diff options
Diffstat (limited to 'testing/tests/ikev1')
1130 files changed, 3650 insertions, 12876 deletions
diff --git a/testing/tests/ikev1/after-2038-certs/description.txt b/testing/tests/ikev1/after-2038-certs/description.txt deleted file mode 100644 index fb622dc15..000000000 --- a/testing/tests/ikev1/after-2038-certs/description.txt +++ /dev/null @@ -1,13 +0,0 @@ -The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>. -The authentication is based on <b>X.509 certificates</b> that are valid until -the year 2039 and are issued by a certification authority with a root ca -certificate valid until the year 2059. On 32-bit platforms, dates after -Jan 19 03:14:07 UTC 2038 cannot by represented by the time_t data type. -Thus if a time wrap-around occurs during ASN.1 to time_t conversions, -dates contained in the certificates are set to the maximum value, -i.e. to Jan 19 03:14:07 UTC 2038. - -Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b> -automatically inserts iptables-based firewall rules that let pass the tunneled traffic. -In order to test both tunnel and firewall, <b>carol</b> ping the client <b>alice</b> -behind the gateway <b>moon</b>. diff --git a/testing/tests/ikev1/after-2038-certs/evaltest.dat b/testing/tests/ikev1/after-2038-certs/evaltest.dat deleted file mode 100644 index 790811a61..000000000 --- a/testing/tests/ikev1/after-2038-certs/evaltest.dat +++ /dev/null @@ -1,6 +0,0 @@ -moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES -carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES -moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES - diff --git a/testing/tests/ikev1/after-2038-certs/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/ikev1/after-2038-certs/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem deleted file mode 100644 index 03b57243b..000000000 --- a/testing/tests/ikev1/after-2038-certs/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem +++ /dev/null @@ -1,55 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIJ0DCCBbigAwIBAgIJAIORWNruS4GuMA0GCSqGSIb3DQEBDQUAMEgxCzAJBgNV -BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJv -bmdTd2FuIE1vbnN0ZXIgQ0EwIBcNMDkwMzI4MDgwMDUzWhgPMjA1OTAzMTYwODAw -NTNaMEgxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4w -HAYDVQQDExVzdHJvbmdTd2FuIE1vbnN0ZXIgQ0EwggQiMA0GCSqGSIb3DQEBAQUA -A4IEDwAwggQKAoIEAQDL3Cy8fYlD/Lqc6vXnWakywyvB7rouV7CIdxZMGHz/6zO4 -4sZaeqWy4Fmp6zPuLI8RtxsIyrZAJzqnTDNRb6FhosdluTy/QL2N+M2U0fKeRjAd -2IInFOabqSSheB8Np53xK28oZ3xe75vbpSRiqGItmqZHioFPpNV+gRv2NC2NSUqr -ta9aRo35m2ZyQuav4+oOYalayApZWr44w8qQJRILvFo6jc7x5bE+LgFNRfe15/MY -dyrabatILkOucP61VE7QqftLj465w1GG3kzyt4PsX5FKkSkhs3wMnQKLJyvxUIlk -sC7m/NzABRAEAfLAODJJ9indUCVjcLDC81avQPoHOSD736hkYpWRnlrgvu14q+5d -kBRvyCQu+SoBPj0oMtEEdaPk7aBGjXDvKkeJAZYEcOP8h9oKUQjwYUQhQ7Np0f33 -YBaQSCv/6kfl+260XXMWQrQd4iDY17x5H8wA6mncTQ01JHIJy5pixXt09dPmWaAh -qZWaDbkSLslO05zai45QpTFQ2Qtw3d6w5BY3u2bREB7HnyFfZF8n43pvsInNv5pQ -HLVHN5/TP/YVwbZj4UXXgAjkL/4t6DGELk62VkrxB1dQDopimFRmaGctAGWbo8ro -UVpGDXnSHCn9SPmEqeetK1fJHcCeQskVFakIB3qdRJM+rsWcOFA4c40D6uKyvLHe -xZbqaOjpL2r9vfuzMtbUMUinZNBqVf7dCkxY02gdi1HpTB5p1VBSRbXdaC1Zow4O -Rn2Ekd6/lr5G45S8ljr7EeGnAUKFOoyU8F6dYmvgwBTgNwQsGa+MbWkuaaxuIq0f -/e3J3PYkdQ+7tNXPsqoDXcOtc0ZPlBRwDx9Js+qh86e5HKh85DzBjjl97giv/3PC -Ek6imgHhx0QsulWUfGzls+sd3SXf8azBFt6Jh7lUJQafNH++fLZvryGYa2gjEn4V -Cwr8PTaWLm5TwgHlyJTH8Zkk7yEVZvzJfs6UC8tEaYitmAb8e9cYTztA0e4gPeY/ -9UTyb0XAnol368DGKi5T5L1x1NVHkPc5zVXcGUvUFpEd4q4aJWj9xUyskt13fl8V -9BOKc1BJZUdCkxRSt1wF4tlcFs9EVbOoYOT2+KJiaWB59ke+O7HUxnjFzNfPFLO9 -ItgNHhahXrhX22e//B9QhzQ5O29UhXpX0y624DK/e/bj96c6ve5NqDIcZdOyVduT -XiEyfUpP0ZjvwRbS42A1VYs34ELBt5ntUhRvgivXAbBnC19pv/WFurMzaxueQgjh -e/TUX1FWXh8zq5qPvASxkupdo5GOrcjn6a8zTmRPS6V8jVLQmUHMsCsyFcVUECsL -99wet1nlFAloL59Z6Cjj3LkyLpeIG/o4ItGEdw5bAgMBAAGjgbowgbcwDwYDVR0T -AQH/BAUwAwEB/zALBgNVHQ8EBAMCAQYwHQYDVR0OBBYEFBlirZarxvvXjxDEVv9A -YyJCcHYOMHgGA1UdIwRxMG+AFBlirZarxvvXjxDEVv9AYyJCcHYOoUykSjBIMQsw -CQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMV -c3Ryb25nU3dhbiBNb25zdGVyIENBggkAg5FY2u5Lga4wDQYJKoZIhvcNAQENBQAD -ggQBAHcfJo343EP+u0T1DTa3oJbYtqON1F7UdkJcOUxRhp4HFlPEOFxSnHU5Qi2f -hzxWZTQEKI2q62AXdyHDygI44dCpSFZNPcZHdwBl26maMHubv7JXFl7TWupvki57 -71ttz+0wc5iU38g3ktVkrcjzUiqKU2BXnvIuLteOHfnSMGR+JG0v94nYl60EEtZr -/Ru0Orcq93mrQyih4MZMrcssNBI+2HSFmjITBSGAz9G81d/kojtCEsmY37dqpkqO -lOo57HLTUzuMHW1W+c7wCLAl2rhy0xIJ/t5XpNBvPzc7xKZex01A7kKIcUV5vlvj -8+NTuMF4NAZjgtODj0Z3kKsxaIlq0O1+SfubdnHE9pNZPXWm4SSW8w1C+n1+MAA2 -RpK7T1T7BiOQD2fSKsCPvocefiWFOUuHkyRPG5vE0Ob5XH5qT5R3xTq1ta1cpxsA -Rq0s4QHYePZ+gU/7edI7LvZtueOGL4BeR1TSIcbij5+LfFlIjz9ETp3cWc5rxjsm -xBGeHyCslH2EKuufzg5czqmnTdwC4zGNVUyn8c5YUVpOxEZOpnrrGpR7xCHG6n0s -PFpXRuSp6JHSDVCFkJLLrIH0MNmXirgsNLQEOX3WBPeK2hj9X3kzV+iRd5YXqBld -6x1Jnx66iNhJyKHDXfZ84PIZzxaKrDrR35PK3DsZUATx0l56uBWAY3n1Zl5ZrWkd -c66yvP8/WXqO1IctddURFn1ohkkbCVd8ke45ZQoyHIb+cC2gTU53aYNNAZDHh/C/ -MrU7+d5yH29dLjtv+J3JrDwdtBLMZa4RcIOZxhk7MhheNW3K+Q5xpKrdsqourQ2T -vBwEmrfiLHRb+Hk8UbPpDW5m3yaXYmn8bQinkD1BP2ru/f6r4Rj+aAtNvz8ofgAg -RcUcD+jeIDAEWnFCKtHxtp+fLYm5npnwfyCyOID2Lr3K1Z7SpqzoYYq9bfc3AdtL -uHr9RSjdfsuG0l44xESwC2+Pp6rHwvAIPfPgcZiOX1GObytxXexWYCy9g/DKmUVv -inTJNjHpH48ffPmCBE2LoylgBv/dSmf6hQSf5lqsKQ3tKApJv8t0oO6jqyvn+aqs -CTi4WALKhZn9YRKRzcwzYVav1g0fHkrwRQxv8TRM0tYWZ5V01qgumxD3L/37vqDR -8bx9KvgiF3DbP2q8IbVuVMLwjU6xPH+5sWJCS0Cx2haW1oVw7ppd9sgAkj/wxzt8 -9jl/bx3rD3YwoobFvqry0Rhe4J1LidAAKX+E69c4GwoTIe3eqL/TYkis7YIFLjea -cm2lumjrrFcnbZLvDK5S/+kfZ2Flt2QoUznNeTTNY1nAnJSgqOgOocvyYDA9vx6H -d/Fp6btmZH31IEyJrRNVOpCwZPI= ------END CERTIFICATE----- diff --git a/testing/tests/ikev1/after-2038-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/ikev1/after-2038-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem deleted file mode 100644 index 2ce2ce3c9..000000000 --- a/testing/tests/ikev1/after-2038-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem +++ /dev/null @@ -1,46 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIINzCCBB+gAwIBAgIBATANBgkqhkiG9w0BAQ0FADBIMQswCQYDVQQGEwJDSDEZ -MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBN -b25zdGVyIENBMB4XDTA5MDMyODE0MDYwOFoXDTM5MDMyMTE0MDYwOFowWTELMAkG -A1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xEDAOBgNVBAsTB01v -bnN0ZXIxHTAbBgNVBAMUFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMIICIjANBgkqhkiG -9w0BAQEFAAOCAg8AMIICCgKCAgEAqYq89COSvnLQplrjtSrDyvqvJqXN7mfmgfgR -yGVG6HVoA3DU/vJPo8xHT43eTIBkT9wxernYxGw7UZwG6iiY3Me7Q82f+2TmX8mp -dYtP53SWASOHBiLk7d3yJJjCY2GGP8Vb0avJa8GEOy9ZHTOf5HWwMDt9EQKxOzkw -BebpMLCf2Mi1robNUj/lEgE+3AGfikF39E3JaXhna3mm+7PwO5J5udpxC/rVa+bO -FPoBoBOY7v4fuq0CV5x5q/bXn9oVWteF/U1fnnOf5Dhe3P057oj7kARsmGk8e0DW -kk1vTt4jplSg6jhH7izy4OhiqWkR7QV/BMOQBqBd6bw9Ojk12LFZBQulM0Lmtou5 -mGabckTMvtI591UCGNqGMcVDsxFIX2ZMvfScMahS6pUq+hjiR95mwez2Z1Sg014l -cFg11mzjXGGBFuTCl3smJqRT7UaI6JfjNz1f6p/7z8QhjKChVA/xnJ5yoJWNPest -2X0psHe3AlocUFRxqnD2ZmNO6IuKN5bmN0O4Lfc50rl2hPATXdh0HC8HvcYbRK9C -uezkuM1QEvkev5SFbzgivXb1A2hdRCc1/XRND7Pm9sCjjh3tn5otCMnalc1mk5v+ -t8GhCKV6B7RTzFqu+ry0pe6OlqqzU0yNdqYFK1hoCDXUQzEMJzmI9mIw+n6EE3Hh -fTZstGECAwEAAaOCARkwggEVMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1Ud -DgQWBBTy8LU5yQdnV8pfwhCPY7q/CiNyzjB4BgNVHSMEcTBvgBQZYq2Wq8b7148Q -xFb/QGMiQnB2DqFMpEowSDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0 -cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3YW4gTW9uc3RlciBDQYIJAIORWNru -S4GuMB8GA1UdEQQYMBaBFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMEEGA1UdHwQ6MDgw -NqA0oDKGMGh0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbi1tb25z -dGVyLmNybDANBgkqhkiG9w0BAQ0FAAOCBAEAi39l78OCI9S0I3X62HbkxiLguvnc -CbXY6Tqmz0Ms8xqZgYzJOk7FLB/4v/zJohOH5nd7KxJ81KbcERyASpybaLM0/V+V -oGT0rDGGH5cS4H2uYfs9HsKFKKPbZeCnExFyCamXjBZkl5IZNjdpS9TLyXRJSyFN -OIRNhILPSriqdtzgRuGOeX798U8o0ObizGQRVlT0p0lI4t64dzZbIh3jSXjCf1Tz -cmVOC8qhhGvxLlorSy5K98t2zNY7DvzwtvoQrNFGtso1kvfmaO4XRCvSZsmqPpC5 -mmWJjNEG2qcbmfpt8TotyUHgEJTZXwXlPVVb5OXHTW6jXk/MN0UiMTLJYcvJ1gji -kSnGNHzRH2rKlYRED+jlzzHAWSv0mBGcOTdmfBV6+TJ7QhWhLZBzAUfwqXpAy9Vk -idtyB0eSWBTIvhZY6SzB0Rvkdj0FtZ+tNURT4dPtiO0D+LXm/ojpdKKI2tFNOgwY -n8df2u3xnCRvHqcF6lvu+ptnwUkUDDGDuiM20+sm0HHhLIj51v8tTm3Q/MzI0BAb -G4HOSQNDzymWDgzIE67UTxBwXVDbSLkzH1vhFXtZQlD1UHqOUT/4FQm5ZlVMF8na -FKxHakqoh1CdI8TAmM64h3hp1zp+G9Zn0lfcHRhvWBvpU8mgF1cbEvgbzjd9+xLe -q45/8xuZPnU7XIBvDcZTUk8LRIThcTxQRlQdI1UJnvPOBYG3mUrLs2UdEZGwsooG -zMOj3EQwqrR67rQiuGo65IMPDix4mwHjcZ8Gr4eqLDwSUS5yoPX1qI2qNLQbI1Ni -8PEYMXQ0Xm+9Z86ZkI0dAIBWLkEGkz5Ngqk4O3JLzF1O/XPG4E9hGJ8WsHQW6pk9 -+quv5nVNCAO0z6FYfQoYprdbDBur+N/no+BYIcSFSpLcNgafLXgj3I65iJ2VmRi0 -V0xAfxcRiQN2+/7aao2zLrrSPHU8YsW48ISw9ibQ9EckZMVtnhuYpBJuX8+auZ8f -OgBmgRi7fCtEcMlXsiisQehymMs470eDRfWFUMzgJC8tMOQIWNdYM0Bo29wYUJPN -jD+NO0n+PisFMilBEyoT2pD1i94+5DWQau/7STb3GbpBsLb7JbIrQEp0oSdsvsNR -SaJQEqMxepJM0OGp3FMr79s+/a13+TMm+jl65M6sV/YTDdYFlplkWyHDjbL+WjUu -lvDEURfBJrtT7u673RakCEzl5e53fP01HXFhqgMSloR7j2XNiyCeEUBp+zetXxwb -8e6IKtbXWU+WcXIdNOHAL+OtD1vUK3gxupJPrRNW6daZKWUDbjRixzXnjeyIw8It -bRldc5VjyM0G4FMbmIROgRcvjJ74MUwnHpgPl9zQ28HmbxKbANiJJZHIDw== ------END CERTIFICATE----- diff --git a/testing/tests/ikev1/after-2038-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/ikev1/after-2038-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem deleted file mode 100644 index f0836ec33..000000000 --- a/testing/tests/ikev1/after-2038-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem +++ /dev/null @@ -1,51 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIJKQIBAAKCAgEAqYq89COSvnLQplrjtSrDyvqvJqXN7mfmgfgRyGVG6HVoA3DU -/vJPo8xHT43eTIBkT9wxernYxGw7UZwG6iiY3Me7Q82f+2TmX8mpdYtP53SWASOH -BiLk7d3yJJjCY2GGP8Vb0avJa8GEOy9ZHTOf5HWwMDt9EQKxOzkwBebpMLCf2Mi1 -robNUj/lEgE+3AGfikF39E3JaXhna3mm+7PwO5J5udpxC/rVa+bOFPoBoBOY7v4f -uq0CV5x5q/bXn9oVWteF/U1fnnOf5Dhe3P057oj7kARsmGk8e0DWkk1vTt4jplSg -6jhH7izy4OhiqWkR7QV/BMOQBqBd6bw9Ojk12LFZBQulM0Lmtou5mGabckTMvtI5 -91UCGNqGMcVDsxFIX2ZMvfScMahS6pUq+hjiR95mwez2Z1Sg014lcFg11mzjXGGB -FuTCl3smJqRT7UaI6JfjNz1f6p/7z8QhjKChVA/xnJ5yoJWNPest2X0psHe3Aloc -UFRxqnD2ZmNO6IuKN5bmN0O4Lfc50rl2hPATXdh0HC8HvcYbRK9CuezkuM1QEvke -v5SFbzgivXb1A2hdRCc1/XRND7Pm9sCjjh3tn5otCMnalc1mk5v+t8GhCKV6B7RT -zFqu+ry0pe6OlqqzU0yNdqYFK1hoCDXUQzEMJzmI9mIw+n6EE3HhfTZstGECAwEA -AQKCAgAmHcjpYm4FXy7Fl72F531pTv69w50OslFCexEUaqCMdojR7TYVs0hwXObT -XePSczMaOTjujIXNcz/K0zdCwanMSSMy1THYhRC+DEqK4K0wLifjTad3m7S4PaPI -0ocxbKWQBMDl3KdGEJW38KcqR4b1B/h6f4VYo7BQzkSbrxRSHANz63vdJvVWPoMz -jxAgykSiAqIDTNGxYp5trUX7ZLLn0cCIJjIwLU56GcPPN33SDVXetUdQ4sCaDdXU -8YP8rj0K1VWMYy7SItCZsIqzSEMT+7wC3tvDUDWGyEb1UW9q3cpKBNDAl7KkO3rH -UbeMutCK5ydtXMIumzNB704cnuwZ08sdM7BTTMhmu0VK+zjVzhBK+MFcF7pickD3 -SdNzOiqfgiXLGjsiMFJvJ7OUJczEJl2xIoZ+Otb113ep0An0PEuF6aZMaKPNP7xf -ljnengym1Rq+f1mHBRRfool9zmeisnQSSecKo0htm6oRkQTcTwLj0TjiCugbmISf -D7sUXWp/QFVdYhHTay1gWUnP1quflKYvEynd0UF0JOnCbpWAczdXf27fm7DVjgLp -yZ4QyrCtyvtIITgmZOvkAcaflxe2E+cBN2F+hWGzqMJfoMtw008hRW9DcRji35Kn -lCOj/87n8lL3dicDI0caBZO9tQIakh05XYW8xN+sYF9K/xKauQKCAQEA2txDchqB -7719R6hBqdNqig2+telNHlN0amPKjqIvP7Tr/JnJx8A7cSasao1Fw0cGPReBT7Tb -Z5IW7xvWiZYFMDI8q8ZGEIb+MveYs1gHlEaimMtwoVCNeNe3cEPIL7ffNT8y+xFc -o55AjzgKAOHqmf6OidKqRs/B1sSmOrgugsY8KvYtA/JrieVHKrjNX5XqZNqrfsns -K4DMcJvIrfBu9iyWenNoBOdEJsP0h3F39Zh2hkEg29eH+/8x6FGlezvSU89Jjs9O -/2BdlyS82RbhPu2VIrsmpfoSrsFHRe8t/9yrnpY3ud6w2LP9QIEMd8FpWKGnNxJp -AIZJ6u+NoWVlLwKCAQEAxk/7RSSvf6VJvi1gmOxKd79LkYUEiyZryP/M8kQFMqs5 -pU6BgFLVLZsaXz+1oYS0bEjVGGo5ppCVVUMN6RuFX9zVz9uVZBeiiItqw64UDbt/ -0u78m9ngvSpWaMQU2nS/kHVhKOY+Gfs0v5fBvZE+wxTfMBR+nbx7uJivpXnq6xMP -fhDz6juap/lEK6HuvQN5xXBNL4wpd099lvy3NUuG0Dohb/+gWf3YzQtjs281iMZB -G3/gGLcBSdk6PBwXueJ3NPj9FAII73MQNBNYS3zi3IYuulA/rMcvbA+IGeKTzRX5 -E47B8ZAhJxZ3OePalvZyVEaRHDFT+Y2YCv/G9Bw7bwKCAQBs97oE97m2Gcxkfxui -aIblEY7gl7Yz4S1XQzQ46/tGZtgQPqm+cLGn1q+Fpa0UWyp6BFf3zX5oBM6yYlPg -0PboVjrq858y32N1EN3QfYXYh4qxNKlxR+AISK8mkDj9uTjDFCJX6v8K3+IY7Lfe -VJ0v6xQg/uiUtSA3xFVXaxiNOBIA+ezTyEFOuP9EABsQ+l1ntZApYnPZ/RjNAGNc -Zxd4Lh8F/KvPtS2zd2Eqho5Jk41/rrGjg55LE3ZPy0bvIovH+q8PEZytfddbR4lX -NRMU98mHL1NA1E+0/rpz0XA/sikonnZEbuHyIzt2gEoq3fuLi4Dr5JivEC2BcaA8 -uXU1AoIBAQDDxUdfXbTmxQxEctVuga2OA0mdkXwHxlkXZvcyntWmzIOu3g5X2O3c -BMcHCoTKu4/Faiz72jmpZggV0IlV+zYyiXaFqNcUpYRtWXx/SkU/vT6VxBmZ3X/Q -HpCJAjE365MFD+tnjcv2qBfNoAnBkzYrLVqbQ1AvdVeJxyl2qSGxCPL9V80DCe5G -LnwOuuBMtbaro45/BtYUk2N+/2H5eeLPguNphigNTtyMpta412s458Z0WEuo+liK -R6kGmBEQDzHxGG/2JYAeqi9vyT0b4GCwpMJSaVBCx6vX+Ik6TIPuLOfjV8W8K7We -ub3fZ0FuUEJTUgqEk2m77P0Qtqn4aDp/AoIBAQDXI66F4POHVOPI/j584sSLhW6X -j5VzFlmOhpyoourPYXsKyIFrLa/gYAe/wNH/5jg3Ap5DbBVZB87gOkaMz2oV+ZQ/ -5IWiFmiUxGrCXmWyI6Eqr2DUtSKispLnQ043bFN+HlhfQYTwD9ijqpwpUt/sC+IJ -mLIGJs5B3cdcRQuSxh1HpvSJOuItjp0wfcGj3+RPh5cPdjHZW30FHGFomOk//6BO -nWdoYUGrN9wXylDOHvlkYaP2Uj5rCWm51ZGaxzJR9S+WkHdNBzyygpGtEXdSAIzU -tHufKwQdDnj22w8KSCvQ+KvwUn9UrIR5LyGKiYGWved9X2EQzIFC4dJ8h30G ------END RSA PRIVATE KEY----- diff --git a/testing/tests/ikev1/after-2038-certs/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/ikev1/after-2038-certs/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem deleted file mode 100644 index 03b57243b..000000000 --- a/testing/tests/ikev1/after-2038-certs/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem +++ /dev/null @@ -1,55 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIJ0DCCBbigAwIBAgIJAIORWNruS4GuMA0GCSqGSIb3DQEBDQUAMEgxCzAJBgNV -BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJv -bmdTd2FuIE1vbnN0ZXIgQ0EwIBcNMDkwMzI4MDgwMDUzWhgPMjA1OTAzMTYwODAw -NTNaMEgxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4w -HAYDVQQDExVzdHJvbmdTd2FuIE1vbnN0ZXIgQ0EwggQiMA0GCSqGSIb3DQEBAQUA -A4IEDwAwggQKAoIEAQDL3Cy8fYlD/Lqc6vXnWakywyvB7rouV7CIdxZMGHz/6zO4 -4sZaeqWy4Fmp6zPuLI8RtxsIyrZAJzqnTDNRb6FhosdluTy/QL2N+M2U0fKeRjAd -2IInFOabqSSheB8Np53xK28oZ3xe75vbpSRiqGItmqZHioFPpNV+gRv2NC2NSUqr -ta9aRo35m2ZyQuav4+oOYalayApZWr44w8qQJRILvFo6jc7x5bE+LgFNRfe15/MY -dyrabatILkOucP61VE7QqftLj465w1GG3kzyt4PsX5FKkSkhs3wMnQKLJyvxUIlk -sC7m/NzABRAEAfLAODJJ9indUCVjcLDC81avQPoHOSD736hkYpWRnlrgvu14q+5d -kBRvyCQu+SoBPj0oMtEEdaPk7aBGjXDvKkeJAZYEcOP8h9oKUQjwYUQhQ7Np0f33 -YBaQSCv/6kfl+260XXMWQrQd4iDY17x5H8wA6mncTQ01JHIJy5pixXt09dPmWaAh -qZWaDbkSLslO05zai45QpTFQ2Qtw3d6w5BY3u2bREB7HnyFfZF8n43pvsInNv5pQ -HLVHN5/TP/YVwbZj4UXXgAjkL/4t6DGELk62VkrxB1dQDopimFRmaGctAGWbo8ro -UVpGDXnSHCn9SPmEqeetK1fJHcCeQskVFakIB3qdRJM+rsWcOFA4c40D6uKyvLHe -xZbqaOjpL2r9vfuzMtbUMUinZNBqVf7dCkxY02gdi1HpTB5p1VBSRbXdaC1Zow4O -Rn2Ekd6/lr5G45S8ljr7EeGnAUKFOoyU8F6dYmvgwBTgNwQsGa+MbWkuaaxuIq0f -/e3J3PYkdQ+7tNXPsqoDXcOtc0ZPlBRwDx9Js+qh86e5HKh85DzBjjl97giv/3PC -Ek6imgHhx0QsulWUfGzls+sd3SXf8azBFt6Jh7lUJQafNH++fLZvryGYa2gjEn4V -Cwr8PTaWLm5TwgHlyJTH8Zkk7yEVZvzJfs6UC8tEaYitmAb8e9cYTztA0e4gPeY/ -9UTyb0XAnol368DGKi5T5L1x1NVHkPc5zVXcGUvUFpEd4q4aJWj9xUyskt13fl8V -9BOKc1BJZUdCkxRSt1wF4tlcFs9EVbOoYOT2+KJiaWB59ke+O7HUxnjFzNfPFLO9 -ItgNHhahXrhX22e//B9QhzQ5O29UhXpX0y624DK/e/bj96c6ve5NqDIcZdOyVduT -XiEyfUpP0ZjvwRbS42A1VYs34ELBt5ntUhRvgivXAbBnC19pv/WFurMzaxueQgjh -e/TUX1FWXh8zq5qPvASxkupdo5GOrcjn6a8zTmRPS6V8jVLQmUHMsCsyFcVUECsL -99wet1nlFAloL59Z6Cjj3LkyLpeIG/o4ItGEdw5bAgMBAAGjgbowgbcwDwYDVR0T -AQH/BAUwAwEB/zALBgNVHQ8EBAMCAQYwHQYDVR0OBBYEFBlirZarxvvXjxDEVv9A -YyJCcHYOMHgGA1UdIwRxMG+AFBlirZarxvvXjxDEVv9AYyJCcHYOoUykSjBIMQsw -CQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMV -c3Ryb25nU3dhbiBNb25zdGVyIENBggkAg5FY2u5Lga4wDQYJKoZIhvcNAQENBQAD -ggQBAHcfJo343EP+u0T1DTa3oJbYtqON1F7UdkJcOUxRhp4HFlPEOFxSnHU5Qi2f -hzxWZTQEKI2q62AXdyHDygI44dCpSFZNPcZHdwBl26maMHubv7JXFl7TWupvki57 -71ttz+0wc5iU38g3ktVkrcjzUiqKU2BXnvIuLteOHfnSMGR+JG0v94nYl60EEtZr -/Ru0Orcq93mrQyih4MZMrcssNBI+2HSFmjITBSGAz9G81d/kojtCEsmY37dqpkqO -lOo57HLTUzuMHW1W+c7wCLAl2rhy0xIJ/t5XpNBvPzc7xKZex01A7kKIcUV5vlvj -8+NTuMF4NAZjgtODj0Z3kKsxaIlq0O1+SfubdnHE9pNZPXWm4SSW8w1C+n1+MAA2 -RpK7T1T7BiOQD2fSKsCPvocefiWFOUuHkyRPG5vE0Ob5XH5qT5R3xTq1ta1cpxsA -Rq0s4QHYePZ+gU/7edI7LvZtueOGL4BeR1TSIcbij5+LfFlIjz9ETp3cWc5rxjsm -xBGeHyCslH2EKuufzg5czqmnTdwC4zGNVUyn8c5YUVpOxEZOpnrrGpR7xCHG6n0s -PFpXRuSp6JHSDVCFkJLLrIH0MNmXirgsNLQEOX3WBPeK2hj9X3kzV+iRd5YXqBld -6x1Jnx66iNhJyKHDXfZ84PIZzxaKrDrR35PK3DsZUATx0l56uBWAY3n1Zl5ZrWkd -c66yvP8/WXqO1IctddURFn1ohkkbCVd8ke45ZQoyHIb+cC2gTU53aYNNAZDHh/C/ -MrU7+d5yH29dLjtv+J3JrDwdtBLMZa4RcIOZxhk7MhheNW3K+Q5xpKrdsqourQ2T -vBwEmrfiLHRb+Hk8UbPpDW5m3yaXYmn8bQinkD1BP2ru/f6r4Rj+aAtNvz8ofgAg -RcUcD+jeIDAEWnFCKtHxtp+fLYm5npnwfyCyOID2Lr3K1Z7SpqzoYYq9bfc3AdtL -uHr9RSjdfsuG0l44xESwC2+Pp6rHwvAIPfPgcZiOX1GObytxXexWYCy9g/DKmUVv -inTJNjHpH48ffPmCBE2LoylgBv/dSmf6hQSf5lqsKQ3tKApJv8t0oO6jqyvn+aqs -CTi4WALKhZn9YRKRzcwzYVav1g0fHkrwRQxv8TRM0tYWZ5V01qgumxD3L/37vqDR -8bx9KvgiF3DbP2q8IbVuVMLwjU6xPH+5sWJCS0Cx2haW1oVw7ppd9sgAkj/wxzt8 -9jl/bx3rD3YwoobFvqry0Rhe4J1LidAAKX+E69c4GwoTIe3eqL/TYkis7YIFLjea -cm2lumjrrFcnbZLvDK5S/+kfZ2Flt2QoUznNeTTNY1nAnJSgqOgOocvyYDA9vx6H -d/Fp6btmZH31IEyJrRNVOpCwZPI= ------END CERTIFICATE----- diff --git a/testing/tests/ikev1/after-2038-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/ikev1/after-2038-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem deleted file mode 100644 index e83798c07..000000000 --- a/testing/tests/ikev1/after-2038-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem +++ /dev/null @@ -1,46 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIINTCCBB2gAwIBAgIBAjANBgkqhkiG9w0BAQ0FADBIMQswCQYDVQQGEwJDSDEZ -MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBN -b25zdGVyIENBMB4XDTA5MDMyODE0MDcxNloXDTM5MDMyMTE0MDcxNlowWDELMAkG -A1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xEDAOBgNVBAsTB01v -bnN0ZXIxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dhbi5vcmcwggIiMA0GCSqGSIb3 -DQEBAQUAA4ICDwAwggIKAoICAQC/9647SgAcK/or/Qs/3cRc19po7oex5EBdPR7b -vInAuzrVMK84+ifneBWscVhBnxcUI37D0SpKx0onrdskMOyv5nmkdcgQf8931eip -scNsw8bC8MJsbc5Jfn3DKPurbKK2/uFFE8ot7S65HY9tVBsxKsrjS5YFPE+DKKP+ -BgVk/9hL0Kqq2iKuWTq8YTRMu5iskpLIxqvuz362G46BKoW52pFegeDzpz/Bs/7y -0oWPRcNcuRQR5XFTpF2L3UosniMkr7aYU5Z8s7IqiEx7txGh5SxRB+TYIZwB1ODa -L+bnclQeMsBiFqlO9UI38UaxEQgk/+UhgpaX/DPrZg8KJmjW3e+x8xcwL3ouRLy2 -2Z99WMnV6TlwpTKj24EQJALmLG+UJG+hbV9P9j6Mkql3FHb4aLZH71CvyCqeg2yh -FGiuaGEe8vS9+Dj5LKv8hSbBe/MSQDiPhKT1gb84TiQMsWfxLN7oDXunohnhMZfu -sydB/c/R/ooA5ri+lE5c65bP2Mk+ml61p6z7lJv+DXBDXW/o4v8Imjx2OMsL85LZ -vYWJppdJrThd/m4OVnCXYfuHMZqedsIvNR5blnldATLBjWWbeoKhOyqZb8hZ6HFR -dlJ11LhxnGg9itG385L3Espl+EVcakWBZWrOn5/LGNKZH3UedclEBNci6lSadZaP -/UfRCwIDAQABo4IBGDCCARQwCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0O -BBYEFOQpYirU7vrMZUWDkqDijTPuhPQiMHgGA1UdIwRxMG+AFBlirZarxvvXjxDE -Vv9AYyJCcHYOoUykSjBIMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ry -b25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBNb25zdGVyIENBggkAg5FY2u5L -ga4wHgYDVR0RBBcwFYITbW9vbi5zdHJvbmdzd2FuLm9yZzBBBgNVHR8EOjA4MDag -NKAyhjBodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW4tbW9uc3Rl -ci5jcmwwDQYJKoZIhvcNAQENBQADggQBAAEsjsebEspAIANEBVWRjRpowIJlVSLf -WKzblIPlhClXafHGJbhiamdtS2FmEh/rkzz3Ml+9cJy1KnB1Pn6+4JLSJe5xAywK -lKTT2iY0KDdOsaK5j+CNJ2tW9NrJPxwtIz+nGGqqyyEUPJE1FYxphbLgmwFNBm2o -HyeUVYI+gyfmhyHaXHKOmbsDG0o+pUX2tVOs0KdyU6deaAtEf1E6aA5TpCAi1OZs -pdRDXFUfjdekRkfRr1PZ41Xwk3t6E32YhIE++r7QneQPhXymxVO9nepmpuSoHvlX -Hb4JN2EQ0zCkkkOfqCuF46zVxsR46/3cfKbRsaVmdfGjvmDSCDI47AreluYiPTGA -zN4XN91Y5rPZuT9OJYV4UrYv9N1jH5StVmSz19rbYOeozJXX0PBjdCKHEonD1FHY -xWRpijVUG6NWVLKpvdg3RiFw78wIrNPAeVDvLL+112nbszNDNLSoOJjOUBySHJda -WYFtg2IoAUis9r/o7uykNcC6KiU4Y1nC8PEIhMi4AMA9UgBCn4ixYtHI9jkfHcrD -O1kvPRUo3hKzrhftLYtfiBfTEh+3Xab615lt5vNNhdI7d4knqUXvVdURtvlfJLZv -W0YdvwjJtrVJAiCtX3wyxy72O1ZOG5kHCcK5oHUHg5W172rK9hK4LByk5ESqtc/t -YDG7TmZLtUceV5yK4gz7pwIwXthA8yayRy+lbk8BFxRMfOEfb6rPdm0vvmPpHHDu -yHR5SJTgpGo+/I8N1zS6PNeUBh0RAbSnxHJSMLn+GYTs8s6Atnq05SIuVYxvXyAQ -ULf+ppNN5lngSZHPaOFJNpC1QL1+DdMNueDITVxYx5DV8SkWRPhzS77tsYeUxVGI -IpUVEqSggGe6Q4YWv2smAjSeqaS5HNGxstE+Ybat/cp9QMbLc7gwKxwRQHhVRZ5O -0rVq2bZUyly8y4wX8G8WFMNuCoAcHAdMvKh4JtmdDDZlbxdC2mSVbLSuTBfGvKc1 -ScwOBtSqQkm9PsTMitZM31s97WJLQIZbq82g2ns7hfEXMMIgzcFLYlM1SovbDZI5 -ZM63NBVTaKyj+Gxy8FcAPBPtPWwAQT+Gdi8gFwtcEilTOBECL5y0hzlL9aJpsJEq -4KV5nnM5rutUufiYzQMZqME3g9VWk0kQteVpa4x+4zsKH9lJSSS/y0eCo/jArS8l -HSmzUDkj2cWmf/azdrcig7g/mHeEbKu1JH1X5lRdZekqcRCW6v1OjP025B/5nSnL -WYPUI9RLb01fmPjWdrc4+hPnHjePp8w6tuM6U6huMCwstnOel6d2FL5hOWvXNmIH -I+8zv7SHhIWQmUbC0YQn8BFqvqDC08In5x42YiTe+42YEtafkTkbY8o= ------END CERTIFICATE----- diff --git a/testing/tests/ikev1/after-2038-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/ikev1/after-2038-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem deleted file mode 100644 index 6d39ac084..000000000 --- a/testing/tests/ikev1/after-2038-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem +++ /dev/null @@ -1,51 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIJKAIBAAKCAgEAv/euO0oAHCv6K/0LP93EXNfaaO6HseRAXT0e27yJwLs61TCv -OPon53gVrHFYQZ8XFCN+w9EqSsdKJ63bJDDsr+Z5pHXIEH/Pd9XoqbHDbMPGwvDC -bG3OSX59wyj7q2yitv7hRRPKLe0uuR2PbVQbMSrK40uWBTxPgyij/gYFZP/YS9Cq -qtoirlk6vGE0TLuYrJKSyMar7s9+thuOgSqFudqRXoHg86c/wbP+8tKFj0XDXLkU -EeVxU6Rdi91KLJ4jJK+2mFOWfLOyKohMe7cRoeUsUQfk2CGcAdTg2i/m53JUHjLA -YhapTvVCN/FGsREIJP/lIYKWl/wz62YPCiZo1t3vsfMXMC96LkS8ttmffVjJ1ek5 -cKUyo9uBECQC5ixvlCRvoW1fT/Y+jJKpdxR2+Gi2R+9Qr8gqnoNsoRRormhhHvL0 -vfg4+Syr/IUmwXvzEkA4j4Sk9YG/OE4kDLFn8Sze6A17p6IZ4TGX7rMnQf3P0f6K -AOa4vpROXOuWz9jJPppetaes+5Sb/g1wQ11v6OL/CJo8djjLC/OS2b2FiaaXSa04 -Xf5uDlZwl2H7hzGannbCLzUeW5Z5XQEywY1lm3qCoTsqmW/IWehxUXZSddS4cZxo -PYrRt/OS9xLKZfhFXGpFgWVqzp+fyxjSmR91HnXJRATXIupUmnWWj/1H0QsCAwEA -AQKCAgAn3928CQH+2A+uBXDJwlngYyHF/A4JoHzSITkAsaf3dayhzewHrMaPKP1v -hVeswcv8becN66uaPs0jctR7LwJrAzevNpvo+XNx0+fxH7CVLhFiOrpX5XMdBv4+ -hIvKLtWZp1XJkHPFmGfFIePB9N91FgtwrSmrSrzFZLKzuDJ0qUQXc2+P76GWj4hI -yvQfIDR1XDjLJaFfCJCsaQrvv5JpaYIanGXKlqoCpU3GyH3fpcEPyI3nrb4dfp3D -yKJ4pBxuqWUHPQ2cN4NBnHAunnc2JrFO35HkZw7Nvpc6GwsedjwMzcPyW/ytHvqz -PhXN/9iuPs0sacC4LzXlppxnIlVSOCoLUpyoe8zXxDJBLsU7d+zDnXZ/1guviHz+ -x4RsEKjlXcvsvnZGAy0pUzOEXIfmWOOSlA7iqkbPNud9nBS4YnOtiZIowLj6893k -rN1GQ/jw7szBkNh5vjdZT7HAIhlBwyQI3hRJX/h0hdUPNiPW4/j9W94JWcRxk0tO -vZq7mcTtJ8OFlsNyO12KgFIjT+Gwz7tmNrN+Of98pOt9jRN7hhxY8sQosmW1nePZ -HuWR52CVShXX/N2d/09hwf48xjYBjF3Mjxc8ySIyERdcWqsWx3j5WaB8rEAAuMcF -/gY5bb4Oc1MAUtX8aMidvKfVW0Owapj/ApgyOmGbO6YEQCKSIQKCAQEA6hbs2JoD -8u9sCaabRKNxqnjzXzB7JrR1PKyOjp3Iiku29W1VQ/TMRUpO63LsE3lbv/3RIvi1 -wZN/dFhWC9wOY85iDUci5ZI0QcZA0OIQ/uetrE5/FBOmH9MVIQEXnGHSNPHUWMqk -EBrykyt+7RMEb7Kldm0V57MesO1FA0y81+UCJP01KZM0D7Nq1Eb6GfNLENah3Fk2 -wHk6g36O1nMAEyjHvS+ht8C0rzNXIqCnkeAuxxAfJde9TYpuW7oCt1JEeh2VAmOO -7QESq2x0OrPKLCUs00y5k0I9eqvAaQfCC6EcdiX7FyAfX5n5Vf5FbfbWhf9oheno -CQ0uai4v1uqX2wKCAQEA0e91hlukBO2InB9j+54R3XA0buCr/eQFqJ4sAjgL9GCk -n09tfytH/nLPw/g/l7snyVmGW3uZfmkOqnTP9Yfbx1dU0pPRN11qM9QG6YH+Odkv -D+LpRnYRjj7QxQJQbGy+2IZN8cmtpJQziSmQMNZU/YoDpq7wYNVhwnP0Z3ZgUo3d -GfRPbGw951dOAK0Z6S61+mXSQE9JhZBo49zOrmkgLa1fmLfJoukmz4MTZqoWFffq -+1Q4vdYgRS8ToT2Rmba+7s4UAmVKyACEw8WEyjH3TXxd6tQy/smzcD0Vgg7Ghvg7 -Vs5ion9HcqDEcQ1YWvMDWPD/x4fyVgu4v2QW/k/KkQKCAQBPb04ZxlG2u1YfBEFG -DmyA26BCWfJAVRY/a5LIhHRLsZu5NsurTsOOc8PKE+pWRWVEBj5Urq8GrCWg9mTk -i1z6s0sElHIcEvvWog7WkxAPX9DIWq62wmAqBnfyBivb7jnlq3ZSVxlLOcm89RKS -IlTsDmQlhqjbQiYVBb7Yes7OODD9GktS+1e8SDblJ9ywt6VuZlbwrfltYPXhLy4L -SWTqG3mEEki/UQ4/MZ3M61VRpBBbjnXzYn0jdekzCTDowmroQWeSMvSKKkYKk7fx -P5dIWakXXr7OYLj6CpQ1T+OiDJ7a3NKSq1zaFSbN7oXi5dMwD1aJsrEBeU6Zy2iC -doLnAoIBAQCzC716J7JNmaCHNqZ5NKkb6NRvNCK72LuSwcPa6J4ZgEsmrAFBElLG -inj0NEdYSwB102qpn1Kb41HkwteSGpqw+qSXLAalZ4BqT4zNnlaKU9a1f9tggtYa -MSywuXaJ4n0qAfF8I3t7AAKsGsylOkcmLY1LnavZimNkCq0JiIZCIkfOGPWcDP0G -zwjxvrB4laQSuMCGpJiZ1z3+CJYlXfdZvaHoh+bqkFrPZIUpbCqF9fls/Lmf/n1r -Q+lD/VSuepOA7DVYjbcnuHmC1nSYVeELLuSSoQQVFUV6lj4/vAZJmnBRapfo6xCu -jLq9iJowh031jyU2sZVXGYwpf12066xhAoIBADCtIvqwfy9pcqYs8PQMQTbDuz3G -ZCe3E5SLJ00gk/PBVJihOYvdKgwoZAyWdWxOPDKzBJAaJBgpmpWKeX3k92HgLxyi -50zKogbCc49mz2c6kRC13SviPAjO1XuM+FKo50AICenauu21/ZeMYuLt9gxnhEo5 -kkIYhD0irfTw5MMEKITAs71iB74Lxm9gv/+jOwsgoP23k562NHnIvPdbDzbR/ROD -xb/3DsGbB4kmUXoLlWxradiZGczPddki+bMI4meMs8oH+XP14KyGqWC8LSuBDg8Y -fADibXSIAHobiN+KhDtWz9Wnhtch9C8Q5+JDjixdspcn4lkMdMK532v/FBM= ------END RSA PRIVATE KEY----- diff --git a/testing/tests/ikev1/after-2038-certs/posttest.dat b/testing/tests/ikev1/after-2038-certs/posttest.dat deleted file mode 100644 index 94a400606..000000000 --- a/testing/tests/ikev1/after-2038-certs/posttest.dat +++ /dev/null @@ -1,4 +0,0 @@ -moon::ipsec stop -carol::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev1/after-2038-certs/pretest.dat b/testing/tests/ikev1/after-2038-certs/pretest.dat deleted file mode 100644 index 4921d5097..000000000 --- a/testing/tests/ikev1/after-2038-certs/pretest.dat +++ /dev/null @@ -1,6 +0,0 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null -moon::ipsec start -carol::ipsec start -carol::sleep 1 -carol::ipsec up home diff --git a/testing/tests/ikev1/after-2038-certs/test.conf b/testing/tests/ikev1/after-2038-certs/test.conf deleted file mode 100644 index 9cd583b16..000000000 --- a/testing/tests/ikev1/after-2038-certs/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# UML instances used for this test - -# All UML instances that are required for this test -# -UMLHOSTS="alice moon carol winnetou" - -# Corresponding block diagram -# -DIAGRAM="a-m-c-w.png" - -# UML instances on which tcpdump is to be started -# -TCPDUMPHOSTS="moon" - -# UML instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev1/alg-3des-md5/description.txt b/testing/tests/ikev1/alg-3des-md5/description.txt new file mode 100644 index 000000000..4c39d0b04 --- /dev/null +++ b/testing/tests/ikev1/alg-3des-md5/description.txt @@ -0,0 +1,4 @@ +Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite +<b>3DES_CBC / HMAC_MD5_96</b> by defining <b>esp=3des-md5-modp1024!</b> +in ipsec.conf. The same cipher suite is used for IKE. +A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel. diff --git a/testing/tests/ikev1/alg-3des-md5/evaltest.dat b/testing/tests/ikev1/alg-3des-md5/evaltest.dat new file mode 100644 index 000000000..abd29e97e --- /dev/null +++ b/testing/tests/ikev1/alg-3des-md5/evaltest.dat @@ -0,0 +1,15 @@ +moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw.*INSTALLED::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED::YES +moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024::YES +carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024::YES +carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES +moon:: ipsec statusall 2> /dev/null::rw.*3DES_CBC/HMAC_MD5_96,::YES +carol::ipsec statusall 2> /dev/null::home.*3DES_CBC/HMAC_MD5_96,::YES +moon:: ip xfrm state::enc cbc(des3_ede)::YES +carol::ip xfrm state::enc cbc(des3_ede)::YES +moon:: ip xfrm state::auth-trunc hmac(md5)::YES +carol::ip xfrm state::auth-trunc hmac(md5)::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 180::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 180::YES diff --git a/testing/tests/ikev1/alg-3des-md5/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/alg-3des-md5/hosts/carol/etc/ipsec.conf new file mode 100644 index 000000000..11874bbe4 --- /dev/null +++ b/testing/tests/ikev1/alg-3des-md5/hosts/carol/etc/ipsec.conf @@ -0,0 +1,22 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + ike=3des-md5-modp1024! + esp=3des-md5-modp1024! + +conn home + left=PH_IP_CAROL + leftfirewall=yes + leftcert=carolCert.pem + leftid=carol@strongswan.org + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ikev1/alg-3des-md5/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/alg-3des-md5/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..dc937641c --- /dev/null +++ b/testing/tests/ikev1/alg-3des-md5/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ikev1/crl-to-cache/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/alg-3des-md5/hosts/moon/etc/ipsec.conf index 0b9f891bd..41fb1f7db 100755..100644 --- a/testing/tests/ikev1/crl-to-cache/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/alg-3des-md5/hosts/moon/etc/ipsec.conf @@ -1,10 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug=control - crlcheckinterval=180 - cachecrls=yes - charonstart=no conn %default ikelifetime=60m @@ -12,11 +8,14 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev1 + ike=3des-md5-modp1024! + esp=3des-md5-modp1024! + +conn rw left=PH_IP_MOON + leftfirewall=yes leftcert=moonCert.pem leftid=@moon.strongswan.org - -conn rw leftsubnet=10.1.0.0/16 right=%any auto=add diff --git a/testing/tests/ikev1/alg-3des-md5/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/alg-3des-md5/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..dc937641c --- /dev/null +++ b/testing/tests/ikev1/alg-3des-md5/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ikev1/alg-3des-md5/posttest.dat b/testing/tests/ikev1/alg-3des-md5/posttest.dat new file mode 100644 index 000000000..046d4cfdc --- /dev/null +++ b/testing/tests/ikev1/alg-3des-md5/posttest.dat @@ -0,0 +1,4 @@ +moon::ipsec stop +carol::ipsec stop +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev1/alg-3des-md5/pretest.dat b/testing/tests/ikev1/alg-3des-md5/pretest.dat new file mode 100644 index 000000000..4fc25772b --- /dev/null +++ b/testing/tests/ikev1/alg-3des-md5/pretest.dat @@ -0,0 +1,6 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +moon::ipsec start +carol::ipsec start +carol::sleep 1 +carol::ipsec up home diff --git a/testing/tests/ikev1/alg-3des-md5/test.conf b/testing/tests/ikev1/alg-3des-md5/test.conf new file mode 100644 index 000000000..4a5fc470f --- /dev/null +++ b/testing/tests/ikev1/alg-3des-md5/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev1/alg-blowfish/description.txt b/testing/tests/ikev1/alg-blowfish/description.txt index 7b14287f7..24b50b909 100644 --- a/testing/tests/ikev1/alg-blowfish/description.txt +++ b/testing/tests/ikev1/alg-blowfish/description.txt @@ -1,4 +1,6 @@ -Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the strong cipher suite -<b>BLOWFISH_CBC_256 / HMAC_SHA2_512 / MODP_4096</b> for the IKE protocol and -<b>BLOWFISH_CBC_256 / HMAC_SHA2_512</b> for ESP packets. A ping from <b>carol</b> to -<b>alice</b> successfully checks the established tunnel. +The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each +to gateway <b>moon</b> using <b>Blowfish</b> for both IKE and ESP +encryption. Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b> +automatically inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping +the client <b>alice</b> behind the gateway <b>moon</b>. diff --git a/testing/tests/ikev1/alg-blowfish/evaltest.dat b/testing/tests/ikev1/alg-blowfish/evaltest.dat index 4ea613d3d..cd83c56b4 100644 --- a/testing/tests/ikev1/alg-blowfish/evaltest.dat +++ b/testing/tests/ikev1/alg-blowfish/evaltest.dat @@ -1,11 +1,17 @@ -carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES -moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES -carol::ipsec statusall::IKE proposal: BLOWFISH_CBC_256/HMAC_SHA2_512/MODP_4096::YES -moon::ipsec statusall::IKE proposal: BLOWFISH_CBC_256/HMAC_SHA2_512/MODP_4096::YES -carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES -carol::ipsec statusall::ESP proposal: BLOWFISH_CBC_256/HMAC_SHA2_512::YES -moon::ipsec statusall::ESP proposal: BLOWFISH_CBC_256/HMAC_SHA2_512::YES -carol::ip xfrm state::enc cbc(blowfish)::YES -moon::ip xfrm state::enc cbc(blowfish)::YES -moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 200::YES -moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 200::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES +carol::ipsec statusall 2> /dev/null::IKE proposal: BLOWFISH_CBC_256/HMAC_SHA2_512_256::YES +dave:: ipsec statusall 2> /dev/null::IKE proposal: BLOWFISH_CBC_128/HMAC_SHA2_256_128::YES +carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES +dave:: ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES +carol::ipsec statusall 2> /dev/null::BLOWFISH_CBC_192/HMAC_SHA2_384_192,::YES +dave:: ipsec statusall 2> /dev/null::BLOWFISH_CBC_128/HMAC_SHA2_256_128,::YES +carol::ip -s xfrm state::enc cbc(blowfish).*(192 bits)::YES +dave:: ip -s xfrm state::enc cbc(blowfish).*(128 bits)::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 192::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 192::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP.*length 184::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP.*length 184::YES + diff --git a/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/ipsec.conf index 57394c27a..db409be43 100755..100644 --- a/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/ipsec.conf @@ -1,10 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug="control crypt" - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no conn %default ikelifetime=60m @@ -12,14 +8,15 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev1 - ike=blowfish256-sha2_512-modp4096! - esp=blowfish256-sha2_512! + ike=blowfish256-sha512-modp2048! + esp=blowfish192-sha384! conn home left=PH_IP_CAROL leftcert=carolCert.pem leftid=carol@strongswan.org + leftfirewall=yes right=PH_IP_MOON - rightsubnet=10.1.0.0/16 rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 auto=add diff --git a/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/strongswan.conf index 4dbdc67b3..1f0fd41a8 100644 --- a/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/strongswan.conf @@ -1,11 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file -pluto { - load = sha1 sha2 md5 aes des blowfish hmac pem pkcs1 x509 gmp random curl kernel-netlink -} - -# pluto uses optimized DH exponent sizes (RFC 3526) - -libstrongswan { +charon { dh_exponent_ansi_x9_42 = no + load = aes des blowfish md5 sha1 sha2 pem pkcs1 gmp curl random nonce x509 revocation hmac stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev1/mode-config/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/alg-blowfish/hosts/dave/etc/ipsec.conf index 726998e19..fd3343c1a 100755..100644 --- a/testing/tests/ikev1/mode-config/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev1/alg-blowfish/hosts/dave/etc/ipsec.conf @@ -1,10 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no conn %default ikelifetime=60m @@ -12,18 +8,15 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev1 + ike=blowfish128-sha256-modp1536! + esp=blowfish128-sha256! conn home left=PH_IP_DAVE - leftsourceip=%modeconfig leftcert=daveCert.pem leftid=dave@strongswan.org leftfirewall=yes right=PH_IP_MOON - rightsubnet=10.1.0.0/16 rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 auto=add - - - - diff --git a/testing/tests/ikev1/alg-blowfish/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/alg-blowfish/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..1f0fd41a8 --- /dev/null +++ b/testing/tests/ikev1/alg-blowfish/hosts/dave/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + dh_exponent_ansi_x9_42 = no + load = aes des blowfish md5 sha1 sha2 pem pkcs1 gmp curl random nonce x509 revocation hmac stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/ipsec.conf index 427c5d180..f3c84ece8 100755..100644 --- a/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/ipsec.conf @@ -1,10 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug="control crypt" - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no conn %default ikelifetime=60m @@ -12,14 +8,14 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev1 - ike=blowfish256-sha2_512-modp4096! - esp=blowfish256-sha2_512! + ike=blowfish256-sha512-modp2048,blowfish128-sha256-modp1536! + esp=blowfish192-sha384,blowfish128-sha256! conn rw left=PH_IP_MOON leftcert=moonCert.pem leftid=@moon.strongswan.org leftsubnet=10.1.0.0/16 + leftfirewall=yes right=%any - rightid=carol@strongswan.org auto=add diff --git a/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/strongswan.conf index 4dbdc67b3..1f0fd41a8 100644 --- a/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/strongswan.conf @@ -1,11 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file -pluto { - load = sha1 sha2 md5 aes des blowfish hmac pem pkcs1 x509 gmp random curl kernel-netlink -} - -# pluto uses optimized DH exponent sizes (RFC 3526) - -libstrongswan { +charon { dh_exponent_ansi_x9_42 = no + load = aes des blowfish md5 sha1 sha2 pem pkcs1 gmp curl random nonce x509 revocation hmac stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev1/alg-blowfish/posttest.dat b/testing/tests/ikev1/alg-blowfish/posttest.dat index c6d6235f9..1865a1c60 100644 --- a/testing/tests/ikev1/alg-blowfish/posttest.dat +++ b/testing/tests/ikev1/alg-blowfish/posttest.dat @@ -1,2 +1,6 @@ moon::ipsec stop carol::ipsec stop +dave::ipsec stop +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev1/alg-blowfish/pretest.dat b/testing/tests/ikev1/alg-blowfish/pretest.dat index 5e1e80e1d..8bbea1412 100644 --- a/testing/tests/ikev1/alg-blowfish/pretest.dat +++ b/testing/tests/ikev1/alg-blowfish/pretest.dat @@ -1,6 +1,9 @@ -moon::echo 1 > /proc/sys/net/ipv4/ip_forward -carol::ipsec start +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules moon::ipsec start -carol::sleep 2 -carol::ipsec up home +carol::ipsec start +dave::ipsec start carol::sleep 1 +carol::ipsec up home +dave::ipsec up home diff --git a/testing/tests/ikev1/alg-blowfish/test.conf b/testing/tests/ikev1/alg-blowfish/test.conf index 6abbb89a9..f29298850 100644 --- a/testing/tests/ikev1/alg-blowfish/test.conf +++ b/testing/tests/ikev1/alg-blowfish/test.conf @@ -1,22 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon carol winnetou" +VIRTHOSTS="alice moon carol winnetou dave" # Corresponding block diagram # -DIAGRAM="a-m-c-w.png" +DIAGRAM="a-m-c-w-d.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # -IPSECHOSTS="moon carol" - +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev1/alg-modp-subgroup/evaltest.dat b/testing/tests/ikev1/alg-modp-subgroup/evaltest.dat index 0f71ba5f5..8230ee30c 100644 --- a/testing/tests/ikev1/alg-modp-subgroup/evaltest.dat +++ b/testing/tests/ikev1/alg-modp-subgroup/evaltest.dat @@ -1,11 +1,15 @@ -moon::cat /var/log/auth.log::MODP_2048_224.*refused due to strict flag::YES -moon::ipsec statusall::IPsec SA established::YES -carol::ipsec statusall::IPsec SA established::YES -carol::ipsec statusall::IKE proposal: AES_CBC_128/HMAC_SHA1/MODP_1024_160::YES -dave::ipsec statusall::IPsec SA established::YES -dave::ipsec statusall::IKE proposal: AES_CBC_128/HMAC_SHA2_256/MODP_2048_256::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES +carol::ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024_160::YES +dave:: ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048_256::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ikev1/alg-modp-subgroup/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/alg-modp-subgroup/hosts/carol/etc/ipsec.conf index 944524020..15b6ec831 100755..100644 --- a/testing/tests/ikev1/alg-modp-subgroup/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/alg-modp-subgroup/hosts/carol/etc/ipsec.conf @@ -1,10 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - plutodebug=control conn %default ikelifetime=60m diff --git a/testing/tests/ikev1/alg-modp-subgroup/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/alg-modp-subgroup/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..dc937641c --- /dev/null +++ b/testing/tests/ikev1/alg-modp-subgroup/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ikev1/alg-modp-subgroup/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/alg-modp-subgroup/hosts/dave/etc/ipsec.conf index a9de84e91..b3f765477 100755..100644 --- a/testing/tests/ikev1/alg-modp-subgroup/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev1/alg-modp-subgroup/hosts/dave/etc/ipsec.conf @@ -1,10 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - plutodebug=control conn %default ikelifetime=60m diff --git a/testing/tests/ikev1/alg-modp-subgroup/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/alg-modp-subgroup/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..dc937641c --- /dev/null +++ b/testing/tests/ikev1/alg-modp-subgroup/hosts/dave/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ikev1/alg-modp-subgroup/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/alg-modp-subgroup/hosts/moon/etc/ipsec.conf index 424f78bb4..192df5abd 100755..100644 --- a/testing/tests/ikev1/alg-modp-subgroup/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/alg-modp-subgroup/hosts/moon/etc/ipsec.conf @@ -1,10 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - plutodebug=control conn %default ikelifetime=60m diff --git a/testing/tests/ikev1/alg-modp-subgroup/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/alg-modp-subgroup/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..dc937641c --- /dev/null +++ b/testing/tests/ikev1/alg-modp-subgroup/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ikev1/alg-modp-subgroup/posttest.dat b/testing/tests/ikev1/alg-modp-subgroup/posttest.dat index 7cebd7f25..1865a1c60 100644 --- a/testing/tests/ikev1/alg-modp-subgroup/posttest.dat +++ b/testing/tests/ikev1/alg-modp-subgroup/posttest.dat @@ -1,6 +1,6 @@ moon::ipsec stop carol::ipsec stop dave::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null -dave::/etc/init.d/iptables stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev1/alg-modp-subgroup/pretest.dat b/testing/tests/ikev1/alg-modp-subgroup/pretest.dat index 42e9d7c24..8bbea1412 100644 --- a/testing/tests/ikev1/alg-modp-subgroup/pretest.dat +++ b/testing/tests/ikev1/alg-modp-subgroup/pretest.dat @@ -1,6 +1,6 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null -dave::/etc/init.d/iptables start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start dave::ipsec start diff --git a/testing/tests/ikev1/alg-modp-subgroup/test.conf b/testing/tests/ikev1/alg-modp-subgroup/test.conf index 70416826e..f29298850 100644 --- a/testing/tests/ikev1/alg-modp-subgroup/test.conf +++ b/testing/tests/ikev1/alg-modp-subgroup/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon carol winnetou dave" +VIRTHOSTS="alice moon carol winnetou dave" # Corresponding block diagram # DIAGRAM="a-m-c-w-d.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev1/alg-sha256-96/description.txt b/testing/tests/ikev1/alg-sha256-96/description.txt deleted file mode 100644 index c5ab23e51..000000000 --- a/testing/tests/ikev1/alg-sha256-96/description.txt +++ /dev/null @@ -1,5 +0,0 @@ -Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite -<b>AES_CBC_128 / HMAC_SHA2_256_96</b> with 96 bit instead of the standard 128 bit -truncation, allowing compatibility with Linux kernels older than 2.6.33 -by defining <b>esp=aes128-sha256_96!</b> in ipsec.conf. -A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel. diff --git a/testing/tests/ikev1/alg-sha256-96/evaltest.dat b/testing/tests/ikev1/alg-sha256-96/evaltest.dat deleted file mode 100644 index 6e8715b1f..000000000 --- a/testing/tests/ikev1/alg-sha256-96/evaltest.dat +++ /dev/null @@ -1,12 +0,0 @@ -carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES -moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES -carol::ipsec statusall::IKE proposal: AES_CBC_128/HMAC_SHA2_256/MODP_2048::YES -moon::ipsec statusall::IKE proposal: AES_CBC_128/HMAC_SHA2_256/MODP_2048::YES -carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES -carol::ipsec statusall::ESP proposal: AES_CBC_128/HMAC_SHA2_256::YES -moon::ipsec statusall::ESP proposal: AES_CBC_128/HMAC_SHA2_256::YES -carol::ip xfrm state::auth hmac(sha256)::YES -moon::ip xfrm state::auth hmac(sha256)::YES -moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 196::YES -moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 196::YES - diff --git a/testing/tests/ikev1/alg-sha256-96/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/alg-sha256-96/hosts/carol/etc/ipsec.conf deleted file mode 100755 index 2d6f87b17..000000000 --- a/testing/tests/ikev1/alg-sha256-96/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,25 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug="control crypt" - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - ike=aes128-sha256-modp2048! - esp=aes128-sha256_96! - -conn home - left=PH_IP_CAROL - leftcert=carolCert.pem - leftid=carol@strongswan.org - right=PH_IP_MOON - rightsubnet=10.1.0.0/16 - rightid=@moon.strongswan.org - auto=add diff --git a/testing/tests/ikev1/alg-sha256-96/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/alg-sha256-96/hosts/moon/etc/ipsec.conf deleted file mode 100755 index b2a686db0..000000000 --- a/testing/tests/ikev1/alg-sha256-96/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,25 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug="control crypt" - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - ike=aes128-sha256-modp2048! - esp=aes128-sha256_96! - -conn rw - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=10.1.0.0/16 - right=%any - rightid=carol@strongswan.org - auto=add diff --git a/testing/tests/ikev1/alg-sha256-96/pretest.dat b/testing/tests/ikev1/alg-sha256-96/pretest.dat deleted file mode 100644 index 7d077c126..000000000 --- a/testing/tests/ikev1/alg-sha256-96/pretest.dat +++ /dev/null @@ -1,5 +0,0 @@ -moon::echo 1 > /proc/sys/net/ipv4/ip_forward -carol::ipsec start -moon::ipsec start -carol::sleep 2 -carol::ipsec up home diff --git a/testing/tests/ikev1/alg-sha256-96/test.conf b/testing/tests/ikev1/alg-sha256-96/test.conf deleted file mode 100644 index 6abbb89a9..000000000 --- a/testing/tests/ikev1/alg-sha256-96/test.conf +++ /dev/null @@ -1,22 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# UML instances used for this test - -# All UML instances that are required for this test -# -UMLHOSTS="alice moon carol winnetou" - -# Corresponding block diagram -# -DIAGRAM="a-m-c-w.png" - -# UML instances on which tcpdump is to be started -# -TCPDUMPHOSTS="moon" - -# UML instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol" - diff --git a/testing/tests/ikev1/alg-sha256/description.txt b/testing/tests/ikev1/alg-sha256/description.txt index 628101921..826a8f10b 100644 --- a/testing/tests/ikev1/alg-sha256/description.txt +++ b/testing/tests/ikev1/alg-sha256/description.txt @@ -1,4 +1,4 @@ -Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the cipher suite -<b>AES_CBC_128 / HMAC_SHA2_256 / MODP_2048</b> for the IKE protocol and -<b>AES_CBC_128 / HMAC_SHA2_256</b> for ESP packets. A ping from <b>carol</b> to -<b>alice</b> successfully checks the established tunnel. +Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite +<b>AES_CBC_128 / HMAC_SHA2_256_128</b> by defining <b>esp=aes128-sha256-modp2048!</b> +in ipsec.conf. The same cipher suite is used for IKE. +A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel. diff --git a/testing/tests/ikev1/alg-sha256/evaltest.dat b/testing/tests/ikev1/alg-sha256/evaltest.dat index 00fcb8862..eba856742 100644 --- a/testing/tests/ikev1/alg-sha256/evaltest.dat +++ b/testing/tests/ikev1/alg-sha256/evaltest.dat @@ -1,12 +1,13 @@ -carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES -moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES -carol::ipsec statusall::IKE proposal: AES_CBC_128/HMAC_SHA2_256/MODP_2048::YES -moon::ipsec statusall::IKE proposal: AES_CBC_128/HMAC_SHA2_256/MODP_2048::YES -carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES -carol::ipsec statusall::ESP proposal: AES_CBC_128/HMAC_SHA2_256::YES -moon::ipsec statusall::ESP proposal: AES_CBC_128/HMAC_SHA2_256::YES -carol::ip xfrm state::auth hmac(sha256)::YES -moon::ip xfrm state::auth hmac(sha256)::YES +moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES +carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES +carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES +moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_128/HMAC_SHA2_256_128,::YES +carol::ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA2_256_128,::YES +moon:: ip xfrm state::auth-trunc hmac(sha256)::YES +carol::ip xfrm state::auth-trunc hmac(sha256)::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 200::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 200::YES - diff --git a/testing/tests/ikev1/alg-sha256/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/alg-sha256/hosts/carol/etc/ipsec.conf index 66476b83e..73e25710b 100755..100644 --- a/testing/tests/ikev1/alg-sha256/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/alg-sha256/hosts/carol/etc/ipsec.conf @@ -1,10 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug="control crypt" - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no conn %default ikelifetime=60m @@ -13,13 +9,14 @@ conn %default keyingtries=1 keyexchange=ikev1 ike=aes128-sha256-modp2048! - esp=aes128-sha256! + esp=aes128-sha256-modp2048! conn home left=PH_IP_CAROL + leftfirewall=yes leftcert=carolCert.pem leftid=carol@strongswan.org right=PH_IP_MOON rightsubnet=10.1.0.0/16 rightid=@moon.strongswan.org - auto=add + auto=add diff --git a/testing/tests/ikev1/alg-sha256/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/alg-sha256/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..dc937641c --- /dev/null +++ b/testing/tests/ikev1/alg-sha256/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ikev1/alg-sha256/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/alg-sha256/hosts/moon/etc/ipsec.conf index 2b97ff4f3..0a6f48e69 100755..100644 --- a/testing/tests/ikev1/alg-sha256/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/alg-sha256/hosts/moon/etc/ipsec.conf @@ -1,10 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug="control crypt" - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no conn %default ikelifetime=60m @@ -13,13 +9,13 @@ conn %default keyingtries=1 keyexchange=ikev1 ike=aes128-sha256-modp2048! - esp=aes128-sha256! + esp=aes128-sha256-modp2048! conn rw left=PH_IP_MOON + leftfirewall=yes leftcert=moonCert.pem leftid=@moon.strongswan.org leftsubnet=10.1.0.0/16 right=%any - rightid=carol@strongswan.org auto=add diff --git a/testing/tests/ikev1/alg-sha256/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/alg-sha256/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..dc937641c --- /dev/null +++ b/testing/tests/ikev1/alg-sha256/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ikev1/alg-sha256/posttest.dat b/testing/tests/ikev1/alg-sha256/posttest.dat index c6d6235f9..046d4cfdc 100644 --- a/testing/tests/ikev1/alg-sha256/posttest.dat +++ b/testing/tests/ikev1/alg-sha256/posttest.dat @@ -1,2 +1,4 @@ moon::ipsec stop carol::ipsec stop +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev1/alg-sha256/pretest.dat b/testing/tests/ikev1/alg-sha256/pretest.dat index 7d077c126..4fc25772b 100644 --- a/testing/tests/ikev1/alg-sha256/pretest.dat +++ b/testing/tests/ikev1/alg-sha256/pretest.dat @@ -1,5 +1,6 @@ -moon::echo 1 > /proc/sys/net/ipv4/ip_forward -carol::ipsec start +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules moon::ipsec start -carol::sleep 2 +carol::ipsec start +carol::sleep 1 carol::ipsec up home diff --git a/testing/tests/ikev1/alg-sha256/test.conf b/testing/tests/ikev1/alg-sha256/test.conf index 6abbb89a9..4a5fc470f 100644 --- a/testing/tests/ikev1/alg-sha256/test.conf +++ b/testing/tests/ikev1/alg-sha256/test.conf @@ -1,22 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon carol winnetou" +VIRTHOSTS="alice moon carol winnetou" # Corresponding block diagram # DIAGRAM="a-m-c-w.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol" - diff --git a/testing/tests/ikev1/alg-sha384/description.txt b/testing/tests/ikev1/alg-sha384/description.txt index 251e2e6a2..2255fe8fb 100644 --- a/testing/tests/ikev1/alg-sha384/description.txt +++ b/testing/tests/ikev1/alg-sha384/description.txt @@ -1,4 +1,4 @@ -Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the cipher suite -<b>AES_CBC_192 / HMAC_SHA2_384 / MODP_3072</b> for the IKE protocol and -<b>AES_CBC_192 / HMAC_SHA2_384</b> for ESP packets. A ping from <b>carol</b> to -<b>alice</b> successfully checks the established tunnel. +Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite +<b>AES_CBC_192 / HMAC_SHA2_384_192</b> by defining <b>esp=aes192-sha384-modp3072!</b> +in ipsec.conf. The same cipher suite is used for IKE. +A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel. diff --git a/testing/tests/ikev1/alg-sha384/evaltest.dat b/testing/tests/ikev1/alg-sha384/evaltest.dat index 4da5ec5e7..3b24217c5 100644 --- a/testing/tests/ikev1/alg-sha384/evaltest.dat +++ b/testing/tests/ikev1/alg-sha384/evaltest.dat @@ -1,12 +1,13 @@ -carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES -moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES -carol::ipsec statusall::IKE proposal: AES_CBC_192/HMAC_SHA2_384/MODP_3072::YES -moon::ipsec statusall::IKE proposal: AES_CBC_192/HMAC_SHA2_384/MODP_3072::YES -carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES -carol::ipsec statusall::ESP proposal: AES_CBC_192/HMAC_SHA2_384::YES -moon::ipsec statusall::ESP proposal: AES_CBC_192/HMAC_SHA2_384::YES -carol::ip xfrm state::auth hmac(sha384)::YES -moon::ip xfrm state::auth hmac(sha384)::YES +moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_3072::YES +carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_3072::YES +carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES +moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_192/HMAC_SHA2_384_192,::YES +carol::ipsec statusall 2> /dev/null::home.*AES_CBC_192/HMAC_SHA2_384_192,::YES +moon:: ip xfrm state::auth-trunc hmac(sha384)::YES +carol::ip xfrm state::auth-trunc hmac(sha384)::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 208::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 208::YES - diff --git a/testing/tests/ikev1/alg-sha384/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/alg-sha384/hosts/carol/etc/ipsec.conf index 42df1dccd..6f1519f2c 100755..100644 --- a/testing/tests/ikev1/alg-sha384/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/alg-sha384/hosts/carol/etc/ipsec.conf @@ -1,10 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug="control crypt" - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no conn %default ikelifetime=60m @@ -13,13 +9,14 @@ conn %default keyingtries=1 keyexchange=ikev1 ike=aes192-sha384-modp3072! - esp=aes192-sha384! + esp=aes192-sha384-modp3072! conn home left=PH_IP_CAROL + leftfirewall=yes leftcert=carolCert.pem leftid=carol@strongswan.org right=PH_IP_MOON rightsubnet=10.1.0.0/16 rightid=@moon.strongswan.org - auto=add + auto=add diff --git a/testing/tests/ikev1/alg-sha384/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/alg-sha384/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..dc937641c --- /dev/null +++ b/testing/tests/ikev1/alg-sha384/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ikev1/alg-sha384/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/alg-sha384/hosts/moon/etc/ipsec.conf index a75d370aa..919ee9b09 100755..100644 --- a/testing/tests/ikev1/alg-sha384/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/alg-sha384/hosts/moon/etc/ipsec.conf @@ -1,10 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug="control crypt" - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no conn %default ikelifetime=60m @@ -13,13 +9,13 @@ conn %default keyingtries=1 keyexchange=ikev1 ike=aes192-sha384-modp3072! - esp=aes192-sha384! + esp=aes192-sha384-modp3072! conn rw left=PH_IP_MOON + leftfirewall=yes leftcert=moonCert.pem leftid=@moon.strongswan.org leftsubnet=10.1.0.0/16 right=%any - rightid=carol@strongswan.org auto=add diff --git a/testing/tests/ikev1/alg-sha384/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/alg-sha384/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..dc937641c --- /dev/null +++ b/testing/tests/ikev1/alg-sha384/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ikev1/alg-sha384/posttest.dat b/testing/tests/ikev1/alg-sha384/posttest.dat index c6d6235f9..046d4cfdc 100644 --- a/testing/tests/ikev1/alg-sha384/posttest.dat +++ b/testing/tests/ikev1/alg-sha384/posttest.dat @@ -1,2 +1,4 @@ moon::ipsec stop carol::ipsec stop +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev1/alg-sha384/pretest.dat b/testing/tests/ikev1/alg-sha384/pretest.dat index 7d077c126..4fc25772b 100644 --- a/testing/tests/ikev1/alg-sha384/pretest.dat +++ b/testing/tests/ikev1/alg-sha384/pretest.dat @@ -1,5 +1,6 @@ -moon::echo 1 > /proc/sys/net/ipv4/ip_forward -carol::ipsec start +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules moon::ipsec start -carol::sleep 2 +carol::ipsec start +carol::sleep 1 carol::ipsec up home diff --git a/testing/tests/ikev1/alg-sha384/test.conf b/testing/tests/ikev1/alg-sha384/test.conf index 6abbb89a9..4a5fc470f 100644 --- a/testing/tests/ikev1/alg-sha384/test.conf +++ b/testing/tests/ikev1/alg-sha384/test.conf @@ -1,22 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon carol winnetou" +VIRTHOSTS="alice moon carol winnetou" # Corresponding block diagram # DIAGRAM="a-m-c-w.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol" - diff --git a/testing/tests/ikev1/alg-sha512/description.txt b/testing/tests/ikev1/alg-sha512/description.txt index adfc548b8..bf79a3bff 100644 --- a/testing/tests/ikev1/alg-sha512/description.txt +++ b/testing/tests/ikev1/alg-sha512/description.txt @@ -1,4 +1,4 @@ -Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the cipher suite -<b>AES_CBC_256 / HMAC_SHA2_512 / MODP_4096</b> for the IKE protocol and -<b>AES_CBC_256 / HMAC_SHA2_512</b> for ESP packets. A ping from <b>carol</b> to -<b>alice</b> successfully checks the established tunnel. +Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite +<b>AES_CBC_256 / HMAC_SHA2_512_256</b> by defining <b>esp=aes256-sha512-modp4096!</b> +in ipsec.conf. The same cipher suite is used for IKE. +A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel. diff --git a/testing/tests/ikev1/alg-sha512/evaltest.dat b/testing/tests/ikev1/alg-sha512/evaltest.dat index 7e928d30b..6bdceeb44 100644 --- a/testing/tests/ikev1/alg-sha512/evaltest.dat +++ b/testing/tests/ikev1/alg-sha512/evaltest.dat @@ -1,12 +1,13 @@ -carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES -moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES -carol::ipsec statusall::IKE proposal: AES_CBC_256/HMAC_SHA2_512/MODP_4096::YES -moon::ipsec statusall::IKE proposal: AES_CBC_256/HMAC_SHA2_512/MODP_4096::YES -carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES -carol::ipsec statusall::ESP proposal: AES_CBC_256/HMAC_SHA2_512::YES -moon::ipsec statusall::ESP proposal: AES_CBC_256/HMAC_SHA2_512::YES -carol::ip xfrm state::auth hmac(sha512)::YES -moon::ip xfrm state::auth hmac(sha512)::YES +moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_4096::YES +carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_4096::YES +carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES +moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_256/HMAC_SHA2_512_256,::YES +carol::ipsec statusall 2> /dev/null::home.*AES_CBC_256/HMAC_SHA2_512_256,::YES +moon:: ip xfrm state::auth-trunc hmac(sha512)::YES +carol::ip xfrm state::auth-trunc hmac(sha512)::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 216::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 216::YES - diff --git a/testing/tests/ikev1/alg-sha512/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/alg-sha512/hosts/carol/etc/ipsec.conf index 329de395c..79272111c 100755..100644 --- a/testing/tests/ikev1/alg-sha512/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/alg-sha512/hosts/carol/etc/ipsec.conf @@ -1,10 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug="control crypt" - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no conn %default ikelifetime=60m @@ -13,13 +9,14 @@ conn %default keyingtries=1 keyexchange=ikev1 ike=aes256-sha512-modp4096! - esp=aes256-sha512! + esp=aes256-sha512-modp4096! conn home left=PH_IP_CAROL + leftfirewall=yes leftcert=carolCert.pem leftid=carol@strongswan.org right=PH_IP_MOON rightsubnet=10.1.0.0/16 rightid=@moon.strongswan.org - auto=add + auto=add diff --git a/testing/tests/ikev1/alg-sha512/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/alg-sha512/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..dc937641c --- /dev/null +++ b/testing/tests/ikev1/alg-sha512/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ikev1/alg-sha512/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/alg-sha512/hosts/moon/etc/ipsec.conf index 8da459a8a..bdfcb4e4d 100755..100644 --- a/testing/tests/ikev1/alg-sha512/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/alg-sha512/hosts/moon/etc/ipsec.conf @@ -1,10 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug="control crypt" - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no conn %default ikelifetime=60m @@ -13,13 +9,13 @@ conn %default keyingtries=1 keyexchange=ikev1 ike=aes256-sha512-modp4096! - esp=aes256-sha512! + esp=aes256-sha512-modp4096! conn rw left=PH_IP_MOON + leftfirewall=yes leftcert=moonCert.pem leftid=@moon.strongswan.org leftsubnet=10.1.0.0/16 right=%any - rightid=carol@strongswan.org auto=add diff --git a/testing/tests/ikev1/alg-sha512/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/alg-sha512/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..dc937641c --- /dev/null +++ b/testing/tests/ikev1/alg-sha512/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ikev1/alg-sha512/posttest.dat b/testing/tests/ikev1/alg-sha512/posttest.dat index c6d6235f9..046d4cfdc 100644 --- a/testing/tests/ikev1/alg-sha512/posttest.dat +++ b/testing/tests/ikev1/alg-sha512/posttest.dat @@ -1,2 +1,4 @@ moon::ipsec stop carol::ipsec stop +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev1/alg-sha512/pretest.dat b/testing/tests/ikev1/alg-sha512/pretest.dat index 7d077c126..4fc25772b 100644 --- a/testing/tests/ikev1/alg-sha512/pretest.dat +++ b/testing/tests/ikev1/alg-sha512/pretest.dat @@ -1,5 +1,6 @@ -moon::echo 1 > /proc/sys/net/ipv4/ip_forward -carol::ipsec start +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules moon::ipsec start -carol::sleep 2 +carol::ipsec start +carol::sleep 1 carol::ipsec up home diff --git a/testing/tests/ikev1/alg-sha512/test.conf b/testing/tests/ikev1/alg-sha512/test.conf index 6abbb89a9..4a5fc470f 100644 --- a/testing/tests/ikev1/alg-sha512/test.conf +++ b/testing/tests/ikev1/alg-sha512/test.conf @@ -1,22 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon carol winnetou" +VIRTHOSTS="alice moon carol winnetou" # Corresponding block diagram # DIAGRAM="a-m-c-w.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol" - diff --git a/testing/tests/ikev1/attr-cert/description.txt b/testing/tests/ikev1/attr-cert/description.txt deleted file mode 100644 index b7f809c36..000000000 --- a/testing/tests/ikev1/attr-cert/description.txt +++ /dev/null @@ -1,7 +0,0 @@ -The VPN gateway <b>moon</b> controls the access to the hosts <b>alice</b> and -<b>venus</b> by means of <b>X.509 Attribute Certificates</b>. Access to <b>alice</b> -is granted to members of the group 'Research' whereas <b>venus</b> can only -be reached by members of the groups 'Accounting' and 'Sales'. The roadwarriors -<b>carol</b> and <b>dave</b> belong to the groups 'Research' and 'Accounting', -respectively. Therefore <b>carol</b> can access <b>alice</b> and <b>dave</b> -can reach <b>venus</b>.
\ No newline at end of file diff --git a/testing/tests/ikev1/attr-cert/evaltest.dat b/testing/tests/ikev1/attr-cert/evaltest.dat deleted file mode 100644 index c6c3c66c3..000000000 --- a/testing/tests/ikev1/attr-cert/evaltest.dat +++ /dev/null @@ -1,12 +0,0 @@ -carol::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::YES -moon::cat /var/log/auth.log::alice.*peer with attributes .*Research.* is a member of the groups .*Research::YES -moon::ipsec status::alice.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::YES -carol::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::NO -moon::cat /var/log/auth.log::venus.*peer with attributes .*Research.* is not a member of the groups .*Accounting::YES -moon::ipsec status::venus.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::NO -dave::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::YES -moon::cat /var/log/auth.log::venus.*peer with attributes .*Accounting.* is a member of the groups .*Accounting::YES -moon::ipsec status::venus.*PH_IP_DAVE.*STATE_QUICK_R2.*IPsec SA established::YES -dave::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::NO -moon::cat /var/log/auth.log::alice.*peer with attributes .*Accounting.* is not a member of the groups .*Research::YES -moon::ipsec status::alice.*PH_IP_DAVE.*STATE_QUICK_R2.*IPsec SA established::NO diff --git a/testing/tests/ikev1/attr-cert/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/attr-cert/hosts/carol/etc/ipsec.conf deleted file mode 100755 index a84b3a6b2..000000000 --- a/testing/tests/ikev1/attr-cert/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,32 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - left=PH_IP_CAROL - leftcert=carolCert.pem - leftid=carol@strongswan.org - right=PH_IP_MOON - rightid=@moon.strongswan.org - -conn alice - rightsubnet=PH_IP_ALICE/32 - auto=add - -conn venus - rightsubnet=PH_IP_VENUS/32 - auto=add - - - - - diff --git a/testing/tests/ikev1/attr-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/attr-cert/hosts/moon/etc/ipsec.conf deleted file mode 100755 index 11cf4d5d1..000000000 --- a/testing/tests/ikev1/attr-cert/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,30 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - -conn alice - leftsubnet=PH_IP_ALICE/32 - right=%any - rightgroups=Research - auto=add - -conn venus - leftsubnet=PH_IP_VENUS/32 - right=%any - rightgroups="Accounting, Sales" - auto=add - diff --git a/testing/tests/ikev1/attr-cert/hosts/moon/etc/ipsec.d/aacerts/aaCert.pem b/testing/tests/ikev1/attr-cert/hosts/moon/etc/ipsec.d/aacerts/aaCert.pem deleted file mode 100644 index 61d1c34e2..000000000 --- a/testing/tests/ikev1/attr-cert/hosts/moon/etc/ipsec.d/aacerts/aaCert.pem +++ /dev/null @@ -1,25 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEKjCCAxKgAwIBAgIBHzANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ -MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS -b290IENBMB4XDTEwMDIyNzIxMDUzMFoXDTE1MDIyNjIxMDUzMFowZjELMAkGA1UE -BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xIDAeBgNVBAsTF0F1dGhv -cml6YXRpb24gQXV0aG9yaXR5MRowGAYDVQQDFBFhYUBzdHJvbmdzd2FuLm9yZzCC -ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKw0NWg8FpkrWoItNzexEiaS -dESF+blw2+2y51vVmbDk9edfJcjkzBNIEvY/0GXODmcthjExiTNgmNuCdQwapCHx -p39HaD902rzmvflI40dZTmlFcn0Pp41wNbvjVaOpn7f6Mov68YmsoLQr47+OU6sn -d3c8rx+BXO4g6YyRB0xpwB2kfO34FZh7FwOe4sVAJu5E7urK0hij2W1+adZNFg7K -SP2i7llfooxWpS+6Vi6ZjuJ/dcGyvXpXnr0H2x58sZeaB5n8Ay+mhPDX72xXfwEm -s7fztkhqmmix2TVEH96dR99ouCENF1Cm8OCbR1kkhWReL6P0tCbirbwFbZxKtOUC -AwEAAaOCAQIwgf8wCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFEvO -LmT1B7kU0IJsJtK+0nZMwxXgMG0GA1UdIwRmMGSAFF2n3XAGUTJ+57Zts7Xl4GDq -Lk3voUmkRzBFMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dh -bjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBSb290IENBggEAMBwGA1UdEQQVMBOBEWFh -QHN0cm9uZ3N3YW4ub3JnMDkGA1UdHwQyMDAwLqAsoCqGKGh0dHA6Ly9jcmwuc3Ry -b25nc3dhbi5vcmcvc3Ryb25nc3dhbi5jcmwwDQYJKoZIhvcNAQELBQADggEBAI2K -atqWeSWcxmcylrBJXkXDOsZtFZAE/kGWD5+T/lDFzE5D0GeDWfHehojtooWGpnL3 -u7xo3h3+qVliYcCFy1zKtPE0lwkBWKFPSw4UNfOmaF4De6Tp1V6FSQE9JPNpcTL/ -aPWFkX69Py8elR8OIsXPlFtOfTbtjZxoGuLNn7BX1XjctG5iIhKs/3TVMdzcyjVL -wKiDE1xq8/Es2pPTgvF8jk7VcNyIGhrlj1IYq35h0RKTSXTCRlczf+lzoPo6Duov -G0r/8VLpI4bBmKN4cIvaRCa4zew8SWpJzg/06zm2QT8eEJVVB499usVf9OVS3Qa5 -8mcNXcKmqcyP2Tlnvbo= ------END CERTIFICATE----- diff --git a/testing/tests/ikev1/attr-cert/hosts/moon/etc/openac/aaKey.pem b/testing/tests/ikev1/attr-cert/hosts/moon/etc/openac/aaKey.pem deleted file mode 100644 index 250441ad0..000000000 --- a/testing/tests/ikev1/attr-cert/hosts/moon/etc/openac/aaKey.pem +++ /dev/null @@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEowIBAAKCAQEArDQ1aDwWmStagi03N7ESJpJ0RIX5uXDb7bLnW9WZsOT1518l -yOTME0gS9j/QZc4OZy2GMTGJM2CY24J1DBqkIfGnf0doP3TavOa9+UjjR1lOaUVy -fQ+njXA1u+NVo6mft/oyi/rxiaygtCvjv45Tqyd3dzyvH4Fc7iDpjJEHTGnAHaR8 -7fgVmHsXA57ixUAm7kTu6srSGKPZbX5p1k0WDspI/aLuWV+ijFalL7pWLpmO4n91 -wbK9eleevQfbHnyxl5oHmfwDL6aE8NfvbFd/ASazt/O2SGqaaLHZNUQf3p1H32i4 -IQ0XUKbw4JtHWSSFZF4vo/S0JuKtvAVtnEq05QIDAQABAoIBAQCbfhUPhtp8+imi -zANFFW2nSK0VxsgEi4T7MIU6Zjh+A3CLuF2c9gPUEUuV8W9SzeoxfmjieLFDpCDC -bR0VjeTRBazR//+A9RoiYlP+CbO4FEr6QYwsovsPetf6TT9iJeMjtBb6UODTCP6f -UdY3fOPN8zgrga87yorINw3MMJSfiI21zSzCkueOQloktBgih5Wueu8FDFUB2fVa -uLTUa+wOhXUBPyF5OXLox5TxE6gBPkiUsnNXP8X/kHLPk2iBQmdxz+uwG/Pz6pS2 -JsmX2WzFJ0+Rj4cJpoa4Ev5uAx79kcXnQT3d5/HIwuh7ZEMKorb1m8w8lhAW4ARU -ddjhLkWhAoGBAOCpDGfLwQHWVejOcjEwfWts0hHLdlNfZEgsLSex2k/U6Mk1TjCo -tAHQOvmqxZDxypJEem3RPaWZh+gttTpHvGkS9fsvTpyARcDp0FXI40hwARPsnMbI -0fDmpVfOOLZdQKMDg42TrZC/mipU68gFP/rYC7xalJs0pe0LL3ffsSC5AoGBAMQ5 -3V6nuucpL87I0fKg56z0/3lcRxI46KuIXhHSAjxNb76cQuxiK8s5TPCot3Unq6GQ -R7Y+dYd1FVEh2i3Q7/Yh/BSeYiDcDf5aELCwY32O/OnSSoNTbgGR5FT+/SHJK5bg -j/O5S7+dajqtC2JZJl8smOeB5c187bc4FU72+6eNAoGAZUiRSTI434Ur0ftQzBBa -WtYClvctb0TwRwFzkhPCon8QO7YGfDVygebIz8pHq6L2ep7Yuy28Jy5icTA6Jf41 -WQGtWALp4/CIggJnZGVe4kdslPj1bUEYNQ0mucFFHCJKg7OP2YIcm8dlz3PdoJ2N -TJ+eGtqTaK2BqK6ERfzZNDECgYBbVTOcYyWzgpAmB4LxE8PB1Sc0LadG7AYgERD3 -6m/v8XsZlVHxBKCtrrYJLf52IUjZonY+dUPvEKgjY0ZSHPYT8i2Ky02RTduVkAZE -t1UXk/5UNvVHuwVw5Z8JkMXxe9k2GL/oCU8gmPxg4zpxRF1/3xosZ2G3C3b52LjS -UFNB4QKBgDX2UmLgRHAXDsmksNZaMUSNk+xws0B1M/EDd9h7e79ilENkOPDLo5+E -z22WPNrgzKEUz44FZZOsislfPE7ffgQcRTxtNWqoElwxuHLuy46jaReL7zJSDtpv -wtn4YoOpH0DnC994nziTQif33FBF/2o8hWoq4vcXKNSMGTwGzi/a ------END RSA PRIVATE KEY----- diff --git a/testing/tests/ikev1/attr-cert/hosts/moon/etc/openac/carolCert.pem b/testing/tests/ikev1/attr-cert/hosts/moon/etc/openac/carolCert.pem deleted file mode 100644 index 6c41df9c7..000000000 --- a/testing/tests/ikev1/attr-cert/hosts/moon/etc/openac/carolCert.pem +++ /dev/null @@ -1,25 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEIjCCAwqgAwIBAgIBHTANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ -MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS -b290IENBMB4XDTA5MDgyNzEwNDQ1MVoXDTE0MDgyNjEwNDQ1MVowWjELMAkGA1UE -BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh -cmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcN -AQEBBQADggEPADCCAQoCggEBANBdWU+BF7x4lyo+xHnr4UAOU89yQQuT5vdPoXzx -6kRPsjYAuuktgXR+SaLkQHw/YRgDPSKj5nzmmlOQf/rWRr+8O2q+C92aUICmkNvZ -Gamo5w2WlOMZ6T5dk2Hv+QM6xT/GzWyVr1dMYu/7tywD1Bw7aW/HqkRESDu6q95V -Wu+Lzg6XlxCNEez0YsZrN/fC6BL2qzKAqMBbIHFW8OOnh+nEY4IF5AzkZnFrw12G -I72Z882pw97lyKwZhSz/GMQFBJx+rnNdw5P1IJwTlG5PUdoDCte/Mcr1iiA+zOov -x55x1GoGxduoXWU5egrf1MtalRf9Pc8Xr4q3WEKTAmsZrVECAwEAAaOCAQYwggEC -MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBQfoamI2WSMtaCiVGQ5 -tPI9dF1ufDBtBgNVHSMEZjBkgBRdp91wBlEyfue2bbO15eBg6i5N76FJpEcwRTEL -MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT -EnN0cm9uZ1N3YW4gUm9vdCBDQYIBADAfBgNVHREEGDAWgRRjYXJvbEBzdHJvbmdz -d2FuLm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4u -b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQC8pqX3KrSzKeul -GdzydAV4hGwYB3WiB02oJ2nh5MJBu7J0Kn4IVkvLUHSSZhSRxx55tQZfdYqtXVS7 -ZuyG+6rV7sb595SIRwfkLAdjbvv0yZIl4xx8j50K3yMR+9aXW1NSGPEkb8BjBUMr -F2kjGTOqomo8OIzyI369z9kJrtEhnS37nHcdpewZC1wHcWfJ6wd9wxmz2dVXmgVQ -L2BjXd/BcpLFaIC4h7jMXQ5FURjnU7K9xSa4T8PpR6FrQhOcIYBXAp94GiM8JqmK -ZBGUpeP+3cy4i3DV18Kyr64Q4XZlzhZClNE43sgMqiX88dc3znpDzT7T51j+d+9k -Rf5Z0GOR ------END CERTIFICATE----- diff --git a/testing/tests/ikev1/attr-cert/hosts/moon/etc/openac/daveCert.pem b/testing/tests/ikev1/attr-cert/hosts/moon/etc/openac/daveCert.pem deleted file mode 100644 index f212e19cf..000000000 --- a/testing/tests/ikev1/attr-cert/hosts/moon/etc/openac/daveCert.pem +++ /dev/null @@ -1,25 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEIjCCAwqgAwIBAgIBHDANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ -MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS -b290IENBMB4XDTA5MDgyNzEwMzczOVoXDTE0MDgyNjEwMzczOVowWzELMAkGA1UE -BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xEzARBgNVBAsTCkFjY291 -bnRpbmcxHDAaBgNVBAMUE2RhdmVAc3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3 -DQEBAQUAA4IBDwAwggEKAoIBAQDAB/JTbwVY5oNF0+8Behdbc0NOeX+bl0SOcgpZ -ha6nbMBQO41jtOI5r5Xbg9sK9l+DYOnZQZEsEhIVZDoK8yGI/FIEE+gWRf+OLmI8 -k2K+G1dklTC/VP2tZWMQYQWs6UnX3iiVpHccI3CQqqJWe9fZsIsq0J9j9hu6h9dG -IEbon6RXDLPI5DIiIKc3r0jDHNDsIUDzcjuUdCxKFCMuHUCfa1PBiqpj5pP6XT0G -gI6UjbgnNWPTPb2axE7P1x5gQmVwiFiYs+VTh2fq9O9xNxnn/YmzLk4/YNly7xYX -Q31NuhSvRpH7jsJ1p4VSuunYqvccPUKsp5PvCtCeGvNT2qt1AgMBAAGjggEFMIIB -ATAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQU7n842u6huBpBd394 -8mdL6EOdjg4wbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUx -CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQD -ExJzdHJvbmdTd2FuIFJvb3QgQ0GCAQAwHgYDVR0RBBcwFYETZGF2ZUBzdHJvbmdz -d2FuLm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4u -b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQAyAbxrpMtTARw3 -jvBwuapaHXnTppz+TkWyfXVpgTwtPlf3rbhPk4DjhT2ygyMTI1azoqProf2aBbDr -DldCSQPsZAcuzOdruKKMo2CQwgLuBFXL+JUX0hiIpFS1ZZHA2aDKyUw4OyADOvDU -8r1/WiwRb91TdYP9nEu9qP30k0vkUg8DCbCmPI1/MVaxVzh9LRAFyOHrnKSCXG7o -StmVFm2Yf3pE4HS1W6DtommyPs7aUD5XAaQdr3DYKI/TazoU6t5g2aEqigu+pj2M -qk5idJkx5VCFvUU1hlChyX6NNNjJNnV6u5YiuatcdYQhpCTBsxnBoM+w0BvNOCl+ -1PdgEy1K ------END CERTIFICATE----- diff --git a/testing/tests/ikev1/attr-cert/hosts/moon/etc/openac/default.conf b/testing/tests/ikev1/attr-cert/hosts/moon/etc/openac/default.conf deleted file mode 100644 index 134218eec..000000000 --- a/testing/tests/ikev1/attr-cert/hosts/moon/etc/openac/default.conf +++ /dev/null @@ -1,4 +0,0 @@ ---cert /etc/ipsec.d/aacerts/aaCert.pem ---key /etc/openac/aaKey.pem ---quiet ---hours 8 diff --git a/testing/tests/ikev1/attr-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/attr-cert/hosts/moon/etc/strongswan.conf deleted file mode 100644 index 1a47aeb7d..000000000 --- a/testing/tests/ikev1/attr-cert/hosts/moon/etc/strongswan.conf +++ /dev/null @@ -1,13 +0,0 @@ -pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink -} - -openac { - load = sha1 sha2 md5 pem pkcs1 x509 gmp random x509 -} - -# pluto uses optimized DH exponent sizes (RFC 3526) - -libstrongswan { - dh_exponent_ansi_x9_42 = no -} diff --git a/testing/tests/ikev1/attr-cert/posttest.dat b/testing/tests/ikev1/attr-cert/posttest.dat deleted file mode 100644 index a59c3ff63..000000000 --- a/testing/tests/ikev1/attr-cert/posttest.dat +++ /dev/null @@ -1,6 +0,0 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop -moon::rm /etc/openac/* -moon::rm /etc/ipsec.d/aacerts/aaCert.pem -moon::rm /etc/ipsec.d/acerts/* diff --git a/testing/tests/ikev1/attr-cert/pretest.dat b/testing/tests/ikev1/attr-cert/pretest.dat deleted file mode 100644 index 3c7fb5dc6..000000000 --- a/testing/tests/ikev1/attr-cert/pretest.dat +++ /dev/null @@ -1,12 +0,0 @@ -moon::echo 1 > /proc/sys/net/ipv4/ip_forward -moon::cat /etc/openac/default.conf -moon::ipsec openac --optionsfrom default.conf --usercert /etc/openac/carolCert.pem --groups Research --out /etc/ipsec.d/acerts/carolAC.pem 2> /dev/null -moon::ipsec openac --optionsfrom default.conf --usercert /etc/openac/daveCert.pem --groups Accounting --out /etc/ipsec.d/acerts/daveAC.pem 2> /dev/null -carol::ipsec start -dave::ipsec start -moon::ipsec start -carol::sleep 2 -carol::ipsec up alice -carol::ipsec up venus -dave::ipsec up venus -dave::ipsec up alice diff --git a/testing/tests/ikev1/attr-cert/test.conf b/testing/tests/ikev1/attr-cert/test.conf deleted file mode 100644 index 08e5cc145..000000000 --- a/testing/tests/ikev1/attr-cert/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# UML instances used for this test - -# All UML instances that are required for this test -# -UMLHOSTS="alice venus moon carol winnetou dave" - -# Corresponding block diagram -# -DIAGRAM="a-v-m-c-w-d.png" - -# UML instances on which tcpdump is to be started -# -TCPDUMPHOSTS="" - -# UML instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev1/compress/evaltest.dat b/testing/tests/ikev1/compress/evaltest.dat index ff72e1762..2ec840c68 100644 --- a/testing/tests/ikev1/compress/evaltest.dat +++ b/testing/tests/ikev1/compress/evaltest.dat @@ -1,10 +1,9 @@ -carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES -moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES -moon::ipsec statusall::policy.*COMPRESS::YES -carol::ipsec statusall::policy.*COMPRESS::YES -moon::ipsec statusall::comp.::YES -carol::ipsec statusall::comp.::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL.*IPCOMP::YES +moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL.*IPCOMP::YES +moon:: ip xfrm state::proto comp spi::YES +carol::ip xfrm state::proto comp spi::YES carol::ping -n -c 2 -s 8184 -p deadbeef PH_IP_ALICE::8192 bytes from PH_IP_ALICE::YES moon::tcpdump::carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::moon.strongswan.org > carol.strongswan.org: ESP::YES - diff --git a/testing/tests/ikev1/compress/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/compress/hosts/carol/etc/ipsec.conf index f5050fef1..291b8cc93 100755..100644 --- a/testing/tests/ikev1/compress/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/compress/hosts/carol/etc/ipsec.conf @@ -1,10 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug="control crypt" - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev1/compress/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/compress/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..85d8c191f --- /dev/null +++ b/testing/tests/ikev1/compress/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default +} diff --git a/testing/tests/ikev1/compress/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/compress/hosts/moon/etc/ipsec.conf index aaf13f5fc..28cf2d1c0 100755..100644 --- a/testing/tests/ikev1/compress/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/compress/hosts/moon/etc/ipsec.conf @@ -1,10 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug="control crypt" - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev1/compress/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/compress/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..85d8c191f --- /dev/null +++ b/testing/tests/ikev1/compress/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default +} diff --git a/testing/tests/ikev1/compress/pretest.dat b/testing/tests/ikev1/compress/pretest.dat index 7d077c126..f5aa989fe 100644 --- a/testing/tests/ikev1/compress/pretest.dat +++ b/testing/tests/ikev1/compress/pretest.dat @@ -1,4 +1,3 @@ -moon::echo 1 > /proc/sys/net/ipv4/ip_forward carol::ipsec start moon::ipsec start carol::sleep 2 diff --git a/testing/tests/ikev1/compress/test.conf b/testing/tests/ikev1/compress/test.conf index 6abbb89a9..d7b71426c 100644 --- a/testing/tests/ikev1/compress/test.conf +++ b/testing/tests/ikev1/compress/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon carol winnetou" +VIRTHOSTS="alice moon carol winnetou" # Corresponding block diagram # DIAGRAM="a-m-c-w.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev1/mode-config/description.txt b/testing/tests/ikev1/config-payload/description.txt index 3e67f83f1..ff6928e89 100644 --- a/testing/tests/ikev1/mode-config/description.txt +++ b/testing/tests/ikev1/config-payload/description.txt @@ -1,6 +1,6 @@ The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>. Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKE Mode Config protocol -by using the <b>leftsourceip=%modeconfig</b> parameter. <b>leftfirewall=yes</b> automatically +by using the <b>leftsourceip=%config</b> parameter. <b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass the tunneled traffic. In order to test the tunnels, <b>carol</b> and <b>dave</b> then ping the client <b>alice</b> behind the gateway <b>moon</b>. The source IP addresses of the two pings will be the virtual IPs <b>carol1</b> diff --git a/testing/tests/ikev1/config-payload/evaltest.dat b/testing/tests/ikev1/config-payload/evaltest.dat new file mode 100644 index 000000000..b46dfddf6 --- /dev/null +++ b/testing/tests/ikev1/config-payload/evaltest.dat @@ -0,0 +1,26 @@ +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES +carol::ip addr list dev eth0::PH_IP_CAROL1::YES +carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES +carol::cat /etc/resolv.conf::nameserver PH_IP_WINNETOU .*from moon.strongswan.org::YES +carol::cat /etc/resolv.conf::nameserver PH_IP_VENUS .*from moon.strongswan.org::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES +dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES +dave:: ip addr list dev eth0::PH_IP_DAVE1::YES +dave:: ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES +dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +moon:: ipsec status 2> /dev/null::rw-carol.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw-dave.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw-carol.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw-dave.*INSTALLED, TUNNEL::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES +alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES +alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES +alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES +alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES diff --git a/testing/tests/ikev1/crl-to-cache/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/config-payload/hosts/carol/etc/ipsec.conf index 3fbad9070..5a77f8707 100755..100644 --- a/testing/tests/ikev1/crl-to-cache/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/config-payload/hosts/carol/etc/ipsec.conf @@ -1,10 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug=control - crlcheckinterval=180 - cachecrls=yes - charonstart=no conn %default ikelifetime=60m @@ -12,11 +8,13 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev1 + +conn home left=PH_IP_CAROL + leftsourceip=%config leftcert=carolCert.pem leftid=carol@strongswan.org - -conn home + leftfirewall=yes right=PH_IP_MOON rightsubnet=10.1.0.0/16 rightid=@moon.strongswan.org diff --git a/testing/tests/ikev1/config-payload/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/config-payload/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..0e4e57729 --- /dev/null +++ b/testing/tests/ikev1/config-payload/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown resolve +} diff --git a/testing/tests/ikev1/ip-pool-db-push/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/config-payload/hosts/dave/etc/ipsec.conf index e1c864e58..6ea2d2bb1 100755..100644 --- a/testing/tests/ikev1/ip-pool-db-push/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev1/config-payload/hosts/dave/etc/ipsec.conf @@ -1,10 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - plutodebug=control conn %default ikelifetime=60m @@ -12,7 +8,6 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev1 - modeconfig=push conn home left=PH_IP_DAVE diff --git a/testing/tests/ikev1/config-payload/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/config-payload/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..0e4e57729 --- /dev/null +++ b/testing/tests/ikev1/config-payload/hosts/dave/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown resolve +} diff --git a/testing/tests/ikev1/mode-config/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/config-payload/hosts/moon/etc/ipsec.conf index 37278081e..819a25437 100755..100644 --- a/testing/tests/ikev1/mode-config/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/config-payload/hosts/moon/etc/ipsec.conf @@ -1,10 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no conn %default ikelifetime=60m @@ -12,10 +8,8 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev1 - rekey=no left=PH_IP_MOON leftsubnet=10.1.0.0/16 - leftsourceip=PH_IP_MOON1 leftcert=moonCert.pem leftid=@moon.strongswan.org leftfirewall=yes diff --git a/testing/tests/ikev1/config-payload/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/config-payload/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..002166a54 --- /dev/null +++ b/testing/tests/ikev1/config-payload/hosts/moon/etc/strongswan.conf @@ -0,0 +1,8 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown attr + + dns1 = PH_IP_WINNETOU + dns2 = PH_IP_VENUS +} diff --git a/testing/tests/ikev1/config-payload/posttest.dat b/testing/tests/ikev1/config-payload/posttest.dat new file mode 100644 index 000000000..1865a1c60 --- /dev/null +++ b/testing/tests/ikev1/config-payload/posttest.dat @@ -0,0 +1,6 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev1/config-payload/pretest.dat b/testing/tests/ikev1/config-payload/pretest.dat new file mode 100644 index 000000000..3864bdac3 --- /dev/null +++ b/testing/tests/ikev1/config-payload/pretest.dat @@ -0,0 +1,10 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules +carol::ipsec start +dave::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home +dave::ipsec up home +carol::sleep 1 diff --git a/testing/tests/ikev1/config-payload/test.conf b/testing/tests/ikev1/config-payload/test.conf new file mode 100644 index 000000000..164b07ff9 --- /dev/null +++ b/testing/tests/ikev1/config-payload/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon alice" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev1/crl-from-cache/description.txt b/testing/tests/ikev1/crl-from-cache/description.txt deleted file mode 100644 index 17866f572..000000000 --- a/testing/tests/ikev1/crl-from-cache/description.txt +++ /dev/null @@ -1,5 +0,0 @@ -By setting <b>strictcrlpolicy=yes</b> a <b>strict CRL policy</b> is enforced on -both roadwarrior <b>carol</b> and gateway <b>moon</b>. When <b>carol</b> initiates -an IPsec connection to <b>moon</b>, both VPN endpoints find a cached CRL in -their <b>/etc/ipsec.d/crls/</b> directories which allows them to immediately verify -the certificate received from their peer. diff --git a/testing/tests/ikev1/crl-from-cache/evaltest.dat b/testing/tests/ikev1/crl-from-cache/evaltest.dat deleted file mode 100644 index bdceddb79..000000000 --- a/testing/tests/ikev1/crl-from-cache/evaltest.dat +++ /dev/null @@ -1,10 +0,0 @@ -moon::cat /var/log/auth.log::loaded crl from::YES -carol::cat /var/log/auth.log::loaded crl from::YES -moon::cat /var/log/auth.log::X.509 certificate rejected::NO -carol::cat /var/log/auth.log::X.509 certificate rejected::NO -moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES -carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES -moon::cat /var/log/auth.log::written crl file::NO -carol::cat /var/log/auth.log::written crl file::NO -moon::ipsec listcrls:: ok::YES -carol::ipsec listcrls:: ok::YES diff --git a/testing/tests/ikev1/crl-from-cache/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/crl-from-cache/hosts/carol/etc/ipsec.conf deleted file mode 100755 index bb1879b1d..000000000 --- a/testing/tests/ikev1/crl-from-cache/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,24 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=yes - cachecrls=yes - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - left=PH_IP_CAROL - leftcert=carolCert.pem - leftid=carol@strongswan.org - -conn home - right=PH_IP_MOON - rightsubnet=10.1.0.0/16 - rightid=@moon.strongswan.org - auto=add diff --git a/testing/tests/ikev1/crl-from-cache/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/crl-from-cache/hosts/moon/etc/ipsec.conf deleted file mode 100755 index ec0bc2e88..000000000 --- a/testing/tests/ikev1/crl-from-cache/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,35 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=yes - cachecrls=yes - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - -conn net-net - leftsubnet=10.1.0.0/16 - right=PH_IP_SUN - rightsubnet=10.2.0.0/16 - rightid=@sun.strongswan.org - auto=add - -conn host-host - right=PH_IP_SUN - rightid=@sun.strongswan.org - auto=add - -conn rw - leftsubnet=10.1.0.0/16 - right=%any - auto=add diff --git a/testing/tests/ikev1/crl-from-cache/posttest.dat b/testing/tests/ikev1/crl-from-cache/posttest.dat deleted file mode 100644 index be17847c1..000000000 --- a/testing/tests/ikev1/crl-from-cache/posttest.dat +++ /dev/null @@ -1,4 +0,0 @@ -moon::ipsec stop -carol::ipsec stop -moon::rm /etc/ipsec.d/crls/* -carol::rm /etc/ipsec.d/crls/* diff --git a/testing/tests/ikev1/crl-from-cache/pretest.dat b/testing/tests/ikev1/crl-from-cache/pretest.dat deleted file mode 100644 index acdb265ed..000000000 --- a/testing/tests/ikev1/crl-from-cache/pretest.dat +++ /dev/null @@ -1,8 +0,0 @@ -moon::wget -q http://crl.strongswan.org/strongswan.crl -moon::mv strongswan.crl /etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl -carol::wget -q http://crl.strongswan.org/strongswan.crl -carol::mv strongswan.crl /etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl -moon::ipsec start -carol::ipsec start -carol::sleep 2 -carol::ipsec up home diff --git a/testing/tests/ikev1/crl-from-cache/test.conf b/testing/tests/ikev1/crl-from-cache/test.conf deleted file mode 100644 index 2b240d895..000000000 --- a/testing/tests/ikev1/crl-from-cache/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# UML instances used for this test - -# All UML instances that are required for this test -# -UMLHOSTS="moon carol winnetou" - -# Corresponding block diagram -# -DIAGRAM="m-c-w.png" - -# UML instances on which tcpdump is to be started -# -TCPDUMPHOSTS="" - -# UML instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev1/crl-ldap/description.txt b/testing/tests/ikev1/crl-ldap/description.txt deleted file mode 100644 index 02dc0cbbe..000000000 --- a/testing/tests/ikev1/crl-ldap/description.txt +++ /dev/null @@ -1,9 +0,0 @@ -By setting <b>strictcrlpolicy=yes</b> a <b>strict CRL policy</b> is enforced on -both roadwarrior <b>carol</b> and gateway <b>moon</b>. Thus when <b>carol</b> initiates -the connection and only an expired CRL cache file in <b>/etc/ipsec.d/crls</b> is -available, the Main Mode negotiation fails. A http fetch for an updated CRL fails -because the web server is currently not reachable. Thus the second Main Mode negotiation -fails, too. Finally an ldap fetch to get the CRL from the LDAP server <b>winnetou</b> -is triggered. When the third Main Mode trial comes around, the fetched CRL has become -available and the IKE negotiation completes. The new CRL is again cached locally as a -file in <b>/etc/ipsec.d/crls</b> due to the <b>cachecrls=yes</b> option. diff --git a/testing/tests/ikev1/crl-ldap/evaltest.dat b/testing/tests/ikev1/crl-ldap/evaltest.dat deleted file mode 100644 index 80a84e1ef..000000000 --- a/testing/tests/ikev1/crl-ldap/evaltest.dat +++ /dev/null @@ -1,16 +0,0 @@ -moon::cat /var/log/auth.log::loaded crl from::YES -carol::cat /var/log/auth.log::loaded crl from::YES -moon::cat /var/log/auth.log::crl is stale::YES -carol::cat /var/log/auth.log::crl is stale::YES -moon::cat /var/log/auth.log::X.509 certificate rejected::YES -carol::cat /var/log/auth.log::X.509 certificate rejected::YES -moon::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES -carol::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES -moon::cat /var/log/auth.log::fetching crl from .*ldap://ldap.strongswan.org::YES -carol::cat /var/log/auth.log::fetching crl from .*ldap://ldap.strongswan.org::YES -moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES -carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES -moon::cat /var/log/auth.log::written crl file::YES -carol::cat /var/log/auth.log::written crl file::YES -moon::ipsec listcrls:: ok::YES -carol::ipsec listcrls:: ok::YES diff --git a/testing/tests/ikev1/crl-ldap/hosts/carol/etc/init.d/iptables b/testing/tests/ikev1/crl-ldap/hosts/carol/etc/init.d/iptables deleted file mode 100755 index 571459bae..000000000 --- a/testing/tests/ikev1/crl-ldap/hosts/carol/etc/init.d/iptables +++ /dev/null @@ -1,73 +0,0 @@ -#!/sbin/runscript -# Copyright 1999-2004 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 - -opts="start stop reload" - -depend() { - before net - need logger -} - -start() { - ebegin "Starting firewall" - - # default policy is DROP - /sbin/iptables -P INPUT DROP - /sbin/iptables -P OUTPUT DROP - /sbin/iptables -P FORWARD DROP - - # allow esp - iptables -A INPUT -i eth0 -p 50 -j ACCEPT - iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT - - # allow IKE - iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT - - # allow ldap crl fetch from winnetou - iptables -A INPUT -i eth0 -p tcp --sport 389 -s PH_IP_WINNETOU -j ACCEPT - iptables -A OUTPUT -o eth0 -p tcp --dport 389 -d PH_IP_WINNETOU -j ACCEPT - - # allow ssh - iptables -A INPUT -p tcp --dport 22 -j ACCEPT - iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT - - eend $? -} - -stop() { - ebegin "Stopping firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - - if [ $a == nat ]; then - /sbin/iptables -t nat -P PREROUTING ACCEPT - /sbin/iptables -t nat -P POSTROUTING ACCEPT - /sbin/iptables -t nat -P OUTPUT ACCEPT - elif [ $a == mangle ]; then - /sbin/iptables -t mangle -P PREROUTING ACCEPT - /sbin/iptables -t mangle -P INPUT ACCEPT - /sbin/iptables -t mangle -P FORWARD ACCEPT - /sbin/iptables -t mangle -P OUTPUT ACCEPT - /sbin/iptables -t mangle -P POSTROUTING ACCEPT - elif [ $a == filter ]; then - /sbin/iptables -t filter -P INPUT ACCEPT - /sbin/iptables -t filter -P FORWARD ACCEPT - /sbin/iptables -t filter -P OUTPUT ACCEPT - fi - done - eend $? -} - -reload() { - ebegin "Flushing firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - done; - eend $? - start -} - diff --git a/testing/tests/ikev1/crl-ldap/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/crl-ldap/hosts/carol/etc/ipsec.conf deleted file mode 100755 index 5a7668c64..000000000 --- a/testing/tests/ikev1/crl-ldap/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,30 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=yes - cachecrls=yes - charonstart=no - -ca strongswan - cacert=strongswanCert.pem - crluri="ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=Linux strongSwan, c=CH?certificateRevocationList" - auto=add - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=2 - keyexchange=ikev1 - -conn home - left=PH_IP_CAROL - leftcert=carolCert.pem - leftid=carol@strongswan.org - leftfirewall=yes - right=PH_IP_MOON - rightsubnet=10.1.0.0/16 - rightid=@moon.strongswan.org - auto=add diff --git a/testing/tests/ikev1/crl-ldap/hosts/carol/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl b/testing/tests/ikev1/crl-ldap/hosts/carol/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl Binary files differdeleted file mode 100644 index 75e8b0959..000000000 --- a/testing/tests/ikev1/crl-ldap/hosts/carol/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl +++ /dev/null diff --git a/testing/tests/ikev1/crl-ldap/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/crl-ldap/hosts/carol/etc/strongswan.conf deleted file mode 100644 index 71358d6c6..000000000 --- a/testing/tests/ikev1/crl-ldap/hosts/carol/etc/strongswan.conf +++ /dev/null @@ -1,11 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl ldap kernel-netlink -} - -# pluto uses optimized DH exponent sizes (RFC 3526) - -libstrongswan { - dh_exponent_ansi_x9_42 = no -} diff --git a/testing/tests/ikev1/crl-ldap/hosts/moon/etc/init.d/iptables b/testing/tests/ikev1/crl-ldap/hosts/moon/etc/init.d/iptables deleted file mode 100755 index 8de514a2e..000000000 --- a/testing/tests/ikev1/crl-ldap/hosts/moon/etc/init.d/iptables +++ /dev/null @@ -1,76 +0,0 @@ -#!