summaryrefslogtreecommitdiff
path: root/testing/tests/ikev1/net2net-psk-fail
diff options
context:
space:
mode:
Diffstat (limited to 'testing/tests/ikev1/net2net-psk-fail')
-rw-r--r--testing/tests/ikev1/net2net-psk-fail/description.txt12
-rw-r--r--testing/tests/ikev1/net2net-psk-fail/evaltest.dat14
-rw-r--r--[-rwxr-xr-x]testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/ipsec.conf7
-rw-r--r--testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/ipsec.secrets5
-rw-r--r--testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/strongswan.conf11
-rw-r--r--[-rwxr-xr-x]testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/ipsec.conf7
-rw-r--r--testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/ipsec.secrets2
-rw-r--r--testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/strongswan.conf11
-rw-r--r--testing/tests/ikev1/net2net-psk-fail/posttest.dat2
-rw-r--r--testing/tests/ikev1/net2net-psk-fail/pretest.dat6
10 files changed, 33 insertions, 44 deletions
diff --git a/testing/tests/ikev1/net2net-psk-fail/description.txt b/testing/tests/ikev1/net2net-psk-fail/description.txt
index 5a794bd17..688182be4 100644
--- a/testing/tests/ikev1/net2net-psk-fail/description.txt
+++ b/testing/tests/ikev1/net2net-psk-fail/description.txt
@@ -1,7 +1,5 @@
-An IPsec tunnel connecting the subnets behind the gateways <b>moon</b> and
-<b>sun</b> is set up. The authentication is based on <b>Preshared Keys</b>
-(PSK). Unfortunately the secret keys of <b>moon</b> and <b>sun</b> do not
-match, so that the responder cannot decrypt ISAKMP message MI3. The resulting
-encrypted notification message cannot in turn be read by the initiator
-<b>moon</b>. In order to avoid a <b>notify-war</b>, any further generation of
-PAYLOAD_MALFORMED messages is suppressed.
+A connection between the gateways <b>moon</b> and <b>sun</b> is set up.
+The authentication is based on <b>Preshared Keys</b> (PSK), but gateway <b>moon</b>
+uses a wrong PSK. This makes it impossible for gateway <b>sun</b> to decrypt the
+IKEv1 message correctly. Thus <b>sun</b> returns a <b>PAYLOAD-MALFORMED</b> error
+notify which in turn cannot be decrypted by <b>moon</b>.
diff --git a/testing/tests/ikev1/net2net-psk-fail/evaltest.dat b/testing/tests/ikev1/net2net-psk-fail/evaltest.dat
index 7f7cb9726..36ad061ac 100644
--- a/testing/tests/ikev1/net2net-psk-fail/evaltest.dat
+++ b/testing/tests/ikev1/net2net-psk-fail/evaltest.dat
@@ -1,6 +1,8 @@
-moon::cat /var/log/auth.log::malformed payload in packet::YES
-sun::cat /var/log/auth.log::probable authentication failure.*mismatch of preshared secrets.*malformed payload in packet::YES
-sun::cat /var/log/auth.log::sending encrypted notification PAYLOAD_MALFORMED::YES
-moon::ipsec status::net-net.*STATE_MAIN_I4.*ISAKMP SA established::NO
-sun::ipsec status::net-net.*STATE_MAIN_R3.*ISAKMP SA established::NO
-
+sun:: cat /var/log/daemon.log::invalid ID_V1 payload length, decryption failed::YES
+sun:: cat /var/log/daemon.log::generating INFORMATIONAL_V1 request.*HASH N(PLD_MAL)::YES
+moon::cat /var/log/daemon.log::invalid HASH_V1 payload length, decryption failed::YES
+moon::cat /var/log/daemon.log::ignore malformed INFORMATIONAL request::YES
+moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::NO
+sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::NO
+moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::NO
+sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::NO
diff --git a/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/ipsec.conf
index ad0359f01..5917bab81 100755..100644
--- a/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/ipsec.conf
@@ -1,21 +1,20 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- plutodebug=control
- charonstart=no
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
