diff options
Diffstat (limited to 'testing/tests/ikev1/net2net-psk-fail')
-rw-r--r-- | testing/tests/ikev1/net2net-psk-fail/description.txt | 12 | ||||
-rw-r--r-- | testing/tests/ikev1/net2net-psk-fail/evaltest.dat | 14 | ||||
-rw-r--r--[-rwxr-xr-x] | testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/ipsec.conf | 7 | ||||
-rw-r--r-- | testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/ipsec.secrets | 5 | ||||
-rw-r--r-- | testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/strongswan.conf | 11 | ||||
-rw-r--r--[-rwxr-xr-x] | testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/ipsec.conf | 7 | ||||
-rw-r--r-- | testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/ipsec.secrets | 2 | ||||
-rw-r--r-- | testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/strongswan.conf | 11 | ||||
-rw-r--r-- | testing/tests/ikev1/net2net-psk-fail/posttest.dat | 2 | ||||
-rw-r--r-- | testing/tests/ikev1/net2net-psk-fail/pretest.dat | 6 |
10 files changed, 33 insertions, 44 deletions
diff --git a/testing/tests/ikev1/net2net-psk-fail/description.txt b/testing/tests/ikev1/net2net-psk-fail/description.txt index 5a794bd17..688182be4 100644 --- a/testing/tests/ikev1/net2net-psk-fail/description.txt +++ b/testing/tests/ikev1/net2net-psk-fail/description.txt @@ -1,7 +1,5 @@ -An IPsec tunnel connecting the subnets behind the gateways <b>moon</b> and -<b>sun</b> is set up. The authentication is based on <b>Preshared Keys</b> -(PSK). Unfortunately the secret keys of <b>moon</b> and <b>sun</b> do not -match, so that the responder cannot decrypt ISAKMP message MI3. The resulting -encrypted notification message cannot in turn be read by the initiator -<b>moon</b>. In order to avoid a <b>notify-war</b>, any further generation of -PAYLOAD_MALFORMED messages is suppressed. +A connection between the gateways <b>moon</b> and <b>sun</b> is set up. +The authentication is based on <b>Preshared Keys</b> (PSK), but gateway <b>moon</b> +uses a wrong PSK. This makes it impossible for gateway <b>sun</b> to decrypt the +IKEv1 message correctly. Thus <b>sun</b> returns a <b>PAYLOAD-MALFORMED</b> error +notify which in turn cannot be decrypted by <b>moon</b>. diff --git a/testing/tests/ikev1/net2net-psk-fail/evaltest.dat b/testing/tests/ikev1/net2net-psk-fail/evaltest.dat index 7f7cb9726..36ad061ac 100644 --- a/testing/tests/ikev1/net2net-psk-fail/evaltest.dat +++ b/testing/tests/ikev1/net2net-psk-fail/evaltest.dat @@ -1,6 +1,8 @@ -moon::cat /var/log/auth.log::malformed payload in packet::YES -sun::cat /var/log/auth.log::probable authentication failure.*mismatch of preshared secrets.*malformed payload in packet::YES -sun::cat /var/log/auth.log::sending encrypted notification PAYLOAD_MALFORMED::YES -moon::ipsec status::net-net.*STATE_MAIN_I4.*ISAKMP SA established::NO -sun::ipsec status::net-net.*STATE_MAIN_R3.*ISAKMP SA established::NO - +sun:: cat /var/log/daemon.log::invalid ID_V1 payload length, decryption failed::YES +sun:: cat /var/log/daemon.log::generating INFORMATIONAL_V1 request.*HASH N(PLD_MAL)::YES +moon::cat /var/log/daemon.log::invalid HASH_V1 payload length, decryption failed::YES +moon::cat /var/log/daemon.log::ignore malformed INFORMATIONAL request::YES +moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::NO +sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::NO +moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::NO +sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::NO diff --git a/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/ipsec.conf index ad0359f01..5917bab81 100755..100644 --- a/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/ipsec.conf @@ -1,21 +1,20 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug=control - charonstart=no conn %default ikelifetime=60m keylife=20m rekeymargin=3m keyingtries=1 - keyexchange=ikev1 authby=secret - + keyexchange=ikev1 + conn net-net left=PH_IP_MOON leftsubnet=10.1.0.0/16 leftid=@moon.strongswan.org + leftfirewall=yes right=PH_IP_SUN rightsubnet=10.2.0.0/16 rightid=@sun.strongswan.org diff --git a/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/ipsec.secrets index be95c4d99..38ebf966c 100644 --- a/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/ipsec.secrets +++ b/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/ipsec.secrets @@ -1,7 +1,4 @@ # /etc/ipsec.secrets - strongSwan IPsec secrets file -@moon.strongswan.org @sun.