/sbin/runscript -# Copyright 1999-2004 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 - -opts="start stop reload" - -depend() { - before net - need logger -} - -start() { - ebegin "Starting firewall" - - # enable IP forwarding - echo 1 > /proc/sys/net/ipv4/ip_forward - - # default policy is DROP - /sbin/iptables -P INPUT DROP - /sbin/iptables -P OUTPUT DROP - /sbin/iptables -P FORWARD DROP - - # allow esp - iptables -A INPUT -i eth0 -p 50 -j ACCEPT - iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT - - # allow IKE - iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT - - # allow ldap crl fetch from winnetou - iptables -A INPUT -i eth0 -p tcp --sport 389 -s PH_IP_WINNETOU -j ACCEPT - iptables -A OUTPUT -o eth0 -p tcp --dport 389 -d PH_IP_WINNETOU -j ACCEPT - - # allow ssh - iptables -A INPUT -p tcp --dport 22 -j ACCEPT - iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT - - eend $? -} - -stop() { - ebegin "Stopping firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - - if [ $a == nat ]; then - /sbin/iptables -t nat -P PREROUTING ACCEPT - /sbin/iptables -t nat -P POSTROUTING ACCEPT - /sbin/iptables -t nat -P OUTPUT ACCEPT - elif [ $a == mangle ]; then - /sbin/iptables -t mangle -P PREROUTING ACCEPT - /sbin/iptables -t mangle -P INPUT ACCEPT - /sbin/iptables -t mangle -P FORWARD ACCEPT - /sbin/iptables -t mangle -P OUTPUT ACCEPT - /sbin/iptables -t mangle -P POSTROUTING ACCEPT - elif [ $a == filter ]; then - /sbin/iptables -t filter -P INPUT ACCEPT - /sbin/iptables -t filter -P FORWARD ACCEPT - /sbin/iptables -t filter -P OUTPUT ACCEPT - fi - done - eend $? -} - -reload() { - ebegin "Flushing firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - done; - eend $? - start -} - diff --git a/testing/tests/ikev1/crl-ldap/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/crl-ldap/hosts/moon/etc/ipsec.conf deleted file mode 100755 index 1b80c0ddd..000000000 --- a/testing/tests/ikev1/crl-ldap/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,41 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=yes - cachecrls=yes - charonstart=no - -ca strongswan - cacert=strongswanCert.pem - crluri="ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=Linux strongSwan, c=CH?certificateRevocationList" - auto=add - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=2 - keyexchange=ikev1 - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftfirewall=yes - -conn net-net - leftsubnet=10.1.0.0/16 - right=PH_IP_SUN - rightsubnet=10.2.0.0/16 - rightid=@sun.strongswan.org - auto=add - -conn host-host - right=PH_IP_SUN - rightid=@sun.strongswan.org - auto=add - -conn rw - leftsubnet=10.1.0.0/16 - right=%any - auto=add diff --git a/testing/tests/ikev1/crl-ldap/hosts/moon/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl b/testing/tests/ikev1/crl-ldap/hosts/moon/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl Binary files differdeleted file mode 100644 index 75e8b0959..000000000 --- a/testing/tests/ikev1/crl-ldap/hosts/moon/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl +++ /dev/null diff --git a/testing/tests/ikev1/crl-ldap/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/crl-ldap/hosts/moon/etc/strongswan.conf deleted file mode 100644 index 71358d6c6..000000000 --- a/testing/tests/ikev1/crl-ldap/hosts/moon/etc/strongswan.conf +++ /dev/null @@ -1,11 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl ldap kernel-netlink -} - -# pluto uses optimized DH exponent sizes (RFC 3526) - -libstrongswan { - dh_exponent_ansi_x9_42 = no -} diff --git a/testing/tests/ikev1/crl-ldap/posttest.dat b/testing/tests/ikev1/crl-ldap/posttest.dat deleted file mode 100644 index bddd87424..000000000 --- a/testing/tests/ikev1/crl-ldap/posttest.dat +++ /dev/null @@ -1,7 +0,0 @@ -moon::ipsec stop -carol::ipsec stop -winnetou::/etc/init.d/slapd stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null -moon::rm /etc/ipsec.d/crls/* -carol::rm /etc/ipsec.d/crls/* diff --git a/testing/tests/ikev1/crl-ldap/pretest.dat b/testing/tests/ikev1/crl-ldap/pretest.dat deleted file mode 100644 index 64fa8116b..000000000 --- a/testing/tests/ikev1/crl-ldap/pretest.dat +++ /dev/null @@ -1,8 +0,0 @@ -winnetou::/etc/init.d/slapd start -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null -moon::ipsec start -carol::ipsec start -carol::sleep 2 -carol::ipsec up home -carol::sleep 3 diff --git a/testing/tests/ikev1/crl-ldap/test.conf b/testing/tests/ikev1/crl-ldap/test.conf deleted file mode 100644 index 2b240d895..000000000 --- a/testing/tests/ikev1/crl-ldap/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# UML instances used for this test - -# All UML instances that are required for this test -# -UMLHOSTS="moon carol winnetou" - -# Corresponding block diagram -# -DIAGRAM="m-c-w.png" - -# UML instances on which tcpdump is to be started -# -TCPDUMPHOSTS="" - -# UML instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev1/crl-revoked/description.txt b/testing/tests/ikev1/crl-revoked/description.txt deleted file mode 100644 index 780068ce6..000000000 --- a/testing/tests/ikev1/crl-revoked/description.txt +++ /dev/null @@ -1,7 +0,0 @@ -By setting <b>strictcrlpolicy=yes</b> a <b>strict CRL policy</b> is enforced on -both roadwarrior <b>carol</b> and gateway <b>moon</b>. Thus when <b>carol</b> initiates -the connection and no current CRL is available, the Main Mode negotiation fails -and a http fetch to get the CRL from the web server <b>winnetou</b> is triggered. -When the second Main Mode trial comes around the fetched CRL will be available -but because the certificate presented by carol has been revoked, -the IKE negotatiation will fail. diff --git a/testing/tests/ikev1/crl-revoked/evaltest.dat b/testing/tests/ikev1/crl-revoked/evaltest.dat deleted file mode 100644 index 0fd1cae8c..000000000 --- a/testing/tests/ikev1/crl-revoked/evaltest.dat +++ /dev/null @@ -1,6 +0,0 @@ -moon::cat /var/log/auth.log::X.509 certificate rejected::YES -moon::cat /var/log/auth.log::certificate was revoked::YES -carol::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES -moon::ipsec listcrls:: ok::YES -moon::ipsec status::rw.*STATE_MAIN_R3.*ISAKMP SA established::NO -carol::ipsec status::home.*STATE_MAIN_I4.*ISAKMP SA established::NO diff --git a/testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.conf deleted file mode 100755 index 77f6cfcb0..000000000 --- a/testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,23 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=yes - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - left=PH_IP_CAROL - leftcert=carolRevokedCert.pem - leftid=carol@strongswan.org - -conn home - right=PH_IP_MOON - rightsubnet=10.1.0.0/16 - rightid=@moon.strongswan.org - auto=add diff --git a/testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.d/certs/carolRevokedCert.pem b/testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.d/certs/carolRevokedCert.pem deleted file mode 100644 index a92610c4f..000000000 --- a/testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.d/certs/carolRevokedCert.pem +++ /dev/null @@ -1,25 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEIjCCAwqgAwIBAgIBGzANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ -MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS -b290IENBMB4XDTA5MDgyNzEwMzEwNloXDTE0MDgyNjEwMzEwNlowWjELMAkGA1UE -BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh -cmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcN -AQEBBQADggEPADCCAQoCggEBAOHh/BBf9VwUbx3IU2ZvKJylwCUP2Gr40Velcexr -lR1PoK3nwZrJxxfhhxrxdx7Wnt/PDiF2eyzA9U4cOyS1zPpWuRt69PEOWfzQJZkD -e5C6bXZMHwJGaCM0h8EugnwI7/XgbEq8U/1PBwIeFh8xSyIwyn8NqyHWm+6haFZG -Urz7y0ZOAYcX5ZldP8vjm2SyAl0hPlod0ypk2K1igmO8w3cRRFqD27XhztgIJyoi -+BO3umc+BXcpPGoZ7IFaXvHcMVECrxbkrvRdpKiz/4+u8FakQJtBmYuqP2TLodRJ -TKSJ4UvIPXZ8DTEYC/Ja/wrm1hNfH4T3YjWGT++lVbYF7qECAwEAAaOCAQYwggEC -MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBQRnt9aYXsi/fgMXGVh -ZpTfg8kSYjBtBgNVHSMEZjBkgBRdp91wBlEyfue2bbO15eBg6i5N76FJpEcwRTEL -MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT -EnN0cm9uZ1N3YW4gUm9vdCBDQYIBADAfBgNVHREEGDAWgRRjYXJvbEBzdHJvbmdz -d2FuLm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4u -b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBBAUAA4IBAQCY2EMqkuhtAls/ -jkjXm+sI5YVglE62itSYgJxKZhxoFn3l4Afc6+XBeftK8Y1IjXdeyQUg8qHhkctl -nBiEzRCClporCOXl5hOzWi+ft2hyKgcx8mFB8Qw5ZE9z8dvY70jdPCB4cH5EVaiC -6ElGcI02iO073iCe38b3rmpwfnkIWZ0FVjSFSsTiNPLXWH6m6tt9Gux/PFuLff4a -cdGfEGs01DEp9t0bHqZd6ESf2rEUljT57i9wSBfT5ULj78VTgudw/WhB0CgiXD+f -q2dZC/19B8Xmk6XmEpRQjFK6wFmfBiQdelJo17/8M4LdT/RfvTHJOxr2OAtvCm2Z -0xafBd5x ------END CERTIFICATE----- diff --git a/testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.d/private/carolRevokedKey.pem b/testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.d/private/carolRevokedKey.pem deleted file mode 100644 index 60e7fdfa9..000000000 --- a/testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.d/private/carolRevokedKey.pem +++ /dev/null @@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEpQIBAAKCAQEA4eH8EF/1XBRvHchTZm8onKXAJQ/YavjRV6Vx7GuVHU+grefB -msnHF+GHGvF3Htae388OIXZ7LMD1Thw7JLXM+la5G3r08Q5Z/NAlmQN7kLptdkwf -AkZoIzSHwS6CfAjv9eBsSrxT/U8HAh4WHzFLIjDKfw2rIdab7qFoVkZSvPvLRk4B -hxflmV0/y+ObZLICXSE+Wh3TKmTYrWKCY7zDdxFEWoPbteHO2AgnKiL4E7e6Zz4F -dyk8ahnsgVpe8dwxUQKvFuSu9F2kqLP/j67wVqRAm0GZi6o/ZMuh1ElMpInhS8g9 -dnwNMRgL8lr/CubWE18fhPdiNYZP76VVtgXuoQIDAQABAoIBAQCbF5UAkUJgdM9O -fat128DgvZXOXLDV0f261igAkmWR+Ih0n3n5E64VoY4oW77Ud7wiI4KqSzWLpvlH -Jm8dZ45UHJOAYM4pbRcwVKJcC14eI0LhRKbN4xXBhmHnrE1/aIuKIQt5zRFGDarc -M1gxFqFl2mZPEk18MGRkVoLTKfnJMzdHI1m0IAMwg3Rl9cmuVdkhTS+IAoULVNnI -0iAOsFN8SdDaKBqRcPkypT5s4wjGH4s7zjW4PmEDwDhhfeHkVccCuH8n3un1bPT2 -oc73RSXdCYMgDTD3waXC+4cCQGPZmUCl6Mfq7YCECkUpUg6rHlaCYRSZZoQPf5vH -VsBUvjABAoGBAPHSnJOL6tcqJCCZ27E3zIsmZ+d6dX4B/YN1Xk3vKHhavN5Ks6Gx -ZCsaluMuB2qyBRrpKnSAz6lUQ1TOxzuphlVIX1EnLW+JvNgFyem9PARsP2SMsKqm -VaqnId6pprdbP53NpL9Z7AsbS/i/Ab6WpVPyYHdqVsimCdRGK9/JlOnBAoGBAO8g -I4a4dJKiwHBHyP6wkYrhWdYwmjTJlskNNjrvtn7bCJ/Lm0SaGFXKIHCExnenZji0 -bBp3XiFNPlPfjTaXG++3IH6fxYdHonsrkxbUHvGAVETmHVLzeFiAKuUBvrWuKecD -yoywVenugORQIPal3AcLwPsVRfDU89tTQhiFq3zhAoGBAIqmfy/54URM3Tnz/Yq2 -u4htFNYb2JHPAlQFT3TP0xxuqiuqGSR0WUJ9lFXdZlM+jr7HQZha4rXrok9V39XN -dUAgpsYY+GwjRSt25jYmUesXRaGZKRIvHJ8kBL9t9jDbGLaZ2gP8wuH7XKvamF12 -coSXS8gsKGYTDT+wnCdLpR4BAoGAFwuV4Ont8iPVP/zrFgCWRjgpnEba1bOH4KBx -VYS8pcUeM6g/soDXT41HSxDAv89WPqjEslhGrhbvps2oolY1zwhrDUkAlGUG96/f -YRfYU5X2iR1UPiZQttbDS4a7hm7egvEOmDh2TzE5IsfGJX8ekV9Ene4S637acYy4 -lfxr5oECgYEAzRuvh6aG7UmKwNTfatEKav7/gUH3QBGK+Pp3TPSmR5PKh/Pk4py6 -95bT4mHrKCBIfSv/8h+6baYZr9Ha1Oj++J94RXEi8wdjjl1w3LGQrM/X+0AVqn5P -b5w1nvRK7bMikIXbZmPJmivrfChcjD21gvWeF6Osq8McWF8jW2HzrZw= ------END RSA PRIVATE KEY----- diff --git a/testing/tests/ikev1/crl-revoked/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/crl-revoked/hosts/moon/etc/ipsec.conf deleted file mode 100755 index 1c011dccb..000000000 --- a/testing/tests/ikev1/crl-revoked/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,34 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=yes - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - -conn net-net - leftsubnet=10.1.0.0/16 - right=PH_IP_SUN - rightsubnet=10.2.0.0/16 - rightid=@sun.strongswan.org - auto=add - -conn host-host - right=PH_IP_SUN - rightid=@sun.strongswan.org - auto=add - -conn rw - leftsubnet=10.1.0.0/16 - right=%any - auto=add diff --git a/testing/tests/ikev1/crl-revoked/posttest.dat b/testing/tests/ikev1/crl-revoked/posttest.dat deleted file mode 100644 index d742e8410..000000000 --- a/testing/tests/ikev1/crl-revoked/posttest.dat +++ /dev/null @@ -1,4 +0,0 @@ -moon::ipsec stop -carol::ipsec stop -carol::rm /etc/ipsec.d/private/* -carol::rm /etc/ipsec.d/certs/* diff --git a/testing/tests/ikev1/crl-revoked/pretest.dat b/testing/tests/ikev1/crl-revoked/pretest.dat deleted file mode 100644 index d92333d86..000000000 --- a/testing/tests/ikev1/crl-revoked/pretest.dat +++ /dev/null @@ -1,4 +0,0 @@ -moon::ipsec start -carol::ipsec start -carol::sleep 2 -carol::ipsec up home diff --git a/testing/tests/ikev1/crl-revoked/test.conf b/testing/tests/ikev1/crl-revoked/test.conf deleted file mode 100644 index 2b240d895..000000000 --- a/testing/tests/ikev1/crl-revoked/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# UML instances used for this test - -# All UML instances that are required for this test -# -UMLHOSTS="moon carol winnetou" - -# Corresponding block diagram -# -DIAGRAM="m-c-w.png" - -# UML instances on which tcpdump is to be started -# -TCPDUMPHOSTS="" - -# UML instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev1/crl-strict/description.txt b/testing/tests/ikev1/crl-strict/description.txt deleted file mode 100644 index 97011482e..000000000 --- a/testing/tests/ikev1/crl-strict/description.txt +++ /dev/null @@ -1,6 +0,0 @@ -By setting <b>strictcrlpolicy=yes</b> a <b>strict CRL policy</b> is enforced on -both roadwarrior <b>carol</b> and gateway <b>moon</b>. Thus when <b>carol</b> initiates -the connection and no current CRL is available, the Main Mode negotiation fails -but a http fetch to get the CRL from the web server <b>winnetou</b> is triggered. -When the second Main Mode trial comes around, the fetched CRL will be available -and the IKE negotiation completes. diff --git a/testing/tests/ikev1/crl-strict/evaltest.dat b/testing/tests/ikev1/crl-strict/evaltest.dat deleted file mode 100644 index 1d7adb05e..000000000 --- a/testing/tests/ikev1/crl-strict/evaltest.dat +++ /dev/null @@ -1,8 +0,0 @@ -moon::cat /var/log/auth.log::X.509 certificate rejected::YES -carol::cat /var/log/auth.log::X.509 certificate rejected::YES -moon::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES -carol::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES -moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES -carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES -moon::ipsec listcrls:: ok::YES -carol::ipsec listcrls:: ok::YES diff --git a/testing/tests/ikev1/crl-strict/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/crl-strict/hosts/moon/etc/ipsec.conf deleted file mode 100755 index 1c011dccb..000000000 --- a/testing/tests/ikev1/crl-strict/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,34 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=yes - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - -conn net-net - leftsubnet=10.1.0.0/16 - right=PH_IP_SUN - rightsubnet=10.2.0.0/16 - rightid=@sun.strongswan.org - auto=add - -conn host-host - right=PH_IP_SUN - rightid=@sun.strongswan.org - auto=add - -conn rw - leftsubnet=10.1.0.0/16 - right=%any - auto=add diff --git a/testing/tests/ikev1/crl-strict/pretest.dat b/testing/tests/ikev1/crl-strict/pretest.dat deleted file mode 100644 index d92333d86..000000000 --- a/testing/tests/ikev1/crl-strict/pretest.dat +++ /dev/null @@ -1,4 +0,0 @@ -moon::ipsec start -carol::ipsec start -carol::sleep 2 -carol::ipsec up home diff --git a/testing/tests/ikev1/crl-strict/test.conf b/testing/tests/ikev1/crl-strict/test.conf deleted file mode 100644 index 2b240d895..000000000 --- a/testing/tests/ikev1/crl-strict/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# UML instances used for this test - -# All UML instances that are required for this test -# -UMLHOSTS="moon carol winnetou" - -# Corresponding block diagram -# -DIAGRAM="m-c-w.png" - -# UML instances on which tcpdump is to be started -# -TCPDUMPHOSTS="" - -# UML instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev1/crl-to-cache/description.txt b/testing/tests/ikev1/crl-to-cache/description.txt deleted file mode 100644 index 9f542e73d..000000000 --- a/testing/tests/ikev1/crl-to-cache/description.txt +++ /dev/null @@ -1,6 +0,0 @@ -By setting <b>cachecrls=yes</b> in ipsec.conf, a copy of the CRL fetched -via http from the web server <b>winnetou</b> is saved locally in the -directory <b>/etc/ipsec.d/crls</b> on both the roadwarrior <b>carol</b> -and the gateway <b>moon</b> when the IPsec connection is set up. The -<b>subjectKeyIdentifier</b> of the issuing CA plus the suffix <b>.crl</b> -is used as a unique filename for the cached CRL. diff --git a/testing/tests/ikev1/crl-to-cache/evaltest.dat b/testing/tests/ikev1/crl-to-cache/evaltest.dat deleted file mode 100644 index be7737185..000000000 --- a/testing/tests/ikev1/crl-to-cache/evaltest.dat +++ /dev/null @@ -1,4 +0,0 @@ -moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES -carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES -moon::cat /var/log/auth.log::written crl file.*/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl::YES -carol::cat /var/log/auth.log::written crl file.*/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl::YES diff --git a/testing/tests/ikev1/crl-to-cache/posttest.dat b/testing/tests/ikev1/crl-to-cache/posttest.dat deleted file mode 100644 index be17847c1..000000000 --- a/testing/tests/ikev1/crl-to-cache/posttest.dat +++ /dev/null @@ -1,4 +0,0 @@ -moon::ipsec stop -carol::ipsec stop -moon::rm /etc/ipsec.d/crls/* -carol::rm /etc/ipsec.d/crls/* diff --git a/testing/tests/ikev1/crl-to-cache/pretest.dat b/testing/tests/ikev1/crl-to-cache/pretest.dat deleted file mode 100644 index d92333d86..000000000 --- a/testing/tests/ikev1/crl-to-cache/pretest.dat +++ /dev/null @@ -1,4 +0,0 @@ -moon::ipsec start -carol::ipsec start -carol::sleep 2 -carol::ipsec up home diff --git a/testing/tests/ikev1/crl-to-cache/test.conf b/testing/tests/ikev1/crl-to-cache/test.conf deleted file mode 100644 index 2b240d895..000000000 --- a/testing/tests/ikev1/crl-to-cache/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# UML instances used for this test - -# All UML instances that are required for this test -# -UMLHOSTS="moon carol winnetou" - -# Corresponding block diagram -# -DIAGRAM="m-c-w.png" - -# UML instances on which tcpdump is to be started -# -TCPDUMPHOSTS="" - -# UML instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev1/default-keys/description.txt b/testing/tests/ikev1/default-keys/description.txt deleted file mode 100644 index 639e909da..000000000 --- a/testing/tests/ikev1/default-keys/description.txt +++ /dev/null @@ -1,8 +0,0 @@ -Because of the missing <b>/etc/ipsec.secrets</b> file, roadwarrior <b>carol</b> -and gateway <b>moon</b> each automatically generate a PKCS#1 RSA private key -and a self-signed X.509 certificate. Because the UML testing environment does -not offer enough entropy, the non-blocking /dev/urandom device is used in place -of /dev/random for generating the random primes. -<p> -The self-signed certificates are then distributed to the peers via scp -and are used to set up a road warrior connection initiated by <b>carol</b> diff --git a/testing/tests/ikev1/default-keys/evaltest.dat b/testing/tests/ikev1/default-keys/evaltest.dat deleted file mode 100644 index a18e3997e..000000000 --- a/testing/tests/ikev1/default-keys/evaltest.dat +++ /dev/null @@ -1,9 +0,0 @@ -carol::cat /var/log/auth.log::scepclient::YES -moon::cat /var/log/auth.log::scepclient::YES -carol::cat /var/log/auth.log::we have a cert but are not sending it::YES -moon::cat /var/log/auth.log::we have a cert but are not sending it::YES -carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES -moon::ipsec status::carol.*STATE_QUICK_R2.*IPsec SA established::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES -moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/ikev1/default-keys/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/default-keys/hosts/carol/etc/ipsec.conf deleted file mode 100755 index 4d5bff62c..000000000 --- a/testing/tests/ikev1/default-keys/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,25 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug=control - crlcheckinterval=0 - strictcrlpolicy=no - nocrsend=yes - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - -conn home - left=PH_IP_CAROL - leftcert=selfCert.der - leftsendcert=never - leftfirewall=yes - right=PH_IP_MOON - rightsubnet=10.1.0.0/16 - rightcert=peerCert.der - auto=add diff --git a/testing/tests/ikev1/default-keys/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/default-keys/hosts/carol/etc/strongswan.conf deleted file mode 100644 index e589a9425..000000000 --- a/testing/tests/ikev1/default-keys/hosts/carol/etc/strongswan.conf +++ /dev/null @@ -1,15 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink -} - -scepclient { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random -} - -# pluto uses optimized DH exponent sizes (RFC 3526) - -libstrongswan { - dh_exponent_ansi_x9_42 = no -} diff --git a/testing/tests/ikev1/default-keys/hosts/moon/etc/init.d/iptables b/testing/tests/ikev1/default-keys/hosts/moon/etc/init.d/iptables deleted file mode 100755 index 13ad3063f..000000000 --- a/testing/tests/ikev1/default-keys/hosts/moon/etc/init.d/iptables +++ /dev/null @@ -1,78 +0,0 @@ -#!/sbin/runscript -# Copyright 1999-2004 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 - -opts="start stop reload" - -depend() { - before net - need logger -} - -start() { - ebegin "Starting firewall" - - # enable IP forwarding - echo 1 > /proc/sys/net/ipv4/ip_forward - - # default policy is DROP - /sbin/iptables -P INPUT DROP - /sbin/iptables -P OUTPUT DROP - /sbin/iptables -P FORWARD DROP - - # allow esp - iptables -A INPUT -i eth0 -p 50 -j ACCEPT - iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT - - # allow IKE - iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT - - # allow crl fetch from winnetou - iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT - iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT - - # allow ssh - iptables -A INPUT -p tcp --dport 22 -j ACCEPT - iptables -A INPUT -p tcp --sport 22 -j ACCEPT - iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT - iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT - - eend $? -} - -stop() { - ebegin "Stopping firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - - if [ $a == nat ]; then - /sbin/iptables -t nat -P PREROUTING ACCEPT - /sbin/iptables -t nat -P POSTROUTING ACCEPT - /sbin/iptables -t nat -P OUTPUT ACCEPT - elif [ $a == mangle ]; then - /sbin/iptables -t mangle -P PREROUTING ACCEPT - /sbin/iptables -t mangle -P INPUT ACCEPT - /sbin/iptables -t mangle -P FORWARD ACCEPT - /sbin/iptables -t mangle -P OUTPUT ACCEPT - /sbin/iptables -t mangle -P POSTROUTING ACCEPT - elif [ $a == filter ]; then - /sbin/iptables -t filter -P INPUT ACCEPT - /sbin/iptables -t filter -P FORWARD ACCEPT - /sbin/iptables -t filter -P OUTPUT ACCEPT - fi - done - eend $? -} - -reload() { - ebegin "Flushing firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - done; - eend $? - start -} - diff --git a/testing/tests/ikev1/default-keys/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/default-keys/hosts/moon/etc/ipsec.conf deleted file mode 100755 index dd7ae0b20..000000000 --- a/testing/tests/ikev1/default-keys/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,26 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug=control - crlcheckinterval=0 - strictcrlpolicy=no - nocrsend=yes - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - -conn carol - left=PH_IP_MOON - leftcert=selfCert.der - leftsendcert=never - leftfirewall=yes - leftsubnet=10.1.0.0/16 - right=%any - rightcert=peerCert.der - auto=add - diff --git a/testing/tests/ikev1/default-keys/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/default-keys/hosts/moon/etc/strongswan.conf deleted file mode 100644 index e589a9425..000000000 --- a/testing/tests/ikev1/default-keys/hosts/moon/etc/strongswan.conf +++ /dev/null @@ -1,15 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink -} - -scepclient { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random -} - -# pluto uses optimized DH exponent sizes (RFC 3526) - -libstrongswan { - dh_exponent_ansi_x9_42 = no -} diff --git a/testing/tests/ikev1/default-keys/posttest.dat b/testing/tests/ikev1/default-keys/posttest.dat deleted file mode 100644 index 8cada5e7e..000000000 --- a/testing/tests/ikev1/default-keys/posttest.dat +++ /dev/null @@ -1,8 +0,0 @@ -moon::ipsec stop -carol::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null -carol::rm /etc/ipsec.d/private/* -carol::rm /etc/ipsec.d/certs/* -moon::rm /etc/ipsec.d/private/* -moon::rm /etc/ipsec.d/certs/* diff --git a/testing/tests/ikev1/default-keys/pretest.dat b/testing/tests/ikev1/default-keys/pretest.dat deleted file mode 100644 index 88f9a2ca9..000000000 --- a/testing/tests/ikev1/default-keys/pretest.dat +++ /dev/null @@ -1,18 +0,0 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null -carol::rm /etc/ipsec.secrets -carol::rm /etc/ipsec.d/private/* -carol::rm /etc/ipsec.d/certs/* -carol::rm /etc/ipsec.d/cacerts/* -carol::ipsec start -moon::rm /etc/ipsec.secrets -moon::rm /etc/ipsec.d/private/* -moon::rm /etc/ipsec.d/certs/* -moon::rm /etc/ipsec.d/cacerts/* -moon::ipsec start -moon::sleep 5 -moon::scp /etc/ipsec.d/certs/selfCert.der carol:/etc/ipsec.d/certs/peerCert.der -moon::scp carol:/etc/ipsec.d/certs/selfCert.der /etc/ipsec.d/certs/peerCert.der -moon::ipsec reload -carol::ipsec reload -carol::ipsec up home diff --git a/testing/tests/ikev1/default-keys/test.conf b/testing/tests/ikev1/default-keys/test.conf deleted file mode 100644 index 0baa48d90..000000000 --- a/testing/tests/ikev1/default-keys/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# UML instances used for this test - -# All UML instances that are required for this test -# -UMLHOSTS="alice moon carol" - -# Corresponding block diagram -# -DIAGRAM="a-m-c.png" - -# UML instances on which tcpdump is to be started -# -TCPDUMPHOSTS="moon" - -# UML instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev1/double-nat-net/evaltest.dat b/testing/tests/ikev1/double-nat-net/evaltest.dat index d00613c07..52c561964 100644 --- a/testing/tests/ikev1/double-nat-net/evaltest.dat +++ b/testing/tests/ikev1/double-nat-net/evaltest.dat @@ -1,5 +1,7 @@ -alice::ipsec status::nat-t.*STATE_QUICK_I2.*IPsec SA established::YES -bob::ipsec status::nat-t.*STATE_QUICK_R2.*IPsec SA established::YES -alice::ping -c 1 PH_IP_SUN1::64 bytes from PH_IP_SUN1: icmp_seq=1::YES -moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP::YES -moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP::YES +alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*bob@strongswan.org::YES +bob:: ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*bob@strongswan.org.*alice@strongswan.org::YES +alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES +bob:: ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES +alice::ping -c 1 PH_IP_SUN1::64 bytes from PH_IP_SUN1: icmp_req=1::YES +moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.4500: UDP::YES +moon::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.*: UDP::YES diff --git a/testing/tests/ikev1/double-nat-net/hosts/alice/etc/ipsec.conf b/testing/tests/ikev1/double-nat-net/hosts/alice/etc/ipsec.conf index caad279bb..836a8b322 100755..100644 --- a/testing/tests/ikev1/double-nat-net/hosts/alice/etc/ipsec.conf +++ b/testing/tests/ikev1/double-nat-net/hosts/alice/etc/ipsec.conf @@ -1,11 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - nat_traversal=yes - charonstart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev1/double-nat-net/hosts/alice/etc/strongswan.conf b/testing/tests/ikev1/double-nat-net/hosts/alice/etc/strongswan.conf new file mode 100644 index 000000000..dc937641c --- /dev/null +++ b/testing/tests/ikev1/double-nat-net/hosts/alice/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ikev1/double-nat-net/hosts/bob/etc/ipsec.conf b/testing/tests/ikev1/double-nat-net/hosts/bob/etc/ipsec.conf index 32d2ab0f6..fa1ccacb1 100755..100644 --- a/testing/tests/ikev1/double-nat-net/hosts/bob/etc/ipsec.conf +++ b/testing/tests/ikev1/double-nat-net/hosts/bob/etc/ipsec.conf @@ -1,11 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - nat_traversal=yes - charonstart=no conn %default ikelifetime=60m @@ -21,5 +16,5 @@ conn nat-t leftid=bob@strongswan.org leftfirewall=yes right=%any - rightsubnetwithin=10.1.0.0/16 + rightsubnet=10.1.0.0/16 auto=add diff --git a/testing/tests/ikev1/double-nat-net/hosts/bob/etc/iptables.rules b/testing/tests/ikev1/double-nat-net/hosts/bob/etc/iptables.rules new file mode 100644 index 000000000..ae8f9a61e --- /dev/null +++ b/testing/tests/ikev1/double-nat-net/hosts/bob/etc/iptables.rules @@ -0,0 +1,24 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow IKE +-A INPUT -i eth0 -p udp --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow crl fetch from winnetou +-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT +-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + +COMMIT diff --git a/testing/tests/ikev1/double-nat-net/hosts/bob/etc/strongswan.conf b/testing/tests/ikev1/double-nat-net/hosts/bob/etc/strongswan.conf new file mode 100644 index 000000000..dc937641c --- /dev/null +++ b/testing/tests/ikev1/double-nat-net/hosts/bob/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ikev1/double-nat-net/posttest.dat b/testing/tests/ikev1/double-nat-net/posttest.dat index 484297418..63d4f98e7 100644 --- a/testing/tests/ikev1/double-nat-net/posttest.dat +++ b/testing/tests/ikev1/double-nat-net/posttest.dat @@ -1,7 +1,7 @@ bob::ipsec stop alice::ipsec stop -alice::/etc/init.d/iptables stop 2> /dev/null -bob::/etc/init.d/iptables stop 2> /dev/null +alice::iptables-restore < /etc/iptables.flush +bob::iptables-restore < /etc/iptables.flush moon::iptables -t nat -F sun::iptables -t nat -F moon::conntrack -F diff --git a/testing/tests/ikev1/double-nat-net/pretest.dat b/testing/tests/ikev1/double-nat-net/pretest.dat index 84bc15092..17a4fe5eb 100644 --- a/testing/tests/ikev1/double-nat-net/pretest.dat +++ b/testing/tests/ikev1/double-nat-net/pretest.dat @@ -1,8 +1,5 @@ -alice::/etc/init.d/iptables start 2> /dev/null -bob::/etc/init.d/iptables start 2> /dev/null -bob::echo 1 > /proc/sys/net/ipv4/ip_forward -moon::echo 1 > /proc/sys/net/ipv4/ip_forward -sun::echo 1 > /proc/sys/net/ipv4/ip_forward +alice::iptables-restore < /etc/iptables.rules +bob::iptables-restore < /etc/iptables.rules moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100 sun::iptables -t nat -A POSTROUTING -o eth0 -s 10.2.0.0/16 -p tcp -j SNAT --to-source PH_IP_SUN:2000-2100 @@ -12,4 +9,4 @@ alice::ipsec start bob::ipsec start alice::sleep 2 alice::ipsec up nat-t - +alice::sleep 1 diff --git a/testing/tests/ikev1/double-nat-net/test.conf b/testing/tests/ikev1/double-nat-net/test.conf index 1ca2ffe5a..d2e31d257 100644 --- a/testing/tests/ikev1/double-nat-net/test.conf +++ b/testing/tests/ikev1/double-nat-net/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon winnetou sun bob" +VIRTHOSTS="alice moon winnetou sun bob" # Corresponding block diagram # DIAGRAM="a-m-w-s-b.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="alice bob" diff --git a/testing/tests/ikev1/double-nat/evaltest.dat b/testing/tests/ikev1/double-nat/evaltest.dat index 05e751422..9ddad2de5 100644 --- a/testing/tests/ikev1/double-nat/evaltest.dat +++ b/testing/tests/ikev1/double-nat/evaltest.dat @@ -1,5 +1,7 @@ -alice::ipsec status::nat-t.*STATE_QUICK_I2.*IPsec SA established::YES -bob::ipsec status::nat-t.*STATE_QUICK_R2.*IPsec SA established::YES -alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES -moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP::YES -moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP::YES +alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*bob@strongswan.org::YES +bob:: ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*bob@strongswan.org.*alice@strongswan.org::YES +alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES +bob:: ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES +moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.4500: UDP::YES +moon::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.*: UDP::YES diff --git a/testing/tests/ikev1/double-nat/hosts/alice/etc/ipsec.conf b/testing/tests/ikev1/double-nat/hosts/alice/etc/ipsec.conf index 7de7a951e..6b40252cf 100755..100644 --- a/testing/tests/ikev1/double-nat/hosts/alice/etc/ipsec.conf +++ b/testing/tests/ikev1/double-nat/hosts/alice/etc/ipsec.conf @@ -1,11 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - nat_traversal=yes - charonstart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev1/double-nat/hosts/alice/etc/strongswan.conf b/testing/tests/ikev1/double-nat/hosts/alice/etc/strongswan.conf new file mode 100644 index 000000000..dc937641c --- /dev/null +++ b/testing/tests/ikev1/double-nat/hosts/alice/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ikev1/double-nat/hosts/bob/etc/ipsec.conf b/testing/tests/ikev1/double-nat/hosts/bob/etc/ipsec.conf new file mode 100644 index 000000000..89640564d --- /dev/null +++ b/testing/tests/ikev1/double-nat/hosts/bob/etc/ipsec.conf @@ -0,0 +1,19 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + +conn nat-t + left=%defaultroute + leftcert=bobCert.pem + leftid=bob@strongswan.org + leftfirewall=yes + right=%any + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/ikev1/double-nat/hosts/bob/etc/iptables.rules b/testing/tests/ikev1/double-nat/hosts/bob/etc/iptables.rules new file mode 100644 index 000000000..ae8f9a61e --- /dev/null +++ b/testing/tests/ikev1/double-nat/hosts/bob/etc/iptables.rules @@ -0,0 +1,24 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow IKE +-A INPUT -i eth0 -p udp --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow crl fetch from winnetou +-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT +-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + +COMMIT diff --git a/testing/tests/ikev1/double-nat/hosts/bob/etc/strongswan.conf b/testing/tests/ikev1/double-nat/hosts/bob/etc/strongswan.conf new file mode 100644 index 000000000..dc937641c --- /dev/null +++ b/testing/tests/ikev1/double-nat/hosts/bob/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ikev1/double-nat/posttest.dat b/testing/tests/ikev1/double-nat/posttest.dat index 5d39e406d..aa806bfc9 100644 --- a/testing/tests/ikev1/double-nat/posttest.dat +++ b/testing/tests/ikev1/double-nat/posttest.dat @@ -1,7 +1,7 @@ bob::ipsec stop alice::ipsec stop -alice::/etc/init.d/iptables stop 2> /dev/null -bob::/etc/init.d/iptables stop 2> /dev/null +alice::iptables-restore < /etc/iptables.flush +bob::iptables-restore < /etc/iptables.flush moon::iptables -t nat -F sun::iptables -t nat -F moon::conntrack -F diff --git a/testing/tests/ikev1/double-nat/pretest.dat b/testing/tests/ikev1/double-nat/pretest.dat index cf495b778..65f18b756 100644 --- a/testing/tests/ikev1/double-nat/pretest.dat +++ b/testing/tests/ikev1/double-nat/pretest.dat @@ -1,7 +1,5 @@ -alice::/etc/init.d/iptables start 2> /dev/null -bob::/etc/init.d/iptables start 2> /dev/null -moon::echo 1 > /proc/sys/net/ipv4/ip_forward -sun::echo 1 > /proc/sys/net/ipv4/ip_forward +alice::iptables-restore < /etc/iptables.rules +bob::iptables-restore < /etc/iptables.rules moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100 sun::iptables -t nat -A POSTROUTING -o eth0 -s 10.2.0.0/16 -p tcp -j SNAT --to-source PH_IP_SUN:2000-2100 @@ -10,4 +8,4 @@ alice::ipsec start bob::ipsec start alice::sleep 2 alice::ipsec up nat-t - +alice::sleep 1 diff --git a/testing/tests/ikev1/double-nat/test.conf b/testing/tests/ikev1/double-nat/test.conf index 1ca2ffe5a..d2e31d257 100644 --- a/testing/tests/ikev1/double-nat/test.conf +++ b/testing/tests/ikev1/double-nat/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon winnetou sun bob" +VIRTHOSTS="alice moon winnetou sun bob" # Corresponding block diagram # DIAGRAM="a-m-w-s-b.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="alice bob" diff --git a/testing/tests/ikev1/dpd-clear/description.txt b/testing/tests/ikev1/dpd-clear/description.txt index f76b2d741..7f62dc576 100644 --- a/testing/tests/ikev1/dpd-clear/description.txt +++ b/testing/tests/ikev1/dpd-clear/description.txt @@ -1,5 +1,5 @@ The roadwarrior <b>carol</b> sets up an IPsec tunnel connection to the gateway <b>moon</b> which in turn activates <b>Dead Peer Detection</b> (DPD) with a polling interval of 10 s. When the network connectivity between <b>carol</b> and <b>moon</b> is forcefully disrupted, -<b>moon</b> clears the connection after the configured timeout of 30 s. +<b>moon</b> clears the connection after 4 unsuccessful retransmits. diff --git a/testing/tests/ikev1/dpd-clear/evaltest.dat b/testing/tests/ikev1/dpd-clear/evaltest.dat index 98d5b146b..f6f18212c 100644 --- a/testing/tests/ikev1/dpd-clear/evaltest.dat +++ b/testing/tests/ikev1/dpd-clear/evaltest.dat @@ -1,7 +1,7 @@ -carol::ipsec status::STATE_MAIN_I4 (ISAKMP SA established)::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES carol::iptables -A INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO -moon::sleep 50::no output expected::NO -moon::cat /var/log/auth.log::inserting event EVENT_DPD::YES -moon::cat /var/log/auth.log::DPD: No response from peer - declaring peer dead::YES -moon::cat /var/log/auth.log::DPD: Terminating all SAs using this connection::YES -moon::cat /var/log/auth.log::DPD: Clearing connection::YES +moon:: sleep 60::no output expected::NO +moon:: cat /var/log/daemon.log::sending DPD request::YES +moon::cat /var/log/daemon.log::DPD check timed out, enforcing DPD action::YES +moon:: ipsec status 2> /dev/null::rw.*INSTALLED::NO diff --git a/testing/tests/ikev1/after-2038-certs/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/dpd-clear/hosts/carol/etc/ipsec.conf index 528e3f1b3..6812907e8 100755..100644 --- a/testing/tests/ikev1/after-2038-certs/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/dpd-clear/hosts/carol/etc/ipsec.conf @@ -1,17 +1,12 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no conn %default ikelifetime=60m keylife=20m rekeymargin=3m keyingtries=1 - keyexchange=ikev1 conn home left=PH_IP_CAROL @@ -21,4 +16,5 @@ conn home right=PH_IP_MOON rightid=@moon.strongswan.org rightsubnet=10.1.0.0/16 + keyexchange=ikev1 auto=add diff --git a/testing/tests/ikev1/dpd-clear/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/dpd-clear/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..dc937641c --- /dev/null +++ b/testing/tests/ikev1/dpd-clear/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ikev1/dpd-clear/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/dpd-clear/hosts/moon/etc/ipsec.conf index 34490a13a..83f2849a4 100755..100644 --- a/testing/tests/ikev1/dpd-clear/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/dpd-clear/hosts/moon/etc/ipsec.conf @@ -1,10 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no conn %default ikelifetime=60m @@ -14,7 +10,7 @@ conn %default keyexchange=ikev1 dpdaction=clear dpddelay=10 - dpdtimeout=30 + dpdtimeout=45 conn rw left=PH_IP_MOON @@ -24,6 +20,3 @@ conn rw right=%any rightid=carol@strongswan.org auto=add - - - diff --git a/testing/tests/ikev1/dpd-clear/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/dpd-clear/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..85d8c191f --- /dev/null +++ b/testing/tests/ikev1/dpd-clear/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default +} diff --git a/testing/tests/ikev1/dpd-clear/test.conf b/testing/tests/ikev1/dpd-clear/test.conf index 2b240d895..892f51cd9 100644 --- a/testing/tests/ikev1/dpd-clear/test.conf +++ b/testing/tests/ikev1/dpd-clear/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="moon carol winnetou" +VIRTHOSTS="moon carol winnetou" # Corresponding block diagram # DIAGRAM="m-c-w.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev1/dpd-restart/description.txt b/testing/tests/ikev1/dpd-restart/description.txt index 0a309cf52..410d3d636 100644 --- a/testing/tests/ikev1/dpd-restart/description.txt +++ b/testing/tests/ikev1/dpd-restart/description.txt @@ -1,13 +1,7 @@ -The peer <b>carol</b> and <b>moon</b> both have dynamic IP addresses, so that the remote end -is defined symbolically by <b>right=%<hostname></b>. The ipsec starter resolves the -fully-qualified hostname into the current IP address via a DNS lookup (simulated by an -/etc/hosts entry). Since the peer IP addresses are expected to change over time, the option -<b>rightallowany=yes</b> will allow an IKE main mode rekeying to arrive from an arbitrary -IP address under the condition that the peer identity remains unchanged. When this happens -the old tunnel is replaced by an IPsec connection to the new origin. -<p> -In this scenario <b>moon</b> first initiates a tunnel to <b>carol</b>. After some time -the responder <b>carol</b> disconnects (simulated by iptables blocking IKE and ESP traffic). -<b>moon</b> detects via Dead Peer Detection (DPD) that the connection is down and tries to -reconnect. After a few seconds the firewall is opened again and the connection is -reestablished. +The roadwarrior <b>carol</b> sets up an IPsec tunnel connection to the gateway +<b>moon</b>. Both end points activate <b>Dead Peer Detection</b> (DPD) with a +polling interval of 10 s. When the network connectivity between <b>carol</b> +and <b>moon</b> is forcefully disrupted for a duration of 100 s, <b>moon</b> +clears the connection after 4 unsuccessful retransmits whereas <b>carol</b> +also takes down the connection but immediately tries to reconnect which succeeds +as soon as the connection becomes available again. diff --git a/testing/tests/ikev1/dpd-restart/evaltest.dat b/testing/tests/ikev1/dpd-restart/evaltest.dat index 8bc2e8688..6a749b826 100644 --- a/testing/tests/ikev1/dpd-restart/evaltest.dat +++ b/testing/tests/ikev1/dpd-restart/evaltest.dat @@ -1,10 +1,13 @@ -moon::ipsec status::STATE_MAIN_I4 (ISAKMP SA established)::YES -carol::iptables -I INPUT 1 -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO -carol::sleep 35::no output expected::NO +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES +moon:: iptables -A INPUT -i eth0 -s PH_IP_CAROL -j DROP::no output expected::NO +carol::iptables -A INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO +carol::sleep 60::no output expected::NO +carol::cat /var/log/daemon.log::sending DPD request::YES +carol::cat /var/log/daemon.log::DPD check timed out, enforcing DPD action::YES +carol::cat /var/log/daemon.log::restarting CHILD_SA home::YES carol::iptables -D INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO -moon::cat /var/log/auth.log::inserting event EVENT_DPD::YES -moon::cat /var/log/auth.log::DPD: No response from peer - declaring peer dead::YES -moon::cat /var/log/auth.log::DPD: Terminating all SAs using this connection::YES -moon::cat /var/log/auth.log::DPD: Restarting connection::YES -moon::sleep 10::no output expected::NO -moon::ipsec status::STATE_MAIN_I4 (ISAKMP SA established)::YES +moon:: iptables -D INPUT -i eth0 -s PH_IP_CAROL -j DROP::no output expected::NO +carol::sleep 10::no output expected::NO +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES diff --git a/testing/tests/ikev1/dpd-restart/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/dpd-restart/hosts/carol/etc/ipsec.conf index 3c0b0bf15..d3c105c31 100755..100644 --- a/testing/tests/ikev1/dpd-restart/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/dpd-restart/hosts/carol/etc/ipsec.conf @@ -1,10 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no conn %default ikelifetime=60m @@ -12,15 +8,16 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev1 + dpdaction=restart + dpddelay=10 + dpdtimeout=45 -conn moon - left=%defaultroute - leftnexthop=%direct - leftsourceip=PH_IP_CAROL1 +conn home + left=PH_IP_CAROL leftcert=carolCert.pem leftid=carol@strongswan.org leftfirewall=yes - right=%moon.strongswan.org - rightsubnet=10.1.0.0/16 + right=PH_IP_MOON rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 auto=add diff --git a/testing/tests/ikev1/dpd-restart/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/dpd-restart/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..dc937641c --- /dev/null +++ b/testing/tests/ikev1/dpd-restart/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ikev1/dpd-restart/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/dpd-restart/hosts/moon/etc/ipsec.conf index 9f1aded0f..79db53614 100755..100644 --- a/testing/tests/ikev1/dpd-restart/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/dpd-restart/hosts/moon/etc/ipsec.conf @@ -1,10 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no conn %default ikelifetime=60m @@ -12,19 +8,14 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev1 - dpdaction=restart - dpddelay=5 - dpdtimeout=25 - -conn carol - left=%defaultroute - leftnexthop=%direct - leftsubnet=10.1.0.0/16 - leftsourceip=PH_IP_MOON1 + dpdaction=clear + dpddelay=10 + dpdtimeout=45 +conn rw + left=PH_IP_MOON leftcert=moonCert.pem leftid=@moon.strongswan.org - leftfirewall=yes - right=%carol.strongswan.org + leftsubnet=10.1.0.0/16 + right=%any rightid=carol@strongswan.org - rightsubnet=PH_IP_CAROL1/32 - auto=start + auto=add diff --git a/testing/tests/ikev1/dpd-restart/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/dpd-restart/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..85d8c191f --- /dev/null +++ b/testing/tests/ikev1/dpd-restart/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default +} diff --git a/testing/tests/ikev1/dpd-restart/posttest.dat b/testing/tests/ikev1/dpd-restart/posttest.dat index e092608cb..c6d6235f9 100644 --- a/testing/tests/ikev1/dpd-restart/posttest.dat +++ b/testing/tests/ikev1/dpd-restart/posttest.dat @@ -1,5 +1,2 @@ -carol::ipsec stop moon::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null -carol::ip addr del PH_IP_CAROL1/32 dev eth0 +carol::ipsec stop diff --git a/testing/tests/ikev1/dpd-restart/pretest.dat b/testing/tests/ikev1/dpd-restart/pretest.dat index caf89d6c6..14ed95322 100644 --- a/testing/tests/ikev1/dpd-restart/pretest.dat +++ b/testing/tests/ikev1/dpd-restart/pretest.dat @@ -1,5 +1,4 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null -carol::ipsec start moon::ipsec start -moon::sleep 4 +carol::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/ikev1/dpd-restart/test.conf b/testing/tests/ikev1/dpd-restart/test.conf index 4d648102b..892f51cd9 100644 --- a/testing/tests/ikev1/dpd-restart/test.conf +++ b/testing/tests/ikev1/dpd-restart/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon carol winnetou dave" +VIRTHOSTS="moon carol winnetou" # Corresponding block diagram # -DIAGRAM="a-m-c-w-d.png" +DIAGRAM="m-c-w.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # -TCPDUMPHOSTS="moon alice" +TCPDUMPHOSTS="" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev1/dynamic-initiator/evaltest.dat b/testing/tests/ikev1/dynamic-initiator/evaltest.dat index 3105ae38c..61546f417 100644 --- a/testing/tests/ikev1/dynamic-initiator/evaltest.dat +++ b/testing/tests/ikev1/dynamic-initiator/evaltest.dat @@ -1,8 +1,10 @@ -carol::ipsec status::moon.*STATE_QUICK_I2.*IPsec SA established::YES -dave::ipsec status::moon.*STATE_QUICK_I2.*IPsec SA established::YES -moon::cat /var/log/auth.log::PH_IP_CAROL.*IPsec SA established::YES -moon::cat /var/log/auth.log::PH_IP_DAVE.*deleting connection.*with peer PH_IP_CAROL::YES -moon::cat /var/log/auth.log::PH_IP_DAVE.*IPsec SA established::YES -dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +carol::ipsec status 2> /dev/null::moon.*ESTABLISHED.*carol.strongswan.org.*moon.strongswan.org::YES +dave:: ipsec status 2> /dev/null::moon.*ESTABLISHED.*carol.strongswan.org.*moon.strongswan.org::YES +carol::ipsec status 2> /dev/null::moon.*INSTALLED, TUNNEL::YES +dave:: ipsec status 2> /dev/null::moon.*INSTALLED, TUNNEL::YES +moon:: cat /var/log/auth.log::IKE_SA carol\[1] established.*PH_IP_CAROL::YES +moon:: cat /var/log/daemon.log::deleting duplicate IKE_SA for.*carol@strongswan.org.*due to uniqueness policy::YES +moon:: cat /var/log/auth.log::IKE_SA carol\[2] established.*PH_IP_DAVE::YES +dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES diff --git a/testing/tests/ikev1/dynamic-initiator/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/dynamic-initiator/hosts/carol/etc/ipsec.conf index acf503f8e..ef0d102c0 100755..100644 --- a/testing/tests/ikev1/dynamic-initiator/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/dynamic-initiator/hosts/carol/etc/ipsec.conf @@ -1,10 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no conn %default ikelifetime=60m @@ -14,18 +10,12 @@ conn %default keyexchange=ikev1 conn moon - left=%defaultroute - leftnexthop=%direct - leftsourceip=PH_IP_CAROL1 + left=%any + leftsourceip=%config leftcert=carolCert.pem leftid=carol@strongswan.org leftfirewall=yes - right=moon.strongswan.org - rightallowany=yes + right=%moon.strongswan.org rightsubnet=10.1.0.0/16 rightid=@moon.strongswan.org auto=add - - - - diff --git a/testing/tests/ikev1/dynamic-initiator/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/dynamic-initiator/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..bad10ca43 --- /dev/null +++ b/testing/tests/ikev1/dynamic-initiator/hosts/carol/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown +} + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/ipsec.conf index acf503f8e..ef0d102c0 100755..100644 --- a/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/ipsec.conf @@ -1,10 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no conn %default ikelifetime=60m @@ -14,18 +10,12 @@ conn %default keyexchange=ikev1 conn moon - left=%defaultroute - leftnexthop=%direct - leftsourceip=PH_IP_CAROL1 + left=%any + leftsourceip=%config leftcert=carolCert.pem leftid=carol@strongswan.org leftfirewall=yes - right=moon.strongswan.org - rightallowany=yes + right=%moon.strongswan.org rightsubnet=10.1.0.0/16 rightid=@moon.strongswan.org auto=add - - - - diff --git a/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..bad10ca43 --- /dev/null +++ b/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown +} + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/dynamic-initiator/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/dynamic-initiator/hosts/moon/etc/ipsec.conf index ee28eebf3..6ab0ea5ab 100755..100644 --- a/testing/tests/ikev1/dynamic-initiator/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/dynamic-initiator/hosts/moon/etc/ipsec.conf @@ -1,10 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no conn %default ikelifetime=60m @@ -12,17 +8,14 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev1 - left=%defaultroute - leftnexthop=%direct + +conn carol + left=%any leftsubnet=10.1.0.0/16 - leftsourceip=PH_IP_MOON1 leftcert=moonCert.pem leftid=@moon.strongswan.org leftfirewall=yes - -conn carol - right=carol.strongswan.org - rightallowany=yes + right=%carol.strongswan.org rightid=carol@strongswan.org - rightsubnet=PH_IP_CAROL1/32 + rightsourceip=PH_IP_CAROL1 auto=add diff --git a/testing/tests/ikev1/dynamic-initiator/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/dynamic-initiator/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..bad10ca43 --- /dev/null +++ b/testing/tests/ikev1/dynamic-initiator/hosts/moon/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown +} + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/dynamic-initiator/posttest.dat b/testing/tests/ikev1/dynamic-initiator/posttest.dat index c30a35edd..32ac12ddc 100644 --- a/testing/tests/ikev1/dynamic-initiator/posttest.dat +++ b/testing/tests/ikev1/dynamic-initiator/posttest.dat @@ -2,10 +2,6 @@ dave::ipsec stop carol::ipsec stop dave::sleep 1 moon::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null -dave::/etc/init.d/iptables stop 2> /dev/null -carol::ip addr del PH_IP_CAROL1/32 dev eth0 -dave::ip addr del PH_IP_CAROL1/32 dev eth0 +carol::iptables-restore < /etc/iptables.flush dave::rm /etc/ipsec.d/certs/* dave::rm /etc/ipsec.d/private/* diff --git a/testing/tests/ikev1/dynamic-initiator/pretest.dat b/testing/tests/ikev1/dynamic-initiator/pretest.dat index 92681011f..9aadb2a4c 100644 --- a/testing/tests/ikev1/dynamic-initiator/pretest.dat +++ b/testing/tests/ikev1/dynamic-initiator/pretest.dat @@ -1,6 +1,4 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null -dave::/etc/init.d/iptables start 2> /dev/null +carol::iptables-restore < /etc/iptables.rules carol::ipsec start dave::ipsec start moon::ipsec start @@ -10,4 +8,4 @@ carol::sleep 1 carol::iptables -D INPUT -i eth0 -p udp --dport 500 --sport 500 -j ACCEPT carol::iptables -D OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT dave::ipsec up moon -dave::sleep 2 +dave::sleep 2 diff --git a/testing/tests/ikev1/dynamic-initiator/test.conf b/testing/tests/ikev1/dynamic-initiator/test.conf index 1a8f2a4e0..164b07ff9 100644 --- a/testing/tests/ikev1/dynamic-initiator/test.conf +++ b/testing/tests/ikev1/dynamic-initiator/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon carol winnetou dave" +VIRTHOSTS="alice moon carol winnetou dave" # Corresponding block diagram # DIAGRAM="a-m-c-w-d.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon alice" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev1/dynamic-responder/evaltest.dat b/testing/tests/ikev1/dynamic-responder/evaltest.dat index 391afaa42..61546f417 100644 --- a/testing/tests/ikev1/dynamic-responder/evaltest.dat +++ b/testing/tests/ikev1/dynamic-responder/evaltest.dat @@ -1,8 +1,10 @@ -carol::ipsec status::moon.*STATE_QUICK_R2.*IPsec SA established::YES -dave::ipsec status::moon.*STATE_QUICK_I2.*IPsec SA established::YES -moon::cat /var/log/auth.log::PH_IP_CAROL.*IPsec SA established::YES -moon::cat /var/log/auth.log::PH_IP_DAVE.*deleting connection.*with peer PH_IP_CAROL::YES -moon::cat /var/log/auth.log::PH_IP_DAVE.*IPsec SA established::YES -dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +carol::ipsec status 2> /dev/null::moon.*ESTABLISHED.*carol.strongswan.org.*moon.strongswan.org::YES +dave:: ipsec status 2> /dev/null::moon.*ESTABLISHED.*carol.strongswan.org.*moon.strongswan.org::YES +carol::ipsec status 2> /dev/null::moon.*INSTALLED, TUNNEL::YES +dave:: ipsec status 2> /dev/null::moon.*INSTALLED, TUNNEL::YES +moon:: cat /var/log/auth.log::IKE_SA carol\[1] established.*PH_IP_CAROL::YES +moon:: cat /var/log/daemon.log::deleting duplicate IKE_SA for.*carol@strongswan.org.*due to uniqueness policy::YES +moon:: cat /var/log/auth.log::IKE_SA carol\[2] established.*PH_IP_DAVE::YES +dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES diff --git a/testing/tests/ikev1/dynamic-responder/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/dynamic-responder/hosts/carol/etc/ipsec.conf index acf503f8e..ef0d102c0 100755..100644 --- a/testing/tests/ikev1/dynamic-responder/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/dynamic-responder/hosts/carol/etc/ipsec.conf @@ -1,10 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no conn %default ikelifetime=60m @@ -14,18 +10,12 @@ conn %default keyexchange=ikev1 conn moon - left=%defaultroute - leftnexthop=%direct - leftsourceip=PH_IP_CAROL1 + left=%any + leftsourceip=%config leftcert=carolCert.pem leftid=carol@strongswan.org leftfirewall=yes - right=moon.strongswan.org - rightallowany=yes + right=%moon.strongswan.org rightsubnet=10.1.0.0/16 rightid=@moon.strongswan.org auto=add - - - - diff --git a/testing/tests/ikev1/dynamic-responder/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/dynamic-responder/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..bad10ca43 --- /dev/null +++ b/testing/tests/ikev1/dynamic-responder/hosts/carol/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown +} + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/ipsec.conf index acf503f8e..ef0d102c0 100755..100644 --- a/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/ipsec.conf @@ -1,10 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no conn %default ikelifetime=60m @@ -14,18 +10,12 @@ conn %default keyexchange=ikev1 conn moon - left=%defaultroute - leftnexthop=%direct - leftsourceip=PH_IP_CAROL1 + left=%any + leftsourceip=%config leftcert=carolCert.pem leftid=carol@strongswan.org leftfirewall=yes - right=moon.strongswan.org - rightallowany=yes + right=%moon.strongswan.org rightsubnet=10.1.0.0/16 rightid=@moon.strongswan.org auto=add - - - - diff --git a/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..bad10ca43 --- /dev/null +++ b/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown +} + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/dynamic-responder/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/dynamic-responder/hosts/moon/etc/ipsec.conf index ee28eebf3..6ab0ea5ab 100755..100644 --- a/testing/tests/ikev1/dynamic-responder/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/dynamic-responder/hosts/moon/etc/ipsec.conf @@ -1,10 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no conn %default ikelifetime=60m @@ -12,17 +8,14 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev1 - left=%defaultroute - leftnexthop=%direct + +conn carol + left=%any leftsubnet=10.1.0.0/16 - leftsourceip=PH_IP_MOON1 leftcert=moonCert.pem leftid=@moon.strongswan.org leftfirewall=yes - -conn carol - right=carol.strongswan.org - rightallowany=yes + right=%carol.strongswan.org rightid=carol@strongswan.org - rightsubnet=PH_IP_CAROL1/32 + rightsourceip=PH_IP_CAROL1 auto=add diff --git a/testing/tests/ikev1/dynamic-responder/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/dynamic-responder/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..bad10ca43 --- /dev/null +++ b/testing/tests/ikev1/dynamic-responder/hosts/moon/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown +} + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/dynamic-responder/posttest.dat b/testing/tests/ikev1/dynamic-responder/posttest.dat index c30a35edd..32ac12ddc 100644 --- a/testing/tests/ikev1/dynamic-responder/posttest.dat +++ b/testing/tests/ikev1/dynamic-responder/posttest.dat @@ -2,10 +2,6 @@ dave::ipsec stop carol::ipsec stop dave::sleep 1 moon::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null -dave::/etc/init.d/iptables stop 2> /dev/null -carol::ip addr del PH_IP_CAROL1/32 dev eth0 -dave::ip addr del PH_IP_CAROL1/32 dev eth0 +carol::iptables-restore < /etc/iptables.flush dave::rm /etc/ipsec.d/certs/* dave::rm /etc/ipsec.d/private/* diff --git a/testing/tests/ikev1/dynamic-responder/pretest.dat b/testing/tests/ikev1/dynamic-responder/pretest.dat index c0f166ff4..8dc744f9a 100644 --- a/testing/tests/ikev1/dynamic-responder/pretest.dat +++ b/testing/tests/ikev1/dynamic-responder/pretest.dat @@ -1,6 +1,4 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null -dave::/etc/init.d/iptables start 2> /dev/null +carol::iptables-restore < /etc/iptables.rules carol::ipsec start dave::ipsec start moon::ipsec start @@ -10,4 +8,4 @@ moon::sleep 1 carol::iptables -D INPUT -i eth0 -p udp --dport 500 --sport 500 -j ACCEPT carol::iptables -D OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT dave::ipsec up moon -dave::sleep 2 +dave::sleep 2 diff --git a/testing/tests/ikev1/dynamic-responder/test.conf b/testing/tests/ikev1/dynamic-responder/test.conf index 1a8f2a4e0..164b07ff9 100644 --- a/testing/tests/ikev1/dynamic-responder/test.conf +++ b/testing/tests/ikev1/dynamic-responder/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon carol winnetou dave" +VIRTHOSTS="alice moon carol winnetou dave" # Corresponding block diagram # DIAGRAM="a-m-c-w-d.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon alice" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev1/dynamic-two-peers/evaltest.dat b/testing/tests/ikev1/dynamic-two-peers/evaltest.dat index f46a6a20b..82d2e7318 100644 --- a/testing/tests/ikev1/dynamic-two-peers/evaltest.dat +++ b/testing/tests/ikev1/dynamic-two-peers/evaltest.dat @@ -1,9 +1,13 @@ -carol::ipsec status::moon.*STATE_QUICK_I2.*IPsec SA established::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -dave::ipsec status::moon.*STATE_QUICK_I2.*IPsec SA established::YES -dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -moon::ipsec status::carol.*STATE_QUICK_R2.*IPsec SA established::YES -moon::ipsec status::dave.*STATE_QUICK_R2.*IPsec SA established::YES +carol::ipsec status 2> /dev/null::moon.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +dave:: ipsec status 2> /dev/null::moon.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::carol.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +moon:: ipsec status 2> /dev/null::dave.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES +carol::ipsec status 2> /dev/null::moon.*INSTALLED, TUNNEL::YES +dave:: ipsec status 2> /dev/null::moon.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::carol.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::dave.*INSTALLED, TUNNEL::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES diff --git a/testing/tests/ikev1/dynamic-two-peers/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/dynamic-two-peers/hosts/carol/etc/ipsec.conf index 0f37e6188..ef0d102c0 100755..100644 --- a/testing/tests/ikev1/dynamic-two-peers/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/dynamic-two-peers/hosts/carol/etc/ipsec.conf @@ -1,10 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no conn %default ikelifetime=60m @@ -14,9 +10,8 @@ conn %default keyexchange=ikev1 conn moon - left=%defaultroute - leftnexthop=%direct - leftsourceip=PH_IP_CAROL1 + left=%any + leftsourceip=%config leftcert=carolCert.pem leftid=carol@strongswan.org leftfirewall=yes @@ -24,7 +19,3 @@ conn moon rightsubnet=10.1.0.0/16 rightid=@moon.strongswan.org auto=add - - - - diff --git a/testing/tests/ikev1/dynamic-two-peers/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/dynamic-two-peers/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..bad10ca43 --- /dev/null +++ b/testing/tests/ikev1/dynamic-two-peers/hosts/carol/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown +} + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/dynamic-two-peers/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/dynamic-two-peers/hosts/dave/etc/ipsec.conf index ec35eac9a..d63566635 100755..100644 --- a/testing/tests/ikev1/dynamic-two-peers/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev1/dynamic-two-peers/hosts/dave/etc/ipsec.conf @@ -1,10 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no conn %default ikelifetime=60m @@ -14,9 +10,8 @@ conn %default keyexchange=ikev1 conn moon - left=%defaultroute - leftnexthop=%direct - leftsourceip=PH_IP_DAVE1 + left=%any + leftsourceip=%config leftcert=daveCert.pem leftid=dave@strongswan.org leftfirewall=yes @@ -24,7 +19,3 @@ conn moon rightsubnet=10.1.0.0/16 rightid=@moon.strongswan.org auto=add - - - - diff --git a/testing/tests/ikev1/dynamic-two-peers/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/dynamic-two-peers/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..bad10ca43 --- /dev/null +++ b/testing/tests/ikev1/dynamic-two-peers/hosts/dave/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown +} + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/dynamic-two-peers/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/dynamic-two-peers/hosts/moon/etc/ipsec.conf index 21848bc1c..07cd49899 100755..100644 --- a/testing/tests/ikev1/dynamic-two-peers/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/dynamic-two-peers/hosts/moon/etc/ipsec.conf @@ -1,10 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no conn %default ikelifetime=60m @@ -12,10 +8,8 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev1 - left=%defaultroute - leftnexthop=%direct + left=%any leftsubnet=10.1.0.0/16 - leftsourceip=PH_IP_MOON1 leftcert=moonCert.pem leftid=@moon.strongswan.org leftfirewall=yes @@ -23,11 +17,11 @@ conn %default conn carol right=%carol.strongswan.org rightid=carol@strongswan.org - rightsubnet=PH_IP_CAROL1/32 + rightsourceip=PH_IP_CAROL1 auto=add conn dave right=%dave.strongswan.org rightid=dave@strongswan.org - rightsubnet=PH_IP_DAVE1/32 + rightsourceip=PH_IP_DAVE1 auto=add diff --git a/testing/tests/ikev1/dynamic-two-peers/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/dynamic-two-peers/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..bad10ca43 --- /dev/null +++ b/testing/tests/ikev1/dynamic-two-peers/hosts/moon/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown +} + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/dynamic-two-peers/posttest.dat b/testing/tests/ikev1/dynamic-two-peers/posttest.dat index 65292daae..7b2609846 100644 --- a/testing/tests/ikev1/dynamic-two-peers/posttest.dat +++ b/testing/tests/ikev1/dynamic-two-peers/posttest.dat @@ -3,8 +3,6 @@ dave::ipsec stop moon::sleep 1 moon::ipsec stop moon::mv /etc/hosts.ori /etc/hosts -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null -dave::/etc/init.d/iptables stop 2> /dev/null -carol::ip addr del PH_IP_CAROL1/32 dev eth0 -dave::ip addr del PH_IP_DAVE1/32 dev eth0 +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev1/dynamic-two-peers/pretest.dat b/testing/tests/ikev1/dynamic-two-peers/pretest.dat index 6596a2527..4bb2a4686 100644 --- a/testing/tests/ikev1/dynamic-two-peers/pretest.dat +++ b/testing/tests/ikev1/dynamic-two-peers/pretest.dat @@ -1,8 +1,8 @@ moon::mv /etc/hosts /etc/hosts.ori moon::mv /etc/hosts.stale /etc/hosts -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null -dave::/etc/init.d/iptables start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules carol::ipsec start dave::ipsec start moon::ipsec start diff --git a/testing/tests/ikev1/dynamic-two-peers/test.conf b/testing/tests/ikev1/dynamic-two-peers/test.conf index 1a8f2a4e0..164b07ff9 100644 --- a/testing/tests/ikev1/dynamic-two-peers/test.conf +++ b/testing/tests/ikev1/dynamic-two-peers/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon carol winnetou dave" +VIRTHOSTS="alice moon carol winnetou dave" # Corresponding block diagram # DIAGRAM="a-m-c-w-d.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon alice" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev1/esp-ah-transport/description.txt b/testing/tests/ikev1/esp-ah-transport/description.txt deleted file mode 100644 index f8ffce6e6..000000000 --- a/testing/tests/ikev1/esp-ah-transport/description.txt +++ /dev/null @@ -1,5 +0,0 @@ -In IKE phase 2 the roadwarrior <b>carol</b> proposes to gateway <b>moon</b> -the ESP AES 128 bit encryption algorithm combined with AH HMAC_SHA1 authentication. -In order to accept the AH and ESP encapsulated plaintext packets, the iptables firewall -marks all incoming AH packets with the ESP mark. The transport mode connection is -tested by <b>carol</b> sending a ping to gateway <b>moon</b>. diff --git a/testing/tests/ikev1/esp-ah-transport/evaltest.dat b/testing/tests/ikev1/esp-ah-transport/evaltest.dat deleted file mode 100644 index 526e0d96e..000000000 --- a/testing/tests/ikev1/esp-ah-transport/evaltest.dat +++ /dev/null @@ -1,8 +0,0 @@ -carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES -moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES -carol::ipsec statusall::ESP/AH proposal: AES_CBC_128/HMAC_SHA1::YES -moon::ipsec statusall::ESP/AH proposal: AES_CBC_128/HMAC_SHA1::YES -carol::ping -c 1 -s 120 -p deadbeef PH_IP_MOON::128 bytes from PH_IP_MOON: icmp_seq=1::YES -carol::ipsec status::ah\..*ah\..*esp\..*ago.*esp\..*ago.*transport::YES -moon::ipsec status::ah\..*ah\..*esp\..*ago.*esp\..*ago.*transport::YES -moon::tcpdump::AH.*ESP::YES diff --git a/testing/tests/ikev1/esp-ah-transport/hosts/carol/etc/init.d/iptables b/testing/tests/ikev1/esp-ah-transport/hosts/carol/etc/init.d/iptables deleted file mode 100755 index 8c8817539..000000000 --- a/testing/tests/ikev1/esp-ah-transport/hosts/carol/etc/init.d/iptables +++ /dev/null @@ -1,73 +0,0 @@ -#!/sbin/runscript -# Copyright 1999-2004 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 - -opts="start stop reload" - -depend() { - before net - need logger -} - -start() { - ebegin "Starting firewall" - - # default policy is DROP - /sbin/iptables -P INPUT DROP - /sbin/iptables -P OUTPUT DROP - /sbin/iptables -P FORWARD DROP - - # allow AH - iptables -A INPUT -i eth0 -p 51 -j ACCEPT - iptables -A OUTPUT -o eth0 -p 51 -j ACCEPT - - # allow IKE - iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT - - # allow crl fetch from winnetou - iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT - iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT - - # allow ssh - iptables -A INPUT -p tcp --dport 22 -j ACCEPT - iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT - - eend $? -} - -stop() { - ebegin "Stopping firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - - if [ $a == nat ]; then - /sbin/iptables -t nat -P PREROUTING ACCEPT - /sbin/iptables -t nat -P POSTROUTING ACCEPT - /sbin/iptables -t nat -P OUTPUT ACCEPT - elif [ $a == mangle ]; then - /sbin/iptables -t mangle -P PREROUTING ACCEPT - /sbin/iptables -t mangle -P INPUT ACCEPT - /sbin/iptables -t mangle -P FORWARD ACCEPT - /sbin/iptables -t mangle -P OUTPUT ACCEPT - /sbin/iptables -t mangle -P POSTROUTING ACCEPT - elif [ $a == filter ]; then - /sbin/iptables -t filter -P INPUT ACCEPT - /sbin/iptables -t filter -P FORWARD ACCEPT - /sbin/iptables -t filter -P OUTPUT ACCEPT - fi - done - eend $? -} - -reload() { - ebegin "Flushing firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - done; - eend $? - start -} - diff --git a/testing/tests/ikev1/esp-ah-transport/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-ah-transport/hosts/carol/etc/ipsec.conf deleted file mode 100755 index 299b6a831..000000000 --- a/testing/tests/ikev1/esp-ah-transport/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,27 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - auth=ah - ike=aes128-sha - esp=aes128-sha1 - -conn home - left=PH_IP_CAROL - leftcert=carolCert.pem - leftid=carol@strongswan.org - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - type=transport - auto=add diff --git a/testing/tests/ikev1/esp-ah-transport/hosts/moon/etc/init.d/iptables b/testing/tests/ikev1/esp-ah-transport/hosts/moon/etc/init.d/iptables deleted file mode 100755 index 3e8922581..000000000 --- a/testing/tests/ikev1/esp-ah-transport/hosts/moon/etc/init.d/iptables +++ /dev/null @@ -1,76 +0,0 @@ -#!/sbin/runscript -# Copyright 1999-2004 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 - -opts="start stop reload" - -depend() { - before net - need logger -} - -start() { - ebegin "Starting firewall" - - # enable IP forwarding - echo 1 > /proc/sys/net/ipv4/ip_forward - - # default policy is DROP - /sbin/iptables -P INPUT DROP - /sbin/iptables -P OUTPUT DROP - /sbin/iptables -P FORWARD DROP - - # allow AH - iptables -A INPUT -i eth0 -p 51 -j ACCEPT - iptables -A OUTPUT -o eth0 -p 51 -j ACCEPT - - # allow IKE - iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT - - # allow crl fetch from winnetou - iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT - iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT - - # allow ssh - iptables -A INPUT -p tcp --dport 22 -j ACCEPT - iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT - - eend $? -} - -stop() { - ebegin "Stopping firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - - if [ $a == nat ]; then - /sbin/iptables -t nat -P PREROUTING ACCEPT - /sbin/iptables -t nat -P POSTROUTING ACCEPT - /sbin/iptables -t nat -P OUTPUT ACCEPT - elif [ $a == mangle ]; then - /sbin/iptables -t mangle -P PREROUTING ACCEPT - /sbin/iptables -t mangle -P INPUT ACCEPT - /sbin/iptables -t mangle -P FORWARD ACCEPT - /sbin/iptables -t mangle -P OUTPUT ACCEPT - /sbin/iptables -t mangle -P POSTROUTING ACCEPT - elif [ $a == filter ]; then - /sbin/iptables -t filter -P INPUT ACCEPT - /sbin/iptables -t filter -P FORWARD ACCEPT - /sbin/iptables -t filter -P OUTPUT ACCEPT - fi - done - eend $? -} - -reload() { - ebegin "Flushing firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - done; - eend $? - start -} - diff --git a/testing/tests/ikev1/esp-ah-transport/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-ah-transport/hosts/moon/etc/ipsec.conf deleted file mode 100755 index 45ada023f..000000000 --- a/testing/tests/ikev1/esp-ah-transport/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,27 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - auth=ah - ike=aes128-sha - esp=aes128-sha1 - -conn rw - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftfirewall=yes - right=%any - rightid=carol@strongswan.org - type=transport - auto=add diff --git a/testing/tests/ikev1/esp-ah-transport/posttest.dat b/testing/tests/ikev1/esp-ah-transport/posttest.dat deleted file mode 100644 index 94a400606..000000000 --- a/testing/tests/ikev1/esp-ah-transport/posttest.dat +++ /dev/null @@ -1,4 +0,0 @@ -moon::ipsec stop -carol::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev1/esp-ah-transport/pretest.dat b/testing/tests/ikev1/esp-ah-transport/pretest.dat deleted file mode 100644 index 4fe0ee90b..000000000 --- a/testing/tests/ikev1/esp-ah-transport/pretest.dat +++ /dev/null @@ -1,6 +0,0 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null -carol::ipsec start -moon::ipsec start -carol::sleep 2 -carol::ipsec up home diff --git a/testing/tests/ikev1/esp-ah-transport/test.conf b/testing/tests/ikev1/esp-ah-transport/test.conf deleted file mode 100644 index fd33cfb57..000000000 --- a/testing/tests/ikev1/esp-ah-transport/test.conf +++ /dev/null @@ -1,22 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# UML instances used for this test - -# All UML instances that are required for this test -# -UMLHOSTS="moon carol winnetou" - -# Corresponding block diagram -# -DIAGRAM="m-c-w.png" - -# UML instances on which tcpdump is to be started -# -TCPDUMPHOSTS="moon" - -# UML instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol" - diff --git a/testing/tests/ikev1/esp-ah-tunnel/description.txt b/testing/tests/ikev1/esp-ah-tunnel/description.txt deleted file mode 100644 index 332f8177a..000000000 --- a/testing/tests/ikev1/esp-ah-tunnel/description.txt +++ /dev/null @@ -1,6 +0,0 @@ -In IKE phase 2 the roadwarrior <b>carol</b> proposes to gateway <b>moon</b> -the ESP AES 128 bit encryption algorithm combined with AH HMAC_SHA1 authentication. -In order to accept the AH and ESP encapsulated plaintext packets, the iptables firewall -marks all incoming AH packets with the ESP mark. The tunnel mode connection is -tested by <b>carol</b> sending a ping to client <b>alice</b> hiding behind -gateway <b>moon</b>. diff --git a/testing/tests/ikev1/esp-ah-tunnel/evaltest.dat b/testing/tests/ikev1/esp-ah-tunnel/evaltest.dat deleted file mode 100644 index 5103a6318..000000000 --- a/testing/tests/ikev1/esp-ah-tunnel/evaltest.dat +++ /dev/null @@ -1,8 +0,0 @@ -carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES -moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES -carol::ipsec statusall::ESP/AH proposal: AES_CBC_128/HMAC_SHA1::YES -moon::ipsec statusall::ESP/AH proposal: AES_CBC_128/HMAC_SHA1::YES -carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES -carol::ipsec status::ah\..*ah\..*esp\..*ago.*esp\..*ago.*tunnel::YES -moon::ipsec status::ah\..*ah\..*esp\..*ago.*esp\..*ago.*tunnel::YES -moon::tcpdump::AH.*ESP::YES diff --git a/testing/tests/ikev1/esp-ah-tunnel/hosts/carol/etc/init.d/iptables b/testing/tests/ikev1/esp-ah-tunnel/hosts/carol/etc/init.d/iptables deleted file mode 100755 index 8c8817539..000000000 --- a/testing/tests/ikev1/esp-ah-tunnel/hosts/carol/etc/init.d/iptables +++ /dev/null @@ -1,73 +0,0 @@ -#!/sbin/runscript -# Copyright 1999-2004 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 - -opts="start stop reload" - -depend() { - before net - need logger -} - -start() { - ebegin "Starting firewall" - - # default policy is DROP - /sbin/iptables -P INPUT DROP - /sbin/iptables -P OUTPUT DROP - /sbin/iptables -P FORWARD DROP - - # allow AH - iptables -A INPUT -i eth0 -p 51 -j ACCEPT - iptables -A OUTPUT -o eth0 -p 51 -j ACCEPT - - # allow IKE - iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT - - # allow crl fetch from winnetou - iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT - iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT - - # allow ssh - iptables -A INPUT -p tcp --dport 22 -j ACCEPT - iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT - - eend $? -} - -stop() { - ebegin "Stopping firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - - if [ $a == nat ]; then - /sbin/iptables -t nat -P PREROUTING ACCEPT - /sbin/iptables -t nat -P POSTROUTING ACCEPT - /sbin/iptables -t nat -P OUTPUT ACCEPT - elif [ $a == mangle ]; then - /sbin/iptables -t mangle -P PREROUTING ACCEPT - /sbin/iptables -t mangle -P INPUT ACCEPT - /sbin/iptables -t mangle -P FORWARD ACCEPT - /sbin/iptables -t mangle -P OUTPUT ACCEPT - /sbin/iptables -t mangle -P POSTROUTING ACCEPT - elif [ $a == filter ]; then - /sbin/iptables -t filter -P INPUT ACCEPT - /sbin/iptables -t filter -P FORWARD ACCEPT - /sbin/iptables -t filter -P OUTPUT ACCEPT - fi - done - eend $? -} - -reload() { - ebegin "Flushing firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - done; - eend $? - start -} - diff --git a/testing/tests/ikev1/esp-ah-tunnel/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-ah-tunnel/hosts/carol/etc/ipsec.conf deleted file mode 100755 index 168e5d2a8..000000000 --- a/testing/tests/ikev1/esp-ah-tunnel/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,27 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - auth=ah - ike=aes128-sha - esp=aes128-sha1 - -conn home - left=PH_IP_CAROL - leftcert=carolCert.pem - leftid=carol@strongswan.org - leftfirewall=yes - right=PH_IP_MOON - rightsubnet=10.1.0.0/16 - rightid=@moon.strongswan.org - auto=add diff --git a/testing/tests/ikev1/esp-ah-tunnel/hosts/moon/etc/init.d/iptables b/testing/tests/ikev1/esp-ah-tunnel/hosts/moon/etc/init.d/iptables deleted file mode 100755 index 3e8922581..000000000 --- a/testing/tests/ikev1/esp-ah-tunnel/hosts/moon/etc/init.d/iptables +++ /dev/null @@ -1,76 +0,0 @@ -#!/sbin/runscript -# Copyright 1999-2004 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 - -opts="start stop reload" - -depend() { - before net - need logger -} - -start() { - ebegin "Starting firewall" - - # enable IP forwarding - echo 1 > /proc/sys/net/ipv4/ip_forward - - # default policy is DROP - /sbin/iptables -P INPUT DROP - /sbin/iptables -P OUTPUT DROP - /sbin/iptables -P FORWARD DROP - - # allow AH - iptables -A INPUT -i eth0 -p 51 -j ACCEPT - iptables -A OUTPUT -o eth0 -p 51 -j ACCEPT - - # allow IKE - iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT - - # allow crl fetch from winnetou - iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT - iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT - - # allow ssh - iptables -A INPUT -p tcp --dport 22 -j ACCEPT - iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT - - eend $? -} - -stop() { - ebegin "Stopping firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - - if [ $a == nat ]; then - /sbin/iptables -t nat -P PREROUTING ACCEPT - /sbin/iptables -t nat -P POSTROUTING ACCEPT - /sbin/iptables -t nat -P OUTPUT ACCEPT - elif [ $a == mangle ]; then - /sbin/iptables -t mangle -P PREROUTING ACCEPT - /sbin/iptables -t mangle -P INPUT ACCEPT - /sbin/iptables -t mangle -P FORWARD ACCEPT - /sbin/iptables -t mangle -P OUTPUT ACCEPT - /sbin/iptables -t mangle -P POSTROUTING ACCEPT - elif [ $a == filter ]; then - /sbin/iptables -t filter -P INPUT ACCEPT - /sbin/iptables -t filter -P FORWARD ACCEPT - /sbin/iptables -t filter -P OUTPUT ACCEPT - fi - done - eend $? -} - -reload() { - ebegin "Flushing firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - done; - eend $? - start -} - diff --git a/testing/tests/ikev1/esp-ah-tunnel/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-ah-tunnel/hosts/moon/etc/ipsec.conf deleted file mode 100755 index b89d8e861..000000000 --- a/testing/tests/ikev1/esp-ah-tunnel/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,27 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - auth=ah - ike=aes128-sha - esp=aes128-sha1 - -conn rw - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=10.1.0.0/16 - leftfirewall=yes - right=%any - rightid=carol@strongswan.org - auto=add diff --git a/testing/tests/ikev1/esp-ah-tunnel/posttest.dat b/testing/tests/ikev1/esp-ah-tunnel/posttest.dat deleted file mode 100644 index 94a400606..000000000 --- a/testing/tests/ikev1/esp-ah-tunnel/posttest.dat +++ /dev/null @@ -1,4 +0,0 @@ -moon::ipsec stop -carol::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev1/esp-ah-tunnel/pretest.dat b/testing/tests/ikev1/esp-ah-tunnel/pretest.dat deleted file mode 100644 index 49973a7a5..000000000 --- a/testing/tests/ikev1/esp-ah-tunnel/pretest.dat +++ /dev/null @@ -1,6 +0,0 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null -carol::ipsec start -moon::ipsec start -carol::sleep 2 -carol::ipsec up home diff --git a/testing/tests/ikev1/esp-ah-tunnel/test.conf b/testing/tests/ikev1/esp-ah-tunnel/test.conf deleted file mode 100644 index 6abbb89a9..000000000 --- a/testing/tests/ikev1/esp-ah-tunnel/test.conf +++ /dev/null @@ -1,22 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# UML instances used for this test - -# All UML instances that are required for this test -# -UMLHOSTS="alice moon carol winnetou" - -# Corresponding block diagram -# -DIAGRAM="a-m-c-w.png" - -# UML instances on which tcpdump is to be started -# -TCPDUMPHOSTS="moon" - -# UML instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol" - diff --git a/testing/tests/ikev1/esp-alg-aes-ccm/evaltest.dat b/testing/tests/ikev1/esp-alg-aes-ccm/evaltest.dat index 9c17ae903..648920105 100644 --- a/testing/tests/ikev1/esp-alg-aes-ccm/evaltest.dat +++ b/testing/tests/ikev1/esp-alg-aes-ccm/evaltest.dat @@ -1,9 +1,11 @@ -carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES -moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES -carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES -moon::ipsec statusall::AES_CCM_12_128::YES -carol::ipsec statusall::AES_CCM_12_128::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES +carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES +moon:: ipsec statusall 2> /dev/null::AES_CCM_12_128::YES +carol::ipsec statusall 2> /dev/null::AES_CCM_12_128::YES carol::ip xfrm state::aead rfc4309(ccm(aes))::YES -moon::ip xfrm state::aead rfc4309(ccm(aes))::YES +moon:: ip xfrm state::aead rfc4309(ccm(aes))::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 180::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 180::YES diff --git a/testing/tests/ikev1/esp-alg-aes-ccm/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aes-ccm/hosts/carol/etc/ipsec.conf index f8baa00e1..1cef8f8c5 100755..100644 --- a/testing/tests/ikev1/esp-alg-aes-ccm/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/esp-alg-aes-ccm/hosts/carol/etc/ipsec.conf @@ -1,10 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutodebug="control crypt" - charonstart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev1/esp-alg-aes-ccm/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/esp-alg-aes-ccm/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..d70d7b989 --- /dev/null +++ b/testing/tests/ikev1/esp-alg-aes-ccm/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc ccm stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ikev1/esp-alg-aes-ccm/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aes-ccm/hosts/moon/etc/ipsec.conf index d4f0c3adc..72163aeec 100755..100644 --- a/testing/tests/ikev1/esp-alg-aes-ccm/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/esp-alg-aes-ccm/hosts/moon/etc/ipsec.conf @@ -1,10 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutodebug="control crypt" - charonstart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev1/esp-alg-aes-ccm/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/esp-alg-aes-ccm/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..d70d7b989 --- /dev/null +++ b/testing/tests/ikev1/esp-alg-aes-ccm/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc ccm stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ikev1/esp-alg-aes-ccm/posttest.dat b/testing/tests/ikev1/esp-alg-aes-ccm/posttest.dat index 94a400606..046d4cfdc 100644 --- a/testing/tests/ikev1/esp-alg-aes-ccm/posttest.dat +++ b/testing/tests/ikev1/esp-alg-aes-ccm/posttest.dat @@ -1,4 +1,4 @@ moon::ipsec stop carol::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev1/esp-alg-aes-ccm/pretest.dat b/testing/tests/ikev1/esp-alg-aes-ccm/pretest.dat index f360351e1..4fc25772b 100644 --- a/testing/tests/ikev1/esp-alg-aes-ccm/pretest.dat +++ b/testing/tests/ikev1/esp-alg-aes-ccm/pretest.dat @@ -1,5 +1,5 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start carol::sleep 1 diff --git a/testing/tests/ikev1/esp-alg-aes-ccm/test.conf b/testing/tests/ikev1/esp-alg-aes-ccm/test.conf index 9cd583b16..4a5fc470f 100644 --- a/testing/tests/ikev1/esp-alg-aes-ccm/test.conf +++ b/testing/tests/ikev1/esp-alg-aes-ccm/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon carol winnetou" +VIRTHOSTS="alice moon carol winnetou" # Corresponding block diagram # DIAGRAM="a-m-c-w.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev1/esp-alg-aes-ctr/evaltest.dat b/testing/tests/ikev1/esp-alg-aes-ctr/evaltest.dat index c7992fbe4..c86f58081 100644 --- a/testing/tests/ikev1/esp-alg-aes-ctr/evaltest.dat +++ b/testing/tests/ikev1/esp-alg-aes-ctr/evaltest.dat @@ -1,9 +1,11 @@ -carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES -moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES -carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES -moon::ipsec statusall::AES_CTR_256/AES_XCBC_96::YES -carol::ipsec statusall::AES_CTR_256/AES_XCBC_96::YES -moon::ip xfrm state::rfc3686(ctr(aes))::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES +carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES +moon:: ipsec statusall 2> /dev/null::AES_CTR_256/AES_XCBC_96::YES +carol::ipsec statusall 2> /dev/null::AES_CTR_256/AES_XCBC_96::YES +moon:: ip xfrm state::rfc3686(ctr(aes))::YES carol::ip xfrm state::rfc3686(ctr(aes))::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 180::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 180::YES diff --git a/testing/tests/ikev1/esp-alg-aes-ctr/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aes-ctr/hosts/carol/etc/ipsec.conf index acb4126cf..08ff7dab2 100755..100644 --- a/testing/tests/ikev1/esp-alg-aes-ctr/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/esp-alg-aes-ctr/hosts/carol/etc/ipsec.conf @@ -1,10 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutodebug="control crypt" - charonstart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev1/esp-alg-aes-ctr/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/esp-alg-aes-ctr/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..e607bbae7 --- /dev/null +++ b/testing/tests/ikev1/esp-alg-aes-ctr/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc ctr stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ikev1/esp-alg-aes-ctr/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aes-ctr/hosts/moon/etc/ipsec.conf index b5baa2b5d..f712ed86d 100755..100644 --- a/testing/tests/ikev1/esp-alg-aes-ctr/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/esp-alg-aes-ctr/hosts/moon/etc/ipsec.conf @@ -1,10 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutodebug="control crypt" - charonstart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev1/esp-alg-aes-ctr/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/esp-alg-aes-ctr/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..e607bbae7 --- /dev/null +++ b/testing/tests/ikev1/esp-alg-aes-ctr/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc ctr stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ikev1/esp-alg-aes-ctr/posttest.dat b/testing/tests/ikev1/esp-alg-aes-ctr/posttest.dat index 94a400606..046d4cfdc 100644 --- a/testing/tests/ikev1/esp-alg-aes-ctr/posttest.dat +++ b/testing/tests/ikev1/esp-alg-aes-ctr/posttest.dat @@ -1,4 +1,4 @@ moon::ipsec stop carol::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev1/esp-alg-aes-ctr/pretest.dat b/testing/tests/ikev1/esp-alg-aes-ctr/pretest.dat index f360351e1..4fc25772b 100644 --- a/testing/tests/ikev1/esp-alg-aes-ctr/pretest.dat +++ b/testing/tests/ikev1/esp-alg-aes-ctr/pretest.dat @@ -1,5 +1,5 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start carol::sleep 1 diff --git a/testing/tests/ikev1/esp-alg-aes-ctr/test.conf b/testing/tests/ikev1/esp-alg-aes-ctr/test.conf index 9cd583b16..4a5fc470f 100644 --- a/testing/tests/ikev1/esp-alg-aes-ctr/test.conf +++ b/testing/tests/ikev1/esp-alg-aes-ctr/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon carol winnetou" +VIRTHOSTS="alice moon carol winnetou" # Corresponding block diagram # DIAGRAM="a-m-c-w.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev1/esp-alg-aes-gcm/evaltest.dat b/testing/tests/ikev1/esp-alg-aes-gcm/evaltest.dat index da5d7c604..a7f52c72e 100644 --- a/testing/tests/ikev1/esp-alg-aes-gcm/evaltest.dat +++ b/testing/tests/ikev1/esp-alg-aes-gcm/evaltest.dat @@ -1,9 +1,11 @@ -carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES -moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES -carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES -moon::ipsec statusall::AES_GCM_16_256::YES -carol::ipsec statusall::AES_GCM_16_256::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES +carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES +moon:: ipsec statusall 2> /dev/null::AES_GCM_16_256::YES +carol::ipsec statusall 2> /dev/null::AES_GCM_16_256::YES carol::ip xfrm state::aead rfc4106(gcm(aes))::YES -moon::ip xfrm state::aead rfc4106(gcm(aes))::YES +moon:: ip xfrm state::aead rfc4106(gcm(aes))::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 184::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 184::YES diff --git a/testing/tests/ikev1/esp-alg-aes-gcm/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aes-gcm/hosts/carol/etc/ipsec.conf index 5026e0d9e..125ce919e 100755..100644 --- a/testing/tests/ikev1/esp-alg-aes-gcm/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/esp-alg-aes-gcm/hosts/carol/etc/ipsec.conf @@ -1,10 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutodebug="control crypt" - charonstart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev1/esp-alg-aes-gcm/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/esp-alg-aes-gcm/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..e063e446a --- /dev/null +++ b/testing/tests/ikev1/esp-alg-aes-gcm/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc gcm stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ikev1/esp-alg-aes-gcm/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aes-gcm/hosts/moon/etc/ipsec.conf index 5fa07962e..b5821cd07 100755..100644 --- a/testing/tests/ikev1/esp-alg-aes-gcm/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/esp-alg-aes-gcm/hosts/moon/etc/ipsec.conf @@ -1,10 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutodebug="control crypt" - charonstart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev1/esp-alg-aes-gcm/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/esp-alg-aes-gcm/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..e063e446a --- /dev/null +++ b/testing/tests/ikev1/esp-alg-aes-gcm/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc gcm stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ikev1/esp-alg-aes-gcm/posttest.dat b/testing/tests/ikev1/esp-alg-aes-gcm/posttest.dat index 94a400606..046d4cfdc 100644 --- a/testing/tests/ikev1/esp-alg-aes-gcm/posttest.dat +++ b/testing/tests/ikev1/esp-alg-aes-gcm/posttest.dat @@ -1,4 +1,4 @@ moon::ipsec stop carol::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev1/esp-alg-aes-gcm/pretest.dat b/testing/tests/ikev1/esp-alg-aes-gcm/pretest.dat index f360351e1..4fc25772b 100644 --- a/testing/tests/ikev1/esp-alg-aes-gcm/pretest.dat +++ b/testing/tests/ikev1/esp-alg-aes-gcm/pretest.dat @@ -1,5 +1,5 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start carol::sleep 1 diff --git a/testing/tests/ikev1/esp-alg-aes-gcm/test.conf b/testing/tests/ikev1/esp-alg-aes-gcm/test.conf index 9cd583b16..4a5fc470f 100644 --- a/testing/tests/ikev1/esp-alg-aes-gcm/test.conf +++ b/testing/tests/ikev1/esp-alg-aes-gcm/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon carol winnetou" +VIRTHOSTS="alice moon carol winnetou" # Corresponding block diagram # DIAGRAM="a-m-c-w.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev1/esp-alg-aes-gmac/description.txt b/testing/tests/ikev1/esp-alg-aes-gmac/description.txt index bc9b7c760..823ec253d 100644 --- a/testing/tests/ikev1/esp-alg-aes-gmac/description.txt +++ b/testing/tests/ikev1/esp-alg-aes-gmac/description.txt @@ -1,4 +1,4 @@ Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the authentication-only -ESP cipher suite <b>NULL_AES_GMAC_256</b> by defining <b>esp=aes256gmac!</b> +ESP cipher suite <b>NULL_AES_GMAC_256</b> by defining <b>esp=aes256gmac-modp2048!</b> in ipsec.conf. A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel. diff --git a/testing/tests/ikev1/esp-alg-aes-gmac/evaltest.dat b/testing/tests/ikev1/esp-alg-aes-gmac/evaltest.dat index 4678155ee..d5d3bc0d3 100644 --- a/testing/tests/ikev1/esp-alg-aes-gmac/evaltest.dat +++ b/testing/tests/ikev1/esp-alg-aes-gmac/evaltest.dat @@ -1,9 +1,11 @@ -moon::ipsec statusall::rw.*IPsec SA established::YES -carol::ipsec statusall::home.*IPsec SA established::YES -carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES -moon::ipsec statusall::ESP proposal: AES_GMAC_256::YES -carol::ipsec statusall::ESP proposal: AES_GMAC_256::YES +moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES +moon:: ipsec statusall 2> /dev/null::NULL_AES_GMAC_256::YES +carol::ipsec statusall 2> /dev/null::NULL_AES_GMAC_256::YES carol::ip xfrm state::aead rfc4543(gcm(aes))::YES -moon::ip xfrm state::aead rfc4543(gcm(aes))::YES +moon:: ip xfrm state::aead rfc4543(gcm(aes))::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 184::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 184::YES diff --git a/testing/tests/ikev1/esp-alg-aes-gmac/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aes-gmac/hosts/carol/etc/ipsec.conf index 69ef8d49d..5ad63657b 100755..100644 --- a/testing/tests/ikev1/esp-alg-aes-gmac/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/esp-alg-aes-gmac/hosts/carol/etc/ipsec.conf @@ -1,10 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - plutodebug=control conn %default ikelifetime=60m @@ -12,8 +8,8 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev1 - ike=aes256-sha384-modp2048! - esp=aes256gmac! + ike=aes256-sha256-modp2048! + esp=aes256gmac-modp2048! conn home left=PH_IP_CAROL diff --git a/testing/tests/ikev1/esp-alg-aes-gmac/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/esp-alg-aes-gmac/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..dc937641c --- /dev/null +++ b/testing/tests/ikev1/esp-alg-aes-gmac/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ikev1/esp-alg-aes-gmac/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aes-gmac/hosts/moon/etc/ipsec.conf index 41a583763..fba69aba3 100755..100644 --- a/testing/tests/ikev1/esp-alg-aes-gmac/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/esp-alg-aes-gmac/hosts/moon/etc/ipsec.conf @@ -1,10 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - plutodebug=control conn %default ikelifetime=60m @@ -12,8 +8,8 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev1 - ike=aes256-sha384-modp2048! - esp=aes256gmac! + ike=aes256-sha256-modp2048! + esp=aes256gmac-modp2048! conn rw left=PH_IP_MOON diff --git a/testing/tests/ikev1/esp-alg-aes-gmac/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/esp-alg-aes-gmac/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..dc937641c --- /dev/null +++ b/testing/tests/ikev1/esp-alg-aes-gmac/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ikev1/esp-alg-aes-gmac/posttest.dat b/testing/tests/ikev1/esp-alg-aes-gmac/posttest.dat index 94a400606..046d4cfdc 100644 --- a/testing/tests/ikev1/esp-alg-aes-gmac/posttest.dat +++ b/testing/tests/ikev1/esp-alg-aes-gmac/posttest.dat @@ -1,4 +1,4 @@ moon::ipsec stop carol::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev1/esp-alg-aes-gmac/pretest.dat b/testing/tests/ikev1/esp-alg-aes-gmac/pretest.dat index f360351e1..4fc25772b 100644 --- a/testing/tests/ikev1/esp-alg-aes-gmac/pretest.dat +++ b/testing/tests/ikev1/esp-alg-aes-gmac/pretest.dat @@ -1,5 +1,5 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start carol::sleep 1 diff --git a/testing/tests/ikev1/esp-alg-aes-gmac/test.conf b/testing/tests/ikev1/esp-alg-aes-gmac/test.conf index 9cd583b16..4a5fc470f 100644 --- a/testing/tests/ikev1/esp-alg-aes-gmac/test.conf +++ b/testing/tests/ikev1/esp-alg-aes-gmac/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon carol winnetou" +VIRTHOSTS="alice moon carol winnetou" # Corresponding block diagram # DIAGRAM="a-m-c-w.