @@ +# Set root logger level to DEBUG and its appenders to A1 and A2. +log4j.rootLogger=DEBUG, A1, A2 + +# A1 is set to be a ConsoleAppender. +log4j.appender.A1=org.apache.log4j.ConsoleAppender +log4j.appender.A1.layout=org.apache.log4j.PatternLayout +log4j.appender.A1.layout.ConversionPattern=--[IMC] %m%n + +# A2 is set to be a SyslogAppender +log4j.appender.A2=org.apache.log4j.net.SyslogAppender +log4j.appender.A2.Facility=DAEMON +log4j.appender.A2.SyslogHost=localhost +log4j.appender.A2.Threshold=DEBUG +log4j.appender.A2.layout=org.apache.log4j.PatternLayout +log4j.appender.A2.layout.ConversionPattern=--[IMC] %m%n diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/tnc_config index 3797993fa..d2fabe109 100644 --- a/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/tnc_config +++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/tnc_config @@ -1,4 +1,4 @@ #IMC configuration file for strongSwan client IMC "Dummy" /usr/local/lib/libdummyimc.so -IMC "HostScanner" /usr/local/lib/libhostscannerimc.so +#IMC "HostScanner" /usr/local/lib/libhostscannerimc.so diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/tnc/log4cxx.properties b/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/tnc/log4cxx.properties new file mode 100644 index 000000000..b1c694107 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/tnc/log4cxx.properties @@ -0,0 +1,15 @@ +# Set root logger level to DEBUG and its appenders to A1 and A2. +log4j.rootLogger=DEBUG, A1, A2 + +# A1 is set to be a ConsoleAppender. +log4j.appender.A1=org.apache.log4j.ConsoleAppender +log4j.appender.A1.layout=org.apache.log4j.PatternLayout +log4j.appender.A1.layout.ConversionPattern=--[IMC] %m%n + +# A2 is set to be a SyslogAppender +log4j.appender.A2=org.apache.log4j.net.SyslogAppender +log4j.appender.A2.Facility=DAEMON +log4j.appender.A2.SyslogHost=localhost +log4j.appender.A2.Threshold=DEBUG +log4j.appender.A2.layout=org.apache.log4j.PatternLayout +log4j.appender.A2.layout.ConversionPattern=--[IMC] %m%n diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/tnc_config index 3797993fa..d2fabe109 100644 --- a/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/tnc_config +++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/tnc_config @@ -1,4 +1,4 @@ #IMC configuration file for strongSwan client IMC "Dummy" /usr/local/lib/libdummyimc.so -IMC "HostScanner" /usr/local/lib/libhostscannerimc.so +#IMC "HostScanner" /usr/local/lib/libhostscannerimc.so diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/tnc/dummyimv.policy b/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/tnc/dummyimv.policy new file mode 100644 index 000000000..d00491fd7 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/tnc/dummyimv.policy @@ -0,0 +1 @@ +1 diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/tnc/hostscannerimv.policy b/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/tnc/hostscannerimv.policy new file mode 100644 index 000000000..d8215dd3c --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/tnc/hostscannerimv.policy @@ -0,0 +1,40 @@ +#FTP - File Transfer Protocol +TCP 20 = whatever +TCP 21 = close + +#SSH - Secure Shell +TCP 22 = whatever + +#Telnet +TCP 23 = close + +#E-Mail +# +#SMTP - Simple Mail Transfer Protocol +TCP 25 = close +TCP 587 = close +#POP3 - Post Office Protocol version 3 +TCP 110 = close +TCP 995 = close + +#DNS - Domain Name System +UDP 53 = close +TCP 53 = close + +#BOOTP/DHCP - Bootstrap Protocol / +#Dynamic Host Configuration Protocol +UDP 67 = close +#UDP 68 = open +UDP 68 = whatever + +#www - World Wide Web +#HTTP - Hypertext Transfer Protocol +TCP 80 = close +#HTTPS - Hypertext Transfer Protocol Secure +TCP 443 = close + +#examples +TCP 8080 = close +TCP 5223 = whatever +UDP 4444 = close +UDP 631 = whatever diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/tnc/log4cxx.properties b/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/tnc/log4cxx.properties new file mode 100644 index 000000000..122d798b3 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/tnc/log4cxx.properties @@ -0,0 +1,15 @@ +# Set root logger level to DEBUG and its appenders to A1 and A2. +log4j.rootLogger=DEBUG, A1, A2 + +# A1 is set to be a ConsoleAppender. +log4j.appender.A1=org.apache.log4j.ConsoleAppender +log4j.appender.A1.layout=org.apache.log4j.PatternLayout +log4j.appender.A1.layout.ConversionPattern=--[IMV] %m%n + +# A2 is set to be a SyslogAppender +log4j.appender.A2=org.apache.log4j.net.SyslogAppender +log4j.appender.A2.Facility=DAEMON +log4j.appender.A2.SyslogHost=localhost +log4j.appender.A2.Threshold=DEBUG +log4j.appender.A2.layout=org.apache.log4j.PatternLayout +log4j.appender.A2.layout.ConversionPattern=--[IMV] %m%n diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/tnc_config index 67896d543..140caa98f 100644 --- a/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/tnc_config +++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/tnc_config @@ -1,4 +1,4 @@ #IMV configuration file for strongSwan server IMV "Dummy" /usr/local/lib/libdummyimv.so -IMV "HostScanner" /usr/local/lib/libhostscannerimv.so +#IMV "HostScanner" /usr/local/lib/libhostscannerimv.so diff --git a/testing/tests/ikev2/rw-eap-tnc-20/pretest.dat b/testing/tests/ikev2/rw-eap-tnc-20/pretest.dat index ce897d181..1c8eebad5 100644 --- a/testing/tests/ikev2/rw-eap-tnc-20/pretest.dat +++ b/testing/tests/ikev2/rw-eap-tnc-20/pretest.dat @@ -6,9 +6,9 @@ carol::cat /etc/tnc_config dave::cat /etc/tnc_config carol::cat /etc/tnc/dummyimc.file dave::cat /etc/tnc/dummyimc.file -moon::ipsec start -carol::ipsec start -dave::ipsec start +moon::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start +carol::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start +dave::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start carol::sleep 1 carol::ipsec up home dave::ipsec up home diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/evaltest.dat b/testing/tests/ikev2/rw-eap-tnc-dynamic/evaltest.dat index 2c7a2dbd7..593ac4505 100644 --- a/testing/tests/ikev2/rw-eap-tnc-dynamic/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/evaltest.dat @@ -8,14 +8,16 @@ dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES moon::cat /var/log/daemon.log::TNCCS 1.1 protocol detected dynamically::YES moon::cat /var/log/daemon.log::assigned TNCCS Connection ID 1::YES -moon::cat /var/log/daemon.log::Final recommendation is 'allow' and evaluation is 'compliant'::YES -moon::cat /var/log/daemon.log::added group membership 'allow'::YES +moon::cat /var/log/daemon.log::final recommendation is 'allow' and evaluation is 'compliant'::YES +moon::cat /var/log/auth.log::policy enforced on peer 'carol@strongswan.org' is 'allow'::YES +moon::cat /var/log/daemon.log::policy enforcement point added group membership 'allow'::YES moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES moon::cat /var/log/daemon.log::removed TNCCS Connection ID 1::YES moon::cat /var/log/daemon.log::TNCCS 2.0 protocol detected dynamically::YES moon::cat /var/log/daemon.log::assigned TNCCS Connection ID 2::YES -moon::cat /var/log/daemon.log::Final recommendation is 'isolate' and evaluation is 'non-compliant minor'::YES -moon::cat /var/log/daemon.log::added group membership 'isolate'::YES +moon::cat /var/log/daemon.log::final recommendation is 'isolate' and evaluation is 'non-compliant minor'::YES +moon::cat /var/log/auth.log::policy enforced on peer 'dave@strongswan.org' is 'isolate'::YES +moon::cat /var/log/daemon.log::policy enforcement point added group membership 'isolate'::YES moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES moon::cat /var/log/daemon.log::removed TNCCS Connection ID 2::YES moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/tnc_config index 3797993fa..d2fabe109 100644 --- a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/tnc_config +++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/tnc_config @@ -1,4 +1,4 @@ #IMC configuration file for strongSwan client IMC "Dummy" /usr/local/lib/libdummyimc.so -IMC "HostScanner" /usr/local/lib/libhostscannerimc.so +#IMC "HostScanner" /usr/local/lib/libhostscannerimc.so diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/tnc_config index 3797993fa..d2fabe109 100644 --- a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/tnc_config +++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/tnc_config @@ -1,4 +1,4 @@ #IMC configuration file for strongSwan client IMC "Dummy" /usr/local/lib/libdummyimc.so -IMC "HostScanner" /usr/local/lib/libhostscannerimc.so +#IMC "HostScanner" /usr/local/lib/libhostscannerimc.so diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/tnc/dummyimv.policy b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/tnc/dummyimv.policy new file mode 100644 index 000000000..d00491fd7 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/tnc/dummyimv.policy @@ -0,0 +1 @@ +1 diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/tnc_config index 67896d543..140caa98f 100644 --- a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/tnc_config +++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/tnc_config @@ -1,4 +1,4 @@ #IMV configuration file for strongSwan server IMV "Dummy" /usr/local/lib/libdummyimv.so -IMV "HostScanner" /usr/local/lib/libhostscannerimv.so +#IMV "HostScanner" /usr/local/lib/libhostscannerimv.so diff --git a/testing/tests/ikev2/rw-whitelist/description.txt b/testing/tests/ikev2/rw-whitelist/description.txt new file mode 100644 index 000000000..6f52861e2 --- /dev/null +++ b/testing/tests/ikev2/rw-whitelist/description.txt @@ -0,0 +1,3 @@ +The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>. +<b>moon</b> uses whitelisting to grant access to <b>carol</b> with ID <b>carol@strongswan.org</b> +whereas since ID <b>dave@strongswan.org</b> is not listed, <b>dave</b> gets rejected. diff --git a/testing/tests/ikev2/rw-whitelist/evaltest.dat b/testing/tests/ikev2/rw-whitelist/evaltest.dat new file mode 100644 index 000000000..733cfd844 --- /dev/null +++ b/testing/tests/ikev2/rw-whitelist/evaltest.dat @@ -0,0 +1,19 @@ +moon::cat /var/log/daemon.log::whitelist functionality was already enabled::YES +moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with RSA signature successful::YES +moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with RSA signature successful::YES +moon::cat /var/log/daemon.log::peer identity 'dave@strongswan.org' not whitelisted::YES +carol::ipsec status::home.*INSTALLED::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +dave::cat /var/log/daemon.log:: received AUTHENTICATION_FAILED notify error::YES +dave::ipsec status::home.*INSTALLED::NO +dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::NO +moon::ipsec status::rw.*ESTABLISHED.*carol@strongswan.org::YES +moon::ipsec status::rw.*ESTABLISHED.*dave@strongswan.org::NO +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::NO +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::NO +alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES +alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES +alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::NO +alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::NO diff --git a/testing/tests/ikev2/rw-whitelist/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-whitelist/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..a19f6cfae --- /dev/null +++ b/testing/tests/ikev2/rw-whitelist/hosts/carol/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_CAROL + leftsourceip=%config + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ikev2/rw-whitelist/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-whitelist/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..339b56987 --- /dev/null +++ b/testing/tests/ikev2/rw-whitelist/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ikev2/rw-whitelist/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-whitelist/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..1a89f4e5d --- /dev/null +++ b/testing/tests/ikev2/rw-whitelist/hosts/dave/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_DAVE + leftsourceip=%config + leftcert=daveCert.pem + leftid=dave@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ikev2/rw-whitelist/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-whitelist/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..339b56987 --- /dev/null +++ b/testing/tests/ikev2/rw-whitelist/hosts/dave/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ikev2/rw-whitelist/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-whitelist/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..0b4cded6c --- /dev/null +++ b/testing/tests/ikev2/rw-whitelist/hosts/moon/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn rw + left=PH_IP_MOON + leftsubnet=10.1.0.0/16 + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftfirewall=yes + right=%any + rightsourceip=10.3.0.0/28 + auto=add diff --git a/testing/tests/ikev2/rw-whitelist/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-whitelist/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..938b45518 --- /dev/null +++ b/testing/tests/ikev2/rw-whitelist/hosts/moon/etc/strongswan.conf @@ -0,0 +1,10 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc whitelist stroke kernel-netlink socket-default updown + plugins { + whitelist { + enable = yes + } + } +} diff --git a/testing/tests/ikev2/rw-whitelist/posttest.dat b/testing/tests/ikev2/rw-whitelist/posttest.dat new file mode 100644 index 000000000..1777f439f --- /dev/null +++ b/testing/tests/ikev2/rw-whitelist/posttest.dat @@ -0,0 +1,6 @@ +carol::ipsec stop +dave::ipsec stop +moon::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +dave::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev2/rw-whitelist/pretest.dat b/testing/tests/ikev2/rw-whitelist/pretest.dat new file mode 100644 index 000000000..c4ac77d77 --- /dev/null +++ b/testing/tests/ikev2/rw-whitelist/pretest.dat @@ -0,0 +1,15 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +dave::/etc/init.d/iptables start 2> /dev/null +carol::ipsec start +dave::ipsec start +moon::ipsec start +moon::ipsec whitelist add alice@strongswan.org +moon::ipsec whitelist add bob@strongswan.org +moon::ipsec whitelist add carol@strongswan.org +moon::ipsec whitelist enable +moon::ipsec whitelist list +carol::sleep 2 +carol::ipsec up home +dave::ipsec up home +carol::sleep 1 diff --git a/testing/tests/ikev2/rw-whitelist/test.conf b/testing/tests/ikev2/rw-whitelist/test.conf new file mode 100644 index 000000000..1a8f2a4e0 --- /dev/null +++ b/testing/tests/ikev2/rw-whitelist/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon alice" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.conf index 4eca932ec..08b95659f 100755 --- a/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.conf @@ -2,10 +2,7 @@ config setup crlcheckinterval=180 -<<<<<<< HEAD -======= uniqueids=no ->>>>>>> upstream/4.5.1 strictcrlpolicy=yes plutostart=no diff --git a/testing/tests/p2pnat/behind-same-nat/pretest.dat b/testing/tests/p2pnat/behind-same-nat/pretest.dat index e17456f7a..f1e33dc39 100644 --- a/testing/tests/p2pnat/behind-same-nat/pretest.dat +++ b/testing/tests/p2pnat/behind-same-nat/pretest.dat @@ -11,8 +11,4 @@ carol::sleep 1 alice::ipsec start alice::sleep 1 venus::ipsec start -<<<<<<< HEAD -venus::sleep 2 -======= venus::sleep 4 ->>>>>>> upstream/4.5.1 diff --git a/testing/tests/p2pnat/medsrv-psk/pretest.dat b/testing/tests/p2pnat/medsrv-psk/pretest.dat index 8ce29fcd5..fba7be01d 100644 --- a/testing/tests/p2pnat/medsrv-psk/pretest.dat +++ b/testing/tests/p2pnat/medsrv-psk/pretest.dat @@ -16,8 +16,4 @@ carol::sleep 1 bob::ipsec start bob::sleep 1 alice::ipsec start -<<<<<<< HEAD -alice::sleep 2 -======= alice::sleep 4 ->>>>>>> upstream/4.5.1 diff --git a/testing/tests/sql/net2net-cert/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/net2net-cert/hosts/moon/etc/ipsec.d/data.sql index 0deb68188..ef6849c11 100644 --- a/testing/tests/sql/net2net-cert/hosts/moon/etc/ipsec.d/data.sql +++ b/testing/tests/sql/net2net-cert/hosts/moon/etc/ipsec.d/data.sql @@ -109,15 +109,9 @@ INSERT INTO ike_configs ( ); INSERT INTO peer_configs ( -<<<<<<< HEAD - name, ike_cfg, local_id, remote_id, mobike -) VALUES ( - 'net-net', 1, 4, 5, 0 -======= name, ike_cfg, local_id, remote_id, mobike, dpd_delay ) VALUES ( 'net-net', 1, 4, 5, 0, 0 ->>>>>>> upstream/4.5.1 ); INSERT INTO child_configs ( diff --git a/testing/tests/sql/net2net-cert/hosts/sun/etc/ipsec.d/data.sql b/testing/tests/sql/net2net-cert/hosts/sun/etc/ipsec.d/data.sql index 245dd9694..79a35ef68 100644 --- a/testing/tests/sql/net2net-cert/hosts/sun/etc/ipsec.d/data.sql +++ b/testing/tests/sql/net2net-cert/hosts/sun/etc/ipsec.d/data.sql @@ -109,15 +109,9 @@ INSERT INTO ike_configs ( ); INSERT INTO peer_configs ( -<<<<<<< HEAD - name, ike_cfg, local_id, remote_id, mobike -) VALUES ( - 'net-net', 1, 5, 4, 0 -======= name, ike_cfg, local_id, remote_id, mobike, dpd_delay ) VALUES ( 'net-net', 1, 5, 4, 0, 0 ->>>>>>> upstream/4.5.1 ); INSERT INTO child_configs ( |