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL - - - +@moon.strongswan.org @sun.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2dxxxx diff --git a/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/strongswan.conf index 453cdc07c..5db4358d6 100644 --- a/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/strongswan.conf @@ -1,11 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file -pluto { - load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink -} - -# pluto uses optimized DH exponent sizes (RFC 3526) - -libstrongswan { - dh_exponent_ansi_x9_42 = no +charon { + load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown + multiple_authentication = no } diff --git a/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/ipsec.conf index 9bbff9039..8fe02b10b 100755..100644 --- a/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/ipsec.conf @@ -1,21 +1,20 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug=control - charonstart=no conn %default ikelifetime=60m keylife=20m rekeymargin=3m keyingtries=1 - keyexchange=ikev1 authby=secret - + keyexchange=ikev1 + conn net-net left=PH_IP_SUN leftsubnet=10.2.0.0/16 leftid=@sun.strongswan.org + leftfirewall=yes right=PH_IP_MOON rightsubnet=10.1.0.0/16 rightid=@moon.strongswan.org diff --git a/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/ipsec.secrets b/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/ipsec.secrets index b53577e1d..be95c4d99 100644 --- a/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/ipsec.secrets +++ b/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/ipsec.secrets @@ -1,6 +1,6 @@ # /etc/ipsec.secrets - strongSwan IPsec secrets file -@moon.strongswan.org @sun.strongswan.org : PSK 0sZNbttZkdViYmLWprfhiZBtDjJbNAMHil +@moon.strongswan.org @sun.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL diff --git a/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/strongswan.conf index 453cdc07c..5db4358d6 100644 --- a/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/strongswan.conf @@ -1,11 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file -pluto { - load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink -} - -# pluto uses optimized DH exponent sizes (RFC 3526) - -libstrongswan { - dh_exponent_ansi_x9_42 = no +charon { + load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown + multiple_authentication = no } diff --git a/testing/tests/ikev1/net2net-psk-fail/posttest.dat b/testing/tests/ikev1/net2net-psk-fail/posttest.dat index dff181797..5a9150bc8 100644 --- a/testing/tests/ikev1/net2net-psk-fail/posttest.dat +++ b/testing/tests/ikev1/net2net-psk-fail/posttest.dat @@ -1,2 +1,4 @@ moon::ipsec stop sun::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +sun::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev1/net2net-psk-fail/pretest.dat b/testing/tests/ikev1/net2net-psk-fail/pretest.dat index aa8e332e0..9e40684ab 100644 --- a/testing/tests/ikev1/net2net-psk-fail/pretest.dat +++ b/testing/tests/ikev1/net2net-psk-fail/pretest.dat @@ -1,5 +1,7 @@ -moon::echo 1 > /proc/sys/net/ipv4/ip_forward -sun::echo 1 > /proc/sys/net/ipv4/ip_forward +moon::/etc/init.d/iptables start 2> /dev/null +sun::/etc/init.d/iptables start 2> /dev/null +moon::rm /etc/ipsec.d/cacerts/* +sun::rm /etc/ipsec.d/cacerts/* moon::ipsec start sun::ipsec start moon::sleep 2 |