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev1/esp-alg-aesxcbc/description.txt b/testing/tests/ikev1/esp-alg-aes-xcbc/description.txt index 0c39352d9..0c39352d9 100644 --- a/testing/tests/ikev1/esp-alg-aesxcbc/description.txt +++ b/testing/tests/ikev1/esp-alg-aes-xcbc/description.txt diff --git a/testing/tests/ikev1/esp-alg-aes-xcbc/evaltest.dat b/testing/tests/ikev1/esp-alg-aes-xcbc/evaltest.dat new file mode 100644 index 000000000..b466813fe --- /dev/null +++ b/testing/tests/ikev1/esp-alg-aes-xcbc/evaltest.dat @@ -0,0 +1,11 @@ +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES +carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES +carol::ipsec statusall 2> /dev/null::AES_CBC_256/AES_XCBC_96,::YES +moon:: ipsec statusall 2> /dev/null::AES_CBC_256/AES_XCBC_96,::YES +carol::ip xfrm state::auth-trunc xcbc(aes)::YES +moon:: ip xfrm state::auth-trunc xcbc(aes)::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 196::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 196::YES diff --git a/testing/tests/ikev1/crl-strict/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aes-xcbc/hosts/carol/etc/ipsec.conf index b4bc2101c..94eb96f38 100755..100644 --- a/testing/tests/ikev1/crl-strict/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/esp-alg-aes-xcbc/hosts/carol/etc/ipsec.conf @@ -1,10 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=yes - charonstart=no conn %default ikelifetime=60m @@ -12,11 +8,13 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev1 + ike=aes256-sha256-modp2048! + esp=aes256-aesxcbc! + +conn home left=PH_IP_CAROL leftcert=carolCert.pem leftid=carol@strongswan.org - -conn home right=PH_IP_MOON rightsubnet=10.1.0.0/16 rightid=@moon.strongswan.org diff --git a/testing/tests/ikev1/esp-alg-aes-xcbc/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/esp-alg-aes-xcbc/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..dc937641c --- /dev/null +++ b/testing/tests/ikev1/esp-alg-aes-xcbc/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ikev1/esp-alg-weak/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aes-xcbc/hosts/moon/etc/ipsec.conf index e5fed2f06..dbc468571 100755..100644 --- a/testing/tests/ikev1/esp-alg-weak/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/esp-alg-aes-xcbc/hosts/moon/etc/ipsec.conf @@ -1,10 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug="control crypt" - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no conn %default ikelifetime=60m @@ -12,6 +8,8 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev1 + ike=aes256-sha256-modp2048! + esp=aes256-aesxcbc! conn rw left=PH_IP_MOON diff --git a/testing/tests/ikev1/esp-alg-aes-xcbc/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/esp-alg-aes-xcbc/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..dc937641c --- /dev/null +++ b/testing/tests/ikev1/esp-alg-aes-xcbc/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ikev1/alg-sha256-96/posttest.dat b/testing/tests/ikev1/esp-alg-aes-xcbc/posttest.dat index c6d6235f9..c6d6235f9 100644 --- a/testing/tests/ikev1/alg-sha256-96/posttest.dat +++ b/testing/tests/ikev1/esp-alg-aes-xcbc/posttest.dat diff --git a/testing/tests/ikev1/esp-alg-strict-fail/pretest.dat b/testing/tests/ikev1/esp-alg-aes-xcbc/pretest.dat index f5aa989fe..f5aa989fe 100644 --- a/testing/tests/ikev1/esp-alg-strict-fail/pretest.dat +++ b/testing/tests/ikev1/esp-alg-aes-xcbc/pretest.dat diff --git a/testing/tests/ikev1/esp-alg-aes-xcbc/test.conf b/testing/tests/ikev1/esp-alg-aes-xcbc/test.conf new file mode 100644 index 000000000..d7b71426c --- /dev/null +++ b/testing/tests/ikev1/esp-alg-aes-xcbc/test.conf @@ -0,0 +1,22 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" + diff --git a/testing/tests/ikev1/esp-alg-aesxcbc/evaltest.dat b/testing/tests/ikev1/esp-alg-aesxcbc/evaltest.dat deleted file mode 100644 index 5cee96b08..000000000 --- a/testing/tests/ikev1/esp-alg-aesxcbc/evaltest.dat +++ /dev/null @@ -1,10 +0,0 @@ -carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES -moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES -carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES -carol::ipsec statusall::ESP proposal: AES_CBC_256/AES_XCBC_96::YES -moon::ipsec statusall::ESP proposal: AES_CBC_256/AES_XCBC_96::YES -carol::ip xfrm state::auth xcbc(aes)::YES -moon::ip xfrm state::auth xcbc(aes)::YES -moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 196::YES -moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 196::YES - diff --git a/testing/tests/ikev1/esp-alg-aesxcbc/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aesxcbc/hosts/carol/etc/ipsec.conf deleted file mode 100755 index 75ce0fbbe..000000000 --- a/testing/tests/ikev1/esp-alg-aesxcbc/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,25 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - ike=aes256-sha2_256-modp2048! - esp=aes256-aesxcbc! - -conn home - left=PH_IP_CAROL - leftcert=carolCert.pem - leftid=carol@strongswan.org - right=PH_IP_MOON - rightsubnet=10.1.0.0/16 - rightid=@moon.strongswan.org - auto=add diff --git a/testing/tests/ikev1/esp-alg-aesxcbc/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aesxcbc/hosts/moon/etc/ipsec.conf deleted file mode 100755 index c2e0a6dde..000000000 --- a/testing/tests/ikev1/esp-alg-aesxcbc/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,25 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - ike=aes256-sha2_256-modp2048! - esp=aes256-aesxcbc! - -conn rw - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=10.1.0.0/16 - right=%any - rightid=carol@strongswan.org - auto=add diff --git a/testing/tests/ikev1/esp-alg-aesxcbc/posttest.dat b/testing/tests/ikev1/esp-alg-aesxcbc/posttest.dat deleted file mode 100644 index c6d6235f9..000000000 --- a/testing/tests/ikev1/esp-alg-aesxcbc/posttest.dat +++ /dev/null @@ -1,2 +0,0 @@ -moon::ipsec stop -carol::ipsec stop diff --git a/testing/tests/ikev1/esp-alg-aesxcbc/pretest.dat b/testing/tests/ikev1/esp-alg-aesxcbc/pretest.dat deleted file mode 100644 index 7d077c126..000000000 --- a/testing/tests/ikev1/esp-alg-aesxcbc/pretest.dat +++ /dev/null @@ -1,5 +0,0 @@ -moon::echo 1 > /proc/sys/net/ipv4/ip_forward -carol::ipsec start -moon::ipsec start -carol::sleep 2 -carol::ipsec up home diff --git a/testing/tests/ikev1/esp-alg-aesxcbc/test.conf b/testing/tests/ikev1/esp-alg-aesxcbc/test.conf deleted file mode 100644 index 6abbb89a9..000000000 --- a/testing/tests/ikev1/esp-alg-aesxcbc/test.conf +++ /dev/null @@ -1,22 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# UML instances used for this test - -# All UML instances that are required for this test -# -UMLHOSTS="alice moon carol winnetou" - -# Corresponding block diagram -# -DIAGRAM="a-m-c-w.png" - -# UML instances on which tcpdump is to be started -# -TCPDUMPHOSTS="moon" - -# UML instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol" - diff --git a/testing/tests/ikev1/esp-alg-des/description.txt b/testing/tests/ikev1/esp-alg-des/description.txt deleted file mode 100644 index 9546569dd..000000000 --- a/testing/tests/ikev1/esp-alg-des/description.txt +++ /dev/null @@ -1,5 +0,0 @@ -In IKE phase 2 the roadwarrior <b>carol</b> proposes to gateway <b>moon</b> -the ESP 1DES encryption algorithm with MD5 authentication. <b>moon</b> must -explicitly accept the choice of this insecure algorithm by setting the strict -flag '!' in <b>esp=des-md5!</b>. The tunnel is tested by <b>carol</b> -sending a ping to client <b>alice</b> behind gateway <b>moon</b>. diff --git a/testing/tests/ikev1/esp-alg-des/evaltest.dat b/testing/tests/ikev1/esp-alg-des/evaltest.dat deleted file mode 100644 index 8e42707a2..000000000 --- a/testing/tests/ikev1/esp-alg-des/evaltest.dat +++ /dev/null @@ -1,9 +0,0 @@ -carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES -moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES -carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES -moon::ipsec statusall::ESP proposal: DES_CBC/HMAC_MD5::YES -carol::ipsec statusall::ESP proposal: DES_CBC/HMAC_MD5::YES -moon::ip xfrm state::enc cbc(des)::YES -carol::ip xfrm state::enc cbc(des)::YES -moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 180::YES -moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 180::YES diff --git a/testing/tests/ikev1/esp-alg-des/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-des/hosts/carol/etc/ipsec.conf deleted file mode 100755 index a5715a7f1..000000000 --- a/testing/tests/ikev1/esp-alg-des/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,25 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug="control crypt" - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - ike=3des-md5-modp1024! - esp=des-md5! - -conn home - left=PH_IP_CAROL - leftcert=carolCert.pem - leftid=carol@strongswan.org - right=PH_IP_MOON - rightsubnet=10.1.0.0/16 - rightid=@moon.strongswan.org - auto=add diff --git a/testing/tests/ikev1/esp-alg-des/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-des/hosts/moon/etc/ipsec.conf deleted file mode 100755 index 0329a533d..000000000 --- a/testing/tests/ikev1/esp-alg-des/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,25 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug="control crypt" - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - ike=3des-md5-modp1024! - esp=des-md5! - -conn rw - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=10.1.0.0/16 - right=%any - rightid=carol@strongswan.org - auto=add diff --git a/testing/tests/ikev1/esp-alg-des/posttest.dat b/testing/tests/ikev1/esp-alg-des/posttest.dat deleted file mode 100644 index c6d6235f9..000000000 --- a/testing/tests/ikev1/esp-alg-des/posttest.dat +++ /dev/null @@ -1,2 +0,0 @@ -moon::ipsec stop -carol::ipsec stop diff --git a/testing/tests/ikev1/esp-alg-des/pretest.dat b/testing/tests/ikev1/esp-alg-des/pretest.dat deleted file mode 100644 index 7d077c126..000000000 --- a/testing/tests/ikev1/esp-alg-des/pretest.dat +++ /dev/null @@ -1,5 +0,0 @@ -moon::echo 1 > /proc/sys/net/ipv4/ip_forward -carol::ipsec start -moon::ipsec start -carol::sleep 2 -carol::ipsec up home diff --git a/testing/tests/ikev1/esp-alg-des/test.conf b/testing/tests/ikev1/esp-alg-des/test.conf deleted file mode 100644 index 6abbb89a9..000000000 --- a/testing/tests/ikev1/esp-alg-des/test.conf +++ /dev/null @@ -1,22 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# UML instances used for this test - -# All UML instances that are required for this test -# -UMLHOSTS="alice moon carol winnetou" - -# Corresponding block diagram -# -DIAGRAM="a-m-c-w.png" - -# UML instances on which tcpdump is to be started -# -TCPDUMPHOSTS="moon" - -# UML instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol" - diff --git a/testing/tests/ikev1/esp-alg-null/description.txt b/testing/tests/ikev1/esp-alg-null/description.txt index 7880a799c..8fd203098 100644 --- a/testing/tests/ikev1/esp-alg-null/description.txt +++ b/testing/tests/ikev1/esp-alg-null/description.txt @@ -1,5 +1,3 @@ -In IKE phase 2 the roadwarrior <b>carol</b> proposes to gateway <b>moon</b> -the ESP NULL encryption algorithm with SHA-1 authentication. <b>moon</b> must -explicitly accept the choice of this insecure algorithm by setting the strict -flag '!' in <b>esp=null-sha1!</b>. The tunnel is tested by <b>carol</b> -sending a ping to client <b>alice</b> behind gateway <b>moon</b>. +Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite +<b>NULL / HMAC_SHA1_96</b> by defining <b>esp=null-sha1</b> in ipsec.conf. +A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel. diff --git a/testing/tests/ikev1/esp-alg-null/evaltest.dat b/testing/tests/ikev1/esp-alg-null/evaltest.dat index a259e6d09..1b9c6c27e 100644 --- a/testing/tests/ikev1/esp-alg-null/evaltest.dat +++ b/testing/tests/ikev1/esp-alg-null/evaltest.dat @@ -1,9 +1,11 @@ -carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES -moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES -carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES -moon::ipsec statusall::ESP proposal::NULL/HMAC_SHA1::YES -carol::ipsec statusall::ESP proposal::NULL/HMAC_SHA1::YES -moon::ip xfrm state::enc ecb(cipher_null)::YES +moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES +moon:: ipsec statusall 2> /dev/null::NULL/HMAC_SHA1_96::YES +carol::ipsec statusall 2> /dev/null::NULL/HMAC_SHA1_96::YES +moon:: ip xfrm state::enc ecb(cipher_null)::YES carol::ip xfrm state::enc ecb(cipher_null)::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 172::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 172::YES diff --git a/testing/tests/ikev1/esp-alg-null/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-null/hosts/carol/etc/ipsec.conf index fe76579ac..cd93d795f 100755..100644 --- a/testing/tests/ikev1/esp-alg-null/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/esp-alg-null/hosts/carol/etc/ipsec.conf @@ -1,10 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no conn %default ikelifetime=60m @@ -12,14 +8,15 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev1 - ike=aes-sha1 + ike=aes128-sha1-modp2048! esp=null-sha1! conn home left=PH_IP_CAROL + leftfirewall=yes leftcert=carolCert.pem leftid=carol@strongswan.org right=PH_IP_MOON rightsubnet=10.1.0.0/16 rightid=@moon.strongswan.org - auto=add + auto=add diff --git a/testing/tests/ikev1/esp-alg-null/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/esp-alg-null/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..dc937641c --- /dev/null +++ b/testing/tests/ikev1/esp-alg-null/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ikev1/esp-alg-null/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-null/hosts/moon/etc/ipsec.conf index b768b8ee4..2e9b8de65 100755..100644 --- a/testing/tests/ikev1/esp-alg-null/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/esp-alg-null/hosts/moon/etc/ipsec.conf @@ -1,10 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no conn %default ikelifetime=60m @@ -12,14 +8,14 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev1 - ike=aes-sha1! + ike=aes128-sha1-modp2048! esp=null-sha1! conn rw left=PH_IP_MOON + leftfirewall=yes leftcert=moonCert.pem leftid=@moon.strongswan.org leftsubnet=10.1.0.0/16 right=%any - rightid=carol@strongswan.org auto=add diff --git a/testing/tests/ikev1/esp-alg-null/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/esp-alg-null/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..dc937641c --- /dev/null +++ b/testing/tests/ikev1/esp-alg-null/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ikev1/esp-alg-null/posttest.dat b/testing/tests/ikev1/esp-alg-null/posttest.dat index c6d6235f9..046d4cfdc 100644 --- a/testing/tests/ikev1/esp-alg-null/posttest.dat +++ b/testing/tests/ikev1/esp-alg-null/posttest.dat @@ -1,2 +1,4 @@ moon::ipsec stop carol::ipsec stop +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev1/esp-alg-null/pretest.dat b/testing/tests/ikev1/esp-alg-null/pretest.dat index 7d077c126..886fdf55c 100644 --- a/testing/tests/ikev1/esp-alg-null/pretest.dat +++ b/testing/tests/ikev1/esp-alg-null/pretest.dat @@ -1,5 +1,7 @@ -moon::echo 1 > /proc/sys/net/ipv4/ip_forward -carol::ipsec start +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules moon::ipsec start -carol::sleep 2 +carol::ipsec start +carol::sleep 1 carol::ipsec up home +carol::sleep 1 diff --git a/testing/tests/ikev1/esp-alg-null/test.conf b/testing/tests/ikev1/esp-alg-null/test.conf index 6abbb89a9..4a5fc470f 100644 --- a/testing/tests/ikev1/esp-alg-null/test.conf +++ b/testing/tests/ikev1/esp-alg-null/test.conf @@ -1,22 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon carol winnetou" +VIRTHOSTS="alice moon carol winnetou" # Corresponding block diagram # DIAGRAM="a-m-c-w.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol" - diff --git a/testing/tests/ikev1/esp-alg-strict-fail/description.txt b/testing/tests/ikev1/esp-alg-strict-fail/description.txt deleted file mode 100644 index 252080e80..000000000 --- a/testing/tests/ikev1/esp-alg-strict-fail/description.txt +++ /dev/null @@ -1,5 +0,0 @@ -The roadwarrior <b>carol</b> proposes <b>3DES_CBC</b> encryption with HMAC_SHA1 authentication -as the only cipher suite for both the ISAKMP and IPsec SA. The gateway <b>moon</b> defines -<b>ike=aes128-sha1</b> only, but will accept any other support algorithm proposed by the peer, -leading to a successful negotiation of Phase 1. Because for Phase 2 <b>moon</b> enforces -<b>esp=aes128-sha1!</b> by using the strict flag '!', the ISAKMP SA will fail. diff --git a/testing/tests/ikev1/esp-alg-strict-fail/evaltest.dat b/testing/tests/ikev1/esp-alg-strict-fail/evaltest.dat deleted file mode 100644 index 83d99bea1..000000000 --- a/testing/tests/ikev1/esp-alg-strict-fail/evaltest.dat +++ /dev/null @@ -1,9 +0,0 @@ -carol::ipsec status::home.*STATE_MAIN_I4.*ISAKMP SA established::YES -carol::ipsec statusall::IKE proposal: 3DES_CBC/HMAC_SHA1::YES -moon::ipsec status::rw.*STATE_MAIN_R3.*ISAKMP SA established::YES -moon::ipsec statusall::IKE proposal: 3DES_CBC/HMAC_SHA1::YES -carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::NO -carol::cat /var/log/auth.log::NO_PROPOSAL_CHOSEN::YES -moon::ipsec status::rw.*STATE_QUICK_R2.*ISAKMP SA established::NO -moon::cat /var/log/auth.log::IPSec Transform.*3DES_CBC (192), HMAC_SHA1.*refused due to strict flag::YES -moon::cat /var/log/auth.log::no acceptable Proposal in IPsec SA::YES diff --git a/testing/tests/ikev1/esp-alg-strict-fail/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-strict-fail/hosts/carol/etc/ipsec.conf deleted file mode 100755 index 46a619016..000000000 --- a/testing/tests/ikev1/esp-alg-strict-fail/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,25 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - ike=3des-sha1 - esp=3des-sha1 - -conn home - left=PH_IP_CAROL - leftcert=carolCert.pem - leftid=carol@strongswan.org - right=PH_IP_MOON - rightsubnet=10.1.0.0/16 - rightid=@moon.strongswan.org - auto=add diff --git a/testing/tests/ikev1/esp-alg-strict-fail/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-strict-fail/hosts/moon/etc/ipsec.conf deleted file mode 100755 index 86a15c96d..000000000 --- a/testing/tests/ikev1/esp-alg-strict-fail/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,25 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - ike=aes128-sha1 - esp=aes128-sha1! - -conn rw - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=10.1.0.0/16 - right=%any - rightid=carol@strongswan.org - auto=add diff --git a/testing/tests/ikev1/esp-alg-strict-fail/posttest.dat b/testing/tests/ikev1/esp-alg-strict-fail/posttest.dat deleted file mode 100644 index c6d6235f9..000000000 --- a/testing/tests/ikev1/esp-alg-strict-fail/posttest.dat +++ /dev/null @@ -1,2 +0,0 @@ -moon::ipsec stop -carol::ipsec stop diff --git a/testing/tests/ikev1/esp-alg-strict-fail/test.conf b/testing/tests/ikev1/esp-alg-strict-fail/test.conf deleted file mode 100644 index 2b240d895..000000000 --- a/testing/tests/ikev1/esp-alg-strict-fail/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# UML instances used for this test - -# All UML instances that are required for this test -# -UMLHOSTS="moon carol winnetou" - -# Corresponding block diagram -# -DIAGRAM="m-c-w.png" - -# UML instances on which tcpdump is to be started -# -TCPDUMPHOSTS="" - -# UML instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev1/esp-alg-strict/description.txt b/testing/tests/ikev1/esp-alg-strict/description.txt deleted file mode 100644 index 149a1e013..000000000 --- a/testing/tests/ikev1/esp-alg-strict/description.txt +++ /dev/null @@ -1,7 +0,0 @@ -Roadwarrior <b>carol</b> proposes <b>3DES_CBC</b> encryption (together with -HMAC_SHA1 authentication) in the first place and <b>AES_CBC_128</b> encryption in -second place for both the ISAKMP and IPsec SAs. Gateway <b>moon</b> defines -<b>ike=aes128-sha1</b> but will accept any other supported algorithm proposed -by the peer during Phase 1. But for ESP encryption <b>moon</b> enforces -<b>esp=aes128-sha1!</b> by applying the strict flag '!'. - diff --git a/testing/tests/ikev1/esp-alg-strict/evaltest.dat b/testing/tests/ikev1/esp-alg-strict/evaltest.dat deleted file mode 100644 index 912a8d830..000000000 --- a/testing/tests/ikev1/esp-alg-strict/evaltest.dat +++ /dev/null @@ -1,7 +0,0 @@ -carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES -moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES -moon::cat /var/log/auth.log::IPSec Transform.*3DES_CBC (192), HMAC_SHA1.*refused due to strict flag::YES -moon::ipsec statusall::IKE proposal: 3DES_CBC/HMAC_SHA1::YES -moon::ipsec statusall::ESP proposal: AES_CBC_128/HMAC_SHA1::YES -carol::ipsec statusall::IKE proposal: 3DES_CBC/HMAC_SHA1::YES -carol::ipsec statusall::ESP proposal: AES_CBC_128/HMAC_SHA1::YES diff --git a/testing/tests/ikev1/esp-alg-strict/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-strict/hosts/carol/etc/ipsec.conf deleted file mode 100755 index 052541b21..000000000 --- a/testing/tests/ikev1/esp-alg-strict/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,25 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - ike=3des-sha,aes128-sha1 - esp=3des-sha1,aes128-sha1 - -conn home - left=PH_IP_CAROL - leftcert=carolCert.pem - leftid=carol@strongswan.org - right=PH_IP_MOON - rightsubnet=10.1.0.0/16 - rightid=@moon.strongswan.org - auto=add diff --git a/testing/tests/ikev1/esp-alg-strict/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-strict/hosts/moon/etc/ipsec.conf deleted file mode 100755 index 86a15c96d..000000000 --- a/testing/tests/ikev1/esp-alg-strict/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,25 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - ike=aes128-sha1 - esp=aes128-sha1! - -conn rw - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=10.1.0.0/16 - right=%any - rightid=carol@strongswan.org - auto=add diff --git a/testing/tests/ikev1/esp-alg-strict/posttest.dat b/testing/tests/ikev1/esp-alg-strict/posttest.dat deleted file mode 100644 index c6d6235f9..000000000 --- a/testing/tests/ikev1/esp-alg-strict/posttest.dat +++ /dev/null @@ -1,2 +0,0 @@ -moon::ipsec stop -carol::ipsec stop diff --git a/testing/tests/ikev1/esp-alg-strict/pretest.dat b/testing/tests/ikev1/esp-alg-strict/pretest.dat deleted file mode 100644 index f5aa989fe..000000000 --- a/testing/tests/ikev1/esp-alg-strict/pretest.dat +++ /dev/null @@ -1,4 +0,0 @@ -carol::ipsec start -moon::ipsec start -carol::sleep 2 -carol::ipsec up home diff --git a/testing/tests/ikev1/esp-alg-strict/test.conf b/testing/tests/ikev1/esp-alg-strict/test.conf deleted file mode 100644 index a6c8f026c..000000000 --- a/testing/tests/ikev1/esp-alg-strict/test.conf +++ /dev/null @@ -1,22 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# UML instances used for this test - -# All UML instances that are required for this test -# -UMLHOSTS="moon carol winnetou" - -# Corresponding block diagram -# -DIAGRAM="m-c-w.png" - -# UML instances on which tcpdump is to be started -# -TCPDUMPHOSTS="" - -# UML instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol" - diff --git a/testing/tests/ikev1/esp-alg-weak/description.txt b/testing/tests/ikev1/esp-alg-weak/description.txt deleted file mode 100644 index e49b6c620..000000000 --- a/testing/tests/ikev1/esp-alg-weak/description.txt +++ /dev/null @@ -1,5 +0,0 @@ -The roadwarrior <b>carol</b> proposes <b>DES_CBC</b> encryption with HMAC_MD5 authentication -as the only cipher suite for the IPsec SA. Because gateway <b>moon</b> does -not use an explicit <b>esp</b> statement any strong encryption algorithm will be -accepted but any weak key length will be rejected by default and thus the ISAKMP SA -is bound to fail. diff --git a/testing/tests/ikev1/esp-alg-weak/evaltest.dat b/testing/tests/ikev1/esp-alg-weak/evaltest.dat deleted file mode 100644 index 72b14e805..000000000 --- a/testing/tests/ikev1/esp-alg-weak/evaltest.dat +++ /dev/null @@ -1,5 +0,0 @@ -carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::NO -carol::cat /var/log/auth.log::NO_PROPOSAL_CHOSEN::YES -moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::NO -moon::cat /var/log/auth.log::IPSec Transform.*refused due to insecure key_len::YES -moon::cat /var/log/auth.log::no acceptable Proposal in IPsec SA::YES diff --git a/testing/tests/ikev1/esp-alg-weak/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-weak/hosts/carol/etc/ipsec.conf deleted file mode 100755 index a5715a7f1..000000000 --- a/testing/tests/ikev1/esp-alg-weak/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,25 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug="control crypt" - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - ike=3des-md5-modp1024! - esp=des-md5! - -conn home - left=PH_IP_CAROL - leftcert=carolCert.pem - leftid=carol@strongswan.org - right=PH_IP_MOON - rightsubnet=10.1.0.0/16 - rightid=@moon.strongswan.org - auto=add diff --git a/testing/tests/ikev1/esp-alg-weak/posttest.dat b/testing/tests/ikev1/esp-alg-weak/posttest.dat deleted file mode 100644 index c6d6235f9..000000000 --- a/testing/tests/ikev1/esp-alg-weak/posttest.dat +++ /dev/null @@ -1,2 +0,0 @@ -moon::ipsec stop -carol::ipsec stop diff --git a/testing/tests/ikev1/esp-alg-weak/pretest.dat b/testing/tests/ikev1/esp-alg-weak/pretest.dat deleted file mode 100644 index 7d077c126..000000000 --- a/testing/tests/ikev1/esp-alg-weak/pretest.dat +++ /dev/null @@ -1,5 +0,0 @@ -moon::echo 1 > /proc/sys/net/ipv4/ip_forward -carol::ipsec start -moon::ipsec start -carol::sleep 2 -carol::ipsec up home diff --git a/testing/tests/ikev1/esp-alg-weak/test.conf b/testing/tests/ikev1/esp-alg-weak/test.conf deleted file mode 100644 index a6c8f026c..000000000 --- a/testing/tests/ikev1/esp-alg-weak/test.conf +++ /dev/null @@ -1,22 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# UML instances used for this test - -# All UML instances that are required for this test -# -UMLHOSTS="moon carol winnetou" - -# Corresponding block diagram -# -DIAGRAM="m-c-w.png" - -# UML instances on which tcpdump is to be started -# -TCPDUMPHOSTS="" - -# UML instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol" - diff --git a/testing/tests/ikev1/host2host-cert/evaltest.dat b/testing/tests/ikev1/host2host-cert/evaltest.dat index d19f970f2..3305f4558 100644 --- a/testing/tests/ikev1/host2host-cert/evaltest.dat +++ b/testing/tests/ikev1/host2host-cert/evaltest.dat @@ -1,5 +1,7 @@ -moon::ipsec status::host-host.*STATE_QUICK_I2.*IPsec SA established::YES -sun::ipsec status::host-host.*STATE_QUICK_R2.*IPsec SA established::YES -moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_seq=1::YES +moon::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES +sun:: ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES +moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES +sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES +moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::YES sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ikev1/host2host-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/host2host-cert/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..1b860a2a9 --- /dev/null +++ b/testing/tests/ikev1/host2host-cert/hosts/moon/etc/ipsec.conf @@ -0,0 +1,19 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + +conn host-host + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftfirewall=yes + right=PH_IP_SUN + rightid=@sun.strongswan.org + auto=add diff --git a/testing/tests/ikev1/host2host-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/host2host-cert/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..dc937641c --- /dev/null +++ b/testing/tests/ikev1/host2host-cert/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ikev1/host2host-swapped/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/host2host-cert/hosts/sun/etc/ipsec.conf index 95739fe51..0ee8ea5a3 100755..100644 --- a/testing/tests/ikev1/host2host-swapped/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/host2host-cert/hosts/sun/etc/ipsec.conf @@ -1,10 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no conn %default ikelifetime=60m @@ -14,10 +10,10 @@ conn %default keyexchange=ikev1 conn host-host - right=PH_IP_MOON - rightcert=moonCert.pem - rightid=@moon.strongswan.org - rightfirewall=yes left=PH_IP_SUN + leftcert=sunCert.pem leftid=@sun.strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org auto=add diff --git a/testing/tests/ikev1/host2host-cert/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/host2host-cert/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..dc937641c --- /dev/null +++ b/testing/tests/ikev1/host2host-cert/hosts/sun/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ikev1/host2host-cert/posttest.dat b/testing/tests/ikev1/host2host-cert/posttest.dat index 5a9150bc8..1f7aa73a1 100644 --- a/testing/tests/ikev1/host2host-cert/posttest.dat +++ b/testing/tests/ikev1/host2host-cert/posttest.dat @@ -1,4 +1,4 @@ moon::ipsec stop sun::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -sun::/etc/init.d/iptables stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev1/host2host-cert/pretest.dat b/testing/tests/ikev1/host2host-cert/pretest.dat index 3536fd886..3bce9f6e5 100644 --- a/testing/tests/ikev1/host2host-cert/pretest.dat +++ b/testing/tests/ikev1/host2host-cert/pretest.dat @@ -1,6 +1,6 @@ -moon::/etc/init.d/iptables start 2> /dev/null -sun::/etc/init.d/iptables start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +sun::iptables-restore < /etc/iptables.rules moon::ipsec start sun::ipsec start -moon::sleep 2 +moon::sleep 1 moon::ipsec up host-host diff --git a/testing/tests/ikev1/host2host-cert/test.conf b/testing/tests/ikev1/host2host-cert/test.conf index cf2e704fd..55d6e9fd6 100644 --- a/testing/tests/ikev1/host2host-cert/test.conf +++ b/testing/tests/ikev1/host2host-cert/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="moon winnetou sun" - +VIRTHOSTS="moon winnetou sun" + # Corresponding block diagram # DIAGRAM="m-w-s.png" - -# UML instances on which tcpdump is to be started + +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="sun" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon sun" diff --git a/testing/tests/ikev1/host2host-swapped/description.txt b/testing/tests/ikev1/host2host-swapped/description.txt deleted file mode 100644 index 34cfe43cc..000000000 --- a/testing/tests/ikev1/host2host-swapped/description.txt +++ /dev/null @@ -1,3 +0,0 @@ -Same scenario as test <a href="../host2host-cert/"><b>host2host-cert</b></a> but with -swapped end definitions: <b>right</b> denotes the <b>local</b> side whereas -<b>left</b> stands for the <b>remote</b> peer. diff --git a/testing/tests/ikev1/host2host-swapped/evaltest.dat b/testing/tests/ikev1/host2host-swapped/evaltest.dat deleted file mode 100644 index d19f970f2..000000000 --- a/testing/tests/ikev1/host2host-swapped/evaltest.dat +++ /dev/null @@ -1,5 +0,0 @@ -moon::ipsec status::host-host.*STATE_QUICK_I2.*IPsec SA established::YES -sun::ipsec status::host-host.*STATE_QUICK_R2.*IPsec SA established::YES -moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_seq=1::YES -sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES -sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ikev1/host2host-swapped/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/host2host-swapped/hosts/sun/etc/ipsec.conf deleted file mode 100755 index a0d600a6f..000000000 --- a/testing/tests/ikev1/host2host-swapped/hosts/sun/etc/ipsec.conf +++ /dev/null @@ -1,24 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - nat_traversal=yes - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - -conn host-host - right=PH_IP_SUN - rightcert=sunCert.pem - rightfirewall=yes - rightid=@sun.strongswan.org - left=PH_IP_MOON - leftid=@moon.strongswan.org - auto=add diff --git a/testing/tests/ikev1/host2host-swapped/posttest.dat b/testing/tests/ikev1/host2host-swapped/posttest.dat deleted file mode 100644 index 5a9150bc8..000000000 --- a/testing/tests/ikev1/host2host-swapped/posttest.dat +++ /dev/null @@ -1,4 +0,0 @@ -moon::ipsec stop -sun::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -sun::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev1/host2host-swapped/pretest.dat b/testing/tests/ikev1/host2host-swapped/pretest.dat deleted file mode 100644 index e2d98f2eb..000000000 --- a/testing/tests/ikev1/host2host-swapped/pretest.dat +++ /dev/null @@ -1,6 +0,0 @@ -moon::/etc/init.d/iptables start 2> /dev/null -sun::/etc/init.d/iptables start 2> /dev/null -moon::ipsec start -sun::ipsec start -moon::sleep 2 -moon::ipsec up host-host diff --git a/testing/tests/ikev1/host2host-swapped/test.conf b/testing/tests/ikev1/host2host-swapped/test.conf deleted file mode 100644 index cf2e704fd..000000000 --- a/testing/tests/ikev1/host2host-swapped/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# UML instances used for this test - -# All UML instances that are required for this test -# -UMLHOSTS="moon winnetou sun" - -# Corresponding block diagram -# -DIAGRAM="m-w-s.png" - -# UML instances on which tcpdump is to be started -# -TCPDUMPHOSTS="sun" - -# UML instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon sun" diff --git a/testing/tests/ikev1/host2host-transport/evaltest.dat b/testing/tests/ikev1/host2host-transport/evaltest.dat index 04c0eb3a2..fc49e57d8 100644 --- a/testing/tests/ikev1/host2host-transport/evaltest.dat +++ b/testing/tests/ikev1/host2host-transport/evaltest.dat @@ -1,7 +1,7 @@ -moon::ipsec status::host-host.*STATE_QUICK_I2.*IPsec SA established::YES -sun::ipsec status::host-host.*STATE_QUICK_R2.*IPsec SA established::YES -moon::ip xfrm state::mode transport::YES -sun::ip xfrm state::mode transport::YES -moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_seq=1::YES +moon::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES +sun:: ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES +moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES +sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES +moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::YES sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ikev1/host2host-transport/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/host2host-transport/hosts/moon/etc/ipsec.conf index b56189c6c..a860a6946 100755..100644 --- a/testing/tests/ikev1/host2host-transport/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/host2host-transport/hosts/moon/etc/ipsec.conf @@ -1,10 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev1/host2host-transport/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/host2host-transport/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..8e685c862 --- /dev/null +++ b/testing/tests/ikev1/host2host-transport/hosts/moon/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + multiple_authentication = no +} diff --git a/testing/tests/ikev1/host2host-transport/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/host2host-transport/hosts/sun/etc/ipsec.conf index 1f2ade20b..cc70f454f 100755..100644 --- a/testing/tests/ikev1/host2host-transport/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ikev1/host2host-transport/hosts/sun/etc/ipsec.conf @@ -1,10 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no conn %default ikelifetime=60m @@ -22,4 +18,3 @@ conn host-host rightid=@moon.strongswan.org type=transport auto=add - diff --git a/testing/tests/ikev1/host2host-transport/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/host2host-transport/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..8e685c862 --- /dev/null +++ b/testing/tests/ikev1/host2host-transport/hosts/sun/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + multiple_authentication = no +} diff --git a/testing/tests/ikev1/host2host-transport/posttest.dat b/testing/tests/ikev1/host2host-transport/posttest.dat index 5a9150bc8..1f7aa73a1 100644 --- a/testing/tests/ikev1/host2host-transport/posttest.dat +++ b/testing/tests/ikev1/host2host-transport/posttest.dat @@ -1,4 +1,4 @@ moon::ipsec stop sun::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -sun::/etc/init.d/iptables stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev1/host2host-transport/pretest.dat b/testing/tests/ikev1/host2host-transport/pretest.dat index e2d98f2eb..99789b90f 100644 --- a/testing/tests/ikev1/host2host-transport/pretest.dat +++ b/testing/tests/ikev1/host2host-transport/pretest.dat @@ -1,5 +1,5 @@ -moon::/etc/init.d/iptables start 2> /dev/null -sun::/etc/init.d/iptables start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +sun::iptables-restore < /etc/iptables.rules moon::ipsec start sun::ipsec start moon::sleep 2 diff --git a/testing/tests/ikev1/host2host-transport/test.conf b/testing/tests/ikev1/host2host-transport/test.conf index cf2e704fd..5a286c84f 100644 --- a/testing/tests/ikev1/host2host-transport/test.conf +++ b/testing/tests/ikev1/host2host-transport/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="moon winnetou sun" +VIRTHOSTS="moon winnetou sun" # Corresponding block diagram # DIAGRAM="m-w-s.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="sun" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon sun" diff --git a/testing/tests/ikev1/ike-alg-strict-fail/description.txt b/testing/tests/ikev1/ike-alg-strict-fail/description.txt deleted file mode 100644 index 252080e80..000000000 --- a/testing/tests/ikev1/ike-alg-strict-fail/description.txt +++ /dev/null @@ -1,5 +0,0 @@ -The roadwarrior <b>carol</b> proposes <b>3DES_CBC</b> encryption with HMAC_SHA1 authentication -as the only cipher suite for both the ISAKMP and IPsec SA. The gateway <b>moon</b> defines -<b>ike=aes128-sha1</b> only, but will accept any other support algorithm proposed by the peer, -leading to a successful negotiation of Phase 1. Because for Phase 2 <b>moon</b> enforces -<b>esp=aes128-sha1!</b> by using the strict flag '!', the ISAKMP SA will fail. diff --git a/testing/tests/ikev1/ike-alg-strict-fail/evaltest.dat b/testing/tests/ikev1/ike-alg-strict-fail/evaltest.dat deleted file mode 100644 index 0c6bc7f7e..000000000 --- a/testing/tests/ikev1/ike-alg-strict-fail/evaltest.dat +++ /dev/null @@ -1,5 +0,0 @@ -carol::ipsec status::home.*STATE_MAIN_I4.*ISAKMP SA established::NO -moon::ipsec status::rw.*STATE_MAIN_R3.*ISAKMP SA established::NO -carol::cat /var/log/auth.log::NO_PROPOSAL_CHOSEN::YES -moon::cat /var/log/auth.log::Oakley Transform.*3DES_CBC (192), HMAC_SHA1.*refused due to strict flag::YES -moon::cat /var/log/auth.log::no acceptable Oakley Transform::YES diff --git a/testing/tests/ikev1/ike-alg-strict-fail/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/ike-alg-strict-fail/hosts/carol/etc/ipsec.conf deleted file mode 100755 index d75a7022e..000000000 --- a/testing/tests/ikev1/ike-alg-strict-fail/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,25 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - ike=3des-sha1 - esp=3des-sha1 - -conn home - left=PH_IP_CAROL - leftcert=carolCert.pem - leftid=carol@strongswan.org - right=PH_IP_MOON - rightsubnet=10.1.0.0/16 - rightid=@moon.strongswan.org - auto=add diff --git a/testing/tests/ikev1/ike-alg-strict-fail/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/ike-alg-strict-fail/hosts/moon/etc/ipsec.conf deleted file mode 100755 index 460ff749c..000000000 --- a/testing/tests/ikev1/ike-alg-strict-fail/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,25 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - ike=aes128-sha1! - esp=aes128-sha1 - -conn rw - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=10.1.0.0/16 - right=%any - rightid=carol@strongswan.org - auto=add diff --git a/testing/tests/ikev1/ike-alg-strict-fail/posttest.dat b/testing/tests/ikev1/ike-alg-strict-fail/posttest.dat deleted file mode 100644 index c6d6235f9..000000000 --- a/testing/tests/ikev1/ike-alg-strict-fail/posttest.dat +++ /dev/null @@ -1,2 +0,0 @@ -moon::ipsec stop -carol::ipsec stop diff --git a/testing/tests/ikev1/ike-alg-strict-fail/pretest.dat b/testing/tests/ikev1/ike-alg-strict-fail/pretest.dat deleted file mode 100644 index f5aa989fe..000000000 --- a/testing/tests/ikev1/ike-alg-strict-fail/pretest.dat +++ /dev/null @@ -1,4 +0,0 @@ -carol::ipsec start -moon::ipsec start -carol::sleep 2 -carol::ipsec up home diff --git a/testing/tests/ikev1/ike-alg-strict-fail/test.conf b/testing/tests/ikev1/ike-alg-strict-fail/test.conf deleted file mode 100644 index 7e7848831..000000000 --- a/testing/tests/ikev1/ike-alg-strict-fail/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -##!/bin/bash -# -# This configuration file provides information on the -# UML instances used for this test - -# All UML instances that are required for this test -# -UMLHOSTS="moon carol winnetou" - -# Corresponding block diagram -# -DIAGRAM="m-c-w.png" - -# UML instances on which tcpdump is to be started -# -TCPDUMPHOSTS="" - -# UML instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev1/ike-alg-strict/description.txt b/testing/tests/ikev1/ike-alg-strict/description.txt deleted file mode 100644 index af93b95c3..000000000 --- a/testing/tests/ikev1/ike-alg-strict/description.txt +++ /dev/null @@ -1,5 +0,0 @@ -The roadwarrior <b>carol</b> proposes <b>3DES_CBC</b> encryption with <b>HMAC_SHA1</b> authentication in the first place -and <b>AES_CBC_128</b> encryption with <b>HMAC_SHA1</b> authentication in the second place for both the ISAKMP and IPsec SA. -The gateway <b>moon</b> enforces <b>ike=aes128-sha!</b> for Phase 1 by using the strict flag '!', -but will accept any other supported algorithm proposed by the peer for Phase 2 , even though <b>moon</b> -defines itself <b>esp=aes128-sha1</b> only. diff --git a/testing/tests/ikev1/ike-alg-strict/evaltest.dat b/testing/tests/ikev1/ike-alg-strict/evaltest.dat deleted file mode 100644 index 8acd0d039..000000000 --- a/testing/tests/ikev1/ike-alg-strict/evaltest.dat +++ /dev/null @@ -1,7 +0,0 @@ -carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES -moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES -moon::cat /var/log/auth.log::Oakley Transform.*3DES_CBC (192), HMAC_SHA1.*refused due to strict flag::YES -moon::ipsec statusall::IKE proposal: AES_CBC_128/HMAC_SHA1::YES -moon::ipsec statusall::ESP proposal: 3DES_CBC/HMAC_SHA1::YES -carol::ipsec statusall::IKE proposal: AES_CBC_128/HMAC_SHA::YES -carol::ipsec statusall::ESP proposal: 3DES_CBC/HMAC_SHA1::YES diff --git a/testing/tests/ikev1/ike-alg-strict/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/ike-alg-strict/hosts/carol/etc/ipsec.conf deleted file mode 100755 index 36bdc0fa4..000000000 --- a/testing/tests/ikev1/ike-alg-strict/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,24 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - ike=3des-sha1,aes128-sha1 - esp=3des-sha1,aes128-sha1 -conn home - left=PH_IP_CAROL - leftcert=carolCert.pem - leftid=carol@strongswan.org - right=PH_IP_MOON - rightsubnet=10.1.0.0/16 - rightid=@moon.strongswan.org - auto=add diff --git a/testing/tests/ikev1/ike-alg-strict/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/ike-alg-strict/hosts/moon/etc/ipsec.conf deleted file mode 100755 index 460ff749c..000000000 --- a/testing/tests/ikev1/ike-alg-strict/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,25 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - ike=aes128-sha1! - esp=aes128-sha1 - -conn rw - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=10.1.0.0/16 - right=%any - rightid=carol@strongswan.org - auto=add diff --git a/testing/tests/ikev1/ike-alg-strict/posttest.dat b/testing/tests/ikev1/ike-alg-strict/posttest.dat deleted file mode 100644 index c6d6235f9..000000000 --- a/testing/tests/ikev1/ike-alg-strict/posttest.dat +++ /dev/null @@ -1,2 +0,0 @@ -moon::ipsec stop -carol::ipsec stop diff --git a/testing/tests/ikev1/ike-alg-strict/pretest.dat b/testing/tests/ikev1/ike-alg-strict/pretest.dat deleted file mode 100644 index f5aa989fe..000000000 --- a/testing/tests/ikev1/ike-alg-strict/pretest.dat +++ /dev/null @@ -1,4 +0,0 @@ -carol::ipsec start -moon::ipsec start -carol::sleep 2 -carol::ipsec up home diff --git a/testing/tests/ikev1/ike-alg-strict/test.conf b/testing/tests/ikev1/ike-alg-strict/test.conf deleted file mode 100644 index 2b240d895..000000000 --- a/testing/tests/ikev1/ike-alg-strict/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# UML instances used for this test - -# All UML instances that are required for this test -# -UMLHOSTS="moon carol winnetou" - -# Corresponding block diagram -# -DIAGRAM="m-c-w.png" - -# UML instances on which tcpdump is to be started -# -TCPDUMPHOSTS="" - -# UML instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev1/ip-pool-db-push/description.txt b/testing/tests/ikev1/ip-pool-db-push/description.txt deleted file mode 100644 index dc510e21a..000000000 --- a/testing/tests/ikev1/ip-pool-db-push/description.txt +++ /dev/null @@ -1,4 +0,0 @@ -The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>. -Using Mode Config push mode (<b>modeconfig=push</b>) the gateway <b>moon</b> assigns virtual -IP addresses from a pool named <b>bigpool</b> that was created in an SQL database by the command -<b>ipsec pool --name bigpool --start 10.3.0.1 --end 10.3.3.232 --timeout 0</b>. diff --git a/testing/tests/ikev1/ip-pool-db-push/evaltest.dat b/testing/tests/ikev1/ip-pool-db-push/evaltest.dat deleted file mode 100644 index 9a5c5c7ee..000000000 --- a/testing/tests/ikev1/ip-pool-db-push/evaltest.dat +++ /dev/null @@ -1,30 +0,0 @@ -carol::cat /etc/resolv.conf::nameserver PH_IP_WINNETOU .*from moon.strongswan.org::YES -carol::cat /etc/resolv.conf::nameserver PH_IP_VENUS .*from moon.strongswan.org::YES -carol::cat /var/log/auth.log::handling INTERNAL_IP4_NBNS attribute failed::YES -carol::cat /var/log/auth.log::setting virtual IP source address to PH_IP_CAROL1::YES -carol::ip addr list dev eth0::PH_IP_CAROL1::YES -carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES -carol::ipsec status::home.*IPsec SA established::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -dave::cat /var/log/auth.log::setting virtual IP source address to PH_IP_DAVE1::YES -dave::ip addr list dev eth0::PH_IP_DAVE1::YES -dave::ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES -dave::ipsec status::home.*IPsec SA established::YES -dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -moon::cat /var/log/auth.log::starting ModeCfg server in push mode::YES -moon::cat /var/log/auth.log::acquired new lease for address.*in pool.*bigpool::YES -moon::cat /var/log/auth.log::assigning virtual IP::YES -moon::ipsec pool --status 2> /dev/null::dns servers: PH_IP_WINNETOU PH_IP_VENUS::YES -moon::ipsec pool --status 2> /dev/null::nbns servers: PH_IP_VENUS::YES -moon::ipsec pool --status 2> /dev/null::bigpool.*10.3.0.1.*10.3.3.232.*static.*2::YES -moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES -moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.2,id=dave@strongswan.org 2> /dev/null::online::YES -moon::ipsec status::rw.*IPsec SA established::YES -moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES -moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES -moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES -moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES -alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES -alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES -alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES -alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES diff --git a/testing/tests/ikev1/ip-pool-db-push/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/ip-pool-db-push/hosts/carol/etc/strongswan.conf deleted file mode 100644 index 56f13324a..000000000 --- a/testing/tests/ikev1/ip-pool-db-push/hosts/carol/etc/strongswan.conf +++ /dev/null @@ -1,11 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve kernel-netlink -} - -# pluto uses optimized DH exponent sizes (RFC 3526) - -libstrongswan { - dh_exponent_ansi_x9_42 = no -} diff --git a/testing/tests/ikev1/ip-pool-db-push/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/ip-pool-db-push/hosts/dave/etc/strongswan.conf deleted file mode 100644 index 56f13324a..000000000 --- a/testing/tests/ikev1/ip-pool-db-push/hosts/dave/etc/strongswan.conf +++ /dev/null @@ -1,11 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve kernel-netlink -} - -# pluto uses optimized DH exponent sizes (RFC 3526) - -libstrongswan { - dh_exponent_ansi_x9_42 = no -} diff --git a/testing/tests/ikev1/ip-pool-db-push/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/ip-pool-db-push/hosts/moon/etc/ipsec.conf deleted file mode 100755 index c365004bf..000000000 --- a/testing/tests/ikev1/ip-pool-db-push/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,26 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - plutodebug=control - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - rekey=no - keyexchange=ikev1 - modeconfig=push - -conn rw - left=PH_IP_MOON - leftsubnet=10.1.0.0/16 - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftfirewall=yes - right=%any - rightsourceip=%bigpool - auto=add diff --git a/testing/tests/ikev1/ip-pool-db-push/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/ip-pool-db-push/hosts/moon/etc/strongswan.conf deleted file mode 100644 index 630135adc..000000000 --- a/testing/tests/ikev1/ip-pool-db-push/hosts/moon/etc/strongswan.conf +++ /dev/null @@ -1,17 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl sqlite attr-sql kernel-netlink -} - -libhydra { - plugins { - attr-sql { - database = sqlite:///etc/ipsec.d/ipsec.db - } - } -} - -pool { - load = sqlite -} diff --git a/testing/tests/ikev1/ip-pool-db-push/posttest.dat b/testing/tests/ikev1/ip-pool-db-push/posttest.dat deleted file mode 100644 index 5022c6cf1..000000000 --- a/testing/tests/ikev1/ip-pool-db-push/posttest.dat +++ /dev/null @@ -1,12 +0,0 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null -dave::/etc/init.d/iptables stop 2> /dev/null -carol::ip addr del PH_IP_CAROL1/32 dev eth0 -dave::ip addr del PH_IP_DAVE1/32 dev eth0 -moon::ipsec pool --del bigpool 2> /dev/null -moon::ipsec pool --del dns 2> /dev/null -moon::ipsec pool --del nbns 2> /dev/null -moon::rm /etc/ipsec.d/ipsec.* diff --git a/testing/tests/ikev1/ip-pool-db-push/pretest.dat b/testing/tests/ikev1/ip-pool-db-push/pretest.dat deleted file mode 100644 index 4a2add194..000000000 --- a/testing/tests/ikev1/ip-pool-db-push/pretest.dat +++ /dev/null @@ -1,16 +0,0 @@ -moon::cat /etc/ipsec.d/tables.sql > /etc/ipsec.d/ipsec.sql -moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db -moon::ipsec pool --add bigpool --start 10.3.0.1 --end 10.3.3.232 --timeout 0 2> /dev/null -moon::ipsec pool --addattr dns --server PH_IP_WINNETOU 2> /dev/null -moon::ipsec pool --addattr dns --server PH_IP_VENUS 2> /dev/null -moon::ipsec pool --addattr nbns --server PH_IP_VENUS 2> /dev/null -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null -dave::/etc/init.d/iptables start 2> /dev/null -carol::ipsec start -dave::ipsec start -moon::ipsec start -carol::sleep 2 -carol::ipsec up home -dave::ipsec up home -carol::sleep 1 diff --git a/testing/tests/ikev1/ip-pool-db-push/test.conf b/testing/tests/ikev1/ip-pool-db-push/test.conf deleted file mode 100644 index 1a8f2a4e0..000000000 --- a/testing/tests/ikev1/ip-pool-db-push/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# UML instances used for this test - -# All UML instances that are required for this test -# -UMLHOSTS="alice moon carol winnetou dave" - -# Corresponding block diagram -# -DIAGRAM="a-m-c-w-d.png" - -# UML instances on which tcpdump is to be started -# -TCPDUMPHOSTS="moon alice" - -# UML instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev1/ip-pool-db/evaltest.dat b/testing/tests/ikev1/ip-pool-db/evaltest.dat index 566bab972..42e353084 100644 --- a/testing/tests/ikev1/ip-pool-db/evaltest.dat +++ b/testing/tests/ikev1/ip-pool-db/evaltest.dat @@ -1,25 +1,33 @@ -carol::cat /etc/resolv.conf::nameserver PH_IP_WINNETOU .*from moon.strongswan.org::YES -carol::cat /etc/resolv.conf::nameserver PH_IP_VENUS .*from moon.strongswan.org::YES -carol::cat /var/log/auth.log::handling INTERNAL_IP4_NBNS attribute failed::YES -carol::cat /var/log/auth.log::setting virtual IP source address to PH_IP_CAROL1::YES +carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES +carol::cat /var/log/daemon.log::installing DNS server PH_IP_WINNETOU::YES +carol::cat /var/log/daemon.log::installing DNS server PH_IP_VENUS::YES +carol::cat /var/log/daemon.log::handling INTERNAL_IP4_NBNS attribute failed::YES carol::ip addr list dev eth0::PH_IP_CAROL1::YES carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES -carol::ipsec status::home.*IPsec SA established::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -dave::cat /var/log/auth.log::setting virtual IP source address to PH_IP_DAVE1::YES -dave::ip addr list dev eth0::PH_IP_DAVE1::YES -dave::ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES -dave::ipsec status::home.*IPsec SA established::YES -dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -moon::cat /var/log/auth.log::peer requested virtual IP %any::YES -moon::cat /var/log/auth.log::acquired new lease for address.*in pool.*bigpool::YES -moon::cat /var/log/auth.log::assigning virtual IP::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES +dave:: cat /var/log/daemon.log::installing DNS server PH_IP_WINNETOU::YES +dave:: cat /var/log/daemon.log::installing DNS server PH_IP_VENUS::YES +dave:: cat /var/log/daemon.log::handling INTERNAL_IP4_NBNS attribute failed::YES +dave:: ip addr list dev eth0::PH_IP_DAVE1::YES +dave:: ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES +dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +moon:: cat /var/log/daemon.log::peer requested virtual IP %any::YES +moon:: cat /var/log/daemon.log::acquired new lease for address.*in pool.*bigpool::YES +moon:: cat /var/log/daemon.log::assigning virtual IP::YES moon::ipsec pool --status 2> /dev/null::dns servers: PH_IP_WINNETOU PH_IP_VENUS::YES moon::ipsec pool --status 2> /dev/null::nbns servers: PH_IP_VENUS::YES moon::ipsec pool --status 2> /dev/null::bigpool.*10.3.0.1.*10.3.3.232.*static.*2::YES moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.2,id=dave@strongswan.org 2> /dev/null::online::YES -moon::ipsec status::rw.*IPsec SA established::YES +moon::ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +moon::ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES +moon::ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES +moon::ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ikev1/ip-pool-db/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/ip-pool-db/hosts/carol/etc/ipsec.conf index 0c770de9f..5a77f8707 100755..100644 --- a/testing/tests/ikev1/ip-pool-db/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/ip-pool-db/hosts/carol/etc/ipsec.conf @@ -1,10 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - plutodebug=control conn %default ikelifetime=60m diff --git a/testing/tests/ikev1/ip-pool-db/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/ip-pool-db/hosts/carol/etc/strongswan.conf index 56f13324a..bd19ffe3d 100644 --- a/testing/tests/ikev1/ip-pool-db/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev1/ip-pool-db/hosts/carol/etc/strongswan.conf @@ -1,11 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file -pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve kernel-netlink -} - -# pluto uses optimized DH exponent sizes (RFC 3526) - -libstrongswan { - dh_exponent_ansi_x9_42 = no +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve } diff --git a/testing/tests/ikev1/ip-pool-db/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/ip-pool-db/hosts/dave/etc/ipsec.conf index 163c19516..6ea2d2bb1 100755..100644 --- a/testing/tests/ikev1/ip-pool-db/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev1/ip-pool-db/hosts/dave/etc/ipsec.conf @@ -1,10 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - plutodebug=control conn %default ikelifetime=60m diff --git a/testing/tests/ikev1/ip-pool-db/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/ip-pool-db/hosts/dave/etc/strongswan.conf index 56f13324a..bd19ffe3d 100644 --- a/testing/tests/ikev1/ip-pool-db/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev1/ip-pool-db/hosts/dave/etc/strongswan.conf @@ -1,11 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file -pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve kernel-netlink -} - -# pluto uses optimized DH exponent sizes (RFC 3526) - -libstrongswan { - dh_exponent_ansi_x9_42 = no +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve } diff --git a/testing/tests/ikev1/ip-pool-db/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/ip-pool-db/hosts/moon/etc/ipsec.conf index 0cefb7ab0..47014a869 100755..100644 --- a/testing/tests/ikev1/ip-pool-db/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/ip-pool-db/hosts/moon/etc/ipsec.conf @@ -1,17 +1,12 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - plutodebug=control conn %default ikelifetime=60m keylife=20m rekeymargin=3m keyingtries=1 - rekey=no keyexchange=ikev1 conn rw diff --git a/testing/tests/ikev1/ip-pool-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/ip-pool-db/hosts/moon/etc/strongswan.conf index 630135adc..04ffaf64d 100644 --- a/testing/tests/ikev1/ip-pool-db/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev1/ip-pool-db/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file -pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl sqlite attr-sql kernel-netlink +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default sqlite attr-sql updown } libhydra { diff --git a/testing/tests/ikev1/ip-pool-db/posttest.dat b/testing/tests/ikev1/ip-pool-db/posttest.dat index 5022c6cf1..c99f347e3 100644 --- a/testing/tests/ikev1/ip-pool-db/posttest.dat +++ b/testing/tests/ikev1/ip-pool-db/posttest.dat @@ -1,11 +1,9 @@ -moon::ipsec stop carol::ipsec stop dave::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null -dave::/etc/init.d/iptables stop 2> /dev/null -carol::ip addr del PH_IP_CAROL1/32 dev eth0 -dave::ip addr del PH_IP_DAVE1/32 dev eth0 +moon::ipsec stop +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush moon::ipsec pool --del bigpool 2> /dev/null moon::ipsec pool --del dns 2> /dev/null moon::ipsec pool --del nbns 2> /dev/null diff --git a/testing/tests/ikev1/ip-pool-db/pretest.dat b/testing/tests/ikev1/ip-pool-db/pretest.dat index 190672652..fce551c69 100644 --- a/testing/tests/ikev1/ip-pool-db/pretest.dat +++ b/testing/tests/ikev1/ip-pool-db/pretest.dat @@ -4,10 +4,9 @@ moon::ipsec pool --add bigpool --start 10.3.0.1 --end 10.3.3.232 --timeout 0 2> moon::ipsec pool --addattr dns --server PH_IP_WINNETOU 2> /dev/null moon::ipsec pool --addattr dns --server PH_IP_VENUS 2> /dev/null moon::ipsec pool --addattr nbns --server PH_IP_VENUS 2> /dev/null -moon::ipsec pool --statusattr -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null -dave::/etc/init.d/iptables start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules carol::ipsec start dave::ipsec start moon::ipsec start diff --git a/testing/tests/ikev1/ip-pool-db/test.conf b/testing/tests/ikev1/ip-pool-db/test.conf index 1a8f2a4e0..164b07ff9 100644 --- a/testing/tests/ikev1/ip-pool-db/test.conf +++ b/testing/tests/ikev1/ip-pool-db/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon carol winnetou dave" +VIRTHOSTS="alice moon carol winnetou dave" # Corresponding block diagram # DIAGRAM="a-m-c-w-d.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon alice" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev1/ip-pool/evaltest.dat b/testing/tests/ikev1/ip-pool/evaltest.dat index f67ab321b..1fdc3f087 100644 --- a/testing/tests/ikev1/ip-pool/evaltest.dat +++ b/testing/tests/ikev1/ip-pool/evaltest.dat @@ -1,21 +1,25 @@ -carol::cat /var/log/auth.log::setting virtual IP source address to PH_IP_CAROL1::YES +carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES carol::ip addr list dev eth0::PH_IP_CAROL1::YES carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES -carol::ipsec status::home.*IPsec SA established::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -dave::cat /var/log/auth.log::setting virtual IP source address to PH_IP_DAVE1::YES -dave::ip addr list dev eth0::PH_IP_DAVE1::YES -dave::ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES -dave::ipsec status::home.*IPsec SA established::YES -dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -moon::cat /var/log/auth.log::adding virtual IP address pool::YES -moon::cat /var/log/auth.log::peer requested virtual IP %any::YES -moon::cat /var/log/auth.log::assigning virtual IP::YES -moon::ipsec leases rw::2/15, 2 online::YES -moon::ipsec leases rw 10.3.0.1::carol@strongswan.org::YES -moon::ipsec leases rw 10.3.0.2::dave@strongswan.org::YES -moon::ipsec statusall::rw.*carol@strongswan.org.*erouted::YES -moon::ipsec statusall::rw.*dave@strongswan.org.*erouted::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES +dave:: ip addr list dev eth0::PH_IP_DAVE1::YES +dave:: ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES +dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +moon:: cat /var/log/daemon.log::adding virtual IP address pool::YES +moon:: cat /var/log/daemon.log::peer requested virtual IP %any::YES +moon:: cat /var/log/daemon.log::assigning virtual IP::YES +moon:: ipsec leases 10.3.0.0/28 2> /dev/null::2/14, 2 online::YES +moon:: ipsec leases 10.3.0.0/28 10.3.0.1 2> /dev/null::carol@strongswan.org::YES +moon:: ipsec leases 10.3.0.0/28 10.3.0.2 2> /dev/null::dave@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::ESP +moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::ESP moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ikev1/ip-pool/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/ip-pool/hosts/carol/etc/ipsec.conf index 0c770de9f..5a77f8707 100755..100644 --- a/testing/tests/ikev1/ip-pool/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/ip-pool/hosts/carol/etc/ipsec.conf @@ -1,10 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - plutodebug=control conn %default ikelifetime=60m diff --git a/testing/tests/ikev1/ip-pool/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/ip-pool/hosts/carol/etc/strongswan.conf index 4c40f76cc..dc937641c 100644 --- a/testing/tests/ikev1/ip-pool/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev1/ip-pool/hosts/carol/etc/strongswan.conf @@ -1,11 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file -pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink -} - -# pluto uses optimized DH exponent sizes (RFC 3526) - -libstrongswan { - dh_exponent_ansi_x9_42 = no +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev1/ip-pool/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/ip-pool/hosts/dave/etc/ipsec.conf index 163c19516..6ea2d2bb1 100755..100644 --- a/testing/tests/ikev1/ip-pool/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev1/ip-pool/hosts/dave/etc/ipsec.conf @@ -1,10 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - plutodebug=control conn %default ikelifetime=60m diff --git a/testing/tests/ikev1/ip-pool/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/ip-pool/hosts/dave/etc/strongswan.conf index 4c40f76cc..dc937641c 100644 --- a/testing/tests/ikev1/ip-pool/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev1/ip-pool/hosts/dave/etc/strongswan.conf @@ -1,11 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file -pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink -} - -# pluto uses optimized DH exponent sizes (RFC 3526) - -libstrongswan { - dh_exponent_ansi_x9_42 = no +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev1/ip-pool/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/ip-pool/hosts/moon/etc/ipsec.conf index ddedd7e7b..c48172923 100755..100644 --- a/testing/tests/ikev1/ip-pool/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/ip-pool/hosts/moon/etc/ipsec.conf @@ -1,10 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - plutodebug=control conn %default ikelifetime=60m diff --git a/testing/tests/ikev1/ip-pool/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/ip-pool/hosts/moon/etc/strongswan.conf index 4c40f76cc..dc937641c 100644 --- a/testing/tests/ikev1/ip-pool/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev1/ip-pool/hosts/moon/etc/strongswan.conf @@ -1,11 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file -pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink -} - -# pluto uses optimized DH exponent sizes (RFC 3526) - -libstrongswan { - dh_exponent_ansi_x9_42 = no +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev1/ip-pool/posttest.dat b/testing/tests/ikev1/ip-pool/posttest.dat index a68e84cbd..b757d8b15 100644 --- a/testing/tests/ikev1/ip-pool/posttest.dat +++ b/testing/tests/ikev1/ip-pool/posttest.dat @@ -1,8 +1,6 @@ -moon::ipsec stop carol::ipsec stop dave::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null -dave::/etc/init.d/iptables stop 2> /dev/null -carol::ip addr del 10.3.0.1/32 dev eth0 -dave::ip addr del 10.3.0.2/32 dev eth0 +moon::ipsec stop +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev1/ip-pool/pretest.dat b/testing/tests/ikev1/ip-pool/pretest.dat index 014e80517..3864bdac3 100644 --- a/testing/tests/ikev1/ip-pool/pretest.dat +++ b/testing/tests/ikev1/ip-pool/pretest.dat @@ -1,6 +1,6 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null -dave::/etc/init.d/iptables start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules carol::ipsec start dave::ipsec start moon::ipsec start diff --git a/testing/tests/ikev1/ip-pool/test.conf b/testing/tests/ikev1/ip-pool/test.conf index 1a8f2a4e0..164b07ff9 100644 --- a/testing/tests/ikev1/ip-pool/test.conf +++ b/testing/tests/ikev1/ip-pool/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon carol winnetou dave" +VIRTHOSTS="alice moon carol winnetou dave" # Corresponding block diagram # DIAGRAM="a-m-c-w-d.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon alice" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev1/ip-two-pools-mixed/description.txt b/testing/tests/ikev1/ip-two-pools-mixed/description.txt deleted file mode 100644 index 3869ced0a..000000000 --- a/testing/tests/ikev1/ip-two-pools-mixed/description.txt +++ /dev/null @@ -1,9 +0,0 @@ -The hosts <b>alice</b> and <b>carol</b> set up a tunnel connection each to gateway <b>moon</b>. -Both hosts request a <b>virtual IP</b> via the IKEv1 Mode Config payload by using the -<b>leftsourceip=%config</b> parameter. Gateway <b>moon</b> assigns virtual IP -addresses from a simple pool defined by <b>rightsourceip=10.3.0.0/28</b> to hosts connecting -to the <b>eth0</b> (PH_IP_MOON) interface and virtual IP addresses from an SQLite-based pool -named <b>intpool</b> [10.4.0.1..10.4.1.244] to hosts connecting to the <b>eth1</b> (PH_IP_MOON1) interface. -<p> -Thus <b>carol</b> is assigned <b>PH_IP_CAROL1</b> whereas <b>alice</b> gets <b>10.4.0.1</b> and -both ping the gateway <b>moon</b>. diff --git a/testing/tests/ikev1/ip-two-pools-mixed/evaltest.dat b/testing/tests/ikev1/ip-two-pools-mixed/evaltest.dat deleted file mode 100644 index f237ce53f..000000000 --- a/testing/tests/ikev1/ip-two-pools-mixed/evaltest.dat +++ /dev/null @@ -1,17 +0,0 @@ -carol::ipsec status::home.*IPsec SA established::YES -alice::ipsec status::home.*IPsec SA established::YES -moon::ipsec status::ext.*carol@strongswan.org.*erouted::YES -moon::ipsec status::int.*alice@strongswan.org.*erouted::YES -moon::cat /var/log/auth.log::adding virtual IP address pool.*ext.*10.3.0.0/28::YES -moon::ipsec leases ext::1/15, 1 online::YES -moon::ipsec leases ext 10.3.0.1::carol@strongswan.org::YES -moon::ipsec pool --status 2> /dev/null::intpool.*10.4.0.1.*10.4.1.244.*static.*1::YES -moon::ipsec pool --leases --filter pool=intpool,addr=10.4.0.1,id=alice@strongswan.org 2> /dev/null::online::YES -carol::cat /var/log/auth.log::setting virtual IP source address to 10.3.0.1::YES -alice::cat /var/log/auth.log::setting virtual IP source address to 10.4.0.1::YES -carol::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_seq=1::YES -alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES -carol::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES -carol::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES -alice::tcpdump::IP alice.strongswan.org > moon1.strongswan.org: ESP::YES -alice::tcpdump::IP moon1.strongswan.org > alice.strongswan.org: ESP::YES diff --git a/testing/tests/ikev1/ip-two-pools-mixed/hosts/alice/etc/init.d/iptables b/testing/tests/ikev1/ip-two-pools-mixed/hosts/alice/etc/init.d/iptables deleted file mode 100755 index 97b773645..000000000 --- a/testing/tests/ikev1/ip-two-pools-mixed/hosts/alice/etc/init.d/iptables +++ /dev/null @@ -1,78 +0,0 @@ -#!/sbin/runscript -# Copyright 1999-2004 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 - -opts="start stop reload" - -depend() { - before net - need logger -} - -start() { - ebegin "Starting firewall" - - # default policy is DROP - /sbin/iptables -P INPUT DROP - /sbin/iptables -P OUTPUT DROP - /sbin/iptables -P FORWARD DROP - - # allow ESP - iptables -A INPUT -i eth0 -p 50 -j ACCEPT - iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT - - # allow IKE - iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT - - # allow MOBIKE - iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT - - - # allow crl fetch from winnetou - iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT - iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT - - # allow ssh - iptables -A INPUT -p tcp --dport 22 -j ACCEPT - iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT - - eend $? -} - -stop() { - ebegin "Stopping firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - - if [ $a == nat ]; then - /sbin/iptables -t nat -P PREROUTING ACCEPT - /sbin/iptables -t nat -P POSTROUTING ACCEPT - /sbin/iptables -t nat -P OUTPUT ACCEPT - elif [ $a == mangle ]; then - /sbin/iptables -t mangle -P PREROUTING ACCEPT - /sbin/iptables -t mangle -P INPUT ACCEPT - /sbin/iptables -t mangle -P FORWARD ACCEPT - /sbin/iptables -t mangle -P OUTPUT ACCEPT - /sbin/iptables -t mangle -P POSTROUTING ACCEPT - elif [ $a == filter ]; then - /sbin/iptables -t filter -P INPUT ACCEPT - /sbin/iptables -t filter -P FORWARD ACCEPT - /sbin/iptables -t filter -P OUTPUT ACCEPT - fi - done - eend $? -} - -reload() { - ebegin "Flushing firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - done; - eend $? - start -} - diff --git a/testing/tests/ikev1/ip-two-pools-mixed/hosts/alice/etc/ipsec.conf b/testing/tests/ikev1/ip-two-pools-mixed/hosts/alice/etc/ipsec.conf deleted file mode 100755 index e8077b22a..000000000 --- a/testing/tests/ikev1/ip-two-pools-mixed/hosts/alice/etc/ipsec.conf +++ /dev/null @@ -1,24 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - plutodebug=control - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - -conn home - left=%defaultroute - leftsourceip=%config - leftcert=aliceCert.pem - leftid=alice@strongswan.org - leftfirewall=yes - right=PH_IP_MOON1 - rightid=@moon.strongswan.org - auto=add diff --git a/testing/tests/ikev1/ip-two-pools-mixed/hosts/alice/etc/strongswan.conf b/testing/tests/ikev1/ip-two-pools-mixed/hosts/alice/etc/strongswan.conf deleted file mode 100644 index 4c40f76cc..000000000 --- a/testing/tests/ikev1/ip-two-pools-mixed/hosts/alice/etc/strongswan.conf +++ /dev/null @@ -1,11 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink -} - -# pluto uses optimized DH exponent sizes (RFC 3526) - -libstrongswan { - dh_exponent_ansi_x9_42 = no -} diff --git a/testing/tests/ikev1/ip-two-pools-mixed/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/ip-two-pools-mixed/hosts/carol/etc/ipsec.conf deleted file mode 100755 index 99a8c60ff..000000000 --- a/testing/tests/ikev1/ip-two-pools-mixed/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,24 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - plutodebug=control - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - -conn home - left=PH_IP_CAROL - leftsourceip=%config - leftcert=carolCert.pem - leftid=carol@strongswan.org - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - auto=add diff --git a/testing/tests/ikev1/ip-two-pools-mixed/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/ip-two-pools-mixed/hosts/carol/etc/strongswan.conf deleted file mode 100644 index 4c40f76cc..000000000 --- a/testing/tests/ikev1/ip-two-pools-mixed/hosts/carol/etc/strongswan.conf +++ /dev/null @@ -1,11 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink -} - -# pluto uses optimized DH exponent sizes (RFC 3526) - -libstrongswan { - dh_exponent_ansi_x9_42 = no -} diff --git a/testing/tests/ikev1/ip-two-pools-mixed/hosts/moon/etc/init.d/iptables b/testing/tests/ikev1/ip-two-pools-mixed/hosts/moon/etc/init.d/iptables deleted file mode 100755 index bb9d03acd..000000000 --- a/testing/tests/ikev1/ip-two-pools-mixed/hosts/moon/etc/init.d/iptables +++ /dev/null @@ -1,91 +0,0 @@ -#!/sbin/runscript -# Copyright 1999-2004 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 - -opts="start stop reload" - -depend() { - before net - need logger -} - -start() { - ebegin "Starting firewall" - - # enable IP forwarding - echo 1 > /proc/sys/net/ipv4/ip_forward - - # default policy is DROP - /sbin/iptables -P INPUT DROP - /sbin/iptables -P OUTPUT DROP - /sbin/iptables -P FORWARD DROP - - # allow esp - iptables -A INPUT -i eth0 -p 50 -j ACCEPT - iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT - iptables -A INPUT -i eth1 -p 50 -j ACCEPT - iptables -A OUTPUT -o eth1 -p 50 -j ACCEPT - - # allow IKE - iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT - iptables -A INPUT -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT - iptables -A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT - - # allow MobIKE - iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT - iptables -A INPUT -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT - iptables -A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT - - # allow crl fetch from winnetou - iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT - iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT - iptables -A FORWARD -i eth0 -o eth1 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT - iptables -A FORWARD -o eth0 -i eth1 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT - - # masquerade crl fetches to winnetou - iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -d PH_IP_WINNETOU -j MASQUERADE - - # allow ssh - iptables -A INPUT -p tcp --dport 22 -j ACCEPT - iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT - - eend $? -} - -stop() { - ebegin "Stopping firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - - if [ $a == nat ]; then - /sbin/iptables -t nat -P PREROUTING ACCEPT - /sbin/iptables -t nat -P POSTROUTING ACCEPT - /sbin/iptables -t nat -P OUTPUT ACCEPT - elif [ $a == mangle ]; then - /sbin/iptables -t mangle -P PREROUTING ACCEPT - /sbin/iptables -t mangle -P INPUT ACCEPT - /sbin/iptables -t mangle -P FORWARD ACCEPT - /sbin/iptables -t mangle -P OUTPUT ACCEPT - /sbin/iptables -t mangle -P POSTROUTING ACCEPT - elif [ $a == filter ]; then - /sbin/iptables -t filter -P INPUT ACCEPT - /sbin/iptables -t filter -P FORWARD ACCEPT - /sbin/iptables -t filter -P OUTPUT ACCEPT - fi - done - eend $? -} - -reload() { - ebegin "Flushing firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - done; - eend $? - start -} - diff --git a/testing/tests/ikev1/ip-two-pools-mixed/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/ip-two-pools-mixed/hosts/moon/etc/ipsec.conf deleted file mode 100755 index e844ba989..000000000 --- a/testing/tests/ikev1/ip-two-pools-mixed/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,28 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - plutodebug=control - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftfirewall=yes - right=%any - -conn int - left=PH_IP_MOON1 - rightsourceip=%intpool - auto=add - -conn ext - left=PH_IP_MOON - rightsourceip=10.3.0.0/28 - auto=add diff --git a/testing/tests/ikev1/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf deleted file mode 100644 index 630135adc..000000000 --- a/testing/tests/ikev1/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf +++ /dev/null @@ -1,17 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl sqlite attr-sql kernel-netlink -} - -libhydra { - plugins { - attr-sql { - database = sqlite:///etc/ipsec.d/ipsec.db - } - } -} - -pool { - load = sqlite -} diff --git a/testing/tests/ikev1/ip-two-pools-mixed/posttest.dat b/testing/tests/ikev1/ip-two-pools-mixed/posttest.dat deleted file mode 100644 index 74e3cf2c0..000000000 --- a/testing/tests/ikev1/ip-two-pools-mixed/posttest.dat +++ /dev/null @@ -1,13 +0,0 @@ -carol::ipsec stop -alice::ipsec stop -moon::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null -alice::/etc/init.d/iptables stop 2> /dev/null -carol::ip addr del 10.3.0.1/32 dev eth0 -alice::ip addr del 10.4.0.1/32 dev eth0 -moon::ip route del 10.3.0.0/16 via PH_IP_MOON -moon::ip route del 10.4.0.0/16 via PH_IP_MOON1 -moon::conntrack -F -moon::ipsec pool --del intpool 2> /dev/null -moon::rm /etc/ipsec.d/ipsec.* diff --git a/testing/tests/ikev1/ip-two-pools-mixed/pretest.dat b/testing/tests/ikev1/ip-two-pools-mixed/pretest.dat deleted file mode 100644 index 21e28ce0c..000000000 --- a/testing/tests/ikev1/ip-two-pools-mixed/pretest.dat +++ /dev/null @@ -1,15 +0,0 @@ -moon::cat /etc/ipsec.d/tables.sql > /etc/ipsec.d/ipsec.sql -moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db -moon::ipsec pool --add intpool --start 10.4.0.1 --end 10.4.1.244 --timeout 0 2> /dev/null -moon::ip route add 10.3.0.0/16 via PH_IP_MOON -moon::ip route add 10.4.0.0/16 via PH_IP_MOON1 -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null -alice::/etc/init.d/iptables start 2> /dev/null -carol::ipsec start -moon::ipsec start -alice::ipsec start -carol::sleep 2 -carol::ipsec up home -alice::ipsec up home -alice::sleep 1 diff --git a/testing/tests/ikev1/ip-two-pools-mixed/test.conf b/testing/tests/ikev1/ip-two-pools-mixed/test.conf deleted file mode 100644 index 329774c0a..000000000 --- a/testing/tests/ikev1/ip-two-pools-mixed/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# UML instances used for this test - -# All UML instances that are required for this test -# -UMLHOSTS="alice moon carol winnetou" - -# Corresponding block diagram -# -DIAGRAM="a-m-c-w.png" - -# UML instances on which tcpdump is to be started -# -TCPDUMPHOSTS="alice carol" - -# UML instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="alice moon carol" diff --git a/testing/tests/ikev1/ip-two-pools/description.txt b/testing/tests/ikev1/ip-two-pools/description.txt deleted file mode 100644 index 33a5187c5..000000000 --- a/testing/tests/ikev1/ip-two-pools/description.txt +++ /dev/null @@ -1,9 +0,0 @@ -The hosts <b>alice</b> and <b>carol</b> set up a tunnel connection each to gateway <b>moon</b>. -Both hosts request a <b>virtual IP</b> via the IKEv1 Mode Config payload by using the -<b>leftsourceip=%config</b> parameter. Gateway <b>moon</b> assigns virtual IP -addresses from a simple pool defined by <b>rightsourceip=10.3.0.0/28</b> to hosts connecting -to the <b>eth0</b> (PH_IP_MOON) interface and virtual IP addresses from a simple pool defined -by <b>rightsourceip=10.4.0.0/28</b> to hosts connecting to the <b>eth1</b> (PH_IP_MOON1) interface. -<p> -Thus <b>carol</b> is assigned <b>PH_IP_CAROL1</b> whereas <b>alice</b> gets <b>10.4.0.1</b> and -both ping the gateway <b>moon</b>. diff --git a/testing/tests/ikev1/ip-two-pools/evaltest.dat b/testing/tests/ikev1/ip-two-pools/evaltest.dat deleted file mode 100644 index 2f19a77ba..000000000 --- a/testing/tests/ikev1/ip-two-pools/evaltest.dat +++ /dev/null @@ -1,18 +0,0 @@ -carol::ipsec status::home.*IPsec SA established::YES -alice::ipsec status::home.*IPsec SA established::YES -moon::ipsec status::ext.*carol@strongswan.org.*erouted::YES -moon::ipsec status::int.*alice@strongswan.org.*erouted::YES -moon::cat /var/log/auth.log::adding virtual IP address pool.*int.*10.4.0.0/28::YES -moon::cat /var/log/auth.log::adding virtual IP address pool.*ext.*10.3.0.0/28::YES -moon::ipsec leases ext::1/15, 1 online::YES -moon::ipsec leases int::1/15, 1 online::YES -moon::ipsec leases ext 10.3.0.1::carol@strongswan.org::YES -moon::ipsec leases int 10.4.0.1::alice@strongswan.org::YES -carol::cat /var/log/auth.log::setting virtual IP source address to 10.3.0.1::YES -alice::cat /var/log/auth.log::setting virtual IP source address to 10.4.0.1::YES -carol::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_seq=1::YES -alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES -carol::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES -carol::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES -alice::tcpdump::IP alice.strongswan.org > moon1.strongswan.org: ESP::YES -alice::tcpdump::IP moon1.strongswan.org > alice.strongswan.org: ESP::YES diff --git a/testing/tests/ikev1/ip-two-pools/hosts/alice/etc/init.d/iptables b/testing/tests/ikev1/ip-two-pools/hosts/alice/etc/init.d/iptables deleted file mode 100755 index 97b773645..000000000 --- a/testing/tests/ikev1/ip-two-pools/hosts/alice/etc/init.d/iptables +++ /dev/null @@ -1,78 +0,0 @@ -#!/sbin/runscript -# Copyright 1999-2004 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 - -opts="start stop reload" - -depend() { - before net - need logger -} - -start() { - ebegin "Starting firewall" - - # default policy is DROP - /sbin/iptables -P INPUT DROP - /sbin/iptables -P OUTPUT DROP - /sbin/iptables -P FORWARD DROP - - # allow ESP - iptables -A INPUT -i eth0 -p 50 -j ACCEPT - iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT - - # allow IKE - iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT - - # allow MOBIKE - iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT - - - # allow crl fetch from winnetou - iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT - iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT - - # allow ssh - iptables -A INPUT -p tcp --dport 22 -j ACCEPT - iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT - - eend $? -} - -stop() { - ebegin "Stopping firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - - if [ $a == nat ]; then - /sbin/iptables -t nat -P PREROUTING ACCEPT - /sbin/iptables -t nat -P POSTROUTING ACCEPT - /sbin/iptables -t nat -P OUTPUT ACCEPT - elif [ $a == mangle ]; then - /sbin/iptables -t mangle -P PREROUTING ACCEPT - /sbin/iptables -t mangle -P INPUT ACCEPT - /sbin/iptables -t mangle -P FORWARD ACCEPT - /sbin/iptables -t mangle -P OUTPUT ACCEPT - /sbin/iptables -t mangle -P POSTROUTING ACCEPT - elif [ $a == filter ]; then - /sbin/iptables -t filter -P INPUT ACCEPT - /sbin/iptables -t filter -P FORWARD ACCEPT - /sbin/iptables -t filter -P OUTPUT ACCEPT - fi - done - eend $? -} - -reload() { - ebegin "Flushing firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - done; - eend $? - start -} - diff --git a/testing/tests/ikev1/ip-two-pools/hosts/alice/etc/ipsec.conf b/testing/tests/ikev1/ip-two-pools/hosts/alice/etc/ipsec.conf deleted file mode 100755 index e8077b22a..000000000 --- a/testing/tests/ikev1/ip-two-pools/hosts/alice/etc/ipsec.conf +++ /dev/null @@ -1,24 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - plutodebug=control - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - -conn home - left=%defaultroute - leftsourceip=%config - leftcert=aliceCert.pem - leftid=alice@strongswan.org - leftfirewall=yes - right=PH_IP_MOON1 - rightid=@moon.strongswan.org - auto=add diff --git a/testing/tests/ikev1/ip-two-pools/hosts/alice/etc/strongswan.conf b/testing/tests/ikev1/ip-two-pools/hosts/alice/etc/strongswan.conf deleted file mode 100644 index 4c40f76cc..000000000 --- a/testing/tests/ikev1/ip-two-pools/hosts/alice/etc/strongswan.conf +++ /dev/null @@ -1,11 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink -} - -# pluto uses optimized DH exponent sizes (RFC 3526) - -libstrongswan { - dh_exponent_ansi_x9_42 = no -} diff --git a/testing/tests/ikev1/ip-two-pools/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/ip-two-pools/hosts/carol/etc/strongswan.conf deleted file mode 100644 index 4c40f76cc..000000000 --- a/testing/tests/ikev1/ip-two-pools/hosts/carol/etc/strongswan.conf +++ /dev/null @@ -1,11 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink -} - -# pluto uses optimized DH exponent sizes (RFC 3526) - -libstrongswan { - dh_exponent_ansi_x9_42 = no -} diff --git a/testing/tests/ikev1/ip-two-pools/hosts/moon/etc/init.d/iptables b/testing/tests/ikev1/ip-two-pools/hosts/moon/etc/init.d/iptables deleted file mode 100755 index bb9d03acd..000000000 --- a/testing/tests/ikev1/ip-two-pools/hosts/moon/etc/init.d/iptables +++ /dev/null @@ -1,91 +0,0 @@ -#!/sbin/runscript -# Copyright 1999-2004 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 - -opts="start stop reload" - -depend() { - before net - need logger -} - -start() { - ebegin "Starting firewall" - - # enable IP forwarding - echo 1 > /proc/sys/net/ipv4/ip_forward - - # default policy is DROP - /sbin/iptables -P INPUT DROP - /sbin/iptables -P OUTPUT DROP - /sbin/iptables -P FORWARD DROP - - # allow esp - iptables -A INPUT -i eth0 -p 50 -j ACCEPT - iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT - iptables -A INPUT -i eth1 -p 50 -j ACCEPT - iptables -A OUTPUT -o eth1 -p 50 -j ACCEPT - - # allow IKE - iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT - iptables -A INPUT -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT - iptables -A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT - - # allow MobIKE - iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT - iptables -A INPUT -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT - iptables -A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT - - # allow crl fetch from winnetou - iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT - iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT - iptables -A FORWARD -i eth0 -o eth1 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT - iptables -A FORWARD -o eth0 -i eth1 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT - - # masquerade crl fetches to winnetou - iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -d PH_IP_WINNETOU -j MASQUERADE - - # allow ssh - iptables -A INPUT -p tcp --dport 22 -j ACCEPT - iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT - - eend $? -} - -stop() { - ebegin "Stopping firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - - if [ $a == nat ]; then - /sbin/iptables -t nat -P PREROUTING ACCEPT - /sbin/iptables -t nat -P POSTROUTING ACCEPT - /sbin/iptables -t nat -P OUTPUT ACCEPT - elif [ $a == mangle ]; then - /sbin/iptables -t mangle -P PREROUTING ACCEPT - /sbin/iptables -t mangle -P INPUT ACCEPT - /sbin/iptables -t mangle -P FORWARD ACCEPT - /sbin/iptables -t mangle -P OUTPUT ACCEPT - /sbin/iptables -t mangle -P POSTROUTING ACCEPT - elif [ $a == filter ]; then - /sbin/iptables -t filter -P INPUT ACCEPT - /sbin/iptables -t filter -P FORWARD ACCEPT - /sbin/iptables -t filter -P OUTPUT ACCEPT - fi - done - eend $? -} - -reload() { - ebegin "Flushing firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - done; - eend $? - start -} - diff --git a/testing/tests/ikev1/ip-two-pools/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/ip-two-pools/hosts/moon/etc/ipsec.conf deleted file mode 100755 index 4771e26d6..000000000 --- a/testing/tests/ikev1/ip-two-pools/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,28 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - plutodebug=control - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftfirewall=yes - right=%any - -conn int - left=PH_IP_MOON1 - rightsourceip=10.4.0.0/28 - auto=add - -conn ext - left=PH_IP_MOON - rightsourceip=10.3.0.0/28 - auto=add diff --git a/testing/tests/ikev1/ip-two-pools/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/ip-two-pools/hosts/moon/etc/strongswan.conf deleted file mode 100644 index 4c40f76cc..000000000 --- a/testing/tests/ikev1/ip-two-pools/hosts/moon/etc/strongswan.conf +++ /dev/null @@ -1,11 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink -} - -# pluto uses optimized DH exponent sizes (RFC 3526) - -libstrongswan { - dh_exponent_ansi_x9_42 = no -} diff --git a/testing/tests/ikev1/ip-two-pools/posttest.dat b/testing/tests/ikev1/ip-two-pools/posttest.dat deleted file mode 100644 index 4474e5ade..000000000 --- a/testing/tests/ikev1/ip-two-pools/posttest.dat +++ /dev/null @@ -1,12 +0,0 @@ -alice::ipsec stop -moon::ipsec stop -carol::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null -alice::/etc/init.d/iptables stop 2> /dev/null -carol::ip addr del 10.3.0.1/32 dev eth0 -alice::ip addr del 10.4.0.1/32 dev eth0 -moon::ip route del 10.3.0.0/16 via 192.168.0.1 -moon::ip route del 10.4.0.0/16 via 10.1.0.1 -moon::conntrack -F -moon::rm /etc/ipsec.d/ipsec.* diff --git a/testing/tests/ikev1/ip-two-pools/pretest.dat b/testing/tests/ikev1/ip-two-pools/pretest.dat deleted file mode 100644 index 8091a6ed2..000000000 --- a/testing/tests/ikev1/ip-two-pools/pretest.dat +++ /dev/null @@ -1,12 +0,0 @@ -moon::ip route add 10.3.0.0/16 via 192.168.0.1 -moon::ip route add 10.4.0.0/16 via 10.1.0.1 -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null -alice::/etc/init.d/iptables start 2> /dev/null -carol::ipsec start -moon::ipsec start -alice::ipsec start -carol::sleep 2 -carol::ipsec up home -alice::ipsec up home -alice::sleep 1 diff --git a/testing/tests/ikev1/ip-two-pools/test.conf b/testing/tests/ikev1/ip-two-pools/test.conf deleted file mode 100644 index 329774c0a..000000000 --- a/testing/tests/ikev1/ip-two-pools/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# UML instances used for this test - -# All UML instances that are required for this test -# -UMLHOSTS="alice moon carol winnetou" - -# Corresponding block diagram -# -DIAGRAM="a-m-c-w.png" - -# UML instances on which tcpdump is to be started -# -TCPDUMPHOSTS="alice carol" - -# UML instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="alice moon carol" diff --git a/testing/tests/ikev1/mode-config-multiple/description.txt b/testing/tests/ikev1/mode-config-multiple/description.txt deleted file mode 100644 index 6be00e744..000000000 --- a/testing/tests/ikev1/mode-config-multiple/description.txt +++ /dev/null @@ -1,6 +0,0 @@ -The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>. -Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKE Mode Config protocol -by using the <b>leftsourceip=%modeconfig</b> parameter. After setting up an IPsec SA to reach -the hosts <b>alice</b> and <b>venus</b>, respectively, both roadwarriors set up a second -IPsec SA to <b>venus</b> and <b>alice</b>, respectively, inheriting the virtual IP address -from the previous Mode Config negotiation. diff --git a/testing/tests/ikev1/mode-config-multiple/evaltest.dat b/testing/tests/ikev1/mode-config-multiple/evaltest.dat deleted file mode 100644 index 735345315..000000000 --- a/testing/tests/ikev1/mode-config-multiple/evaltest.dat +++ /dev/null @@ -1,29 +0,0 @@ -carol::cat /var/log/auth.log::alice.*setting virtual IP source address to PH_IP_CAROL1::YES -carol::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::YES -carol::cat /var/log/auth.log::venus.*inheriting virtual IP source address PH_IP_CAROL1 from ModeCfg::YES -carol::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES -dave::cat /var/log/auth.log::venus.*setting virtual IP source address to PH_IP_DAVE1::YES -dave::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::YES -dave::cat /var/log/auth.log::alice.*inheriting virtual IP source address PH_IP_DAVE1 from ModeCfg::YES -dave::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::YES -dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES -dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -moon::ipsec status::carol-alice.*STATE_QUICK_R2.*IPsec SA established::YES -moon::ipsec status::carol-venus.*STATE_QUICK_R2.*IPsec SA established::YES -moon::ipsec status::dave-venus.*STATE_QUICK_R2.*IPsec SA established::YES -moon::ipsec status::dave-alice.*STATE_QUICK_R2.*IPsec SA established::YES -moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES -moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES -moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES -moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES -alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES -alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES -alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES -alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES -venus::tcpdump::IP carol1.strongswan.org > venus.strongswan.org: ICMP echo request::YES -venus::tcpdump::IP venus.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES -venus::tcpdump::IP dave1.strongswan.org > venus.strongswan.org: ICMP echo request::YES -venus::tcpdump::IP venus.