11 files changed, 137 insertions, 0 deletions

diff --git a/testing/tests/botan/net2net-pkcs12/description.txt b/testing/tests/botan/net2net-pkcs12/description.txt
new file mode 100644
index 000000000..1d40e30f0
--- /dev/null
+++ b/testing/tests/botan/net2net-pkcs12/description.txt
@@ -0,0 +1,8 @@
+A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
+The authentication is based on <b>X.509 certificates</b> and an RSA private key stored in
+<b>PKCS12</b> format.
+<p/>
+Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
+pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/botan/net2net-pkcs12/evaltest.dat b/testing/tests/botan/net2net-pkcs12/evaltest.dat
new file mode 100644
index 000000000..bfc7e76f1
--- /dev/null
+++ b/testing/tests/botan/net2net-pkcs12/evaltest.dat
@@ -0,0 +1,5 @@
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
+moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/botan/net2net-pkcs12/hosts/moon/etc/strongswan.conf b/testing/tests/botan/net2net-pkcs12/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..1d9a7c08b
--- /dev/null
+++ b/testing/tests/botan/net2net-pkcs12/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = pem nonce revocation botan x509 curl vici kernel-netlink socket-default updown
+  multiple_authentication = no
+}
diff --git a/testing/tests/botan/net2net-pkcs12/hosts/moon/etc/swanctl/pkcs12/moonCert.p12 b/testing/tests/botan/net2net-pkcs12/hosts/moon/etc/swanctl/pkcs12/moonCert.p12
new file mode 100644
index 000000000..365da741f
--- /dev/null
+++ b/testing/tests/botan/net2net-pkcs12/hosts/moon/etc/swanctl/pkcs12/moonCert.p12
diff --git a/testing/tests/botan/net2net-pkcs12/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/botan/net2net-pkcs12/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..b11cf0f3e
--- /dev/null
+++ b/testing/tests/botan/net2net-pkcs12/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,36 @@
+connections {
+
+   gw-gw {
+      local_addrs  = 192.168.0.1
+      remote_addrs = 192.168.0.2
+
+      local {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = sun.strongswan.org
+      }
+      children {
+         net-net {
+            local_ts  = 10.1.0.0/16
+            remote_ts = 10.2.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-modp3072
+         }
+      }
+      version = 2
+      mobike = no
+      proposals = aes128-sha256-modp3072
+   }
+}
+
+secrets {
+
+   pkcs12-moon {
+      file = moonCert.p12
+      secret = "kUqd8O7mzbjXNJKQ"
+   }
+}
diff --git a/testing/tests/botan/net2net-pkcs12/hosts/sun/etc/strongswan.conf b/testing/tests/botan/net2net-pkcs12/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..1d9a7c08b
--- /dev/null
+++ b/testing/tests/botan/net2net-pkcs12/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = pem nonce revocation botan x509 curl vici kernel-netlink socket-default updown
+  multiple_authentication = no
+}
diff --git a/testing/tests/botan/net2net-pkcs12/hosts/sun/etc/swanctl/pkcs12/sunCert.p12 b/testing/tests/botan/net2net-pkcs12/hosts/sun/etc/swanctl/pkcs12/sunCert.p12
new file mode 100644
index 000000000..e2cd2f21d
--- /dev/null
+++ b/testing/tests/botan/net2net-pkcs12/hosts/sun/etc/swanctl/pkcs12/sunCert.p12
diff --git a/testing/tests/botan/net2net-pkcs12/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/botan/net2net-pkcs12/hosts/sun/etc/swanctl/swanctl.conf
new file mode 100755
index 000000000..28c0e87a4
--- /dev/null
+++ b/testing/tests/botan/net2net-pkcs12/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1,36 @@
+connections {
+
+   gw-gw {
+      local_addrs  = 192.168.0.2
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         id = sun.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+      }
+      children {
+         net-net {
+            local_ts  = 10.2.0.0/16
+            remote_ts = 10.1.0.0/16
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            esp_proposals = aes128gcm128-modp3072
+         }
+      }
+      version = 2
+      mobike = no
+      proposals = aes128-sha256-modp3072
+   }
+}
+
+secrets {
+
+   pkcs12-sun {
+      file = sunCert.p12
+      secret = "IxjQVCF3JGI+MoPi"
+   }
+}
diff --git a/testing/tests/botan/net2net-pkcs12/posttest.dat b/testing/tests/botan/net2net-pkcs12/posttest.dat
new file mode 100644
index 000000000..9802f442d
--- /dev/null
+++ b/testing/tests/botan/net2net-pkcs12/posttest.dat
@@ -0,0 +1,6 @@
+moon::systemctl stop strongswan-swanctl
+sun::systemctl stop strongswan-swanctl
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::rm /etc/swanctl/pkcs12/moonCert.p12
+sun::rm /etc/swanctl/pkcs12/sunCert.p12
diff --git a/testing/tests/botan/net2net-pkcs12/pretest.dat b/testing/tests/botan/net2net-pkcs12/pretest.dat
new file mode 100644
index 000000000..22ffcf949
--- /dev/null
+++ b/testing/tests/botan/net2net-pkcs12/pretest.dat
@@ -0,0 +1,9 @@
+moon::cd /etc/swanctl; rm rsa/moonKey.pem x509/moonCert.pem x509ca/strongswanCert.pem
+sun::cd /etc/swanctl; rm rsa/sunKey.pem x509/sunCert.pem x509ca/strongswanCert.pem
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::systemctl start strongswan-swanctl
+sun::systemctl start strongswan-swanctl
+moon::expect-connection gw-gw
+sun::expect-connection gw-gw
+moon::swanctl --initiate --child net-net 2> /dev/null
diff --git a/testing/tests/botan/net2net-pkcs12/test.conf b/testing/tests/botan/net2net-pkcs12/test.conf
new file mode 100644
index 000000000..87abc763b
--- /dev/null
+++ b/testing/tests/botan/net2net-pkcs12/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1