- keyexchange=ikev1
authby=secret
-
+ keyexchange=ikev1
+
conn net-net
left=PH_IP_MOON
leftsubnet=10.1.0.0/16
leftid=@moon.strongswan.org
+ leftfirewall=yes
right=PH_IP_SUN
rightsubnet=10.2.0.0/16
rightid=@sun.strongswan.org
diff --git a/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/ipsec.secrets
index be95c4d99..38ebf966c 100644
--- a/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/ipsec.secrets
+++ b/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/ipsec.secrets
@@ -1,7 +1,4 @@
# /etc/ipsec.secrets - strongSwan IPsec secrets file
-@moon.strongswan.org @sun.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
-
-
-
+@moon.strongswan.org @sun.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2dxxxx
diff --git a/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/strongswan.conf
index 453cdc07c..5db4358d6 100644
--- a/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/strongswan.conf
@@ -1,11 +1,6 @@
# /etc/strongswan.conf - strongSwan configuration file
-pluto {
- load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
- dh_exponent_ansi_x9_42 = no
+charon {
+ load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
+ multiple_authentication = no
}
diff --git a/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/ipsec.conf
index 9bbff9039..8fe02b10b 100755..100644
--- a/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/ipsec.conf
@@ -1,21 +1,20 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
- plutodebug=control
- charonstart=no
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
- keyexchange=ikev1
authby=secret
-
+ keyexchange=ikev1
+
conn net-net
left=PH_IP_SUN
leftsubnet=10.2.0.0/16
leftid=@sun.strongswan.org
+ leftfirewall=yes
right=PH_IP_MOON
rightsubnet=10.1.0.0/16
rightid=@moon.strongswan.org
diff --git a/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/ipsec.secrets b/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/ipsec.secrets
index b53577e1d..be95c4d99 100644
--- a/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/ipsec.secrets
+++ b/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/ipsec.secrets
@@ -1,6 +1,6 @@
# /etc/ipsec.secrets - strongSwan IPsec secrets file
-@moon.strongswan.org @sun.strongswan.org : PSK 0sZNbttZkdViYmLWprfhiZBtDjJbNAMHil
+@moon.strongswan.org @sun.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
diff --git a/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/strongswan.conf
index 453cdc07c..5db4358d6 100644
--- a/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/strongswan.conf
@@ -1,11 +1,6 @@
# /etc/strongswan.conf - strongSwan configuration file
-pluto {
- load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink
-}
-
-# pluto uses optimized DH exponent sizes (RFC 3526)
-
-libstrongswan {
- dh_exponent_ansi_x9_42 = no
+charon {
+ load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
+ multiple_authentication = no
}
diff --git a/testing/tests/ikev1/net2net-psk-fail/posttest.dat b/testing/tests/ikev1/net2net-psk-fail/posttest.dat
index dff181797..5a9150bc8 100644
--- a/testing/tests/ikev1/net2net-psk-fail/posttest.dat
+++ b/testing/tests/ikev1/net2net-psk-fail/posttest.dat
@@ -1,2 +1,4 @@
moon::ipsec stop
sun::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev1/net2net-psk-fail/pretest.dat b/testing/tests/ikev1/net2net-psk-fail/pretest.dat
index aa8e332e0..9e40684ab 100644
--- a/testing/tests/ikev1/net2net-psk-fail/pretest.dat
+++ b/testing/tests/ikev1/net2net-psk-fail/pretest.dat
@@ -1,5 +1,7 @@
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-sun::echo 1 > /proc/sys/net/ipv4/ip_forward
+moon::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
+moon::rm /etc/ipsec.d/cacerts/*
+sun::rm /etc/ipsec.d/cacerts/*
moon::ipsec start
sun::ipsec start
moon::sleep 2