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES - diff --git a/testing/tests/ikev1/mode-config-multiple/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/mode-config-multiple/hosts/carol/etc/ipsec.conf deleted file mode 100755 index 3d6addb62..000000000 --- a/testing/tests/ikev1/mode-config-multiple/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,33 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - -conn alice - also=home - rightsubnet=10.1.0.10/32 - auto=add - -conn venus - also=home - rightsubnet=10.1.0.20/32 - auto=add - -conn home - left=192.168.0.100 - leftsourceip=%modeconfig - leftcert=carolCert.pem - leftid=carol@strongswan.org - leftfirewall=yes - right=192.168.0.1 - rightid=@moon.strongswan.org diff --git a/testing/tests/ikev1/mode-config-multiple/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/mode-config-multiple/hosts/dave/etc/ipsec.conf deleted file mode 100755 index 0b93eb58f..000000000 --- a/testing/tests/ikev1/mode-config-multiple/hosts/dave/etc/ipsec.conf +++ /dev/null @@ -1,33 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - -conn alice - also=home - rightsubnet=10.1.0.10/32 - auto=add - -conn venus - also=home - rightsubnet=10.1.0.20/32 - auto=add - -conn home - left=PH_IP_DAVE - leftsourceip=%modeconfig - leftcert=daveCert.pem - leftid=dave@strongswan.org - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org diff --git a/testing/tests/ikev1/mode-config-multiple/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/mode-config-multiple/hosts/moon/etc/ipsec.conf deleted file mode 100755 index 7f5bb812f..000000000 --- a/testing/tests/ikev1/mode-config-multiple/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,52 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - left=192.168.0.1 - leftsourceip=10.1.0.1 - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftfirewall=yes - -conn carol-alice - also=carol - leftsubnet=10.1.0.10/32 - rightsourceip=10.3.0.1 - auto=add - -conn carol-venus - also=carol - leftsubnet=10.1.0.20/32 - rightsourceip=%carol-alice - auto=add - -conn carol - right=%any - rightid=carol@strongswan.org - -conn dave-alice - also=dave - leftsubnet=10.1.0.10/32 - rightsourceip=10.3.0.2 - auto=add - -conn dave-venus - also=dave - leftsubnet=10.1.0.20/32 - rightsourceip=%dave-alice - auto=add - -conn dave - right=%any - rightid=dave@strongswan.org - diff --git a/testing/tests/ikev1/mode-config-multiple/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/mode-config-multiple/hosts/moon/etc/strongswan.conf deleted file mode 100644 index fb989daff..000000000 --- a/testing/tests/ikev1/mode-config-multiple/hosts/moon/etc/strongswan.conf +++ /dev/null @@ -1,13 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl attr kernel-netlink - dns1 = PH_IP_WINNETOU - dns2 = PH_IP6_VENUS -} - -# pluto uses optimized DH exponent sizes (RFC 3526) - -libstrongswan { - dh_exponent_ansi_x9_42 = no -} diff --git a/testing/tests/ikev1/mode-config-multiple/posttest.dat b/testing/tests/ikev1/mode-config-multiple/posttest.dat deleted file mode 100644 index 42fa8359b..000000000 --- a/testing/tests/ikev1/mode-config-multiple/posttest.dat +++ /dev/null @@ -1,8 +0,0 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null -dave::/etc/init.d/iptables stop 2> /dev/null -carol::ip addr del PH_IP_CAROL1/32 dev eth0 -dave::ip addr del PH_IP_DAVE1/32 dev eth0 diff --git a/testing/tests/ikev1/mode-config-multiple/pretest.dat b/testing/tests/ikev1/mode-config-multiple/pretest.dat deleted file mode 100644 index 63f52e274..000000000 --- a/testing/tests/ikev1/mode-config-multiple/pretest.dat +++ /dev/null @@ -1,12 +0,0 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null -dave::/etc/init.d/iptables start 2> /dev/null -carol::ipsec start -dave::ipsec start -moon::ipsec start -carol::sleep 2 -carol::ipsec up alice -carol::ipsec up venus -dave::ipsec up venus -dave::ipsec up alice -carol::sleep 1 diff --git a/testing/tests/ikev1/mode-config-multiple/test.conf b/testing/tests/ikev1/mode-config-multiple/test.conf deleted file mode 100644 index d8fa5162d..000000000 --- a/testing/tests/ikev1/mode-config-multiple/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# UML instances used for this test - -# All UML instances that are required for this test -# -UMLHOSTS="alice moon carol winnetou dave" - -# Corresponding block diagram -# -DIAGRAM="a-m-c-w-d.png" - -# UML instances on which tcpdump is to be started -# -TCPDUMPHOSTS="moon alice venus" - -# UML instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev1/mode-config-push/description.txt b/testing/tests/ikev1/mode-config-push/description.txt deleted file mode 100644 index 387c3b409..000000000 --- a/testing/tests/ikev1/mode-config-push/description.txt +++ /dev/null @@ -1,10 +0,0 @@ -The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>. -Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKE Mode Config protocol -by using the <b>leftsourceip=%modeconfig</b> parameter. By setting the option <b>modeconfig=push</b> -on both the roadwarriors and the gateway, the Mode Config server <b>moon</b> will actively push -the configuration down to <b>carol</b> and <b>dave</b>. -<p> -<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass the -tunneled traffic. In order to test the tunnels, <b>carol</b> and <b>dave</b> then ping the client -<b>alice</b> behind the gateway <b>moon</b>. The source IP addresses of the two pings will -be the virtual IPs <b>carol1</b> and <b>dave1</b>, respectively. diff --git a/testing/tests/ikev1/mode-config-push/evaltest.dat b/testing/tests/ikev1/mode-config-push/evaltest.dat deleted file mode 100644 index 3135a18fb..000000000 --- a/testing/tests/ikev1/mode-config-push/evaltest.dat +++ /dev/null @@ -1,18 +0,0 @@ -carol::cat /var/log/auth.log::setting virtual IP source address to 10.3.0.1::YES -carol::cat /etc/resolv.conf::nameserver PH_IP_WINNETOU .*from moon.strongswan.org::YES -carol::cat /etc/resolv.conf::nameserver PH_IP_VENUS .*from moon.strongswan.org::YES -carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -dave::cat /var/log/auth.log::setting virtual IP source address to 10.3.0.2::YES -dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES -dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -moon::ipsec status::rw-carol.*STATE_QUICK_R2.*IPsec SA established::YES -moon::ipsec status::rw-dave.*STATE_QUICK_R2.*IPsec SA established::YES -moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES -moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES -moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES -moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES -alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES -alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES -alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES -alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES diff --git a/testing/tests/ikev1/mode-config-push/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/mode-config-push/hosts/carol/etc/ipsec.conf deleted file mode 100755 index 64c97eb16..000000000 --- a/testing/tests/ikev1/mode-config-push/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,31 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - rekey=no - keyingtries=1 - keyexchange=ikev1 - -conn home - left=PH_IP_CAROL - leftsourceip=%modeconfig - leftcert=carolCert.pem - leftid=carol@strongswan.org - leftfirewall=yes - right=PH_IP_MOON - rightsubnet=10.1.0.0/16 - rightid=@moon.strongswan.org - modeconfig=push - auto=add - - - - diff --git a/testing/tests/ikev1/mode-config-push/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/mode-config-push/hosts/carol/etc/strongswan.conf deleted file mode 100644 index 56f13324a..000000000 --- a/testing/tests/ikev1/mode-config-push/hosts/carol/etc/strongswan.conf +++ /dev/null @@ -1,11 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve kernel-netlink -} - -# pluto uses optimized DH exponent sizes (RFC 3526) - -libstrongswan { - dh_exponent_ansi_x9_42 = no -} diff --git a/testing/tests/ikev1/mode-config-push/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/mode-config-push/hosts/dave/etc/ipsec.conf deleted file mode 100755 index ba47559a0..000000000 --- a/testing/tests/ikev1/mode-config-push/hosts/dave/etc/ipsec.conf +++ /dev/null @@ -1,30 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - -conn home - left=PH_IP_DAVE - leftsourceip=%modeconfig - leftcert=daveCert.pem - leftid=dave@strongswan.org - leftfirewall=yes - right=PH_IP_MOON - rightsubnet=10.1.0.0/16 - rightid=@moon.strongswan.org - modeconfig=push - auto=add - - - - diff --git a/testing/tests/ikev1/mode-config-push/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/mode-config-push/hosts/dave/etc/strongswan.conf deleted file mode 100644 index 56f13324a..000000000 --- a/testing/tests/ikev1/mode-config-push/hosts/dave/etc/strongswan.conf +++ /dev/null @@ -1,11 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve kernel-netlink -} - -# pluto uses optimized DH exponent sizes (RFC 3526) - -libstrongswan { - dh_exponent_ansi_x9_42 = no -} diff --git a/testing/tests/ikev1/mode-config-push/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/mode-config-push/hosts/moon/etc/ipsec.conf deleted file mode 100755 index 8b125ab80..000000000 --- a/testing/tests/ikev1/mode-config-push/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,33 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - modeconfig=push - left=PH_IP_MOON - leftsubnet=10.1.0.0/16 - leftsourceip=PH_IP_MOON1 - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftfirewall=yes - -conn rw-carol - right=%any - rightid=carol@strongswan.org - rightsourceip=PH_IP_CAROL1 - auto=add - -conn rw-dave - right=%any - rightid=dave@strongswan.org - rightsourceip=PH_IP_DAVE1 - auto=add diff --git a/testing/tests/ikev1/mode-config-push/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/mode-config-push/hosts/moon/etc/strongswan.conf deleted file mode 100644 index f8d952d21..000000000 --- a/testing/tests/ikev1/mode-config-push/hosts/moon/etc/strongswan.conf +++ /dev/null @@ -1,13 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl attr kernel-netlink - dns1 = PH_IP_WINNETOU - dns2 = PH_IP_VENUS -} - -# pluto uses optimized DH exponent sizes (RFC 3526) - -libstrongswan { - dh_exponent_ansi_x9_42 = no -} diff --git a/testing/tests/ikev1/mode-config-push/posttest.dat b/testing/tests/ikev1/mode-config-push/posttest.dat deleted file mode 100644 index 42fa8359b..000000000 --- a/testing/tests/ikev1/mode-config-push/posttest.dat +++ /dev/null @@ -1,8 +0,0 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null -dave::/etc/init.d/iptables stop 2> /dev/null -carol::ip addr del PH_IP_CAROL1/32 dev eth0 -dave::ip addr del PH_IP_DAVE1/32 dev eth0 diff --git a/testing/tests/ikev1/mode-config-push/pretest.dat b/testing/tests/ikev1/mode-config-push/pretest.dat deleted file mode 100644 index bb222992e..000000000 --- a/testing/tests/ikev1/mode-config-push/pretest.dat +++ /dev/null @@ -1,10 +0,0 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null -dave::/etc/init.d/iptables start 2> /dev/null -carol::ipsec start -dave::ipsec start -moon::ipsec start -carol::sleep 2 -carol::ipsec up home -dave::ipsec up home -carol::sleep 1 diff --git a/testing/tests/ikev1/mode-config-push/test.conf b/testing/tests/ikev1/mode-config-push/test.conf deleted file mode 100644 index 1a8f2a4e0..000000000 --- a/testing/tests/ikev1/mode-config-push/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# UML instances used for this test - -# All UML instances that are required for this test -# -UMLHOSTS="alice moon carol winnetou dave" - -# Corresponding block diagram -# -DIAGRAM="a-m-c-w-d.png" - -# UML instances on which tcpdump is to be started -# -TCPDUMPHOSTS="moon alice" - -# UML instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev1/mode-config-swapped/description.txt b/testing/tests/ikev1/mode-config-swapped/description.txt deleted file mode 100644 index e29e6f654..000000000 --- a/testing/tests/ikev1/mode-config-swapped/description.txt +++ /dev/null @@ -1,3 +0,0 @@ -Same scenario as test <a href="../mode-config/"><b>mode-config</b></a> but with -swapped end definitions: <b>right</b> denotes the <b>local</b> side whereas -<b>left</b> stands for the <b>remote</b> peer. diff --git a/testing/tests/ikev1/mode-config-swapped/evaltest.dat b/testing/tests/ikev1/mode-config-swapped/evaltest.dat deleted file mode 100644 index 9d60cf7b0..000000000 --- a/testing/tests/ikev1/mode-config-swapped/evaltest.dat +++ /dev/null @@ -1,16 +0,0 @@ -carol::cat /var/log/auth.log::setting virtual IP source address to PH_IP_CAROL1::YES -carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -dave::cat /var/log/auth.log::setting virtual IP source address to PH_IP_DAVE1::YES -dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES -dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -moon::ipsec status::rw-carol.*STATE_QUICK_R2.*IPsec SA established::YES -moon::ipsec status::rw-dave.*STATE_QUICK_R2.*IPsec SA established::YES -moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES -moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES -moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES -moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES -alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES -alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES -alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES -alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES diff --git a/testing/tests/ikev1/mode-config-swapped/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/mode-config-swapped/hosts/carol/etc/ipsec.conf deleted file mode 100755 index 4cea3d81b..000000000 --- a/testing/tests/ikev1/mode-config-swapped/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,29 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - -conn home - right=PH_IP_CAROL - rightsourceip=%modeconfig - rightcert=carolCert.pem - rightid=carol@strongswan.org - rightfirewall=yes - left=PH_IP_MOON - leftsubnet=10.1.0.0/16 - leftid=@moon.strongswan.org - auto=add - - - - diff --git a/testing/tests/ikev1/mode-config-swapped/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/mode-config-swapped/hosts/dave/etc/ipsec.conf deleted file mode 100755 index cf96ddeca..000000000 --- a/testing/tests/ikev1/mode-config-swapped/hosts/dave/etc/ipsec.conf +++ /dev/null @@ -1,29 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - -conn home - right=PH_IP_DAVE - rightsourceip=%modeconfig - rightcert=daveCert.pem - rightid=dave@strongswan.org - rightfirewall=yes - left=PH_IP_MOON - leftsubnet=10.1.0.0/16 - leftid=@moon.strongswan.org - auto=add - - - - diff --git a/testing/tests/ikev1/mode-config-swapped/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/mode-config-swapped/hosts/moon/etc/ipsec.conf deleted file mode 100755 index b01f5b112..000000000 --- a/testing/tests/ikev1/mode-config-swapped/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,32 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - right=PH_IP_MOON - rightsubnet=10.1.0.0/16 - rightsourceip=PH_IP_MOON1 - rightcert=moonCert.pem - rightid=@moon.strongswan.org - rightfirewall=yes - -conn rw-carol - left=%any - leftid=carol@strongswan.org - leftsourceip=PH_IP_CAROL1 - auto=add - -conn rw-dave - left=%any - leftid=dave@strongswan.org - leftsourceip=PH_IP_DAVE1 - auto=add diff --git a/testing/tests/ikev1/mode-config-swapped/posttest.dat b/testing/tests/ikev1/mode-config-swapped/posttest.dat deleted file mode 100644 index 42fa8359b..000000000 --- a/testing/tests/ikev1/mode-config-swapped/posttest.dat +++ /dev/null @@ -1,8 +0,0 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null -dave::/etc/init.d/iptables stop 2> /dev/null -carol::ip addr del PH_IP_CAROL1/32 dev eth0 -dave::ip addr del PH_IP_DAVE1/32 dev eth0 diff --git a/testing/tests/ikev1/mode-config-swapped/pretest.dat b/testing/tests/ikev1/mode-config-swapped/pretest.dat deleted file mode 100644 index 1e45f00fd..000000000 --- a/testing/tests/ikev1/mode-config-swapped/pretest.dat +++ /dev/null @@ -1,9 +0,0 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null -dave::/etc/init.d/iptables start 2> /dev/null -carol::ipsec start -dave::ipsec start -moon::ipsec start -carol::sleep 2 -carol::ipsec up home -dave::ipsec up home diff --git a/testing/tests/ikev1/mode-config-swapped/test.conf b/testing/tests/ikev1/mode-config-swapped/test.conf deleted file mode 100644 index 1a8f2a4e0..000000000 --- a/testing/tests/ikev1/mode-config-swapped/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# UML instances used for this test - -# All UML instances that are required for this test -# -UMLHOSTS="alice moon carol winnetou dave" - -# Corresponding block diagram -# -DIAGRAM="a-m-c-w-d.png" - -# UML instances on which tcpdump is to be started -# -TCPDUMPHOSTS="moon alice" - -# UML instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev1/mode-config/evaltest.dat b/testing/tests/ikev1/mode-config/evaltest.dat deleted file mode 100644 index 7355a0560..000000000 --- a/testing/tests/ikev1/mode-config/evaltest.dat +++ /dev/null @@ -1,18 +0,0 @@ -carol::cat /var/log/auth.log::setting virtual IP source address to PH_IP_CAROL1::YES -carol::cat /etc/resolv.conf::nameserver PH_IP_WINNETOU .*from moon.strongswan.org::YES -carol::cat /etc/resolv.conf::nameserver PH_IP_VENUS .*from moon.strongswan.org::YES -carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -dave::cat /var/log/auth.log::setting virtual IP source address to PH_IP_DAVE1::YES -dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES -dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -moon::ipsec status::rw-carol.*STATE_QUICK_R2.*IPsec SA established::YES -moon::ipsec status::rw-dave.*STATE_QUICK_R2.*IPsec SA established::YES -moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES -moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES -moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES -moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES -alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES -alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES -alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES -alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES diff --git a/testing/tests/ikev1/mode-config/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/mode-config/hosts/carol/etc/ipsec.conf deleted file mode 100755 index 9c75434c2..000000000 --- a/testing/tests/ikev1/mode-config/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,29 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - -conn home - left=PH_IP_CAROL - leftsourceip=%modeconfig - leftcert=carolCert.pem - leftid=carol@strongswan.org - leftfirewall=yes - right=PH_IP_MOON - rightsubnet=10.1.0.0/16 - rightid=@moon.strongswan.org - auto=add - - - - diff --git a/testing/tests/ikev1/mode-config/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/mode-config/hosts/carol/etc/strongswan.conf deleted file mode 100644 index 56f13324a..000000000 --- a/testing/tests/ikev1/mode-config/hosts/carol/etc/strongswan.conf +++ /dev/null @@ -1,11 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve kernel-netlink -} - -# pluto uses optimized DH exponent sizes (RFC 3526) - -libstrongswan { - dh_exponent_ansi_x9_42 = no -} diff --git a/testing/tests/ikev1/mode-config/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/mode-config/hosts/dave/etc/strongswan.conf deleted file mode 100644 index 56f13324a..000000000 --- a/testing/tests/ikev1/mode-config/hosts/dave/etc/strongswan.conf +++ /dev/null @@ -1,11 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve kernel-netlink -} - -# pluto uses optimized DH exponent sizes (RFC 3526) - -libstrongswan { - dh_exponent_ansi_x9_42 = no -} diff --git a/testing/tests/ikev1/mode-config/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/mode-config/hosts/moon/etc/strongswan.conf deleted file mode 100644 index f8d952d21..000000000 --- a/testing/tests/ikev1/mode-config/hosts/moon/etc/strongswan.conf +++ /dev/null @@ -1,13 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl attr kernel-netlink - dns1 = PH_IP_WINNETOU - dns2 = PH_IP_VENUS -} - -# pluto uses optimized DH exponent sizes (RFC 3526) - -libstrongswan { - dh_exponent_ansi_x9_42 = no -} diff --git a/testing/tests/ikev1/mode-config/posttest.dat b/testing/tests/ikev1/mode-config/posttest.dat deleted file mode 100644 index 42fa8359b..000000000 --- a/testing/tests/ikev1/mode-config/posttest.dat +++ /dev/null @@ -1,8 +0,0 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null -dave::/etc/init.d/iptables stop 2> /dev/null -carol::ip addr del PH_IP_CAROL1/32 dev eth0 -dave::ip addr del PH_IP_DAVE1/32 dev eth0 diff --git a/testing/tests/ikev1/mode-config/pretest.dat b/testing/tests/ikev1/mode-config/pretest.dat deleted file mode 100644 index bb222992e..000000000 --- a/testing/tests/ikev1/mode-config/pretest.dat +++ /dev/null @@ -1,10 +0,0 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null -dave::/etc/init.d/iptables start 2> /dev/null -carol::ipsec start -dave::ipsec start -moon::ipsec start -carol::sleep 2 -carol::ipsec up home -dave::ipsec up home -carol::sleep 1 diff --git a/testing/tests/ikev1/mode-config/test.conf b/testing/tests/ikev1/mode-config/test.conf deleted file mode 100644 index 1a8f2a4e0..000000000 --- a/testing/tests/ikev1/mode-config/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# UML instances used for this test - -# All UML instances that are required for this test -# -UMLHOSTS="alice moon carol winnetou dave" - -# Corresponding block diagram -# -DIAGRAM="a-m-c-w-d.png" - -# UML instances on which tcpdump is to be started -# -TCPDUMPHOSTS="moon alice" - -# UML instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev1/multi-level-ca-cr-init/description.txt b/testing/tests/ikev1/multi-level-ca-cr-init/description.txt new file mode 100644 index 000000000..602d026c2 --- /dev/null +++ b/testing/tests/ikev1/multi-level-ca-cr-init/description.txt @@ -0,0 +1,6 @@ +The VPN gateway <b>moon</b> grants access to the hosts <b>alice</b> and +<b>venus</b> to anyone presenting a certificate belonging to a trust chain anchored +in the strongSwan Root CA. The hosts <b>carol</b> and <b>dave</b> have certificates from +the intermediate Research CA and Sales CA, respectively. Initiator <b>moon</b> does not possess +copies of the Research and Sales CA certificates and must therefore request them from +the responders <b>carol</b> and <b>dave</b>, respectively. diff --git a/testing/tests/ikev1/multi-level-ca-cr-init/evaltest.dat b/testing/tests/ikev1/multi-level-ca-cr-init/evaltest.dat new file mode 100644 index 000000000..03426ac44 --- /dev/null +++ b/testing/tests/ikev1/multi-level-ca-cr-init/evaltest.dat @@ -0,0 +1,12 @@ +carol::cat /var/log/daemon.log::sending issuer cert.*CN=Research CA::YES +dave:: cat /var/log/daemon.log::sending issuer cert.*CN=Sales CA::YES +moon:: cat /var/log/daemon.log::fetching crl from.*http.*research.crl::YES +moon:: cat /var/log/daemon.log::crl correctly signed by.*Research CA::YES +moon:: cat /var/log/daemon.log::fetching crl from.*http.*sales.crl::YES +moon:: cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES +moon:: cat /var/log/daemon.log::fetching crl from.*http.*strongswan.crl::YES +moon:: cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES +carol::ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::alice.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +dave:: ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::venus.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES diff --git a/testing/tests/ikev1/multi-level-ca-pathlen/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/carol/etc/ipsec.conf index 39a1aa825..73e17062d 100755..100644 --- a/testing/tests/ikev1/multi-level-ca-pathlen/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/carol/etc/ipsec.conf @@ -1,10 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no conn %default ikelifetime=60m @@ -13,13 +9,13 @@ conn %default keyingtries=1 keyexchange=ikev1 -conn home +conn alice left=PH_IP_CAROL leftcert=carolCert.pem leftid=carol@strongswan.org leftsendcert=ifasked right=PH_IP_MOON rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 + rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA" + rightsubnet=PH_IP_ALICE/32 auto=add - diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/carol/etc/ipsec.d/cacerts/researchCert.pem index d53365f78..d53365f78 100644 --- a/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem +++ b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/carol/etc/ipsec.d/cacerts/researchCert.pem diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/carol/etc/ipsec.d/certs/carolCert.pem index 69e5c05e3..69e5c05e3 100644 --- a/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/ipsec.d/certs/carolCert.pem +++ b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/carol/etc/ipsec.d/certs/carolCert.pem diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/carol/etc/ipsec.d/private/carolKey.pem index 53e18680b..53e18680b 100644 --- a/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/ipsec.d/private/carolKey.pem +++ b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/carol/etc/ipsec.d/private/carolKey.pem diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/carol/etc/ipsec.secrets index fac55d63b..fac55d63b 100644 --- a/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/ipsec.secrets +++ b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/carol/etc/ipsec.secrets diff --git a/testing/tests/ikev1/multi-level-ca-cr-init/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..85d8c191f --- /dev/null +++ b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default +} diff --git a/testing/tests/ikev1/attr-cert/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/dave/etc/ipsec.conf index ce3903596..7140befe6 100755..100644 --- a/testing/tests/ikev1/attr-cert/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/dave/etc/ipsec.conf @@ -1,10 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no conn %default ikelifetime=60m @@ -12,21 +8,14 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev1 + +conn venus left=PH_IP_DAVE leftcert=daveCert.pem leftid=dave@strongswan.org + leftsendcert=ifasked right=PH_IP_MOON rightid=@moon.strongswan.org - -conn alice - rightsubnet=PH_IP_ALICE/32 - auto=add - -conn venus + rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA" rightsubnet=PH_IP_VENUS/32 auto=add - - - - - diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/dave/etc/ipsec.d/cacerts/salesCert.pem index a10a18cba..a10a18cba 100644 --- a/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem +++ b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/dave/etc/ipsec.d/cacerts/salesCert.pem diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/dave/etc/ipsec.d/certs/daveCert.pem index 91df37a81..91df37a81 100644 --- a/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/ipsec.d/certs/daveCert.pem +++ b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/dave/etc/ipsec.d/certs/daveCert.pem diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/dave/etc/ipsec.d/private/daveKey.pem index 86740e86a..86740e86a 100644 --- a/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/ipsec.d/private/daveKey.pem +++ b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/dave/etc/ipsec.d/private/daveKey.pem diff --git a/testing/tests/ikev1/multi-level-ca-cr-init/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..85d8c191f --- /dev/null +++ b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/dave/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default +} diff --git a/testing/tests/ikev1/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/moon/etc/ipsec.conf index 0b9917b53..25716969f 100755..100644 --- a/testing/tests/ikev1/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/moon/etc/ipsec.conf @@ -1,10 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=yes - charonstart=no ca strongswan cacert=strongswanCert.pem @@ -19,10 +15,19 @@ conn %default keyexchange=ikev1 left=PH_IP_MOON leftcert=moonCert.pem + leftsendcert=ifasked leftid=@moon.strongswan.org conn alice leftsubnet=PH_IP_ALICE/32 - right=%any - rightca="C=CH, O=Linux strongSwan, OU=Research, CN=Research CA" + right=PH_IP_CAROL + rightid=carol@strongswan.org + rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA" + auto=add + +conn venus + leftsubnet=PH_IP_VENUS/32 + right=PH_IP_DAVE + rightid=dave@strongswan.org + rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA" auto=add diff --git a/testing/tests/ikev1/multi-level-ca-cr-init/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..85d8c191f --- /dev/null +++ b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default +} diff --git a/testing/tests/ikev1/multi-level-ca-cr-init/posttest.dat b/testing/tests/ikev1/multi-level-ca-cr-init/posttest.dat new file mode 100644 index 000000000..24cd041ed --- /dev/null +++ b/testing/tests/ikev1/multi-level-ca-cr-init/posttest.dat @@ -0,0 +1,5 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +carol::rm /etc/ipsec.d/cacerts/* +dave::rm /etc/ipsec.d/cacerts/* diff --git a/testing/tests/ikev1/multi-level-ca-cr-init/pretest.dat b/testing/tests/ikev1/multi-level-ca-cr-init/pretest.dat new file mode 100644 index 000000000..2eebc0f84 --- /dev/null +++ b/testing/tests/ikev1/multi-level-ca-cr-init/pretest.dat @@ -0,0 +1,6 @@ +carol::ipsec start +dave::ipsec start +moon::ipsec start +moon::sleep 2 +moon::ipsec up alice +moon::ipsec up venus diff --git a/testing/tests/ikev1/multi-level-ca-cr-init/test.conf b/testing/tests/ikev1/multi-level-ca-cr-init/test.conf new file mode 100644 index 000000000..9bb88d79f --- /dev/null +++ b/testing/tests/ikev1/multi-level-ca-cr-init/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice venus moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-v-m-c-w-d.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev1/multi-level-ca-cr-resp/description.txt b/testing/tests/ikev1/multi-level-ca-cr-resp/description.txt new file mode 100644 index 000000000..06f9f6b91 --- /dev/null +++ b/testing/tests/ikev1/multi-level-ca-cr-resp/description.txt @@ -0,0 +1,6 @@ +The VPN gateway <b>moon</b> grants access to the hosts <b>alice</b> and +<b>venus</b> to anyone presenting a certificate belonging to a trust chain anchored +in the strongSwan Root CA. The hosts <b>carol</b> and <b>dave</b> have certificates from +the intermediate Research CA and Sales CA, respectively. Responder <b>moon</b> does not possess +copies of the Research and Sales CA certificates and must therefore request them from +the initiators <b>carol</b> and <b>dave</b>, respectively. diff --git a/testing/tests/ikev1/multi-level-ca-cr-resp/evaltest.dat b/testing/tests/ikev1/multi-level-ca-cr-resp/evaltest.dat new file mode 100644 index 000000000..dcd271772 --- /dev/null +++ b/testing/tests/ikev1/multi-level-ca-cr-resp/evaltest.dat @@ -0,0 +1,12 @@ +carol::cat /var/log/daemon.log::sending issuer cert.*CN=Research CA::YES +dave:: cat /var/log/daemon.log::sending issuer cert.*CN=Sales CA::YES +moon:: cat /var/log/daemon.log::fetching crl from.*http.*research.crl::YES +moon:: cat /var/log/daemon.log::crl correctly signed by.*Research CA::YES +moon:: cat /var/log/daemon.log::fetching crl from.*http.*sales.crl::YES +moon:: cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES +moon:: cat /var/log/daemon.log::fetching crl from.*http.*strongswan.crl::YES +moon:: cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES +carol::ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::YES +dave:: ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::YES diff --git a/testing/tests/ikev1/multi-level-ca-loop/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.conf index 4d42b1419..96da6db1e 100755..100644 --- a/testing/tests/ikev1/multi-level-ca-loop/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.conf @@ -1,10 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no conn %default ikelifetime=60m @@ -14,14 +10,11 @@ conn %default keyexchange=ikev1 left=PH_IP_CAROL leftcert=carolCert.pem + leftsendcert=ifasked right=PH_IP_MOON rightid=@moon.strongswan.org + rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA" conn alice rightsubnet=PH_IP_ALICE/32 auto=add - - - - - diff --git a/testing/tests/ikev1/multi-level-ca-pathlen/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.d/cacerts/researchCert.pem index d53365f78..d53365f78 100644 --- a/testing/tests/ikev1/multi-level-ca-pathlen/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem +++ b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.d/cacerts/researchCert.pem diff --git a/testing/tests/ikev1/multi-level-ca-loop/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.d/certs/carolCert.pem index 69e5c05e3..69e5c05e3 100644 --- a/testing/tests/ikev1/multi-level-ca-loop/hosts/carol/etc/ipsec.d/certs/carolCert.pem +++ b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.d/certs/carolCert.pem diff --git a/testing/tests/ikev1/multi-level-ca-loop/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.d/private/carolKey.pem index 53e18680b..53e18680b 100644 --- a/testing/tests/ikev1/multi-level-ca-loop/hosts/carol/etc/ipsec.d/private/carolKey.pem +++ b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.d/private/carolKey.pem diff --git a/testing/tests/ikev1/multi-level-ca-loop/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.secrets index fac55d63b..fac55d63b 100644 --- a/testing/tests/ikev1/multi-level-ca-loop/hosts/carol/etc/ipsec.secrets +++ b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.secrets diff --git a/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..85d8c191f --- /dev/null +++ b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default +} diff --git a/testing/tests/ikev1/wildcards/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.conf index 5f04445d2..bafec31f4 100755..100644 --- a/testing/tests/ikev1/wildcards/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.conf @@ -1,10 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no conn %default ikelifetime=60m @@ -14,18 +10,11 @@ conn %default keyexchange=ikev1 left=PH_IP_DAVE leftcert=daveCert.pem + leftsendcert=ifasked right=PH_IP_MOON rightid=@moon.strongswan.org + rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA" -conn alice - rightsubnet=PH_IP_ALICE/32 - auto=add - conn venus rightsubnet=PH_IP_VENUS/32 auto=add - - - - - diff --git a/testing/tests/ikev1/multi-level-ca-strict/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.d/cacerts/salesCert.pem index a10a18cba..a10a18cba 100644 --- a/testing/tests/ikev1/multi-level-ca-strict/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem +++ b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.d/cacerts/salesCert.pem diff --git a/testing/tests/ikev1/multi-level-ca-strict/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.d/certs/daveCert.pem index 91df37a81..91df37a81 100644 --- a/testing/tests/ikev1/multi-level-ca-strict/hosts/dave/etc/ipsec.d/certs/daveCert.pem +++ b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.d/certs/daveCert.pem diff --git a/testing/tests/ikev1/multi-level-ca-strict/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.d/private/daveKey.pem index 86740e86a..86740e86a 100644 --- a/testing/tests/ikev1/multi-level-ca-strict/hosts/dave/etc/ipsec.d/private/daveKey.pem +++ b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.d/private/daveKey.pem diff --git a/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..85d8c191f --- /dev/null +++ b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/dave/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default +} diff --git a/testing/tests/ikev1/multi-level-ca-strict/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/moon/etc/ipsec.conf index f79c501a8..7bae1ab0f 100755..100644 --- a/testing/tests/ikev1/multi-level-ca-strict/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/moon/etc/ipsec.conf @@ -1,10 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=yes - charonstart=no ca strongswan cacert=strongswanCert.pem @@ -19,17 +15,17 @@ conn %default keyexchange=ikev1 left=PH_IP_MOON leftcert=moonCert.pem + leftsendcert=ifasked leftid=@moon.strongswan.org conn alice leftsubnet=PH_IP_ALICE/32 right=%any - rightca="C=CH, O=Linux strongSwan, OU=Research, CN=Research CA" + rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA" auto=add conn venus leftsubnet=PH_IP_VENUS/32 right=%any - rightca="C=CH, O=Linux strongSwan, OU=Sales, CN=Sales CA" + rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA" auto=add - diff --git a/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..85d8c191f --- /dev/null +++ b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default +} diff --git a/testing/tests/ikev1/multi-level-ca-cr-resp/posttest.dat b/testing/tests/ikev1/multi-level-ca-cr-resp/posttest.dat new file mode 100644 index 000000000..24cd041ed --- /dev/null +++ b/testing/tests/ikev1/multi-level-ca-cr-resp/posttest.dat @@ -0,0 +1,5 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +carol::rm /etc/ipsec.d/cacerts/* +dave::rm /etc/ipsec.d/cacerts/* diff --git a/testing/tests/ikev1/multi-level-ca-strict/pretest.dat b/testing/tests/ikev1/multi-level-ca-cr-resp/pretest.dat index 67c50c2ef..86dd31e83 100644 --- a/testing/tests/ikev1/multi-level-ca-strict/pretest.dat +++ b/testing/tests/ikev1/multi-level-ca-cr-resp/pretest.dat @@ -1,9 +1,6 @@ -moon::echo 1 > /proc/sys/net/ipv4/ip_forward carol::ipsec start dave::ipsec start moon::ipsec start carol::sleep 2 carol::ipsec up alice -carol::ipsec up venus dave::ipsec up venus -dave::ipsec up alice diff --git a/testing/tests/ikev1/multi-level-ca-cr-resp/test.conf b/testing/tests/ikev1/multi-level-ca-cr-resp/test.conf new file mode 100644 index 000000000..9bb88d79f --- /dev/null +++ b/testing/tests/ikev1/multi-level-ca-cr-resp/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice venus moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-v-m-c-w-d.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev1/multi-level-ca-ldap/description.txt b/testing/tests/ikev1/multi-level-ca-ldap/description.txt deleted file mode 100644 index 18fb88840..000000000 --- a/testing/tests/ikev1/multi-level-ca-ldap/description.txt +++ /dev/null @@ -1,11 +0,0 @@ -The VPN gateway <b>moon</b> controls the access to the hosts <b>alice</b> and -<b>venus</b> by means of two different Intermediate CAs. Access to -<b>alice</b> is granted to users presenting a certificate issued by the Research CA -whereas <b>venus</b> can only be reached with a certificate issued by the -Sales CA. The roadwarriors <b>carol</b> and <b>dave</b> have certificates from -the Research CA and Sales CA, respectively. Therefore <b>carol</b> can access -<b>alice</b> and <b>dave</b> can reach <b>venus</b>. -<p> -By setting <b>strictcrlpolicy=yes</b> the CRLs from the strongSwan, Research and -Sales CAs must be fetched from the LDAP server <b>winnetou</b> first, before the -connection setups can be successfully completed. diff --git a/testing/tests/ikev1/multi-level-ca-ldap/evaltest.dat b/testing/tests/ikev1/multi-level-ca-ldap/evaltest.dat deleted file mode 100644 index 9cfa502aa..000000000 --- a/testing/tests/ikev1/multi-level-ca-ldap/evaltest.dat +++ /dev/null @@ -1,13 +0,0 @@ -moon::cat /var/log/auth.log::PH_IP_CAROL.*X.509 certificate rejected::YES -carol::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES -moon::cat /var/log/auth.log::PH_IP_DAVE.*X.509 certificate rejected::YES -dave::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES -moon::cat /var/log/auth.log::fetching crl from .*ldap://ldap.strongswan.org::YES -carol::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::YES -moon::ipsec status::alice.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::YES -carol::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::NO -moon::ipsec status::venus.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::NO -dave::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::YES -moon::ipsec status::venus.*PH_IP_DAVE.*STATE_QUICK_R2.*IPsec SA established::YES -dave::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::NO -moon::ipsec status::alice.*PH_IP_DAVE.*STATE_QUICK_R2.*IPsec SA established::NO diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/ipsec.conf deleted file mode 100755 index d9e5b119e..000000000 --- a/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,31 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - -ca strongswan - cacert=strongswanCert.pem - crluri="ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=Linux strongSwan, c=CH?certificateRevocationList" - auto=add - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - left=PH_IP_CAROL - leftcert=carolCert.pem - right=PH_IP_MOON - rightid=@moon.strongswan.org - -conn alice - rightsubnet=PH_IP_ALICE/32 - auto=add - -conn venus - rightsubnet=PH_IP_VENUS/32 - auto=add diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf deleted file mode 100644 index 71358d6c6..000000000 --- a/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf +++ /dev/null @@ -1,11 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl ldap kernel-netlink -} - -# pluto uses optimized DH exponent sizes (RFC 3526) - -libstrongswan { - dh_exponent_ansi_x9_42 = no -} diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/ipsec.conf deleted file mode 100755 index bf83264af..000000000 --- a/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/ipsec.conf +++ /dev/null @@ -1,31 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - -ca strongswan - cacert=strongswanCert.pem - crluri="ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=Linux strongSwan, c=CH?certificateRevocationList" - auto=add - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - left=PH_IP_DAVE - leftcert=daveCert.pem - right=PH_IP_MOON - rightid=@moon.strongswan.org - -conn alice - rightsubnet=PH_IP_ALICE/32 - auto=add - -conn venus - rightsubnet=PH_IP_VENUS/32 - auto=add diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf deleted file mode 100644 index 71358d6c6..000000000 --- a/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf +++ /dev/null @@ -1,11 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl ldap kernel-netlink -} - -# pluto uses optimized DH exponent sizes (RFC 3526) - -libstrongswan { - dh_exponent_ansi_x9_42 = no -} diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/init.d/iptables b/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/init.d/iptables deleted file mode 100755 index 8de514a2e..000000000 --- a/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/init.d/iptables +++ /dev/null @@ -1,76 +0,0 @@ -#!/sbin/runscript -# Copyright 1999-2004 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 - -opts="start stop reload" - -depend() { - before net - need logger -} - -start() { - ebegin "Starting firewall" - - # enable IP forwarding - echo 1 > /proc/sys/net/ipv4/ip_forward - - # default policy is DROP - /sbin/iptables -P INPUT DROP - /sbin/iptables -P OUTPUT DROP - /sbin/iptables -P FORWARD DROP - - # allow esp - iptables -A INPUT -i eth0 -p 50 -j ACCEPT - iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT - - # allow IKE - iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT - - # allow ldap crl fetch from winnetou - iptables -A INPUT -i eth0 -p tcp --sport 389 -s PH_IP_WINNETOU -j ACCEPT - iptables -A OUTPUT -o eth0 -p tcp --dport 389 -d PH_IP_WINNETOU -j ACCEPT - - # allow ssh - iptables -A INPUT -p tcp --dport 22 -j ACCEPT - iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT - - eend $? -} - -stop() { - ebegin "Stopping firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - - if [ $a == nat ]; then - /sbin/iptables -t nat -P PREROUTING ACCEPT - /sbin/iptables -t nat -P POSTROUTING ACCEPT - /sbin/iptables -t nat -P OUTPUT ACCEPT - elif [ $a == mangle ]; then - /sbin/iptables -t mangle -P PREROUTING ACCEPT - /sbin/iptables -t mangle -P INPUT ACCEPT - /sbin/iptables -t mangle -P FORWARD ACCEPT - /sbin/iptables -t mangle -P OUTPUT ACCEPT - /sbin/iptables -t mangle -P POSTROUTING ACCEPT - elif [ $a == filter ]; then - /sbin/iptables -t filter -P INPUT ACCEPT - /sbin/iptables -t filter -P FORWARD ACCEPT - /sbin/iptables -t filter -P OUTPUT ACCEPT - fi - done - eend $? -} - -reload() { - ebegin "Flushing firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - done; - eend $? - start -} - diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/ipsec.conf deleted file mode 100755 index 50b896541..000000000 --- a/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,46 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=yes - charonstart=no - -ca strongswan - cacert=strongswanCert.pem - crluri="ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=Linux strongSwan, c=CH?certificateRevocationList" - auto=add - -ca research - cacert=researchCert.pem - crluri="ldap://ldap.strongswan.org/cn=Research CA, ou=Research, o=Linux strongSwan, c=CH?certificateRevocationList" - auto=add - -ca sales - cacert=salesCert.pem - crluri="ldap://ldap.strongswan.org/cn=Sales CA, ou=Sales, o=Linux strongSwan, c=CH?certificateRevocationList" - auto=add - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftfirewall=yes - -conn alice - leftsubnet=PH_IP_ALICE/32 - right=%any - rightca="C=CH, O=Linux strongSwan, OU=Research, CN=Research CA" - auto=add - -conn venus - leftsubnet=PH_IP_VENUS/32 - right=%any - rightca="C=CH, O=Linux strongSwan, OU=Sales, CN=Sales CA" - auto=add - diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf deleted file mode 100644 index 71358d6c6..000000000 --- a/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf +++ /dev/null @@ -1,11 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl ldap kernel-netlink -} - -# pluto uses optimized DH exponent sizes (RFC 3526) - -libstrongswan { - dh_exponent_ansi_x9_42 = no -} diff --git a/testing/tests/ikev1/multi-level-ca-ldap/posttest.dat b/testing/tests/ikev1/multi-level-ca-ldap/posttest.dat deleted file mode 100644 index ec4ba6e10..000000000 --- a/testing/tests/ikev1/multi-level-ca-ldap/posttest.dat +++ /dev/null @@ -1,7 +0,0 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop -moon::rm /etc/ipsec.d/cacerts/* -winnetou::/etc/init.d/slapd stop -moon::/etc/init.d/iptables stop 2> /dev/null - diff --git a/testing/tests/ikev1/multi-level-ca-ldap/pretest.dat b/testing/tests/ikev1/multi-level-ca-ldap/pretest.dat deleted file mode 100644 index 322f42102..000000000 --- a/testing/tests/ikev1/multi-level-ca-ldap/pretest.dat +++ /dev/null @@ -1,10 +0,0 @@ -winnetou::/etc/init.d/slapd start -moon::/etc/init.d/iptables start 2> /dev/null -carol::ipsec start -dave::ipsec start -moon::ipsec start -carol::sleep 2 -carol::ipsec up alice -carol::ipsec up venus -dave::ipsec up venus -dave::ipsec up alice diff --git a/testing/tests/ikev1/multi-level-ca-ldap/test.conf b/testing/tests/ikev1/multi-level-ca-ldap/test.conf deleted file mode 100644 index 08e5cc145..000000000 --- a/testing/tests/ikev1/multi-level-ca-ldap/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# UML instances used for this test - -# All UML instances that are required for this test -# -UMLHOSTS="alice venus moon carol winnetou dave" - -# Corresponding block diagram -# -DIAGRAM="a-v-m-c-w-d.png" - -# UML instances on which tcpdump is to be started -# -TCPDUMPHOSTS="" - -# UML instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev1/multi-level-ca-loop/description.txt b/testing/tests/ikev1/multi-level-ca-loop/description.txt deleted file mode 100644 index 9b63c2c66..000000000 --- a/testing/tests/ikev1/multi-level-ca-loop/description.txt +++ /dev/null @@ -1,6 +0,0 @@ -The roadwarrior <b>carol</b>, possessing a certificate issued by the -Research CA, tries to set up a tunnel to gateway <b>moon</b>. -The Research CA's certificate is signed by the Sales CA and -the Sales CA's certificate in turn is signed by the Research CA. -This leads to an endless trust path loop but which is aborted by -<b>moon</b> when the path level reaches a depth of 7 iterations. diff --git a/testing/tests/ikev1/multi-level-ca-loop/evaltest.dat b/testing/tests/ikev1/multi-level-ca-loop/evaltest.dat deleted file mode 100644 index 524846109..000000000 --- a/testing/tests/ikev1/multi-level-ca-loop/evaltest.dat +++ /dev/null @@ -1,3 +0,0 @@ -moon::cat /var/log/auth.log::maximum path length of 7 exceeded::YES -carol::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::NO -moon::ipsec status::alice.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::NO diff --git a/testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.conf deleted file mode 100755 index f91ca63a8..000000000 --- a/testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,23 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=yes - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - -conn alice - leftsubnet=PH_IP_ALICE/32 - right=%any - rightca="C=CH, O=Linux strongSwan, OU=Research, CN=Research CA" - auto=add diff --git a/testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/research_by_salesCert.pem b/testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/research_by_salesCert.pem deleted file mode 100644 index 37ef9c665..000000000 --- a/testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/research_by_salesCert.pem +++ /dev/null @@ -1,24 +0,0 @@ ------BEGIN CERTIFICATE----- -MIID/TCCAuWgAwIBAgIBBjANBgkqhkiG9w0BAQsFADBLMQswCQYDVQQGEwJDSDEZ -MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEOMAwGA1UECxMFU2FsZXMxETAPBgNV -BAMTCFNhbGVzIENBMB4XDTEwMDcwMzE1MjgyOVoXDTE1MDcwMjE1MjgyOVowUTEL -MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsT -CFJlc2VhcmNoMRQwEgYDVQQDEwtSZXNlYXJjaCBDQTCCASIwDQYJKoZIhvcNAQEB -BQADggEPADCCAQoCggEBALY5sjqm4AdbWKc/T7JahWpy9xtdPbHngBN6lbnpYaHf -rxnGsvmDFCFZHCd7egRqQ/AuJHHcEv3DUdfJWWAypVnUvdlcp58hBjpxfTPXP9ID -BxzQaQyUzsExIGWOVUY2e7xJ5BKBnXVkok3htY4Hr1GdqNh+3LEmbegJBngTRSRx -4PKJ54FO/b78LUzB+rMxrzxw/lnI8jEmAtKlugQ7c9auMeFCz+NmlSfnSoWhHN5q -m+0iNKy0C+25IuE8Nq+i3jtBiI8BwBqHY3u2IuflUh9Nc9d/R6vGsRPMHs30X1Ha -/m0Ug494+wwqwfEBZRjzxMmMF/1SG4I1E3TDOJ3srjkCAwEAAaOB5TCB4jAPBgNV -HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU53XwoPKtIM3NYCPM -x8gPKfPdVCAwbQYDVR0jBGYwZIAUX5sTRvkgcsgA1Yi1p0wul+oLkyihSaRHMEUx -CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQD -ExJzdHJvbmdTd2FuIFJvb3QgQ0GCASEwNAYDVR0fBC0wKzApoCegJYYjaHR0cDov -L2NybC5zdHJvbmdzd2FuLm9yZy9zYWxlcy5jcmwwDQYJKoZIhvcNAQELBQADggEB -ALRTVUS8bpb3NrwWV/aIE6K9MvtX1kPzMUbZgykwOm4g1jfDmqbPw28X6YZESQ2B -bG1QRh3SUpSoT5vplPcD4OCv3ORKACzGhx4xemd7TpYP8dnptfk66cfFCP+It0t4 -hP45BqlgVZfd5ZAO/ogRQ+2s79Obc5XPq/ShGvConGVOPDuqkWrP/ISIMdBXFHqk -WyW24e/Kzq7pPMG18Ect7NA4gRXSiWx0U33lhWNasPvSKtKgC6dcmRNqjyTHQoFy -02FLgKP1p214ThLkSr9dgHT6e69R7ES9Vin3DUgPuJdlXcax/BWm6gLugqHcXVGF -yuVPkDSgPds6m0KQcEVnuaU= ------END CERTIFICATE----- diff --git a/testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/sales_by_researchCert.pem b/testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/sales_by_researchCert.pem deleted file mode 100644 index 0a435b90d..000000000 --- a/testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/sales_by_researchCert.pem +++ /dev/null @@ -1,24 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEADCCAuigAwIBAgIBBzANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ -MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS -BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTEwMDcwMzE1MTgzOVoXDTE1MDcwMjE1MTgz -OVowSzELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAM -BgNVBAsTBVNhbGVzMREwDwYDVQQDEwhTYWxlcyBDQTCCASIwDQYJKoZIhvcNAQEB -BQADggEPADCCAQoCggEBAMJOTSaZjDe5UR+hJbodcE40WBxWm+r0FiD+FLc2c0hH -/QcWm1Xfqnc9qaPPGoxO2BfwXgFEHfOdQzHGuthhsvdMPkmWP1Z3uDrwscqrmLyq -4JI87exSen1ggmCVEib55T4fNxrTIGJaoe6Jn9v9ZwG2B+Ur3nFA/wdckSdqJxc6 -XL9DKcRk3TxZtv9SuDftE9G787O6PJSyfyUYhldz1EZe5PTsUoAbBJ0DDXJx3562 -kDtfQdwezat0LAyOsVabYq/0G/fBZwLLer4qGF2+3CsvP7jNXnhRYeSv2+4i2mAj -gbBRI1A3iqoU3Nq1vPAqzrekOI/RV9Hre9L1r8X1dIECAwEAAaOB6DCB5TAPBgNV -HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUX5sTRvkgcsgA1Yi1 -p0wul+oLkygwbQYDVR0jBGYwZIAU53XwoPKtIM3NYCPMx8gPKfPdVCChSaRHMEUx -CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQD -ExJzdHJvbmdTd2FuIFJvb3QgQ0GCASAwNwYDVR0fBDAwLjAsoCqgKIYmaHR0cDov -L2NybC5zdHJvbmdzd2FuLm9yZy9yZXNlYXJjaC5jcmwwDQYJKoZIhvcNAQELBQAD -ggEBADPiBfTbTkHwRdpt4iAY/wx0AKKwnF636+1E+m8dHn1HhTU8FZkiRCsRSRdx -qpzprMga6v7ksV29CIJpTciaD48S2zWNsiQ2vfNB4UenG4wKVG8742CQakCzZk/7 -MrHutk+VDcN3oGcu4gFECPzrZiYPTVv74PCFRfd37SYlXmN0KF0Ivzgu2DNwJNMD -Aa6sHs+/8H/7BbzHxUZkT7zrTuy4M5FGIKllQBxALp/8N/LN4vz0ZbLgbNU7Eo16 -EikbEASUs3Scmna+dFBSfexf0G9oqvHvxjWPiZRw6ZrS5TZkAE1DmdqLWwTNq/Fo -aeDWsllgAdqMA2fL7i9tsFHZVYk= ------END CERTIFICATE----- diff --git a/testing/tests/ikev1/multi-level-ca-loop/posttest.dat b/testing/tests/ikev1/multi-level-ca-loop/posttest.dat deleted file mode 100644 index 076f51f4d..000000000 --- a/testing/tests/ikev1/multi-level-ca-loop/posttest.dat +++ /dev/null @@ -1,4 +0,0 @@ -moon::ipsec stop -carol::ipsec stop -moon::rm /etc/ipsec.d/cacerts/* - diff --git a/testing/tests/ikev1/multi-level-ca-loop/pretest.dat b/testing/tests/ikev1/multi-level-ca-loop/pretest.dat deleted file mode 100644 index 0a0ec22bf..000000000 --- a/testing/tests/ikev1/multi-level-ca-loop/pretest.dat +++ /dev/null @@ -1,6 +0,0 @@ -moon::echo 1 > /proc/sys/net/ipv4/ip_forward -moon::rm /etc/ipsec.d/cacerts/strongswanCert.pem -carol::ipsec start -moon::ipsec start -carol::sleep 2 -carol::ipsec up alice diff --git a/testing/tests/ikev1/multi-level-ca-loop/test.conf b/testing/tests/ikev1/multi-level-ca-loop/test.conf deleted file mode 100644 index 3189fdfc7..000000000 --- a/testing/tests/ikev1/multi-level-ca-loop/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# UML instances used for this test - -# All UML instances that are required for this test -# -UMLHOSTS="alice moon carol winnetou dave" - -# Corresponding block diagram -# -DIAGRAM="a-m-c-w.png" - -# UML instances on which tcpdump is to be started -# -TCPDUMPHOSTS="" - -# UML instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev1/multi-level-ca-pathlen/description.txt b/testing/tests/ikev1/multi-level-ca-pathlen/description.txt deleted file mode 100644 index 1852f7157..000000000 --- a/testing/tests/ikev1/multi-level-ca-pathlen/description.txt +++ /dev/null @@ -1,5 +0,0 @@ -The <b>strongSwan Root CA</b> constrains the path length to <b>one</b> intermediate CA -but the <b>Research CA</b> creates a subsidiary <b>Duck Research CA</b> which in turn -issues an end entity certificate to roadwarrior <b>carol</b> so that the total -path length becomes <b>two</b>. This is detected by gateway <b>moon</b> which aborts -the negotiation. diff --git a/testing/tests/ikev1/multi-level-ca-pathlen/evaltest.dat b/testing/tests/ikev1/multi-level-ca-pathlen/evaltest.dat deleted file mode 100644 index 235b7672e..000000000 --- a/testing/tests/ikev1/multi-level-ca-pathlen/evaltest.dat +++ /dev/null @@ -1,4 +0,0 @@ -moon::cat /var/log/auth.log::path length of 2 violates constraint of 1::YES -carol::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES -carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::NO -moon::ipsec status::duck.*STATE_QUICK_R2.*IPsec SA established::NO diff --git a/testing/tests/ikev1/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/ikev1/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/certs/carolCert.pem deleted file mode 100644 index 4e13b52d0..000000000 --- a/testing/tests/ikev1/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/certs/carolCert.pem +++ /dev/null @@ -1,24 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEBzCCAu+gAwIBAgIBATANBgkqhkiG9w0BAQsFADBWMQswCQYDVQQGEwJDSDEZ -MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxGTAX -BgNVBAMTEER1Y2sgUmVzZWFyY2ggQ0EwHhcNMDkxMTA0MTYyMzM1WhcNMTQxMTAz -MTYyMzM1WjBfMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dh -bjEWMBQGA1UECxMNRHVjayBSZXNlYXJjaDEdMBsGA1UEAxQUY2Fyb2xAc3Ryb25n -c3dhbi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6LueCi67Y -IGRDKP5bkysGWZHrFrztq7elIFCPPSUxyIOYo4Upzr5WsvO0dIfcZY3agV2NcAI2 -30sATlfTUp+obedZMHbzE3VBvQuLjgK42ox2XIXDj23Vy496mVqlwUQulhBcAhMb -jnBb4T0aR7WCnJvfzyckEyWrTN0ajRyQhJEmTn+spYNQX/2lg6hEn/K1T/3Py7sG -veeF6BRenHR5L60NSK7qV7AU+hM4R0UIvgwYqzxSStgGS9G6Bwj9QTOWwSV1tuii -ABiRdZSBoON0uMMpRjgEzuVe0f4VbOCIEXO8MtdpCu7Rwa9tc8OwneLcGCYVomr5 -7KKRJdvC5As3AgMBAAGjgdYwgdMwCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYD -VR0OBBYEFFSYDz2TYOMxfyrIx20NhPPHTCOIMHkGA1UdIwRyMHCAFHYqqKQxp8Zx -jzAlvAJmm8sXVI0goVWkUzBRMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXgg -c3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDASBgNVBAMTC1Jlc2VhcmNo -IENBggEFMB8GA1UdEQQYMBaBFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMA0GCSqGSIb3 -DQEBCwUAA4IBAQBIpl8SH4Nytgr6KvmXzns80u615WnDmP6oJrnwIZUkunVns8HH -TFUVjvDKoQ+8CvuaH9Ifo2dokGjtGObeO4Y38y0xBIkUO+JpwfTa3SeCEhdOZb3G -4e9WxHhV9IGfRyPsXQG+3JpAMaHYH+PNKiv7RBTq6rGaHzvgUEXRMTbv/bJI+Fs6 -Yfd/XxIur/ftVh4dZocyC74MUyXy5tyZJkHe1aBszOa0iT1852fq93lNUQPQqw0O -3q3Lg7CvbNSdWqeAMqUgeBqh6oQItY9Exrwh0tfuCsjZ0oWXUBghsuiV+GTmZ6ok -BiGmSmtX5OD4UtKcicuMRqnK2MYJHp1z1goE ------END CERTIFICATE----- diff --git a/testing/tests/ikev1/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/ikev1/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/private/carolKey.pem deleted file mode 100644 index 48727ed9d..000000000 --- a/testing/tests/ikev1/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/private/carolKey.pem +++ /dev/null @@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEpAIBAAKCAQEAui7ngouu2CBkQyj+W5MrBlmR6xa87au3pSBQjz0lMciDmKOF -Kc6+VrLztHSH3GWN2oFdjXACNt9LAE5X01KfqG3nWTB28xN1Qb0Li44CuNqMdlyF -w49t1cuPeplapcFELpYQXAITG45wW+E9Gke1gpyb388nJBMlq0zdGo0ckISRJk5/ -rKWDUF/9pYOoRJ/ytU/9z8u7Br3nhegUXpx0eS+tDUiu6lewFPoTOEdFCL4MGKs8 -UkrYBkvRugcI/UEzlsEldbboogAYkXWUgaDjdLjDKUY4BM7lXtH+FWzgiBFzvDLX -aQru0cGvbXPDsJ3i3BgmFaJq+eyikSXbwuQLNwIDAQABAoIBAGK7cOXXsTbHpqO+ -33QsjQpnAWyLuFDJWS/l/RKYuFq4HKEbRgivrFxJtdciXNHRwPH43GWe2m3C6AEX -ipd0H1qwPZkcjFfHH81mtPKismrY6tfxpLXaH8LamhHHtTxlSwTxa2d/aiaY2JjA -zyhakrTa3AZJ0lXdGYLH1hC4eEdiPghIqwL8YNB0V2ldq+bMdtQ1i3dcmseV9TI2 -DEAKWzjc7oIcuY9HtfEEAIPzSSqwrM7wUWd9dk70o7b05eK9pnTF59Lnk5U1J1Ag -QnXBHBZfLVDnTYd+dFWM8wUIpO0n6ccUToINppwSejyOs726jUuWGZCthxLBsFZp -5Pj9B6ECgYEA3lRxGRJsAfMoyOc4kLfDmlDtrP88knRlqRW7mVYjclhMbVtrtaTP -44VqmxKIVNQt1p5hB/Gn4kbhC7OnUja/FVHdosEjFhYNh+QCisyaS2V7RNyEidJX -Q61V8v0Z7MxHxxDljVvWfSdAUDRrFwWYxRXZJWwStEmtdAbiZa6aydkCgYEA1mEV -2D+gaR+oBouqcZMiSAjV/qHbnfw4EC2XFCw84JMPerBwl4noWCgvgf0lRirbI+Ar -PDOfoclLnDQRgnqkK4okSIW0SddxttbKdDhhZ2c2CoyKxUqN7/NEyy/tZ2WZRcmX -LILTLXzi/9qq8lF9odjIl5KKsRpXhqMsf5b1w48CgYEAqDT8yDo+yw7b6Xu+OQc/ -Ds5xs3P7sNYtX8qYfz9DXCxfzlDfYbMKsZlr+V0BFiTddUWoJal4GeMEOqU2TyYq -VYf1hkBXOkt++zPPlJGNnsNtisDH6bng2cwXfdpttdEr8Pjgo5063r9GkifGacmL -Nnj8K6rjT9F6UJEw0jtS0qkCgYAi3RMSYfaSYgWPWvNTGRyAHn++s0/l93iemOty -6mbUFtZzm3IUEudoPtDLEQIY0StmQDSHy9VwGC5lrsoSMCO2uPaBnMzfHVxu4at3 -Dxw4Fr7hJE4FG8TNewB7EsZHBGzSvqAJKxVw1liMR2F5musVgQ3OKJTJjIEjcjHw -Zfp93QKBgQCPp6SH510qK9Rf+HjeWXJpOB2ByruC5rBgqrxE4rbIB3/fAl86a3Kq -Q1VqdGb+CW0FlkPshDmmdi3IoCliXywadSaXi/unPfPTel0pQAC8NM7WpPoaUfnS -QgL5iNXshicKoE8U6PRhYvn81zVpt4bFn3DZRgIlau2GQnijLkGvQw== ------END RSA PRIVATE KEY----- diff --git a/testing/tests/ikev1/multi-level-ca-pathlen/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-pathlen/hosts/moon/etc/ipsec.conf deleted file mode 100755 index ca5919d5c..000000000 --- a/testing/tests/ikev1/multi-level-ca-pathlen/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,24 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - -conn duck - left=PH_IP_MOON - leftcert=moonCert.pem - leftsendcert=ifasked - leftid=@moon.strongswan.org - leftsubnet=10.1.0.0/16 - right=%any - rightca="C=CH, O=Linux strongSwan, OU=Research, CN=Duck Research CA" - auto=add diff --git a/testing/tests/ikev1/multi-level-ca-pathlen/hosts/moon/etc/ipsec.d/cacerts/duckCert.pem b/testing/tests/ikev1/multi-level-ca-pathlen/hosts/moon/etc/ipsec.d/cacerts/duckCert.pem deleted file mode 100644 index bb205a0fd..000000000 --- a/testing/tests/ikev1/multi-level-ca-pathlen/hosts/moon/etc/ipsec.d/cacerts/duckCert.pem +++ /dev/null @@ -1,23 +0,0 @@ ------BEGIN CERTIFICATE----- -MIID0jCCArqgAwIBAgIBBTANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ -MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS -BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTA5MTEwNDE2MTUwM1oXDTE1MTEwMzE2MTUw -M1owVjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP -BgNVBAsTCFJlc2VhcmNoMRkwFwYDVQQDExBEdWNrIFJlc2VhcmNoIENBMIIBIjAN -BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApIBRSgHCxHhMjsVZo4PtFnENkHNu -MfyRDsc7m1KRDVt8N4h/EcbduU7xeq/RjxZSmlc1q6EWEgDv3KwDYY0sX+qrpQKa -ub5AgsRa2fOOR9xfyf0Q7Nc3oR3keWqQUiigCuaw9NQRtdMm/JFdXLNY3r60tBsO -UHOJAPZNoGPey5UL9ZjjsN6ROUVTh0NAkFwkmnTRwmUvY5bi/T7ulsSkO9BrfqKD -h/pliP7uZANd0ZpPcrIc68WwrelpI1zu0kYGqu/y8HZpuPuAXtGqS2jctrjSieeY -i9wFLnS2tgV3ID4LzEEICSeqVqOvYgGKbarqLkARdxmdRKM9QYpu+5J+YQIDAQAB -o4GvMIGsMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgEGMB0GA1UdDgQWBBR2 -KqikMafGcY8wJbwCZpvLF1SNIDBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p -891UIKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3 -YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBDzANBgkqhkiG9w0BAQsF -AAOCAQEAsHR1vDlz2sPQpD9xnt1PL4qX7XWSSM6d+QG3cjdiKCjH8t78ecEm1duv -YozLg6SYHGUF9qYuPz2SAZjQjmIWLlkQpBfQm8/orG+jbsQl5HkXFYX0UWAKZFGx -rjHnOzmQxnmIWHky4uMDT/UmhmWy6kuCmZbKeeOqkBR2gVxfLyzelTSbF4ntEm1C -1XqqtM4OfTOD5QUPD+6rZ5RoIPId9+2A8pJ2NyCUCf47FbkmYzU5+oiChhcGzsC5 -wDlgP32NA88kSiSJ2p2ZveYveRqcyZXZDAiTxRaIwJY0bt2Dk4wKicvy6vPdLA5v -DSlBqDpnqK8tEI9V9YeroihTcygrEg== ------END CERTIFICATE----- diff --git a/testing/tests/ikev1/multi-level-ca-pathlen/posttest.dat b/testing/tests/ikev1/multi-level-ca-pathlen/posttest.dat deleted file mode 100644 index f84b7e37b..000000000 --- a/testing/tests/ikev1/multi-level-ca-pathlen/posttest.dat +++ /dev/null @@ -1,3 +0,0 @@ -moon::ipsec stop -carol::ipsec stop -moon::rm /etc/ipsec.d/cacerts/* diff --git a/testing/tests/ikev1/multi-level-ca-pathlen/pretest.dat b/testing/tests/ikev1/multi-level-ca-pathlen/pretest.dat deleted file mode 100644 index 9f0232a7b..000000000 --- a/testing/tests/ikev1/multi-level-ca-pathlen/pretest.dat +++ /dev/null @@ -1,5 +0,0 @@ -moon::echo 1 > /proc/sys/net/ipv4/ip_forward -carol::ipsec start -moon::ipsec start -carol::sleep 2 -carol::ipsec up home diff --git a/testing/tests/ikev1/multi-level-ca-pathlen/test.conf b/testing/tests/ikev1/multi-level-ca-pathlen/test.conf deleted file mode 100644 index b118cb7dc..000000000 --- a/testing/tests/ikev1/multi-level-ca-pathlen/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# UML instances used for this test - -# All UML instances that are required for this test -# -UMLHOSTS="alice venus moon carol winnetou" - -# Corresponding block diagram -# -DIAGRAM="a-m-c-w.png" - -# UML instances on which tcpdump is to be started -# -TCPDUMPHOSTS="" - -# UML instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev1/multi-level-ca-revoked/description.txt b/testing/tests/ikev1/multi-level-ca-revoked/description.txt deleted file mode 100644 index c91ac285b..000000000 --- a/testing/tests/ikev1/multi-level-ca-revoked/description.txt +++ /dev/null @@ -1,4 +0,0 @@ -The roadwarrior <b>carol</b> possesses a certificate issued by the Research CA. -The certificate of the Research CA has been revoked by the Root CA by entering -the serial number in the CRL. Therefore upon verification of the trust path -the gateway <b>moon</b> will reject the roadwarrior's certificate diff --git a/testing/tests/ikev1/multi-level-ca-revoked/evaltest.dat b/testing/tests/ikev1/multi-level-ca-revoked/evaltest.dat deleted file mode 100644 index 0fd1cae8c..000000000 --- a/testing/tests/ikev1/multi-level-ca-revoked/evaltest.dat +++ /dev/null @@ -1,6 +0,0 @@ -moon::cat /var/log/auth.log::X.509 certificate rejected::YES -moon::cat /var/log/auth.log::certificate was revoked::YES -carol::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES -moon::ipsec listcrls:: ok::YES -moon::ipsec status::rw.*STATE_MAIN_R3.*ISAKMP SA established::NO -carol::ipsec status::home.*STATE_MAIN_I4.*ISAKMP SA established::NO diff --git a/testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.conf deleted file mode 100755 index b4bc2101c..000000000 --- a/testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,23 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=yes - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - left=PH_IP_CAROL - leftcert=carolCert.pem - leftid=carol@strongswan.org - -conn home - right=PH_IP_MOON - rightsubnet=10.1.0.0/16 - rightid=@moon.strongswan.org - auto=add diff --git a/testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.d/certs/carolCert.pem deleted file mode 100644 index 69e5c05e3..000000000 --- a/testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.d/certs/carolCert.pem +++ /dev/null @@ -1,25 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIELDCCAxSgAwIBAgIBBjANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ -MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS -BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTEwMDQwNzA5MjA1N1oXDTE1MDQwNjA5MjA1 -N1owWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP -BgNVBAsTCFJlc2VhcmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCC -ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOio9tKOkESjZumThDvt1aFy -dPDPNAhNrIon8aCvZMxFQBXsams1LOL47UKQEeOJcDUQ1s90P05vAwX+TwOA2nBD -hgVBe8c+RsBRfERmxcszK7dgj5yrjwbJFrUJPem04KEPnrR7LpT5s7+z1n+pZYr9 -HyJTvYJd3c968frowQW98mgEJG9xs2LfaqTV3RES1B9vIeQGWh64DSrF6Xy/HY+n -3MeSMGZ3UJoXS6YZIxvGNd7heB/2xxv3Vv0TNyGikmP8Z5ibgN5jn7mQkU9SM9Qz -Qb2ZY1m3Dn93cbJ5w3AXeClhJhoze6UvhVs4e/ASuJb6b9NLML4eB0BMCZD66Y8C -AwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBTE -AO+W2V1eu0sjCQcfemzz9lSRvTBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p -891UIKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3 -YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBIDAfBgNVHREEGDAWgRRj -YXJvbEBzdHJvbmdzd2FuLm9yZzA3BgNVHR8EMDAuMCygKqAohiZodHRwOi8vY3Js -LnN0cm9uZ3N3YW4ub3JnL3Jlc2VhcmNoLmNybDANBgkqhkiG9w0BAQsFAAOCAQEA -ajgFI8Kz611i0Ihu8+M1C2W1kFbL4EoYyon3trjRZ3Iqz6ksf9KSKCS6Fiylq4DG -il0mtMtlP+HKcXzRgSY96M4CO73w26liwmZsFBNaZKI/5vKRPPLyU9raGshfpBeC -CywZ4vcb+EViIPstzOYiK5y/1tSGsMEdnlX2JZsJAKhbLRTmC02O3MbGGBQQq1eU -n1xkR8pndTWTJmFZ61fZlUMSwLgLF9/VchAa7cIdEA044OCtTdabiYoyLFmqDutq -8GYvWOzLf2qOKcRxkHxPfeJDrWOLePEYnaMkSBkUKAUIkI+LaJbWF3ASTGgHqh2/ -pwU12A3BovJKUaR0B7Uy2A== ------END CERTIFICATE----- diff --git a/testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.d/private/carolKey.pem deleted file mode 100644 index 53e18680b..000000000 --- a/testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.d/private/carolKey.pem +++ /dev/null @@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEpQIBAAKCAQEA6Kj20o6QRKNm6ZOEO+3VoXJ08M80CE2siifxoK9kzEVAFexq -azUs4vjtQpAR44lwNRDWz3Q/Tm8DBf5PA4DacEOGBUF7xz5GwFF8RGbFyzMrt2CP -nKuPBskWtQk96bTgoQ+etHsulPmzv7PWf6lliv0fIlO9gl3dz3rx+ujBBb3yaAQk -b3GzYt9qpNXdERLUH28h5AZaHrgNKsXpfL8dj6fcx5IwZndQmhdLphkjG8Y13uF4 -H/bHG/dW/RM3IaKSY/xnmJuA3mOfuZCRT1Iz1DNBvZljWbcOf3dxsnnDcBd4KWEm -GjN7pS+FWzh78BK4lvpv00swvh4HQEwJkPrpjwIDAQABAoIBAQCGhpwg5znX1jt9 -N0SwejaaIVoom0ZUvsTTJYF7Da9UxX3mr0phLuADZTea0z7kt+VfaZsrXOX17g5r -er4pImorm390roZpkELMlNEro9keQzo1z+l6B2Ct5bvxdaSM638u4Z88cDVhAnjC -kbOnIUWLdgx4hr7/EFNe0pH0KHzjWfS4YMUXZFYER3W+lQ68j3U/iFdCsMdABrLV -BnKozAUOWTHeZc+8Ca0MFWChrj9b2DCs2M0ASgAx5s9CNo1dIbqwJmb7OLlwm3G+ -Xx0JzN7eOOZdiFSPcyNoRwE6rKvrs2GtQ9LqWdkvVEuFjyIkl97cnoOkRIj5bAvN -DfjfjmeBAoGBAP9rdEPjprVbEeAS+acLc/6oWlGqo23nO31IuUWHT10yxf0E5FIp -waLJchqT+jD5tYehfZ1+OVtYiWWKBJIXnVK+a4rc/GIRWX/BRHMtWeenv7wR72pt -1GRxp7yTZtj1AeJhuXcSHpntAo0kG6gHC/+FvbrNgyuSYn9siIa+C5RhAoGBAOkw -RgOX7hXYzOSATbKZcnNFdPECYaBDjXV/Rcg966Ng4UcxWl3vJRYf3A55ehmc2Jdm -CSqt6CrsR/RxKrljsCe7gD/GGEktV7fknnXC5Bfx3hUXQ4rATLx8xwlae+wc+ANM -eaY1HB0KOGGGH2kT4l4UFChgnfpZN+vpel/cFkPvAoGBAJPqZZVfQ87o44wxUPSl -FFKYql17BVQDQhdGw0x5lMNzQOdLKvJODj44jOTJZ21vXuoh4n4PeCXnOwJbkFQO -auRdNChh26LrSzpJ8VsGG3elVMsUU+L9oa9dhncVoczo7mNslpxXGPOpJv4XuBBx -rEgY6oxAscLM7k++yb3GVyxhAoGBAMK6lT0a+q8zxKZsnnWuvmyUa/t3SZ9TyiV8 -iwGU89oTZQzWoegfdJDtOg68UsJgwF5tzundICv39H6kolD+dnQ3l/mpq04wlzfx -qoIcpe15BUQHkVelDm+4o12kOigKaPIYQt4RK9D0X/DQ2BofiMGXct3lEQemyZQv -/Qlf+RfxAoGABBRf9DcyA/RdmTszqebfPPNmx7iHaNbrZ3Xbvyv3P5LkzXlFLTvA -hDz/UqnVM7Bwe1OGeJYkXfmijRjpJ+U8dteb2YzZ3tnlzKwifz+051/LcjavX9X2 -5PuEB2Y65V0OWImIFVlLnp3MRyE4bImveBliWrTRQUVsxQt2WIDgThw= ------END RSA PRIVATE KEY----- diff --git a/testing/tests/ikev1/multi-level-ca-revoked/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem b/testing/tests/ikev1/multi-level-ca-revoked/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem deleted file mode 100644 index c380a5110..000000000 --- a/testing/tests/ikev1/multi-level-ca-revoked/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem +++ /dev/null @@ -1,23 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDwTCCAqmgAwIBAgIBDDANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJDSDEZ -MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS -b290IENBMB4XDTA1MDMyMzA2MjUzNloXDTE0MDMyMTA2MjUzNlowUTELMAkGA1UE -BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh -cmNoMRQwEgYDVQQDEwtSZXNlYXJjaCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP -ADCCAQoCggEBALY5sjqm4AdbWKc/T7JahWpy9xtdPbHngBN6lbnpYaHfrxnGsvmD -FCFZHCd7egRqQ/AuJHHcEv3DUdfJWWAypVnUvdlcp58hBjpxfTPXP9IDBxzQaQyU -zsExIGWOVUY2e7xJ5BKBnXVkok3htY4Hr1GdqNh+3LEmbegJBngTRSRx4PKJ54FO -/b78LUzB+rMxrzxw/lnI8jEmAtKlugQ7c9auMeFCz+NmlSfnSoWhHN5qm+0iNKy0 -C+25IuE8Nq+i3jtBiI8BwBqHY3u2IuflUh9Nc9d/R6vGsRPMHs30X1Ha/m0Ug494 -+wwqwfEBZRjzxMmMF/1SG4I1E3TDOJ3srjkCAwEAAaOBrzCBrDAPBgNVHRMBAf8E -BTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU53XwoPKtIM3NYCPMx8gPKfPd -VCAwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNV -BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJv -bmdTd2FuIFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQEFBQADggEBAA4jpa5Vc/q94/X1 -LAHO2m7v2AFPl68SwspZLbCL7Le+iv5BUQ814Y9qCXMySak+NpZ5RLzm/cC+3GCa -6eyozhZnS5LDxIgtStXWaC3vIQKQhJMwnc43RgcqneqqS5/H5zNXz/f0g/bRG8bN -T6nO0ZRdpy8Zu0+fH3f/u9/sQPRX3iNL/rd3x/UVLoowkQHdKzZfjcrFm+8CPl4r -9xOKjzC6epPY2ApfXmLodd0zemf84CKSJCXfkVlk0cYw1YLKUINnHToFfDAw0kCL -cVc7wHWZlzSVSE3u0PYXVssnsm08RWqAGPL3TO09fnUntNMzlIxNpOTuWsKVXZPq -YO2C4HE= ------END CERTIFICATE----- diff --git a/testing/tests/ikev1/multi-level-ca-revoked/posttest.dat b/testing/tests/ikev1/multi-level-ca-revoked/posttest.dat deleted file mode 100644 index f84b7e37b..000000000 --- a/testing/tests/ikev1/multi-level-ca-revoked/posttest.dat +++ /dev/null @@ -1,3 +0,0 @@ -moon::ipsec stop -carol::ipsec stop -moon::rm /etc/ipsec.d/cacerts/* diff --git a/testing/tests/ikev1/multi-level-ca-revoked/pretest.dat b/testing/tests/ikev1/multi-level-ca-revoked/pretest.dat deleted file mode 100644 index d92333d86..000000000 --- a/testing/tests/ikev1/multi-level-ca-revoked/pretest.dat +++ /dev/null @@ -1,4 +0,0 @@ -moon::ipsec start -carol::ipsec start -carol::sleep 2 -carol::ipsec up home diff --git a/testing/tests/ikev1/multi-level-ca-revoked/test.conf b/testing/tests/ikev1/multi-level-ca-revoked/test.conf deleted file mode 100644 index 2b240d895..000000000 --- a/testing/tests/ikev1/multi-level-ca-revoked/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# UML instances used for this test - -# All UML instances that are required for this test -# -UMLHOSTS="moon carol winnetou" - -# Corresponding block diagram -# -DIAGRAM="m-c-w.png" - -# UML instances on which tcpdump is to be started -# -TCPDUMPHOSTS="" - -# UML instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev1/multi-level-ca-strict/description.txt b/testing/tests/ikev1/multi-level-ca-strict/description.txt deleted file mode 100644 index 32413e3de..000000000 --- a/testing/tests/ikev1/multi-level-ca-strict/description.txt +++ /dev/null @@ -1,10 +0,0 @@ -The VPN gateway <b>moon</b> controls the access to the hosts <b>alice</b> and -<b>venus</b> by means of two different Intermediate CAs. Access to -<b>alice</b> is granted to users presenting a certificate issued by the Research CA -whereas <b>venus</b> can only be reached with a certificate issued by the -Sales CA. The roadwarriors <b>carol</b> and <b>dave</b> have certificates from -the Research CA and Sales CA, respectively. Therefore <b>carol</b> can access -<b>alice</b> and <b>dave</b> can reach <b>venus</b>. -<p> -By setting <b>strictcrlpolicy=yes</b> the CRLs from the strongSwan, Research and -Sales CAs must be fetched first, before the connection setups can be successfully completed. diff --git a/testing/tests/ikev1/multi-level-ca-strict/evaltest.dat b/testing/tests/ikev1/multi-level-ca-strict/evaltest.dat deleted file mode 100644 index 5a181a62d..000000000 --- a/testing/tests/ikev1/multi-level-ca-strict/evaltest.dat +++ /dev/null @@ -1,12 +0,0 @@ -moon::cat /var/log/auth.log::PH_IP_CAROL.*X.509 certificate rejected::YES -carol::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES -moon::cat /var/log/auth.log::PH_IP_DAVE.*X.509 certificate rejected::YES -dave::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES -carol::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::YES -moon::ipsec status::alice.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::YES -carol::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::NO -moon::ipsec status::venus.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::NO -dave::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::YES -moon::ipsec status::venus.*PH_IP_DAVE.*STATE_QUICK_R2.*IPsec SA established::YES -dave::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::NO -moon::ipsec status::alice.*PH_IP_DAVE.*STATE_QUICK_R2.*IPsec SA established::NO diff --git a/testing/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.conf deleted file mode 100755 index cf93bb231..000000000 --- a/testing/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,31 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - left=PH_IP_CAROL - leftcert=carolCert.pem - right=PH_IP_MOON - rightid=@moon.strongswan.org - -conn alice - rightsubnet=PH_IP_ALICE/32 - auto=add - -conn venus - rightsubnet=PH_IP_VENUS/32 - auto=add - - - - - diff --git a/testing/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.d/certs/carolCert.pem deleted file mode 100644 index 69e5c05e3..000000000 --- a/testing/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.d/certs/carolCert.pem +++ /dev/null @@ -1,25 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIELDCCAxSgAwIBAgIBBjANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ -MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS -BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTEwMDQwNzA5MjA1N1oXDTE1MDQwNjA5MjA1 -N1owWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP -BgNVBAsTCFJlc2VhcmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCC -ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOio9tKOkESjZumThDvt1aFy -dPDPNAhNrIon8aCvZMxFQBXsams1LOL47UKQEeOJcDUQ1s90P05vAwX+TwOA2nBD -hgVBe8c+RsBRfERmxcszK7dgj5yrjwbJFrUJPem04KEPnrR7LpT5s7+z1n+pZYr9 -HyJTvYJd3c968frowQW98mgEJG9xs2LfaqTV3RES1B9vIeQGWh64DSrF6Xy/HY+n -3MeSMGZ3UJoXS6YZIxvGNd7heB/2xxv3Vv0TNyGikmP8Z5ibgN5jn7mQkU9SM9Qz -Qb2ZY1m3Dn93cbJ5w3AXeClhJhoze6UvhVs4e/ASuJb6b9NLML4eB0BMCZD66Y8C -AwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBTE -AO+W2V1eu0sjCQcfemzz9lSRvTBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p -891UIKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3 -YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBIDAfBgNVHREEGDAWgRRj -YXJvbEBzdHJvbmdzd2FuLm9yZzA3BgNVHR8EMDAuMCygKqAohiZodHRwOi8vY3Js -LnN0cm9uZ3N3YW4ub3JnL3Jlc2VhcmNoLmNybDANBgkqhkiG9w0BAQsFAAOCAQEA -ajgFI8Kz611i0Ihu8+M1C2W1kFbL4EoYyon3trjRZ3Iqz6ksf9KSKCS6Fiylq4DG -il0mtMtlP+HKcXzRgSY96M4CO73w26liwmZsFBNaZKI/5vKRPPLyU9raGshfpBeC -CywZ4vcb+EViIPstzOYiK5y/1tSGsMEdnlX2JZsJAKhbLRTmC02O3MbGGBQQq1eU -n1xkR8pndTWTJmFZ61fZlUMSwLgLF9/VchAa7cIdEA044OCtTdabiYoyLFmqDutq -8GYvWOzLf2qOKcRxkHxPfeJDrWOLePEYnaMkSBkUKAUIkI+LaJbWF3ASTGgHqh2/ -pwU12A3BovJKUaR0B7Uy2A== ------END CERTIFICATE----- diff --git a/testing/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.d/private/carolKey.pem deleted file mode 100644 index 53e18680b..000000000 --- a/testing/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.d/private/carolKey.pem +++ /dev/null @@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEpQIBAAKCAQEA6Kj20o6QRKNm6ZOEO+3VoXJ08M80CE2siifxoK9kzEVAFexq -azUs4vjtQpAR44lwNRDWz3Q/Tm8DBf5PA4DacEOGBUF7xz5GwFF8RGbFyzMrt2CP -nKuPBskWtQk96bTgoQ+etHsulPmzv7PWf6lliv0fIlO9gl3dz3rx+ujBBb3yaAQk -b3GzYt9qpNXdERLUH28h5AZaHrgNKsXpfL8dj6fcx5IwZndQmhdLphkjG8Y13uF4 -H/bHG/dW/RM3IaKSY/xnmJuA3mOfuZCRT1Iz1DNBvZljWbcOf3dxsnnDcBd4KWEm -GjN7pS+FWzh78BK4lvpv00swvh4HQEwJkPrpjwIDAQABAoIBAQCGhpwg5znX1jt9 -N0SwejaaIVoom0ZUvsTTJYF7Da9UxX3mr0phLuADZTea0z7kt+VfaZsrXOX17g5r -er4pImorm390roZpkELMlNEro9keQzo1z+l6B2Ct5bvxdaSM638u4Z88cDVhAnjC -kbOnIUWLdgx4hr7/EFNe0pH0KHzjWfS4YMUXZFYER3W+lQ68j3U/iFdCsMdABrLV -BnKozAUOWTHeZc+8Ca0MFWChrj9b2DCs2M0ASgAx5s9CNo1dIbqwJmb7OLlwm3G+ -Xx0JzN7eOOZdiFSPcyNoRwE6rKvrs2GtQ9LqWdkvVEuFjyIkl97cnoOkRIj5bAvN -DfjfjmeBAoGBAP9rdEPjprVbEeAS+acLc/6oWlGqo23nO31IuUWHT10yxf0E5FIp -waLJchqT+jD5tYehfZ1+OVtYiWWKBJIXnVK+a4rc/GIRWX/BRHMtWeenv7wR72pt -1GRxp7yTZtj1AeJhuXcSHpntAo0kG6gHC/+FvbrNgyuSYn9siIa+C5RhAoGBAOkw -RgOX7hXYzOSATbKZcnNFdPECYaBDjXV/Rcg966Ng4UcxWl3vJRYf3A55ehmc2Jdm -CSqt6CrsR/RxKrljsCe7gD/GGEktV7fknnXC5Bfx3hUXQ4rATLx8xwlae+wc+ANM -eaY1HB0KOGGGH2kT4l4UFChgnfpZN+vpel/cFkPvAoGBAJPqZZVfQ87o44wxUPSl -FFKYql17BVQDQhdGw0x5lMNzQOdLKvJODj44jOTJZ21vXuoh4n4PeCXnOwJbkFQO -auRdNChh26LrSzpJ8VsGG3elVMsUU+L9oa9dhncVoczo7mNslpxXGPOpJv4XuBBx -rEgY6oxAscLM7k++yb3GVyxhAoGBAMK6lT0a+q8zxKZsnnWuvmyUa/t3SZ9TyiV8 -iwGU89oTZQzWoegfdJDtOg68UsJgwF5tzundICv39H6kolD+dnQ3l/mpq04wlzfx -qoIcpe15BUQHkVelDm+4o12kOigKaPIYQt4RK9D0X/DQ2BofiMGXct3lEQemyZQv -/Qlf+RfxAoGABBRf9DcyA/RdmTszqebfPPNmx7iHaNbrZ3Xbvyv3P5LkzXlFLTvA -hDz/UqnVM7Bwe1OGeJYkXfmijRjpJ+U8dteb2YzZ3tnlzKwifz+051/LcjavX9X2 -5PuEB2Y65V0OWImIFVlLnp3MRyE4bImveBliWrTRQUVsxQt2WIDgThw= ------END RSA PRIVATE KEY----- diff --git a/testing/tests/ikev1/multi-level-ca-strict/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca-strict/hosts/dave/etc/ipsec.conf deleted file mode 100755 index 5f04445d2..000000000 --- a/testing/tests/ikev1/multi-level-ca-strict/hosts/dave/etc/ipsec.conf +++ /dev/null @@ -1,31 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - left=PH_IP_DAVE - leftcert=daveCert.pem - right=PH_IP_MOON - rightid=@moon.strongswan.org - -conn alice - rightsubnet=PH_IP_ALICE/32 - auto=add - -conn venus - rightsubnet=PH_IP_VENUS/32 - auto=add - - - - - diff --git a/testing/tests/ikev1/multi-level-ca-strict/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem b/testing/tests/ikev1/multi-level-ca-strict/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem deleted file mode 100644 index d53365f78..000000000 --- a/testing/tests/ikev1/multi-level-ca-strict/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem +++ /dev/null @@ -1,23 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDwTCCAqmgAwIBAgIBIDANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ -MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS -b290IENBMB4XDTEwMDQwNjA5NTM1MFoXDTE5MDQwNDA5NTM1MFowUTELMAkGA1UE -BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh -cmNoMRQwEgYDVQQDEwtSZXNlYXJjaCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP -ADCCAQoCggEBALY5sjqm4AdbWKc/T7JahWpy9xtdPbHngBN6lbnpYaHfrxnGsvmD -FCFZHCd7egRqQ/AuJHHcEv3DUdfJWWAypVnUvdlcp58hBjpxfTPXP9IDBxzQaQyU -zsExIGWOVUY2e7xJ5BKBnXVkok3htY4Hr1GdqNh+3LEmbegJBngTRSRx4PKJ54FO -/b78LUzB+rMxrzxw/lnI8jEmAtKlugQ7c9auMeFCz+NmlSfnSoWhHN5qm+0iNKy0 -C+25IuE8Nq+i3jtBiI8BwBqHY3u2IuflUh9Nc9d/R6vGsRPMHs30X1Ha/m0Ug494 -+wwqwfEBZRjzxMmMF/1SG4I1E3TDOJ3srjkCAwEAAaOBrzCBrDAPBgNVHRMBAf8E -BTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU53XwoPKtIM3NYCPMx8gPKfPd -VCAwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNV -BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJv -bmdTd2FuIFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQELBQADggEBAI1toW0bLcyBXAoy -FeLKGy4SibcNBZs/roChcwUav0foyLdCYMYFKEeHOLvIsTIjifpY4MPy3SBgQ5Xp -cs5vOFwW97jM6YfByqjx4+7qTBqOaLMXBbeJ3LIwQyJirpqHZzlsOscchxCjcMAM -POBGmWjpdOqULoLlwX9EFhBA2rEZB1iamgbUJ5M5eRNEubm8xR6Baw/0ORz/tt+t -xC9jxcjHoJnOFV0ss7Xs3d32PqhvKGgBxjVLZyq3zD/rMG2xXVyKPU46zelMCP1U -dsM62tL1cwAi4soka02GQrP/rwBhHt22bJMN4gNs5NSvhTdjjgwVYzLu63IFYBvW -8sFmiZI= ------END CERTIFICATE----- diff --git a/testing/tests/ikev1/multi-level-ca-strict/posttest.dat b/testing/tests/ikev1/multi-level-ca-strict/posttest.dat deleted file mode 100644 index 1646d5ed2..000000000 --- a/testing/tests/ikev1/multi-level-ca-strict/posttest.dat +++ /dev/null @@ -1,5 +0,0 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop -moon::rm /etc/ipsec.d/cacerts/* - diff --git a/testing/tests/ikev1/multi-level-ca-strict/test.conf b/testing/tests/ikev1/multi-level-ca-strict/test.conf deleted file mode 100644 index 08e5cc145..000000000 --- a/testing/tests/ikev1/multi-level-ca-strict/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# UML instances used for this test - -# All UML instances that are required for this test -# -UMLHOSTS="alice venus moon carol winnetou dave" - -# Corresponding block diagram -# -DIAGRAM="a-v-m-c-w-d.png" - -# UML instances on which tcpdump is to be started -# -TCPDUMPHOSTS="" - -# UML instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev1/multi-level-ca/evaltest.dat b/testing/tests/ikev1/multi-level-ca/evaltest.dat index 72f620b8e..ede771fb6 100644 --- a/testing/tests/ikev1/multi-level-ca/evaltest.dat +++ b/testing/tests/ikev1/multi-level-ca/evaltest.dat @@ -1,12 +1,18 @@ -carol::cat /var/log/auth.log::alice.*we have a cert and are sending it upon request::YES -moon::cat /var/log/auth.log::alice.*we have a cert and are sending it upon request::YES -dave::cat /var/log/auth.log::venus.*we have a cert and are sending it upon request::YES -moon::cat /var/log/auth.log::venus.*we have a cert and are sending it upon request::YES -carol::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::YES -moon::ipsec status::alice.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::YES -carol::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::NO -moon::ipsec status::venus.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::NO -dave::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::YES -moon::ipsec status::venus.*PH_IP_DAVE.*STATE_QUICK_R2.*IPsec SA established::YES -dave::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::NO -moon::ipsec status::alice.*PH_IP_DAVE.*STATE_QUICK_R2.*IPsec SA established::NO +moon:: cat /var/log/daemon.log::fetching crl from.*http.*research.crl::YES +moon:: cat /var/log/daemon.log::crl correctly signed by.*Research CA::YES +moon:: cat /var/log/daemon.log::fetching crl from.*http.*sales.crl::YES +moon:: cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES +moon:: cat /var/log/daemon.log::fetching crl from.*http.*strongswan.crl::YES +moon:: cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES +carol::ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::alice.*ESTABLISHED.*carol@strongswan.org::YES +carol::cat /var/log/daemon.log::received INVALID_ID_INFORMATION error notify::YES +carol::ipsec status 2> /dev/null::venus.*INSTALLED::NO +moon:: ipsec status 2> /dev/null::venus.*ESTABLISHED.*carol@strongswan.org::NO +moon:: cat /var/log/daemon.log::constraint check failed: peer not authenticated by.*Research CA::YES +moon:: cat /var/log/daemon.log::switching to peer config.*venus::YES +dave:: ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::venus.*ESTABLISHED.*dave@strongswan.org::YES +dave:: cat /var/log/daemon.log::received INVALID_ID_INFORMATION error notify::YES +dave:: ipsec status 2> /dev/null::alice.*INSTALLED::NO +moon:: ipsec status 2> /dev/null::alice.*ESTABLISHED.*dave@strongswan.org::NO diff --git a/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.conf index d11724c28..3df94ba2d 100755..100644 --- a/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/ipsec.conf @@ -1,10 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no conn %default ikelifetime=60m @@ -17,6 +13,7 @@ conn %default leftsendcert=ifasked right=PH_IP_MOON rightid=@moon.strongswan.org + rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA" conn alice rightsubnet=PH_IP_ALICE/32 @@ -25,8 +22,3 @@ conn alice conn venus rightsubnet=PH_IP_VENUS/32 auto=add - - - - - diff --git a/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..85d8c191f --- /dev/null +++ b/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default +} diff --git a/testing/tests/ikev1/multi-level-ca/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca/hosts/dave/etc/ipsec.conf index 2d80aad8a..28389112a 100755..100644 --- a/testing/tests/ikev1/multi-level-ca/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev1/multi-level-ca/hosts/dave/etc/ipsec.conf @@ -1,10 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no conn %default ikelifetime=60m @@ -17,6 +13,7 @@ conn %default leftsendcert=ifasked right=PH_IP_MOON rightid=@moon.strongswan.org + rightca="C=CH, O=Linux strongSwan, CN=strongSwan Root CA" conn alice rightsubnet=PH_IP_ALICE/32 @@ -25,8 +22,3 @@ conn alice conn venus rightsubnet=PH_IP_VENUS/32 auto=add - - - - - diff --git a/testing/tests/ikev1/multi-level-ca/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/multi-level-ca/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..85d8c191f --- /dev/null +++ b/testing/tests/ikev1/multi-level-ca/hosts/dave/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default +} diff --git a/testing/tests/ikev1/multi-level-ca/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/multi-level-ca/hosts/moon/etc/ipsec.conf index 9b97015fd..2dfd40f99 100755..100644 --- a/testing/tests/ikev1/multi-level-ca/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/multi-level-ca/hosts/moon/etc/ipsec.conf @@ -1,10 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no ca strongswan cacert=strongswanCert.pem @@ -33,4 +29,3 @@ conn venus right=%any rightca="C=CH, O=Linux strongSwan, OU=Sales, CN=Sales CA" auto=add - diff --git a/testing/tests/ikev1/multi-level-ca/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/multi-level-ca/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..85d8c191f --- /dev/null +++ b/testing/tests/ikev1/multi-level-ca/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default +} diff --git a/testing/tests/ikev1/multi-level-ca/pretest.dat b/testing/tests/ikev1/multi-level-ca/pretest.dat index 67c50c2ef..755564cbc 100644 --- a/testing/tests/ikev1/multi-level-ca/pretest.dat +++ b/testing/tests/ikev1/multi-level-ca/pretest.dat @@ -1,4 +1,3 @@ -moon::echo 1 > /proc/sys/net/ipv4/ip_forward carol::ipsec start dave::ipsec start moon::ipsec start diff --git a/testing/tests/ikev1/multi-level-ca/test.conf b/testing/tests/ikev1/multi-level-ca/test.conf index 08e5cc145..9bb88d79f 100644 --- a/testing/tests/ikev1/multi-level-ca/test.conf +++ b/testing/tests/ikev1/multi-level-ca/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice venus moon carol winnetou dave" +VIRTHOSTS="alice venus moon carol winnetou dave" # Corresponding block diagram # DIAGRAM="a-v-m-c-w-d.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev1/nat-before-esp/description.txt b/testing/tests/ikev1/nat-before-esp/description.txt deleted file mode 100644 index e42ace476..000000000 --- a/testing/tests/ikev1/nat-before-esp/description.txt +++ /dev/null @@ -1,6 +0,0 @@ -An IPsec tunnel connecting the gateway <b>moon</b> with the subnet behind -gateway <b>sun</b> is set up. This host-to-net connection can also be -used by the clients <b>alice</b> and <b>venus</b> via the trick of NAT-ing -them to the outer IP address of gateway <b>moon</b> prior to tunnelling. -The IPsec tunnel is first tested by <b>moon</b> pinging <b>bob</b> and vice versa, -followed by the NAT-ed clients <b>alice</b> and <b>venus</b> pinging <b>bob</b>. diff --git a/testing/tests/ikev1/nat-before-esp/evaltest.dat b/testing/tests/ikev1/nat-before-esp/evaltest.dat deleted file mode 100644 index d466038ed..000000000 --- a/testing/tests/ikev1/nat-before-esp/evaltest.dat +++ /dev/null @@ -1,9 +0,0 @@ -moon::ipsec status::host-net.*STATE_QUICK_I2.*IPsec SA established::YES -sun::ipsec status::host-net.*STATE_QUICK_R2.*IPsec SA established::YES -moon::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES -bob::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_seq=1::YES -alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES -venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES -sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES -sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES -bob::tcpdump::ICMP::YES diff --git a/testing/tests/ikev1/nat-before-esp/hosts/moon/etc/init.d/iptables b/testing/tests/ikev1/nat-before-esp/hosts/moon/etc/init.d/iptables deleted file mode 100755 index f87ec0e58..000000000 --- a/testing/tests/ikev1/nat-before-esp/hosts/moon/etc/init.d/iptables +++ /dev/null @@ -1,83 +0,0 @@ -#!/sbin/runscript -# Copyright 1999-2004 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 - -opts="start stop reload" - -depend() { - before net - need logger -} - -start() { - ebegin "Starting firewall" - - # enable IP forwarding - echo 1 > /proc/sys/net/ipv4/ip_forward - - # default policy is DROP - /sbin/iptables -P INPUT DROP - /sbin/iptables -P OUTPUT DROP - /sbin/iptables -P FORWARD DROP - - # NAT traffic from 10.1.0.0/16 - iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -j MASQUERADE - - # forward traffic from 10.1.0.0/16 to POSTROUTING chain - iptables -A FORWARD -i eth1 -o eth0 -s 10.1.0.0/16 -d 10.2.0.0/16 -j ACCEPT - iptables -A FORWARD -o eth1 -i eth0 -d 10.1.0.0/16 -s 10.2.0.0/16 -j ACCEPT - - # allow esp - iptables -A INPUT -i eth0 -p 50 -j ACCEPT - iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT - - # allow IKE - iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT - - # allow crl fetch from winnetou - iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT - iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT - - # allow ssh - iptables -A INPUT -p tcp --dport 22 -j ACCEPT - iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT - - eend $? -} - -stop() { - ebegin "Stopping firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - - if [ $a == nat ]; then - /sbin/iptables -t nat -P PREROUTING ACCEPT - /sbin/iptables -t nat -P POSTROUTING ACCEPT - /sbin/iptables -t nat -P OUTPUT ACCEPT - elif [ $a == mangle ]; then - /sbin/iptables -t mangle -P PREROUTING ACCEPT - /sbin/iptables -t mangle -P INPUT ACCEPT - /sbin/iptables -t mangle -P FORWARD ACCEPT - /sbin/iptables -t mangle -P OUTPUT ACCEPT - /sbin/iptables -t mangle -P POSTROUTING ACCEPT - elif [ $a == filter ]; then - /sbin/iptables -t filter -P INPUT ACCEPT - /sbin/iptables -t filter -P FORWARD ACCEPT - /sbin/iptables -t filter -P OUTPUT ACCEPT - fi - done - eend $? -} - -reload() { - ebegin "Flushing firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - done; - eend $? - start -} - diff --git a/testing/tests/ikev1/nat-before-esp/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/nat-before-esp/hosts/moon/etc/ipsec.conf deleted file mode 100755 index 1ee1b7749..000000000 --- a/testing/tests/ikev1/nat-before-esp/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,24 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - -conn host-net - left=192.168.0.1 - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftfirewall=yes - right=192.168.0.2 - rightsubnet=10.2.0.0/16 - rightid=@sun.strongswan.org - auto=add diff --git a/testing/tests/ikev1/nat-before-esp/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/nat-before-esp/hosts/sun/etc/ipsec.conf deleted file mode 100755 index 57496e10e..000000000 --- a/testing/tests/ikev1/nat-before-esp/hosts/sun/etc/ipsec.conf +++ /dev/null @@ -1,24 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - nat_traversal=yes - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - -conn host-net - left=192.168.0.2 - leftcert=sunCert.pem - leftid=@sun.strongswan.org - leftfirewall=yes - leftsubnet=10.2.0.0/16 - right=%any - auto=add diff --git a/testing/tests/ikev1/nat-before-esp/posttest.dat b/testing/tests/ikev1/nat-before-esp/posttest.dat deleted file mode 100644 index 307b96888..000000000 --- a/testing/tests/ikev1/nat-before-esp/posttest.dat +++ /dev/null @@ -1,5 +0,0 @@ -moon::iptables -t nat -v -n -L -moon::ipsec stop -sun::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -sun::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev1/nat-before-esp/pretest.dat b/testing/tests/ikev1/nat-before-esp/pretest.dat deleted file mode 100644 index 75565540a..000000000 --- a/testing/tests/ikev1/nat-before-esp/pretest.dat +++ /dev/null @@ -1,6 +0,0 @@ -moon::/etc/init.d/iptables start 2> /dev/null -sun::/etc/init.d/iptables start 2> /dev/null -moon::ipsec start -sun::ipsec start -moon::sleep 2 -moon::ipsec up host-net diff --git a/testing/tests/ikev1/nat-before-esp/test.conf b/testing/tests/ikev1/nat-before-esp/test.conf deleted file mode 100644 index 4234eaf63..000000000 --- a/testing/tests/ikev1/nat-before-esp/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# UML instances used for this test - -# All UML instances that are required for this test -# -UMLHOSTS="alice venus moon winnetou sun bob" - -# Corresponding block diagram -# -DIAGRAM="a-m-w-s-b.png" - -# UML instances on which tcpdump is to be started -# -TCPDUMPHOSTS="sun bob" - -# UML instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon sun" diff --git a/testing/tests/ikev1/nat-one-rw/description.txt b/testing/tests/ikev1/nat-one-rw/description.txt deleted file mode 100644 index c3b9bb820..000000000 --- a/testing/tests/ikev1/nat-one-rw/description.txt +++ /dev/null @@ -1,5 +0,0 @@ -The roadwarrior <b>alice</b> sitting behind the NAT router <b>moon</b> sets up a tunnel to -gateway <b>sun</b>. UDP encapsulation is used to traverse the NAT router. -<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass -the tunneled traffic. In order to test the tunnel, the NAT-ed host <b>alice</b> pings the -client <b>bob</b> behind the gateway <b>sun</b>. diff --git a/testing/tests/ikev1/nat-one-rw/evaltest.dat b/testing/tests/ikev1/nat-one-rw/evaltest.dat deleted file mode 100644 index bc193963d..000000000 --- a/testing/tests/ikev1/nat-one-rw/evaltest.dat +++ /dev/null @@ -1,5 +0,0 @@ -alice::ipsec status::nat-t.*STATE_QUICK_I2.*IPsec SA established::YES -sun::ipsec status::nat-t.*STATE_QUICK_R2.*IPsec SA established::YES -alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES -moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP::YES -moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP::YES diff --git a/testing/tests/ikev1/nat-one-rw/posttest.dat b/testing/tests/ikev1/nat-one-rw/posttest.dat deleted file mode 100644 index cd0d4df25..000000000 --- a/testing/tests/ikev1/nat-one-rw/posttest.dat +++ /dev/null @@ -1,6 +0,0 @@ -alice::ipsec stop -sun::ipsec stop -alice::/etc/init.d/iptables stop 2> /dev/null -sun::/etc/init.d/iptables stop 2> /dev/null -moon::iptables -t nat -F -moon::conntrack -F diff --git a/testing/tests/ikev1/nat-one-rw/pretest.dat b/testing/tests/ikev1/nat-one-rw/pretest.dat deleted file mode 100644 index 9dacc672c..000000000 --- a/testing/tests/ikev1/nat-one-rw/pretest.dat +++ /dev/null @@ -1,10 +0,0 @@ -alice::/etc/init.d/iptables start 2> /dev/null -sun::/etc/init.d/iptables start 2> /dev/null -moon::echo 1 > /proc/sys/net/ipv4/ip_forward -moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100 -moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100 -alice::ipsec start -sun::ipsec start -alice::sleep 5 -alice::ipsec up nat-t - diff --git a/testing/tests/ikev1/nat-one-rw/test.conf b/testing/tests/ikev1/nat-one-rw/test.conf deleted file mode 100644 index d84149aaf..000000000 --- a/testing/tests/ikev1/nat-one-rw/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# UML instances used for this test - -# All UML instances that are required for this test -# -UMLHOSTS="alice moon winnetou sun bob" - -# Corresponding block diagram -# -DIAGRAM="a-m-w-s-b.png" - -# UML instances on which tcpdump is to be started -# -TCPDUMPHOSTS="moon" - -# UML instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="alice sun" diff --git a/testing/tests/ikev1/nat-two-rw/description.txt b/testing/tests/ikev1/nat-rw/description.txt index dcf4b94bd..dcf4b94bd 100644 --- a/testing/tests/ikev1/nat-two-rw/description.txt +++ b/testing/tests/ikev1/nat-rw/description.txt diff --git a/testing/tests/ikev1/nat-rw/evaltest.dat b/testing/tests/ikev1/nat-rw/evaltest.dat new file mode 100644 index 000000000..387dbae23 --- /dev/null +++ b/testing/tests/ikev1/nat-rw/evaltest.dat @@ -0,0 +1,18 @@ +alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*sun.strongswan.org::YES +venus::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*venus.strongswan.org.*sun.strongswan.org::YES +sun:: ipsec status 2> /dev/null::nat-t\[1]: ESTABLISHED.*sun.strongswan.org.*alice@strongswan.org::YES +sun:: ipsec status 2> /dev/null::nat-t\[2]: ESTABLISHED.*sun.strongswan.org.*venus.strongswan.org::YES +alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES +venus::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES +sun:: ipsec status 2> /dev/null::nat-t[{]1}.*INSTALLED, TUNNEL, ESP in UDP::YES +sun:: ipsec status 2> /dev/null::nat-t[{]2}.*INSTALLED, TUNNEL, ESP in UDP::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES +venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES +moon:: sleep 6::no output expected::NO +bob:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +bob:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES +moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.4500: UDP-encap: ESP::YES +moon::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.*: UDP-encap: ESP::YES +moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.4500: isakmp-nat-keep-alive::YES +alice::cat /var/log/daemon.log::sending keep alive::YES +venus::cat /var/log/daemon.log::sending keep alive::YES diff --git a/testing/tests/ikev1/nat-two-rw-psk/hosts/alice/etc/ipsec.conf b/testing/tests/ikev1/nat-rw/hosts/alice/etc/ipsec.conf index eee3c45e8..df626c201 100755..100644 --- a/testing/tests/ikev1/nat-two-rw-psk/hosts/alice/etc/ipsec.conf +++ b/testing/tests/ikev1/nat-rw/hosts/alice/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug=control - nat_traversal=yes - charonstart=no conn %default ikelifetime=60m @@ -11,11 +8,13 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev1 - authby=secret conn nat-t - left=%defaultroute + left=%any + leftcert=aliceCert.pem + leftid=alice@strongswan.org leftfirewall=yes right=PH_IP_SUN + rightid=@sun.strongswan.org rightsubnet=10.2.0.0/16 auto=add diff --git a/testing/tests/ikev1/nat-rw/hosts/alice/etc/strongswan.conf b/testing/tests/ikev1/nat-rw/hosts/alice/etc/strongswan.conf new file mode 100644 index 000000000..dabff38e4 --- /dev/null +++ b/testing/tests/ikev1/nat-rw/hosts/alice/etc/strongswan.conf @@ -0,0 +1,7 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown + + keep_alive = 5 +} diff --git a/testing/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/nat-rw/hosts/sun/etc/ipsec.conf index a7c500fe2..c321102ce 100755..100644 --- a/testing/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ikev1/nat-rw/hosts/sun/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug=control - nat_traversal=yes - charonstart=no conn %default ikelifetime=60m @@ -11,12 +8,13 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev1 - authby=secret - + conn nat-t left=PH_IP_SUN - leftsubnet=10.2.0.0/16 + leftcert=sunCert.pem + leftid=@sun.strongswan.org leftfirewall=yes + leftsubnet=10.2.0.0/16 right=%any - rightsubnetwithin=10.1.0.0/16 + rightsubnet=10.1.0.0/16 auto=add diff --git a/testing/tests/ikev1/nat-rw/hosts/sun/etc/iptables.rules b/testing/tests/ikev1/nat-rw/hosts/sun/etc/iptables.rules new file mode 100644 index 000000000..ae8f9a61e --- /dev/null +++ b/testing/tests/ikev1/nat-rw/hosts/sun/etc/iptables.rules @@ -0,0 +1,24 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow IKE +-A INPUT -i eth0 -p udp --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow crl fetch from winnetou +-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT +-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + +COMMIT diff --git a/testing/tests/ikev1/nat-rw/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/nat-rw/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..ca23c6971 --- /dev/null +++ b/testing/tests/ikev1/nat-rw/hosts/sun/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ikev1/nat-two-rw-psk/hosts/venus/etc/ipsec.conf b/testing/tests/ikev1/nat-rw/hosts/venus/etc/ipsec.conf index eee3c45e8..6c627e0a6 100755..100644 --- a/testing/tests/ikev1/nat-two-rw-psk/hosts/venus/etc/ipsec.conf +++ b/testing/tests/ikev1/nat-rw/hosts/venus/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug=control - nat_traversal=yes - charonstart=no conn %default ikelifetime=60m @@ -11,11 +8,13 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev1 - authby=secret - + conn nat-t - left=%defaultroute + left=%any + leftcert=venusCert.pem + leftid=@venus.strongswan.org leftfirewall=yes right=PH_IP_SUN + rightid=@sun.strongswan.org rightsubnet=10.2.0.0/16 auto=add diff --git a/testing/tests/ikev1/nat-rw/hosts/venus/etc/strongswan.conf b/testing/tests/ikev1/nat-rw/hosts/venus/etc/strongswan.conf new file mode 100644 index 000000000..dabff38e4 --- /dev/null +++ b/testing/tests/ikev1/nat-rw/hosts/venus/etc/strongswan.conf @@ -0,0 +1,7 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown + + keep_alive = 5 +} diff --git a/testing/tests/ikev1/nat-rw/posttest.dat b/testing/tests/ikev1/nat-rw/posttest.dat new file mode 100644 index 000000000..4643a3a7b --- /dev/null +++ b/testing/tests/ikev1/nat-rw/posttest.dat @@ -0,0 +1,8 @@ +sun::ipsec stop +alice::ipsec stop +venus::ipsec stop +alice::iptables-restore < /etc/iptables.flush +venus::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush +moon::iptables -t nat -F +moon::conntrack -F diff --git a/testing/tests/ikev1/nat-two-rw/pretest.dat b/testing/tests/ikev1/nat-rw/pretest.dat index dd5259936..d701a1d61 100644 --- a/testing/tests/ikev1/nat-two-rw/pretest.dat +++ b/testing/tests/ikev1/nat-rw/pretest.dat @@ -1,13 +1,13 @@ -alice::/etc/init.d/iptables start 2> /dev/null -venus::/etc/init.d/iptables start 2> /dev/null -sun::/etc/init.d/iptables start 2> /dev/null -moon::echo 1 > /proc/sys/net/ipv4/ip_forward +alice::iptables-restore < /etc/iptables.rules +venus::iptables-restore < /etc/iptables.rules +sun::iptables-restore < /etc/iptables.rules moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100 alice::ipsec start venus::ipsec start sun::ipsec start -alice::sleep 5 +alice::sleep 2 alice::ipsec up nat-t -venus::sleep 5 +venus::sleep 2 venus::ipsec up nat-t +venus::sleep 2 diff --git a/testing/tests/ikev1/nat-rw/test.conf b/testing/tests/ikev1/nat-rw/test.conf new file mode 100644 index 000000000..f515d4bc7 --- /dev/null +++ b/testing/tests/ikev1/nat-rw/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice venus moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-v-m-w-s-b.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="alice venus sun" diff --git a/testing/tests/ikev1/nat-two-rw-mark/description.txt b/testing/tests/ikev1/nat-two-rw-mark/description.txt deleted file mode 100644 index 2a93d11d8..000000000 --- a/testing/tests/ikev1/nat-two-rw-mark/description.txt +++ /dev/null @@ -1,16 +0,0 @@ -The roadwarriors <b>alice</b> and <b>venus</b> sitting behind the NAT router <b>moon</b> set up -tunnels to gateway <b>sun</b>. UDP encapsulation is used to traverse the NAT router. -Since both roadwarriors possess the same 10.1.0.0/25 subnet, gateway <b>sun</b> uses Source NAT -after ESP decryption to map these subnets to 10.3.0.10 and 10.3.0.20, respectively. -<p/> -In order to differentiate between the tunnels to <b>alice</b> and <b>venus</b>, respectively, -<b>XFRM marks</b> are defined for both the inbound and outbound IPsec SAs and policies using -the <b>mark</b> parameter in ipsec.conf. -<p/> -<b>iptables -t mangle</b> rules are then used in the PREROUTING chain to mark the traffic to -and from <b>alice</b> and <b>venus</b>, respectively. -<p/> -The script designated by <b>leftupdown=/etc/mark_updown</b> automatically inserts -iptables mangle rules that mark the inbound ESP_IN_UDP packets as well as iptables IPsec-policy rules -that let pass the tunneled traffic. In order to test the tunnel, the NAT-ed hosts <b>alice</b> -and <b>venus</b> ping the client <b>bob</b> behind the gateway <b>sun</b>. diff --git a/testing/tests/ikev1/nat-two-rw-mark/evaltest.dat b/testing/tests/ikev1/nat-two-rw-mark/evaltest.dat deleted file mode 100644 index fa64c3d88..000000000 --- a/testing/tests/ikev1/nat-two-rw-mark/evaltest.dat +++ /dev/null @@ -1,18 +0,0 @@ -alice::ipsec status::nat-t.*STATE_QUICK_I2.*IPsec SA established::YES -venus::ipsec status::nat-t.*STATE_QUICK_I2.*IPsec SA established::YES -sun::ipsec status::alice.*STATE_QUICK_R2.*IPsec SA established::YES -sun::ipsec status::alice.*alice@strongswan.org::YES -sun::ipsec status::venus.*STATE_QUICK_R2.*IPsec SA established::YES -sun::ipsec status::venus.*venus.strongswan.org::YES -sun::ipsec statusall::alice.*10.2.0.0/16===.*===10.1.0.0/25::YES -sun::ipsec statusall::venus.*10.2.0.0/16===.*===10.1.0.0/25::YES -alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES -venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES -moon::tcpdump::IP moon.strongswan.org.4510.* > sun.strongswan.org.ipsec-nat-t: UDP::YES -moon::tcpdump::IP moon.strongswan.org.4520.* > sun.strongswan.org.ipsec-nat-t: UDP::YES -moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.4510.*: UDP::YES -moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.4520.*: UDP::YES -bob::tcpdump::10.3.0.10 > bob.strongswan.org: ICMP echo request::YES -bob::tcpdump::10.3.0.20 > bob.strongswan.org: ICMP echo request::YES -bob::tcpdump::bob.strongswan.org > 10.3.0.10: ICMP echo reply::YES -bob::tcpdump::bob.strongswan.org > 10.3.0.20: ICMP echo reply::YES diff --git a/testing/tests/ikev1/nat-two-rw-mark/hosts/alice/etc/ipsec.conf b/testing/tests/ikev1/nat-two-rw-mark/hosts/alice/etc/ipsec.conf deleted file mode 100755 index 4ed556226..000000000 --- a/testing/tests/ikev1/nat-two-rw-mark/hosts/alice/etc/ipsec.conf +++ /dev/null @@ -1,27 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - nat_traversal=yes - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - -conn nat-t - left=%defaultroute - leftsubnet=10.1.0.0/25 - leftcert=aliceCert.pem - leftid=alice@strongswan.org - leftfirewall=yes - lefthostaccess=yes - right=PH_IP_SUN - rightid=@sun.strongswan.org - rightsubnet=10.2.0.0/16 - auto=add diff --git a/testing/tests/ikev1/nat-two-rw-mark/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/nat-two-rw-mark/hosts/sun/etc/ipsec.conf deleted file mode 100755 index 2b346430e..000000000 --- a/testing/tests/ikev1/nat-two-rw-mark/hosts/sun/etc/ipsec.conf +++ /dev/null @@ -1,36 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug="control parsing" #parsing to get knl 2 messages - crlcheckinterval=180 - strictcrlpolicy=no - nat_traversal=yes - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - -conn alice - rightid=alice@strongswan.org - mark=10/0xffffffff - also=sun - auto=add - -conn venus - rightid=@venus.strongswan.org - mark=20 #0xffffffff is used by default - also=sun - auto=add - -conn sun - left=PH_IP_SUN - leftcert=sunCert.pem - leftid=@sun.strongswan.org - leftsubnet=10.2.0.0/16 - leftupdown=/etc/mark_updown - right=%any - rightsubnet=10.1.0.0/25 diff --git a/testing/tests/ikev1/nat-two-rw-mark/hosts/sun/etc/mark_updown b/testing/tests/ikev1/nat-two-rw-mark/hosts/sun/etc/mark_updown deleted file mode 100755 index 0d22e684d..000000000 --- a/testing/tests/ikev1/nat-two-rw-mark/hosts/sun/etc/mark_updown +++ /dev/null @@ -1,527 +0,0 @@ -#! /bin/sh -# updown script setting inbound marks on ESP traffic in the mangle chain -# -# Copyright (C) 2003-2004 Nigel Meteringham -# Copyright (C) 2003-2004 Tuomo Soini -# Copyright (C) 2002-2004 Michael Richardson -# Copyright (C) 2005-2010 Andreas Steffen <andreas.steffen@strongswan.org> -# -# This program is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License as published by the -# Free Software Foundation; either version 2 of the License, or (at your -# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY -# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -# for more details. - -# CAUTION: Installing a new version of strongSwan will install a new -# copy of this script, wiping out any custom changes you make. If -# you need changes, make a copy of this under another name, and customize -# that, and use the (left/right)updown parameters in ipsec.conf to make -# strongSwan use yours instead of this default one. - -# things that this script gets (from ipsec_pluto(8) man page) -# -# PLUTO_VERSION -# indicates what version of this interface is being -# used. This document describes version 1.1. This -# is upwardly compatible with version 1.0. -# -# PLUTO_VERB -# specifies the name of the operation to be performed -# (prepare-host, prepare-client, up-host, up-client, -# down-host, or down-client). If the address family -# for security gateway to security gateway communica- -# tions is IPv6, then a suffix of -v6 is added to the -# verb. -# -# PLUTO_CONNECTION -# is the name of the connection for which we are -# routing. -# -# PLUTO_NEXT_HOP -# is the next hop to which packets bound for the peer -# must be sent. -# -# PLUTO_INTERFACE -# is the name of the ipsec interface to be used. -# -# PLUTO_REQID -# is the requid of the ESP policy -# -# PLUTO_ME -# is the IP address of our host. -# -# PLUTO_MY_ID -# is the ID of our host. -# -# PLUTO_MY_CLIENT -# is the IP address / count of our client subnet. If -# the client is just the host, this will be the -# host's own IP address / max (where max is 32 for -# IPv4 and 128 for IPv6). -# -# PLUTO_MY_CLIENT_NET -# is the IP address of our client net. If the client -# is just the host, this will be the host's own IP -# address. -# -# PLUTO_MY_CLIENT_MASK -# is the mask for our client net. If the client is -# just the host, this will be 255.255.255.255. -# -# PLUTO_MY_SOURCEIP -# if non-empty, then the source address for the route will be -# set to this IP address. -# -# PLUTO_MY_PROTOCOL -# is the IP protocol that will be transported. -# -# PLUTO_MY_PORT -# is the UDP/TCP port to which the IPsec SA is -# restricted on our side. -# -# PLUTO_PEER -# is the IP address of our peer. -# -# PLUTO_PEER_ID -# is the ID of our peer. -# -# PLUTO_PEER_CA -# is the CA which issued the cert of our peer. -# -# PLUTO_PEER_CLIENT -# is the IP address / count of the peer's client sub- -# net. If the client is just the peer, this will be -# the peer's own IP address / max (where max is 32 -# for IPv4 and 128 for IPv6). -# -# PLUTO_PEER_CLIENT_NET -# is the IP address of the peer's client net. If the -# client is just the peer, this will be the peer's -# own IP address. -# -# PLUTO_PEER_CLIENT_MASK -# is the mask for the peer's client net. If the -# client is just the peer, this will be -# 255.255.255.255. -# -# PLUTO_PEER_PROTOCOL -# is the IP protocol that will be transported. -# -# PLUTO_PEER_PORT -# is the UDP/TCP port to which the IPsec SA is -# restricted on the peer side. -# -# PLUTO_XAUTH_ID -# is an optional user ID employed by the XAUTH protocol -# -# PLUTO_MARK_IN -# is an optional XFRM mark set on the inbound IPsec SA -# -# PLUTO_MARK_OUT -# is an optional XFRM mark set on the outbound IPsec SA -# -# PLUTO_UDP_ENC -# contains the remote UDP port in the case of ESP_IN_UDP -# encapsulation -# - -# define a minimum PATH environment in case it is not set -PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin" -export PATH - -# uncomment to log VPN connections -VPN_LOGGING=1 -# -# tag put in front of each log entry: -TAG=vpn -# -# syslog facility and priority used: -FAC_PRIO=local0.notice -# -# to create a special vpn logging file, put the following line into -# the syslog configuration file /etc/syslog.conf: -# -# local0.notice -/var/log/vpn - -# in order to use source IP routing the Linux kernel options -# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES -# must be enabled -# -# special routing table for sourceip routes -SOURCEIP_ROUTING_TABLE=220 -# -# priority of the sourceip routing table -SOURCEIP_ROUTING_TABLE_PRIO=220 - -# check interface version -case "$PLUTO_VERSION" in -1.[0|1]) # Older Pluto?!? Play it safe, script may be using new features. - echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2 - echo "$0: called by obsolete Pluto?" >&2 - exit 2 - ;; -1.*) ;; -*) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2 - exit 2 - ;; -esac - -# check parameter(s) -case "$1:$*" in -':') # no parameters - ;; -iptables:iptables) # due to (left/right)firewall; for default script only - ;; -custom:*) # custom parameters (see above CAUTION comment) - ;; -*) echo "$0: unknown parameters \`$*'" >&2 - exit 2 - ;; -esac - -# utility functions for route manipulation -# Meddling with this stuff should not be necessary and requires great care. -uproute() { - doroute add - ip route flush cache -} -downroute() { - doroute delete - ip route flush cache -} - -addsource() { - st=0 - if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local - then - it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE" - oops="`eval $it 2>&1`" - st=$? - if test " $oops" = " " -a " $st" != " 0" - then - oops="silent error, exit status $st" - fi - if test " $oops" != " " -o " $st" != " 0" - then - echo "$0: addsource \`$it' failed ($oops)" >&2 - fi - fi - return $st -} - -doroute() { - st=0 - - if [ -z "$PLUTO_MY_SOURCEIP" ] - then - for dir in /etc/sysconfig /etc/conf.d; do - if [ -f "$dir/defaultsource" ] - then - . "$dir/defaultsource" - fi - done - - if [ -n "$DEFAULTSOURCE" ] - then - PLUTO_MY_SOURCEIP=$DEFAULTSOURCE - fi - fi - - if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ] - then - # leave because no route entry is required - return $st - fi - - parms1="$PLUTO_PEER_CLIENT" - - if [ -n "$PLUTO_NEXT_HOP" ] - then - parms2="via $PLUTO_NEXT_HOP" - else - parms2="via $PLUTO_PEER" - fi - parms2="$parms2 dev $PLUTO_INTERFACE" - - parms3= - if [ -n "$PLUTO_MY_SOURCEIP" ] - then - if test "$1" = "add" - then - addsource - if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE" - then - ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE - fi - fi - parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE" - fi - - case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in - "0.0.0.0/0.0.0.0") - # opportunistic encryption work around - # need to provide route that eclipses default, without - # replacing it. - it="ip route $1 0.0.0.0/1 $parms2 $parms3 && - ip route $1 128.0.0.0/1 $parms2 $parms3" - ;; - *) it="ip route $1 $parms1 $parms2 $parms3" - ;; - esac - oops="`eval $it 2>&1`" - st=$? - if test " $oops" = " " -a " $st" != " 0" - then - oops="silent error, exit status $st" - fi - if test " $oops" != " " -o " $st" != " 0" - then - echo "$0: doroute \`$it' failed ($oops)" >&2 - fi - return $st -} - -# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY -if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ] -then - KLIPS=1 - IPSEC_POLICY_IN="" - IPSEC_POLICY_OUT="" -else - KLIPS= - IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID" - IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" - IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" -fi - -# is there an inbound mark to be set? -if [ -n "$PLUTO_MARK_IN" ] -then - if [ -n "$PLUTO_UDP_ENC" ] - then - SET_MARK="-p udp --sport $PLUTO_UDP_ENC" - else - SET_MARK="-p esp" - fi - SET_MARK="$SET_MARK -s $PLUTO_PEER -j MARK --set-mark $PLUTO_MARK_IN" -fi - -# are there port numbers? -if [ "$PLUTO_MY_PORT" != 0 ] -then - S_MY_PORT="--sport $PLUTO_MY_PORT" - D_MY_PORT="--dport $PLUTO_MY_PORT" -fi -if [ "$PLUTO_PEER_PORT" != 0 ] -then - S_PEER_PORT="--sport $PLUTO_PEER_PORT" - D_PEER_PORT="--dport $PLUTO_PEER_PORT" -fi - -# resolve octal escape sequences -PLUTO_MY_ID=`printf "$PLUTO_MY_ID"` -PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"` - -# the big choice -case "$PLUTO_VERB:$1" in -prepare-host:*|prepare-client:*) - if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ] - then - # exit because no route will be added, - # so that existing routes can stay - exit 0 - fi - - # delete possibly-existing route (preliminary to adding a route) - case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in - "0.0.0.0/0.0.0.0") - # need to provide route that eclipses default, without - # replacing it. - parms1="0.0.0.0/1" - parms2="128.0.0.0/1" - it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1" - oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`" - ;; - *) - parms="$PLUTO_PEER_CLIENT" - it="ip route delete $parms 2>&1" - oops="`ip route delete $parms 2>&1`" - ;; - esac - status="$?" - if test " $oops" = " " -a " $status" != " 0" - then - oops="silent error, exit status $status" - fi - case "$oops" in - *'RTNETLINK answers: No such process'*) - # This is what route (currently -- not documented!) gives - # for "could not find such a route". - oops= - status=0 - ;; - esac - if test " $oops" != " " -o " $status" != " 0" - then - echo "$0: \`$it' failed ($oops)" >&2 - fi - exit $status - ;; -route-host:*|route-client:*) - # connection to me or my client subnet being routed - uproute - ;; -unroute-host:*|unroute-client:*) - # connection to me or my client subnet being unrouted - downroute - ;; -up-host:) - # connection to me coming up - # If you are doing a custom version, firewall commands go here. - if [ -n "$PLUTO_MARK_IN" ] - then - iptables -t mangle -A PREROUTING $SET_MARK - fi - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - # - # log IPsec host connection setup - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] - then - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" - else - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" - fi - fi - ;; -down-host:) - # connection to me going down - # If you are doing a custom version, firewall commands go here. - if [ -n "$PLUTO_MARK_IN" ] - then - iptables -t mangle -D PREROUTING $SET_MARK - fi - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - # - # log IPsec host connection teardown - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] - then - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" - else - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" - fi - fi - ;; -up-client:) - # connection to my client subnet coming up - # If you are doing a custom version, firewall commands go here. - if [ -n "$PLUTO_MARK_IN" ] - then - iptables -t mangle -A PREROUTING $SET_MARK - fi - if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] - then - iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT - iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - fi - # - # a virtual IP requires an INPUT and OUTPUT rule on the host - # or sometimes host access via the internal IP is needed - if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] - then - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT - fi - # - # log IPsec client connection setup - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] - then - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - else - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - fi - fi - ;; -down-client:) - # connection to my client subnet going down - # If you are doing a custom version, firewall commands go here. - if [ -n "$PLUTO_MARK_IN" ] - then - iptables -t mangle -D PREROUTING $SET_MARK - fi - if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] - then - iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ - $IPSEC_POLICY_OUT -j ACCEPT - iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT \ - $IPSEC_POLICY_IN -j ACCEPT - fi - # - # a virtual IP requires an INPUT and OUTPUT rule on the host - # or sometimes host access via the internal IP is needed - if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] - then - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT \ - $IPSEC_POLICY_IN -j ACCEPT - iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ - $IPSEC_POLICY_OUT -j ACCEPT - fi - # - # log IPsec client connection teardown - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] - then - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - else - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - fi - fi - ;; -*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2 - exit 1 - ;; -esac diff --git a/testing/tests/ikev1/nat-two-rw-mark/hosts/venus/etc/ipsec.conf b/testing/tests/ikev1/nat-two-rw-mark/hosts/venus/etc/ipsec.conf deleted file mode 100755 index 0be3477c1..000000000 --- a/testing/tests/ikev1/nat-two-rw-mark/hosts/venus/etc/ipsec.conf +++ /dev/null @@ -1,27 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - nat_traversal=yes - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - -conn nat-t - left=%defaultroute - leftsubnet=10.1.0.0/25 - leftcert=venusCert.pem - leftid=@venus.strongswan.org - leftfirewall=yes - lefthostaccess=yes - right=PH_IP_SUN - rightid=@sun.strongswan.org - rightsubnet=10.2.0.0/16 - auto=add diff --git a/testing/tests/ikev1/nat-two-rw-mark/posttest.dat b/testing/tests/ikev1/nat-two-rw-mark/posttest.dat deleted file mode 100644 index 89d5f534b..000000000 --- a/testing/tests/ikev1/nat-two-rw-mark/posttest.dat +++ /dev/null @@ -1,11 +0,0 @@ -sun::iptables -t mangle -v -n -L PREROUTING -sun::ipsec stop -alice::ipsec stop -venus::ipsec stop -alice::/etc/init.d/iptables stop 2> /dev/null -venus::/etc/init.d/iptables stop 2> /dev/null -sun::/etc/init.d/iptables stop 2> /dev/null -moon::iptables -t nat -F -moon::conntrack -F -sun::conntrack -F -sun::rm /etc/mark_updown diff --git a/testing/tests/ikev1/nat-two-rw-mark/pretest.dat b/testing/tests/ikev1/nat-two-rw-mark/pretest.dat deleted file mode 100644 index 310e5be71..000000000 --- a/testing/tests/ikev1/nat-two-rw-mark/pretest.dat +++ /dev/null @@ -1,21 +0,0 @@ -alice::/etc/init.d/iptables start 2> /dev/null -venus::/etc/init.d/iptables start 2> /dev/null -sun::/etc/init.d/iptables start 2> /dev/null -moon::echo 1 > /proc/sys/net/ipv4/ip_forward -moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to PH_IP_MOON -moon::iptables -t nat -A POSTROUTING -o eth0 -s PH_IP_ALICE -p udp --sport 500 -j SNAT --to PH_IP_MOON:510 -moon::iptables -t nat -A POSTROUTING -o eth0 -s PH_IP_VENUS -p udp --sport 500 -j SNAT --to PH_IP_MOON:520 -moon::iptables -t nat -A POSTROUTING -o eth0 -s PH_IP_ALICE -p udp --sport 4500 -j SNAT --to PH_IP_MOON:4510 -moon::iptables -t nat -A POSTROUTING -o eth0 -s PH_IP_VENUS -p udp --sport 4500 -j SNAT --to PH_IP_MOON:4520 -sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 10 -j SNAT --to 10.3.0.10 -sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 20 -j SNAT --to 10.3.0.20 -sun::iptables -t mangle -A PREROUTING -d 10.3.0.10 -j MARK --set-mark 10 -sun::iptables -t mangle -A PREROUTING -d 10.3.0.20 -j MARK --set-mark 20 -alice::ipsec start -venus::ipsec start -sun::ipsec start -alice::sleep 2 -alice::ipsec up nat-t -venus::sleep 2 -venus::ipsec up nat-t -venus::sleep 2 diff --git a/testing/tests/ikev1/nat-two-rw-mark/test.conf b/testing/tests/ikev1/nat-two-rw-mark/test.conf deleted file mode 100644 index ae3c190b8..000000000 --- a/testing/tests/ikev1/nat-two-rw-mark/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# UML instances used for this test - -# All UML instances that are required for this test -# -UMLHOSTS="alice venus moon winnetou sun bob" - -# Corresponding block diagram -# -DIAGRAM="a-v-m-w-s-b.png" - -# UML instances on which tcpdump is to be started -# -TCPDUMPHOSTS="moon bob" - -# UML instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="alice venus sun" diff --git a/testing/tests/ikev1/nat-two-rw-psk/description.txt b/testing/tests/ikev1/nat-two-rw-psk/description.txt deleted file mode 100644 index c74897d9a..000000000 --- a/testing/tests/ikev1/nat-two-rw-psk/description.txt +++ /dev/null @@ -1,6 +0,0 @@ -The roadwarriors <b>alice</b> and <b>venus</b> sitting behind the NAT router <b>moon</b> set up -tunnels to gateway <b>sun</b>. UDP encapsulation is used to traverse the NAT router. -Both roadwarriors share the same Pre-Shared Key (PSK) with the gateway <b>sun</b>. -<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass -the tunneled traffic. In order to test the tunnel, the NAT-ed hosts <b>alice</b> and <b>venus</b> -ping the client <b>bob</b> behind the gateway <b>sun</b>. diff --git a/testing/tests/ikev1/nat-two-rw-psk/evaltest.dat b/testing/tests/ikev1/nat-two-rw-psk/evaltest.dat deleted file mode 100644 index e8aaf0b5f..000000000 --- a/testing/tests/ikev1/nat-two-rw-psk/evaltest.dat +++ /dev/null @@ -1,9 +0,0 @@ -alice::ipsec status::nat-t.*STATE_QUICK_I2.*IPsec SA established::YES -venus::ipsec status::nat-t.*STATE_QUICK_I2.*IPsec SA established::YES -sun::ipsec status::nat-t.*STATE_QUICK_R2.*IPsec SA established::YES -sun::ipsec status::nat-t.*\[PH_IP_ALICE\]::YES -sun::ipsec status::nat-t.*\[PH_IP_VENUS\]::YES -alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES -venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES -moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP::YES -moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP::YES diff --git a/testing/tests/ikev1/nat-two-rw-psk/hosts/alice/etc/ipsec.secrets b/testing/tests/ikev1/nat-two-rw-psk/hosts/alice/etc/ipsec.secrets deleted file mode 100644 index e8c151f05..000000000 --- a/testing/tests/ikev1/nat-two-rw-psk/hosts/alice/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL diff --git a/testing/tests/ikev1/nat-two-rw-psk/hosts/alice/etc/strongswan.conf b/testing/tests/ikev1/nat-two-rw-psk/hosts/alice/etc/strongswan.conf deleted file mode 100644 index 453cdc07c..000000000 --- a/testing/tests/ikev1/nat-two-rw-psk/hosts/alice/etc/strongswan.conf +++ /dev/null @@ -1,11 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -pluto { - load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink -} - -# pluto uses optimized DH exponent sizes (RFC 3526) - -libstrongswan { - dh_exponent_ansi_x9_42 = no -} diff --git a/testing/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/ipsec.secrets b/testing/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/ipsec.secrets deleted file mode 100644 index e8c151f05..000000000 --- a/testing/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL diff --git a/testing/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/strongswan.conf deleted file mode 100644 index 453cdc07c..000000000 --- a/testing/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/strongswan.conf +++ /dev/null @@ -1,11 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -pluto { - load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink -} - -# pluto uses optimized DH exponent sizes (RFC 3526) - -libstrongswan { - dh_exponent_ansi_x9_42 = no -} diff --git a/testing/tests/ikev1/nat-two-rw-psk/hosts/venus/etc/ipsec.secrets b/testing/tests/ikev1/nat-two-rw-psk/hosts/venus/etc/ipsec.secrets deleted file mode 100644 index e8c151f05..000000000 --- a/testing/tests/ikev1/nat-two-rw-psk/hosts/venus/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL diff --git a/testing/tests/ikev1/nat-two-rw-psk/hosts/venus/etc/strongswan.conf b/testing/tests/ikev1/nat-two-rw-psk/hosts/venus/etc/strongswan.conf deleted file mode 100644 index 453cdc07c..000000000 --- a/testing/tests/ikev1/nat-two-rw-psk/hosts/venus/etc/strongswan.conf +++ /dev/null @@ -1,11 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -pluto { - load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink -} - -# pluto uses optimized DH exponent sizes (RFC 3526) - -libstrongswan { - dh_exponent_ansi_x9_42 = no -} diff --git a/testing/tests/ikev1/nat-two-rw-psk/posttest.dat b/testing/tests/ikev1/nat-two-rw-psk/posttest.dat deleted file mode 100644 index 52572ece8..000000000 --- a/testing/tests/ikev1/nat-two-rw-psk/posttest.dat +++ /dev/null @@ -1,8 +0,0 @@ -sun::ipsec stop -alice::ipsec stop -venus::ipsec stop -alice::/etc/init.d/iptables stop 2> /dev/null -venus::/etc/init.d/iptables stop 2> /dev/null -sun::/etc/init.d/iptables stop 2> /dev/null -moon::iptables -t nat -F -moon::conntrack -F diff --git a/testing/tests/ikev1/nat-two-rw-psk/pretest.dat b/testing/tests/ikev1/nat-two-rw-psk/pretest.dat deleted file mode 100644 index 6172bd088..000000000 --- a/testing/tests/ikev1/nat-two-rw-psk/pretest.dat +++ /dev/null @@ -1,16 +0,0 @@ -alice::/etc/init.d/iptables start 2> /dev/null -venus::/etc/init.d/iptables start 2> /dev/null -sun::/etc/init.d/iptables start 2> /dev/null -moon::echo 1 > /proc/sys/net/ipv4/ip_forward -moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100 -moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100 -alice::rm /etc/ipsec.d/cacerts/* -venus::rm /etc/ipsec.d/cacerts/* -sun::rm /etc/ipsec.d/cacerts/* -alice::ipsec start -venus::ipsec start -sun::ipsec start -alice::sleep 5 -alice::ipsec up nat-t -venus::sleep 5 -venus::ipsec up nat-t diff --git a/testing/tests/ikev1/nat-two-rw-psk/test.conf b/testing/tests/ikev1/nat-two-rw-psk/test.conf deleted file mode 100644 index 84317fd70..000000000 --- a/testing/tests/ikev1/nat-two-rw-psk/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# UML instances used for this test - -# All UML instances that are required for this test -# -UMLHOSTS="alice venus moon winnetou sun bob" - -# Corresponding block diagram -# -DIAGRAM="a-v-m-w-s-b.png" - -# UML instances on which tcpdump is to be started -# -TCPDUMPHOSTS="moon" - -# UML instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="alice venus sun" diff --git a/testing/tests/ikev1/nat-two-rw/evaltest.dat b/testing/tests/ikev1/nat-two-rw/evaltest.dat deleted file mode 100644 index 03c6d8ae6..000000000 --- a/testing/tests/ikev1/nat-two-rw/evaltest.dat +++ /dev/null @@ -1,9 +0,0 @@ -alice::ipsec status::nat-t.*STATE_QUICK_I2.*IPsec SA established::YES -venus::ipsec status::nat-t.*STATE_QUICK_I2.*IPsec SA established::YES -sun::ipsec status::nat-t.*STATE_QUICK_R2.*IPsec SA established::YES -sun::ipsec status::nat-t.*alice@strongswan.org::YES -sun::ipsec status::nat-t.*venus.strongswan.org::YES -alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES -venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES -moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP::YES -moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP::YES diff --git a/testing/tests/ikev1/nat-two-rw/posttest.dat b/testing/tests/ikev1/nat-two-rw/posttest.dat deleted file mode 100644 index 52572ece8..000000000 --- a/testing/tests/ikev1/nat-two-rw/posttest.dat +++ /dev/null @@ -1,8 +0,0 @@ -sun::ipsec stop -alice::ipsec stop -venus::ipsec stop -alice::/etc/init.d/iptables stop 2> /dev/null -venus::/etc/init.d/iptables stop 2> /dev/null -sun::/etc/init.d/iptables stop 2> /dev/null -moon::iptables -t nat -F -moon::conntrack -F diff --git a/testing/tests/ikev1/nat-two-rw/test.conf b/testing/tests/ikev1/nat-two-rw/test.conf deleted file mode 100644 index 84317fd70..000000000 --- a/testing/tests/ikev1/nat-two-rw/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# UML instances used for this test - -# All UML instances that are required for this test -# -UMLHOSTS="alice venus moon winnetou sun bob" - -# Corresponding block diagram -# -DIAGRAM="a-v-m-w-s-b.png" - -# UML instances on which tcpdump is to be started -# -TCPDUMPHOSTS="moon" - -# UML instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="alice venus sun" diff --git a/testing/tests/ikev1/nat-virtual-ip/description.txt b/testing/tests/ikev1/nat-virtual-ip/description.txt new file mode 100644 index 000000000..31d24cda6 --- /dev/null +++ b/testing/tests/ikev1/nat-virtual-ip/description.txt @@ -0,0 +1,6 @@ +The router <b>moon</b> sets up a connection to gateway <b>sun</b> in order +to reach the subnet hidden behind <b>sun</b>. The gateway <b>sun</b> assigns a +virtual IP address to router <b>moon</b>. A special updown script on <b>moon</b> +specified by <b>leftupdown=/etc/nat_updown</b> dynamically inserts a source NAT rule +which maps the IP address of client <b>alice</b> to the virtual IP of <b>moon</b>. +This allows <b>alice</b> to access client <b>bob</b> via the established IPsec tunnel. diff --git a/testing/tests/ikev1/nat-virtual-ip/evaltest.dat b/testing/tests/ikev1/nat-virtual-ip/evaltest.dat new file mode 100644 index 000000000..c60ffc772 --- /dev/null +++ b/testing/tests/ikev1/nat-virtual-ip/evaltest.dat @@ -0,0 +1,8 @@ +moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES +sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES +moon:: cat /var/log/daemon.log::inserted NAT rule mapping PH_IP_ALICE to virtual IP::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES +bob::tcpdump::IP alice2.strongswan.org > bob.strongswan.org: ICMP::YES +bob::tcpdump::IP bob.strongswan.org > alice2.strongswan.org: ICMP::YES diff --git a/testing/tests/ikev1/nat-virtual-ip/hosts/bob/etc/hosts b/testing/tests/ikev1/nat-virtual-ip/hosts/bob/etc/hosts new file mode 100644 index 000000000..ee854da09 --- /dev/null +++ b/testing/tests/ikev1/nat-virtual-ip/hosts/bob/etc/hosts @@ -0,0 +1,70 @@ +# /etc/hosts: This file describes a number of hostname-to-address +# mappings for the TCP/IP subsystem. It is mostly +# used at boot time, when no name servers are running. +# On small systems, this file can be used instead of a +# "named" name server. Just add the names, addresses +# and any aliases to this file... +# + +127.0.0.1 localhost + +192.168.0.254 uml0.strongswan.org uml0 +10.1.0.254 uml1.strongswan.org uml1 +10.2.0.254 uml1.strongswan.org uml2 + +10.1.0.10 alice.strongswan.org alice +10.1.0.20 venus.strongswan.org venus +10.1.0.1 moon1.strongswan.org moon1 +192.168.0.1 moon.strongswan.org moon +192.168.0.50 alice1.strongswan.org alice1 +192.168.0.100 carol.strongswan.org carol +10.3.0.1 carol1.strongswan.org carol1 +192.168.0.150 winnetou.strongswan.org winnetou crl.strongswan.org ocsp.strongswan.org ldap.strongswan.org +192.168.0.200 dave.strongswan.org dave +10.3.0.2 dave1.strongswan.org dave1 +192.168.0.2 sun.strongswan.org sun +10.2.0.1 sun1.strongswan.org sun1 +10.2.0.10 bob.strongswan.org bob +10.4.0.1 alice2.strongswan.org alice2 + +# IPv6 versions of localhost and co +::1 ip6-localhost ip6-loopback +fe00::0 ip6-localnet +ff00::0 ip6-mcastprefix +ff02::1 ip6-allnodes +ff02::2 ip6-allrouters +ff02::3 ip6-allhosts + +# IPv6 solicited-node multicast addresses +ff02::1:ff00:1 ip6-mcast-1 +ff02::1:ff00:2 ip6-mcast-2 +ff02::1:ff00:10 ip6-mcast-10 +ff02::1:ff00:15 ip6-mcast-15 +ff02::1:ff00:20 ip6-mcast-20 + +# IPv6 site-local addresses +fec0::5 ip6-alice1.strongswan.org ip6-alice1 +fec1::10 ip6-alice.strongswan.org ip6-alice +fec1::20 ip6-venus.strongswan.org ip6-venus +fec1::1 ip6-moon1.strongswan.org ip6-moon1 +fec0::1 ip6-moon.strongswan.org ip6-moon +fec0::10 ip6-carol.strongswan.org ip6-carol +fec3::1 ip6-carol1.strongswan.org ip6-carol1 +fec0::15 ip6-winnetou.strongswan.org ip6-winnetou +fec0::20 ip6-dave.strongswan.org ip6-dave +fec3::2 ip6-dave1.strongswan.org ip6-dave1 +fec0::2 ip6-sun.strongswan.org ip6-sun +fec2::1 ip6-sun1.strongswan.org ip6-sun1 +fec2::10 ip6-bob.strongswan.org ip6-bob + +# IPv6 link-local HW derived addresses +fe80::fcfd:0aff:fe01:14 ip6-hw-venus.strongswan.org ip6-hw-venus +fe80::fcfd:0aff:fe01:0a ip6-hw-alice.strongswan.org ip6-hw-alice +fe80::fcfd:0aff:fe01:01 ip6-hw-moon1.strongswan.org ip6-hw-moon1 +fe80::fcfd:c0ff:fea8:01 ip6-hw-moon.strongswan.org ip6-hw-moon +fe80::fcfd:c0ff:fea8:64 ip6-hw-carol.strongswan.org ip6-hw-carol +fe80::fcfd:c0ff:fea8:96 ip6-hw-winnetou.strongswan.org ip6-hw-winnetou +fe80::fcfd:c0ff:fea8:c8 ip6-hw-dave.strongswan.org ip6-hw-dave +fe80::fcfd:c0ff:fea8:02 ip6-hw-sun.strongswan.org ip6-hw-sun +fe80::fcfd:0aff:fe02:01 ip6-hw-sun1.strongswan.org ip6-hw-sun1 +fe80::fcfd:0aff:fe02:0a ip6-hw-bob.strongswan.org ip6-hw-bob diff --git a/testing/tests/ikev1/net2net-same-nets/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/nat-virtual-ip/hosts/moon/etc/ipsec.conf index 30af017ff..28853ce75 100755..100644 --- a/testing/tests/ikev1/net2net-same-nets/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/nat-virtual-ip/hosts/moon/etc/ipsec.conf @@ -1,10 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - plutodebug=control conn %default ikelifetime=60m @@ -12,14 +8,15 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev1 + mobike=no conn net-net left=PH_IP_MOON leftcert=moonCert.pem leftid=@moon.strongswan.org - leftsubnet=10.0.0.0/14 - leftfirewall=yes + leftsourceip=%config + leftupdown=/etc/nat_updown right=PH_IP_SUN rightid=@sun.strongswan.org - rightsubnet=10.4.0.0/14 + rightsubnet=10.2.0.0/16 auto=add diff --git a/testing/tests/ikev1/nat-virtual-ip/hosts/moon/etc/nat_updown b/testing/tests/ikev1/nat-virtual-ip/hosts/moon/etc/nat_updown new file mode 100755 index 000000000..aab1df687 --- /dev/null +++ b/testing/tests/ikev1/nat-virtual-ip/hosts/moon/etc/nat_updown @@ -0,0 +1,152 @@ +#! /bin/sh +# NAT updown script +# +# Copyright (C) 2010 Andreas Steffen <andreas.steffen@strongswan.org> +# +# This program is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 2 of the License, or (at your +# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +# for more details. + +# things that this script gets (from ipsec_pluto(8) man page) +# +# PLUTO_VERSION +# indicates what version of this interface is being +# used. This document describes version 1.1. This +# is upwardly compatible with version 1.0. +# +# PLUTO_VERB +# specifies the name of the operation to be performed +# (prepare-host, prepare-client, up-host, up-client, +# down-host, or down-client). If the address family +# for security gateway to security gateway communica- +# tions is IPv6, then a suffix of -v6 is added to the +# verb. +# +# PLUTO_CONNECTION +# is the name of the connection for which we are +# routing. +# +# PLUTO_NEXT_HOP +# is the next hop to which packets bound for the peer +# must be sent. +# +# PLUTO_INTERFACE +# is the name of the ipsec interface to be used. +# +# PLUTO_REQID +# is the requid of the ESP policy +# +# PLUTO_ME +# is the IP address of our host. +# +# PLUTO_MY_ID +# is the ID of our host. +# +# PLUTO_MY_CLIENT +# is the IP address / count of our client subnet. If +# the client is just the host, this will be the +# host's own IP address / max (where max is 32 for +# IPv4 and 128 for IPv6). +# +# PLUTO_MY_CLIENT_NET +# is the IP address of our client net. If the client +# is just the host, this will be the host's own IP +# address. +# +# PLUTO_MY_CLIENT_MASK +# is the mask for our client net. If the client is +# just the host, this will be 255.255.255.255. +# +# PLUTO_MY_SOURCEIP +# if non-empty, then the source address for the route will be +# set to this IP address. +# +# PLUTO_MY_PROTOCOL +# is the IP protocol that will be transported. +# +# PLUTO_MY_PORT +# is the UDP/TCP port to which the IPsec SA is +# restricted on our side. +# +# PLUTO_PEER +# is the IP address of our peer. +# +# PLUTO_PEER_ID +# is the ID of our peer. +# +# PLUTO_PEER_CA +# is the CA which issued the cert of our peer. +# +# PLUTO_PEER_CLIENT +# is the IP address / count of the peer's client sub- +# net. If the client is just the peer, this will be +# the peer's own IP address / max (where max is 32 +# for IPv4 and 128 for IPv6). +# +# PLUTO_PEER_CLIENT_NET +# is the IP address of the peer's client net. If the +# client is just the peer, this will be the peer's +# own IP address. +# +# PLUTO_PEER_CLIENT_MASK +# is the mask for the peer's client net. If the +# client is just the peer, this will be +# 255.255.255.255. +# +# PLUTO_PEER_PROTOCOL +# is the IP protocol that will be transported. +# +# PLUTO_PEER_PORT +# is the UDP/TCP port to which the IPsec SA is +# restricted on the peer side. +# + +# define a minimum PATH environment in case it is not set +PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin" +export PATH + +# resolve octal escape sequences +PLUTO_MY_ID=`printf "$PLUTO_MY_ID"` +PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"` + +case "$PLUTO_VERB:$1" in +up-host:) + # connection to me coming up + # If you are doing a custom version, firewall commands go here. + ;; +down-host:) + # connection to me going down + # If you are doing a custom version, firewall commands go here. + ;; +up-client:) + # connection to my client subnet coming up + # If you are doing a custom version, firewall commands go here. + iptables -A FORWARD -i eth1 -o $PLUTO_INTERFACE -s PH_IP_ALICE \ + -d $PLUTO_PEER_CLIENT -j ACCEPT + iptables -A FORWARD -o eth1 -i $PLUTO_INTERFACE -d PH_IP_ALICE \ + -s $PLUTO_PEER_CLIENT -j ACCEPT + iptables -t nat -A POSTROUTING -o $PLUTO_INTERFACE -s PH_IP_ALICE \ + -d $PLUTO_PEER_CLIENT -j SNAT --to-source $PLUTO_MY_SOURCEIP + echo "inserted NAT rule mapping PH_IP_ALICE to virtual IP $PLUTO_MY_SOURCEIP" >&2 + ;; +down-client:) + # connection to my client subnet going down + # If you are doing a custom version, firewall commands go here. + iptables -D FORWARD -i eth1 -o $PLUTO_INTERFACE -s PH_IP_ALICE \ + -d $PLUTO_PEER_CLIENT -j ACCEPT + iptables -D FORWARD -o eth1 -i $PLUTO_INTERFACE -d PH_IP_ALICE \ + -s $PLUTO_PEER_CLIENT -j ACCEPT + iptables -t nat -D POSTROUTING -o $PLUTO_INTERFACE -s PH_IP_ALICE \ + -d $PLUTO_PEER_CLIENT -j SNAT --to-source $PLUTO_MY_SOURCEIP + echo "deleted NAT rule mapping PH_IP_ALICE to virtual IP $PLUTO_MY_SOURCEIP" >&2 + ;; +*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2 + exit 1 + ;; +esac diff --git a/testing/tests/ikev1/nat-virtual-ip/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/nat-virtual-ip/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..8e685c862 --- /dev/null +++ b/testing/tests/ikev1/nat-virtual-ip/hosts/moon/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + multiple_authentication = no +} diff --git a/testing/tests/ikev1/net2net-same-nets/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/nat-virtual-ip/hosts/sun/etc/ipsec.conf index 5e924cf25..ff030b5b5 100755..100644 --- a/testing/tests/ikev1/net2net-same-nets/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ikev1/nat-virtual-ip/hosts/sun/etc/ipsec.conf @@ -1,10 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - plutodebug=control conn %default ikelifetime=60m @@ -12,16 +8,15 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev1 + mobike=no conn net-net left=PH_IP_SUN leftcert=sunCert.pem leftid=@sun.strongswan.org - leftsubnet=10.4.0.0/14 - leftupdown=/etc/mark_updown + leftsubnet=10.2.0.0/16 + leftfirewall=yes right=PH_IP_MOON rightid=@moon.strongswan.org - rightsubnet=10.0.0.0/14 - mark_in=8 - mark_out=4 + rightsourceip=10.4.0.0/24 auto=add diff --git a/testing/tests/ikev1/nat-virtual-ip/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/nat-virtual-ip/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..8e685c862 --- /dev/null +++ b/testing/tests/ikev1/nat-virtual-ip/hosts/sun/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + multiple_authentication = no +} diff --git a/testing/tests/ikev1/nat-virtual-ip/posttest.dat b/testing/tests/ikev1/nat-virtual-ip/posttest.dat new file mode 100644 index 000000000..11bd19da7 --- /dev/null +++ b/testing/tests/ikev1/nat-virtual-ip/posttest.dat @@ -0,0 +1,6 @@ +moon::ipsec stop +sun::ipsec stop +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush +moon::conntrack -F +moon::rm /etc/nat_updown diff --git a/testing/tests/ikev1/nat-virtual-ip/pretest.dat b/testing/tests/ikev1/nat-virtual-ip/pretest.dat new file mode 100644 index 000000000..eb0c28c7f --- /dev/null +++ b/testing/tests/ikev1/nat-virtual-ip/pretest.dat @@ -0,0 +1,8 @@ +moon::iptables-restore < /etc/iptables.rules +sun::iptables-restore < /etc/iptables.rules +moon::conntrack -F +moon::ipsec start +sun::ipsec start +moon::sleep 1 +moon::ipsec up net-net +moon::sleep 1 diff --git a/testing/tests/ikev1/nat-virtual-ip/test.conf b/testing/tests/ikev1/nat-virtual-ip/test.conf new file mode 100644 index 000000000..f46f137b4 --- /dev/null +++ b/testing/tests/ikev1/nat-virtual-ip/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun bob" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" diff --git a/testing/tests/ikev1/net2net-cert/evaltest.dat b/testing/tests/ikev1/net2net-cert/evaltest.dat index 7cbf92687..2b37cad99 100644 --- a/testing/tests/ikev1/net2net-cert/evaltest.dat +++ b/testing/tests/ikev1/net2net-cert/evaltest.dat @@ -1,5 +1,7 @@ -moon::ipsec status::net-net.*STATE_QUICK_I2.*IPsec SA established::YES -sun::ipsec status::net-net.*STATE_QUICK_R2.*IPsec SA established::YES -alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES +moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES +sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES +moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES +sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ikev1/net2net-start/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-cert/hosts/moon/etc/ipsec.conf index acb12e7f3..b1a8c98fc 100755..100644 --- a/testing/tests/ikev1/net2net-start/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/net2net-cert/hosts/moon/etc/ipsec.conf @@ -1,10 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no conn %default ikelifetime=60m @@ -13,13 +9,13 @@ conn %default keyingtries=1 keyexchange=ikev1 -conn net-net +conn net-net left=PH_IP_MOON - leftsubnet=10.1.0.0/16 leftcert=moonCert.pem leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 leftfirewall=yes right=PH_IP_SUN - rightsubnet=10.2.0.0/16 rightid=@sun.strongswan.org - auto=start + rightsubnet=10.2.0.0/16 + auto=add diff --git a/testing/tests/ikev1/net2net-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/net2net-cert/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..bad10ca43 --- /dev/null +++ b/testing/tests/ikev1/net2net-cert/hosts/moon/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown +} + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/passthrough/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/net2net-cert/hosts/sun/etc/ipsec.conf index 7541aa894..5f0405b05 100755..100644 --- a/testing/tests/ikev1/passthrough/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ikev1/net2net-cert/hosts/sun/etc/ipsec.conf @@ -1,26 +1,21 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - nat_traversal=yes - charonstart=no conn %default ikelifetime=60m keylife=20m rekeymargin=3m - keyingtries=1 + keyingtries=1 keyexchange=ikev1 -conn net-net +conn net-net left=PH_IP_SUN leftcert=sunCert.pem leftid=@sun.strongswan.org + leftsubnet=10.2.0.0/16 leftfirewall=yes - leftsubnet=0.0.0.0/0 right=PH_IP_MOON - rightsubnet=10.1.0.0/16 rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 auto=add diff --git a/testing/tests/ikev1/net2net-cert/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/net2net-cert/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..bad10ca43 --- /dev/null +++ b/testing/tests/ikev1/net2net-cert/hosts/sun/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown +} + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/net2net-cert/posttest.dat b/testing/tests/ikev1/net2net-cert/posttest.dat index 5a9150bc8..837738fc6 100644 --- a/testing/tests/ikev1/net2net-cert/posttest.dat +++ b/testing/tests/ikev1/net2net-cert/posttest.dat @@ -1,4 +1,5 @@ moon::ipsec stop sun::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -sun::/etc/init.d/iptables stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush + diff --git a/testing/tests/ikev1/net2net-cert/pretest.dat b/testing/tests/ikev1/net2net-cert/pretest.dat index 9f60760c6..c724e5df8 100644 --- a/testing/tests/ikev1/net2net-cert/pretest.dat +++ b/testing/tests/ikev1/net2net-cert/pretest.dat @@ -1,6 +1,6 @@ -moon::/etc/init.d/iptables start 2> /dev/null -sun::/etc/init.d/iptables start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +sun::iptables-restore < /etc/iptables.rules moon::ipsec start sun::ipsec start -moon::sleep 2 +moon::sleep 1 moon::ipsec up net-net diff --git a/testing/tests/ikev1/net2net-cert/test.conf b/testing/tests/ikev1/net2net-cert/test.conf index d9a61590f..646b8b3e6 100644 --- a/testing/tests/ikev1/net2net-cert/test.conf +++ b/testing/tests/ikev1/net2net-cert/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon winnetou sun bob" +VIRTHOSTS="alice moon winnetou sun bob" # Corresponding block diagram # DIAGRAM="a-m-w-s-b.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="sun" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon sun" diff --git a/testing/tests/ikev1/net2net-rsa/description.txt b/testing/tests/ikev1/net2net-fragmentation/description.txt index a23fae8c3..6fe773299 100644 --- a/testing/tests/ikev1/net2net-rsa/description.txt +++ b/testing/tests/ikev1/net2net-fragmentation/description.txt @@ -1,6 +1,9 @@ A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up. -The authentication is based on <b>raw RSA keys</b>. Upon the successful -establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically +The authentication is based on <b>X.509 certificates</b>. The proprietary IKEv1 fragmentation +protocol prevents the IP fragmentation of the IKEv1 messages carrying the large X.509 +certificates. +<p/> +Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass the tunneled traffic. In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b> pings client <b>bob</b> located behind gateway <b>sun</b>. diff --git a/testing/tests/ikev1/net2net-fragmentation/evaltest.dat b/testing/tests/ikev1/net2net-fragmentation/evaltest.dat new file mode 100644 index 000000000..876787495 --- /dev/null +++ b/testing/tests/ikev1/net2net-fragmentation/evaltest.dat @@ -0,0 +1,15 @@ +moon::cat /var/log/daemon.log::received FRAGMENTATION vendor ID::YES +sun::cat /var/log/daemon.log::received FRAGMENTATION vendor ID::YES +moon::cat /var/log/daemon.log::sending IKE message with length of 1468 bytes in 2 fragments::YES +sun::cat /var/log/daemon.log::sending IKE message with length of 1388 bytes in 2 fragments::YES +moon::cat /var/log/daemon.log::received fragment #1, waiting for complete IKE message::YES +moon::cat /var/log/daemon.log::received fragment #2, reassembling fragmented IKE message::YES +sun::cat /var/log/daemon.log::received fragment #1, waiting for complete IKE message::YES +sun::cat /var/log/daemon.log::received fragment #2, reassembling fragmented IKE message::YES +moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES +sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES +moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES +sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ikev1/net2net-route/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-fragmentation/hosts/moon/etc/ipsec.conf index bc72fab0f..cdd430408 100755..100644 --- a/testing/tests/ikev1/net2net-route/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/net2net-fragmentation/hosts/moon/etc/ipsec.conf @@ -1,10 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no conn %default ikelifetime=60m @@ -12,14 +8,15 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev1 + fragmentation=yes -conn net-net +conn net-net left=PH_IP_MOON - leftsubnet=10.1.0.0/16 leftcert=moonCert.pem leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 leftfirewall=yes right=PH_IP_SUN - rightsubnet=10.2.0.0/16 rightid=@sun.strongswan.org - auto=route + rightsubnet=10.2.0.0/16 + auto=add diff --git a/testing/tests/ikev1/net2net-fragmentation/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/net2net-fragmentation/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..9caf4fa37 --- /dev/null +++ b/testing/tests/ikev1/net2net-fragmentation/hosts/moon/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown + + fragment_size = 1024 +} + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/net2net-fragmentation/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/net2net-fragmentation/hosts/sun/etc/ipsec.conf new file mode 100644 index 000000000..448525bf7 --- /dev/null +++ b/testing/tests/ikev1/net2net-fragmentation/hosts/sun/etc/ipsec.conf @@ -0,0 +1,22 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + fragmentation=yes + +conn net-net + left=PH_IP_SUN + leftcert=sunCert.pem + leftid=@sun.strongswan.org + leftsubnet=10.2.0.0/16 + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/ikev1/net2net-fragmentation/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/net2net-fragmentation/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..9caf4fa37 --- /dev/null +++ b/testing/tests/ikev1/net2net-fragmentation/hosts/sun/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown + + fragment_size = 1024 +} + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/net2net-fragmentation/posttest.dat b/testing/tests/ikev1/net2net-fragmentation/posttest.dat new file mode 100644 index 000000000..837738fc6 --- /dev/null +++ b/testing/tests/ikev1/net2net-fragmentation/posttest.dat @@ -0,0 +1,5 @@ +moon::ipsec stop +sun::ipsec stop +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush + diff --git a/testing/tests/ikev1/net2net-fragmentation/pretest.dat b/testing/tests/ikev1/net2net-fragmentation/pretest.dat new file mode 100644 index 000000000..c724e5df8 --- /dev/null +++ b/testing/tests/ikev1/net2net-fragmentation/pretest.dat @@ -0,0 +1,6 @@ +moon::iptables-restore < /etc/iptables.rules +sun::iptables-restore < /etc/iptables.rules +moon::ipsec start +sun::ipsec start +moon::sleep 1 +moon::ipsec up net-net diff --git a/testing/tests/ikev1/net2net-fragmentation/test.conf b/testing/tests/ikev1/net2net-fragmentation/test.conf new file mode 100644 index 000000000..646b8b3e6 --- /dev/null +++ b/testing/tests/ikev1/net2net-fragmentation/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" diff --git a/testing/tests/ikev1/net2net-pgp-v3/description.txt b/testing/tests/ikev1/net2net-pgp-v3/description.txt deleted file mode 100644 index bd680b57a..000000000 --- a/testing/tests/ikev1/net2net-pgp-v3/description.txt +++ /dev/null @@ -1,6 +0,0 @@ -A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up. -The authentication is based on <b>OpenPGP V3 keys</b>. Upon the successful -establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically -inserts iptables-based firewall rules that let pass the tunneled traffic. -In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b> -pings client <b>bob</b> located behind gateway <b>sun</b>. diff --git a/testing/tests/ikev1/net2net-pgp-v3/evaltest.dat b/testing/tests/ikev1/net2net-pgp-v3/evaltest.dat deleted file mode 100644 index 7cbf92687..000000000 --- a/testing/tests/ikev1/net2net-pgp-v3/evaltest.dat +++ /dev/null @@ -1,5 +0,0 @@ -moon::ipsec status::net-net.*STATE_QUICK_I2.*IPsec SA established::YES -sun::ipsec status::net-net.*STATE_QUICK_R2.*IPsec SA established::YES -alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES -sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES -sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.conf deleted file mode 100755 index a38c66023..000000000 --- a/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,24 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug="control parsing" - nocrsend=yes - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - -conn net-net - left=PH_IP_MOON - leftsubnet=10.1.0.0/16 - leftcert=moonCert.asc - leftid=@#71270432cd763a18020ac988c0e75aed - leftfirewall=yes - right=PH_IP_SUN - rightsubnet=10.2.0.0/16 - rightcert=sunCert.asc - auto=add diff --git a/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/moonCert.asc b/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/moonCert.asc deleted file mode 100644 index 135cfaec0..000000000 --- a/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/moonCert.asc +++ /dev/null @@ -1,15 +0,0 @@ -Type Bits/KeyID Date User ID -pub 1024/613A3B61 2005/08/07 moon <moon.strongswan.org> - ------BEGIN PGP PUBLIC KEY BLOCK----- -Version: 2.6.3i - -mQCNA0L2KI8AAAEEAM5GYrwuf1M9Cv7+Yfr6i5+17zMVGIyj/D4+msK43iUbEH61 -+bhRKcrF+9NKvM+ujjZoUbfGjUipsBbTlPTaY7muZ9KaVy2OBHm73x13eiemkPS9 -RFWesrL9L39aBO5K47ti0PwRP8QIPMaNWMs2z7yoZLE/flVNQfWsCnlhOjthAAUR -tBptb29uIDxtb29uLnN0cm9uZ3N3YW4ub3JnPokAlQMFEEL2KI/1rAp5YTo7YQEB -vX4EAKtr0e6WMDIRlpE4VhhdQ7AgBgGyhgfqAdD9KDx8o4fG4nkmh7H1bG/PLJA1 -f+UfDGnOyIwPOrILNyNnwAbDHXjJaNylahM7poOP7i0VlbhZPLAC0cSQi02/Zrac -t5bED5tHSrNSjcA/CjuxRuu9lmR6s57IQnQnwt9I4LTM+CFP -=oaBj ------END PGP PUBLIC KEY BLOCK----- diff --git a/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/sunCert.asc b/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/sunCert.asc deleted file mode 100644 index 32f204b10..000000000 --- a/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.d/certs/sunCert.asc +++ /dev/null @@ -1,15 +0,0 @@ -Type Bits/KeyID Date User ID -pub 1024/79949ADD 2005/08/07 sun <sun.strongswan.org> - ------BEGIN PGP PUBLIC KEY BLOCK----- -Version: 2.6.3i - -mQCNA0L2Km8AAAEEANRAVMn8HBxfYaGhLqtQ3IZJArn9wpcQ+7sH/F9PaXIjzHRQ -rfFkfmxxp9lVjCk0LM/BnnlnUmyz6F8K7V0Gi40Am4+ln1zHvZZIQJYGrDhDnjb7 -I5TVeD4Ib5bQ1CoUbIhv2LocCeR6OjefQgGmerC5RQ3d5ci7uB0pVpd5lJrdAAUR -tBhzdW4gPHN1bi5zdHJvbmdzd2FuLm9yZz6JAJUDBRBC9ipvHSlWl3mUmt0BAUZR -A/43nuZbxADMSviu54Mj8pvQbYeGLQVabiWT6h7L0ZPX4MWpFH3dTixBfRrZRSsj -0AgiMMuZAMebfOe+Xf9uDQv7p1yumEiNg43tg85zyawkARWNTZZ04woxtvAqNwXn -lQotGz7YA6JMxry9RQo5yI4Y4dPnVZ/o8eDpP0+I88cOhQ== -=lLvB ------END PGP PUBLIC KEY BLOCK----- diff --git a/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.d/private/moonKey.asc b/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.d/private/moonKey.asc deleted file mode 100644 index 6524773e0..000000000 --- a/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.d/private/moonKey.asc +++ /dev/null @@ -1,19 +0,0 @@ -Type Bits/KeyID Date User ID -sec 1024/613A3B61 2005/08/07 moon <moon.strongswan.org> - ------BEGIN PGP SECRET KEY BLOCK----- -Version: 2.6.3i - -lQHYA0L2KI8AAAEEAM5GYrwuf1M9Cv7+Yfr6i5+17zMVGIyj/D4+msK43iUbEH61 -+bhRKcrF+9NKvM+ujjZoUbfGjUipsBbTlPTaY7muZ9KaVy2OBHm73x13eiemkPS9 -RFWesrL9L39aBO5K47ti0PwRP8QIPMaNWMs2z7yoZLE/flVNQfWsCnlhOjthAAUR -AAP9Fj7OaaCfTL3Met8yuS8ZGMDL/fq+4f2bM+OdPSgD4N1Fiye0B1QMCVGWI1Xd -JXS0+9QI0A3iD12YAnYwsP50KmsLHA69AqchN7BuimoMfHDXqpTSRW57E9MCEzQ9 -FFN8mVPRiDxAUro8qCjdHmk1vmtdt/PXn1BuXHE36SzZmmMCANBA4WHaO6MJshM6 -7StRicSCxoMn/lPcj6rfJS4EaS+a0MwECxKQ3HKTpP3/+7kaWfLI/D65Xmi3cVK3 -0CPwUK8CAP2RYWoBZPSA8dBGFYwR7W6bdNYhdmGmsVCaM7v4sVr0FwHwMERadByN -8v0n5As3ZbrCURRp68wuE+JjfOM5mO8CAM3ZK7AVlBOqkoI3X3Ji3yviLlsr2ET7 -QrVKFQBq7eUhwYFo6mVemEqQb61tGirq+qL4Wfk/7+FffZPsUyLX1amfjLQabW9v -biA8bW9vbi5zdHJvbmdzd2FuLm9yZz4= -=YFQm ------END PGP SECRET KEY BLOCK----- diff --git a/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/strongswan.conf deleted file mode 100644 index 71896491e..000000000 --- a/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/strongswan.conf +++ /dev/null @@ -1,11 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 pgp gmp random curl kernel-netlink -} - -# pluto uses optimized DH exponent sizes (RFC 3526) - -libstrongswan { - dh_exponent_ansi_x9_42 = no -} diff --git a/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.conf deleted file mode 100755 index 6a373e29f..000000000 --- a/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.conf +++ /dev/null @@ -1,24 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug=control - nocrsend=yes - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - -conn net-net - left=PH_IP_SUN - leftsubnet=10.2.0.0/16 - leftcert=sunCert.asc - leftfirewall=yes - right=PH_IP_MOON - rightsubnet=10.1.0.0/16 - rightcert=moonCert.asc - rightid=@#71270432cd763a18020ac988c0e75aed - auto=add diff --git a/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/moonCert.asc b/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/moonCert.asc deleted file mode 100644 index 135cfaec0..000000000 --- a/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/moonCert.asc +++ /dev/null @@ -1,15 +0,0 @@ -Type Bits/KeyID Date User ID -pub 1024/613A3B61 2005/08/07 moon <moon.strongswan.org> - ------BEGIN PGP PUBLIC KEY BLOCK----- -Version: 2.6.3i - -mQCNA0L2KI8AAAEEAM5GYrwuf1M9Cv7+Yfr6i5+17zMVGIyj/D4+msK43iUbEH61 -+bhRKcrF+9NKvM+ujjZoUbfGjUipsBbTlPTaY7muZ9KaVy2OBHm73x13eiemkPS9 -RFWesrL9L39aBO5K47ti0PwRP8QIPMaNWMs2z7yoZLE/flVNQfWsCnlhOjthAAUR -tBptb29uIDxtb29uLnN0cm9uZ3N3YW4ub3JnPokAlQMFEEL2KI/1rAp5YTo7YQEB -vX4EAKtr0e6WMDIRlpE4VhhdQ7AgBgGyhgfqAdD9KDx8o4fG4nkmh7H1bG/PLJA1 -f+UfDGnOyIwPOrILNyNnwAbDHXjJaNylahM7poOP7i0VlbhZPLAC0cSQi02/Zrac -t5bED5tHSrNSjcA/CjuxRuu9lmR6s57IQnQnwt9I4LTM+CFP -=oaBj ------END PGP PUBLIC KEY BLOCK----- diff --git a/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/sunCert.asc b/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/sunCert.asc deleted file mode 100644 index 32f204b10..000000000 --- a/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.d/certs/sunCert.asc +++ /dev/null @@ -1,15 +0,0 @@ -Type Bits/KeyID Date User ID -pub 1024/79949ADD 2005/08/07 sun <sun.strongswan.org> - ------BEGIN PGP PUBLIC KEY BLOCK----- -Version: 2.6.3i - -mQCNA0L2Km8AAAEEANRAVMn8HBxfYaGhLqtQ3IZJArn9wpcQ+7sH/F9PaXIjzHRQ -rfFkfmxxp9lVjCk0LM/BnnlnUmyz6F8K7V0Gi40Am4+ln1zHvZZIQJYGrDhDnjb7 -I5TVeD4Ib5bQ1CoUbIhv2LocCeR6OjefQgGmerC5RQ3d5ci7uB0pVpd5lJrdAAUR -tBhzdW4gPHN1bi5zdHJvbmdzd2FuLm9yZz6JAJUDBRBC9ipvHSlWl3mUmt0BAUZR -A/43nuZbxADMSviu54Mj8pvQbYeGLQVabiWT6h7L0ZPX4MWpFH3dTixBfRrZRSsj -0AgiMMuZAMebfOe+Xf9uDQv7p1yumEiNg43tg85zyawkARWNTZZ04woxtvAqNwXn -lQotGz7YA6JMxry9RQo5yI4Y4dPnVZ/o8eDpP0+I88cOhQ== -=lLvB ------END PGP PUBLIC KEY BLOCK----- diff --git a/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.d/private/sunKey.asc b/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.d/private/sunKey.asc deleted file mode 100644 index de2393649..000000000 --- a/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.d/private/sunKey.asc +++ /dev/null @@ -1,19 +0,0 @@ -Type Bits/KeyID Date User ID -sec 1024/79949ADD 2005/08/07 sun <sun.strongswan.org> - ------BEGIN PGP SECRET KEY BLOCK----- -Version: 2.6.3i - -lQHYA0L2Km8AAAEEANRAVMn8HBxfYaGhLqtQ3IZJArn9wpcQ+7sH/F9PaXIjzHRQ -rfFkfmxxp9lVjCk0LM/BnnlnUmyz6F8K7V0Gi40Am4+ln1zHvZZIQJYGrDhDnjb7 -I5TVeD4Ib5bQ1CoUbIhv2LocCeR6OjefQgGmerC5RQ3d5ci7uB0pVpd5lJrdAAUR -AAP8DHxBOQ7UeiO6cutdGSLfy6nxGf/eRR8d3dNLFKpRfy9IQxPN/yQHb8pzSQUI -Pqi3V4PcJUJQJIMNqzzgyTyey/OdTc+IFngywRGKQowyD7vY+urVbcEDHe+sRTL1 -GvrsQGMZoXNDimABHn5NbT6Pc06xQ9rNvpCSyHMyzcylpk0CANqf96aEaryGJozg -vSN5GlS77rPJ9Y9mU2EJs1+0BlMcb7Sy4HN2RRc/V56ZmlW2m3UbGwPqG8R9XQQ2 -LO03bTcCAPiJbTcRdA/YnZExbZPgEnV5nq8tVXTc7bz1Sw7ZWRef0iZyIQEXbwLn -2Z2EJik9bQpkcVJSBV17cH7Av/VdIosCAKJPVoBETiVzWejIpGHHqbnmZC8P9rUs -xAXZbNukbL3YElLeopNMyddTi6kf45/m0sb7fr7rzW/OJ7WP8mDrGPec4rQYc3Vu -IDxzdW4uc3Ryb25nc3dhbi5vcmc+ -=DwEu ------END PGP SECRET KEY BLOCK----- diff --git a/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.secrets b/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.secrets deleted file mode 100644 index ee98b1611..000000000 --- a/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: RSA sunKey.asc diff --git a/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/strongswan.conf deleted file mode 100644 index 71896491e..000000000 --- a/testing/tests/ikev1/net2net-pgp-v3/hosts/sun/etc/strongswan.conf +++ /dev/null @@ -1,11 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 pgp gmp random curl kernel-netlink -} - -# pluto uses optimized DH exponent sizes (RFC 3526) - -libstrongswan { - dh_exponent_ansi_x9_42 = no -} diff --git a/testing/tests/ikev1/net2net-pgp-v3/posttest.dat b/testing/tests/ikev1/net2net-pgp-v3/posttest.dat deleted file mode 100644 index fafcde975..000000000 --- a/testing/tests/ikev1/net2net-pgp-v3/posttest.dat +++ /dev/null @@ -1,8 +0,0 @@ -moon::ipsec stop -sun::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -sun::/etc/init.d/iptables stop 2> /dev/null -moon::rm /etc/ipsec.d/certs/* -moon::rm /etc/ipsec.d/private/* -sun::rm /etc/ipsec.d/certs/* -sun::rm /etc/ipsec.d/private/* diff --git a/testing/tests/ikev1/net2net-pgp-v3/pretest.dat b/testing/tests/ikev1/net2net-pgp-v3/pretest.dat deleted file mode 100644 index 9e40684ab..000000000 --- a/testing/tests/ikev1/net2net-pgp-v3/pretest.dat +++ /dev/null @@ -1,8 +0,0 @@ -moon::/etc/init.d/iptables start 2> /dev/null -sun::/etc/init.d/iptables start 2> /dev/null -moon::rm /etc/ipsec.d/cacerts/* -sun::rm /etc/ipsec.d/cacerts/* -moon::ipsec start -sun::ipsec start -moon::sleep 2 -moon::ipsec up net-net diff --git a/testing/tests/ikev1/net2net-pgp-v3/test.conf b/testing/tests/ikev1/net2net-pgp-v3/test.conf deleted file mode 100644 index f74d0f7d6..000000000 --- a/testing/tests/ikev1/net2net-pgp-v3/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# UML instances used for this test - -# All UML instances that are required for this test -# -UMLHOSTS="alice moon winnetou sun bob" - -# Corresponding block diagram -# -DIAGRAM="a-m-w-s-b.png" - -# UML instances on which tcpdump is to be started -# -TCPDUMPHOSTS="sun" - -# UML instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon sun" diff --git a/testing/tests/ikev1/net2net-pgp-v4/description.txt b/testing/tests/ikev1/net2net-pgp-v4/description.txt deleted file mode 100644 index c82eec9ba..000000000 --- a/testing/tests/ikev1/net2net-pgp-v4/description.txt +++ /dev/null @@ -1,6 +0,0 @@ -A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up. -The authentication is based on <b>OpenPGP V4 keys</b>. Upon the successful -establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically -inserts iptables-based firewall rules that let pass the tunneled traffic. -In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b> -pings client <b>bob</b> located behind gateway <b>sun</b>. diff --git a/testing/tests/ikev1/net2net-pgp-v4/evaltest.dat b/testing/tests/ikev1/net2net-pgp-v4/evaltest.dat deleted file mode 100644 index 7cbf92687..000000000 --- a/testing/tests/ikev1/net2net-pgp-v4/evaltest.dat +++ /dev/null @@ -1,5 +0,0 @@ -moon::ipsec status::net-net.*STATE_QUICK_I2.*IPsec SA established::YES -sun::ipsec status::net-net.*STATE_QUICK_R2.*IPsec SA established::YES -alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES -sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES -sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.conf deleted file mode 100755 index 094ab3bed..000000000 --- a/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,24 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug="control parsing" - nocrsend=yes - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - -conn net-net - left=PH_IP_MOON - leftsubnet=10.1.0.0/16 - leftcert=moonCert.asc - leftfirewall=yes - right=PH_IP_SUN - rightsubnet=10.2.0.0/16 - rightcert=sunCert.asc - rightid=@#b42f31fec80ae3264a101c85977a04ac8d1638d3 - auto=add diff --git a/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.d/certs/moonCert.asc b/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.d/certs/moonCert.asc deleted file mode 100644 index a512f8f52..000000000 --- a/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.d/certs/moonCert.asc +++ /dev/null @@ -1,24 +0,0 @@ ------BEGIN PGP PUBLIC KEY BLOCK----- -Version: GnuPG v1.4.9 (GNU/Linux) - -mQENBEpg0UQBCADWgUvdhUfaNdmWZkvECCcDRE+qlbJnVtIbBNkfsfTL1B20g2Mf -UhWJORD0ka01pc6Tc5BF/379npNu48lj0g6OdgG5ivvhAAK/6tdGNW/xZQEhTB+A -nmOu/9HbxtsXjZ5peX6F2k8OlG9hSJgTdGamhmkNaja0FrzSOz5jGhrEc2oCQVnd -6BXRz4eq7W+VwlC6cxlgi7f5pUFfSqKYVwPLf+VkPVUHo+vSzuidJSL/jaEr9my/ -I0c/fUsVVWa3Z/KyGNY4Ej1DB21PnWYBo9H5SK7YC7auiHGwekdybWoI/6IPOP3f -JqKbhO3ZbTw9bEZv+Lt52GeN4tNaWsOIbpVDABEBAAG0E21vb24uc3Ryb25nc3dh -bi5vcmeJATcEEwECACEFAkpg0UQCGwMHCwkIBwMCAQQVAggDBBYCAwECHgECF4AA -CgkQ9djQiWs7dNHHNQf/UiwJPioLef7dgGG2E+kwVQUK3LK+wXLrCVlRdTpSbw8K -N2yl6/L8djIdox0jw3yCYhCWxf94N4Yqw4zUjaA4wt+U37ZPqlx/kdfNZwn2383K -1niLPYmJf5sMWXPAmetT6tNEHNhkmE7CsmDqikX1GUvJ4NmoHp/2DQLKR4/Olb1Y -D4HulHK0nfMxf1gVmFhRFtGpzrGS26G3HzV0ZDs4fYEkVFfTBkCyGzE667O8W9Gk -/EoRdO7hDOAEk80Gp23bDX6ygnvsAqUeWNwYYctkiJKb/YMiAR/bOtFHtgN43atv -1I5GZ96wAo+s+KZAXaHlxFvq7r6OMzxgEWTtyNTtG4kBHAQQAQIABgUCSmDShgAK -CRCXegSsjRY401hVB/9HlBSdkal26U8HmVSjblOpMhaEKWjAZG1VnhcA5/GstzHc -ql7CuciAzOfRY9kcUvvonjLLBEb6P8H7mNaosE0XtqBI+Il8w6FIsfqXG+w2lISt -21/OoS3uXmUD43xdGkJACgoQP3eAqscRnoiNq/Wrg4GFvMmhK3pu3UR0joFrxwoX -mIbpJ1CZFrYDhLRFWUMV+93rzde7UfIeSuPwuE96yTJFgc4QKKFKT+msELTko9Fb -G5N0Q//Rfy+mbqQlk7JVd2WqUMfSx6Fw9X8z88uQamdcgx2/6HzFSL1QiBNyF/3D -spAwu2H5T4gSZH3FywlmRp+JJzNy+aci+M/eTvDz -=j2hu ------END PGP PUBLIC KEY BLOCK----- diff --git a/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.d/certs/sunCert.asc b/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.d/certs/sunCert.asc deleted file mode 100644 index 5117cbb04..000000000 --- a/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.d/certs/sunCert.asc +++ /dev/null @@ -1,24 +0,0 @@ ------BEGIN PGP PUBLIC KEY BLOCK----- -Version: GnuPG v1.4.9 (GNU/Linux) - -mQENBEpg0bgBCADIozng/tZLr8mEcHvXe4S4zRE31EngymiBFytJ0r2sky43lJXB -QdW2h/elDDO2drrKVt9iwR/WS25r7Er1ibDn1cje9dERDU/IWyS7UaCewUG7WTZM -/aWrt1cnq11FhpdckQfdalh+au0rnsJJP+mwZBti6KtX9LFi0kKvVoDt+jlNJMlV -CLRgQ30BmgApiqEDxbVURmHf8UPDNy6GDcQYnJ1AmliIavzjpDl/l68TadBCf8WP -B2hBe/AoB9ODgc9GnBRMN6RGSvpXGBugKhleFUtCtUR0h3NZtpcD8479XuqSjbyN -4mUEAeXJIIkT/hLHmmbQK0DTrHPaTtXGfeOjABEBAAG0EnN1bi5zdHJvbmdzd2Fu -Lm9yZ4kBNwQTAQIAIQUCSmDRuAIbAwcLCQgHAwIBBBUCCAMEFgIDAQIeAQIXgAAK -CRCXegSsjRY407LCCACqHrnT1xqsQRAIL9GQtI6AkaLJLtJXbALtSKg1Ik1DQA9g -0P+Scnu84xj1o5bRWX2WyPYZUgDY6fB3bSQuX/Z0lIUtl16xRL53jKroGDzg3JZ0 -eNYmehGoIes4JfQm08UM7roywGaaWAfTK2gDFdjsetU4FkpbziVp8cOeAzUMU5/D -RLu5rvCB6m5u62RncmppraAYuQWRjZALIxugFW9IBe+hItY3eBa0rnrCPUb2ywSG -6XXcCnBr/34g/bQXWRxBhbf91ewVaDxgLeoFzQl34h8MxxxBAzG/1023wkN+K97j -vnvvZKUwbd/TRFJkorkhkRpA1wSrJ0tAsvODgc8biQEcBBABAgAGBQJKYNK9AAoJ -EPXY0IlrO3TR8X4H/2eabptQ49q6SX5bwZ+13QoGZdarAvFxVGbbhaRrOrbsYNbg -Wd8k6R/Uwz1qkH3RJBmANm2wcDYhXsztprUrQ3a5jIgZfc+ZH/0cZiFUWk004m7t -mXdvWsGkbxye0kUChQOP9/VJBgpOBnK4MngX7d3nwSIO75r4ugey2Aud/eOvrm5m -t5MJBANTGAnBGwqXtsDm7v0L9VQY6PuLIgPwftB+vwy/Ea8vU5AmFKVkfAR/pVIT -gELY5mDHaqLxgvfMVJ+PFkvb5HF7QdpIcxUjo3SNgyOyYpN+pfQQbVLkPoOs1xqf -lIbIyjzMp02KM3iRElcuU/EBEfsp0/voJ/iyd+o= -=tAh4 ------END PGP PUBLIC KEY BLOCK----- diff --git a/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.d/private/moonKey.asc b/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.d/private/moonKey.asc deleted file mode 100644 index 59de821d6..000000000 --- a/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.d/private/moonKey.asc +++ /dev/null @@ -1,32 +0,0 @@ ------BEGIN PGP PRIVATE KEY BLOCK----- -Version: GnuPG v1.4.9 (GNU/Linux) - -lQOYBEpg0UQBCADWgUvdhUfaNdmWZkvECCcDRE+qlbJnVtIbBNkfsfTL1B20g2Mf -UhWJORD0ka01pc6Tc5BF/379npNu48lj0g6OdgG5ivvhAAK/6tdGNW/xZQEhTB+A -nmOu/9HbxtsXjZ5peX6F2k8OlG9hSJgTdGamhmkNaja0FrzSOz5jGhrEc2oCQVnd -6BXRz4eq7W+VwlC6cxlgi7f5pUFfSqKYVwPLf+VkPVUHo+vSzuidJSL/jaEr9my/ -I0c/fUsVVWa3Z/KyGNY4Ej1DB21PnWYBo9H5SK7YC7auiHGwekdybWoI/6IPOP3f -JqKbhO3ZbTw9bEZv+Lt52GeN4tNaWsOIbpVDABEBAAEAB/42Vsa7NTpAgwe92+gx -nscTQsjTs9xf5VSQV6gRKWmUAQYNZoNDue2Ot5AeBJFWV8x++fWAZfrrkLJUkwu/ -Z8UcPbSuJhEsrG4F5B3owTy8cBPbNYd9c6JZAKFPBY8W5l9M5OQyUF1amiuk/1jX -BNPEN6SBK3j0IhZvQ2bIgCJrxUH9igvOig2HmfOYv11UMzOErSA/eGRSA+TrM+QK -BDCG1ae3dLe/pXtIuh1/jkLo7Byk0ofgv2+Ty/LSwBCj0vtUjtMHHRNZFRYFrNiN -S6FyrS7+Q9BJolNkuXT83i4dm208+6bKQBPxV3ZaLgf2y19/g5av8f745ercygQI -MdGBBADaWGKpev55Oom2gNV4jaQFaAc4K4OqW1IbsXk8QSl1iaoHmt9VlGP+A+8O -GG+h0cfIlUHnAC29Hs5lDnlByqdTnG9zTyOrnzZEY1+jFGGgs+O/ehS3riGI5dB8 -mwReZfY/aqp7naLkkymHuIAizmxkYORPZtTugyi99Zha4m8j4QQA+39fTOthVIYi -RXMzGknEjh9fMLvCkx33ghapCtc4ftJRACfaatQJVBG2li7LHbPg9fboIyG/x/Ey -iyGtPxwBLo7MJige6xpzVB4Qk+zLDCKouca29uY1rGQzZ0FTmMMtu3Rm+dKh9lLv -vg7ZJNTfhxldC+R/L/gOIBWEzy/iXaMD/2A+wQuKDLDRb9/sOiq/6z7Ryl6FPbTC -AvvNU3hJtRImfmHodob//zzYYgOY7exY/qubC6FsDW4AN+2iHesCdIzCrAG7v9X3 -Rn1WPq96FfY2y5b6qEl8Tx+a71TZi5RJRtoWPe3IolausE0T3IjRbWI4XgMu/T5o -Rmv/f5gyc5OxPpG0E21vb24uc3Ryb25nc3dhbi5vcmeJATcEEwECACEFAkpg0UQC -GwMHCwkIBwMCAQQVAggDBBYCAwECHgECF4AACgkQ9djQiWs7dNHHNQf/UiwJPioL -ef7dgGG2E+kwVQUK3LK+wXLrCVlRdTpSbw8KN2yl6/L8djIdox0jw3yCYhCWxf94 -N4Yqw4zUjaA4wt+U37ZPqlx/kdfNZwn2383K1niLPYmJf5sMWXPAmetT6tNEHNhk -mE7CsmDqikX1GUvJ4NmoHp/2DQLKR4/Olb1YD4HulHK0nfMxf1gVmFhRFtGpzrGS -26G3HzV0ZDs4fYEkVFfTBkCyGzE667O8W9Gk/EoRdO7hDOAEk80Gp23bDX6ygnvs -AqUeWNwYYctkiJKb/YMiAR/bOtFHtgN43atv1I5GZ96wAo+s+KZAXaHlxFvq7r6O -MzxgEWTtyNTtGw== -=Vb4y ------END PGP PRIVATE KEY BLOCK----- diff --git a/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.secrets deleted file mode 100644 index afb1ff927..000000000 --- a/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: RSA moonKey.asc diff --git a/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/strongswan.conf deleted file mode 100644 index 71896491e..000000000 --- a/testing/tests/ikev1/net2net-pgp-v4/hosts/moon/etc/strongswan.conf +++ /dev/null @@ -1,11 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 pgp gmp random curl kernel-netlink -} - -# pluto uses optimized DH exponent sizes (RFC 3526) - -libstrongswan { - dh_exponent_ansi_x9_42 = no -} diff --git a/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.conf deleted file mode 100755 index 428b10ce6..000000000 --- a/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.conf +++ /dev/null @@ -1,24 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug=control - nocrsend=yes - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - -conn net-net - left=PH_IP_SUN - leftsubnet=10.2.0.0/16 - leftcert=sunCert.asc - leftid=@#b42f31fec80ae3264a101c85977a04ac8d1638d3 - leftfirewall=yes - right=PH_IP_MOON - rightsubnet=10.1.0.0/16 - rightcert=moonCert.asc - auto=add diff --git a/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.d/certs/moonCert.asc b/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.d/certs/moonCert.asc deleted file mode 100644 index a512f8f52..000000000 --- a/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.d/certs/moonCert.asc +++ /dev/null @@ -1,24 +0,0 @@ ------BEGIN PGP PUBLIC KEY BLOCK----- -Version: GnuPG v1.4.9 (GNU/Linux) - -mQENBEpg0UQBCADWgUvdhUfaNdmWZkvECCcDRE+qlbJnVtIbBNkfsfTL1B20g2Mf -UhWJORD0ka01pc6Tc5BF/379npNu48lj0g6OdgG5ivvhAAK/6tdGNW/xZQEhTB+A -nmOu/9HbxtsXjZ5peX6F2k8OlG9hSJgTdGamhmkNaja0FrzSOz5jGhrEc2oCQVnd -6BXRz4eq7W+VwlC6cxlgi7f5pUFfSqKYVwPLf+VkPVUHo+vSzuidJSL/jaEr9my/ -I0c/fUsVVWa3Z/KyGNY4Ej1DB21PnWYBo9H5SK7YC7auiHGwekdybWoI/6IPOP3f -JqKbhO3ZbTw9bEZv+Lt52GeN4tNaWsOIbpVDABEBAAG0E21vb24uc3Ryb25nc3dh -bi5vcmeJATcEEwECACEFAkpg0UQCGwMHCwkIBwMCAQQVAggDBBYCAwECHgECF4AA -CgkQ9djQiWs7dNHHNQf/UiwJPioLef7dgGG2E+kwVQUK3LK+wXLrCVlRdTpSbw8K -N2yl6/L8djIdox0jw3yCYhCWxf94N4Yqw4zUjaA4wt+U37ZPqlx/kdfNZwn2383K -1niLPYmJf5sMWXPAmetT6tNEHNhkmE7CsmDqikX1GUvJ4NmoHp/2DQLKR4/Olb1Y -D4HulHK0nfMxf1gVmFhRFtGpzrGS26G3HzV0ZDs4fYEkVFfTBkCyGzE667O8W9Gk -/EoRdO7hDOAEk80Gp23bDX6ygnvsAqUeWNwYYctkiJKb/YMiAR/bOtFHtgN43atv -1I5GZ96wAo+s+KZAXaHlxFvq7r6OMzxgEWTtyNTtG4kBHAQQAQIABgUCSmDShgAK -CRCXegSsjRY401hVB/9HlBSdkal26U8HmVSjblOpMhaEKWjAZG1VnhcA5/GstzHc -ql7CuciAzOfRY9kcUvvonjLLBEb6P8H7mNaosE0XtqBI+Il8w6FIsfqXG+w2lISt -21/OoS3uXmUD43xdGkJACgoQP3eAqscRnoiNq/Wrg4GFvMmhK3pu3UR0joFrxwoX -mIbpJ1CZFrYDhLRFWUMV+93rzde7UfIeSuPwuE96yTJFgc4QKKFKT+msELTko9Fb -G5N0Q//Rfy+mbqQlk7JVd2WqUMfSx6Fw9X8z88uQamdcgx2/6HzFSL1QiBNyF/3D -spAwu2H5T4gSZH3FywlmRp+JJzNy+aci+M/eTvDz -=j2hu ------END PGP PUBLIC KEY BLOCK----- diff --git a/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.d/certs/sunCert.asc b/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.d/certs/sunCert.asc deleted file mode 100644 index 5117cbb04..000000000 --- a/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.d/certs/sunCert.asc +++ /dev/null @@ -1,24 +0,0 @@ ------BEGIN PGP PUBLIC KEY BLOCK----- -Version: GnuPG v1.4.9 (GNU/Linux) - -mQENBEpg0bgBCADIozng/tZLr8mEcHvXe4S4zRE31EngymiBFytJ0r2sky43lJXB -QdW2h/elDDO2drrKVt9iwR/WS25r7Er1ibDn1cje9dERDU/IWyS7UaCewUG7WTZM -/aWrt1cnq11FhpdckQfdalh+au0rnsJJP+mwZBti6KtX9LFi0kKvVoDt+jlNJMlV -CLRgQ30BmgApiqEDxbVURmHf8UPDNy6GDcQYnJ1AmliIavzjpDl/l68TadBCf8WP -B2hBe/AoB9ODgc9GnBRMN6RGSvpXGBugKhleFUtCtUR0h3NZtpcD8479XuqSjbyN -4mUEAeXJIIkT/hLHmmbQK0DTrHPaTtXGfeOjABEBAAG0EnN1bi5zdHJvbmdzd2Fu -Lm9yZ4kBNwQTAQIAIQUCSmDRuAIbAwcLCQgHAwIBBBUCCAMEFgIDAQIeAQIXgAAK -CRCXegSsjRY407LCCACqHrnT1xqsQRAIL9GQtI6AkaLJLtJXbALtSKg1Ik1DQA9g -0P+Scnu84xj1o5bRWX2WyPYZUgDY6fB3bSQuX/Z0lIUtl16xRL53jKroGDzg3JZ0 -eNYmehGoIes4JfQm08UM7roywGaaWAfTK2gDFdjsetU4FkpbziVp8cOeAzUMU5/D -RLu5rvCB6m5u62RncmppraAYuQWRjZALIxugFW9IBe+hItY3eBa0rnrCPUb2ywSG -6XXcCnBr/34g/bQXWRxBhbf91ewVaDxgLeoFzQl34h8MxxxBAzG/1023wkN+K97j -vnvvZKUwbd/TRFJkorkhkRpA1wSrJ0tAsvODgc8biQEcBBABAgAGBQJKYNK9AAoJ -EPXY0IlrO3TR8X4H/2eabptQ49q6SX5bwZ+13QoGZdarAvFxVGbbhaRrOrbsYNbg -Wd8k6R/Uwz1qkH3RJBmANm2wcDYhXsztprUrQ3a5jIgZfc+ZH/0cZiFUWk004m7t -mXdvWsGkbxye0kUChQOP9/VJBgpOBnK4MngX7d3nwSIO75r4ugey2Aud/eOvrm5m -t5MJBANTGAnBGwqXtsDm7v0L9VQY6PuLIgPwftB+vwy/Ea8vU5AmFKVkfAR/pVIT -gELY5mDHaqLxgvfMVJ+PFkvb5HF7QdpIcxUjo3SNgyOyYpN+pfQQbVLkPoOs1xqf -lIbIyjzMp02KM3iRElcuU/EBEfsp0/voJ/iyd+o= -=tAh4 ------END PGP PUBLIC KEY BLOCK----- diff --git a/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.d/private/sunKey.asc b/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.d/private/sunKey.asc deleted file mode 100644 index 68899ae37..000000000 --- a/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.d/private/sunKey.asc +++ /dev/null @@ -1,32 +0,0 @@ ------BEGIN PGP PRIVATE KEY BLOCK----- -Version: GnuPG v1.4.9 (GNU/Linux) - -lQOYBEpg0bgBCADIozng/tZLr8mEcHvXe4S4zRE31EngymiBFytJ0r2sky43lJXB -QdW2h/elDDO2drrKVt9iwR/WS25r7Er1ibDn1cje9dERDU/IWyS7UaCewUG7WTZM -/aWrt1cnq11FhpdckQfdalh+au0rnsJJP+mwZBti6KtX9LFi0kKvVoDt+jlNJMlV -CLRgQ30BmgApiqEDxbVURmHf8UPDNy6GDcQYnJ1AmliIavzjpDl/l68TadBCf8WP -B2hBe/AoB9ODgc9GnBRMN6RGSvpXGBugKhleFUtCtUR0h3NZtpcD8479XuqSjbyN -4mUEAeXJIIkT/hLHmmbQK0DTrHPaTtXGfeOjABEBAAEAB/0XU57hkU9R6mSoALnt -Qh+aqsDjOEvEllPTGmH+icFipJP9g0lr+B8EQ0egCUyj3Kb36mS7Yw+0Bv4WDxlh -9bm7Iohhn7vIWz9Y4HvjSWi+vGJLiWI+TkkqLz0zUAGemTjU2snKzNfwDrd3WFRn -VsZxKxpiBAITzk+nWSHGp+yCfl3NVaA/MYAI+FgiQlq/qTCRreEsexAJ09weDLGN -P95V4E6LACRy+wiy7X0lRzS1047UUtTcZUF6c5ERfgAGT5NKT/ZA4THZy5pPrSOw -bRIHbozSlWbnrZNz8DNa4iyHsEw/42IvjU/LflmGWL2hvVxA40ezlxGVi5ea5gFV -5q9dBADWGXToEaHMqie/HAC4+1/VCTmAvqIKcegNWHCL1PGYBBfRonF/TDcbkawy -0ATlk+rkyTaRvkapb1LdqE1qThGQWC6iLb3v8E2UEizCM1VFo2EqcKxbCoJdsEtR -mrK/zIqZ/h/4iEu/ekLPeDwdIWWdBlfYTtTwdMH40eoPOLyo/QQA7+dSOQcAUp8H -1NuNpyK+9M3/mkpXRF3cqdiY7AnHIf4WWDtgDUHugtO8HlAkq4cL27QYBojVHCqB -P+NLJo6A35nNbt2IPqAotCgk8NlgtsA+oJ9tvWGarOLMnIt0eBv80blqa5PGeoFt -EuYxYO2bRAE2cQtMXPMLKpl3VKSRMR8EAKINBJ81zq2twDG1qvRg40XAz2LOKkFd -B+fNAd0JSC8+qx4MMdn0iL6WaCIN6t1wzI7l1whLUc7f3MPF2dwrsrB9j3MgHppr -GBLl0A3a1tIkWPAejMcpSgFR63ooQQgoX+XH0woST3wgHTZT6fF+zFn3eaGJ3wqv -JNcE4vcbJf1COoi0EnN1bi5zdHJvbmdzd2FuLm9yZ4kBNwQTAQIAIQUCSmDRuAIb -AwcLCQgHAwIBBBUCCAMEFgIDAQIeAQIXgAAKCRCXegSsjRY407LCCACqHrnT1xqs -QRAIL9GQtI6AkaLJLtJXbALtSKg1Ik1DQA9g0P+Scnu84xj1o5bRWX2WyPYZUgDY -6fB3bSQuX/Z0lIUtl16xRL53jKroGDzg3JZ0eNYmehGoIes4JfQm08UM7roywGaa -WAfTK2gDFdjsetU4FkpbziVp8cOeAzUMU5/DRLu5rvCB6m5u62RncmppraAYuQWR -jZALIxugFW9IBe+hItY3eBa0rnrCPUb2ywSG6XXcCnBr/34g/bQXWRxBhbf91ewV -aDxgLeoFzQl34h8MxxxBAzG/1023wkN+K97jvnvvZKUwbd/TRFJkorkhkRpA1wSr -J0tAsvODgc8b -=QOF4 ------END PGP PRIVATE KEY BLOCK----- diff --git a/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.secrets b/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.secrets deleted file mode 100644 index ee98b1611..000000000 --- a/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: RSA sunKey.asc diff --git a/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/strongswan.conf deleted file mode 100644 index 71896491e..000000000 --- a/testing/tests/ikev1/net2net-pgp-v4/hosts/sun/etc/strongswan.conf +++ /dev/null @@ -1,11 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 pgp gmp random curl kernel-netlink -} - -# pluto uses optimized DH exponent sizes (RFC 3526) - -libstrongswan { - dh_exponent_ansi_x9_42 = no -} diff --git a/testing/tests/ikev1/net2net-pgp-v4/posttest.dat b/testing/tests/ikev1/net2net-pgp-v4/posttest.dat deleted file mode 100644 index fafcde975..000000000 --- a/testing/tests/ikev1/net2net-pgp-v4/posttest.dat +++ /dev/null @@ -1,8 +0,0 @@ -moon::ipsec stop -sun::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -sun::/etc/init.d/iptables stop 2> /dev/null -moon::rm /etc/ipsec.d/certs/* -moon::rm /etc/ipsec.d/private/* -sun::rm /etc/ipsec.d/certs/* -sun::rm /etc/ipsec.d/private/* diff --git a/testing/tests/ikev1/net2net-pgp-v4/pretest.dat b/testing/tests/ikev1/net2net-pgp-v4/pretest.dat deleted file mode 100644 index 9e40684ab..000000000 --- a/testing/tests/ikev1/net2net-pgp-v4/pretest.dat +++ /dev/null @@ -1,8 +0,0 @@ -moon::/etc/init.d/iptables start 2> /dev/null -sun::/etc/init.d/iptables start 2> /dev/null -moon::rm /etc/ipsec.d/cacerts/* -sun::rm /etc/ipsec.d/cacerts/* -moon::ipsec start -sun::ipsec start -moon::sleep 2 -moon::ipsec up net-net diff --git a/testing/tests/ikev1/net2net-pgp-v4/test.conf b/testing/tests/ikev1/net2net-pgp-v4/test.conf deleted file mode 100644 index f74d0f7d6..000000000 --- a/testing/tests/ikev1/net2net-pgp-v4/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# UML instances used for this test - -# All UML instances that are required for this test -# -UMLHOSTS="alice moon winnetou sun bob" - -# Corresponding block diagram -# -DIAGRAM="a-m-w-s-b.png" - -# UML instances on which tcpdump is to be started -# -TCPDUMPHOSTS="sun" - -# UML instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon sun" diff --git a/testing/tests/ikev1/net2net-psk-fail/description.txt b/testing/tests/ikev1/net2net-psk-fail/description.txt index 5a794bd17..688182be4 100644 --- a/testing/tests/ikev1/net2net-psk-fail/description.txt +++ b/testing/tests/ikev1/net2net-psk-fail/description.txt @@ -1,7 +1,5 @@ -An IPsec tunnel connecting the subnets behind the gateways <b>moon</b> and -<b>sun</b> is set up. The authentication is based on <b>Preshared Keys</b> -(PSK). Unfortunately the secret keys of <b>moon</b> and <b>sun</b> do not -match, so that the responder cannot decrypt ISAKMP message MI3. The resulting -encrypted notification message cannot in turn be read by the initiator -<b>moon</b>. In order to avoid a <b>notify-war</b>, any further generation of -PAYLOAD_MALFORMED messages is suppressed. +A connection between the gateways <b>moon</b> and <b>sun</b> is set up. +The authentication is based on <b>Preshared Keys</b> (PSK), but gateway <b>moon</b> +uses a wrong PSK. This makes it impossible for gateway <b>sun</b> to decrypt the +IKEv1 message correctly. Thus <b>sun</b> returns a <b>PAYLOAD-MALFORMED</b> error +notify which in turn cannot be decrypted by <b>moon</b>. diff --git a/testing/tests/ikev1/net2net-psk-fail/evaltest.dat b/testing/tests/ikev1/net2net-psk-fail/evaltest.dat index 7f7cb9726..36ad061ac 100644 --- a/testing/tests/ikev1/net2net-psk-fail/evaltest.dat +++ b/testing/tests/ikev1/net2net-psk-fail/evaltest.dat @@ -1,6 +1,8 @@ -moon::cat /var/log/auth.log::malformed payload in packet::YES -sun::cat /var/log/auth.log::probable authentication failure.*mismatch of preshared secrets.*malformed payload in packet::YES -sun::cat /var/log/auth.log::sending encrypted notification PAYLOAD_MALFORMED::YES -moon::ipsec status::net-net.*STATE_MAIN_I4.*ISAKMP SA established::NO -sun::ipsec status::net-net.*STATE_MAIN_R3.*ISAKMP SA established::NO - +sun:: cat /var/log/daemon.log::invalid ID_V1 payload length, decryption failed::YES +sun:: cat /var/log/daemon.log::generating INFORMATIONAL_V1 request.*HASH N(PLD_MAL)::YES +moon::cat /var/log/daemon.log::invalid HASH_V1 payload length, decryption failed::YES +moon::cat /var/log/daemon.log::ignore malformed INFORMATIONAL request::YES +moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::NO +sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::NO +moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::NO +sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::NO diff --git a/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/ipsec.conf index ad0359f01..5917bab81 100755..100644 --- a/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/ipsec.conf @@ -1,21 +1,20 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug=control - charonstart=no conn %default ikelifetime=60m keylife=20m rekeymargin=3m keyingtries=1 - keyexchange=ikev1 authby=secret - + keyexchange=ikev1 + conn net-net left=PH_IP_MOON leftsubnet=10.1.0.0/16 leftid=@moon.strongswan.org + leftfirewall=yes right=PH_IP_SUN rightsubnet=10.2.0.0/16 rightid=@sun.strongswan.org diff --git a/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/ipsec.secrets index be95c4d99..38ebf966c 100644 --- a/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/ipsec.secrets +++ b/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/ipsec.secrets @@ -1,7 +1,4 @@ # /etc/ipsec.secrets - strongSwan IPsec secrets file -@moon.strongswan.org @sun.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL - - - +@moon.strongswan.org @sun.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2dxxxx diff --git a/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/strongswan.conf index 453cdc07c..5db4358d6 100644 --- a/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/strongswan.conf @@ -1,11 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file -pluto { - load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink -} - -# pluto uses optimized DH exponent sizes (RFC 3526) - -libstrongswan { - dh_exponent_ansi_x9_42 = no +charon { + load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown + multiple_authentication = no } diff --git a/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/ipsec.conf index 9bbff9039..8fe02b10b 100755..100644 --- a/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/ipsec.conf @@ -1,21 +1,20 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug=control - charonstart=no conn %default ikelifetime=60m keylife=20m rekeymargin=3m keyingtries=1 - keyexchange=ikev1 authby=secret - + keyexchange=ikev1 + conn net-net left=PH_IP_SUN leftsubnet=10.2.0.0/16 leftid=@sun.strongswan.org + leftfirewall=yes right=PH_IP_MOON rightsubnet=10.1.0.0/16 rightid=@moon.strongswan.org diff --git a/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/ipsec.secrets b/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/ipsec.secrets index b53577e1d..be95c4d99 100644 --- a/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/ipsec.secrets +++ b/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/ipsec.secrets @@ -1,6 +1,6 @@ # /etc/ipsec.secrets - strongSwan IPsec secrets file -@moon.strongswan.org @sun.strongswan.org : PSK 0sZNbttZkdViYmLWprfhiZBtDjJbNAMHil +@moon.strongswan.org @sun.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL diff --git a/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/strongswan.conf index 453cdc07c..5db4358d6 100644 --- a/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/strongswan.conf @@ -1,11 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file -pluto { - load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink -} - -# pluto uses optimized DH exponent sizes (RFC 3526) - -libstrongswan { - dh_exponent_ansi_x9_42 = no +charon { + load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown + multiple_authentication = no } diff --git a/testing/tests/ikev1/net2net-psk-fail/posttest.dat b/testing/tests/ikev1/net2net-psk-fail/posttest.dat index dff181797..1f7aa73a1 100644 --- a/testing/tests/ikev1/net2net-psk-fail/posttest.dat +++ b/testing/tests/ikev1/net2net-psk-fail/posttest.dat @@ -1,2 +1,4 @@ moon::ipsec stop sun::ipsec stop +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev1/net2net-psk-fail/pretest.dat b/testing/tests/ikev1/net2net-psk-fail/pretest.dat index aa8e332e0..0f4ae0f4f 100644 --- a/testing/tests/ikev1/net2net-psk-fail/pretest.dat +++ b/testing/tests/ikev1/net2net-psk-fail/pretest.dat @@ -1,5 +1,7 @@ -moon::echo 1 > /proc/sys/net/ipv4/ip_forward -sun::echo 1 > /proc/sys/net/ipv4/ip_forward +moon::iptables-restore < /etc/iptables.rules +sun::iptables-restore < /etc/iptables.rules +moon::rm /etc/ipsec.d/cacerts/* +sun::rm /etc/ipsec.d/cacerts/* moon::ipsec start sun::ipsec start moon::sleep 2 diff --git a/testing/tests/ikev1/net2net-psk-fail/test.conf b/testing/tests/ikev1/net2net-psk-fail/test.conf index f6e064e7d..eb4822b5d 100644 --- a/testing/tests/ikev1/net2net-psk-fail/test.conf +++ b/testing/tests/ikev1/net2net-psk-fail/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="moon winnetou sun" +VIRTHOSTS="moon winnetou sun" # Corresponding block diagram # DIAGRAM="m-w-s.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon sun" diff --git a/testing/tests/ikev1/net2net-psk/evaltest.dat b/testing/tests/ikev1/net2net-psk/evaltest.dat index 7cbf92687..2b37cad99 100644 --- a/testing/tests/ikev1/net2net-psk/evaltest.dat +++ b/testing/tests/ikev1/net2net-psk/evaltest.dat @@ -1,5 +1,7 @@ -moon::ipsec status::net-net.*STATE_QUICK_I2.*IPsec SA established::YES -sun::ipsec status::net-net.*STATE_QUICK_R2.*IPsec SA established::YES -alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES +moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES +sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES +moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES +sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ikev1/net2net-psk/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-psk/hosts/moon/etc/ipsec.conf index c63ec2f30..e4243e294 100755..100644 --- a/testing/tests/ikev1/net2net-psk/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/net2net-psk/hosts/moon/etc/ipsec.conf @@ -1,8 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug=control - charonstart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev1/net2net-psk/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/net2net-psk/hosts/moon/etc/strongswan.conf index 453cdc07c..238ec24b7 100644 --- a/testing/tests/ikev1/net2net-psk/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev1/net2net-psk/hosts/moon/etc/strongswan.conf @@ -1,11 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -pluto { - load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink +charon { + load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown } -# pluto uses optimized DH exponent sizes (RFC 3526) - libstrongswan { dh_exponent_ansi_x9_42 = no } diff --git a/testing/tests/ikev1/net2net-psk/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/net2net-psk/hosts/sun/etc/ipsec.conf index e21ee9910..38dab14b4 100755..100644 --- a/testing/tests/ikev1/net2net-psk/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ikev1/net2net-psk/hosts/sun/etc/ipsec.conf @@ -1,8 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug=control - charonstart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev1/net2net-psk/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/net2net-psk/hosts/sun/etc/strongswan.conf index 453cdc07c..238ec24b7 100644 --- a/testing/tests/ikev1/net2net-psk/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev1/net2net-psk/hosts/sun/etc/strongswan.conf @@ -1,11 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -pluto { - load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink +charon { + load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown } -# pluto uses optimized DH exponent sizes (RFC 3526) - libstrongswan { dh_exponent_ansi_x9_42 = no } diff --git a/testing/tests/ikev1/net2net-psk/posttest.dat b/testing/tests/ikev1/net2net-psk/posttest.dat index 5a9150bc8..1f7aa73a1 100644 --- a/testing/tests/ikev1/net2net-psk/posttest.dat +++ b/testing/tests/ikev1/net2net-psk/posttest.dat @@ -1,4 +1,4 @@ moon::ipsec stop sun::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -sun::/etc/init.d/iptables stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev1/net2net-psk/pretest.dat b/testing/tests/ikev1/net2net-psk/pretest.dat index 9e40684ab..0f4ae0f4f 100644 --- a/testing/tests/ikev1/net2net-psk/pretest.dat +++ b/testing/tests/ikev1/net2net-psk/pretest.dat @@ -1,5 +1,5 @@ -moon::/etc/init.d/iptables start 2> /dev/null -sun::/etc/init.d/iptables start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +sun::iptables-restore < /etc/iptables.rules moon::rm /etc/ipsec.d/cacerts/* sun::rm /etc/ipsec.d/cacerts/* moon::ipsec start diff --git a/testing/tests/ikev1/net2net-psk/test.conf b/testing/tests/ikev1/net2net-psk/test.conf index f74d0f7d6..afa2accbe 100644 --- a/testing/tests/ikev1/net2net-psk/test.conf +++ b/testing/tests/ikev1/net2net-psk/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon winnetou sun bob" +VIRTHOSTS="alice moon winnetou sun bob" # Corresponding block diagram # DIAGRAM="a-m-w-s-b.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="sun" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon sun" diff --git a/testing/tests/ikev1/net2net-route/description.txt b/testing/tests/ikev1/net2net-route/description.txt deleted file mode 100644 index 323f09555..000000000 --- a/testing/tests/ikev1/net2net-route/description.txt +++ /dev/null @@ -1,9 +0,0 @@ -A tunnel that will connect the subnets behind the gateways <b>moon</b> -and <b>sun</b>, respectively, is preconfigured by installing a %trap eroute -on gateway <b>moon</b> by means of the setting <b>auto=route</b> in ipsec.conf. -A subsequent ping issued by client <b>alice</b> behind gateway <b>moon</b> to -<b>bob</b> located behind gateway <b>sun</b> triggers the %trap eroute and -leads to the automatic establishment of the subnet-to-subnet tunnel. -<p> -<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules -that let pass the tunneled traffic. diff --git a/testing/tests/ikev1/net2net-route/evaltest.dat b/testing/tests/ikev1/net2net-route/evaltest.dat deleted file mode 100644 index 38d589e5a..000000000 --- a/testing/tests/ikev1/net2net-route/evaltest.dat +++ /dev/null @@ -1,6 +0,0 @@ -moon::cat /var/log/auth.log::initiate on demand from PH_IP_ALICE::YES -moon::ipsec status::net-net.*STATE_QUICK_I2.*IPsec SA established::YES -sun::ipsec status::net-net.*STATE_QUICK_R2.*IPsec SA established::YES -alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES -sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES -sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ikev1/net2net-route/posttest.dat b/testing/tests/ikev1/net2net-route/posttest.dat deleted file mode 100644 index 5a9150bc8..000000000 --- a/testing/tests/ikev1/net2net-route/posttest.dat +++ /dev/null @@ -1,4 +0,0 @@ -moon::ipsec stop -sun::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -sun::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev1/net2net-route/pretest.dat b/testing/tests/ikev1/net2net-route/pretest.dat deleted file mode 100644 index 2eef7de19..000000000 --- a/testing/tests/ikev1/net2net-route/pretest.dat +++ /dev/null @@ -1,6 +0,0 @@ -moon::/etc/init.d/iptables start 2> /dev/null -sun::/etc/init.d/iptables start 2> /dev/null -moon::ipsec start -sun::ipsec start -moon::sleep 2 -alice::ping -c 10 PH_IP_BOB diff --git a/testing/tests/ikev1/net2net-route/test.conf b/testing/tests/ikev1/net2net-route/test.conf deleted file mode 100644 index d9a61590f..000000000 --- a/testing/tests/ikev1/net2net-route/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# UML instances used for this test - -# All UML instances that are required for this test -# -UMLHOSTS="alice moon winnetou sun bob" - -# Corresponding block diagram -# -DIAGRAM="a-m-w-s-b.png" - -# UML instances on which tcpdump is to be started -# -TCPDUMPHOSTS="sun" - -# UML instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon sun" diff --git a/testing/tests/ikev1/net2net-rsa/evaltest.dat b/testing/tests/ikev1/net2net-rsa/evaltest.dat deleted file mode 100644 index 7cbf92687..000000000 --- a/testing/tests/ikev1/net2net-rsa/evaltest.dat +++ /dev/null @@ -1,5 +0,0 @@ -moon::ipsec status::net-net.*STATE_QUICK_I2.*IPsec SA established::YES -sun::ipsec status::net-net.*STATE_QUICK_R2.*IPsec SA established::YES -alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES -sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES -sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ikev1/net2net-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-rsa/hosts/moon/etc/ipsec.conf deleted file mode 100755 index 837c1ab56..000000000 --- a/testing/tests/ikev1/net2net-rsa/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,24 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug=control - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - -conn net-net - left=PH_IP_MOON - leftsubnet=10.1.0.0/16 - leftid=@moon.strongswan.org - leftrsasigkey=0sAQN+mkeECF5Bm7XnDkkkfmgny/TZndTkN1XzFZWB7nJroM3cTk3zMtdSPX8hY9GQxVGWSsmUBq7mGA5Qx39JpRNpyzxW7wRcMbwqDquG1PRfblLzV1ixdXOGSLUNaXonqDI/h5fCkqTuZtLbE4q3Pf4PmQAwzWVWaTZQ1gXXqUqKlN6218Hm2vbvNRE/CBHuFMmaCz11jckvaPvcqBLZzRTx9b/Mi+qD6xT7k9RpYHmtaGCJ95ed1bY6SZkapgHWu88/3M6bxCzD0KOA3oFbwlkHkFyaGWFB2+fc7L6BfYq0wr/d84tQdOxEn3BwLTrVKo7+6AxDrMi0I+blD2nd9cxj - leftfirewall=yes - right=PH_IP_SUN - rightsubnet=10.2.0.0/16 - rightid=@sun.strongswan.org - rightrsasigkey=0sAQOiSuR9e/WMZFOxK3IdaFBOT2DGoObFDJURejqLcjMpmY2yVbA9Lpc+AEGKxqjb37WG6sVo3fBCDBOAhgmMw9s0b6DTSeXaIQloqW1M8IC+xe1fT+F0BsW1ttaEN0WTF5H+J+a4/arYg4HyiA+sjoqHagnCVPM15Rm5mkmg913XmSCgtkenD4WUq+NfPLuOcggqTjHAAoGD0doswRa3sebyqHQNAb32PXW9ecKi9ExcPrdr5hR5uNXRMYGumBtoxcE6xEvCM/sPRK1hbyynixc5nfMQ5Ymb4mdCUotUGaCyKDa4pF58sYgP6xpd/HXMXGdRP+KxqA4sfes46gp8UuJT - auto=add diff --git a/testing/tests/ikev1/net2net-rsa/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/net2net-rsa/hosts/moon/etc/ipsec.secrets deleted file mode 100644 index 9859ae8ed..000000000 --- a/testing/tests/ikev1/net2net-rsa/hosts/moon/etc/ipsec.secrets +++ /dev/null @@ -1,17 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: RSA { - # RSA 2048 bits moon.strongswan.org Wed Dec 8 21:41:27 2004 - # for signatures only, UNSAFE FOR ENCRYPTION - #pubkey=0sAQN+mkeECF5Bm7XnDkkkfmgny/TZndTkN1XzFZWB7nJroM3cTk3zMtdSPX8hY9GQxVGWSsmUBq7mGA5Qx39JpRNpyzxW7wRcMbwqDquG1PRfblLzV1ixdXOGSLUNaXonqDI/h5fCkqTuZtLbE4q3Pf4PmQAwzWVWaTZQ1gXXqUqKlN6218Hm2vbvNRE/CBHuFMmaCz11jckvaPvcqBLZzRTx9b/Mi+qD6xT7k9RpYHmtaGCJ95ed1bY6SZkapgHWu88/3M6bxCzD0KOA3oFbwlkHkFyaGWFB2+fc7L6BfYq0wr/d84tQdOxEn3BwLTrVKo7+6AxDrMi0I+blD2nd9cxj - Modulus: 0x7e9a4784085e419bb5e70e49247e6827cbf4d99dd4e43755f3159581ee726ba0cddc4e4df332d7523d7f2163d190c551964ac99406aee6180e50c77f49a51369cb3c56ef045c31bc2a0eab86d4f45f6e52f35758b175738648b50d697a27a8323f8797c292a4ee66d2db138ab73dfe0f990030cd6556693650d605d7a94a8a94deb6d7c1e6daf6ef35113f0811ee14c99a0b3d758dc92f68fbdca812d9cd14f1f5bfcc8bea83eb14fb93d4696079ad686089f7979dd5b63a49991aa601d6bbcf3fdcce9bc42cc3d0a380de815bc25907905c9a196141dbe7dcecbe817d8ab4c2bfddf38b5074ec449f70702d3ad52a8efee80c43acc8b423e6e50f69ddf5cc63 - PublicExponent: 0x03 - # everything after this point is secret - PrivateExponent: 0x1519b69601650aef48fbd7b6db6a66b14ca8ceefa37b5e8e532e4395a7bdbc9accfa0d0cfdddce8db4ea8590a2ed763843b72198abc7d1040262cbea8c462de6f734b927d60f5d9f5c57c741237e0fe7b87de3e41d9393410c1e2ce6e9b146b30a96994b1870d2667879d8971e8a5502998008223b8e66de62ce564e9c37171893a0e8a94749590fef394b9deda1e73937b1c664d2e4764ae49572771130a097024380c258fa25f9083eefc5eabe762d8e856237bdd8ad8217f899688f70ac1f37650dc08bf3748b74a4f30873842fe27bdfbc49d0cb14c3861ff18b1219153ddb69e5bcb09ff691473a856e63e23d2f36389959f804e82b13a547decc7d6df7 - Prime1: 0xc11b8705063c662ee0a168b904bbd9c514025360c75e43e7c60c3c17846ede31bba328dfaf8abf513175f312a4263645db0f0797ca7f36d04f996680772264a63c1f76a2a2fe250aa0ca8e96122438bdd5b327e925742047f2b7d0fe3fa6ea07a10cd9a40f8994a95af505116131584c5fc247a7d69df08bfac1b5a23b7c157f - Prime2: 0xa7d5dcc534e67a60b918109b7b66cfad37de43b7d51025bfda4fbd30ee3a73362c879f1e251c47ed98a442b33bdcb2112e5aa2b160426e5d6a2c1bb22e104e6db75f0575d979e38146d89db8948500fad36b0875570b3f0ac5754440d14d4b47fa55b77b1d2b9033991c4a858256632759d22c80060d52957643aa8ed789231d - Exponent1: 0x80bd04ae0428441f406b9b260327e68362ac3795da3ed7efd95d7d6502f4942127c21b3fca5c7f8b764ea20c6d6eced93cb4afba86ff79e03510ef004f6c43197d6a4f17175418b1c08709b9616d7b2939221a9b6e4d6adaa1cfe0a97fc49c05160891180a5bb870e74e0360eb763add952c2fc539bea05d51d67916d252b8ff - Exponent2: 0x6fe3e8837899a6eb26100b1252448a737a942d2538b56e7fe6dfd375f426f779730514bec3682ff3bb182c777d3dcc0b743c6c76402c49939c1d67cc1eb5899e7a3f58f93ba697ab84906925b858ab51e2475af8e4b22a072e4e2d808b88dcdaa6e3cfa768c7b577bb6831ae56e4421a3be173000408e1b8f98271b48fb0c213 - Coefficient: 0x0a9ea0e995d8d635ac37b5d5f1121ecd4d6387262ea65ea969499ec4c7af9d7a79b256654bda5c972b6efaf5aba35d6790ce4db39258930488ddb2443d19c344312380bed3290f29f0ff5b0ce382622c849f3279f653a2b7c4cc8efbfc5098852fe39aee9da947e53ddfe58bb6b7bb02b693a1b1228dc0481b681d51865d0339 - } -# do not change the indenting of that "}" diff --git a/testing/tests/ikev1/net2net-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/net2net-rsa/hosts/moon/etc/strongswan.conf deleted file mode 100644 index c50c4c594..000000000 --- a/testing/tests/ikev1/net2net-rsa/hosts/moon/etc/strongswan.conf +++ /dev/null @@ -1,11 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -pluto { - load = sha1 sha2 md5 aes des hmac dnskey pkcs1 x509 gmp random curl kernel-netlink -} - -# pluto uses optimized DH exponent sizes (RFC 3526) - -libstrongswan { - dh_exponent_ansi_x9_42 = no -} diff --git a/testing/tests/ikev1/net2net-rsa/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/net2net-rsa/hosts/sun/etc/ipsec.conf deleted file mode 100755 index efd9c798a..000000000 --- a/testing/tests/ikev1/net2net-rsa/hosts/sun/etc/ipsec.conf +++ /dev/null @@ -1,24 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug=control - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - -conn net-net - left=PH_IP_SUN - leftsubnet=10.2.0.0/16 - leftid=@sun.strongswan.org - leftrsasigkey=0sAQOiSuR9e/WMZFOxK3IdaFBOT2DGoObFDJURejqLcjMpmY2yVbA9Lpc+AEGKxqjb37WG6sVo3fBCDBOAhgmMw9s0b6DTSeXaIQloqW1M8IC+xe1fT+F0BsW1ttaEN0WTF5H+J+a4/arYg4HyiA+sjoqHagnCVPM15Rm5mkmg913XmSCgtkenD4WUq+NfPLuOcggqTjHAAoGD0doswRa3sebyqHQNAb32PXW9ecKi9ExcPrdr5hR5uNXRMYGumBtoxcE6xEvCM/sPRK1hbyynixc5nfMQ5Ymb4mdCUotUGaCyKDa4pF58sYgP6xpd/HXMXGdRP+KxqA4sfes46gp8UuJT - leftfirewall=yes - right=PH_IP_MOON - rightsubnet=10.1.0.0/16 - rightid=@moon.strongswan.org - rightrsasigkey=0sAQN+mkeECF5Bm7XnDkkkfmgny/TZndTkN1XzFZWB7nJroM3cTk3zMtdSPX8hY9GQxVGWSsmUBq7mGA5Qx39JpRNpyzxW7wRcMbwqDquG1PRfblLzV1ixdXOGSLUNaXonqDI/h5fCkqTuZtLbE4q3Pf4PmQAwzWVWaTZQ1gXXqUqKlN6218Hm2vbvNRE/CBHuFMmaCz11jckvaPvcqBLZzRTx9b/Mi+qD6xT7k9RpYHmtaGCJ95ed1bY6SZkapgHWu88/3M6bxCzD0KOA3oFbwlkHkFyaGWFB2+fc7L6BfYq0wr/d84tQdOxEn3BwLTrVKo7+6AxDrMi0I+blD2nd9cxj - auto=add diff --git a/testing/tests/ikev1/net2net-rsa/hosts/sun/etc/ipsec.secrets b/testing/tests/ikev1/net2net-rsa/hosts/sun/etc/ipsec.secrets deleted file mode 100644 index bf976a8d3..000000000 --- a/testing/tests/ikev1/net2net-rsa/hosts/sun/etc/ipsec.secrets +++ /dev/null @@ -1,17 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: RSA { - # RSA 2048 bits sun.strongswan.org Wed Dec 8 21:44:27 2004 - # for signatures only, UNSAFE FOR ENCRYPTION - #pubkey=0sAQOiSuR9e/WMZFOxK3IdaFBOT2DGoObFDJURejqLcjMpmY2yVbA9Lpc+AEGKxqjb37WG6sVo3fBCDBOAhgmMw9s0b6DTSeXaIQloqW1M8IC+xe1fT+F0BsW1ttaEN0WTF5H+J+a4/arYg4HyiA+sjoqHagnCVPM15Rm5mkmg913XmSCgtkenD4WUq+NfPLuOcggqTjHAAoGD0doswRa3sebyqHQNAb32PXW9ecKi9ExcPrdr5hR5uNXRMYGumBtoxcE6xEvCM/sPRK1hbyynixc5nfMQ5Ymb4mdCUotUGaCyKDa4pF58sYgP6xpd/HXMXGdRP+KxqA4sfes46gp8UuJT - Modulus: 0xa24ae47d7bf58c6453b12b721d68504e4f60c6a0e6c50c95117a3a8b723329998db255b03d2e973e00418ac6a8dbdfb586eac568ddf0420c138086098cc3db346fa0d349e5da210968a96d4cf080bec5ed5f4fe17406c5b5b6d6843745931791fe27e6b8fdaad88381f2880fac8e8a876a09c254f335e519b99a49a0f75dd79920a0b647a70f8594abe35f3cbb8e72082a4e31c0028183d1da2cc116b7b1e6f2a8740d01bdf63d75bd79c2a2f44c5c3eb76be61479b8d5d13181ae981b68c5c13ac44bc233fb0f44ad616f2ca78b17399df310e5899be26742528b5419a0b22836b8a45e7cb1880feb1a5dfc75cc5c67513fe2b1a80e2c7deb38ea0a7c52e253 - PublicExponent: 0x03 - # everything after this point is secret - PrivateExponent: 0x04eaff2a9726789e3114e24946b595d3d3dc250ca22500619bae5edd701110c697b0121c9d01696e7c21043490c0d83bcdc90dbd5c0f09c24e2aaeba78a1162860793cb4a9dfd274a614a638a27081e6f7ad8e0e96e8eeb7ee448fa49580941bb25e4ccf4d814c611373f49ba061690bdc6ce6dbc94f357ce69811bf0f40e780b643cbe7e076031f234e842b41bc10fb2d359617c64b434cb3dd4d9add91dcbcaef9fba1fb6f217a8ad65bde553bd2792c939ea8b5c0591598e7291597609a779a088e36c1ebe15ebb5e9a7774d9d9cd90913030b88e215f9e66fe0daafb198a3bb9d4e6277b625460ede2d84ce7f3334bf641829c826dbc1549625377c517db - Prime1: 0xfee3308b1f16875eeb4ca7ba6a9b8f9279eceff06531aae2bb50d2ccbf7f2b0901f2c5e046856c54c338f4b79943f8ad6d20a97fe0a48786cd659aff3f55e3a8c4c09cad526975180d1c2905ba028b58dd05a71d3a268153fae62eb5e9fe9184b20f9fbd626b14054c4acd7e2de69934d91cbf239c7a63c9d2721cd466df26eb - Prime2: 0xa3003cd898c297323377adeed7b4b214dc78e8bf0d9c2c0bef54ed53686547971847d7400e1d8055149ef6425e5241f28b43c8d52b48d281ae4fc7d0589ef8ad9ae95a05e2298cf679135cc0dd7378611e363380852313bfdc259cdb2543d5d1d1b492f6035ec72a2025529c5dff6995ad64b1b7dec3a3755a512073a50ba839 - Exponent1: 0xa9eccb076a0f04e9f2331a7c47125fb6fbf34aa0437671ec7ce08c887faa1cb0abf72e958458f2e32cd0a32510d7fb1e48c070ffeb185a59de43bcaa2a394270832b131e36f0f8bab3681b5926ac5ce5e8ae6f68d16f00e2a7441f23f1546103215fbfd396f20d58dd8733a973ef10cde6132a17bda6ed3136f6bde2ef3f6f47 - Exponent2: 0x6caad33b1081ba2177a51e9f3a7876b892fb45d4b3bd72b29f8df38cf043850f65853a2ab413aae36314a42c3ee1814c5cd7db38c785e1abc98a85359069fb1e67463c03ec1bb34efb623dd5e8f7a59614242255ae17627fe819133cc3828e8be1230ca4023f2f716ac38c683eaa4663c8edcbcfe9d7c24e3c3615a26e07c57b - Coefficient: 0xbf865c3ed94693c7f16e04fd73929d7b4a3a296d6113eb9b01e87d5cf3be71afa2f838a5a82a97b55e8309025214312edefd3b77c989054bf28ec81bf3989d698671cb64eac9f016cc136f6ab78ce4d5d3837198eea5ec8ed057ba8e0e6f240a60202171f65be992d7bcd54ee0f803e5bd6b8385223b55440e095b28f01bbd0a - } -# do not change the indenting of that "}" diff --git a/testing/tests/ikev1/net2net-rsa/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/net2net-rsa/hosts/sun/etc/strongswan.conf deleted file mode 100644 index c50c4c594..000000000 --- a/testing/tests/ikev1/net2net-rsa/hosts/sun/etc/strongswan.conf +++ /dev/null @@ -1,11 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -pluto { - load = sha1 sha2 md5 aes des hmac dnskey pkcs1 x509 gmp random curl kernel-netlink -} - -# pluto uses optimized DH exponent sizes (RFC 3526) - -libstrongswan { - dh_exponent_ansi_x9_42 = no -} diff --git a/testing/tests/ikev1/net2net-rsa/posttest.dat b/testing/tests/ikev1/net2net-rsa/posttest.dat deleted file mode 100644 index 5a9150bc8..000000000 --- a/testing/tests/ikev1/net2net-rsa/posttest.dat +++ /dev/null @@ -1,4 +0,0 @@ -moon::ipsec stop -sun::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -sun::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev1/net2net-rsa/pretest.dat b/testing/tests/ikev1/net2net-rsa/pretest.dat deleted file mode 100644 index 9e40684ab..000000000 --- a/testing/tests/ikev1/net2net-rsa/pretest.dat +++ /dev/null @@ -1,8 +0,0 @@ -moon::/etc/init.d/iptables start 2> /dev/null -sun::/etc/init.d/iptables start 2> /dev/null -moon::rm /etc/ipsec.d/cacerts/* -sun::rm /etc/ipsec.d/cacerts/* -moon::ipsec start -sun::ipsec start -moon::sleep 2 -moon::ipsec up net-net diff --git a/testing/tests/ikev1/net2net-rsa/test.conf b/testing/tests/ikev1/net2net-rsa/test.conf deleted file mode 100644 index f74d0f7d6..000000000 --- a/testing/tests/ikev1/net2net-rsa/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# UML instances used for this test - -# All UML instances that are required for this test -# -UMLHOSTS="alice moon winnetou sun bob" - -# Corresponding block diagram -# -DIAGRAM="a-m-w-s-b.png" - -# UML instances on which tcpdump is to be started -# -TCPDUMPHOSTS="sun" - -# UML instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon sun" diff --git a/testing/tests/ikev1/net2net-same-nets/description.txt b/testing/tests/ikev1/net2net-same-nets/description.txt deleted file mode 100644 index d0eb3374f..000000000 --- a/testing/tests/ikev1/net2net-same-nets/description.txt +++ /dev/null @@ -1,15 +0,0 @@ -A connection between two identical <b>10.0.0.0/14</b> networks behind the gateways <b>moon</b> -and <b>sun</b> is set up. In order to make network routing work, the subnet behind <b>moon</b> -sees the subnet behind <b>sun</b> as <b>10.4.0.0/14</b> whereas the subnet behind <b>sun</b> -sees the subnet behind <b>moon</b> as <b>10.8.0.0/14</b>. The necessary network mappings are -done on gateway <b>sun</b> using the iptables <b>MARK</b> and <b>NETMAP</b> targets. -<p/> -Upon the successful establishment of the IPsec tunnel, on gateway <b>moon</b> the directive -<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass -the tunneled traffic whereas on gateway <b>sun</b> the script indicated by -<b>leftupdown=/etc/mark_updown</b> inserts iptables rules that set marks defined in the -connection definition of <b>ipsec.conf</b> both on the inbound and outbound traffic, create -the necessary NETMAP operations and forward the tunneled traffic. -<p/> -In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b> -pings client <b>bob</b> located behind gateway <b>sun</b> and vice versa. diff --git a/testing/tests/ikev1/net2net-same-nets/evaltest.dat b/testing/tests/ikev1/net2net-same-nets/evaltest.dat deleted file mode 100644 index b5ad0628e..000000000 --- a/testing/tests/ikev1/net2net-same-nets/evaltest.dat +++ /dev/null @@ -1,10 +0,0 @@ -moon::ipsec statusall::net-net.*IPsec SA established::YES -sun::ipsec statusall::net-net.*IPsec SA established::YES -alice::ping -c 1 10.6.0.10::64 bytes from 10.6.0.10: icmp_seq=1::YES -bob::ping -c 1 10.9.0.10::64 bytes from 10.9.0.10: icmp_seq=1::YES -sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES -sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES -bob::tcpdump::IP 10.9.0.10 > bob.strongswan.org: ICMP echo request::YES -bob::tcpdump::IP bob.strongswan.org > 10.9.0.10: ICMP echo reply::YES -bob::tcpdump::IP bob.strongswan.org > 10.9.0.10: ICMP echo request::YES -bob::tcpdump::IP 10.9.0.10 > bob.strongswan.org: ICMP echo reply::YES diff --git a/testing/tests/ikev1/net2net-same-nets/hosts/sun/etc/mark_updown b/testing/tests/ikev1/net2net-same-nets/hosts/sun/etc/mark_updown deleted file mode 100755 index 0bfdcad85..000000000 --- a/testing/tests/ikev1/net2net-same-nets/hosts/sun/etc/mark_updown +++ /dev/null @@ -1,376 +0,0 @@ -#! /bin/sh -# updown script setting inbound marks on ESP traffic in the mangle chain -# -# Copyright (C) 2003-2004 Nigel Meteringham -# Copyright (C) 2003-2004 Tuomo Soini -# Copyright (C) 2002-2004 Michael Richardson -# Copyright (C) 2005-2010 Andreas Steffen <andreas.steffen@strongswan.org> -# -# This program is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License as published by the -# Free Software Foundation; either version 2 of the License, or (at your -# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY -# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -# for more details. - -# CAUTION: Installing a new version of strongSwan will install a new -# copy of this script, wiping out any custom changes you make. If -# you need changes, make a copy of this under another name, and customize -# that, and use the (left/right)updown parameters in ipsec.conf to make -# strongSwan use yours instead of this default one. - -# things that this script gets (from ipsec_pluto(8) man page) -# -# PLUTO_VERSION -# indicates what version of this interface is being -# used. This document describes version 1.1. This -# is upwardly compatible with version 1.0. -# -# PLUTO_VERB -# specifies the name of the operation to be performed -# (prepare-host, prepare-client, up-host, up-client, -# down-host, or down-client). If the address family -# for security gateway to security gateway communica- -# tions is IPv6, then a suffix of -v6 is added to the -# verb. -# -# PLUTO_CONNECTION -# is the name of the connection for which we are -# routing. -# -# PLUTO_NEXT_HOP -# is the next hop to which packets bound for the peer -# must be sent. -# -# PLUTO_INTERFACE -# is the name of the ipsec interface to be used. -# -# PLUTO_REQID -# is the requid of the ESP policy -# -# PLUTO_ME -# is the IP address of our host. -# -# PLUTO_MY_ID -# is the ID of our host. -# -# PLUTO_MY_CLIENT -# is the IP address / count of our client subnet. If -# the client is just the host, this will be the -# host's own IP address / max (where max is 32 for -# IPv4 and 128 for IPv6). -# -# PLUTO_MY_CLIENT_NET -# is the IP address of our client net. If the client -# is just the host, this will be the host's own IP -# address. -# -# PLUTO_MY_CLIENT_MASK -# is the mask for our client net. If the client is -# just the host, this will be 255.255.255.255. -# -# PLUTO_MY_SOURCEIP -# if non-empty, then the source address for the route will be -# set to this IP address. -# -# PLUTO_MY_PROTOCOL -# is the IP protocol that will be transported. -# -# PLUTO_MY_PORT -# is the UDP/TCP port to which the IPsec SA is -# restricted on our side. -# -# PLUTO_PEER -# is the IP address of our peer. -# -# PLUTO_PEER_ID -# is the ID of our peer. -# -# PLUTO_PEER_CA -# is the CA which issued the cert of our peer. -# -# PLUTO_PEER_CLIENT -# is the IP address / count of the peer's client sub- -# net. If the client is just the peer, this will be -# the peer's own IP address / max (where max is 32 -# for IPv4 and 128 for IPv6). -# -# PLUTO_PEER_CLIENT_NET -# is the IP address of the peer's client net. If the -# client is just the peer, this will be the peer's -# own IP address. -# -# PLUTO_PEER_CLIENT_MASK -# is the mask for the peer's client net. If the -# client is just the peer, this will be -# 255.255.255.255. -# -# PLUTO_PEER_PROTOCOL -# is the IP protocol that will be transported. -# -# PLUTO_PEER_PORT -# is the UDP/TCP port to which the IPsec SA is -# restricted on the peer side. -# -# PLUTO_XAUTH_ID -# is an optional user ID employed by the XAUTH protocol -# -# PLUTO_MARK_IN -# is an optional XFRM mark set on the inbound IPsec SA -# -# PLUTO_MARK_OUT -# is an optional XFRM mark set on the outbound IPsec SA -# -# PLUTO_UDP_ENC -# contains the remote UDP port in the case of ESP_IN_UDP -# encapsulation -# - -# define a minimum PATH environment in case it is not set -PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin" -export PATH - -# check parameter(s) -case "$1:$*" in -':') # no parameters - ;; -iptables:iptables) # due to (left/right)firewall; for default script only - ;; -custom:*) # custom parameters (see above CAUTION comment) - ;; -*) echo "$0: unknown parameters \`$*'" >&2 - exit 2 - ;; -esac - -# utility functions for route manipulation -# Meddling with this stuff should not be necessary and requires great care. -uproute() { - doroute add - ip route flush cache -} -downroute() { - doroute delete - ip route flush cache -} - -addsource() { - st=0 - if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local - then - it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE" - oops="`eval $it 2>&1`" - st=$? - if test " $oops" = " " -a " $st" != " 0" - then - oops="silent error, exit status $st" - fi - if test " $oops" != " " -o " $st" != " 0" - then - echo "$0: addsource \`$it' failed ($oops)" >&2 - fi - fi - return $st -} - -doroute() { - st=0 - - if [ -z "$PLUTO_MY_SOURCEIP" ] - then - for dir in /etc/sysconfig /etc/conf.d; do - if [ -f "$dir/defaultsource" ] - then - . "$dir/defaultsource" - fi - done - - if [ -n "$DEFAULTSOURCE" ] - then - PLUTO_MY_SOURCEIP=$DEFAULTSOURCE - fi - fi - - if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ] - then - # leave because no route entry is required - return $st - fi - - parms1="$PLUTO_PEER_CLIENT" - - if [ -n "$PLUTO_NEXT_HOP" ] - then - parms2="via $PLUTO_NEXT_HOP" - else - parms2="via $PLUTO_PEER" - fi - parms2="$parms2 dev $PLUTO_INTERFACE" - - parms3= - if [ -n "$PLUTO_MY_SOURCEIP" ] - then - if test "$1" = "add" - then - addsource - if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE" - then - ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE - fi - fi - parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE" - fi - - case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in - "0.0.0.0/0.0.0.0") - # opportunistic encryption work around - # need to provide route that eclipses default, without - # replacing it. - it="ip route $1 0.0.0.0/1 $parms2 $parms3 && - ip route $1 128.0.0.0/1 $parms2 $parms3" - ;; - *) it="ip route $1 $parms1 $parms2 $parms3" - ;; - esac - oops="`eval $it 2>&1`" - st=$? - if test " $oops" = " " -a " $st" != " 0" - then - oops="silent error, exit status $st" - fi - if test " $oops" != " " -o " $st" != " 0" - then - echo "$0: doroute \`$it' failed ($oops)" >&2 - fi - return $st -} -# define NETMAP -SAME_NET=$PLUTO_PEER_CLIENT -IN_NET=$PLUTO_MY_CLIENT -OUT_NET="10.8.0.0/14" - -# define internal interface -INT_INTERFACE="eth1" - -# is there an inbound mark to be set? -if [ -n "$PLUTO_MARK_IN" ] -then - if [ -n "$PLUTO_UDP_ENC" ] - then - SET_MARK_IN="-p udp --sport $PLUTO_UDP_ENC" - else - SET_MARK_IN="-p esp" - fi - SET_MARK_IN="$SET_MARK_IN -s $PLUTO_PEER -j MARK --set-mark $PLUTO_MARK_IN" -fi - -# is there an outbound mark to be set? -if [ -n "$PLUTO_MARK_OUT" ] -then - SET_MARK_OUT="-i $INT_INTERFACE -s $SAME_NET -d $OUT_NET -j MARK --set-mark $PLUTO_MARK_OUT" -fi - -# resolve octal escape sequences -PLUTO_MY_ID=`printf "$PLUTO_MY_ID"` -PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"` - -# the big choice -case "$PLUTO_VERB:$1" in -prepare-host:*|prepare-client:*) - if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ] - then - # exit because no route will be added, - # so that existing routes can stay - exit 0 - fi - - # delete possibly-existing route (preliminary to adding a route) - case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in - "0.0.0.0/0.0.0.0") - # need to provide route that eclipses default, without - # replacing it. - parms1="0.0.0.0/1" - parms2="128.0.0.0/1" - it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1" - oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`" - ;; - *) - parms="$PLUTO_PEER_CLIENT" - it="ip route delete $parms 2>&1" - oops="`ip route delete $parms 2>&1`" - ;; - esac - status="$?" - if test " $oops" = " " -a " $status" != " 0" - then - oops="silent error, exit status $status" - fi - case "$oops" in - *'RTNETLINK answers: No such process'*) - # This is what route (currently -- not documented!) gives - # for "could not find such a route". - oops= - status=0 - ;; - esac - if test " $oops" != " " -o " $status" != " 0" - then - echo "$0: \`$it' failed ($oops)" >&2 - fi - exit $status - ;; -route-host:*|route-client:*) - # connection to me or my client subnet being routed - uproute - ;; -unroute-host:*|unroute-client:*) - # connection to me or my client subnet being unrouted - downroute - ;; -up-client:) - # connection to my client subnet coming up - # If you are doing a custom version, firewall commands go here. - if [ -n "$PLUTO_MARK_IN" ] - then - iptables -t mangle -A PREROUTING $SET_MARK_IN - iptables -t nat -A PREROUTING -i $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_IN \ - -d $IN_NET -j NETMAP --to $SAME_NET - iptables -I FORWARD 1 -i $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_IN -j ACCEPT - iptables -t nat -A POSTROUTING -o $INT_INTERFACE -m mark --mark $PLUTO_MARK_IN \ - -s $SAME_NET -j NETMAP --to $OUT_NET - fi - if [ -n "$PLUTO_MARK_OUT" ] - then - iptables -t mangle -A PREROUTING $SET_MARK_OUT - iptables -t nat -A PREROUTING -i $INT_INTERFACE -m mark --mark $PLUTO_MARK_OUT \ - -d $OUT_NET -j NETMAP --to $SAME_NET - iptables -I FORWARD 1 -o $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_OUT -j ACCEPT - iptables -t nat -A POSTROUTING -o $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_OUT \ - -s $SAME_NET -j NETMAP --to $IN_NET - fi - ;; -down-client:) - # connection to my client subnet going down - # If you are doing a custom version, firewall commands go here. - if [ -n "$PLUTO_MARK_IN" ] - then - iptables -t mangle -D PREROUTING $SET_MARK_IN - iptables -t nat -D PREROUTING -i $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_IN \ - -d $IN_NET -j NETMAP --to $SAME_NET - iptables -D FORWARD -i $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_IN -j ACCEPT - iptables -t nat -D POSTROUTING -o eth1 -m mark --mark $PLUTO_MARK_IN \ - -s $SAME_NET -j NETMAP --to $OUT_NET - fi - if [ -n "$PLUTO_MARK_OUT" ] - then - iptables -t mangle -D PREROUTING $SET_MARK_OUT - iptables -D FORWARD -o $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_OUT -j ACCEPT - fi - ;; -*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2 - exit 1 - ;; -esac diff --git a/testing/tests/ikev1/net2net-same-nets/posttest.dat b/testing/tests/ikev1/net2net-same-nets/posttest.dat deleted file mode 100644 index e75e66650..000000000 --- a/testing/tests/ikev1/net2net-same-nets/posttest.dat +++ /dev/null @@ -1,7 +0,0 @@ -sun::iptables -t mangle -n -v -L PREROUTING -sun::iptables -t nat -n -v -L -moon::ipsec stop -sun::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -sun::/etc/init.d/iptables stop 2> /dev/null -sun::conntrack -F diff --git a/testing/tests/ikev1/net2net-same-nets/pretest.dat b/testing/tests/ikev1/net2net-same-nets/pretest.dat deleted file mode 100644 index 2d7a78acb..000000000 --- a/testing/tests/ikev1/net2net-same-nets/pretest.dat +++ /dev/null @@ -1,6 +0,0 @@ -moon::/etc/init.d/iptables start 2> /dev/null -sun::/etc/init.d/iptables start 2> /dev/null -moon::ipsec start -sun::ipsec start -moon::sleep 1 -moon::ipsec up net-net diff --git a/testing/tests/ikev1/net2net-same-nets/test.conf b/testing/tests/ikev1/net2net-same-nets/test.conf deleted file mode 100644 index 1971a33ab..000000000 --- a/testing/tests/ikev1/net2net-same-nets/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# UML instances used for this test - -# All UML instances that are required for this test -# -UMLHOSTS="alice moon winnetou sun bob" - -# Corresponding block diagram -# -DIAGRAM="a-m-w-s-b.png" - -# UML instances on which tcpdump is to be started -# -TCPDUMPHOSTS="sun bob" - -# UML instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon sun" diff --git a/testing/tests/ikev1/net2net-start/description.txt b/testing/tests/ikev1/net2net-start/description.txt deleted file mode 100644 index f5320685e..000000000 --- a/testing/tests/ikev1/net2net-start/description.txt +++ /dev/null @@ -1,8 +0,0 @@ -A tunnel connecting the subnets behind the gateways <b>moon</b> and <b>sun</b>, -respectively, is automatically established by means of the setting -<b>auto=start</b> in ipsec.conf. The connection is tested by client <b>alice</b> -behind gateway <b>moon</b> pinging the client <b>bob</b> located behind -gateway <b>sun</b>. -<p> -<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules -that let pass the tunneled traffic. diff --git a/testing/tests/ikev1/net2net-start/evaltest.dat b/testing/tests/ikev1/net2net-start/evaltest.dat deleted file mode 100644 index 7cbf92687..000000000 --- a/testing/tests/ikev1/net2net-start/evaltest.dat +++ /dev/null @@ -1,5 +0,0 @@ -moon::ipsec status::net-net.*STATE_QUICK_I2.*IPsec SA established::YES -sun::ipsec status::net-net.*STATE_QUICK_R2.*IPsec SA established::YES -alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES -sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES -sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ikev1/net2net-start/posttest.dat b/testing/tests/ikev1/net2net-start/posttest.dat deleted file mode 100644 index 5a9150bc8..000000000 --- a/testing/tests/ikev1/net2net-start/posttest.dat +++ /dev/null @@ -1,4 +0,0 @@ -moon::ipsec stop -sun::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -sun::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev1/net2net-start/pretest.dat b/testing/tests/ikev1/net2net-start/pretest.dat deleted file mode 100644 index f0c5bcec6..000000000 --- a/testing/tests/ikev1/net2net-start/pretest.dat +++ /dev/null @@ -1,5 +0,0 @@ -moon::/etc/init.d/iptables start 2> /dev/null -sun::/etc/init.d/iptables start 2> /dev/null -moon::ipsec start -sun::ipsec start -alice::sleep 20 diff --git a/testing/tests/ikev1/net2net-start/test.conf b/testing/tests/ikev1/net2net-start/test.conf deleted file mode 100644 index d9a61590f..000000000 --- a/testing/tests/ikev1/net2net-start/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# UML instances used for this test - -# All UML instances that are required for this test -# -UMLHOSTS="alice moon winnetou sun bob" - -# Corresponding block diagram -# -DIAGRAM="a-m-w-s-b.png" - -# UML instances on which tcpdump is to be started -# -TCPDUMPHOSTS="sun" - -# UML instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon sun" diff --git a/testing/tests/ikev1/no-priv-key/description.txt b/testing/tests/ikev1/no-priv-key/description.txt deleted file mode 100644 index 21b8eccb1..000000000 --- a/testing/tests/ikev1/no-priv-key/description.txt +++ /dev/null @@ -1,4 +0,0 @@ -This scenario tests whether the correct encrypted informational messages are -generated by the initiator <b>carol</b> and subsequently decoded by the -responder <b>moon</b> when roadwarrior <b>carol</b> finds out that she -doesn't have a private RSA key to sign her hash with. diff --git a/testing/tests/ikev1/no-priv-key/evaltest.dat b/testing/tests/ikev1/no-priv-key/evaltest.dat deleted file mode 100644 index e5a8de0b9..000000000 --- a/testing/tests/ikev1/no-priv-key/evaltest.dat +++ /dev/null @@ -1,3 +0,0 @@ -carol::cat /var/log/auth.log::unable to locate my private key::YES -moon::ipsec status::rw.*STATE_MAIN_R3.*ISAKMP SA established::NO -carol::ipsec status::home.*STATE_MAIN_I4.*ISAKMP SA established::NO diff --git a/testing/tests/ikev1/no-priv-key/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/no-priv-key/hosts/carol/etc/ipsec.secrets deleted file mode 100644 index 23b311aa6..000000000 --- a/testing/tests/ikev1/no-priv-key/hosts/carol/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -# missing private RSA key diff --git a/testing/tests/ikev1/no-priv-key/posttest.dat b/testing/tests/ikev1/no-priv-key/posttest.dat deleted file mode 100644 index c6d6235f9..000000000 --- a/testing/tests/ikev1/no-priv-key/posttest.dat +++ /dev/null @@ -1,2 +0,0 @@ -moon::ipsec stop -carol::ipsec stop diff --git a/testing/tests/ikev1/no-priv-key/pretest.dat b/testing/tests/ikev1/no-priv-key/pretest.dat deleted file mode 100644 index d92333d86..000000000 --- a/testing/tests/ikev1/no-priv-key/pretest.dat +++ /dev/null @@ -1,4 +0,0 @@ -moon::ipsec start -carol::ipsec start -carol::sleep 2 -carol::ipsec up home diff --git a/testing/tests/ikev1/no-priv-key/test.conf b/testing/tests/ikev1/no-priv-key/test.conf deleted file mode 100644 index 2b240d895..000000000 --- a/testing/tests/ikev1/no-priv-key/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# UML instances used for this test - -# All UML instances that are required for this test -# -UMLHOSTS="moon carol winnetou" - -# Corresponding block diagram -# -DIAGRAM="m-c-w.png" - -# UML instances on which tcpdump is to be started -# -TCPDUMPHOSTS="" - -# UML instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev1/ocsp-revoked/description.txt b/testing/tests/ikev1/ocsp-revoked/description.txt deleted file mode 100644 index cbdd1305a..000000000 --- a/testing/tests/ikev1/ocsp-revoked/description.txt +++ /dev/null @@ -1,7 +0,0 @@ -By setting <b>strictcrlpolicy=yes</b> a <b>strict CRL policy</b> is enforced on -both roadwarrior <b>carol</b> and gateway <b>moon</b>. Thus when <b>carol</b> initiates -the connection and no current revocation information is available, the Main Mode -negotiation fails but an OCSP request issued to the OCSP server <b>winnetou</b>. -When the second Main Mode trial comes around the OCSP response will be available -but because the certificate presented by carol has been revoked, -the IKE negotatiation will fail.. diff --git a/testing/tests/ikev1/ocsp-revoked/evaltest.dat b/testing/tests/ikev1/ocsp-revoked/evaltest.dat deleted file mode 100644 index f5286cb61..000000000 --- a/testing/tests/ikev1/ocsp-revoked/evaltest.dat +++ /dev/null @@ -1,6 +0,0 @@ -moon::cat /var/log/auth.log::X.509 certificate rejected::YES -moon::cat /var/log/auth.log::certificate was revoked::YES -carol::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES -moon::ipsec listocsp:: revoked::YES -moon::ipsec status::rw.*STATE_MAIN_R3.*ISAKMP SA established::NO -carol::ipsec status::home.*STATE_MAIN_I4.*ISAKMP SA established::NO diff --git a/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.conf deleted file mode 100755 index a62964829..000000000 --- a/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,28 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=yes - charonstart=no - -ca strongswan - cacert=strongswanCert.pem - ocspuri=http://ocsp.strongswan.org:8880 - auto=add - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - left=PH_IP_CAROL - leftcert=carolRevokedCert.pem - leftid=carol@strongswan.org - -conn home - right=PH_IP_MOON - rightsubnet=10.1.0.0/16 - rightid=@moon.strongswan.org - auto=add diff --git a/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.d/certs/carolRevokedCert.pem b/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.d/certs/carolRevokedCert.pem deleted file mode 100644 index a92610c4f..000000000 --- a/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.d/certs/carolRevokedCert.pem +++ /dev/null @@ -1,25 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEIjCCAwqgAwIBAgIBGzANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ -MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS -b290IENBMB4XDTA5MDgyNzEwMzEwNloXDTE0MDgyNjEwMzEwNlowWjELMAkGA1UE -BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh -cmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcN -AQEBBQADggEPADCCAQoCggEBAOHh/BBf9VwUbx3IU2ZvKJylwCUP2Gr40Velcexr -lR1PoK3nwZrJxxfhhxrxdx7Wnt/PDiF2eyzA9U4cOyS1zPpWuRt69PEOWfzQJZkD -e5C6bXZMHwJGaCM0h8EugnwI7/XgbEq8U/1PBwIeFh8xSyIwyn8NqyHWm+6haFZG -Urz7y0ZOAYcX5ZldP8vjm2SyAl0hPlod0ypk2K1igmO8w3cRRFqD27XhztgIJyoi -+BO3umc+BXcpPGoZ7IFaXvHcMVECrxbkrvRdpKiz/4+u8FakQJtBmYuqP2TLodRJ -TKSJ4UvIPXZ8DTEYC/Ja/wrm1hNfH4T3YjWGT++lVbYF7qECAwEAAaOCAQYwggEC -MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBQRnt9aYXsi/fgMXGVh -ZpTfg8kSYjBtBgNVHSMEZjBkgBRdp91wBlEyfue2bbO15eBg6i5N76FJpEcwRTEL -MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT -EnN0cm9uZ1N3YW4gUm9vdCBDQYIBADAfBgNVHREEGDAWgRRjYXJvbEBzdHJvbmdz -d2FuLm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4u -b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBBAUAA4IBAQCY2EMqkuhtAls/ -jkjXm+sI5YVglE62itSYgJxKZhxoFn3l4Afc6+XBeftK8Y1IjXdeyQUg8qHhkctl -nBiEzRCClporCOXl5hOzWi+ft2hyKgcx8mFB8Qw5ZE9z8dvY70jdPCB4cH5EVaiC -6ElGcI02iO073iCe38b3rmpwfnkIWZ0FVjSFSsTiNPLXWH6m6tt9Gux/PFuLff4a -cdGfEGs01DEp9t0bHqZd6ESf2rEUljT57i9wSBfT5ULj78VTgudw/WhB0CgiXD+f -q2dZC/19B8Xmk6XmEpRQjFK6wFmfBiQdelJo17/8M4LdT/RfvTHJOxr2OAtvCm2Z -0xafBd5x ------END CERTIFICATE----- diff --git a/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.d/private/carolRevokedKey.pem b/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.d/private/carolRevokedKey.pem deleted file mode 100644 index 60e7fdfa9..000000000 --- a/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.d/private/carolRevokedKey.pem +++ /dev/null @@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEpQIBAAKCAQEA4eH8EF/1XBRvHchTZm8onKXAJQ/YavjRV6Vx7GuVHU+grefB -msnHF+GHGvF3Htae388OIXZ7LMD1Thw7JLXM+la5G3r08Q5Z/NAlmQN7kLptdkwf -AkZoIzSHwS6CfAjv9eBsSrxT/U8HAh4WHzFLIjDKfw2rIdab7qFoVkZSvPvLRk4B -hxflmV0/y+ObZLICXSE+Wh3TKmTYrWKCY7zDdxFEWoPbteHO2AgnKiL4E7e6Zz4F -dyk8ahnsgVpe8dwxUQKvFuSu9F2kqLP/j67wVqRAm0GZi6o/ZMuh1ElMpInhS8g9 -dnwNMRgL8lr/CubWE18fhPdiNYZP76VVtgXuoQIDAQABAoIBAQCbF5UAkUJgdM9O -fat128DgvZXOXLDV0f261igAkmWR+Ih0n3n5E64VoY4oW77Ud7wiI4KqSzWLpvlH -Jm8dZ45UHJOAYM4pbRcwVKJcC14eI0LhRKbN4xXBhmHnrE1/aIuKIQt5zRFGDarc -M1gxFqFl2mZPEk18MGRkVoLTKfnJMzdHI1m0IAMwg3Rl9cmuVdkhTS+IAoULVNnI -0iAOsFN8SdDaKBqRcPkypT5s4wjGH4s7zjW4PmEDwDhhfeHkVccCuH8n3un1bPT2 -oc73RSXdCYMgDTD3waXC+4cCQGPZmUCl6Mfq7YCECkUpUg6rHlaCYRSZZoQPf5vH -VsBUvjABAoGBAPHSnJOL6tcqJCCZ27E3zIsmZ+d6dX4B/YN1Xk3vKHhavN5Ks6Gx -ZCsaluMuB2qyBRrpKnSAz6lUQ1TOxzuphlVIX1EnLW+JvNgFyem9PARsP2SMsKqm -VaqnId6pprdbP53NpL9Z7AsbS/i/Ab6WpVPyYHdqVsimCdRGK9/JlOnBAoGBAO8g -I4a4dJKiwHBHyP6wkYrhWdYwmjTJlskNNjrvtn7bCJ/Lm0SaGFXKIHCExnenZji0 -bBp3XiFNPlPfjTaXG++3IH6fxYdHonsrkxbUHvGAVETmHVLzeFiAKuUBvrWuKecD -yoywVenugORQIPal3AcLwPsVRfDU89tTQhiFq3zhAoGBAIqmfy/54URM3Tnz/Yq2 -u4htFNYb2JHPAlQFT3TP0xxuqiuqGSR0WUJ9lFXdZlM+jr7HQZha4rXrok9V39XN -dUAgpsYY+GwjRSt25jYmUesXRaGZKRIvHJ8kBL9t9jDbGLaZ2gP8wuH7XKvamF12 -coSXS8gsKGYTDT+wnCdLpR4BAoGAFwuV4Ont8iPVP/zrFgCWRjgpnEba1bOH4KBx -VYS8pcUeM6g/soDXT41HSxDAv89WPqjEslhGrhbvps2oolY1zwhrDUkAlGUG96/f -YRfYU5X2iR1UPiZQttbDS4a7hm7egvEOmDh2TzE5IsfGJX8ekV9Ene4S637acYy4 -lfxr5oECgYEAzRuvh6aG7UmKwNTfatEKav7/gUH3QBGK+Pp3TPSmR5PKh/Pk4py6 -95bT4mHrKCBIfSv/8h+6baYZr9Ha1Oj++J94RXEi8wdjjl1w3LGQrM/X+0AVqn5P -b5w1nvRK7bMikIXbZmPJmivrfChcjD21gvWeF6Osq8McWF8jW2HzrZw= ------END RSA PRIVATE KEY----- diff --git a/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.secrets deleted file mode 100644 index 8e31be4cb..000000000 --- a/testing/tests/ikev1/ocsp-revoked/hosts/carol/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: RSA carolRevokedKey.pem diff --git a/testing/tests/ikev1/ocsp-revoked/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/ocsp-revoked/hosts/moon/etc/ipsec.conf deleted file mode 100755 index cd2ab0aca..000000000 --- a/testing/tests/ikev1/ocsp-revoked/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,39 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=yes - charonstart=no - -ca strongswan - cacert=strongswanCert.pem - ocspuri=http://ocsp.strongswan.org:8880 - auto=add - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - -conn net-net - leftsubnet=10.1.0.0/16 - right=PH_IP_SUN - rightsubnet=10.2.0.0/16 - rightid=@sun.strongswan.org - auto=add - -conn host-host - right=PH_IP_SUN - rightid=@sun.strongswan.org - auto=add - -conn rw - leftsubnet=10.1.0.0/16 - right=%any - auto=add diff --git a/testing/tests/ikev1/ocsp-revoked/posttest.dat b/testing/tests/ikev1/ocsp-revoked/posttest.dat deleted file mode 100644 index d742e8410..000000000 --- a/testing/tests/ikev1/ocsp-revoked/posttest.dat +++ /dev/null @@ -1,4 +0,0 @@ -moon::ipsec stop -carol::ipsec stop -carol::rm /etc/ipsec.d/private/* -carol::rm /etc/ipsec.d/certs/* diff --git a/testing/tests/ikev1/ocsp-revoked/pretest.dat b/testing/tests/ikev1/ocsp-revoked/pretest.dat deleted file mode 100644 index d92333d86..000000000 --- a/testing/tests/ikev1/ocsp-revoked/pretest.dat +++ /dev/null @@ -1,4 +0,0 @@ -moon::ipsec start -carol::ipsec start -carol::sleep 2 -carol::ipsec up home diff --git a/testing/tests/ikev1/ocsp-revoked/test.conf b/testing/tests/ikev1/ocsp-revoked/test.conf deleted file mode 100644 index 2b240d895..000000000 --- a/testing/tests/ikev1/ocsp-revoked/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# UML instances used for this test - -# All UML instances that are required for this test -# -UMLHOSTS="moon carol winnetou" - -# Corresponding block diagram -# -DIAGRAM="m-c-w.png" - -# UML instances on which tcpdump is to be started -# -TCPDUMPHOSTS="" - -# UML instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev1/ocsp-strict/description.txt b/testing/tests/ikev1/ocsp-strict/description.txt deleted file mode 100644 index 7cb983140..000000000 --- a/testing/tests/ikev1/ocsp-strict/description.txt +++ /dev/null @@ -1,6 +0,0 @@ -By setting <b>strictcrlpolicy=yes</b> a <b>strict CRL policy</b> is enforced on -both roadwarrior <b>carol</b> and gateway <b>moon</b>. Thus when <b>carol</b> initiates -the connection and no current revocation information is available, the Main Mode -negotiation fails but an OCSP request is issued to the OCSP server <b>winnetou</b>. -When the second Main Mode trial comes around, the OCSP response will be available -and the IKE negotiation completes. diff --git a/testing/tests/ikev1/ocsp-strict/evaltest.dat b/testing/tests/ikev1/ocsp-strict/evaltest.dat deleted file mode 100644 index 66b27aaac..000000000 --- a/testing/tests/ikev1/ocsp-strict/evaltest.dat +++ /dev/null @@ -1,8 +0,0 @@ -moon::cat /var/log/auth.log::X.509 certificate rejected::YES -carol::cat /var/log/auth.log::X.509 certificate rejected::YES -moon::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES -carol::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES -moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES -carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES -moon::ipsec listocsp:: good::YES -carol::ipsec listocsp:: good::YES diff --git a/testing/tests/ikev1/ocsp-strict/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/ocsp-strict/hosts/carol/etc/ipsec.conf deleted file mode 100755 index c79b1c3e2..000000000 --- a/testing/tests/ikev1/ocsp-strict/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,28 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=yes - charonstart=no - -ca strongswan - cacert=strongswanCert.pem - ocspuri=http://ocsp.strongswan.org:8880 - auto=add - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - left=PH_IP_CAROL - leftcert=carolCert.pem - leftid=carol@strongswan.org - -conn home - right=PH_IP_MOON - rightsubnet=10.1.0.0/16 - rightid=@moon.strongswan.org - auto=add diff --git a/testing/tests/ikev1/ocsp-strict/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/ocsp-strict/hosts/moon/etc/ipsec.conf deleted file mode 100755 index cd2ab0aca..000000000 --- a/testing/tests/ikev1/ocsp-strict/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,39 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=yes - charonstart=no - -ca strongswan - cacert=strongswanCert.pem - ocspuri=http://ocsp.strongswan.org:8880 - auto=add - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - -conn net-net - leftsubnet=10.1.0.0/16 - right=PH_IP_SUN - rightsubnet=10.2.0.0/16 - rightid=@sun.strongswan.org - auto=add - -conn host-host - right=PH_IP_SUN - rightid=@sun.strongswan.org - auto=add - -conn rw - leftsubnet=10.1.0.0/16 - right=%any - auto=add diff --git a/testing/tests/ikev1/ocsp-strict/posttest.dat b/testing/tests/ikev1/ocsp-strict/posttest.dat deleted file mode 100644 index c6d6235f9..000000000 --- a/testing/tests/ikev1/ocsp-strict/posttest.dat +++ /dev/null @@ -1,2 +0,0 @@ -moon::ipsec stop -carol::ipsec stop diff --git a/testing/tests/ikev1/ocsp-strict/pretest.dat b/testing/tests/ikev1/ocsp-strict/pretest.dat deleted file mode 100644 index d92333d86..000000000 --- a/testing/tests/ikev1/ocsp-strict/pretest.dat +++ /dev/null @@ -1,4 +0,0 @@ -moon::ipsec start -carol::ipsec start -carol::sleep 2 -carol::ipsec up home diff --git a/testing/tests/ikev1/ocsp-strict/test.conf b/testing/tests/ikev1/ocsp-strict/test.conf deleted file mode 100644 index 2b240d895..000000000 --- a/testing/tests/ikev1/ocsp-strict/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# UML instances used for this test - -# All UML instances that are required for this test -# -UMLHOSTS="moon carol winnetou" - -# Corresponding block diagram -# -DIAGRAM="m-c-w.png" - -# UML instances on which tcpdump is to be started -# -TCPDUMPHOSTS="" - -# UML instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev1/passthrough/description.txt b/testing/tests/ikev1/passthrough/description.txt deleted file mode 100644 index 145c5b79c..000000000 --- a/testing/tests/ikev1/passthrough/description.txt +++ /dev/null @@ -1,6 +0,0 @@ -All IP traffic from the subnet behind the gateway <b>moon</b> is tunneled -to the gateway <b>sun</b> using the 0.0.0.0/0 network mask. In order -to prevent local subnet traffic from escaping through the tunnel, a -passthrough policy for the 10.1.0.0/16 network is inserted on <b>moon</b>. -A series of internal and external pings verifies the correct -functioning of the setup. diff --git a/testing/tests/ikev1/passthrough/evaltest.dat b/testing/tests/ikev1/passthrough/evaltest.dat deleted file mode 100644 index 942222f08..000000000 --- a/testing/tests/ikev1/passthrough/evaltest.dat +++ /dev/null @@ -1,9 +0,0 @@ -moon::ipsec status::net-net.*STATE_QUICK_I2.*IPsec SA established::YES -sun::ipsec status::net-net.*STATE_QUICK_R2.*IPsec SA established::YES -alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES -alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES -alice::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_seq=1::YES -moon::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES -moon::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES -sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ikev1/passthrough/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/passthrough/hosts/moon/etc/ipsec.conf deleted file mode 100755 index 25eec2a3e..000000000 --- a/testing/tests/ikev1/passthrough/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,33 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - left=PH_IP_MOON - leftsubnet=10.1.0.0/16 - right=PH_IP_SUN - -conn net-net - rightsubnet=0.0.0.0/0 - rightid=@sun.strongswan.org - leftid=@moon.strongswan.org - leftcert=moonCert.pem - leftsourceip=10.1.0.1 - leftfirewall=yes - lefthostaccess=yes - auto=add - -conn pass - rightsubnet=10.1.0.0/16 - type=passthrough - authby=never - auto=route diff --git a/testing/tests/ikev1/passthrough/posttest.dat b/testing/tests/ikev1/passthrough/posttest.dat deleted file mode 100644 index db17f4c65..000000000 --- a/testing/tests/ikev1/passthrough/posttest.dat +++ /dev/null @@ -1,6 +0,0 @@ -moon::ipsec stop -sun::ipsec stop -moon::ip route flush table 50 -moon::ip rule del table 50 -moon::/etc/init.d/iptables stop 2> /dev/null -sun::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev1/passthrough/pretest.dat b/testing/tests/ikev1/passthrough/pretest.dat deleted file mode 100644 index 6b5295469..000000000 --- a/testing/tests/ikev1/passthrough/pretest.dat +++ /dev/null @@ -1,11 +0,0 @@ -moon::/etc/init.d/iptables start 2> /dev/null -sun::/etc/init.d/iptables start 2> /dev/null -moon::iptables -I INPUT -i eth1 -s 10.1.0.0/16 -j ACCEPT -moon::iptables -I OUTPUT -o eth1 -d 10.1.0.0/16 -j ACCEPT -moon::ip rule add pref 50 table 50 -moon::ip route add 192.168.0.254 via PH_IP_MOON table 50 -moon::ip route add 10.1.0.0/16 via PH_IP_MOON1 table 50 -moon::ipsec start -sun::ipsec start -moon::sleep 2 -moon::ipsec up net-net diff --git a/testing/tests/ikev1/passthrough/test.conf b/testing/tests/ikev1/passthrough/test.conf deleted file mode 100644 index d9a61590f..000000000 --- a/testing/tests/ikev1/passthrough/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# UML instances used for this test - -# All UML instances that are required for this test -# -UMLHOSTS="alice moon winnetou sun bob" - -# Corresponding block diagram -# -DIAGRAM="a-m-w-s-b.png" - -# UML instances on which tcpdump is to be started -# -TCPDUMPHOSTS="sun" - -# UML instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon sun" diff --git a/testing/tests/ikev1/protoport-dual/evaltest.dat b/testing/tests/ikev1/protoport-dual/evaltest.dat index 11c34929f..cf45f3b52 100644 --- a/testing/tests/ikev1/protoport-dual/evaltest.dat +++ b/testing/tests/ikev1/protoport-dual/evaltest.dat @@ -1,7 +1,9 @@ -carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES -moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES +carol::ipsec status 2> /dev/null::home-icmp.*INSTALLED, TUNNEL::YES +carol::ipsec status 2> /dev/null::home-ssh.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw-icmp.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw-ssh.*INSTALLED, TUNNEL::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES carol::ssh -o ConnectTimeout=5 PH_IP_ALICE hostname::alice::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/ikev1/protoport-dual/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/protoport-dual/hosts/carol/etc/ipsec.conf index 48df689af..37eb67d51 100755..100644 --- a/testing/tests/ikev1/protoport-dual/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/protoport-dual/hosts/carol/etc/ipsec.conf @@ -1,10 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev1/protoport-dual/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/protoport-dual/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..dc937641c --- /dev/null +++ b/testing/tests/ikev1/protoport-dual/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ikev1/protoport-dual/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/protoport-dual/hosts/moon/etc/ipsec.conf index c4bfebda1..26c6882f5 100755..100644 --- a/testing/tests/ikev1/protoport-dual/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/protoport-dual/hosts/moon/etc/ipsec.conf @@ -1,10 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev1/protoport-dual/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/protoport-dual/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..dc937641c --- /dev/null +++ b/testing/tests/ikev1/protoport-dual/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ikev1/protoport-dual/posttest.dat b/testing/tests/ikev1/protoport-dual/posttest.dat index 94a400606..046d4cfdc 100644 --- a/testing/tests/ikev1/protoport-dual/posttest.dat +++ b/testing/tests/ikev1/protoport-dual/posttest.dat @@ -1,4 +1,4 @@ moon::ipsec stop carol::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev1/protoport-dual/pretest.dat b/testing/tests/ikev1/protoport-dual/pretest.dat index d3d0061c3..efb2e5712 100644 --- a/testing/tests/ikev1/protoport-dual/pretest.dat +++ b/testing/tests/ikev1/protoport-dual/pretest.dat @@ -1,5 +1,5 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start carol::sleep 2 diff --git a/testing/tests/ikev1/protoport-dual/test.conf b/testing/tests/ikev1/protoport-dual/test.conf index 9cd583b16..4a5fc470f 100644 --- a/testing/tests/ikev1/protoport-dual/test.conf +++ b/testing/tests/ikev1/protoport-dual/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon carol winnetou" +VIRTHOSTS="alice moon carol winnetou" # Corresponding block diagram # DIAGRAM="a-m-c-w.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev1/protoport-pass/description.txt b/testing/tests/ikev1/protoport-pass/description.txt deleted file mode 100644 index 63744fa47..000000000 --- a/testing/tests/ikev1/protoport-pass/description.txt +++ /dev/null @@ -1,13 +0,0 @@ -The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>. -Using the <b>left|rightprotoport</b> selectors, the IPsec tunnel is -restricted to the ICMP protocol. Upon the successful establishment of the -IPsec tunnel, <b>firewall=yes</b> automatically inserts iptables-based -firewall rules that let pass the tunneled ICMP traffic. In order to test -both tunnel and firewall, <b>carol</b> pings the client <b>alice</b> behind -the gateway <b>moon</b> as well as the inner interface of the gateway. -For the latter ping <b>lefthostaccess=yes</b> is required. -<p> -By default, the native IPsec stack of the Linux 2.6 kernel transmits -protocols and ports not covered by any IPsec SA in the clear. Thus by -selectively opening the firewalls, <b>carol</b> sets up an SSH session to -<b>alice</b> that is not going through the tunnel. diff --git a/testing/tests/ikev1/protoport-pass/evaltest.dat b/testing/tests/ikev1/protoport-pass/evaltest.dat deleted file mode 100644 index 11c34929f..000000000 --- a/testing/tests/ikev1/protoport-pass/evaltest.dat +++ /dev/null @@ -1,7 +0,0 @@ -carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES -moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES -carol::ssh -o ConnectTimeout=5 PH_IP_ALICE hostname::alice::YES -moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES -moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/ikev1/protoport-pass/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/protoport-pass/hosts/carol/etc/ipsec.conf deleted file mode 100755 index aae781b69..000000000 --- a/testing/tests/ikev1/protoport-pass/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,26 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - -conn home-icmp - left=PH_IP_CAROL - leftid=carol@strongswan.org - leftcert=carolCert.pem - leftprotoport=icmp - leftfirewall=yes - right=PH_IP_MOON - rightsubnet=10.1.0.0/16 - rightprotoport=icmp - rightid=@moon.strongswan.org - auto=add diff --git a/testing/tests/ikev1/protoport-pass/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/protoport-pass/hosts/moon/etc/ipsec.conf deleted file mode 100755 index 7b80a299e..000000000 --- a/testing/tests/ikev1/protoport-pass/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,26 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - -conn rw-icmp - left=PH_IP_MOON - leftsubnet=10.1.0.0/16 - leftprotoport=icmp - leftid=@moon.strongswan.org - leftcert=moonCert.pem - leftfirewall=yes - lefthostaccess=yes - right=%any - rightprotoport=icmp - auto=add diff --git a/testing/tests/ikev1/protoport-pass/posttest.dat b/testing/tests/ikev1/protoport-pass/posttest.dat deleted file mode 100644 index d6f014882..000000000 --- a/testing/tests/ikev1/protoport-pass/posttest.dat +++ /dev/null @@ -1,5 +0,0 @@ -moon::ipsec stop -carol::ipsec stop -carol::ip route del 10.1.0.0/16 via PH_IP_MOON -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev1/protoport-pass/pretest.dat b/testing/tests/ikev1/protoport-pass/pretest.dat deleted file mode 100644 index 37f545062..000000000 --- a/testing/tests/ikev1/protoport-pass/pretest.dat +++ /dev/null @@ -1,11 +0,0 @@ -moon::/etc/init.d/iptables start 2> /dev/null -moon::iptables -I FORWARD -i eth0 -p tcp -d 10.1.0.0/16 --dport ssh -jACCEPT -moon::iptables -I FORWARD -o eth0 -p tcp -s 10.1.0.0/16 --sport ssh -jACCEPT -carol::/etc/init.d/iptables start 2> /dev/null -carol::iptables -I INPUT -i eth0 -p tcp -s 10.1.0.0/16 --sport ssh -d PH_IP_CAROL -jACCEPT -carol::iptables -I OUTPUT -o eth0 -p tcp -d 10.1.0.0/16 --dport ssh -s PH_IP_CAROL -jACCEPT -carol::ip route add 10.1.0.0/16 via PH_IP_MOON -moon::ipsec start -carol::ipsec start -carol::sleep 2 -carol::ipsec up home-icmp diff --git a/testing/tests/ikev1/protoport-pass/test.conf b/testing/tests/ikev1/protoport-pass/test.conf deleted file mode 100644 index 9cd583b16..000000000 --- a/testing/tests/ikev1/protoport-pass/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# UML instances used for this test - -# All UML instances that are required for this test -# -UMLHOSTS="alice moon carol winnetou" - -# Corresponding block diagram -# -DIAGRAM="a-m-c-w.png" - -# UML instances on which tcpdump is to be started -# -TCPDUMPHOSTS="moon" - -# UML instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev1/protoport-route/description.txt b/testing/tests/ikev1/protoport-route/description.txt deleted file mode 100644 index ec7ec69b0..000000000 --- a/testing/tests/ikev1/protoport-route/description.txt +++ /dev/null @@ -1,8 +0,0 @@ -Using the <b>left|rightprotoport</b> selectors, two IPsec tunnels -between the roadwarrior <b>carol</b> and the gateway <b>moon</b> are -defined. The first IPsec SA is restricted to ICMP packets and the second -covers TCP-based SSH connections. Using <b>add=route</b> %trap -eroutes for these IPsec SAs are prepared on <b>carol</b>. By sending -a ping to the client <b>alice</b> behind <b>moon</b>, the ICMP eroute -is triggered and the corresponding IPsec tunnel is set up. In the same -way an ssh session to <b>alice</b> over the second IPsec SA is established. diff --git a/testing/tests/ikev1/protoport-route/evaltest.dat b/testing/tests/ikev1/protoport-route/evaltest.dat deleted file mode 100644 index b266d86d8..000000000 --- a/testing/tests/ikev1/protoport-route/evaltest.dat +++ /dev/null @@ -1,8 +0,0 @@ -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq::YES -carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq::YES -carol::ssh PH_IP_ALICE hostname::alice::YES -carol::cat /var/log/auth.log::initiate on demand::YES -carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES -moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES -moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES -moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/ikev1/protoport-route/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/protoport-route/hosts/carol/etc/ipsec.conf deleted file mode 100755 index 2bb557410..000000000 --- a/testing/tests/ikev1/protoport-route/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,30 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - left=PH_IP_CAROL - leftcert=carolCert.pem - leftid=carol@strongswan.org - leftfirewall=yes - right=PH_IP_MOON - rightsubnet=10.1.0.0/16 - rightid=@moon.strongswan.org - auto=route - -conn home-icmp - leftprotoport=icmp - rightprotoport=icmp - -conn home-ssh - leftprotoport=tcp - rightprotoport=tcp/ssh diff --git a/testing/tests/ikev1/protoport-route/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/protoport-route/hosts/moon/etc/ipsec.conf deleted file mode 100755 index c4bfebda1..000000000 --- a/testing/tests/ikev1/protoport-route/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,30 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftfirewall=yes - leftsubnet=10.1.0.0/16 - right=%any - auto=add - -conn rw-icmp - lefthostaccess=yes - leftprotoport=icmp - rightprotoport=icmp - -conn rw-ssh - leftprotoport=tcp/ssh - rightprotoport=tcp diff --git a/testing/tests/ikev1/protoport-route/posttest.dat b/testing/tests/ikev1/protoport-route/posttest.dat deleted file mode 100644 index 94a400606..000000000 --- a/testing/tests/ikev1/protoport-route/posttest.dat +++ /dev/null @@ -1,4 +0,0 @@ -moon::ipsec stop -carol::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev1/protoport-route/pretest.dat b/testing/tests/ikev1/protoport-route/pretest.dat deleted file mode 100644 index d52aeaeb8..000000000 --- a/testing/tests/ikev1/protoport-route/pretest.dat +++ /dev/null @@ -1,8 +0,0 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null -moon::ipsec start -carol::ipsec start -carol::sleep 3 -carol::ssh -o ConnectTimeout=5 PH_IP_ALICE hostname -carol::ping -c 1 PH_IP_MOON1 > /dev/null -carol::sleep 2 diff --git a/testing/tests/ikev1/protoport-route/test.conf b/testing/tests/ikev1/protoport-route/test.conf deleted file mode 100644 index 9cd583b16..000000000 --- a/testing/tests/ikev1/protoport-route/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# UML instances used for this test - -# All UML instances that are required for this test -# -UMLHOSTS="alice moon carol winnetou" - -# Corresponding block diagram -# -DIAGRAM="a-m-c-w.png" - -# UML instances on which tcpdump is to be started -# -TCPDUMPHOSTS="moon" - -# UML instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev1/req-pkcs10/description.txt b/testing/tests/ikev1/req-pkcs10/description.txt deleted file mode 100644 index a958cb8e8..000000000 --- a/testing/tests/ikev1/req-pkcs10/description.txt +++ /dev/null @@ -1,11 +0,0 @@ -Both the roadwarrior <b>carol</b> and the gateway <b>moon</b> generate a -PKCS#1 RSA private key and a PKCS#10 certificate request using the -<b>ipsec scepclient</b> function. Because the UML testing environment -does not offer enough entropy, the non-blocking /dev/urandom device is -used in place of /dev/random for generating the random primes. -<p> -The certificate requests are copied to <b>winnetou</b> where a certification -authority based on OpenSSL issues X.509 certificates by verifying and -signing the PCKS#10 requests. The certificates are then copied back to -the corresponding hosts and used to set up a road warrior connection -initiated by <b>carol</b> diff --git a/testing/tests/ikev1/req-pkcs10/evaltest.dat b/testing/tests/ikev1/req-pkcs10/evaltest.dat deleted file mode 100644 index c7657801e..000000000 --- a/testing/tests/ikev1/req-pkcs10/evaltest.dat +++ /dev/null @@ -1,5 +0,0 @@ -carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES -moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES -moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/ipsec.conf deleted file mode 100755 index 7c2bb3a98..000000000 --- a/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,28 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - -conn home - left=PH_IP_CAROL - leftcert=myCert.pem - leftid=carol@strongswan.org - leftfirewall=yes - right=PH_IP_MOON - rightsubnet=10.1.0.0/16 - rightid=@moon.strongswan.org - auto=add - - - - diff --git a/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/ipsec.secrets deleted file mode 100644 index 167d743df..000000000 --- a/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: RSA myKey.der diff --git a/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/scepclient.conf b/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/scepclient.conf deleted file mode 100644 index 6afd3fa11..000000000 --- a/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/scepclient.conf +++ /dev/null @@ -1,3 +0,0 @@ ---debug-control ---out pkcs1 ---out pkcs10 diff --git a/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/strongswan.conf deleted file mode 100644 index e589a9425..000000000 --- a/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/strongswan.conf +++ /dev/null @@ -1,15 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink -} - -scepclient { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random -} - -# pluto uses optimized DH exponent sizes (RFC 3526) - -libstrongswan { - dh_exponent_ansi_x9_42 = no -} diff --git a/testing/tests/ikev1/req-pkcs10/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/req-pkcs10/hosts/moon/etc/ipsec.secrets deleted file mode 100644 index b9ec17dbc..000000000 --- a/testing/tests/ikev1/req-pkcs10/hosts/moon/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: RSA moonKey.der diff --git a/testing/tests/ikev1/req-pkcs10/hosts/moon/etc/scepclient.conf b/testing/tests/ikev1/req-pkcs10/hosts/moon/etc/scepclient.conf deleted file mode 100644 index da8177348..000000000 --- a/testing/tests/ikev1/req-pkcs10/hosts/moon/etc/scepclient.conf +++ /dev/null @@ -1,4 +0,0 @@ ---debug-control ---keylength 2064 ---out pkcs1=moonKey.der ---out pkcs10=moonReq.der diff --git a/testing/tests/ikev1/req-pkcs10/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/req-pkcs10/hosts/moon/etc/strongswan.conf deleted file mode 100644 index e589a9425..000000000 --- a/testing/tests/ikev1/req-pkcs10/hosts/moon/etc/strongswan.conf +++ /dev/null @@ -1,15 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink -} - -scepclient { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random -} - -# pluto uses optimized DH exponent sizes (RFC 3526) - -libstrongswan { - dh_exponent_ansi_x9_42 = no -} diff --git a/testing/tests/ikev1/req-pkcs10/hosts/winnetou/etc/openssl/yy.txt b/testing/tests/ikev1/req-pkcs10/hosts/winnetou/etc/openssl/yy.txt deleted file mode 100644 index 9b48ee4cf..000000000 --- a/testing/tests/ikev1/req-pkcs10/hosts/winnetou/etc/openssl/yy.txt +++ /dev/null @@ -1,2 +0,0 @@ -y -y diff --git a/testing/tests/ikev1/req-pkcs10/posttest.dat b/testing/tests/ikev1/req-pkcs10/posttest.dat deleted file mode 100644 index 933b4b6c4..000000000 --- a/testing/tests/ikev1/req-pkcs10/posttest.dat +++ /dev/null @@ -1,11 +0,0 @@ -moon::ipsec stop -carol::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null -carol::rm /etc/ipsec.d/private/* -carol::rm /etc/ipsec.d/certs/* -carol::rm /etc/ipsec.d/reqs/* -moon::rm /etc/ipsec.d/private/* -moon::rm /etc/ipsec.d/reqs/* -winnetou::rm /etc/openssl/carol* -winnetou::rm /etc/openssl/moon* diff --git a/testing/tests/ikev1/req-pkcs10/pretest.dat b/testing/tests/ikev1/req-pkcs10/pretest.dat deleted file mode 100644 index cb4355efa..000000000 --- a/testing/tests/ikev1/req-pkcs10/pretest.dat +++ /dev/null @@ -1,23 +0,0 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null -carol::rm /etc/ipsec.d/private/* -carol::rm /etc/ipsec.d/certs/* -carol::cat /etc/scepclient.conf -carol::ipsec scepclient --dn \"C=CH, O=Linux strongSwan, CN=carol@strongswan.org\" --optionsfrom /etc/scepclient.conf -winnetou::scp carol:/etc/ipsec.d/reqs/myReq.der /etc/openssl/carolReq.der -winnetou::openssl req -inform der -in /etc/openssl/carolReq.der -out /etc/openssl/carolReq.pem -winnetou::cd /etc/openssl; COMMON_NAME="carol@strongswan.org" openssl ca -in carolReq.pem -out carolCert.pem -notext -config openssl.cnf -extensions user_ext < yy.txt -winnetou::scp /etc/openssl/carolCert.pem carol:/etc/ipsec.d/certs/myCert.pem -moon::rm /etc/ipsec.d/private/* -moon::rm /etc/ipsec.d/certs/* -moon::cat /etc/scepclient.conf -moon::ipsec scepclient --dn \"C=CH, O=Linux strongSwan, SN=01, CN=moon.strongswan.org\" --optionsfrom /etc/scepclient.conf -winnetou::scp moon:/etc/ipsec.d/reqs/moonReq.der /etc/openssl/ -winnetou::openssl req -inform der -in /etc/openssl/moonReq.der -out /etc/openssl/moonReq.pem -winnetou::cd /etc/openssl; COMMON_NAME="moon.strongswan.org" openssl ca -in moonReq.pem -out moonCert.pem -notext -config openssl.cnf -extensions host_ext < yy.txt -winnetou::scp /etc/openssl/moonCert.pem moon:/etc/ipsec.d/certs/ -carol::sleep 2 -carol::ipsec start -moon::ipsec start -carol::sleep 2 -carol::ipsec up home diff --git a/testing/tests/ikev1/req-pkcs10/test.conf b/testing/tests/ikev1/req-pkcs10/test.conf deleted file mode 100644 index 9cd583b16..000000000 --- a/testing/tests/ikev1/req-pkcs10/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# UML instances used for this test - -# All UML instances that are required for this test -# -UMLHOSTS="alice moon carol winnetou" - -# Corresponding block diagram -# -DIAGRAM="a-m-c-w.png" - -# UML instances on which tcpdump is to be started -# -TCPDUMPHOSTS="moon" - -# UML instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev1/rw-cert-aggressive/description.txt b/testing/tests/ikev1/rw-cert-aggressive/description.txt new file mode 100644 index 000000000..1c4535c23 --- /dev/null +++ b/testing/tests/ikev1/rw-cert-aggressive/description.txt @@ -0,0 +1,7 @@ +The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each +to gateway <b>moon</b> using <b>IKEv1 Aggressive Mode</b>. The authentication is +based on <b>X.509 certificates</b>. Upon the successful establishment of the IPsec +tunnels, <b>leftfirewall=yes</b> automatically inserts iptables-based firewall +rules that let pass the tunneled traffic. In order to test both tunnel and +firewall, both <b>carol</b> and <b>dave</b> ping the client <b>alice</b> behind +the gateway <b>moon</b>. diff --git a/testing/tests/ikev1/rw-cert-aggressive/evaltest.dat b/testing/tests/ikev1/rw-cert-aggressive/evaltest.dat new file mode 100644 index 000000000..ba661975b --- /dev/null +++ b/testing/tests/ikev1/rw-cert-aggressive/evaltest.dat @@ -0,0 +1,15 @@ +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES + diff --git a/testing/tests/ikev1/rw-cert-aggressive/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/rw-cert-aggressive/hosts/carol/etc/ipsec.conf new file mode 100644 index 000000000..77ed2c0c9 --- /dev/null +++ b/testing/tests/ikev1/rw-cert-aggressive/hosts/carol/etc/ipsec.conf @@ -0,0 +1,22 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + charondebug="job 2" + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + aggressive=yes + +conn home + left=PH_IP_CAROL + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/ikev1/rw-cert-aggressive/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-cert-aggressive/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..c032d8291 --- /dev/null +++ b/testing/tests/ikev1/rw-cert-aggressive/hosts/carol/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown +} + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/starter-includes/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/rw-cert-aggressive/hosts/dave/etc/ipsec.conf index 726998e19..82a8f38c5 100755..100644 --- a/testing/tests/ikev1/starter-includes/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev1/rw-cert-aggressive/hosts/dave/etc/ipsec.conf @@ -1,10 +1,7 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no + charondebug="job 2" conn %default ikelifetime=60m @@ -12,18 +9,14 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev1 + aggressive=yes conn home left=PH_IP_DAVE - leftsourceip=%modeconfig leftcert=daveCert.pem leftid=dave@strongswan.org leftfirewall=yes right=PH_IP_MOON - rightsubnet=10.1.0.0/16 rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 auto=add - - - - diff --git a/testing/tests/ikev1/rw-cert-aggressive/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/rw-cert-aggressive/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..c032d8291 --- /dev/null +++ b/testing/tests/ikev1/rw-cert-aggressive/hosts/dave/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown +} + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/rw-psk-no-policy/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/rw-cert-aggressive/hosts/moon/etc/ipsec.conf index f0dbeb323..49d0909a5 100755..100644 --- a/testing/tests/ikev1/rw-psk-no-policy/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/rw-cert-aggressive/hosts/moon/etc/ipsec.conf @@ -1,8 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug=control - charonstart=no conn %default ikelifetime=60m @@ -10,6 +8,7 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev1 + aggressive=yes conn rw left=PH_IP_MOON diff --git a/testing/tests/ikev1/rw-cert-aggressive/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-cert-aggressive/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..c032d8291 --- /dev/null +++ b/testing/tests/ikev1/rw-cert-aggressive/hosts/moon/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown +} + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/rw-cert-aggressive/posttest.dat b/testing/tests/ikev1/rw-cert-aggressive/posttest.dat new file mode 100644 index 000000000..1865a1c60 --- /dev/null +++ b/testing/tests/ikev1/rw-cert-aggressive/posttest.dat @@ -0,0 +1,6 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev1/rw-cert-aggressive/pretest.dat b/testing/tests/ikev1/rw-cert-aggressive/pretest.dat new file mode 100644 index 000000000..8bbea1412 --- /dev/null +++ b/testing/tests/ikev1/rw-cert-aggressive/pretest.dat @@ -0,0 +1,9 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules +moon::ipsec start +carol::ipsec start +dave::ipsec start +carol::sleep 1 +carol::ipsec up home +dave::ipsec up home diff --git a/testing/tests/ikev1/rw-cert-aggressive/test.conf b/testing/tests/ikev1/rw-cert-aggressive/test.conf new file mode 100644 index 000000000..f29298850 --- /dev/null +++ b/testing/tests/ikev1/rw-cert-aggressive/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev1/rw-cert-unity/description.txt b/testing/tests/ikev1/rw-cert-unity/description.txt new file mode 100644 index 000000000..5e887c7f4 --- /dev/null +++ b/testing/tests/ikev1/rw-cert-unity/description.txt @@ -0,0 +1,6 @@ +The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>. +The authentication is based on <b>X.509 certificates</b>. <b>carol</b> +requests a virtual IP using <b>leftsourceip=%config</b> and indicates +support for the Cisco Unity extension. Gateway <b>moon</b> responds with +two Split-Include subnets configured in the <b>leftsubnet</b> definition and a +global Local-LAN exclude option defined in strongswan.conf. diff --git a/testing/tests/ikev1/rw-cert-unity/evaltest.dat b/testing/tests/ikev1/rw-cert-unity/evaltest.dat new file mode 100644 index 000000000..c183f48e9 --- /dev/null +++ b/testing/tests/ikev1/rw-cert-unity/evaltest.dat @@ -0,0 +1,8 @@ +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +carol::ipsec status 2> /dev/null::10.2.1.1/32 === 192.168.0.0/24 PASS::YES +carol::ipsec status 2> /dev/null::home.*10.2.1.1/32 === 10.1.0.0/16 10.2.1.0/24::YES +moon:: ipsec status 2> /dev/null::rw[{]1}.*10.1.0.0/16 10.2.1.0/24 === 10.2.1.1/32::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/ikev1/ip-two-pools/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/rw-cert-unity/hosts/carol/etc/ipsec.conf index 99a8c60ff..bad62811b 100755..100644 --- a/testing/tests/ikev1/ip-two-pools/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/rw-cert-unity/hosts/carol/etc/ipsec.conf @@ -1,10 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - plutodebug=control conn %default ikelifetime=60m @@ -15,10 +11,10 @@ conn %default conn home left=PH_IP_CAROL - leftsourceip=%config leftcert=carolCert.pem leftid=carol@strongswan.org - leftfirewall=yes + leftsourceip=%config right=PH_IP_MOON rightid=@moon.strongswan.org + rightsubnet=0.0.0.0/0 auto=add diff --git a/testing/tests/ikev1/rw-cert-unity/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-cert-unity/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..14e061408 --- /dev/null +++ b/testing/tests/ikev1/rw-cert-unity/hosts/carol/etc/strongswan.conf @@ -0,0 +1,10 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default unity + cisco_unity = yes +} + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/rw-cert-unity/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/rw-cert-unity/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..ee8ee9093 --- /dev/null +++ b/testing/tests/ikev1/rw-cert-unity/hosts/moon/etc/ipsec.conf @@ -0,0 +1,19 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16,10.2.1.0/24 + right=%any + rightsourceip=10.2.1.0/24 + auto=add diff --git a/testing/tests/ikev1/rw-cert-unity/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-cert-unity/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..cbc51d38c --- /dev/null +++ b/testing/tests/ikev1/rw-cert-unity/hosts/moon/etc/strongswan.conf @@ -0,0 +1,15 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default attr unity + cisco_unity = yes + plugins { + attr { + split-exclude = 192.168.0.0/24 + } + } +} + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/crl-strict/posttest.dat b/testing/tests/ikev1/rw-cert-unity/posttest.dat index c6d6235f9..c6d6235f9 100644 --- a/testing/tests/ikev1/crl-strict/posttest.dat +++ b/testing/tests/ikev1/rw-cert-unity/posttest.dat diff --git a/testing/tests/ikev1/xauth-rsa-nosecret/pretest.dat b/testing/tests/ikev1/rw-cert-unity/pretest.dat index 89e487ad3..4fbe475bf 100644 --- a/testing/tests/ikev1/xauth-rsa-nosecret/pretest.dat +++ b/testing/tests/ikev1/rw-cert-unity/pretest.dat @@ -1,5 +1,4 @@ -carol::ipsec start moon::ipsec start -carol::sleep 2 -carol::ipsec up home +carol::ipsec start carol::sleep 1 +carol::ipsec up home diff --git a/testing/tests/ikev1/rw-cert-unity/test.conf b/testing/tests/ikev1/rw-cert-unity/test.conf new file mode 100644 index 000000000..09e6f6cdb --- /dev/null +++ b/testing/tests/ikev1/rw-cert-unity/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="a-m-c.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev1/rw-cert/description.txt b/testing/tests/ikev1/rw-cert/description.txt index 8df6b1c0d..15b3822b5 100644 --- a/testing/tests/ikev1/rw-cert/description.txt +++ b/testing/tests/ikev1/rw-cert/description.txt @@ -1,6 +1,6 @@ -The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>. -The authentication is based on <b>X.509 certificates</b>. Upon the successful -establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically -inserts iptables-based firewall rules that let pass the tunneled traffic. -In order to test both tunnel and firewall, <b>carol</b> pings the client -<b>alice</b> behind the gateway <b>moon</b>. +The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each +to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>. +Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b> +automatically inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping +the client <b>alice</b> behind the gateway <b>moon</b>. diff --git a/testing/tests/ikev1/rw-cert/evaltest.dat b/testing/tests/ikev1/rw-cert/evaltest.dat index c7657801e..ba661975b 100644 --- a/testing/tests/ikev1/rw-cert/evaltest.dat +++ b/testing/tests/ikev1/rw-cert/evaltest.dat @@ -1,5 +1,15 @@ -carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES -moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES + diff --git a/testing/tests/ikev1/rw-cert/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/rw-cert/hosts/carol/etc/ipsec.conf new file mode 100644 index 000000000..58914391c --- /dev/null +++ b/testing/tests/ikev1/rw-cert/hosts/carol/etc/ipsec.conf @@ -0,0 +1,20 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + +conn home + left=PH_IP_CAROL + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/ikev1/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-cert/hosts/carol/etc/strongswan.conf index 7403971e9..8822cae64 100644 --- a/testing/tests/ikev1/rw-cert/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev1/rw-cert/hosts/carol/etc/strongswan.conf @@ -1,11 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -pluto { - load = test-vectors sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink +charon { + load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown } -# pluto uses optimized DH exponent sizes (RFC 3526) - libstrongswan { dh_exponent_ansi_x9_42 = no integrity_test = yes diff --git a/testing/tests/ikev1/strong-certs/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/rw-cert/hosts/dave/etc/ipsec.conf index e10e9d45c..150c63bc7 100755..100644 --- a/testing/tests/ikev1/strong-certs/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev1/rw-cert/hosts/dave/etc/ipsec.conf @@ -1,10 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug=control - strictcrlpolicy=no - crlcheckinterval=180 - charonstart=no conn %default ikelifetime=60m @@ -15,7 +11,7 @@ conn %default conn home left=PH_IP_DAVE - leftcert=daveCert-sha512.pem + leftcert=daveCert.pem leftid=dave@strongswan.org leftfirewall=yes right=PH_IP_MOON diff --git a/testing/tests/ikev1/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/rw-cert/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..8822cae64 --- /dev/null +++ b/testing/tests/ikev1/rw-cert/hosts/dave/etc/strongswan.conf @@ -0,0 +1,13 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown +} + +libstrongswan { + dh_exponent_ansi_x9_42 = no + integrity_test = yes + crypto_test { + on_add = yes + } +} diff --git a/testing/tests/ikev1/after-2038-certs/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/rw-cert/hosts/moon/etc/ipsec.conf index 991ae4368..5cf82c6b8 100755..100644 --- a/testing/tests/ikev1/after-2038-certs/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/rw-cert/hosts/moon/etc/ipsec.conf @@ -1,10 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev1/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-cert/hosts/moon/etc/strongswan.conf index 7403971e9..8822cae64 100644 --- a/testing/tests/ikev1/rw-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev1/rw-cert/hosts/moon/etc/strongswan.conf @@ -1,11 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -pluto { - load = test-vectors sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink +charon { + load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown } -# pluto uses optimized DH exponent sizes (RFC 3526) - libstrongswan { dh_exponent_ansi_x9_42 = no integrity_test = yes diff --git a/testing/tests/ikev1/rw-cert/posttest.dat b/testing/tests/ikev1/rw-cert/posttest.dat index 94a400606..1865a1c60 100644 --- a/testing/tests/ikev1/rw-cert/posttest.dat +++ b/testing/tests/ikev1/rw-cert/posttest.dat @@ -1,4 +1,6 @@ moon::ipsec stop carol::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null +dave::ipsec stop +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev1/rw-cert/pretest.dat b/testing/tests/ikev1/rw-cert/pretest.dat index 4fe0ee90b..8bbea1412 100644 --- a/testing/tests/ikev1/rw-cert/pretest.dat +++ b/testing/tests/ikev1/rw-cert/pretest.dat @@ -1,6 +1,9 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null -carol::ipsec start +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules moon::ipsec start -carol::sleep 2 +carol::ipsec start +dave::ipsec start +carol::sleep 1 carol::ipsec up home +dave::ipsec up home diff --git a/testing/tests/ikev1/rw-cert/test.conf b/testing/tests/ikev1/rw-cert/test.conf index 9cd583b16..f29298850 100644 --- a/testing/tests/ikev1/rw-cert/test.conf +++ b/testing/tests/ikev1/rw-cert/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon carol winnetou" +VIRTHOSTS="alice moon carol winnetou dave" # Corresponding block diagram # -DIAGRAM="a-m-c-w.png" +DIAGRAM="a-m-c-w-d.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # -IPSECHOSTS="moon carol" +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev1/rw-initiator-only/description.txt b/testing/tests/ikev1/rw-initiator-only/description.txt new file mode 100644 index 000000000..478004162 --- /dev/null +++ b/testing/tests/ikev1/rw-initiator-only/description.txt @@ -0,0 +1,10 @@ +The roadwarrior <b>dave</b> tries to set up a connection to roadwarrior <b>carol</b> +but because <b>carol</b> has set the strongswan.conf option <b>initiator_only = yes</b> +she ignores the repeated IKE requests sent by <b>dave</b>. +<p/> +After the failed connection attempt by <b>dave</b>, roadwarrior <b>carol</b> sets up a +connection to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>. +Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b> +automatically inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, <b>carol</b> pings the client <b>alice</b> behind +the gateway <b>moon</b>. diff --git a/testing/tests/ikev1/rw-initiator-only/evaltest.dat b/testing/tests/ikev1/rw-initiator-only/evaltest.dat new file mode 100644 index 000000000..80fd7c5be --- /dev/null +++ b/testing/tests/ikev1/rw-initiator-only/evaltest.dat @@ -0,0 +1,8 @@ +dave::cat /var/log/daemon.log::establishing IKE_SA failed, peer not responding::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/ikev1/rw-initiator-only/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/rw-initiator-only/hosts/carol/etc/ipsec.conf new file mode 100644 index 000000000..58914391c --- /dev/null +++ b/testing/tests/ikev1/rw-initiator-only/hosts/carol/etc/ipsec.conf @@ -0,0 +1,20 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + +conn home + left=PH_IP_CAROL + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/ikev1/rw-initiator-only/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-initiator-only/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..dc900c4f2 --- /dev/null +++ b/testing/tests/ikev1/rw-initiator-only/hosts/carol/etc/strongswan.conf @@ -0,0 +1,7 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown + + initiator_only = yes +} diff --git a/testing/tests/ikev1/rw-initiator-only/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/rw-initiator-only/hosts/dave/etc/ipsec.conf new file mode 100644 index 000000000..b262ecbea --- /dev/null +++ b/testing/tests/ikev1/rw-initiator-only/hosts/dave/etc/ipsec.conf @@ -0,0 +1,19 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + +conn peer + left=PH_IP_DAVE + leftcert=daveCert.pem + leftid=dave@strongswan.org + leftfirewall=yes + right=PH_IP_CAROL + rightid=carol@strongswan.org + auto=add diff --git a/testing/tests/ikev1/rw-initiator-only/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/rw-initiator-only/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..9251921ff --- /dev/null +++ b/testing/tests/ikev1/rw-initiator-only/hosts/dave/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown + + retransmit_timeout = 2 + retransmit_base = 1.5 + retransmit_tries = 3 +} diff --git a/testing/tests/ikev1/rw-initiator-only/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/rw-initiator-only/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..4c5df8825 --- /dev/null +++ b/testing/tests/ikev1/rw-initiator-only/hosts/moon/etc/ipsec.conf @@ -0,0 +1,18 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekey=no + keyexchange=ikev1 + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + leftfirewall=yes + right=%any + auto=add diff --git a/testing/tests/ikev1/rw-initiator-only/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-initiator-only/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..7f31b170b --- /dev/null +++ b/testing/tests/ikev1/rw-initiator-only/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ikev1/rw-initiator-only/posttest.dat b/testing/tests/ikev1/rw-initiator-only/posttest.dat new file mode 100644 index 000000000..1865a1c60 --- /dev/null +++ b/testing/tests/ikev1/rw-initiator-only/posttest.dat @@ -0,0 +1,6 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev1/rw-initiator-only/pretest.dat b/testing/tests/ikev1/rw-initiator-only/pretest.dat new file mode 100644 index 000000000..fc7173430 --- /dev/null +++ b/testing/tests/ikev1/rw-initiator-only/pretest.dat @@ -0,0 +1,9 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules +moon::ipsec start +carol::ipsec start +dave::ipsec start +carol::sleep 1 +dave::ipsec up peer +carol::ipsec up home diff --git a/testing/tests/ikev1/rw-initiator-only/test.conf b/testing/tests/ikev1/rw-initiator-only/test.conf new file mode 100644 index 000000000..f29298850 --- /dev/null +++ b/testing/tests/ikev1/rw-initiator-only/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev1/rw-mark-in-out/description.txt b/testing/tests/ikev1/rw-mark-in-out/description.txt deleted file mode 100644 index 4c35081b1..000000000 --- a/testing/tests/ikev1/rw-mark-in-out/description.txt +++ /dev/null @@ -1,16 +0,0 @@ -The roadwarriors <b>alice</b> and <b>venus</b> sitting behind the router <b>moon</b> set up -tunnels to gateway <b>sun</b>. Since both roadwarriors possess the same 10.1.0.0/25 subnet, -gateway <b>sun</b> uses Source NAT after ESP decryption to map these subnets to 10.3.0.10 -and 10.3.0.20, respectively. -<p/> -In order to differentiate between the tunnels to <b>alice</b> and <b>venus</b>, respectively, -<b>XFRM marks</b> are defined for both the inbound and outbound IPsec SAs and policies using -the <b>mark_in</b> and <b>mark_out</b> parameters in ipsec.conf. -<p/> -<b>iptables -t mangle</b> rules are then used in the PREROUTING chain to mark the traffic to -and from <b>alice</b> and <b>venus</b>, respectively. -<p/> -The script designated by <b>leftupdown=/etc/mark_updown</b> automatically inserts -iptables mangle rules that mark the inbound ESP packets as well as iptables IPsec-policy rules -that let pass the tunneled traffic. In order to test the tunnel, the hosts <b>alice</b> -and <b>venus</b> ping the client <b>bob</b> behind the gateway <b>sun</b>. diff --git a/testing/tests/ikev1/rw-mark-in-out/evaltest.dat b/testing/tests/ikev1/rw-mark-in-out/evaltest.dat deleted file mode 100644 index 168b3dfb9..000000000 --- a/testing/tests/ikev1/rw-mark-in-out/evaltest.dat +++ /dev/null @@ -1,18 +0,0 @@ -alice::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES -venus::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES -sun::ipsec status::alice.*STATE_QUICK_R2.*IPsec SA established::YES -sun::ipsec status::alice.*alice@strongswan.org::YES -sun::ipsec status::venus.*STATE_QUICK_R2.*IPsec SA established::YES -sun::ipsec status::venus.*venus.strongswan.org::YES -sun::ipsec statusall::alice.*10.2.0.0/16===.*===10.1.0.0/25::YES -sun::ipsec statusall::venus.*10.2.0.0/16===.*===10.1.0.0/25::YES -alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES -venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES -moon::tcpdump::IP alice.strongswan.org > sun.strongswan.org: ESP::YES -moon::tcpdump::IP venus.strongswan.org > sun.strongswan.org: ESP::YES -moon::tcpdump::IP sun.strongswan.org > alice.strongswan.org: ESP::YES -moon::tcpdump::IP sun.strongswan.org > venus.strongswan.org: ESP::YES -bob::tcpdump::10.3.0.10 > bob.strongswan.org: ICMP echo request::YES -bob::tcpdump::10.3.0.20 > bob.strongswan.org: ICMP echo request::YES -bob::tcpdump::bob.strongswan.org > 10.3.0.10: ICMP echo reply::YES -bob::tcpdump::bob.strongswan.org > 10.3.0.20: ICMP echo reply::YES diff --git a/testing/tests/ikev1/rw-mark-in-out/hosts/alice/etc/init.d/iptables b/testing/tests/ikev1/rw-mark-in-out/hosts/alice/etc/init.d/iptables deleted file mode 100755 index 5594bbf52..000000000 --- a/testing/tests/ikev1/rw-mark-in-out/hosts/alice/etc/init.d/iptables +++ /dev/null @@ -1,77 +0,0 @@ -#!/sbin/runscript -# Copyright 1999-2004 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 - -opts="start stop reload" - -depend() { - before net - need logger -} - -start() { - ebegin "Starting firewall" - - # default policy is DROP - /sbin/iptables -P INPUT DROP - /sbin/iptables -P OUTPUT DROP - /sbin/iptables -P FORWARD DROP - - # allow ESP - iptables -A INPUT -i eth0 -p 50 -j ACCEPT - iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT - - # allow IKE - iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT - - # allow MOBIKE - iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT - - # allow crl fetch from winnetou - iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT - iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT - - # allow ssh - iptables -A INPUT -p tcp --dport 22 -j ACCEPT - iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT - - eend $? -} - -stop() { - ebegin "Stopping firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - - if [ $a == nat ]; then - /sbin/iptables -t nat -P PREROUTING ACCEPT - /sbin/iptables -t nat -P POSTROUTING ACCEPT - /sbin/iptables -t nat -P OUTPUT ACCEPT - elif [ $a == mangle ]; then - /sbin/iptables -t mangle -P PREROUTING ACCEPT - /sbin/iptables -t mangle -P INPUT ACCEPT - /sbin/iptables -t mangle -P FORWARD ACCEPT - /sbin/iptables -t mangle -P OUTPUT ACCEPT - /sbin/iptables -t mangle -P POSTROUTING ACCEPT - elif [ $a == filter ]; then - /sbin/iptables -t filter -P INPUT ACCEPT - /sbin/iptables -t filter -P FORWARD ACCEPT - /sbin/iptables -t filter -P OUTPUT ACCEPT - fi - done - eend $? -} - -reload() { - ebegin "Flushing firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - done; - eend $? - start -} - diff --git a/testing/tests/ikev1/rw-mark-in-out/hosts/alice/etc/ipsec.conf b/testing/tests/ikev1/rw-mark-in-out/hosts/alice/etc/ipsec.conf deleted file mode 100755 index 4256006c0..000000000 --- a/testing/tests/ikev1/rw-mark-in-out/hosts/alice/etc/ipsec.conf +++ /dev/null @@ -1,26 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - -conn home - left=%defaultroute - leftsubnet=10.1.0.0/25 - leftcert=aliceCert.pem - leftid=alice@strongswan.org - leftfirewall=yes - lefthostaccess=yes - right=PH_IP_SUN - rightid=@sun.strongswan.org - rightsubnet=10.2.0.0/16 - auto=add diff --git a/testing/tests/ikev1/rw-mark-in-out/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/rw-mark-in-out/hosts/sun/etc/ipsec.conf deleted file mode 100755 index 83fe9eed2..000000000 --- a/testing/tests/ikev1/rw-mark-in-out/hosts/sun/etc/ipsec.conf +++ /dev/null @@ -1,37 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug="control" - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - -conn alice - rightid=alice@strongswan.org - mark_in=10/0xffffffff - mark_out=11/0xffffffff - also=sun - auto=add - -conn venus - rightid=@venus.strongswan.org - mark_in=20 #0xffffffff is used by default - mark_out=21 #0xffffffff is used by default - also=sun - auto=add - -conn sun - left=PH_IP_SUN - leftcert=sunCert.pem - leftid=@sun.strongswan.org - leftsubnet=10.2.0.0/16 - leftupdown=/etc/mark_updown - right=%any - rightsubnet=10.1.0.0/25 diff --git a/testing/tests/ikev1/rw-mark-in-out/hosts/sun/etc/mark_updown b/testing/tests/ikev1/rw-mark-in-out/hosts/sun/etc/mark_updown deleted file mode 100755 index 0d22e684d..000000000 --- a/testing/tests/ikev1/rw-mark-in-out/hosts/sun/etc/mark_updown +++ /dev/null @@ -1,527 +0,0 @@ -#! /bin/sh -# updown script setting inbound marks on ESP traffic in the mangle chain -# -# Copyright (C) 2003-2004 Nigel Meteringham -# Copyright (C) 2003-2004 Tuomo Soini -# Copyright (C) 2002-2004 Michael Richardson -# Copyright (C) 2005-2010 Andreas Steffen <andreas.steffen@strongswan.org> -# -# This program is free software; you can redistribute it and/or modify it -# under the terms of the GNU General Public License as published by the -# Free Software Foundation; either version 2 of the License, or (at your -# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY -# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -# for more details. - -# CAUTION: Installing a new version of strongSwan will install a new -# copy of this script, wiping out any custom changes you make. If -# you need changes, make a copy of this under another name, and customize -# that, and use the (left/right)updown parameters in ipsec.conf to make -# strongSwan use yours instead of this default one. - -# things that this script gets (from ipsec_pluto(8) man page) -# -# PLUTO_VERSION -# indicates what version of this interface is being -# used. This document describes version 1.1. This -# is upwardly compatible with version 1.0. -# -# PLUTO_VERB -# specifies the name of the operation to be performed -# (prepare-host, prepare-client, up-host, up-client, -# down-host, or down-client). If the address family -# for security gateway to security gateway communica- -# tions is IPv6, then a suffix of -v6 is added to the -# verb. -# -# PLUTO_CONNECTION -# is the name of the connection for which we are -# routing. -# -# PLUTO_NEXT_HOP -# is the next hop to which packets bound for the peer -# must be sent. -# -# PLUTO_INTERFACE -# is the name of the ipsec interface to be used. -# -# PLUTO_REQID -# is the requid of the ESP policy -# -# PLUTO_ME -# is the IP address of our host. -# -# PLUTO_MY_ID -# is the ID of our host. -# -# PLUTO_MY_CLIENT -# is the IP address / count of our client subnet. If -# the client is just the host, this will be the -# host's own IP address / max (where max is 32 for -# IPv4 and 128 for IPv6). -# -# PLUTO_MY_CLIENT_NET -# is the IP address of our client net. If the client -# is just the host, this will be the host's own IP -# address. -# -# PLUTO_MY_CLIENT_MASK -# is the mask for our client net. If the client is -# just the host, this will be 255.255.255.255. -# -# PLUTO_MY_SOURCEIP -# if non-empty, then the source address for the route will be -# set to this IP address. -# -# PLUTO_MY_PROTOCOL -# is the IP protocol that will be transported. -# -# PLUTO_MY_PORT -# is the UDP/TCP port to which the IPsec SA is -# restricted on our side. -# -# PLUTO_PEER -# is the IP address of our peer. -# -# PLUTO_PEER_ID -# is the ID of our peer. -# -# PLUTO_PEER_CA -# is the CA which issued the cert of our peer. -# -# PLUTO_PEER_CLIENT -# is the IP address / count of the peer's client sub- -# net. If the client is just the peer, this will be -# the peer's own IP address / max (where max is 32 -# for IPv4 and 128 for IPv6). -# -# PLUTO_PEER_CLIENT_NET -# is the IP address of the peer's client net. If the -# client is just the peer, this will be the peer's -# own IP address. -# -# PLUTO_PEER_CLIENT_MASK -# is the mask for the peer's client net. If the -# client is just the peer, this will be -# 255.255.255.255. -# -# PLUTO_PEER_PROTOCOL -# is the IP protocol that will be transported. -# -# PLUTO_PEER_PORT -# is the UDP/TCP port to which the IPsec SA is -# restricted on the peer side. -# -# PLUTO_XAUTH_ID -# is an optional user ID employed by the XAUTH protocol -# -# PLUTO_MARK_IN -# is an optional XFRM mark set on the inbound IPsec SA -# -# PLUTO_MARK_OUT -# is an optional XFRM mark set on the outbound IPsec SA -# -# PLUTO_UDP_ENC -# contains the remote UDP port in the case of ESP_IN_UDP -# encapsulation -# - -# define a minimum PATH environment in case it is not set -PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin" -export PATH - -# uncomment to log VPN connections -VPN_LOGGING=1 -# -# tag put in front of each log entry: -TAG=vpn -# -# syslog facility and priority used: -FAC_PRIO=local0.notice -# -# to create a special vpn logging file, put the following line into -# the syslog configuration file /etc/syslog.conf: -# -# local0.notice -/var/log/vpn - -# in order to use source IP routing the Linux kernel options -# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES -# must be enabled -# -# special routing table for sourceip routes -SOURCEIP_ROUTING_TABLE=220 -# -# priority of the sourceip routing table -SOURCEIP_ROUTING_TABLE_PRIO=220 - -# check interface version -case "$PLUTO_VERSION" in -1.[0|1]) # Older Pluto?!? Play it safe, script may be using new features. - echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2 - echo "$0: called by obsolete Pluto?" >&2 - exit 2 - ;; -1.*) ;; -*) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2 - exit 2 - ;; -esac - -# check parameter(s) -case "$1:$*" in -':') # no parameters - ;; -iptables:iptables) # due to (left/right)firewall; for default script only - ;; -custom:*) # custom parameters (see above CAUTION comment) - ;; -*) echo "$0: unknown parameters \`$*'" >&2 - exit 2 - ;; -esac - -# utility functions for route manipulation -# Meddling with this stuff should not be necessary and requires great care. -uproute() { - doroute add - ip route flush cache -} -downroute() { - doroute delete - ip route flush cache -} - -addsource() { - st=0 - if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local - then - it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE" - oops="`eval $it 2>&1`" - st=$? - if test " $oops" = " " -a " $st" != " 0" - then - oops="silent error, exit status $st" - fi - if test " $oops" != " " -o " $st" != " 0" - then - echo "$0: addsource \`$it' failed ($oops)" >&2 - fi - fi - return $st -} - -doroute() { - st=0 - - if [ -z "$PLUTO_MY_SOURCEIP" ] - then - for dir in /etc/sysconfig /etc/conf.d; do - if [ -f "$dir/defaultsource" ] - then - . "$dir/defaultsource" - fi - done - - if [ -n "$DEFAULTSOURCE" ] - then - PLUTO_MY_SOURCEIP=$DEFAULTSOURCE - fi - fi - - if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ] - then - # leave because no route entry is required - return $st - fi - - parms1="$PLUTO_PEER_CLIENT" - - if [ -n "$PLUTO_NEXT_HOP" ] - then - parms2="via $PLUTO_NEXT_HOP" - else - parms2="via $PLUTO_PEER" - fi - parms2="$parms2 dev $PLUTO_INTERFACE" - - parms3= - if [ -n "$PLUTO_MY_SOURCEIP" ] - then - if test "$1" = "add" - then - addsource - if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE" - then - ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE - fi - fi - parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE" - fi - - case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in - "0.0.0.0/0.0.0.0") - # opportunistic encryption work around - # need to provide route that eclipses default, without - # replacing it. - it="ip route $1 0.0.0.0/1 $parms2 $parms3 && - ip route $1 128.0.0.0/1 $parms2 $parms3" - ;; - *) it="ip route $1 $parms1 $parms2 $parms3" - ;; - esac - oops="`eval $it 2>&1`" - st=$? - if test " $oops" = " " -a " $st" != " 0" - then - oops="silent error, exit status $st" - fi - if test " $oops" != " " -o " $st" != " 0" - then - echo "$0: doroute \`$it' failed ($oops)" >&2 - fi - return $st -} - -# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY -if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ] -then - KLIPS=1 - IPSEC_POLICY_IN="" - IPSEC_POLICY_OUT="" -else - KLIPS= - IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID" - IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" - IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" -fi - -# is there an inbound mark to be set? -if [ -n "$PLUTO_MARK_IN" ] -then - if [ -n "$PLUTO_UDP_ENC" ] - then - SET_MARK="-p udp --sport $PLUTO_UDP_ENC" - else - SET_MARK="-p esp" - fi - SET_MARK="$SET_MARK -s $PLUTO_PEER -j MARK --set-mark $PLUTO_MARK_IN" -fi - -# are there port numbers? -if [ "$PLUTO_MY_PORT" != 0 ] -then - S_MY_PORT="--sport $PLUTO_MY_PORT" - D_MY_PORT="--dport $PLUTO_MY_PORT" -fi -if [ "$PLUTO_PEER_PORT" != 0 ] -then - S_PEER_PORT="--sport $PLUTO_PEER_PORT" - D_PEER_PORT="--dport $PLUTO_PEER_PORT" -fi - -# resolve octal escape sequences -PLUTO_MY_ID=`printf "$PLUTO_MY_ID"` -PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"` - -# the big choice -case "$PLUTO_VERB:$1" in -prepare-host:*|prepare-client:*) - if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ] - then - # exit because no route will be added, - # so that existing routes can stay - exit 0 - fi - - # delete possibly-existing route (preliminary to adding a route) - case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in - "0.0.0.0/0.0.0.0") - # need to provide route that eclipses default, without - # replacing it. - parms1="0.0.0.0/1" - parms2="128.0.0.0/1" - it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1" - oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`" - ;; - *) - parms="$PLUTO_PEER_CLIENT" - it="ip route delete $parms 2>&1" - oops="`ip route delete $parms 2>&1`" - ;; - esac - status="$?" - if test " $oops" = " " -a " $status" != " 0" - then - oops="silent error, exit status $status" - fi - case "$oops" in - *'RTNETLINK answers: No such process'*) - # This is what route (currently -- not documented!) gives - # for "could not find such a route". - oops= - status=0 - ;; - esac - if test " $oops" != " " -o " $status" != " 0" - then - echo "$0: \`$it' failed ($oops)" >&2 - fi - exit $status - ;; -route-host:*|route-client:*) - # connection to me or my client subnet being routed - uproute - ;; -unroute-host:*|unroute-client:*) - # connection to me or my client subnet being unrouted - downroute - ;; -up-host:) - # connection to me coming up - # If you are doing a custom version, firewall commands go here. - if [ -n "$PLUTO_MARK_IN" ] - then - iptables -t mangle -A PREROUTING $SET_MARK - fi - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - # - # log IPsec host connection setup - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] - then - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" - else - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" - fi - fi - ;; -down-host:) - # connection to me going down - # If you are doing a custom version, firewall commands go here. - if [ -n "$PLUTO_MARK_IN" ] - then - iptables -t mangle -D PREROUTING $SET_MARK - fi - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT - # - # log IPsec host connection teardown - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] - then - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" - else - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" - fi - fi - ;; -up-client:) - # connection to my client subnet coming up - # If you are doing a custom version, firewall commands go here. - if [ -n "$PLUTO_MARK_IN" ] - then - iptables -t mangle -A PREROUTING $SET_MARK - fi - if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] - then - iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT - iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - fi - # - # a virtual IP requires an INPUT and OUTPUT rule on the host - # or sometimes host access via the internal IP is needed - if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] - then - iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT - iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT - fi - # - # log IPsec client connection setup - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] - then - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - else - logger -t $TAG -p $FAC_PRIO \ - "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - fi - fi - ;; -down-client:) - # connection to my client subnet going down - # If you are doing a custom version, firewall commands go here. - if [ -n "$PLUTO_MARK_IN" ] - then - iptables -t mangle -D PREROUTING $SET_MARK - fi - if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] - then - iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ - $IPSEC_POLICY_OUT -j ACCEPT - iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT \ - $IPSEC_POLICY_IN -j ACCEPT - fi - # - # a virtual IP requires an INPUT and OUTPUT rule on the host - # or sometimes host access via the internal IP is needed - if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] - then - iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ - -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ - -d $PLUTO_MY_CLIENT $D_MY_PORT \ - $IPSEC_POLICY_IN -j ACCEPT - iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ - -s $PLUTO_MY_CLIENT $S_MY_PORT \ - -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ - $IPSEC_POLICY_OUT -j ACCEPT - fi - # - # log IPsec client connection teardown - if [ $VPN_LOGGING ] - then - if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] - then - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - else - logger -t $TAG -p $FAC_PRIO -- \ - "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" - fi - fi - ;; -*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2 - exit 1 - ;; -esac diff --git a/testing/tests/ikev1/rw-mark-in-out/hosts/venus/etc/init.d/iptables b/testing/tests/ikev1/rw-mark-in-out/hosts/venus/etc/init.d/iptables deleted file mode 100755 index 5594bbf52..000000000 --- a/testing/tests/ikev1/rw-mark-in-out/hosts/venus/etc/init.d/iptables +++ /dev/null @@ -1,77 +0,0 @@ -#!/sbin/runscript -# Copyright 1999-2004 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 - -opts="start stop reload" - -depend() { - before net - need logger -} - -start() { - ebegin "Starting firewall" - - # default policy is DROP - /sbin/iptables -P INPUT DROP - /sbin/iptables -P OUTPUT DROP - /sbin/iptables -P FORWARD DROP - - # allow ESP - iptables -A INPUT -i eth0 -p 50 -j ACCEPT - iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT - - # allow IKE - iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT - - # allow MOBIKE - iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT - - # allow crl fetch from winnetou - iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT - iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT - - # allow ssh - iptables -A INPUT -p tcp --dport 22 -j ACCEPT - iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT - - eend $? -} - -stop() { - ebegin "Stopping firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - - if [ $a == nat ]; then - /sbin/iptables -t nat -P PREROUTING ACCEPT - /sbin/iptables -t nat -P POSTROUTING ACCEPT - /sbin/iptables -t nat -P OUTPUT ACCEPT - elif [ $a == mangle ]; then - /sbin/iptables -t mangle -P PREROUTING ACCEPT - /sbin/iptables -t mangle -P INPUT ACCEPT - /sbin/iptables -t mangle -P FORWARD ACCEPT - /sbin/iptables -t mangle -P OUTPUT ACCEPT - /sbin/iptables -t mangle -P POSTROUTING ACCEPT - elif [ $a == filter ]; then - /sbin/iptables -t filter -P INPUT ACCEPT - /sbin/iptables -t filter -P FORWARD ACCEPT - /sbin/iptables -t filter -P OUTPUT ACCEPT - fi - done - eend $? -} - -reload() { - ebegin "Flushing firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - done; - eend $? - start -} - diff --git a/testing/tests/ikev1/rw-mark-in-out/hosts/venus/etc/ipsec.conf b/testing/tests/ikev1/rw-mark-in-out/hosts/venus/etc/ipsec.conf deleted file mode 100755 index e7561ebbe..000000000 --- a/testing/tests/ikev1/rw-mark-in-out/hosts/venus/etc/ipsec.conf +++ /dev/null @@ -1,26 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - -conn home - left=%defaultroute - leftsubnet=10.1.0.0/25 - leftcert=venusCert.pem - leftid=@venus.strongswan.org - leftfirewall=yes - lefthostaccess=yes - right=PH_IP_SUN - rightid=@sun.strongswan.org - rightsubnet=10.2.0.0/16 - auto=add diff --git a/testing/tests/ikev1/rw-mark-in-out/posttest.dat b/testing/tests/ikev1/rw-mark-in-out/posttest.dat deleted file mode 100644 index fae79271b..000000000 --- a/testing/tests/ikev1/rw-mark-in-out/posttest.dat +++ /dev/null @@ -1,12 +0,0 @@ -sun::iptables -t mangle -v -n -L PREROUTING -sun::ipsec stop -alice::ipsec stop -venus::ipsec stop -alice::/etc/init.d/iptables stop 2> /dev/null -venus::/etc/init.d/iptables stop 2> /dev/null -sun::/etc/init.d/iptables stop 2> /dev/null -sun::ip route del 10.1.0.0/16 via PH_IP_MOON -sun::conntrack -F -sun::rm /etc/mark_updown -moon::iptables -t nat -F -moon::conntrack -F diff --git a/testing/tests/ikev1/rw-mark-in-out/pretest.dat b/testing/tests/ikev1/rw-mark-in-out/pretest.dat deleted file mode 100644 index 427e5c67f..000000000 --- a/testing/tests/ikev1/rw-mark-in-out/pretest.dat +++ /dev/null @@ -1,18 +0,0 @@ -alice::/etc/init.d/iptables start 2> /dev/null -venus::/etc/init.d/iptables start 2> /dev/null -sun::/etc/init.d/iptables start 2> /dev/null -moon::echo 1 > /proc/sys/net/ipv4/ip_forward -moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to PH_IP_MOON -sun::ip route add 10.1.0.0/16 via PH_IP_MOON -sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 10 -j SNAT --to 10.3.0.10 -sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 20 -j SNAT --to 10.3.0.20 -sun::iptables -t mangle -A PREROUTING -d 10.3.0.10 -j MARK --set-mark 11 -sun::iptables -t mangle -A PREROUTING -d 10.3.0.20 -j MARK --set-mark 21 -alice::ipsec start -venus::ipsec start -sun::ipsec start -alice::sleep 2 -alice::ipsec up home -venus::sleep 2 -venus::ipsec up home -venus::sleep 2 diff --git a/testing/tests/ikev1/rw-mark-in-out/test.conf b/testing/tests/ikev1/rw-mark-in-out/test.conf deleted file mode 100644 index ae3c190b8..000000000 --- a/testing/tests/ikev1/rw-mark-in-out/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# UML instances used for this test - -# All UML instances that are required for this test -# -UMLHOSTS="alice venus moon winnetou sun bob" - -# Corresponding block diagram -# -DIAGRAM="a-v-m-w-s-b.png" - -# UML instances on which tcpdump is to be started -# -TCPDUMPHOSTS="moon bob" - -# UML instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="alice venus sun" diff --git a/testing/tests/ikev1/rw-psk-aggressive/description.txt b/testing/tests/ikev1/rw-psk-aggressive/description.txt new file mode 100644 index 000000000..32a476ee8 --- /dev/null +++ b/testing/tests/ikev1/rw-psk-aggressive/description.txt @@ -0,0 +1,7 @@ +The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each +to gateway <b>moon</b> using <b>IKEv1 Aggressive Mode</b>. The authentication +is based on distinct <b>pre-shared keys</b> and <b>Fully Qualified Domain Names</b>. +Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b> +automatically inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping the +client <b>alice</b> behind the gateway <b>moon</b>. diff --git a/testing/tests/ikev1/rw-psk-aggressive/evaltest.dat b/testing/tests/ikev1/rw-psk-aggressive/evaltest.dat new file mode 100644 index 000000000..2342d024b --- /dev/null +++ b/testing/tests/ikev1/rw-psk-aggressive/evaltest.dat @@ -0,0 +1,14 @@ +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES diff --git a/testing/tests/ikev1/rw-psk-no-policy/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-aggressive/hosts/carol/etc/ipsec.conf index c040fe88f..fe086b8d5 100755..100644 --- a/testing/tests/ikev1/rw-psk-no-policy/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/rw-psk-aggressive/hosts/carol/etc/ipsec.conf @@ -1,8 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug=control - charonstart=no conn %default ikelifetime=60m @@ -10,13 +8,14 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev1 + authby=secret + aggressive=yes conn home - authby=secret left=PH_IP_CAROL leftid=carol@strongswan.org leftfirewall=yes right=PH_IP_MOON - rightid=@moon.strongswan.org rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org auto=add diff --git a/testing/tests/ikev1/multi-level-ca-pathlen/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/rw-psk-aggressive/hosts/carol/etc/ipsec.secrets index fac55d63b..47e31ca21 100644 --- a/testing/tests/ikev1/multi-level-ca-pathlen/hosts/carol/etc/ipsec.secrets +++ b/testing/tests/ikev1/rw-psk-aggressive/hosts/carol/etc/ipsec.secrets @@ -1,3 +1,3 @@ # /etc/ipsec.secrets - strongSwan IPsec secrets file -: RSA carolKey.pem +carol@strongswan.org : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx diff --git a/testing/tests/ikev1/rw-psk-aggressive/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-aggressive/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..d84cba2b0 --- /dev/null +++ b/testing/tests/ikev1/rw-psk-aggressive/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-aggressive/hosts/dave/etc/ipsec.conf index ffa211299..df2887263 100755..100644 --- a/testing/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/rw-psk-aggressive/hosts/dave/etc/ipsec.conf @@ -1,8 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug=control - charonstart=no conn %default ikelifetime=60m @@ -11,10 +9,11 @@ conn %default keyingtries=1 keyexchange=ikev1 authby=secret + aggressive=yes conn home - left=PH_IP_CAROL - leftid=@carol.strongswan.org + left=PH_IP_DAVE + leftid=dave@strongswan.org leftfirewall=yes right=PH_IP_MOON rightsubnet=10.1.0.0/16 diff --git a/testing/tests/ikev1/rw-psk-aggressive/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev1/rw-psk-aggressive/hosts/dave/etc/ipsec.secrets new file mode 100644 index 000000000..f6c1a22ef --- /dev/null +++ b/testing/tests/ikev1/rw-psk-aggressive/hosts/dave/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +dave@strongswan.org : PSK 0sjVzONCF02ncsgiSlmIXeqhGN diff --git a/testing/tests/ikev1/rw-psk-aggressive/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-aggressive/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..d84cba2b0 --- /dev/null +++ b/testing/tests/ikev1/rw-psk-aggressive/hosts/dave/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ikev1/rw-rsa-no-policy/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-aggressive/hosts/moon/etc/ipsec.conf index dbd3adb4c..cb8a0cd78 100755..100644 --- a/testing/tests/ikev1/rw-rsa-no-policy/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/rw-psk-aggressive/hosts/moon/etc/ipsec.conf @@ -1,7 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug=control conn %default ikelifetime=60m @@ -9,12 +8,13 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev1 - -conn rw-psk authby=secret + aggressive=yes + +conn rw left=PH_IP_MOON - leftid=@moon.strongswan.org leftsubnet=10.1.0.0/16 + leftid=@moon.strongswan.org leftfirewall=yes right=%any auto=add diff --git a/testing/tests/ikev1/rw-psk-aggressive/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/rw-psk-aggressive/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..e3dd0fba3 --- /dev/null +++ b/testing/tests/ikev1/rw-psk-aggressive/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,5 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +@moon.strongswan.org carol@strongswan.org : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx + +@moon.strongswan.org dave@strongswan.org : PSK 0sjVzONCF02ncsgiSlmIXeqhGN diff --git a/testing/tests/ikev1/rw-psk-aggressive/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-aggressive/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..708a71c7e --- /dev/null +++ b/testing/tests/ikev1/rw-psk-aggressive/hosts/moon/etc/strongswan.conf @@ -0,0 +1,7 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown + + i_dont_care_about_security_and_use_aggressive_mode_psk = yes +} diff --git a/testing/tests/ikev1/rw-psk-aggressive/posttest.dat b/testing/tests/ikev1/rw-psk-aggressive/posttest.dat new file mode 100644 index 000000000..1865a1c60 --- /dev/null +++ b/testing/tests/ikev1/rw-psk-aggressive/posttest.dat @@ -0,0 +1,6 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/pretest.dat b/testing/tests/ikev1/rw-psk-aggressive/pretest.dat index 95a6be131..44f41f995 100644 --- a/testing/tests/ikev1/xauth-id-psk-mode-config/pretest.dat +++ b/testing/tests/ikev1/rw-psk-aggressive/pretest.dat @@ -1,12 +1,12 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null -dave::/etc/init.d/iptables start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules moon::rm /etc/ipsec.d/cacerts/* carol::rm /etc/ipsec.d/cacerts/* dave::rm /etc/ipsec.d/cacerts/* -moon::ipsec start carol::ipsec start dave::ipsec start +moon::ipsec start carol::sleep 2 carol::ipsec up home dave::ipsec up home diff --git a/testing/tests/ikev1/rw-psk-aggressive/test.conf b/testing/tests/ikev1/rw-psk-aggressive/test.conf new file mode 100644 index 000000000..f29298850 --- /dev/null +++ b/testing/tests/ikev1/rw-psk-aggressive/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev1/rw-psk-fqdn-named/description.txt b/testing/tests/ikev1/rw-psk-fqdn-named/description.txt deleted file mode 100644 index adfab2f4d..000000000 --- a/testing/tests/ikev1/rw-psk-fqdn-named/description.txt +++ /dev/null @@ -1,11 +0,0 @@ -The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>. The authentication is -based on <b>Preshared Keys</b> (PSK) and <b>Fully Qualified Domain Names</b> (ID_FQDN). -<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass the -tunneled traffic. In order to test the tunnel <b>carol</b> pings the client <b>alice</b> behind -the gateway <b>moon</b>. -<p> -The significant difference between this scenario and the test -<a href="../rw-psk-fqdn"><b>rw-psk-fqdn</b></a> -is the additional line <b>rightid=@carol.strongswan.org</b> by which gateway -<b>moon</b> restricts the roadwarrior connection to host <b>carol</b>. -</p> diff --git a/testing/tests/ikev1/rw-psk-fqdn-named/evaltest.dat b/testing/tests/ikev1/rw-psk-fqdn-named/evaltest.dat deleted file mode 100644 index c7657801e..000000000 --- a/testing/tests/ikev1/rw-psk-fqdn-named/evaltest.dat +++ /dev/null @@ -1,5 +0,0 @@ -carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES -moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES -moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/ipsec.secrets deleted file mode 100644 index db3884e57..000000000 --- a/testing/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/ipsec.secrets +++ /dev/null @@ -1,7 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -@carol.strongswan.org @moon.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL - - - - diff --git a/testing/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/strongswan.conf deleted file mode 100644 index 453cdc07c..000000000 --- a/testing/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/strongswan.conf +++ /dev/null @@ -1,11 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -pluto { - load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink -} - -# pluto uses optimized DH exponent sizes (RFC 3526) - -libstrongswan { - dh_exponent_ansi_x9_42 = no -} diff --git a/testing/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/ipsec.conf deleted file mode 100755 index 5f7cdedd2..000000000 --- a/testing/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,22 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug=control - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - authby=secret - -conn rw-carol - left=PH_IP_MOON - leftsubnet=10.1.0.0/16 - leftid=@moon.strongswan.org - leftfirewall=yes - right=%any - rightid=@carol.strongswan.org - auto=add diff --git a/testing/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/ipsec.secrets deleted file mode 100644 index 6281340ae..000000000 --- a/testing/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/ipsec.secrets +++ /dev/null @@ -1,7 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -@moon.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL - - - - diff --git a/testing/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/strongswan.conf deleted file mode 100644 index 453cdc07c..000000000 --- a/testing/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/strongswan.conf +++ /dev/null @@ -1,11 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -pluto { - load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink -} - -# pluto uses optimized DH exponent sizes (RFC 3526) - -libstrongswan { - dh_exponent_ansi_x9_42 = no -} diff --git a/testing/tests/ikev1/rw-psk-fqdn-named/posttest.dat b/testing/tests/ikev1/rw-psk-fqdn-named/posttest.dat deleted file mode 100644 index 94a400606..000000000 --- a/testing/tests/ikev1/rw-psk-fqdn-named/posttest.dat +++ /dev/null @@ -1,4 +0,0 @@ -moon::ipsec stop -carol::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev1/rw-psk-fqdn-named/pretest.dat b/testing/tests/ikev1/rw-psk-fqdn-named/pretest.dat deleted file mode 100644 index dbf03f552..000000000 --- a/testing/tests/ikev1/rw-psk-fqdn-named/pretest.dat +++ /dev/null @@ -1,8 +0,0 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null -moon::rm /etc/ipsec.d/cacerts/* -carol::rm /etc/ipsec.d/cacerts/* -carol::ipsec start -moon::ipsec start -carol::sleep 2 -carol::ipsec up home diff --git a/testing/tests/ikev1/rw-psk-fqdn-named/test.conf b/testing/tests/ikev1/rw-psk-fqdn-named/test.conf deleted file mode 100644 index 9cd583b16..000000000 --- a/testing/tests/ikev1/rw-psk-fqdn-named/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# UML instances used for this test - -# All UML instances that are required for this test -# -UMLHOSTS="alice moon carol winnetou" - -# Corresponding block diagram -# -DIAGRAM="a-m-c-w.png" - -# UML instances on which tcpdump is to be started -# -TCPDUMPHOSTS="moon" - -# UML instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev1/rw-psk-fqdn/description.txt b/testing/tests/ikev1/rw-psk-fqdn/description.txt index d6c79afb2..47f6968ae 100644 --- a/testing/tests/ikev1/rw-psk-fqdn/description.txt +++ b/testing/tests/ikev1/rw-psk-fqdn/description.txt @@ -1,5 +1,6 @@ -The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>. The authentication is -based on <b>Preshared Keys</b> (PSK) and <b>Fully Qualified Domain Names</b> (ID_FQDN). -<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass the -tunneled traffic. In order to test the tunnel <b>carol</b> pings the client <b>alice</b> behind -the gateway <b>moon</b>. +The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each +to gateway <b>moon</b>. The authentication is based on distinct <b>pre-shared keys</b> +and <b>Fully Qualified Domain Names</b>. Upon the successful establishment of the IPsec tunnels, +<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that +let pass the tunneled traffic. In order to test both tunnel and firewall, both +<b>carol</b> and <b>dave</b> ping the client <b>alice</b> behind the gateway <b>moon</b>. diff --git a/testing/tests/ikev1/rw-psk-fqdn/evaltest.dat b/testing/tests/ikev1/rw-psk-fqdn/evaltest.dat index c7657801e..77f548848 100644 --- a/testing/tests/ikev1/rw-psk-fqdn/evaltest.dat +++ b/testing/tests/ikev1/rw-psk-fqdn/evaltest.dat @@ -1,5 +1,14 @@ -carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES -moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw-carol.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw-dave.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw-carol.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw-dave.*INSTALLED, TUNNEL::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES diff --git a/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/ipsec.conf index ffa211299..936a75401 100755..100644 --- a/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/ipsec.conf @@ -1,8 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug=control - charonstart=no conn %default ikelifetime=60m @@ -14,7 +12,7 @@ conn %default conn home left=PH_IP_CAROL - leftid=@carol.strongswan.org + leftid=carol@strongswan.org leftfirewall=yes right=PH_IP_MOON rightsubnet=10.1.0.0/16 diff --git a/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/ipsec.secrets index db3884e57..47e31ca21 100644 --- a/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/ipsec.secrets +++ b/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/ipsec.secrets @@ -1,7 +1,3 @@ # /etc/ipsec.secrets - strongSwan IPsec secrets file -@carol.strongswan.org @moon.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL - - - - +carol@strongswan.org : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx diff --git a/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/strongswan.conf index 453cdc07c..d84cba2b0 100644 --- a/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/strongswan.conf @@ -1,11 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file -pluto { - load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink -} - -# pluto uses optimized DH exponent sizes (RFC 3526) - -libstrongswan { - dh_exponent_ansi_x9_42 = no +charon { + load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev1/rw-psk-fqdn/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-fqdn/hosts/dave/etc/ipsec.conf new file mode 100644 index 000000000..45cdd3eca --- /dev/null +++ b/testing/tests/ikev1/rw-psk-fqdn/hosts/dave/etc/ipsec.conf @@ -0,0 +1,20 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + authby=secret + +conn home + left=PH_IP_DAVE + leftid=dave@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ikev1/rw-psk-fqdn/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev1/rw-psk-fqdn/hosts/dave/etc/ipsec.secrets new file mode 100644 index 000000000..f6c1a22ef --- /dev/null +++ b/testing/tests/ikev1/rw-psk-fqdn/hosts/dave/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +dave@strongswan.org : PSK 0sjVzONCF02ncsgiSlmIXeqhGN diff --git a/testing/tests/ikev1/rw-psk-fqdn/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-fqdn/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..d84cba2b0 --- /dev/null +++ b/testing/tests/ikev1/rw-psk-fqdn/hosts/dave/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/ipsec.conf index efec3b33d..63bdd6bb8 100755..100644 --- a/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/ipsec.conf @@ -1,8 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug=control - charonstart=no conn %default ikelifetime=60m @@ -11,11 +9,21 @@ conn %default keyingtries=1 keyexchange=ikev1 authby=secret + +conn rw-carol + also=rw + right=PH_IP_CAROL + rightid=carol@strongswan.org + auto=add + +conn rw-dave + also=rw + right=PH_IP_DAVE + rightid=dave@strongswan.org + auto=add conn rw left=PH_IP_MOON leftsubnet=10.1.0.0/16 leftid=@moon.strongswan.org leftfirewall=yes - right=%any - auto=add diff --git a/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/ipsec.secrets index 661168fb5..e3dd0fba3 100644 --- a/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/ipsec.secrets +++ b/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/ipsec.secrets @@ -1,3 +1,5 @@ # /etc/ipsec.secrets - strongSwan IPsec secrets file -@moon.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL +@moon.strongswan.org carol@strongswan.org : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx + +@moon.strongswan.org dave@strongswan.org : PSK 0sjVzONCF02ncsgiSlmIXeqhGN diff --git a/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/strongswan.conf index 453cdc07c..d84cba2b0 100644 --- a/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/strongswan.conf @@ -1,11 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file -pluto { - load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink -} - -# pluto uses optimized DH exponent sizes (RFC 3526) - -libstrongswan { - dh_exponent_ansi_x9_42 = no +charon { + load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev1/rw-psk-fqdn/posttest.dat b/testing/tests/ikev1/rw-psk-fqdn/posttest.dat index 94a400606..1865a1c60 100644 --- a/testing/tests/ikev1/rw-psk-fqdn/posttest.dat +++ b/testing/tests/ikev1/rw-psk-fqdn/posttest.dat @@ -1,4 +1,6 @@ moon::ipsec stop carol::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null +dave::ipsec stop +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev1/rw-psk-fqdn/pretest.dat b/testing/tests/ikev1/rw-psk-fqdn/pretest.dat index dbf03f552..44f41f995 100644 --- a/testing/tests/ikev1/rw-psk-fqdn/pretest.dat +++ b/testing/tests/ikev1/rw-psk-fqdn/pretest.dat @@ -1,8 +1,12 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules moon::rm /etc/ipsec.d/cacerts/* carol::rm /etc/ipsec.d/cacerts/* +dave::rm /etc/ipsec.d/cacerts/* carol::ipsec start +dave::ipsec start moon::ipsec start carol::sleep 2 carol::ipsec up home +dave::ipsec up home diff --git a/testing/tests/ikev1/rw-psk-fqdn/test.conf b/testing/tests/ikev1/rw-psk-fqdn/test.conf index 9cd583b16..f29298850 100644 --- a/testing/tests/ikev1/rw-psk-fqdn/test.conf +++ b/testing/tests/ikev1/rw-psk-fqdn/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon carol winnetou" +VIRTHOSTS="alice moon carol winnetou dave" # Corresponding block diagram # -DIAGRAM="a-m-c-w.png" +DIAGRAM="a-m-c-w-d.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # -IPSECHOSTS="moon carol" +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev1/rw-psk-ipv4/description.txt b/testing/tests/ikev1/rw-psk-ipv4/description.txt index b3a0bc192..b4aaa6a6a 100644 --- a/testing/tests/ikev1/rw-psk-ipv4/description.txt +++ b/testing/tests/ikev1/rw-psk-ipv4/description.txt @@ -1,5 +1,6 @@ -The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>. The authentication is -based on <b>Preshared Keys</b> (PSK) and <b>IPv4 addresses</b> (ID_IPV4_ADDR). -<b>firewall=yes</b> automatically inserts iptables-based firewall rules that let pass -the tunneled traffic. In order to test the tunnel <b>carol</b> pings the client <b>alice</b> -behind the gateway <b>moon</b>. +The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each +to gateway <b>moon</b>. The authentication is based on distinct <b>pre-shared keys</b> +and <b>IPv4</b> addresses. Upon the successful establishment of the IPsec tunnels, +<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that +let pass the tunneled traffic. In order to test both tunnel and firewall, both +<b>carol</b> and <b>dave</b> ping the client <b>alice</b> behind the gateway <b>moon</b>. diff --git a/testing/tests/ikev1/rw-psk-ipv4/evaltest.dat b/testing/tests/ikev1/rw-psk-ipv4/evaltest.dat index c7657801e..df37719e9 100644 --- a/testing/tests/ikev1/rw-psk-ipv4/evaltest.dat +++ b/testing/tests/ikev1/rw-psk-ipv4/evaltest.dat @@ -1,5 +1,14 @@ -carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES -moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*\[192.168.0.100].*\[192.168.0.1]::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*\[192.168.0.200].*\[192.168.0.1]::YES +moon:: ipsec status 2> /dev/null::rw-carol.*ESTABLISHED.*\[192.168.0.1].*\[192.168.0.100]::YES +moon:: ipsec status 2> /dev/null::rw-dave.*ESTABLISHED.*\[192.168.0.1].*\[192.168.0.200]::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw-carol.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw-dave.*INSTALLED, TUNNEL::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES diff --git a/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/ipsec.conf index 0d2a5d2c4..3214ace92 100755..100644 --- a/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/ipsec.conf @@ -1,8 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug=control - charonstart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/ipsec.secrets index 69313b289..18a074472 100644 --- a/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/ipsec.secrets +++ b/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/ipsec.secrets @@ -1,7 +1,3 @@ # /etc/ipsec.secrets - strongSwan IPsec secrets file -PH_IP_CAROL PH_IP_MOON : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL - - - - +192.168.0.100 : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx diff --git a/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/strongswan.conf index 453cdc07c..d84cba2b0 100644 --- a/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/strongswan.conf @@ -1,11 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file -pluto { - load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink -} - -# pluto uses optimized DH exponent sizes (RFC 3526) - -libstrongswan { - dh_exponent_ansi_x9_42 = no +charon { + load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev1/rw-psk-ipv4/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-ipv4/hosts/dave/etc/ipsec.conf new file mode 100644 index 000000000..f59de5f72 --- /dev/null +++ b/testing/tests/ikev1/rw-psk-ipv4/hosts/dave/etc/ipsec.conf @@ -0,0 +1,18 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + authby=secret + +conn home + left=PH_IP_DAVE + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/rw-psk-ipv4/hosts/dave/etc/ipsec.secrets index fac55d63b..a048cb5f2 100644 --- a/testing/tests/ikev1/multi-level-ca-revoked/hosts/carol/etc/ipsec.secrets +++ b/testing/tests/ikev1/rw-psk-ipv4/hosts/dave/etc/ipsec.secrets @@ -1,3 +1,3 @@ # /etc/ipsec.secrets - strongSwan IPsec secrets file -: RSA carolKey.pem +192.168.0.200 : PSK 0sjVzONCF02ncsgiSlmIXeqhGN diff --git a/testing/tests/ikev1/rw-psk-ipv4/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-ipv4/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..d84cba2b0 --- /dev/null +++ b/testing/tests/ikev1/rw-psk-ipv4/hosts/dave/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/ipsec.conf index 41582eaef..b6bb51c0c 100755..100644 --- a/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/ipsec.conf @@ -1,8 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug=control - charonstart=no conn %default ikelifetime=60m @@ -11,10 +9,18 @@ conn %default keyingtries=1 keyexchange=ikev1 authby=secret + +conn rw-carol + also=rw + right=PH_IP_CAROL + auto=add + +conn rw-dave + also=rw + right=PH_IP_DAVE + auto=add conn rw left=PH_IP_MOON leftsubnet=10.1.0.0/16 leftfirewall=yes - right=%any - auto=add diff --git a/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/ipsec.secrets index a8e367950..55c639704 100644 --- a/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/ipsec.secrets +++ b/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/ipsec.secrets @@ -1,7 +1,5 @@ # /etc/ipsec.secrets - strongSwan IPsec secrets file -PH_IP_MOON %any : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL - - - +192.168.0.1 192.168.0.100 : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx +192.168.0.1 192.168.0.200 : PSK 0sjVzONCF02ncsgiSlmIXeqhGN diff --git a/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/strongswan.conf index 453cdc07c..d84cba2b0 100644 --- a/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/strongswan.conf @@ -1,11 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file -pluto { - load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink -} - -# pluto uses optimized DH exponent sizes (RFC 3526) - -libstrongswan { - dh_exponent_ansi_x9_42 = no +charon { + load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev1/rw-psk-ipv4/posttest.dat b/testing/tests/ikev1/rw-psk-ipv4/posttest.dat index 94a400606..1865a1c60 100644 --- a/testing/tests/ikev1/rw-psk-ipv4/posttest.dat +++ b/testing/tests/ikev1/rw-psk-ipv4/posttest.dat @@ -1,4 +1,6 @@ moon::ipsec stop carol::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null +dave::ipsec stop +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev1/rw-psk-ipv4/pretest.dat b/testing/tests/ikev1/rw-psk-ipv4/pretest.dat index dbf03f552..44f41f995 100644 --- a/testing/tests/ikev1/rw-psk-ipv4/pretest.dat +++ b/testing/tests/ikev1/rw-psk-ipv4/pretest.dat @@ -1,8 +1,12 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules moon::rm /etc/ipsec.d/cacerts/* carol::rm /etc/ipsec.d/cacerts/* +dave::rm /etc/ipsec.d/cacerts/* carol::ipsec start +dave::ipsec start moon::ipsec start carol::sleep 2 carol::ipsec up home +dave::ipsec up home diff --git a/testing/tests/ikev1/rw-psk-ipv4/test.conf b/testing/tests/ikev1/rw-psk-ipv4/test.conf index 9cd583b16..f29298850 100644 --- a/testing/tests/ikev1/rw-psk-ipv4/test.conf +++ b/testing/tests/ikev1/rw-psk-ipv4/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon carol winnetou" +VIRTHOSTS="alice moon carol winnetou dave" # Corresponding block diagram # -DIAGRAM="a-m-c-w.png" +DIAGRAM="a-m-c-w-d.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # -IPSECHOSTS="moon carol" +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev1/rw-psk-no-policy/description.txt b/testing/tests/ikev1/rw-psk-no-policy/description.txt deleted file mode 100644 index 0e359414f..000000000 --- a/testing/tests/ikev1/rw-psk-no-policy/description.txt +++ /dev/null @@ -1,3 +0,0 @@ -The roadwarrior <b>carol</b> wants to set up a connection to gateway <b>moon</b> using -<b>PSK</b>-based authentication. Since <b>moon</b> supports <b>RSASIG</b>-based -authentication only, the connection setup fails. diff --git a/testing/tests/ikev1/rw-psk-no-policy/evaltest.dat b/testing/tests/ikev1/rw-psk-no-policy/evaltest.dat deleted file mode 100644 index a28377dbd..000000000 --- a/testing/tests/ikev1/rw-psk-no-policy/evaltest.dat +++ /dev/null @@ -1,5 +0,0 @@ -carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::NO -moon::cat /var/log/auth.log::peer requests PSK authentication::YES -moon::cat /var/log/auth.log::but no connection has been authorized with policy=PSK::YES -moon::ipsec status::*PH_IP_CAROL STATE_QUICK_R2.*IPsec SA established::NO - diff --git a/testing/tests/ikev1/rw-psk-no-policy/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/rw-psk-no-policy/hosts/carol/etc/ipsec.secrets deleted file mode 100644 index 1b721dc58..000000000 --- a/testing/tests/ikev1/rw-psk-no-policy/hosts/carol/etc/ipsec.secrets +++ /dev/null @@ -1,7 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL - - - - diff --git a/testing/tests/ikev1/rw-psk-no-policy/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-no-policy/hosts/carol/etc/strongswan.conf deleted file mode 100644 index 453cdc07c..000000000 --- a/testing/tests/ikev1/rw-psk-no-policy/hosts/carol/etc/strongswan.conf +++ /dev/null @@ -1,11 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -pluto { - load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink -} - -# pluto uses optimized DH exponent sizes (RFC 3526) - -libstrongswan { - dh_exponent_ansi_x9_42 = no -} diff --git a/testing/tests/ikev1/rw-psk-no-policy/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-no-policy/hosts/moon/etc/strongswan.conf deleted file mode 100644 index 453cdc07c..000000000 --- a/testing/tests/ikev1/rw-psk-no-policy/hosts/moon/etc/strongswan.conf +++ /dev/null @@ -1,11 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -pluto { - load = sha1 sha2 md5 aes des hmac gmp random kernel-netlink -} - -# pluto uses optimized DH exponent sizes (RFC 3526) - -libstrongswan { - dh_exponent_ansi_x9_42 = no -} diff --git a/testing/tests/ikev1/rw-psk-no-policy/posttest.dat b/testing/tests/ikev1/rw-psk-no-policy/posttest.dat deleted file mode 100644 index c6d6235f9..000000000 --- a/testing/tests/ikev1/rw-psk-no-policy/posttest.dat +++ /dev/null @@ -1,2 +0,0 @@ -moon::ipsec stop -carol::ipsec stop diff --git a/testing/tests/ikev1/rw-psk-no-policy/pretest.dat b/testing/tests/ikev1/rw-psk-no-policy/pretest.dat deleted file mode 100644 index 3a7804ddd..000000000 --- a/testing/tests/ikev1/rw-psk-no-policy/pretest.dat +++ /dev/null @@ -1,5 +0,0 @@ -carol::rm /etc/ipsec.d/cacerts/* -carol::ipsec start -moon::ipsec start -carol::sleep 2 -carol::ipsec up home diff --git a/testing/tests/ikev1/rw-psk-no-policy/test.conf b/testing/tests/ikev1/rw-psk-no-policy/test.conf deleted file mode 100644 index f622c18b7..000000000 --- a/testing/tests/ikev1/rw-psk-no-policy/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# UML instances used for this test - -# All UML instances that are required for this test -# -UMLHOSTS="moon carol winnetou" - -# Corresponding block diagram -# -DIAGRAM="a-m-c-w.png" - -# UML instances on which tcpdump is to be started -# -TCPDUMPHOSTS="" - -# UML instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev1/rw-psk-rsa-mixed/description.txt b/testing/tests/ikev1/rw-psk-rsa-mixed/description.txt deleted file mode 100644 index b99a8e5b3..000000000 --- a/testing/tests/ikev1/rw-psk-rsa-mixed/description.txt +++ /dev/null @@ -1,5 +0,0 @@ -The roadwarriors <b>carol</b> and <b>dave</b> each set up a connection to gateway <b>moon</b>. -<b>carol</b>'s authentication is based on a Pre-Shared Key (<b>PSK</b>) whereas <b>dave</b>'s -is based on an RSA signature (<b>RSASIG</b>). Gateway <b>moon</b> supports both authentication modes -and automatically selects the correct roadwarrior connection definition based on policy -information gained from pre-parsing the peers' ISAKMP proposal payload. diff --git a/testing/tests/ikev1/rw-psk-rsa-mixed/evaltest.dat b/testing/tests/ikev1/rw-psk-rsa-mixed/evaltest.dat deleted file mode 100644 index 5ab6632cc..000000000 --- a/testing/tests/ikev1/rw-psk-rsa-mixed/evaltest.dat +++ /dev/null @@ -1,7 +0,0 @@ -carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES -dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES -moon::cat /var/log/auth.log::peer requests PSK authentication::YES -moon::ipsec status::rw-psk.*PH_IP_CAROL STATE_QUICK_R2.*IPsec SA established::YES -moon::cat /var/log/auth.log::peer requests PUBKEY authentication::YES -moon::ipsec status::rw-rsasig.*PH_IP_DAVE STATE_QUICK_R2.*IPsec SA established::YES - diff --git a/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.secrets deleted file mode 100644 index 1b721dc58..000000000 --- a/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.secrets +++ /dev/null @@ -1,7 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL - - - - diff --git a/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.secrets deleted file mode 100644 index fd33507a7..000000000 --- a/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.secrets +++ /dev/null @@ -1,5 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL - -: RSA moonKey.pem diff --git a/testing/tests/ikev1/rw-psk-rsa-mixed/posttest.dat b/testing/tests/ikev1/rw-psk-rsa-mixed/posttest.dat deleted file mode 100644 index ed530f6d9..000000000 --- a/testing/tests/ikev1/rw-psk-rsa-mixed/posttest.dat +++ /dev/null @@ -1,3 +0,0 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop diff --git a/testing/tests/ikev1/rw-psk-rsa-mixed/pretest.dat b/testing/tests/ikev1/rw-psk-rsa-mixed/pretest.dat deleted file mode 100644 index 35797b589..000000000 --- a/testing/tests/ikev1/rw-psk-rsa-mixed/pretest.dat +++ /dev/null @@ -1,7 +0,0 @@ -carol::rm /etc/ipsec.d/cacerts/* -carol::ipsec start -dave::ipsec start -moon::ipsec start -carol::sleep 2 -carol::ipsec up home -dave::ipsec up home diff --git a/testing/tests/ikev1/rw-psk-rsa-mixed/test.conf b/testing/tests/ikev1/rw-psk-rsa-mixed/test.conf deleted file mode 100644 index 699b88e88..000000000 --- a/testing/tests/ikev1/rw-psk-rsa-mixed/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# UML instances used for this test - -# All UML instances that are required for this test -# -UMLHOSTS="moon carol dave winnetou" - -# Corresponding block diagram -# -DIAGRAM="a-m-c-w-d.png" - -# UML instances on which tcpdump is to be started -# -TCPDUMPHOSTS="" - -# UML instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev1/rw-rsa-no-policy/description.txt b/testing/tests/ikev1/rw-rsa-no-policy/description.txt deleted file mode 100644 index c3336b769..000000000 --- a/testing/tests/ikev1/rw-rsa-no-policy/description.txt +++ /dev/null @@ -1,3 +0,0 @@ -The roadwarrior <b>carol</b> wants to set up a connection to gateway <b>moon</b> using -<b>RSASIG</b>-based authentication. Since <b>moon</b> supports <b>PSK</b>-based -authentication only, the connection setup fails. diff --git a/testing/tests/ikev1/rw-rsa-no-policy/evaltest.dat b/testing/tests/ikev1/rw-rsa-no-policy/evaltest.dat deleted file mode 100644 index 849ae5d66..000000000 --- a/testing/tests/ikev1/rw-rsa-no-policy/evaltest.dat +++ /dev/null @@ -1,5 +0,0 @@ -carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::NO -moon::cat /var/log/auth.log::peer requests PUBKEY authentication::YES -moon::cat /var/log/auth.log::but no connection has been authorized with policy=PUBKEY::YES -moon::ipsec status::*PH_IP_CAROL STATE_QUICK_R2.*IPsec SA established::NO - diff --git a/testing/tests/ikev1/rw-rsa-no-policy/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/rw-rsa-no-policy/hosts/moon/etc/ipsec.secrets deleted file mode 100644 index e8c151f05..000000000 --- a/testing/tests/ikev1/rw-rsa-no-policy/hosts/moon/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL diff --git a/testing/tests/ikev1/rw-rsa-no-policy/posttest.dat b/testing/tests/ikev1/rw-rsa-no-policy/posttest.dat deleted file mode 100644 index c6d6235f9..000000000 --- a/testing/tests/ikev1/rw-rsa-no-policy/posttest.dat +++ /dev/null @@ -1,2 +0,0 @@ -moon::ipsec stop -carol::ipsec stop diff --git a/testing/tests/ikev1/rw-rsa-no-policy/pretest.dat b/testing/tests/ikev1/rw-rsa-no-policy/pretest.dat deleted file mode 100644 index 0d2a0dd1f..000000000 --- a/testing/tests/ikev1/rw-rsa-no-policy/pretest.dat +++ /dev/null @@ -1,5 +0,0 @@ -moon::rm /etc/ipsec.d/cacerts/* -carol::ipsec start -moon::ipsec start -carol::sleep 2 -carol::ipsec up home diff --git a/testing/tests/ikev1/rw-rsa-no-policy/test.conf b/testing/tests/ikev1/rw-rsa-no-policy/test.conf deleted file mode 100644 index f622c18b7..000000000 --- a/testing/tests/ikev1/rw-rsa-no-policy/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# UML instances used for this test - -# All UML instances that are required for this test -# -UMLHOSTS="moon carol winnetou" - -# Corresponding block diagram -# -DIAGRAM="a-m-c-w.png" - -# UML instances on which tcpdump is to be started -# -TCPDUMPHOSTS="" - -# UML instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev1/self-signed/description.txt b/testing/tests/ikev1/self-signed/description.txt deleted file mode 100644 index 2d7bfc2bf..000000000 --- a/testing/tests/ikev1/self-signed/description.txt +++ /dev/null @@ -1,8 +0,0 @@ -Roadwarrior <b>carol</b> and gateway <b>moon</b> each generate a -PKCS#1 RSA private key and a self-signed X.509 certificate -using the <b>ipsec scepclient</b> function. Because the UML testing -environment does not offer enough entropy, the non-blocking /dev/urandom -device is used in place of /dev/random for generating the random primes. -<p> -The self-signed certificates are then distributed to the peers via scp -and are used to set up a road warrior connection initiated by <b>carol</b> diff --git a/testing/tests/ikev1/self-signed/evaltest.dat b/testing/tests/ikev1/self-signed/evaltest.dat deleted file mode 100644 index f190d7066..000000000 --- a/testing/tests/ikev1/self-signed/evaltest.dat +++ /dev/null @@ -1,7 +0,0 @@ -carol::cat /var/log/auth.log::we have a cert but are not sending it::YES -moon::cat /var/log/auth.log::we have a cert but are not sending it::YES -carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES -moon::ipsec status::carol.*STATE_QUICK_R2.*IPsec SA established::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES -moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/ikev1/self-signed/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/self-signed/hosts/carol/etc/ipsec.conf deleted file mode 100755 index f6859b8a4..000000000 --- a/testing/tests/ikev1/self-signed/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,26 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug=control - crlcheckinterval=0 - strictcrlpolicy=no - nocrsend=yes - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - -conn home - left=PH_IP_CAROL - leftcert=selfCert.der - leftsendcert=never - leftfirewall=yes - right=PH_IP_MOON - rightsubnet=10.1.0.0/16 - rightcert=peerCert.der - rightid=@moon.strongswan.org - auto=add diff --git a/testing/tests/ikev1/self-signed/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/self-signed/hosts/carol/etc/ipsec.secrets deleted file mode 100644 index 167d743df..000000000 --- a/testing/tests/ikev1/self-signed/hosts/carol/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: RSA myKey.der diff --git a/testing/tests/ikev1/self-signed/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/self-signed/hosts/carol/etc/strongswan.conf deleted file mode 100644 index e589a9425..000000000 --- a/testing/tests/ikev1/self-signed/hosts/carol/etc/strongswan.conf +++ /dev/null @@ -1,15 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink -} - -scepclient { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random -} - -# pluto uses optimized DH exponent sizes (RFC 3526) - -libstrongswan { - dh_exponent_ansi_x9_42 = no -} diff --git a/testing/tests/ikev1/self-signed/hosts/moon/etc/init.d/iptables b/testing/tests/ikev1/self-signed/hosts/moon/etc/init.d/iptables deleted file mode 100755 index 13ad3063f..000000000 --- a/testing/tests/ikev1/self-signed/hosts/moon/etc/init.d/iptables +++ /dev/null @@ -1,78 +0,0 @@ -#!/sbin/runscript -# Copyright 1999-2004 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 - -opts="start stop reload" - -depend() { - before net - need logger -} - -start() { - ebegin "Starting firewall" - - # enable IP forwarding - echo 1 > /proc/sys/net/ipv4/ip_forward - - # default policy is DROP - /sbin/iptables -P INPUT DROP - /sbin/iptables -P OUTPUT DROP - /sbin/iptables -P FORWARD DROP - - # allow esp - iptables -A INPUT -i eth0 -p 50 -j ACCEPT - iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT - - # allow IKE - iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT - - # allow crl fetch from winnetou - iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT - iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT - - # allow ssh - iptables -A INPUT -p tcp --dport 22 -j ACCEPT - iptables -A INPUT -p tcp --sport 22 -j ACCEPT - iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT - iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT - - eend $? -} - -stop() { - ebegin "Stopping firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - - if [ $a == nat ]; then - /sbin/iptables -t nat -P PREROUTING ACCEPT - /sbin/iptables -t nat -P POSTROUTING ACCEPT - /sbin/iptables -t nat -P OUTPUT ACCEPT - elif [ $a == mangle ]; then - /sbin/iptables -t mangle -P PREROUTING ACCEPT - /sbin/iptables -t mangle -P INPUT ACCEPT - /sbin/iptables -t mangle -P FORWARD ACCEPT - /sbin/iptables -t mangle -P OUTPUT ACCEPT - /sbin/iptables -t mangle -P POSTROUTING ACCEPT - elif [ $a == filter ]; then - /sbin/iptables -t filter -P INPUT ACCEPT - /sbin/iptables -t filter -P FORWARD ACCEPT - /sbin/iptables -t filter -P OUTPUT ACCEPT - fi - done - eend $? -} - -reload() { - ebegin "Flushing firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - done; - eend $? - start -} - diff --git a/testing/tests/ikev1/self-signed/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/self-signed/hosts/moon/etc/ipsec.conf deleted file mode 100755 index f14352bf8..000000000 --- a/testing/tests/ikev1/self-signed/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,27 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug=control - crlcheckinterval=0 - strictcrlpolicy=no - nocrsend=yes - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - -conn carol - left=PH_IP_MOON - leftcert=moonCert.der - leftid=@moon.strongswan.org - leftsendcert=never - leftfirewall=yes - leftsubnet=10.1.0.0/16 - right=%any - rightcert=carolCert.der - auto=add - diff --git a/testing/tests/ikev1/self-signed/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/self-signed/hosts/moon/etc/ipsec.secrets deleted file mode 100644 index b9ec17dbc..000000000 --- a/testing/tests/ikev1/self-signed/hosts/moon/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: RSA moonKey.der diff --git a/testing/tests/ikev1/self-signed/hosts/moon/etc/scepclient.conf b/testing/tests/ikev1/self-signed/hosts/moon/etc/scepclient.conf deleted file mode 100644 index b84f3e131..000000000 --- a/testing/tests/ikev1/self-signed/hosts/moon/etc/scepclient.conf +++ /dev/null @@ -1,6 +0,0 @@ ---debug-control ---keylength 2032 ---days 1460 ---subjectAltName dns=moon.strongswan.org ---out pkcs1=moonKey.der ---out cert-self=moonCert.der diff --git a/testing/tests/ikev1/self-signed/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/self-signed/hosts/moon/etc/strongswan.conf deleted file mode 100644 index e589a9425..000000000 --- a/testing/tests/ikev1/self-signed/hosts/moon/etc/strongswan.conf +++ /dev/null @@ -1,15 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl kernel-netlink -} - -scepclient { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random -} - -# pluto uses optimized DH exponent sizes (RFC 3526) - -libstrongswan { - dh_exponent_ansi_x9_42 = no -} diff --git a/testing/tests/ikev1/self-signed/posttest.dat b/testing/tests/ikev1/self-signed/posttest.dat deleted file mode 100644 index 8cada5e7e..000000000 --- a/testing/tests/ikev1/self-signed/posttest.dat +++ /dev/null @@ -1,8 +0,0 @@ -moon::ipsec stop -carol::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null -carol::rm /etc/ipsec.d/private/* -carol::rm /etc/ipsec.d/certs/* -moon::rm /etc/ipsec.d/private/* -moon::rm /etc/ipsec.d/certs/* diff --git a/testing/tests/ikev1/self-signed/pretest.dat b/testing/tests/ikev1/self-signed/pretest.dat deleted file mode 100644 index a7cddf677..000000000 --- a/testing/tests/ikev1/self-signed/pretest.dat +++ /dev/null @@ -1,17 +0,0 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null -carol::rm /etc/ipsec.d/private/* -carol::rm /etc/ipsec.d/certs/* -carol::rm /etc/ipsec.d/cacerts/* -carol::ipsec scepclient --out pkcs1 --out cert-self -moon::rm /etc/ipsec.d/private/* -moon::rm /etc/ipsec.d/certs/* -moon::rm /etc/ipsec.d/cacerts/* -moon::cat /etc/scepclient.conf -moon::ipsec scepclient --dn \"C=CH, O=Linux strongSwan, CN=moon.strongswan.org\" --optionsfrom /etc/scepclient.conf -moon::scp carol:/etc/ipsec.d/certs/selfCert.der /etc/ipsec.d/certs/carolCert.der -moon::scp /etc/ipsec.d/certs/moonCert.der carol:/etc/ipsec.d/certs/peerCert.der -carol::ipsec start -moon::ipsec start -carol::sleep 2 -carol::ipsec up home diff --git a/testing/tests/ikev1/self-signed/test.conf b/testing/tests/ikev1/self-signed/test.conf deleted file mode 100644 index 0baa48d90..000000000 --- a/testing/tests/ikev1/self-signed/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# UML instances used for this test - -# All UML instances that are required for this test -# -UMLHOSTS="alice moon carol" - -# Corresponding block diagram -# -DIAGRAM="a-m-c.png" - -# UML instances on which tcpdump is to be started -# -TCPDUMPHOSTS="moon" - -# UML instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev1/starter-also-loop/description.txt b/testing/tests/ikev1/starter-also-loop/description.txt deleted file mode 100644 index 7451f4e12..000000000 --- a/testing/tests/ikev1/starter-also-loop/description.txt +++ /dev/null @@ -1,4 +0,0 @@ -This scenario is the same as test <b><a href="../rw-cert">rw-cert</a></b> but -uses the <b>also</b> parameter in <b>moon</b>'s ipsec.conf in order to define -the connections in a modular form. A closed also loop created by including -<b>conn host-host</b> in <b>conn moon</b> is successfully detected. diff --git a/testing/tests/ikev1/starter-also-loop/evaltest.dat b/testing/tests/ikev1/starter-also-loop/evaltest.dat deleted file mode 100644 index 161772f8e..000000000 --- a/testing/tests/ikev1/starter-also-loop/evaltest.dat +++ /dev/null @@ -1,3 +0,0 @@ -moon::cat /var/log/auth.log::detected also loop::YES -moon::cat /var/log/auth.log::errors in config::YES - diff --git a/testing/tests/ikev1/starter-also-loop/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/starter-also-loop/hosts/moon/etc/ipsec.conf deleted file mode 100755 index af2fcc5dc..000000000 --- a/testing/tests/ikev1/starter-also-loop/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,47 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - -conn net-net - also=host-host - also=moon-net - also=sun-net - -conn host-host - also=moon - also=sun - auto=add - -conn rw - right=%any - also=moon - also=moon-net - auto=add - -conn moon - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftfirewall=yes - also=host-host - -conn moon-net - leftsubnet=10.1.0.0/16 - -conn sun - right=PH_IP_SUN - rightid=@sun.strongswan.org - -conn sun-net - rightsubnet=10.2.0.0/16 diff --git a/testing/tests/ikev1/starter-also-loop/posttest.dat b/testing/tests/ikev1/starter-also-loop/posttest.dat deleted file mode 100644 index e69de29bb..000000000 --- a/testing/tests/ikev1/starter-also-loop/posttest.dat +++ /dev/null diff --git a/testing/tests/ikev1/starter-also-loop/pretest.dat b/testing/tests/ikev1/starter-also-loop/pretest.dat deleted file mode 100644 index b135b12c3..000000000 --- a/testing/tests/ikev1/starter-also-loop/pretest.dat +++ /dev/null @@ -1,2 +0,0 @@ -moon::ipsec start --debug-all -moon::sleep 1 diff --git a/testing/tests/ikev1/starter-also-loop/test.conf b/testing/tests/ikev1/starter-also-loop/test.conf deleted file mode 100644 index e7735308f..000000000 --- a/testing/tests/ikev1/starter-also-loop/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# UML instances used for this test - -# All UML instances that are required for this test -# -UMLHOSTS="alice moon carol winnetou" - -# Corresponding block diagram -# -DIAGRAM="a-m-c-w.png" - -# UML instances on which tcpdump is to be started -# -TCPDUMPHOSTS="" - -# UML instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon" diff --git a/testing/tests/ikev1/starter-also/description.txt b/testing/tests/ikev1/starter-also/description.txt deleted file mode 100644 index 3d4ff7dbf..000000000 --- a/testing/tests/ikev1/starter-also/description.txt +++ /dev/null @@ -1,3 +0,0 @@ -This scenario is the same as test <b><a href="../rw-cert">rw-cert</a></b> but -uses the <b>also</b> parameter in <b>moon</b>'s ipsec.conf in order to define -the connections in a modular form. diff --git a/testing/tests/ikev1/starter-also/evaltest.dat b/testing/tests/ikev1/starter-also/evaltest.dat deleted file mode 100644 index c7657801e..000000000 --- a/testing/tests/ikev1/starter-also/evaltest.dat +++ /dev/null @@ -1,5 +0,0 @@ -carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES -moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES -moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/ikev1/starter-also/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/starter-also/hosts/moon/etc/ipsec.conf deleted file mode 100755 index 2bd4985ca..000000000 --- a/testing/tests/ikev1/starter-also/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,46 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - -conn net-net - also=host-host - also=moon-net - also=sun-net - -conn host-host - also=moon - also=sun - auto=add - -conn rw - right=%any - also=moon - also=moon-net - auto=add - -conn moon - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftfirewall=yes - -conn moon-net - leftsubnet=10.1.0.0/16 - -conn sun - right=PH_IP_SUN - rightid=@sun.strongswan.org - -conn sun-net - rightsubnet=10.2.0.0/16 diff --git a/testing/tests/ikev1/starter-also/posttest.dat b/testing/tests/ikev1/starter-also/posttest.dat deleted file mode 100644 index 94a400606..000000000 --- a/testing/tests/ikev1/starter-also/posttest.dat +++ /dev/null @@ -1,4 +0,0 @@ -moon::ipsec stop -carol::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev1/starter-also/pretest.dat b/testing/tests/ikev1/starter-also/pretest.dat deleted file mode 100644 index c7b4f43be..000000000 --- a/testing/tests/ikev1/starter-also/pretest.dat +++ /dev/null @@ -1,6 +0,0 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null -carol::ipsec start -moon::ipsec start --debug-all -carol::sleep 2 -carol::ipsec up home diff --git a/testing/tests/ikev1/starter-also/test.conf b/testing/tests/ikev1/starter-also/test.conf deleted file mode 100644 index 9cd583b16..000000000 --- a/testing/tests/ikev1/starter-also/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# UML instances used for this test - -# All UML instances that are required for this test -# -UMLHOSTS="alice moon carol winnetou" - -# Corresponding block diagram -# -DIAGRAM="a-m-c-w.png" - -# UML instances on which tcpdump is to be started -# -TCPDUMPHOSTS="moon" - -# UML instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev1/starter-includes/description.txt b/testing/tests/ikev1/starter-includes/description.txt deleted file mode 100644 index 6a05c0cca..000000000 --- a/testing/tests/ikev1/starter-includes/description.txt +++ /dev/null @@ -1,6 +0,0 @@ -This test is based on the <a href="../mode-config">mode-config</a> -scenario and demonstrates the multiple use of the <b>include</b> -parameter in IPsec configuration files. At the top level <b>/etc/ipsec.conf</b> -defines the config setup section and includes <b>/etc/ipsec.connections</b> -which in turn includes <b>/etc/ipsec.host</b> and <b>/etc/ipsec.peers/*</b> -thereby showing the use of wildcards in path definitions. diff --git a/testing/tests/ikev1/starter-includes/evaltest.dat b/testing/tests/ikev1/starter-includes/evaltest.dat deleted file mode 100644 index 7de32d681..000000000 --- a/testing/tests/ikev1/starter-includes/evaltest.dat +++ /dev/null @@ -1,16 +0,0 @@ -carol::cat /var/log/auth.log::setting virtual IP source address to 10.3.0.1::YES -carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -dave::cat /var/log/auth.log::setting virtual IP source address to 10.3.0.2::YES -dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES -dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -moon::ipsec status::rw-carol.*STATE_QUICK_R2.*IPsec SA established::YES -moon::ipsec status::rw-dave.*STATE_QUICK_R2.*IPsec SA established::YES -moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES -moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES -moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES -moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES -alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES -alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES -alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES -alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES diff --git a/testing/tests/ikev1/starter-includes/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/starter-includes/hosts/carol/etc/ipsec.conf deleted file mode 100755 index 9c75434c2..000000000 --- a/testing/tests/ikev1/starter-includes/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,29 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - -conn home - left=PH_IP_CAROL - leftsourceip=%modeconfig - leftcert=carolCert.pem - leftid=carol@strongswan.org - leftfirewall=yes - right=PH_IP_MOON - rightsubnet=10.1.0.0/16 - rightid=@moon.strongswan.org - auto=add - - - - diff --git a/testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.conf deleted file mode 100755 index 4e7bfc1b4..000000000 --- a/testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,9 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - -include /etc/ipsec.connections diff --git a/testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.connections b/testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.connections deleted file mode 100644 index bd47f9e09..000000000 --- a/testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.connections +++ /dev/null @@ -1,13 +0,0 @@ -# /etc/ipsec.connections - connection definitions - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - -include /etc/ipsec.host - -include /etc/ipsec.peers/* - diff --git a/testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.host b/testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.host deleted file mode 100755 index acf753cc0..000000000 --- a/testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.host +++ /dev/null @@ -1,11 +0,0 @@ -# /etc/ipsec.host - my host configuration - -conn %default - left=PH_IP_MOON - leftsubnet=10.1.0.0/16 - leftsourceip=PH_IP_MOON1 - leftnexthop=%direct - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftfirewall=yes - diff --git a/testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.peers/ipsec.carol b/testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.peers/ipsec.carol deleted file mode 100644 index 84bedfef6..000000000 --- a/testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.peers/ipsec.carol +++ /dev/null @@ -1,8 +0,0 @@ -# /etc/ipsec.peers/ipsec.carol - connection from carol - -conn rw-carol - right=%any - rightid=carol@strongswan.org - rightsourceip=PH_IP_CAROL1 - auto=add - diff --git a/testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.peers/ipsec.dave b/testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.peers/ipsec.dave deleted file mode 100644 index ee021c9be..000000000 --- a/testing/tests/ikev1/starter-includes/hosts/moon/etc/ipsec.peers/ipsec.dave +++ /dev/null @@ -1,8 +0,0 @@ -# /etc/ipsec.peers/ipsec.dave - connection from dave - -conn rw-dave - right=%any - rightid=dave@strongswan.org - rightsourceip=PH_IP_DAVE1 - auto=add - diff --git a/testing/tests/ikev1/starter-includes/posttest.dat b/testing/tests/ikev1/starter-includes/posttest.dat deleted file mode 100644 index ebf7525ef..000000000 --- a/testing/tests/ikev1/starter-includes/posttest.dat +++ /dev/null @@ -1,10 +0,0 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null -dave::/etc/init.d/iptables stop 2> /dev/null -carol::ip addr del PH_IP_CAROL1/32 dev eth0 -dave::ip addr del PH_IP_DAVE1/32 dev eth0 -moon::rm /etc/ipsec.connections /etc/ipsec.host -moon::rm -r /etc/ipsec.peers diff --git a/testing/tests/ikev1/starter-includes/pretest.dat b/testing/tests/ikev1/starter-includes/pretest.dat deleted file mode 100644 index b034a0c03..000000000 --- a/testing/tests/ikev1/starter-includes/pretest.dat +++ /dev/null @@ -1,11 +0,0 @@ -moon::cat /etc/ipsec.connections /etc/ipsec.host /etc/ipsec.peers/* -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null -dave::/etc/init.d/iptables start 2> /dev/null -carol::ipsec start -dave::ipsec start -moon::ipsec start --debug-all -carol::sleep 2 -carol::ipsec up home -dave::ipsec up home -carol::sleep 1 diff --git a/testing/tests/ikev1/starter-includes/test.conf b/testing/tests/ikev1/starter-includes/test.conf deleted file mode 100644 index 1a8f2a4e0..000000000 --- a/testing/tests/ikev1/starter-includes/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# UML instances used for this test - -# All UML instances that are required for this test -# -UMLHOSTS="alice moon carol winnetou dave" - -# Corresponding block diagram -# -DIAGRAM="a-m-c-w-d.png" - -# UML instances on which tcpdump is to be started -# -TCPDUMPHOSTS="moon alice" - -# UML instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev1/strong-certs/description.txt b/testing/tests/ikev1/strong-certs/description.txt deleted file mode 100644 index 8e6e8b4f9..000000000 --- a/testing/tests/ikev1/strong-certs/description.txt +++ /dev/null @@ -1,6 +0,0 @@ -This is a remote-access scenario with two roadwarriors <b>carol</b> and <b>dave</b> -setting up a connection each to the VPN gateway <b>moon</b>. Authentication is -based on strong X.509 certificates with SHA-2 signatures. -The X.509 certificate of the gateway <b>moon</b> uses a <b>SHA-224</b> hash in -its signature whereas the certificates of the roadwarriors <b>carol</b> -and <b>dave</b> use <b>SHA-384</b> and <b>SHA-512</b>, respectively. diff --git a/testing/tests/ikev1/strong-certs/evaltest.dat b/testing/tests/ikev1/strong-certs/evaltest.dat deleted file mode 100644 index 2fe4de76f..000000000 --- a/testing/tests/ikev1/strong-certs/evaltest.dat +++ /dev/null @@ -1,10 +0,0 @@ -carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES -dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES -moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES -moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES -moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES -moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES - diff --git a/testing/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.conf deleted file mode 100755 index 2a1dad5c6..000000000 --- a/testing/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,24 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug=control - strictcrlpolicy=no - crlcheckinterval=180 - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - -conn home - left=PH_IP_CAROL - leftcert=carolCert-sha384.pem - leftid=carol@strongswan.org - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.d/certs/carolCert-sha384.pem b/testing/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.d/certs/carolCert-sha384.pem deleted file mode 100644 index 929f737c8..000000000 --- a/testing/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.d/certs/carolCert-sha384.pem +++ /dev/null @@ -1,25 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEITCCAwmgAwIBAgIBJTANBgkqhkiG9w0BAQwFADBFMQswCQYDVQQGEwJDSDEZ -MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS -b290IENBMB4XDTExMTAxNzEyNDc1OVoXDTE2MTAxNTEyNDc1OVowWTELMAkGA1UE -BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xEDAOBgNVBAsTB1NIQS0z -ODQxHTAbBgNVBAMUFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMIIBIjANBgkqhkiG9w0B -AQEFAAOCAQ8AMIIBCgKCAQEAuByYUPGv67XSQHjpfFjhuH/l/sMIQGhsFcO4ebYv -7otSsjbH4gasmAOvEFxoIxkOG9IWFAHP1WyiqG3sOsyyfUg6wHl1FTe4Y3kHWZp0 -DvtT6CWnnxQwKibIhXfB3IPHRTcRG1zGN4J3Vl6IofIRlrl0K3NYUUofn0xMKAoS -hLjwuqq2eviX5NIQDOTnoga2C5Ed58hIc6/YWXzfg9EpB194tcCWmSj7yfq6ruD9 -xAh32ywd10fsi4tt3F/BWzXjySxBlBhvvh6kL/Nqa6OSWaXsvZqXmrYm+hm4LKkO -ZLZYzBqJRpRm1rEhYqMg2u0SSSTXsNFuw+027n7Vt8+DzwIDAQABo4IBBjCCAQIw -CQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFPk6ATSleHErWFAYkCZD -BhDo8X1qMG0GA1UdIwRmMGSAFF2n3XAGUTJ+57Zts7Xl4GDqLk3voUmkRzBFMQsw -CQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMS -c3Ryb25nU3dhbiBSb290IENBggEAMB8GA1UdEQQYMBaBFGNhcm9sQHN0cm9uZ3N3 -YW4ub3JnMDkGA1UdHwQyMDAwLqAsoCqGKGh0dHA6Ly9jcmwuc3Ryb25nc3dhbi5v -cmcvc3Ryb25nc3dhbi5jcmwwDQYJKoZIhvcNAQEMBQADggEBAHiE/MMyXJXuMuhw -/lu/UwjCHbbJMA9QrBJe++34OwAV0siM98loVLs23vHXk/52QHRIwZgMLO2FF9Pk -4JkFOvTXCgNPZKrUL28UhHsnJe8EZVOuir5o6yTSti+J/tR4M2YoY67JjW/KeTwU -BVBtBVH88gf/xm2mSlIrkHxG3/GWqyEdeY7BOaft1sFTTZ1gKKXQlARtWidho1mf -5Y1lZ//kOuvMjnk+hEWPWESq8lBzLOmQGBk65vaEH3LVZxSQVJbfG2E0dHgPZNgc -hFOS8Oc6L6AfKlWHAT0ZCR5+1YsxxnlsftHzxiA0ayGCgpn2qcN+OPjfzPCtC80N -6oXDLZM= ------END CERTIFICATE----- diff --git a/testing/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem deleted file mode 100644 index 1c59bcfe5..000000000 --- a/testing/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem +++ /dev/null @@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEpQIBAAKCAQEAuByYUPGv67XSQHjpfFjhuH/l/sMIQGhsFcO4ebYv7otSsjbH -4gasmAOvEFxoIxkOG9IWFAHP1WyiqG3sOsyyfUg6wHl1FTe4Y3kHWZp0DvtT6CWn -nxQwKibIhXfB3IPHRTcRG1zGN4J3Vl6IofIRlrl0K3NYUUofn0xMKAoShLjwuqq2 -eviX5NIQDOTnoga2C5Ed58hIc6/YWXzfg9EpB194tcCWmSj7yfq6ruD9xAh32ywd -10fsi4tt3F/BWzXjySxBlBhvvh6kL/Nqa6OSWaXsvZqXmrYm+hm4LKkOZLZYzBqJ -RpRm1rEhYqMg2u0SSSTXsNFuw+027n7Vt8+DzwIDAQABAoIBAQCMhpbjwXWLLd5r -A18DYDv5PPXpvCdCMfG9swPNMnfnVUQrbpCmPn3iEX2/uShrEaapKXNclf1yY1bL -xAr43mCmK0lcu9fX+A2vLyOjCrbm8IIcwRDt5NTWd3+6D6xSierBM8TE480PdW9s -5v7WzRMLvkWjHIkekrsMNYozTWzRC6MgO99hzalWzKSeHHxlieoG7sN8KQ0hmwO+ -lMR6XDwrEnENbDbX//rbPjD4gdkqwAzCyf2IMNAHefAJUrjll2t1aQNknGwpDaAS -g8Il7iAwIxoP2SrJ89K4Wq4Ifq+tLeX1sjwF0IESi41xNZZ/CrLiJbIPZSyBVRvx -wwzObUPBAoGBAO6Gu2QaUoIZWpIL5TcAbQIGUx4FPKy2FbKWnU6VL9fmw8DGqKC0 -WX/CCSBmYHQyvlozutX4g8PI6YfgbbuPpgt/yJeLO+33PZK2Cps0//0EmEIvZ7ZM -kOV+PRNuDIlKQNCaD8LdAcp0KSUc8vo3BAYArrjd1WZze85tqgAHmKR/AoGBAMWZ -YkyQwBE0+W9P5gmGwuc+q2T3SjpGXjtzyo63K6ra892u49xIklfvNZ3PlgNbTSCo -tTZLfwRu2uRhh2C8ZsjwfdpMAdT0BNCqEXtdp8JBJiNmrvY17NrSJnMginvu26qM -QbsaF2Q1BV7OMZHvjgYrCqgokUGcJY6A0OlftjixAoGBALa3mPbOvyOP/nRgDl86 -wUZKyAL4Kgl3llluzOP0nmi6Cnwy8dvhK6oVXl5mbj603GJGvDnKnE0vK819WzHR -kXW/lk6YRvk8avtm3esVB3+vtF8G52CbeGeEc47dv1av/cSOL8KrAAMxRo96hJqt -6DQc87sDm8RWdKGmGhLZvtFLAoGAA+bJaBWblTtkiWwccKe2hXZZT/8J+iiVh7r7 -juHS/Oah1giz+w97xDy25EzK+3n8Bd8O5OmMsnu12riKQcC2jtUgxwSlLJ080xno -inUI8O70X9KRNc9Ow+tOUwubcGMA91cZnSYgvBvH5V1Q4T7HoRuMdFGIvLDmlO+6 -MEFxiaECgYEAw7GqJYl2q6be56WANWA9ecNenr4+ekHZImpK0vb1bYD2LinfFNNK -9jOHK2tK2jV3DgfUEieItz/uWV3iCJkIfErwu3ZS9qnDBu70OHGpsM1nXRUzZ0Ct -5vOlBr5h6DMrP+ou/95yeraoibqs2kTUrAdkC80Yk5nbEHFDiD6cJcw= ------END RSA PRIVATE KEY----- diff --git a/testing/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.secrets deleted file mode 100644 index fac55d63b..000000000 --- a/testing/tests/ikev1/strong-certs/hosts/carol/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: RSA carolKey.pem diff --git a/testing/tests/ikev1/strong-certs/hosts/dave/etc/ipsec.d/certs/daveCert-sha512.pem b/testing/tests/ikev1/strong-certs/hosts/dave/etc/ipsec.d/certs/daveCert-sha512.pem deleted file mode 100644 index fc769c1c9..000000000 --- a/testing/tests/ikev1/strong-certs/hosts/dave/etc/ipsec.d/certs/daveCert-sha512.pem +++ /dev/null @@ -1,25 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEHzCCAwegAwIBAgIBJjANBgkqhkiG9w0BAQ0FADBFMQswCQYDVQQGEwJDSDEZ -MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS -b290IENBMB4XDTExMTAxNzEyNTAzMFoXDTE2MTAxNTEyNTAzMFowWDELMAkGA1UE -BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xEDAOBgNVBAsTB1NIQS01 -MTIxHDAaBgNVBAMUE2RhdmVAc3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3DQEB -AQUAA4IBDwAwggEKAoIBAQCs5SBCzV3Is/w7CIzfBXRGv6uXwyDivRXXYsczeSRf -5mw/slRVAEtNbX8rQ8BWLIqiJPCLDek5ODkqKI+hArZVpJqMzZyql2Teosrtnokb -h/yA8EWtEr0jII2RxQ0xb8r25h+DwBosAM15B1rCAMmJOjbEMMBGmAb7y7N0K8nr -Z8RctwrRdCGVcg+f+LFrklF1tBLs0zGIrJsk1eB0XbrB+fEPar9Lmn+/q2QHGPCt -aOlR2ZxRsjqsYJW9yI8r33PVVm2aGmS/19UguEG8FC3owud0boHfP91/NvSIWfhP -iIuDPjJOBPEJ/I6OYjYXXQuOZYwFGau2WrpNDQioPgedAgMBAAGjggEFMIIBATAJ -BgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQU5re6olyWAt1HfN2l92Rb -7DDCnxMwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJ -BgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJz -dHJvbmdTd2FuIFJvb3QgQ0GCAQAwHgYDVR0RBBcwFYETZGF2ZUBzdHJvbmdzd2Fu -Lm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3Jn -L3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBDQUAA4IBAQAtRPFMSuEnPmqeC2mF -OE5N26r2p8HfB4FAPwarlg66IIvKvkk1zqn5YfZIXfMU/x5q+85aO31iQmjlAPpo -KXqRq7V0a0ldjXEr+Tz7xG3jno989dBrD3kQZnwXR57xGt1qTVGY7uQdbgXWzVHM -GYS6gjUw7Df9vAQcTfUxUpZc5wlDoiRrFkyPc1raFCZF3//Ig9agjO4r1SzPHYw7 -LrHJR1xkd0IWVTW8Z6xB14j452IiimhyK1zAR3zmh1vH9VuHDLHMhyjSl1R+gk5U -KzDPaqXd4NA7eIQNiAhysYTXfmUYytbFNZw9bamxTxlCmca1snuTIcFM5OYOfxRT -iKMh ------END CERTIFICATE----- diff --git a/testing/tests/ikev1/strong-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/ikev1/strong-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem deleted file mode 100644 index 900f73bac..000000000 --- a/testing/tests/ikev1/strong-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem +++ /dev/null @@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEogIBAAKCAQEArOUgQs1dyLP8OwiM3wV0Rr+rl8Mg4r0V12LHM3kkX+ZsP7JU -VQBLTW1/K0PAViyKoiTwiw3pOTg5KiiPoQK2VaSajM2cqpdk3qLK7Z6JG4f8gPBF -rRK9IyCNkcUNMW/K9uYfg8AaLADNeQdawgDJiTo2xDDARpgG+8uzdCvJ62fEXLcK -0XQhlXIPn/ixa5JRdbQS7NMxiKybJNXgdF26wfnxD2q/S5p/v6tkBxjwrWjpUdmc -UbI6rGCVvciPK99z1VZtmhpkv9fVILhBvBQt6MLndG6B3z/dfzb0iFn4T4iLgz4y -TgTxCfyOjmI2F10LjmWMBRmrtlq6TQ0IqD4HnQIDAQABAoIBAG0+sa3EGdgxcdTT -SD+7MIdroL7Z+rOKCnz32yp5BzTZYdi1k3fKIcqgv1PVEXjh2A8wDBWxCoavMd+j -lW2FSzS+NzF00eMwmfnbHyIZpESTHkdSipQbXQsPDKTov7dXDgYHzi3vehoHv80T -ipM+8BkXgXdh3nw8n10GjzN+X62v73pQxXooC2JrsxKPubB9NkX8UtcYddrmMQpr -xOixBsk3VwkIh+3CatBPKJH/Ryk/U9rMU7F7KlAi+xHj3UF3iAvUwYVaJWAeWfci -KP07cFxsar8Vgf2IK+sbZP6LPky1oiYq+VkIrgX6UPtyyrS60Bf7OFIy5I0Hmm8K -b0rChbkCgYEA2B1IVtBmNBt/rCwqWgRLf4vW86JGgKAOx15hucPdA1NAHygNLdZC -bcM6OkP1PEp1mpA0mDgYQQdggzsWKYuJjtf8MN9sZwi6SrRI2Y3OCy7SFLsyDNkz -xkWo6b5/WGH+cEzVRVkD0RU97xjXudXzcwm1PA5goRcGNg1zdvOi0XsCgYEAzM3d -tbq3txVh5EK3IeCsvtQGY4IFADdjaC2wgTeOlHo/nGoCB8TuFMN32MHqlmAdspJQ -PojDKVZhhOknJQpBI1iYVYTJTIwtJM5CeY5gwhnrPVru4LJaa8zXTJdIeZ++nJFR -Dawt5rsJ+f2yTzQWPm2Ywbril8KBVwqD4V9uQ8cCgYBk/foqJ6U7QIZ/TPxVqKAn -cI/4tqK/xQxi+qYsi20i+qqCZNMT0oakiJETXWKi1CD1I+KQJ9advPbLHLeUnpKf -4CsII8CivZ9g/bL1h6D79NtTuM8A1het1ivDX7Re9xxSGnWnvJtd/9E7hJ57R5JG -9ghtkkJxxTKv28VTlzNFNQKBgDuQ4Jv7a3V3ZZpTARp8UyHJXvZQGY4/jcz+BOkA -NJrgl2Gxv1dtImWtmEzV0Znc6KZIQch+VGzQb9qNSVJPkjRqjxvIXBfEaVjcGJ9s -Fp49lZqpuPJnTT8vO6tOEMk2+eRlq3JTkqIZ4kPwUo0QtCuCCrzF0yOaca3UJBlH -fTV/AoGAElXK1jYXzxJLTik9TW3Jl9w45GP572HAYVBc+gpCtvxVvr9V8qsiDST2 -hovbkEcG6o+rCAgHnzdCxpK0Avnb8yyu4yvBGTWowoBqF9Nyv2aZts83gRxEapZC -Mc8u9QuIB0QCea13jgWWkkMLr9lt7kmVjR+Nch4lcF4RVqagEEE= ------END RSA PRIVATE KEY----- diff --git a/testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.conf deleted file mode 100755 index 98d9a8749..000000000 --- a/testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,23 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug=control - strictcrlpolicy=no - crlcheckinterval=180 - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - -conn rw - left=PH_IP_MOON - leftcert=moonCert-sha224.pem - leftid=@moon.strongswan.org - leftsubnet=10.1.0.0/16 - leftfirewall=yes - right=%any - auto=add diff --git a/testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.d/certs/moonCert-sha224.pem b/testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.d/certs/moonCert-sha224.pem deleted file mode 100644 index bda4f528e..000000000 --- a/testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.d/certs/moonCert-sha224.pem +++ /dev/null @@ -1,25 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIENDCCAxygAwIBAgIBJDANBgkqhkiG9w0BAQ4FADBFMQswCQYDVQQGEwJDSDEZ -MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS -b290IENBMB4XDTExMTAxNzEyNDUwN1oXDTE2MTAxNTEyNDUwN1owWDELMAkGA1UE -BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xEDAOBgNVBAsTB1NIQS0y -MjQxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3DQEB -AQUAA4IBDwAwggEKAoIBAQDEPYW1tmcbkgNMcnOHXAKHlgL2k7r1+rVWJ/8NF9vI -7MpQ8qomHPV3G00CYSQsCDgBVvK71pasiz+dsYdHAY28ihb2m/lsaSquwsb0Fexj -hJiqaohcLJk0MjTDUdArh6iddvDAYMDkfApM49TaXNxdz0sffV5KOIH0hrQe0wsw -P2p/SHTATNh3ebTLr8Y7dMKecxFrKQswZc+d7gvIftZXRvjsUprc77dDURGByPw3 -N+/23chuDXNNaxMylWQhmiTUne8tIyg0vtur3do5Dq1IqQKqvxSfBjRL6ZJU0/6l -KuhChV0cSVd2H2zzovuke5XzHzUsoESWXWYK9qIEj2HRAgMBAAGjggEaMIIBFjAJ -BgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQUT4FJonJgeZBpFHc8iosc -WWM+mPswbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJ -BgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJz -dHJvbmdTd2FuIFJvb3QgQ0GCAQAwHgYDVR0RBBcwFYITbW9vbi5zdHJvbmdzd2Fu -Lm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATA5BgNVHR8EMjAwMC6gLKAqhihodHRw -Oi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEB -DgUAA4IBAQA60WN0QwQuFVYg/C156POjKENZP9CGF8NyiC/NUYqgbIrGGTTpwTxs -pW/+YDG1tVtCkqtLGsO0uZRe8Ihs3afNsPMNlCiTCPgrs5erc4ZTv5MB7Ap2lyL5 -NSQ9SggICbQhkHQHP6TINtas9+FrAw10jWIa107DYLLC7Ea77Y5vryL6/ymrpwdL -Vwm9kAkGYvm0lmzw6YfzPskKc3MpWnjBTraPG42Z8oWTEDJnBtS761k60lNwndKC -JdRUxoOOegzsKIIzorRz9xCN2zA2CAeChqHMbBpNCRwl0dQ00ztXReONl97iNgw6 -NrdHsqCiH8Q+I2JCxU230Zl6UFKARLo+ ------END CERTIFICATE----- diff --git a/testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem deleted file mode 100644 index 51a33597e..000000000 --- a/testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem +++ /dev/null @@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEpQIBAAKCAQEAxD2FtbZnG5IDTHJzh1wCh5YC9pO69fq1Vif/DRfbyOzKUPKq -Jhz1dxtNAmEkLAg4AVbyu9aWrIs/nbGHRwGNvIoW9pv5bGkqrsLG9BXsY4SYqmqI -XCyZNDI0w1HQK4eonXbwwGDA5HwKTOPU2lzcXc9LH31eSjiB9Ia0HtMLMD9qf0h0 -wEzYd3m0y6/GO3TCnnMRaykLMGXPne4LyH7WV0b47FKa3O+3Q1ERgcj8Nzfv9t3I -bg1zTWsTMpVkIZok1J3vLSMoNL7bq93aOQ6tSKkCqr8UnwY0S+mSVNP+pSroQoVd -HElXdh9s86L7pHuV8x81LKBEll1mCvaiBI9h0QIDAQABAoIBAEnZeTMb9ItslG81 -dwKOfqk1q+HNUIN3GLzWimYL/3sKmUyDNcLoDPwIux9VHT6wzRq79Nb5d3RxZrxa -bbUsAYHdWazun5vLq/Nee26pvW7qHGWtd6lwYytAZZjHdhabk7nGY+2Ru6WAhIPR -DW4rmgZ3lya/kDdQMp+p/ajH9SLvYdo8rc3e2a5pJJitR3iU9rFO8PRSD6is7ldr -FxYDMWv+Latkscpku4fww8X6XlHo3u7usogs5FHjNePeJjNkzdj5X958OmzxN4JJ -jKheFALXJuMYY/9MLWaygkZgWuD1yr8chBtH+kxJLqbv9/pBaQqehEDfGOgfPnQi -OxccUS0CgYEA4VL/hsJvhziqd+MHryrYvPQgHZJf+ksMpRelD/zEJRjAGnyT2hDQ -R1H9jKP689E6lhCire9ag79rkF4lOvVWpM4f1XOPwX9Oap93dRn5PZLCMKfmnuo7 -RSC3qsGRdzIB0j0e9XQXW3tzoSVJtASd0X7qMTujaWQef7hNPW/To9MCgYEA3vTk -YQGARsJIjvF1xu7ut1NC1GyQbvDShylmrOBPTBRgzIEjWnifDH79BAXr9yTigqR/ -qHZhWC0bPPY2x6iFi4dTa30vNGqP61GU4HouQDZ/Lf7TXL7pTHRSihL3x9f2nIu+ -nyEhfrYomt0M960OHS5izXP/27vXItLTazshMUsCgYEAn3lOwOH8bYf9nrxgQ+nf -XFysHkHrDArx+Caz/Iy5hkfuLtDdFAmyX8f33AJzKv16qZs8iD5Poc9pIdSAJSpf -GGWKwlf39stThMM4mPi5HoswRZ+P6gl9yX9OftxhSCtsfpAjyTVREr5dKEBr2a0q -xYs91XqQPZdOvraCdGkhMWECgYEAiQFTlYimmtSoYa5fAW+xoVW4q3BLEOFLfWMj -hPgRwl6DXSe94cpdcgBW2jIJXkV8K2uKRqr4BocxRbTG1MnpxmPSDytN5pfU+HWZ -Vpe99BeI72q31zY5hpG0ZsRhHpzHHkuBR6fEPWkSapeLcGcXVTc736R4hT5YZT3I -TQx4ySECgYEArIxFy2zEbQH8znJoRwshSSanGovSCRxpoP+j5WHlccMQAjDhoFMg -KLCXbbnNyM4qlvwHG4Z27Fgexvk5dPHYnQlW9A4YP4o6SFf6RnxW1ZdR/Kc4aY/6 -rXxt+Q0rf4qRKbTh90yDnc2YQj11g9BgvFliIM2GOTq8NUtjQVRgNm4= ------END RSA PRIVATE KEY----- diff --git a/testing/tests/ikev1/strong-certs/posttest.dat b/testing/tests/ikev1/strong-certs/posttest.dat deleted file mode 100644 index fc0fbeb38..000000000 --- a/testing/tests/ikev1/strong-certs/posttest.dat +++ /dev/null @@ -1,12 +0,0 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null -dave::/etc/init.d/iptables stop 2> /dev/null -moon::rm /etc/ipsec.d/private/* -carol::rm /etc/ipsec.d/private/* -dave::rm /etc/ipsec.d/private/* -moon::rm /etc/ipsec.d/certs/* -carol::rm /etc/ipsec.d/certs/* -dave::rm /etc/ipsec.d/certs/* diff --git a/testing/tests/ikev1/strong-certs/pretest.dat b/testing/tests/ikev1/strong-certs/pretest.dat deleted file mode 100644 index de51ccdfa..000000000 --- a/testing/tests/ikev1/strong-certs/pretest.dat +++ /dev/null @@ -1,10 +0,0 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null -dave::/etc/init.d/iptables start 2> /dev/null -moon::ipsec start -carol::ipsec start -dave::ipsec start -carol::sleep 1 -carol::ipsec up home -dave::ipsec up home -carol::sleep 1 diff --git a/testing/tests/ikev1/strong-certs/test.conf b/testing/tests/ikev1/strong-certs/test.conf deleted file mode 100644 index 70416826e..000000000 --- a/testing/tests/ikev1/strong-certs/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# UML instances used for this test - -# All UML instances that are required for this test -# -UMLHOSTS="alice moon carol winnetou dave" - -# Corresponding block diagram -# -DIAGRAM="a-m-c-w-d.png" - -# UML instances on which tcpdump is to be started -# -TCPDUMPHOSTS="moon" - -# UML instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev1/virtual-ip-swapped/description.txt b/testing/tests/ikev1/virtual-ip-swapped/description.txt deleted file mode 100644 index 230906c5d..000000000 --- a/testing/tests/ikev1/virtual-ip-swapped/description.txt +++ /dev/null @@ -1,3 +0,0 @@ -Same scenario as test <a href="../virtual-ip/"><b>virtual-ip</b></a> but with -swapped end definitions: <b>right</b> denotes the <b>local</b> side whereas -<b>left</b> stands for the <b>remote</b> peer. diff --git a/testing/tests/ikev1/virtual-ip-swapped/evaltest.dat b/testing/tests/ikev1/virtual-ip-swapped/evaltest.dat deleted file mode 100644 index 23e109838..000000000 --- a/testing/tests/ikev1/virtual-ip-swapped/evaltest.dat +++ /dev/null @@ -1,9 +0,0 @@ -carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES -moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES -moon::ping -c 1 PH_IP_CAROL1::64 bytes from PH_IP_CAROL1: icmp_seq=1::YES -moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES -moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES -alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES -alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES diff --git a/testing/tests/ikev1/virtual-ip-swapped/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/virtual-ip-swapped/hosts/carol/etc/ipsec.conf deleted file mode 100755 index 4dfa345f4..000000000 --- a/testing/tests/ikev1/virtual-ip-swapped/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,29 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - -conn home - right=PH_IP_CAROL - rightsourceip=PH_IP_CAROL1 - rightcert=carolCert.pem - rightid=carol@strongswan.org - rightfirewall=yes - left=PH_IP_MOON - leftsubnet=10.1.0.0/16 - leftid=@moon.strongswan.org - auto=add - - - - diff --git a/testing/tests/ikev1/virtual-ip-swapped/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/virtual-ip-swapped/hosts/moon/etc/ipsec.conf deleted file mode 100755 index b65d7a690..000000000 --- a/testing/tests/ikev1/virtual-ip-swapped/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,25 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - -conn rw - right=PH_IP_MOON - rightsourceip=PH_IP_MOON1 - rightcert=moonCert.pem - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - rightfirewall=yes - leftsubnetwithin=10.3.0.0/16 - left=%any - auto=add diff --git a/testing/tests/ikev1/virtual-ip-swapped/posttest.dat b/testing/tests/ikev1/virtual-ip-swapped/posttest.dat deleted file mode 100644 index 2116e86e0..000000000 --- a/testing/tests/ikev1/virtual-ip-swapped/posttest.dat +++ /dev/null @@ -1,5 +0,0 @@ -moon::ipsec stop -carol::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null -carol::ip addr del PH_IP_CAROL1/32 dev eth0 diff --git a/testing/tests/ikev1/virtual-ip-swapped/pretest.dat b/testing/tests/ikev1/virtual-ip-swapped/pretest.dat deleted file mode 100644 index 4fe0ee90b..000000000 --- a/testing/tests/ikev1/virtual-ip-swapped/pretest.dat +++ /dev/null @@ -1,6 +0,0 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null -carol::ipsec start -moon::ipsec start -carol::sleep 2 -carol::ipsec up home diff --git a/testing/tests/ikev1/virtual-ip-swapped/test.conf b/testing/tests/ikev1/virtual-ip-swapped/test.conf deleted file mode 100644 index f106524e2..000000000 --- a/testing/tests/ikev1/virtual-ip-swapped/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# UML instances used for this test - -# All UML instances that are required for this test -# -UMLHOSTS="alice moon carol winnetou" - -# Corresponding block diagram -# -DIAGRAM="a-m-c-w.png" - -# UML instances on which tcpdump is to be started -# -TCPDUMPHOSTS="moon alice" - -# UML instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev1/virtual-ip/description.txt b/testing/tests/ikev1/virtual-ip/description.txt index 4ec6021ea..c16b70b70 100644 --- a/testing/tests/ikev1/virtual-ip/description.txt +++ b/testing/tests/ikev1/virtual-ip/description.txt @@ -1,8 +1,14 @@ -The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>. Both <b>carol</b> -and <b>moon</b> define a static virtual IP using the <b>leftsourceip</b> parameter. -<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass -the tunneled traffic. In order to test the tunnel, <b>carol</b> pings the client <b>alice</b> -behind the gateway <b>moon</b> as well as the inner interface of the gateway. The source IP -of the two pings will be the virtual IP <b>carol1</b>. Also thanks to its virtual IP <b>moon1</b> -the gateway <b>moon</b> is able to ping <b>carol1</b> by using the existing subnet-subnet IPsec -tunnel. +The roadwarriors <b>carol</b> and <b>dave</b> both set up a connection to gateway <b>moon</b>. +The roadwarriors each unilaterally define a static virtual IP using the <b>leftsourceip</b> +parameter. In order to detect potential address conflicts, the roadwarriors send +their virtual IPs embedded in an IKEv1 Mode Config payload to <b>moon</b> for verification. +In our scenario <b>moon</b> accepts the address choices thus allowing <b>carol</b> and +<b>dave</b> to install their respective virtual IP addresses. +<p> +In order to test the tunnels both <b>carol</b> and <b>dave</b> ping the client <b>alice</b> +behind the gateway <b>moon</b> as well as the inner interface of the gateway. +The latter ping requires access to the gateway itself which is granted by the +directive <b>lefthostaccess=yes</b>. The source IP of the two pings will be the virtual +IP addresses <b>carol1</b> and <b>dave1</b>, respectively. Also thanks to the automatically +configured source route entries, <b>moon</b> is able to ping both roadwarriors by using the +established net-net IPsec tunnels. diff --git a/testing/tests/ikev1/virtual-ip/evaltest.dat b/testing/tests/ikev1/virtual-ip/evaltest.dat index 23e109838..0f5df71d7 100644 --- a/testing/tests/ikev1/virtual-ip/evaltest.dat +++ b/testing/tests/ikev1/virtual-ip/evaltest.dat @@ -1,9 +1,31 @@ -carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES -moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES -moon::ping -c 1 PH_IP_CAROL1::64 bytes from PH_IP_CAROL1: icmp_seq=1::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES +moon:: cat /var/log/daemon.log::peer requested virtual IP PH_IP_CAROL1::YES +moon:: cat /var/log/daemon.log::peer requested virtual IP PH_IP_DAVE1::YES +moon:: cat /var/log/daemon.log::assigning virtual IP PH_IP_CAROL1 to peer::YES +moon:: cat /var/log/daemon.log::assigning virtual IP PH_IP_DAVE1 to peer::YES +carol::ip addr list dev eth0::PH_IP_CAROL1::YES +carol::ip route list table 220::src PH_IP_CAROL1::YES +dave:: ip addr list dev eth0::PH_IP_DAVE1::YES +dave:: ip route list table 220::src PH_IP_DAVE1::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES +dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +dave:: ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES +moon:: ping -c 1 PH_IP_CAROL1::64 bytes from PH_IP_CAROL1: icmp_req=1::YES +moon:: ping -c 1 PH_IP_DAVE1::64 bytes from PH_IP_DAVE1: icmp_req=1::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES +alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES +alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES + diff --git a/testing/tests/ikev1/virtual-ip/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/virtual-ip/hosts/carol/etc/ipsec.conf index e0ef16930..862f43606 100755..100644 --- a/testing/tests/ikev1/virtual-ip/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/virtual-ip/hosts/carol/etc/ipsec.conf @@ -1,10 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no conn %default ikelifetime=60m @@ -23,7 +19,3 @@ conn home rightsubnet=10.1.0.0/16 rightid=@moon.strongswan.org auto=add - - - - diff --git a/testing/tests/ikev1/virtual-ip/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/virtual-ip/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..dc937641c --- /dev/null +++ b/testing/tests/ikev1/virtual-ip/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ikev1/virtual-ip/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/virtual-ip/hosts/dave/etc/ipsec.conf new file mode 100644 index 000000000..5ba2b347a --- /dev/null +++ b/testing/tests/ikev1/virtual-ip/hosts/dave/etc/ipsec.conf @@ -0,0 +1,21 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + +conn home + left=PH_IP_DAVE + leftsourceip=PH_IP_DAVE1 + leftcert=daveCert.pem + leftid=dave@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ikev1/virtual-ip/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/virtual-ip/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..dc937641c --- /dev/null +++ b/testing/tests/ikev1/virtual-ip/hosts/dave/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ikev1/virtual-ip/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/virtual-ip/hosts/moon/etc/ipsec.conf index 63a8c92b5..4f3fd61f8 100755..100644 --- a/testing/tests/ikev1/virtual-ip/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/virtual-ip/hosts/moon/etc/ipsec.conf @@ -1,10 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no conn %default ikelifetime=60m @@ -15,11 +11,11 @@ conn %default conn rw left=PH_IP_MOON - leftsourceip=PH_IP_MOON1 leftcert=moonCert.pem leftid=@moon.strongswan.org leftsubnet=10.1.0.0/16 leftfirewall=yes - rightsubnetwithin=10.3.0.0/16 + lefthostaccess=yes right=%any + rightsourceip=%config auto=add diff --git a/testing/tests/ikev1/virtual-ip/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/virtual-ip/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..dc937641c --- /dev/null +++ b/testing/tests/ikev1/virtual-ip/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ikev1/virtual-ip/posttest.dat b/testing/tests/ikev1/virtual-ip/posttest.dat index 2116e86e0..1865a1c60 100644 --- a/testing/tests/ikev1/virtual-ip/posttest.dat +++ b/testing/tests/ikev1/virtual-ip/posttest.dat @@ -1,5 +1,6 @@ moon::ipsec stop carol::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null -carol::ip addr del PH_IP_CAROL1/32 dev eth0 +dave::ipsec stop +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev1/virtual-ip/pretest.dat b/testing/tests/ikev1/virtual-ip/pretest.dat index 0b2ae8d2b..1765a83cd 100644 --- a/testing/tests/ikev1/virtual-ip/pretest.dat +++ b/testing/tests/ikev1/virtual-ip/pretest.dat @@ -1,7 +1,9 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules carol::ipsec start +dave::ipsec start moon::ipsec start -carol::sleep 2 +carol::sleep 1 carol::ipsec up home -carol::sleep 1 +dave::ipsec up home diff --git a/testing/tests/ikev1/virtual-ip/test.conf b/testing/tests/ikev1/virtual-ip/test.conf index f106524e2..164b07ff9 100644 --- a/testing/tests/ikev1/virtual-ip/test.conf +++ b/testing/tests/ikev1/virtual-ip/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon carol winnetou" +VIRTHOSTS="alice moon carol winnetou dave" # Corresponding block diagram # -DIAGRAM="a-m-c-w.png" +DIAGRAM="a-m-c-w-d.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon alice" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # -IPSECHOSTS="moon carol" +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev1/wildcards/description.txt b/testing/tests/ikev1/wildcards/description.txt deleted file mode 100644 index e485f7066..000000000 --- a/testing/tests/ikev1/wildcards/description.txt +++ /dev/null @@ -1,8 +0,0 @@ -The VPN gateway <b>moon</b> controls the access to the hosts <b>alice</b> and -<b>venus</b> by means of wildcard parameters that must match the subject -<b>Distinguished Name</b> contained in the peer's X.509 certificate. Access to -<b>alice</b> is granted for DNs containing a OU=Research field whereas <b>venus</b> -can only be reached with a DN containing OU=Accounting. The roadwarriors -<b>carol</b> and <b>dave</b> belong to the departments 'Research' and 'Accounting', -respectively. Therefore <b>carol</b> can access <b>alice</b> and <b>dave</b> -can reach <b>venus</b>. diff --git a/testing/tests/ikev1/wildcards/evaltest.dat b/testing/tests/ikev1/wildcards/evaltest.dat deleted file mode 100644 index cbc94b75a..000000000 --- a/testing/tests/ikev1/wildcards/evaltest.dat +++ /dev/null @@ -1,8 +0,0 @@ -carol::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::YES -moon::ipsec status::alice.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::YES -carol::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::NO -moon::ipsec status::venus.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::NO -dave::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::YES -moon::ipsec status::venus.*PH_IP_DAVE.*STATE_QUICK_R2.*IPsec SA established::YES -dave::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::NO -moon::ipsec status::alice.*PH_IP_DAVE.*STATE_QUICK_R2.*IPsec SA established::NO diff --git a/testing/tests/ikev1/wildcards/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/wildcards/hosts/carol/etc/ipsec.conf deleted file mode 100755 index cf93bb231..000000000 --- a/testing/tests/ikev1/wildcards/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,31 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - left=PH_IP_CAROL - leftcert=carolCert.pem - right=PH_IP_MOON - rightid=@moon.strongswan.org - -conn alice - rightsubnet=PH_IP_ALICE/32 - auto=add - -conn venus - rightsubnet=PH_IP_VENUS/32 - auto=add - - - - - diff --git a/testing/tests/ikev1/wildcards/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/wildcards/hosts/moon/etc/ipsec.conf deleted file mode 100755 index 39b031551..000000000 --- a/testing/tests/ikev1/wildcards/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,29 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - -conn alice - leftsubnet=PH_IP_ALICE/32 - right=%any - rightid="C=CH, O=Linux strongSwan, OU=Research, CN=*" - auto=add - -conn venus - leftsubnet=PH_IP_VENUS/32 - right=%any - rightid="C=CH, O=Linux strongSwan, OU=Accounting, CN=*" - auto=add diff --git a/testing/tests/ikev1/wildcards/posttest.dat b/testing/tests/ikev1/wildcards/posttest.dat deleted file mode 100644 index ed530f6d9..000000000 --- a/testing/tests/ikev1/wildcards/posttest.dat +++ /dev/null @@ -1,3 +0,0 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop diff --git a/testing/tests/ikev1/wildcards/pretest.dat b/testing/tests/ikev1/wildcards/pretest.dat deleted file mode 100644 index 67c50c2ef..000000000 --- a/testing/tests/ikev1/wildcards/pretest.dat +++ /dev/null @@ -1,9 +0,0 @@ -moon::echo 1 > /proc/sys/net/ipv4/ip_forward -carol::ipsec start -dave::ipsec start -moon::ipsec start -carol::sleep 2 -carol::ipsec up alice -carol::ipsec up venus -dave::ipsec up venus -dave::ipsec up alice diff --git a/testing/tests/ikev1/wildcards/test.conf b/testing/tests/ikev1/wildcards/test.conf deleted file mode 100644 index 08e5cc145..000000000 --- a/testing/tests/ikev1/wildcards/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# UML instances used for this test - -# All UML instances that are required for this test -# -UMLHOSTS="alice venus moon carol winnetou dave" - -# Corresponding block diagram -# -DIAGRAM="a-v-m-c-w-d.png" - -# UML instances on which tcpdump is to be started -# -TCPDUMPHOSTS="" - -# UML instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev1/wlan/description.txt b/testing/tests/ikev1/wlan/description.txt deleted file mode 100644 index e018148bd..000000000 --- a/testing/tests/ikev1/wlan/description.txt +++ /dev/null @@ -1,15 +0,0 @@ -The WLAN clients <b>alice</b> and <b>venus</b> secure all their wireless traffic -by setting up an IPsec tunnel to gateway <b>moon</b>. The VPN network mask is -<b>0.0.0.0/0</b>. Traffic with destination outside the protected 10.1.0.0/10 network -is NAT-ed by router <b>moon</b>. The IPsec connections are tested by pings from -<b>alice</b> to <b>venus</b> tunneled via <b>moon</b> and to both the internal -and external interface of gateway <b>moon</b>. Access to the gateway is -set up by <b>lefthostaccess=yes</b> in conjunction with <b>leftfirewall=yes</b>. -At last <b>alice</b> and <b>venus</b> ping the external host <b>sun</b> via the NAT router. -<p> -The host system controls the UML instances <b>alice</b> and <b>carol</b> via -ssh commands sent over the virtual <b>tap1</b> interface. In order to keep up -the control flow in the presence of the all-encompassing 0.0.0.0/0 tunnel -to the gateway <b>moon</b> an auxiliary <b>passthrough</b> eroute restricted -to the ssh port is statically set up by <b>conn system</b>. - diff --git a/testing/tests/ikev1/wlan/evaltest.dat b/testing/tests/ikev1/wlan/evaltest.dat deleted file mode 100644 index 079ac4429..000000000 --- a/testing/tests/ikev1/wlan/evaltest.dat +++ /dev/null @@ -1,11 +0,0 @@ -alice::ipsec status::wlan.*STATE_QUICK_I2.*IPsec SA established::YES -venus::ipsec status::wlan.*STATE_QUICK_I2.*IPsec SA established::YES -moon::ipsec status::alice.*STATE_QUICK_R2.*IPsec SA established::YES -moon::ipsec status::venus.*STATE_QUICK_R2.*IPsec SA established::YES -alice::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES -alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES -alice::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_seq=1::YES -alice::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_seq=1::YES -venus::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_seq=1::YES -moon::tcpdump::ESP::YES -sun::tcpdump::ICMP::YES diff --git a/testing/tests/ikev1/wlan/hosts/alice/etc/init.d/iptables b/testing/tests/ikev1/wlan/hosts/alice/etc/init.d/iptables deleted file mode 100755 index 86a76e2db..000000000 --- a/testing/tests/ikev1/wlan/hosts/alice/etc/init.d/iptables +++ /dev/null @@ -1,73 +0,0 @@ -#!/sbin/runscript -# Copyright 1999-2004 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 - -opts="start stop reload" - -depend() { - before net - need logger -} - -start() { - ebegin "Starting firewall" - - # default policy is DROP - /sbin/iptables -P INPUT DROP - /sbin/iptables -P OUTPUT DROP - /sbin/iptables -P FORWARD DROP - - # allow esp - iptables -A INPUT -i eth0 -p 50 -j ACCEPT - iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT - - # allow IKE - iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT - - # allow crl fetch from winnetou - iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT - iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT - - # allow ssh - iptables -A INPUT -p tcp --dport 22 -j ACCEPT - iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT - - eend $? -} - -stop() { - ebegin "Stopping firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - - if [ $a == nat ]; then - /sbin/iptables -t nat -P PREROUTING ACCEPT - /sbin/iptables -t nat -P POSTROUTING ACCEPT - /sbin/iptables -t nat -P OUTPUT ACCEPT - elif [ $a == mangle ]; then - /sbin/iptables -t mangle -P PREROUTING ACCEPT - /sbin/iptables -t mangle -P INPUT ACCEPT - /sbin/iptables -t mangle -P FORWARD ACCEPT - /sbin/iptables -t mangle -P OUTPUT ACCEPT - /sbin/iptables -t mangle -P POSTROUTING ACCEPT - elif [ $a == filter ]; then - /sbin/iptables -t filter -P INPUT ACCEPT - /sbin/iptables -t filter -P FORWARD ACCEPT - /sbin/iptables -t filter -P OUTPUT ACCEPT - fi - done - eend $? -} - -reload() { - ebegin "Flushing firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - done; - eend $? - start -} - diff --git a/testing/tests/ikev1/wlan/hosts/alice/etc/ipsec.conf b/testing/tests/ikev1/wlan/hosts/alice/etc/ipsec.conf deleted file mode 100755 index e3cf9b15d..000000000 --- a/testing/tests/ikev1/wlan/hosts/alice/etc/ipsec.conf +++ /dev/null @@ -1,35 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - nat_traversal=no - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - -conn system - left=PH_IP_ALICE - leftprotoport=tcp/ssh - authby=never - type=passthrough - right=10.1.0.254 - rightprotoport=tcp - auto=route - -conn wlan - left=PH_IP_ALICE - leftcert=aliceCert.pem - leftid=alice@strongswan.org - leftfirewall=yes - right=PH_IP_MOON1 - rightid=@moon.strongswan.org - rightsubnet=0.0.0.0/0 - auto=add - diff --git a/testing/tests/ikev1/wlan/hosts/moon/etc/init.d/iptables b/testing/tests/ikev1/wlan/hosts/moon/etc/init.d/iptables deleted file mode 100755 index e95ef44c6..000000000 --- a/testing/tests/ikev1/wlan/hosts/moon/etc/init.d/iptables +++ /dev/null @@ -1,82 +0,0 @@ -#!/sbin/runscript -# Copyright 1999-2004 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 - -opts="start stop reload" - -depend() { - before net - need logger -} - -start() { - ebegin "Starting firewall" - - # enable IP forwarding - echo 1 > /proc/sys/net/ipv4/ip_forward - - # default policy is DROP - /sbin/iptables -P INPUT DROP - /sbin/iptables -P OUTPUT DROP - /sbin/iptables -P FORWARD DROP - - # allow esp - iptables -A INPUT -i eth1 -p 50 -j ACCEPT - iptables -A OUTPUT -o eth1 -p 50 -j ACCEPT - - # allow IKE - iptables -A INPUT -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT - iptables -A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT - - # allow crl fetch from winnetou - iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT - iptables -A FORWARD -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT - iptables -A FORWARD -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT - iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT - - # allow ssh - iptables -A INPUT -p tcp --dport 22 -j ACCEPT - iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT - - # enable SNAT - iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p icmp -j SNAT --to-source PH_IP_MOON - iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100 - - eend $? -} - -stop() { - ebegin "Stopping firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - - if [ $a == nat ]; then - /sbin/iptables -t nat -P PREROUTING ACCEPT - /sbin/iptables -t nat -P POSTROUTING ACCEPT - /sbin/iptables -t nat -P OUTPUT ACCEPT - elif [ $a == mangle ]; then - /sbin/iptables -t mangle -P PREROUTING ACCEPT - /sbin/iptables -t mangle -P INPUT ACCEPT - /sbin/iptables -t mangle -P FORWARD ACCEPT - /sbin/iptables -t mangle -P OUTPUT ACCEPT - /sbin/iptables -t mangle -P POSTROUTING ACCEPT - elif [ $a == filter ]; then - /sbin/iptables -t filter -P INPUT ACCEPT - /sbin/iptables -t filter -P FORWARD ACCEPT - /sbin/iptables -t filter -P OUTPUT ACCEPT - fi - done - eend $? -} - -reload() { - ebegin "Flushing firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - done; - eend $? - start -} - diff --git a/testing/tests/ikev1/wlan/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/wlan/hosts/moon/etc/ipsec.conf deleted file mode 100755 index 61ce28e6b..000000000 --- a/testing/tests/ikev1/wlan/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,36 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - nat_traversal=no - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - -conn alice - right=PH_IP_ALICE - rightid=alice@strongswan.org - also=wlan - auto=add - -conn venus - right=PH_IP_VENUS - rightid=@venus.strongswan.org - also=wlan - auto=add - -conn wlan - left=PH_IP_MOON1 - leftsubnet=0.0.0.0/0 - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftfirewall=yes - lefthostaccess=yes - diff --git a/testing/tests/ikev1/wlan/hosts/venus/etc/init.d/iptables b/testing/tests/ikev1/wlan/hosts/venus/etc/init.d/iptables deleted file mode 100755 index 6f95e7576..000000000 --- a/testing/tests/ikev1/wlan/hosts/venus/etc/init.d/iptables +++ /dev/null @@ -1,73 +0,0 @@ -#!/sbin/runscript -# Copyright 1999-2004 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 - -opts="start stop reload" - -depend() { - before net - need logger -} - -start() { - ebegin "Starting firewall" - - # default policy is DROP - /sbin/iptables -P INPUT DROP - /sbin/iptables -P OUTPUT DROP - /sbin/iptables -P FORWARD DROP - - # allow esp - iptables -A INPUT -i eth0 -p 50 -j ACCEPT - iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT - - # allow IKE - iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT - - # allow crl fetch from winnetou - iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT - iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT - - # allow ssh - iptables -A INPUT -p tcp --dport 22 -j ACCEPT - iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT - - eend $? -} - -stop() { - ebegin "Stopping firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - - if [ $a == nat ]; then - /sbin/iptables -t nat -P PREROUTING ACCEPT - /sbin/iptables -t nat -P POSTROUTING ACCEPT - /sbin/iptables -t nat -P OUTPUT ACCEPT - elif [ $a == mangle ]; then - /sbin/iptables -t mangle -P PREROUTING ACCEPT - /sbin/iptables -t mangle -P INPUT ACCEPT - /sbin/iptables -t mangle -P FORWARD ACCEPT - /sbin/iptables -t mangle -P OUTPUT ACCEPT - /sbin/iptables -t mangle -P POSTROUTING ACCEPT - elif [ $a == filter ]; then - /sbin/iptables -t filter -P INPUT ACCEPT - /sbin/iptables -t filter -P FORWARD ACCEPT - /sbin/iptables -t filter -P OUTPUT ACCEPT - fi - done - eend $? -} - -reload() { - ebegin "Flushing firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - done; - eend $? - start -} - diff --git a/testing/tests/ikev1/wlan/hosts/venus/etc/ipsec.conf b/testing/tests/ikev1/wlan/hosts/venus/etc/ipsec.conf deleted file mode 100755 index fa2dc953e..000000000 --- a/testing/tests/ikev1/wlan/hosts/venus/etc/ipsec.conf +++ /dev/null @@ -1,35 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - nat_traversal=no - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - -conn system - left=PH_IP_VENUS - leftprotoport=tcp/ssh - authby=never - type=passthrough - right=10.1.0.254 - rightprotoport=tcp - auto=route - -conn wlan - left=PH_IP_VENUS - leftcert=venusCert.pem - leftid=@venus.strongswan.org - leftfirewall=yes - right=PH_IP_MOON1 - rightid=@moon.strongswan.org - rightsubnet=0.0.0.0/0 - auto=add - diff --git a/testing/tests/ikev1/wlan/posttest.dat b/testing/tests/ikev1/wlan/posttest.dat deleted file mode 100644 index 6bd2379d8..000000000 --- a/testing/tests/ikev1/wlan/posttest.dat +++ /dev/null @@ -1,8 +0,0 @@ -moon::iptables -t nat -v -n -L POSTROUTING -moon::ipsec stop -alice::ipsec stop -venus::ipsec stop -alice::/etc/init.d/iptables stop 2> /dev/null -venus::/etc/init.d/iptables stop 2> /dev/null -moon::/etc/init.d/iptables stop 2> /dev/null -moon::conntrack -F diff --git a/testing/tests/ikev1/wlan/pretest.dat b/testing/tests/ikev1/wlan/pretest.dat deleted file mode 100644 index de4a6ad31..000000000 --- a/testing/tests/ikev1/wlan/pretest.dat +++ /dev/null @@ -1,11 +0,0 @@ -moon::/etc/init.d/iptables start 2> /dev/null -alice::/etc/init.d/iptables start 2> /dev/null -venus::/etc/init.d/iptables start 2> /dev/null -moon::ipsec start -alice::ipsec start -venus::ipsec start -alice::sleep 2 -alice::ipsec up wlan -venus::sleep 2 -venus::ipsec up wlan -venus::sleep 2 diff --git a/testing/tests/ikev1/wlan/test.conf b/testing/tests/ikev1/wlan/test.conf deleted file mode 100644 index b141c4f1b..000000000 --- a/testing/tests/ikev1/wlan/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# UML instances used for this test - -# All UML instances that are required for this test -# -UMLHOSTS="alice venus moon winnetou sun" - -# Corresponding block diagram -# -DIAGRAM="a-v-m-w-s-b.png" - -# UML instances on which tcpdump is to be started -# -TCPDUMPHOSTS="moon:eth1 sun" - -# UML instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="alice venus moon" diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/description.txt b/testing/tests/ikev1/xauth-id-psk-config/description.txt index 191011747..fc417e416 100644 --- a/testing/tests/ikev1/xauth-id-psk-mode-config/description.txt +++ b/testing/tests/ikev1/xauth-id-psk-config/description.txt @@ -2,7 +2,7 @@ The roadwarriors <b>carol</b> and <b>dave</b> set up a connection to gateway <b> The authentication is based on Pre-Shared Keys (<b>PSK</b>) followed by extended authentication (<b>XAUTH</b>) of <b>carol</b> and <b>dave</b> based on user names and passwords. Next <b>carol</b> and <b>dave</b> request a -<b>virtual IP</b> via the IKE Mode Config protocol by using the <b>leftsourceip=%modeconfig</b> +<b>virtual IP</b> via the IKE Mode Config protocol by using the <b>leftsourceip=%config</b> parameter. The virtual IP addresses are registered under the users' XAUTH identity. <p> Upon the successful establishment of the IPsec tunnel, leftfirewall=yes automatically diff --git a/testing/tests/ikev1/xauth-id-psk-config/evaltest.dat b/testing/tests/ikev1/xauth-id-psk-config/evaltest.dat new file mode 100644 index 000000000..cd4ebd8ec --- /dev/null +++ b/testing/tests/ikev1/xauth-id-psk-config/evaltest.dat @@ -0,0 +1,24 @@ +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*\[192.168.0.100].*moon.strongswan.org::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*\[192.168.0.200].*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*\[192.168.0.100]::YES +moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*\[192.168.0.200]::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES +moon:: cat /var/log/daemon.log::XAuth authentication of.*carol.*successful::YES +moon:: cat /var/log/daemon.log::XAuth authentication of.*dave.*successful::YES +moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer.*carol::YES +moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.2 to peer.*dave::YES +carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES +dave:: cat /var/log/daemon.log::installing new virtual IP 10.3.0.2::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES +alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES +alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES +alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES +alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES diff --git a/testing/tests/ikev1/xauth-id-psk/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-psk-config/hosts/carol/etc/ipsec.conf index da1a10513..f557eb961 100644 --- a/testing/tests/ikev1/xauth-id-psk/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/xauth-id-psk-config/hosts/carol/etc/ipsec.conf @@ -1,10 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no conn %default ikelifetime=60m @@ -12,12 +8,17 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev1 - authby=xauthpsk conn home left=PH_IP_CAROL + leftid=PH_IP_CAROL + leftsourceip=%config + leftauth=psk + leftauth2=xauth leftfirewall=yes right=PH_IP_MOON + rightid=@moon.strongswan.org rightsubnet=10.1.0.0/16 + rightauth=psk xauth_identity=carol auto=add diff --git a/testing/tests/ikev1/xauth-id-psk-config/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/xauth-id-psk-config/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..e2cea4e3d --- /dev/null +++ b/testing/tests/ikev1/xauth-id-psk-config/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,9 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +@dave.strongswan.org : PSK 0sqc1FhzwoUSbpjYUSp8I6qUdxDacxLCTq + +@moon.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL + +@sun.strongswan.org : PSK 0sR64pR6y0S5d6d8rNhUIM7aPbdjND4st5 + +carol : XAUTH "4iChxLT3" diff --git a/testing/tests/ikev1/xauth-id-psk-config/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-psk-config/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..1fb5d14b1 --- /dev/null +++ b/testing/tests/ikev1/xauth-id-psk-config/hosts/carol/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = sha1 sha2 md5 aes des hmac gmp random nonce xauth-generic resolve kernel-netlink socket-default stroke updown +} + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/xauth-id-psk-config/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-psk-config/hosts/dave/etc/ipsec.conf new file mode 100644 index 000000000..ea707b50b --- /dev/null +++ b/testing/tests/ikev1/xauth-id-psk-config/hosts/dave/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + +conn home + left=PH_IP_DAVE + leftid=PH_IP_DAVE + leftsourceip=%config + leftauth=psk + leftauth2=xauth + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + rightauth=psk + xauth_identity=dave + auto=add diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev1/xauth-id-psk-config/hosts/dave/etc/ipsec.secrets index 25e8c2796..25e8c2796 100644 --- a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/dave/etc/ipsec.secrets +++ b/testing/tests/ikev1/xauth-id-psk-config/hosts/dave/etc/ipsec.secrets diff --git a/testing/tests/ikev1/xauth-id-psk-config/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-psk-config/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..1fb5d14b1 --- /dev/null +++ b/testing/tests/ikev1/xauth-id-psk-config/hosts/dave/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = sha1 sha2 md5 aes des hmac gmp random nonce xauth-generic resolve kernel-netlink socket-default stroke updown +} + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-psk-config/hosts/moon/etc/ipsec.conf index 452187f11..8b3524219 100644 --- a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/xauth-id-psk-config/hosts/moon/etc/ipsec.conf @@ -1,10 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no conn %default ikelifetime=60m @@ -12,14 +8,15 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev1 - authby=xauthpsk - xauth=server conn rw left=PH_IP_MOON leftid=@moon.strongswan.org leftsubnet=10.1.0.0/16 + leftauth=psk leftfirewall=yes right=%any rightsourceip=10.3.0.0/24 + rightauth=psk + rightauth2=xauth auto=add diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/xauth-id-psk-config/hosts/moon/etc/ipsec.secrets index 20d8e0269..20d8e0269 100644 --- a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/moon/etc/ipsec.secrets +++ b/testing/tests/ikev1/xauth-id-psk-config/hosts/moon/etc/ipsec.secrets diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-psk-config/hosts/moon/etc/strongswan.conf index 089467da4..422538cec 100644 --- a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev1/xauth-id-psk-config/hosts/moon/etc/strongswan.conf @@ -1,13 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file -pluto { - load = sha1 sha2 md5 aes des hmac gmp random xauth attr kernel-netlink +charon { + load = sha1 sha2 md5 aes des hmac gmp random nonce xauth-generic attr kernel-netlink socket-default stroke updown dns1 = 192.168.0.150 dns2 = 10.1.0.20 } -# pluto uses optimized DH exponent sizes (RFC 3526) - libstrongswan { dh_exponent_ansi_x9_42 = no } diff --git a/testing/tests/ikev1/xauth-id-psk-config/posttest.dat b/testing/tests/ikev1/xauth-id-psk-config/posttest.dat new file mode 100644 index 000000000..b757d8b15 --- /dev/null +++ b/testing/tests/ikev1/xauth-id-psk-config/posttest.dat @@ -0,0 +1,6 @@ +carol::ipsec stop +dave::ipsec stop +moon::ipsec stop +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev1/xauth-id-psk/pretest.dat b/testing/tests/ikev1/xauth-id-psk-config/pretest.dat index 95a6be131..88a91ae86 100644 --- a/testing/tests/ikev1/xauth-id-psk/pretest.dat +++ b/testing/tests/ikev1/xauth-id-psk-config/pretest.dat @@ -1,6 +1,6 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null -dave::/etc/init.d/iptables start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules moon::rm /etc/ipsec.d/cacerts/* carol::rm /etc/ipsec.d/cacerts/* dave::rm /etc/ipsec.d/cacerts/* diff --git a/testing/tests/ikev1/xauth-id-psk-config/test.conf b/testing/tests/ikev1/xauth-id-psk-config/test.conf new file mode 100644 index 000000000..9b1ec0b54 --- /dev/null +++ b/testing/tests/ikev1/xauth-id-psk-config/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="alice moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/evaltest.dat b/testing/tests/ikev1/xauth-id-psk-mode-config/evaltest.dat deleted file mode 100644 index 4552cfe61..000000000 --- a/testing/tests/ikev1/xauth-id-psk-mode-config/evaltest.dat +++ /dev/null @@ -1,16 +0,0 @@ -carol::cat /var/log/auth.log::extended authentication was successful::YES -dave::cat /var/log/auth.log::extended authentication was successful::YES -moon::ipsec leases rw 10.3.0.1::carol::YES -moon::ipsec leases rw 10.3.0.2::dave::YES -carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES -dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES -moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES -moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES -moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES -alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES -alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES -alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES -alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/carol/etc/ipsec.conf deleted file mode 100644 index b7402d24b..000000000 --- a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,26 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - authby=xauthpsk - -conn home - left=PH_IP_CAROL - leftid=carol@strongswan.org - leftsourceip=%modeconfig - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - xauth_identity=carol - auto=add diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/carol/etc/ipsec.secrets deleted file mode 100644 index e5adf3e8e..000000000 --- a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/carol/etc/ipsec.secrets +++ /dev/null @@ -1,9 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -carol@strongswan.org @dave.strongswan.org : PSK 0sqc1FhzwoUSbpjYUSp8I6qUdxDacxLCTq - -carol@strongswan.org @moon.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL - -carol@strongswan.org @sun.strongswan.org : PSK 0sR64pR6y0S5d6d8rNhUIM7aPbdjND4st5 - -carol : XAUTH "4iChxLT3" diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/carol/etc/strongswan.conf deleted file mode 100644 index e3f377d18..000000000 --- a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/carol/etc/strongswan.conf +++ /dev/null @@ -1,11 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -pluto { - load = sha1 sha2 md5 aes des hmac gmp random xauth resolve kernel-netlink -} - -# pluto uses optimized DH exponent sizes (RFC 3526) - -libstrongswan { - dh_exponent_ansi_x9_42 = no -} diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/dave/etc/ipsec.conf deleted file mode 100644 index 8f9226dd1..000000000 --- a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/dave/etc/ipsec.conf +++ /dev/null @@ -1,26 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - authby=xauthpsk - -conn home - left=PH_IP_DAVE - leftid=dave@strongswan.org - leftsourceip=%modeconfig - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - xauth_identity=dave - auto=add diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/dave/etc/strongswan.conf deleted file mode 100644 index e3f377d18..000000000 --- a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/dave/etc/strongswan.conf +++ /dev/null @@ -1,11 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -pluto { - load = sha1 sha2 md5 aes des hmac gmp random xauth resolve kernel-netlink -} - -# pluto uses optimized DH exponent sizes (RFC 3526) - -libstrongswan { - dh_exponent_ansi_x9_42 = no -} diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/posttest.dat b/testing/tests/ikev1/xauth-id-psk-mode-config/posttest.dat deleted file mode 100644 index f90d222b5..000000000 --- a/testing/tests/ikev1/xauth-id-psk-mode-config/posttest.dat +++ /dev/null @@ -1,8 +0,0 @@ -carol::ipsec stop -dave::ipsec stop -moon::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null -dave::/etc/init.d/iptables stop 2> /dev/null -carol::ip addr del PH_IP_CAROL1/32 dev eth0 -dave::ip addr del PH_IP_DAVE1/32 dev eth0 diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/test.conf b/testing/tests/ikev1/xauth-id-psk-mode-config/test.conf deleted file mode 100644 index 75510b295..000000000 --- a/testing/tests/ikev1/xauth-id-psk-mode-config/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# UML instances used for this test - -# All UML instances that are required for this test -# -UMLHOSTS="alice moon carol winnetou dave" - -# Corresponding block diagram -# -DIAGRAM="a-m-c-w-d.png" - -# UML instances on which tcpdump is to be started -# -TCPDUMPHOSTS="alice moon" - -# UML instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev1/xauth-id-psk/description.txt b/testing/tests/ikev1/xauth-id-psk/description.txt deleted file mode 100644 index 0ac2043c2..000000000 --- a/testing/tests/ikev1/xauth-id-psk/description.txt +++ /dev/null @@ -1,9 +0,0 @@ -The roadwarriors <b>carol</b> and <b>dave</b> set up a connection to gateway <b>moon</b>. -The authentication is based on Pre-Shared Keys (<b>PSK</b>) -followed by extended authentication (<b>XAUTH</b>) of <b>carol</b> and <b>dave</b> -based on user names and passwords. -<p> -Upon the successful establishment of the IPsec tunnel, leftfirewall=yes automatically -inserts iptables-based firewall rules that let pass the tunneled traffic. -In order to test both tunnel and firewall, <b>carol</b> and <b>dave</b> ping the client -<b>alice</b> behind the gateway <b>moon</b>. diff --git a/testing/tests/ikev1/xauth-id-psk/evaltest.dat b/testing/tests/ikev1/xauth-id-psk/evaltest.dat deleted file mode 100644 index b019f8d76..000000000 --- a/testing/tests/ikev1/xauth-id-psk/evaltest.dat +++ /dev/null @@ -1,14 +0,0 @@ -carol::cat /var/log/auth.log::extended authentication was successful::YES -dave::cat /var/log/auth.log::extended authentication was successful::YES -moon::cat /var/log/auth.log::xauth user name is .*carol::YES -moon::cat /var/log/auth.log::xauth user name is .*dave::YES -moon::cat /var/log/auth.log::extended authentication was successful::YES -carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES -dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES -moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES -moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES -moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES -moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES diff --git a/testing/tests/ikev1/xauth-id-psk/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/xauth-id-psk/hosts/carol/etc/ipsec.secrets deleted file mode 100644 index 7a272a371..000000000 --- a/testing/tests/ikev1/xauth-id-psk/hosts/carol/etc/ipsec.secrets +++ /dev/null @@ -1,5 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL - -carol : XAUTH "4iChxLT3" diff --git a/testing/tests/ikev1/xauth-id-psk/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-psk/hosts/carol/etc/strongswan.conf deleted file mode 100644 index c9eb0bc97..000000000 --- a/testing/tests/ikev1/xauth-id-psk/hosts/carol/etc/strongswan.conf +++ /dev/null @@ -1,11 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -pluto { - load = sha1 sha2 md5 aes des hmac gmp random xauth kernel-netlink -} - -# pluto uses optimized DH exponent sizes (RFC 3526) - -libstrongswan { - dh_exponent_ansi_x9_42 = no -} diff --git a/testing/tests/ikev1/xauth-id-psk/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev1/xauth-id-psk/hosts/dave/etc/ipsec.secrets deleted file mode 100644 index 25e8c2796..000000000 --- a/testing/tests/ikev1/xauth-id-psk/hosts/dave/etc/ipsec.secrets +++ /dev/null @@ -1,5 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL - -dave : XAUTH "ryftzG4A" diff --git a/testing/tests/ikev1/xauth-id-psk/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-psk/hosts/dave/etc/strongswan.conf deleted file mode 100644 index c9eb0bc97..000000000 --- a/testing/tests/ikev1/xauth-id-psk/hosts/dave/etc/strongswan.conf +++ /dev/null @@ -1,11 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -pluto { - load = sha1 sha2 md5 aes des hmac gmp random xauth kernel-netlink -} - -# pluto uses optimized DH exponent sizes (RFC 3526) - -libstrongswan { - dh_exponent_ansi_x9_42 = no -} diff --git a/testing/tests/ikev1/xauth-id-psk/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-psk/hosts/moon/etc/ipsec.conf deleted file mode 100644 index 850ea561b..000000000 --- a/testing/tests/ikev1/xauth-id-psk/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,23 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - authby=xauthpsk - xauth=server - -conn rw - left=PH_IP_MOON - leftsubnet=10.1.0.0/16 - leftfirewall=yes - right=%any - auto=add diff --git a/testing/tests/ikev1/xauth-id-psk/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/xauth-id-psk/hosts/moon/etc/ipsec.secrets deleted file mode 100644 index 3f86fa594..000000000 --- a/testing/tests/ikev1/xauth-id-psk/hosts/moon/etc/ipsec.secrets +++ /dev/null @@ -1,7 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -PH_IP_MOON %any : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL - -carol : XAUTH "4iChxLT3" - -dave : XAUTH "ryftzG4A" diff --git a/testing/tests/ikev1/xauth-id-psk/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-psk/hosts/moon/etc/strongswan.conf deleted file mode 100644 index c9eb0bc97..000000000 --- a/testing/tests/ikev1/xauth-id-psk/hosts/moon/etc/strongswan.conf +++ /dev/null @@ -1,11 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -pluto { - load = sha1 sha2 md5 aes des hmac gmp random xauth kernel-netlink -} - -# pluto uses optimized DH exponent sizes (RFC 3526) - -libstrongswan { - dh_exponent_ansi_x9_42 = no -} diff --git a/testing/tests/ikev1/xauth-id-psk/posttest.dat b/testing/tests/ikev1/xauth-id-psk/posttest.dat deleted file mode 100644 index 7cebd7f25..000000000 --- a/testing/tests/ikev1/xauth-id-psk/posttest.dat +++ /dev/null @@ -1,6 +0,0 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null -dave::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev1/xauth-id-psk/test.conf b/testing/tests/ikev1/xauth-id-psk/test.conf deleted file mode 100644 index 70416826e..000000000 --- a/testing/tests/ikev1/xauth-id-psk/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# UML instances used for this test - -# All UML instances that are required for this test -# -UMLHOSTS="alice moon carol winnetou dave" - -# Corresponding block diagram -# -DIAGRAM="a-m-c-w-d.png" - -# UML instances on which tcpdump is to be started -# -TCPDUMPHOSTS="moon" - -# UML instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev1/xauth-id-rsa/description.txt b/testing/tests/ikev1/xauth-id-rsa-aggressive/description.txt index 9483c8f39..90209c266 100644 --- a/testing/tests/ikev1/xauth-id-rsa/description.txt +++ b/testing/tests/ikev1/xauth-id-rsa-aggressive/description.txt @@ -1,4 +1,5 @@ -The roadwarriors <b>carol</b> and <b>dave</b> set up a connection to gateway <b>moon</b>. +The roadwarriors <b>carol</b> and <b>dave</b> set up a connection to gateway <b>moon</b> +using <b>IKEv1 Aggressive Mode</b>. The authentication is based on RSA signatures (<b>RSASIG</b>) using X.509 certificates followed by extended authentication (<b>XAUTH</b>) of <b>carol</b> and <b>dave</b> based on user names defined by the <b>xauth_identity</b> parameter (<b>carol</b> and <b>dave</b>, diff --git a/testing/tests/ikev1/xauth-id-rsa-aggressive/evaltest.dat b/testing/tests/ikev1/xauth-id-rsa-aggressive/evaltest.dat new file mode 100644 index 000000000..34c124c95 --- /dev/null +++ b/testing/tests/ikev1/xauth-id-rsa-aggressive/evaltest.dat @@ -0,0 +1,16 @@ +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave.strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES +moon:: cat /var/log/daemon.log::XAuth authentication of.*carol.*successful::YES +moon:: cat /var/log/daemon.log::XAuth authentication of.*dave.*successful::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES diff --git a/testing/tests/ikev1/xauth-id-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/carol/etc/ipsec.conf index be62c2b8f..09308efad 100644 --- a/testing/tests/ikev1/xauth-id-rsa/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/carol/etc/ipsec.conf @@ -1,10 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no conn %default ikelifetime=60m @@ -12,15 +8,18 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev1 - authby=xauthrsasig + aggressive=yes conn home left=PH_IP_CAROL leftcert=carolCert.pem leftid=carol@strongswan.org + leftauth=pubkey + leftauth2=xauth leftfirewall=yes right=PH_IP_MOON rightsubnet=10.1.0.0/16 rightid=@moon.strongswan.org + rightauth=pubkey xauth_identity=carol auto=add diff --git a/testing/tests/ikev1/xauth-id-rsa/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/carol/etc/ipsec.secrets index 29492b5f9..29492b5f9 100644 --- a/testing/tests/ikev1/xauth-id-rsa/hosts/carol/etc/ipsec.secrets +++ b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/carol/etc/ipsec.secrets diff --git a/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..5cd9bf11e --- /dev/null +++ b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/carol/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke +} + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/xauth-id-rsa/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/dave/etc/ipsec.conf index c09fb3c2c..8cc9f68dc 100644 --- a/testing/tests/ikev1/xauth-id-rsa/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/dave/etc/ipsec.conf @@ -1,10 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no conn %default ikelifetime=60m @@ -12,15 +8,18 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev1 - authby=xauthrsasig + aggressive=yes conn home left=PH_IP_DAVE leftcert=daveCert.pem leftid=dave@strongswan.org + leftauth=pubkey + leftauth2=xauth leftfirewall=yes right=PH_IP_MOON rightsubnet=10.1.0.0/16 rightid=@moon.strongswan.org + rightauth=pubkey xauth_identity=dave auto=add diff --git a/testing/tests/ikev1/xauth-id-rsa/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/dave/etc/ipsec.secrets index 8cf7db530..8cf7db530 100644 --- a/testing/tests/ikev1/xauth-id-rsa/hosts/dave/etc/ipsec.secrets +++ b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/dave/etc/ipsec.secrets diff --git a/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..5cd9bf11e --- /dev/null +++ b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/dave/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke +} + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/moon/etc/ipsec.conf index 02270e004..2a27145c8 100755..100644 --- a/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/moon/etc/ipsec.conf @@ -1,8 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug=control - charonstart=no conn %default ikelifetime=60m @@ -10,17 +8,16 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev1 + aggressive=yes + +conn rw left=PH_IP_MOON + leftcert=moonCert.pem leftid=@moon.strongswan.org leftsubnet=10.1.0.0/16 + leftauth=pubkey leftfirewall=yes right=%any - -conn rw-rsasig - authby=rsasig - leftcert=moonCert.pem - auto=add - -conn rw-psk - authby=secret + rightauth=pubkey + rightauth2=xauth auto=add diff --git a/testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/moon/etc/ipsec.secrets index 2586f5f39..bd9b0dbfb 100644 --- a/testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/ipsec.secrets +++ b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/moon/etc/ipsec.secrets @@ -2,4 +2,6 @@ : RSA moonKey.pem -carol@strongswan.org : XAUTH "4iChxLT3" +carol : XAUTH "4iChxLT3" + +dave : XAUTH "ryftzG4A" diff --git a/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..5cd9bf11e --- /dev/null +++ b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/moon/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke +} + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/xauth-id-rsa-aggressive/posttest.dat b/testing/tests/ikev1/xauth-id-rsa-aggressive/posttest.dat new file mode 100644 index 000000000..1865a1c60 --- /dev/null +++ b/testing/tests/ikev1/xauth-id-rsa-aggressive/posttest.dat @@ -0,0 +1,6 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev1/xauth-id-rsa-aggressive/pretest.dat b/testing/tests/ikev1/xauth-id-rsa-aggressive/pretest.dat new file mode 100644 index 000000000..e5a06d44c --- /dev/null +++ b/testing/tests/ikev1/xauth-id-rsa-aggressive/pretest.dat @@ -0,0 +1,9 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules +moon::ipsec start +carol::ipsec start +dave::ipsec start +carol::sleep 2 +carol::ipsec up home +dave::ipsec up home diff --git a/testing/tests/ikev1/xauth-id-rsa-aggressive/test.conf b/testing/tests/ikev1/xauth-id-rsa-aggressive/test.conf new file mode 100644 index 000000000..f29298850 --- /dev/null +++ b/testing/tests/ikev1/xauth-id-rsa-aggressive/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/description.txt b/testing/tests/ikev1/xauth-id-rsa-config/description.txt index aa2b31542..feb154d49 100644 --- a/testing/tests/ikev1/xauth-rsa-mode-config/description.txt +++ b/testing/tests/ikev1/xauth-id-rsa-config/description.txt @@ -1,9 +1,10 @@ The roadwarriors <b>carol</b> and <b>dave</b> set up a connection to gateway <b>moon</b>. The authentication is based on RSA signatures (<b>RSASIG</b>) using X.509 certificates followed by extended authentication (<b>XAUTH</b>) of <b>carol</b> and <b>dave</b> -based on user names and passwords. Next both <b>carol</b> and <b>dave</b> request a -<b>virtual IP</b> via the IKE Mode Config protocol by using the -<b>leftsourceip=%modeconfig</b> parameter. +based on user names defined by the <b>xauth_identity</b> parameter (<b>carol</b> and <b>dave</b>, +respectively) and corresponding user passwords defined and stored in ipsec.secrets. +Next both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKE Mode Config +protocol by using the <b>leftsourceip=%config</b> parameter. <p> Upon the successful establishment of the IPsec tunnel, leftfirewall=yes automatically inserts iptables-based firewall rules that let pass the tunneled traffic. diff --git a/testing/tests/ikev1/xauth-id-rsa-config/evaltest.dat b/testing/tests/ikev1/xauth-id-rsa-config/evaltest.dat new file mode 100644 index 000000000..7604a1527 --- /dev/null +++ b/testing/tests/ikev1/xauth-id-rsa-config/evaltest.dat @@ -0,0 +1,20 @@ +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw-carol.*ESTABLISHED.*moon.strongswan.org.*carol.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw-dave.*ESTABLISHED.*moon.strongswan.org.*dave.strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw-carol.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw-dave.*INSTALLED, TUNNEL::YES +moon:: cat /var/log/daemon.log::XAuth authentication of.*carol.*successful::YES +moon:: cat /var/log/daemon.log::XAuth authentication of.*dave.*successful::YES +moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer.*carol::YES +moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.2 to peer.*dave::YES +carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES +dave:: cat /var/log/daemon.log::installing new virtual IP 10.3.0.2::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES diff --git a/testing/tests/ikev1/ip-pool-db-push/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-rsa-config/hosts/carol/etc/ipsec.conf index 5e7cc89a7..ddb043278 100755..100644 --- a/testing/tests/ikev1/ip-pool-db-push/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/xauth-id-rsa-config/hosts/carol/etc/ipsec.conf @@ -1,10 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - plutodebug=control conn %default ikelifetime=60m @@ -12,15 +8,18 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev1 - modeconfig=push conn home left=PH_IP_CAROL leftsourceip=%config leftcert=carolCert.pem leftid=carol@strongswan.org + leftauth=pubkey + leftauth2=xauth leftfirewall=yes + xauth_identity=carol right=PH_IP_MOON rightsubnet=10.1.0.0/16 rightid=@moon.strongswan.org + rightauth=pubkey auto=add diff --git a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/xauth-id-rsa-config/hosts/carol/etc/ipsec.secrets index 6a2aea811..29492b5f9 100644 --- a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/ipsec.secrets +++ b/testing/tests/ikev1/xauth-id-rsa-config/hosts/carol/etc/ipsec.secrets @@ -1,3 +1,5 @@ # /etc/ipsec.secrets - strongSwan IPsec secrets file : RSA carolKey.pem "nH5ZQEWtku0RJEZ6" + +carol : XAUTH "4iChxLT3" diff --git a/testing/tests/ikev1/xauth-id-rsa-config/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa-config/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..5cd9bf11e --- /dev/null +++ b/testing/tests/ikev1/xauth-id-rsa-config/hosts/carol/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke +} + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/xauth-id-rsa-config/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-rsa-config/hosts/dave/etc/ipsec.conf new file mode 100644 index 000000000..69950dc6d --- /dev/null +++ b/testing/tests/ikev1/xauth-id-rsa-config/hosts/dave/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + +conn home + left=PH_IP_DAVE + leftsourceip=%config + leftcert=daveCert.pem + leftid=dave@strongswan.org + leftauth=pubkey + leftauth2=xauth + leftfirewall=yes + xauth_identity=dave + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + rightauth=pubkey + auto=add diff --git a/testing/tests/ikev1/strong-certs/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev1/xauth-id-rsa-config/hosts/dave/etc/ipsec.secrets index 9031f323a..8cf7db530 100644 --- a/testing/tests/ikev1/strong-certs/hosts/dave/etc/ipsec.secrets +++ b/testing/tests/ikev1/xauth-id-rsa-config/hosts/dave/etc/ipsec.secrets @@ -1,3 +1,5 @@ # /etc/ipsec.secrets - strongSwan IPsec secrets file : RSA daveKey.pem + +dave : XAUTH "ryftzG4A" diff --git a/testing/tests/ikev1/xauth-id-rsa-config/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa-config/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..5cd9bf11e --- /dev/null +++ b/testing/tests/ikev1/xauth-id-rsa-config/hosts/dave/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke +} + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-rsa-config/hosts/moon/etc/ipsec.conf index 0a65acb5d..d9fcc27c4 100644 --- a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/xauth-id-rsa-config/hosts/moon/etc/ipsec.conf @@ -1,10 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug="control" - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no conn %default ikelifetime=60m @@ -12,14 +8,15 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev1 - authby=xauthrsasig - xauth=server left=PH_IP_MOON leftcert=moonCert.pem leftid=@moon.strongswan.org leftsubnet=10.1.0.0/16 + leftauth=pubkey leftfirewall=yes right=%any + rightauth=pubkey + rightauth2=xauth auto=add conn rw-carol @@ -27,5 +24,5 @@ conn rw-carol rightsourceip=PH_IP_CAROL1 conn rw-dave - rightid=dave@strongswan.org - rightsourceip=PH_IP_DAVE1 + rightid=dave@strongswan.org + rightsourceip=PH_IP_DAVE1 diff --git a/testing/tests/ikev1/xauth-id-rsa/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/xauth-id-rsa-config/hosts/moon/etc/ipsec.secrets index fef50218a..fef50218a 100644 --- a/testing/tests/ikev1/xauth-id-rsa/hosts/moon/etc/ipsec.secrets +++ b/testing/tests/ikev1/xauth-id-rsa-config/hosts/moon/etc/ipsec.secrets diff --git a/testing/tests/ikev1/xauth-id-rsa-config/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa-config/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..5cd9bf11e --- /dev/null +++ b/testing/tests/ikev1/xauth-id-rsa-config/hosts/moon/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke +} + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/xauth-id-rsa-config/posttest.dat b/testing/tests/ikev1/xauth-id-rsa-config/posttest.dat new file mode 100644 index 000000000..1865a1c60 --- /dev/null +++ b/testing/tests/ikev1/xauth-id-rsa-config/posttest.dat @@ -0,0 +1,6 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev1/xauth-id-rsa-config/pretest.dat b/testing/tests/ikev1/xauth-id-rsa-config/pretest.dat new file mode 100644 index 000000000..e5a06d44c --- /dev/null +++ b/testing/tests/ikev1/xauth-id-rsa-config/pretest.dat @@ -0,0 +1,9 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules +moon::ipsec start +carol::ipsec start +dave::ipsec start +carol::sleep 2 +carol::ipsec up home +dave::ipsec up home diff --git a/testing/tests/ikev1/xauth-id-rsa-config/test.conf b/testing/tests/ikev1/xauth-id-rsa-config/test.conf new file mode 100644 index 000000000..f29298850 --- /dev/null +++ b/testing/tests/ikev1/xauth-id-rsa-config/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev1/xauth-id-rsa-hybrid/description.txt b/testing/tests/ikev1/xauth-id-rsa-hybrid/description.txt new file mode 100644 index 000000000..88351ffda --- /dev/null +++ b/testing/tests/ikev1/xauth-id-rsa-hybrid/description.txt @@ -0,0 +1,11 @@ +The roadwarriors <b>carol</b> and <b>dave</b> set up a connection to gateway <b>moon</b> +using <b>IKEv1 Hybrid Mode</b>. +The authentication of <b>moon</b> is based on an RSA signature combined with a X.509 certificate, +followed by an extended authentication (<b>XAUTH</b>) of <b>carol</b> and <b>dave</b> +based on user names defined by the <b>xauth_identity</b> parameter (<b>carol</b> and <b>dave</b>, +respectively) and corresponding user passwords defined and stored in ipsec.secrets. +<p> +Upon the successful establishment of the IPsec tunnel, leftfirewall=yes automatically +inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, <b>carol</b> and <b>dave</b> ping the client +<b>alice</b> behind the gateway <b>moon</b>. diff --git a/testing/tests/ikev1/xauth-id-rsa-hybrid/evaltest.dat b/testing/tests/ikev1/xauth-id-rsa-hybrid/evaltest.dat new file mode 100644 index 000000000..34c124c95 --- /dev/null +++ b/testing/tests/ikev1/xauth-id-rsa-hybrid/evaltest.dat @@ -0,0 +1,16 @@ +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave.strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES +moon:: cat /var/log/daemon.log::XAuth authentication of.*carol.*successful::YES +moon:: cat /var/log/daemon.log::XAuth authentication of.*dave.*successful::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES diff --git a/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/carol/etc/ipsec.conf index f2a15af0a..e12cefa65 100755..100644 --- a/testing/tests/ikev1/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/carol/etc/ipsec.conf @@ -1,8 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug=control - charonstart=no conn %default ikelifetime=60m @@ -10,14 +8,15 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev1 - ike=aes128,serpent128,twofish128,3des - + conn home - authby=secret left=PH_IP_CAROL leftid=carol@strongswan.org + leftauth=xauth leftfirewall=yes right=PH_IP_MOON - rightid=@moon.strongswan.org rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + rightauth=pubkey + xauth_identity=carol auto=add diff --git a/testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/carol/etc/ipsec.secrets index 8e31be4cb..cf2178e9b 100644 --- a/testing/tests/ikev1/crl-revoked/hosts/carol/etc/ipsec.secrets +++ b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/carol/etc/ipsec.secrets @@ -1,3 +1,3 @@ # /etc/ipsec.secrets - strongSwan IPsec secrets file -: RSA carolRevokedKey.pem +carol : XAUTH "4iChxLT3" diff --git a/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..5cd9bf11e --- /dev/null +++ b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/carol/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke +} + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/xauth-id-psk/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/dave/etc/ipsec.conf index 3a4b75af6..03b29f6c9 100644 --- a/testing/tests/ikev1/xauth-id-psk/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/dave/etc/ipsec.conf @@ -1,10 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no conn %default ikelifetime=60m @@ -12,12 +8,15 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev1 - authby=xauthpsk conn home left=PH_IP_DAVE + leftid=dave@strongswan.org + leftauth=xauth leftfirewall=yes right=PH_IP_MOON rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + rightauth=pubkey xauth_identity=dave auto=add diff --git a/testing/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/dave/etc/ipsec.secrets index fac55d63b..19d918630 100644 --- a/testing/tests/ikev1/multi-level-ca-strict/hosts/carol/etc/ipsec.secrets +++ b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/dave/etc/ipsec.secrets @@ -1,3 +1,3 @@ # /etc/ipsec.secrets - strongSwan IPsec secrets file -: RSA carolKey.pem +dave : XAUTH "ryftzG4A" diff --git a/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..5cd9bf11e --- /dev/null +++ b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/dave/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke +} + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..d76dec16d --- /dev/null +++ b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/moon/etc/ipsec.conf @@ -0,0 +1,21 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + leftauth=pubkey + leftfirewall=yes + right=%any + rightauth=xauth + auto=add diff --git a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/moon/etc/ipsec.secrets index 2586f5f39..bd9b0dbfb 100644 --- a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/ipsec.secrets +++ b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/moon/etc/ipsec.secrets @@ -2,4 +2,6 @@ : RSA moonKey.pem -carol@strongswan.org : XAUTH "4iChxLT3" +carol : XAUTH "4iChxLT3" + +dave : XAUTH "ryftzG4A" diff --git a/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..5cd9bf11e --- /dev/null +++ b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/moon/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke +} + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/xauth-id-rsa-hybrid/posttest.dat b/testing/tests/ikev1/xauth-id-rsa-hybrid/posttest.dat new file mode 100644 index 000000000..1865a1c60 --- /dev/null +++ b/testing/tests/ikev1/xauth-id-rsa-hybrid/posttest.dat @@ -0,0 +1,6 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev1/xauth-id-rsa-hybrid/pretest.dat b/testing/tests/ikev1/xauth-id-rsa-hybrid/pretest.dat new file mode 100644 index 000000000..e5a06d44c --- /dev/null +++ b/testing/tests/ikev1/xauth-id-rsa-hybrid/pretest.dat @@ -0,0 +1,9 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules +moon::ipsec start +carol::ipsec start +dave::ipsec start +carol::sleep 2 +carol::ipsec up home +dave::ipsec up home diff --git a/testing/tests/ikev1/xauth-id-rsa-hybrid/test.conf b/testing/tests/ikev1/xauth-id-rsa-hybrid/test.conf new file mode 100644 index 000000000..f29298850 --- /dev/null +++ b/testing/tests/ikev1/xauth-id-rsa-hybrid/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev1/xauth-id-rsa/evaltest.dat b/testing/tests/ikev1/xauth-id-rsa/evaltest.dat deleted file mode 100644 index b019f8d76..000000000 --- a/testing/tests/ikev1/xauth-id-rsa/evaltest.dat +++ /dev/null @@ -1,14 +0,0 @@ -carol::cat /var/log/auth.log::extended authentication was successful::YES -dave::cat /var/log/auth.log::extended authentication was successful::YES -moon::cat /var/log/auth.log::xauth user name is .*carol::YES -moon::cat /var/log/auth.log::xauth user name is .*dave::YES -moon::cat /var/log/auth.log::extended authentication was successful::YES -carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES -dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES -moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES -moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES -moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES -moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES diff --git a/testing/tests/ikev1/xauth-id-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa/hosts/carol/etc/strongswan.conf deleted file mode 100644 index de1cbb134..000000000 --- a/testing/tests/ikev1/xauth-id-rsa/hosts/carol/etc/strongswan.conf +++ /dev/null @@ -1,11 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink -} - -# pluto uses optimized DH exponent sizes (RFC 3526) - -libstrongswan { - dh_exponent_ansi_x9_42 = no -} diff --git a/testing/tests/ikev1/xauth-id-rsa/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa/hosts/dave/etc/strongswan.conf deleted file mode 100644 index de1cbb134..000000000 --- a/testing/tests/ikev1/xauth-id-rsa/hosts/dave/etc/strongswan.conf +++ /dev/null @@ -1,11 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink -} - -# pluto uses optimized DH exponent sizes (RFC 3526) - -libstrongswan { - dh_exponent_ansi_x9_42 = no -} diff --git a/testing/tests/ikev1/xauth-id-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-rsa/hosts/moon/etc/ipsec.conf deleted file mode 100644 index 251041443..000000000 --- a/testing/tests/ikev1/xauth-id-rsa/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,25 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - authby=xauthrsasig - xauth=server - -conn rw - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=10.1.0.0/16 - leftfirewall=yes - right=%any - auto=add diff --git a/testing/tests/ikev1/xauth-id-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa/hosts/moon/etc/strongswan.conf deleted file mode 100644 index de1cbb134..000000000 --- a/testing/tests/ikev1/xauth-id-rsa/hosts/moon/etc/strongswan.conf +++ /dev/null @@ -1,11 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink -} - -# pluto uses optimized DH exponent sizes (RFC 3526) - -libstrongswan { - dh_exponent_ansi_x9_42 = no -} diff --git a/testing/tests/ikev1/xauth-id-rsa/posttest.dat b/testing/tests/ikev1/xauth-id-rsa/posttest.dat deleted file mode 100644 index 7cebd7f25..000000000 --- a/testing/tests/ikev1/xauth-id-rsa/posttest.dat +++ /dev/null @@ -1,6 +0,0 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null -dave::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev1/xauth-id-rsa/pretest.dat b/testing/tests/ikev1/xauth-id-rsa/pretest.dat deleted file mode 100644 index 78e2d57f8..000000000 --- a/testing/tests/ikev1/xauth-id-rsa/pretest.dat +++ /dev/null @@ -1,9 +0,0 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null -dave::/etc/init.d/iptables start 2> /dev/null -moon::ipsec start -carol::ipsec start -dave::ipsec start -carol::sleep 2 -carol::ipsec up home -dave::ipsec up home diff --git a/testing/tests/ikev1/xauth-id-rsa/test.conf b/testing/tests/ikev1/xauth-id-rsa/test.conf deleted file mode 100644 index 70416826e..000000000 --- a/testing/tests/ikev1/xauth-id-rsa/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# UML instances used for this test - -# All UML instances that are required for this test -# -UMLHOSTS="alice moon carol winnetou dave" - -# Corresponding block diagram -# -DIAGRAM="a-m-c-w-d.png" - -# UML instances on which tcpdump is to be started -# -TCPDUMPHOSTS="moon" - -# UML instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev1/xauth-psk/evaltest.dat b/testing/tests/ikev1/xauth-psk/evaltest.dat index 786043065..c6637cbfe 100644 --- a/testing/tests/ikev1/xauth-psk/evaltest.dat +++ b/testing/tests/ikev1/xauth-psk/evaltest.dat @@ -1,13 +1,15 @@ -carol::cat /var/log/auth.log::extended authentication was successful::YES -dave::cat /var/log/auth.log::extended authentication was successful::YES -moon::cat /var/log/auth.log::xauth user name is .*carol@strongswan.org::YES -moon::cat /var/log/auth.log::xauth user name is .*dave@strongswan.org::YES -moon::cat /var/log/auth.log::extended authentication was successful::YES -carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES -dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES -moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave.strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES +moon:: cat /var/log/daemon.log::XAuth authentication of.*carol@strongswan.org.*successful::YES +moon:: cat /var/log/daemon.log::XAuth authentication of.*dave@strongswan.org.*successful::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ikev1/xauth-psk/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-psk/hosts/carol/etc/ipsec.conf index 1c7d7002e..a6bba5b04 100644 --- a/testing/tests/ikev1/xauth-psk/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/xauth-psk/hosts/carol/etc/ipsec.conf @@ -1,10 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no conn %default ikelifetime=60m @@ -12,13 +8,15 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev1 - authby=xauthpsk conn home left=PH_IP_CAROL leftid=carol@strongswan.org + leftauth=psk + leftauth2=xauth leftfirewall=yes right=PH_IP_MOON - rightid=moon.strongswan.org rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + rightauth=psk auto=add diff --git a/testing/tests/ikev1/xauth-psk/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-psk/hosts/carol/etc/strongswan.conf index c9eb0bc97..61260f891 100644 --- a/testing/tests/ikev1/xauth-psk/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev1/xauth-psk/hosts/carol/etc/strongswan.conf @@ -1,11 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -pluto { - load = sha1 sha2 md5 aes des hmac gmp random xauth kernel-netlink +charon { + load = sha1 sha2 md5 aes des hmac gmp random nonce xauth-generic kernel-netlink socket-default updown stroke } -# pluto uses optimized DH exponent sizes (RFC 3526) - libstrongswan { dh_exponent_ansi_x9_42 = no } diff --git a/testing/tests/ikev1/xauth-psk/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/xauth-psk/hosts/dave/etc/ipsec.conf index 782c160c9..5b80edb9f 100644 --- a/testing/tests/ikev1/xauth-psk/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev1/xauth-psk/hosts/dave/etc/ipsec.conf @@ -1,10 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no conn %default ikelifetime=60m @@ -12,13 +8,15 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev1 - authby=xauthpsk conn home left=PH_IP_DAVE leftid=dave@strongswan.org leftfirewall=yes + leftauth=psk + leftauth2=xauth right=PH_IP_MOON - rightid=moon.strongswan.org rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + rightauth=psk auto=add diff --git a/testing/tests/ikev1/xauth-psk/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-psk/hosts/dave/etc/strongswan.conf index c9eb0bc97..61260f891 100644 --- a/testing/tests/ikev1/xauth-psk/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev1/xauth-psk/hosts/dave/etc/strongswan.conf @@ -1,11 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -pluto { - load = sha1 sha2 md5 aes des hmac gmp random xauth kernel-netlink +charon { + load = sha1 sha2 md5 aes des hmac gmp random nonce xauth-generic kernel-netlink socket-default updown stroke } -# pluto uses optimized DH exponent sizes (RFC 3526) - libstrongswan { dh_exponent_ansi_x9_42 = no } diff --git a/testing/tests/ikev1/xauth-psk/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-psk/hosts/moon/etc/ipsec.conf index 595e6588c..7e79c11f8 100644 --- a/testing/tests/ikev1/xauth-psk/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/xauth-psk/hosts/moon/etc/ipsec.conf @@ -1,10 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no conn %default ikelifetime=60m @@ -12,13 +8,14 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev1 - authby=xauthpsk - xauth=server conn rw left=PH_IP_MOON - leftid=moon.strongswan.org + leftid=@moon.strongswan.org leftsubnet=10.1.0.0/16 + leftauth=psk leftfirewall=yes right=%any + rightauth=psk + rightauth2=xauth auto=add diff --git a/testing/tests/ikev1/xauth-psk/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-psk/hosts/moon/etc/strongswan.conf index c9eb0bc97..61260f891 100644 --- a/testing/tests/ikev1/xauth-psk/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev1/xauth-psk/hosts/moon/etc/strongswan.conf @@ -1,11 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -pluto { - load = sha1 sha2 md5 aes des hmac gmp random xauth kernel-netlink +charon { + load = sha1 sha2 md5 aes des hmac gmp random nonce xauth-generic kernel-netlink socket-default updown stroke } -# pluto uses optimized DH exponent sizes (RFC 3526) - libstrongswan { dh_exponent_ansi_x9_42 = no } diff --git a/testing/tests/ikev1/xauth-psk/posttest.dat b/testing/tests/ikev1/xauth-psk/posttest.dat index 7cebd7f25..1865a1c60 100644 --- a/testing/tests/ikev1/xauth-psk/posttest.dat +++ b/testing/tests/ikev1/xauth-psk/posttest.dat @@ -1,6 +1,6 @@ moon::ipsec stop carol::ipsec stop dave::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null -dave::/etc/init.d/iptables stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev1/xauth-psk/pretest.dat b/testing/tests/ikev1/xauth-psk/pretest.dat index 95a6be131..88a91ae86 100644 --- a/testing/tests/ikev1/xauth-psk/pretest.dat +++ b/testing/tests/ikev1/xauth-psk/pretest.dat @@ -1,6 +1,6 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null -dave::/etc/init.d/iptables start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules moon::rm /etc/ipsec.d/cacerts/* carol::rm /etc/ipsec.d/cacerts/* dave::rm /etc/ipsec.d/cacerts/* diff --git a/testing/tests/ikev1/xauth-psk/test.conf b/testing/tests/ikev1/xauth-psk/test.conf index 70416826e..f29298850 100644 --- a/testing/tests/ikev1/xauth-psk/test.conf +++ b/testing/tests/ikev1/xauth-psk/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon carol winnetou dave" +VIRTHOSTS="alice moon carol winnetou dave" # Corresponding block diagram # DIAGRAM="a-m-c-w-d.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/description.txt b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/description.txt new file mode 100644 index 000000000..a586a14cb --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/description.txt @@ -0,0 +1,8 @@ +The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>. +The authentication is based on RSA signatures (<b>RSASIG</b>) using X.509 certificates +followed by extended authentication (<b>XAUTH</b>) of <b>carol</b> based on a user name +equal to the <b>IKEv1</b> identity (<b>carol@strongswan.org</b>) and a user password +defined and stored by <b>carol</b> in ipsec.secrets. Gateway <b>moon</b> starts +an EAP-RADIUS connection with AAA server <b>alice</b> and uses <b>carol</b>'s +forwarded XAUTH user credentials for an EAP-MD5 based client authentication with +<b>alice</b>. diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/evaltest.dat b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/evaltest.dat new file mode 100644 index 000000000..d568273d1 --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/evaltest.dat @@ -0,0 +1,10 @@ +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA successful::YES +moon:: cat /var/log/daemon.log::RADIUS authentication of 'carol@strongswan.org' successful::YES +moon:: cat /var/log/daemon.log::XAuth authentication of 'carol@strongswan.org' successful::YES +moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/eap.conf new file mode 100644 index 000000000..623f42904 --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/eap.conf @@ -0,0 +1,5 @@ +eap { + default_eap_type = md5 + md5 { + } +} diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/proxy.conf new file mode 100644 index 000000000..23cba8d11 --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/proxy.conf @@ -0,0 +1,5 @@ +realm strongswan.org { + type = radius + authhost = LOCAL + accthost = LOCAL +} diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/sites-available/default new file mode 100644 index 000000000..dd0825858 --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/sites-available/default @@ -0,0 +1,43 @@ +authorize { + suffix + eap { + ok = return + } + files +} + +authenticate { + eap +} + +preacct { + preprocess + acct_unique + suffix + files +} + +accounting { + detail + unix + radutmp + attr_filter.accounting_response +} + +session { + radutmp +} + +post-auth { + exec + Post-Auth-Type REJECT { + attr_filter.access_reject + } +} + +pre-proxy { +} + +post-proxy { + eap +} diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/users b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/users new file mode 100644 index 000000000..4fb07b912 --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/alice/etc/freeradius/users @@ -0,0 +1 @@ +carol Cleartext-Password := "4iChxLT3" diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/carol/etc/ipsec.conf new file mode 100644 index 000000000..2fdd60f00 --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/carol/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + +conn home + left=PH_IP_CAROL + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftauth=pubkey + leftauth2=xauth + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + rightauth=pubkey + auto=add diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/carol/etc/ipsec.secrets index 4a77c3b97..4a77c3b97 100644 --- a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/ipsec.secrets +++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/carol/etc/ipsec.secrets diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..5cd9bf11e --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/carol/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke +} + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..5701b7a82 --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/moon/etc/ipsec.conf @@ -0,0 +1,22 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + +conn rw + left=PH_IP_MOON + leftsubnet=10.1.0.0/16 + leftid=@moon.strongswan.org + leftcert=moonCert.pem + leftauth=pubkey + leftfirewall=yes + right=%any + rightauth=pubkey + rightauth2=xauth-eap + auto=add diff --git a/testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/moon/etc/ipsec.secrets index e86d6aa5c..e86d6aa5c 100644 --- a/testing/tests/ikev1/strong-certs/hosts/moon/etc/ipsec.secrets +++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/moon/etc/ipsec.secrets diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/moon/etc/iptables.rules b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/moon/etc/iptables.rules new file mode 100644 index 000000000..1eb755354 --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/moon/etc/iptables.rules @@ -0,0 +1,32 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow esp +-A INPUT -i eth0 -p 50 -j ACCEPT +-A OUTPUT -o eth0 -p 50 -j ACCEPT + +# allow IKE +-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow crl fetch from winnetou +-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT +-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + +# allow RADIUS protocol with alice +-A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT +-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT + +COMMIT diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..e2e2164ae --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/moon/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default fips-prf eap-radius eap-md5 xauth-eap updown + plugins { + eap-radius { + secret = gv6URkSs + server = PH_IP_ALICE + } + } +} diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/posttest.dat b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/posttest.dat new file mode 100644 index 000000000..181949fb5 --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/posttest.dat @@ -0,0 +1,5 @@ +moon::ipsec stop +carol::ipsec stop +alice::killall radiusd +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/pretest.dat b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/pretest.dat new file mode 100644 index 000000000..9adc43d3e --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/pretest.dat @@ -0,0 +1,8 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +alice::radiusd +moon::ipsec start +carol::ipsec start +carol::sleep 1 +carol::ipsec up home +carol::sleep 1 diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/test.conf b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/test.conf new file mode 100644 index 000000000..eb1e15dd2 --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/test.conf @@ -0,0 +1,26 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice carol moon" + +# Corresponding block diagram +# +DIAGRAM="a-m-c.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" + +# Guest instances on which FreeRadius is started +# +RADIUSHOSTS="alice" + diff --git a/testing/tests/ikev1/xauth-rsa-fail/description.txt b/testing/tests/ikev1/xauth-rsa-fail/description.txt deleted file mode 100644 index 98d85f30b..000000000 --- a/testing/tests/ikev1/xauth-rsa-fail/description.txt +++ /dev/null @@ -1,5 +0,0 @@ -The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>. -The authentication is based on RSA signatures (<b>RSASIG</b>) using X.509 -certificates followed by extended authentication (<b>XAUTH</b>) based -on user name and password. Because user <b>carol</b> presents a wrong -XAUTH password the IKE negotiation is aborted and the ISAKMP SA is deleted. diff --git a/testing/tests/ikev1/xauth-rsa-fail/evaltest.dat b/testing/tests/ikev1/xauth-rsa-fail/evaltest.dat deleted file mode 100644 index 0bcef388d..000000000 --- a/testing/tests/ikev1/xauth-rsa-fail/evaltest.dat +++ /dev/null @@ -1,4 +0,0 @@ -carol::cat /var/log/auth.log::extended authentication failed::YES -moon::cat /var/log/auth.log::extended authentication failed::YES -carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::NO -moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::NO diff --git a/testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/ipsec.conf deleted file mode 100755 index 186d8e121..000000000 --- a/testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,25 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - authby=xauthrsasig - -conn home - left=PH_IP_CAROL - leftcert=carolCert.pem - leftid=carol@strongswan.org - leftfirewall=yes - right=PH_IP_MOON - rightsubnet=10.1.0.0/16 - rightid=@moon.strongswan.org - auto=add diff --git a/testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/strongswan.conf deleted file mode 100644 index de1cbb134..000000000 --- a/testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/strongswan.conf +++ /dev/null @@ -1,11 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink -} - -# pluto uses optimized DH exponent sizes (RFC 3526) - -libstrongswan { - dh_exponent_ansi_x9_42 = no -} diff --git a/testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/ipsec.conf deleted file mode 100755 index 251041443..000000000 --- a/testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,25 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - authby=xauthrsasig - xauth=server - -conn rw - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=10.1.0.0/16 - leftfirewall=yes - right=%any - auto=add diff --git a/testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/strongswan.conf deleted file mode 100644 index de1cbb134..000000000 --- a/testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/strongswan.conf +++ /dev/null @@ -1,11 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink -} - -# pluto uses optimized DH exponent sizes (RFC 3526) - -libstrongswan { - dh_exponent_ansi_x9_42 = no -} diff --git a/testing/tests/ikev1/xauth-rsa-fail/posttest.dat b/testing/tests/ikev1/xauth-rsa-fail/posttest.dat deleted file mode 100644 index c6d6235f9..000000000 --- a/testing/tests/ikev1/xauth-rsa-fail/posttest.dat +++ /dev/null @@ -1,2 +0,0 @@ -moon::ipsec stop -carol::ipsec stop diff --git a/testing/tests/ikev1/xauth-rsa-fail/pretest.dat b/testing/tests/ikev1/xauth-rsa-fail/pretest.dat deleted file mode 100644 index 4ac57ab16..000000000 --- a/testing/tests/ikev1/xauth-rsa-fail/pretest.dat +++ /dev/null @@ -1,5 +0,0 @@ -carol::ipsec start -moon::ipsec start -carol::sleep 2 -carol::ipsec up home -carol::sleep 1 diff --git a/testing/tests/ikev1/xauth-rsa-fail/test.conf b/testing/tests/ikev1/xauth-rsa-fail/test.conf deleted file mode 100644 index 5442565f8..000000000 --- a/testing/tests/ikev1/xauth-rsa-fail/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# UML instances used for this test - -# All UML instances that are required for this test -# -UMLHOSTS="alice moon carol winnetou" - -# Corresponding block diagram -# -DIAGRAM="a-m-c-w.png" - -# UML instances on which tcpdump is to be started -# -TCPDUMPHOSTS="" - -# UML instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/evaltest.dat b/testing/tests/ikev1/xauth-rsa-mode-config/evaltest.dat deleted file mode 100644 index 15dd054a0..000000000 --- a/testing/tests/ikev1/xauth-rsa-mode-config/evaltest.dat +++ /dev/null @@ -1,18 +0,0 @@ -carol::cat /var/log/auth.log::extended authentication was successful::YES -dave::cat /var/log/auth.log::extended authentication was successful::YES -moon::cat /var/log/auth.log::carol.*extended authentication was successful::YES -moon::cat /var/log/auth.log::dave.*extended authentication was successful::YES -carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES -dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES -moon::ipsec status::carol.*STATE_QUICK_R2.*IPsec SA established::YES -moon::ipsec status::dave.*STATE_QUICK_R2.*IPsec SA established::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES -moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES -moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES -moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES -alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES -alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES -alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES -alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/ipsec.conf deleted file mode 100644 index ca2df4b28..000000000 --- a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,26 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - authby=xauthrsasig - -conn home - left=PH_IP_CAROL - leftsourceip=%modeconfig - leftcert=carolCert.pem - leftid=carol@strongswan.org - leftfirewall=yes - right=PH_IP_MOON - rightsubnet=10.1.0.0/16 - rightid=@moon.strongswan.org - auto=add diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/strongswan.conf deleted file mode 100644 index de1cbb134..000000000 --- a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/strongswan.conf +++ /dev/null @@ -1,11 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink -} - -# pluto uses optimized DH exponent sizes (RFC 3526) - -libstrongswan { - dh_exponent_ansi_x9_42 = no -} diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/ipsec.conf deleted file mode 100644 index 079c6b0d5..000000000 --- a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/ipsec.conf +++ /dev/null @@ -1,26 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - authby=xauthrsasig - -conn home - left=PH_IP_DAVE - leftsourceip=%modeconfig - leftcert=daveCert.pem - leftid=dave@strongswan.org - leftfirewall=yes - right=PH_IP_MOON - rightsubnet=10.1.0.0/16 - rightid=@moon.strongswan.org - auto=add diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/ipsec.secrets deleted file mode 100644 index 1c0248b84..000000000 --- a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/ipsec.secrets +++ /dev/null @@ -1,5 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: RSA daveKey.pem - -dave@strongswan.org : XAUTH "ryftzG4A" diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/strongswan.conf deleted file mode 100644 index de1cbb134..000000000 --- a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/strongswan.conf +++ /dev/null @@ -1,11 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink -} - -# pluto uses optimized DH exponent sizes (RFC 3526) - -libstrongswan { - dh_exponent_ansi_x9_42 = no -} diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/ipsec.secrets deleted file mode 100644 index 1ba66971a..000000000 --- a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/ipsec.secrets +++ /dev/null @@ -1,7 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: RSA moonKey.pem - -carol@strongswan.org : XAUTH "4iChxLT3" - -dave@strongswan.org : XAUTH "ryftzG4A" diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/strongswan.conf deleted file mode 100644 index de1cbb134..000000000 --- a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/strongswan.conf +++ /dev/null @@ -1,11 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink -} - -# pluto uses optimized DH exponent sizes (RFC 3526) - -libstrongswan { - dh_exponent_ansi_x9_42 = no -} diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/posttest.dat b/testing/tests/ikev1/xauth-rsa-mode-config/posttest.dat deleted file mode 100644 index f90d222b5..000000000 --- a/testing/tests/ikev1/xauth-rsa-mode-config/posttest.dat +++ /dev/null @@ -1,8 +0,0 @@ -carol::ipsec stop -dave::ipsec stop -moon::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null -dave::/etc/init.d/iptables stop 2> /dev/null -carol::ip addr del PH_IP_CAROL1/32 dev eth0 -dave::ip addr del PH_IP_DAVE1/32 dev eth0 diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/pretest.dat b/testing/tests/ikev1/xauth-rsa-mode-config/pretest.dat deleted file mode 100644 index 78e2d57f8..000000000 --- a/testing/tests/ikev1/xauth-rsa-mode-config/pretest.dat +++ /dev/null @@ -1,9 +0,0 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null -dave::/etc/init.d/iptables start 2> /dev/null -moon::ipsec start -carol::ipsec start -dave::ipsec start -carol::sleep 2 -carol::ipsec up home -dave::ipsec up home diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/test.conf b/testing/tests/ikev1/xauth-rsa-mode-config/test.conf deleted file mode 100644 index 75510b295..000000000 --- a/testing/tests/ikev1/xauth-rsa-mode-config/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# UML instances used for this test - -# All UML instances that are required for this test -# -UMLHOSTS="alice moon carol winnetou dave" - -# Corresponding block diagram -# -DIAGRAM="a-m-c-w-d.png" - -# UML instances on which tcpdump is to be started -# -TCPDUMPHOSTS="alice moon" - -# UML instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev1/xauth-rsa-nosecret/description.txt b/testing/tests/ikev1/xauth-rsa-nosecret/description.txt deleted file mode 100644 index a6fe82330..000000000 --- a/testing/tests/ikev1/xauth-rsa-nosecret/description.txt +++ /dev/null @@ -1,6 +0,0 @@ -The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>. -The authentication is based on RSA signatures (<b>RSASIG</b>) using X.509 -certificates followed by extended authentication (<b>XAUTH</b>) based -on user name and password. Because user <b>carol</b> cannot find her -XAUTH credentials in ipsec.secrets, the IKE negotiation is aborted and the -ISAKMP SA is deleted. diff --git a/testing/tests/ikev1/xauth-rsa-nosecret/evaltest.dat b/testing/tests/ikev1/xauth-rsa-nosecret/evaltest.dat deleted file mode 100644 index ddbb3ae2d..000000000 --- a/testing/tests/ikev1/xauth-rsa-nosecret/evaltest.dat +++ /dev/null @@ -1,4 +0,0 @@ -carol::cat /var/log/auth.log::xauth user credentials not found::YES -moon::cat /var/log/auth.log::received FAIL status in XAUTH reply::YES -carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::NO -moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::NO diff --git a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/ipsec.conf deleted file mode 100755 index fc86bab41..000000000 --- a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,25 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug="control controlmore" - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - authby=xauthrsasig - -conn home - left=PH_IP_CAROL - leftcert=carolCert.pem - leftid=carol@strongswan.org - leftfirewall=yes - right=PH_IP_MOON - rightsubnet=10.1.0.0/16 - rightid=@moon.strongswan.org - auto=add diff --git a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/strongswan.conf deleted file mode 100644 index de1cbb134..000000000 --- a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/strongswan.conf +++ /dev/null @@ -1,11 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink -} - -# pluto uses optimized DH exponent sizes (RFC 3526) - -libstrongswan { - dh_exponent_ansi_x9_42 = no -} diff --git a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/ipsec.conf deleted file mode 100755 index e2709cdf1..000000000 --- a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,25 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug="control controlmore" - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev1 - authby=xauthrsasig - xauth=server - -conn rw - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=10.1.0.0/16 - leftfirewall=yes - right=%any - auto=add diff --git a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/strongswan.conf deleted file mode 100644 index de1cbb134..000000000 --- a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/strongswan.conf +++ /dev/null @@ -1,11 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink -} - -# pluto uses optimized DH exponent sizes (RFC 3526) - -libstrongswan { - dh_exponent_ansi_x9_42 = no -} diff --git a/testing/tests/ikev1/xauth-rsa-nosecret/posttest.dat b/testing/tests/ikev1/xauth-rsa-nosecret/posttest.dat deleted file mode 100644 index c6d6235f9..000000000 --- a/testing/tests/ikev1/xauth-rsa-nosecret/posttest.dat +++ /dev/null @@ -1,2 +0,0 @@ -moon::ipsec stop -carol::ipsec stop diff --git a/testing/tests/ikev1/xauth-rsa-nosecret/test.conf b/testing/tests/ikev1/xauth-rsa-nosecret/test.conf deleted file mode 100644 index 5442565f8..000000000 --- a/testing/tests/ikev1/xauth-rsa-nosecret/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# UML instances used for this test - -# All UML instances that are required for this test -# -UMLHOSTS="alice moon carol winnetou" - -# Corresponding block diagram -# -DIAGRAM="a-m-c-w.png" - -# UML instances on which tcpdump is to be started -# -TCPDUMPHOSTS="" - -# UML instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev1/xauth-rsa-radius/description.txt b/testing/tests/ikev1/xauth-rsa-radius/description.txt new file mode 100644 index 000000000..fb30d163e --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa-radius/description.txt @@ -0,0 +1,7 @@ +The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>. +The authentication is based on RSA signatures (<b>RSASIG</b>) using X.509 certificates +followed by extended authentication (<b>XAUTH</b>) of <b>carol</b> based on a user name +equal to the <b>IKEv1</b> identity (<b>carol@strongswan.org</b>) and a user password +defined and stored by <b>carol</b> in ipsec.secrets. Gateway <b>moon</b> verifies +<b>carol</b>'s XAUTH user credentials using a RADIUS connection with AAA server +<b>alice</b>. diff --git a/testing/tests/ikev1/xauth-rsa-radius/evaltest.dat b/testing/tests/ikev1/xauth-rsa-radius/evaltest.dat new file mode 100644 index 000000000..ee60292a3 --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa-radius/evaltest.dat @@ -0,0 +1,9 @@ +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA successful::YES +moon:: cat /var/log/daemon.log::XAuth authentication of 'carol@strongswan.org' successful::YES +moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/eap.conf new file mode 100644 index 000000000..623f42904 --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/eap.conf @@ -0,0 +1,5 @@ +eap { + default_eap_type = md5 + md5 { + } +} diff --git a/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/proxy.conf new file mode 100644 index 000000000..23cba8d11 --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/proxy.conf @@ -0,0 +1,5 @@ +realm strongswan.org { + type = radius + authhost = LOCAL + accthost = LOCAL +} diff --git a/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/sites-available/default new file mode 100644 index 000000000..929b6cd74 --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/sites-available/default @@ -0,0 +1,39 @@ +authorize { + suffix + files +} + +authenticate { + pap +} + +preacct { + preprocess + acct_unique + suffix + files +} + +accounting { + detail + unix + radutmp + attr_filter.accounting_response +} + +session { + radutmp +} + +post-auth { + exec + Post-Auth-Type REJECT { + attr_filter.access_reject + } +} + +pre-proxy { +} + +post-proxy { +} diff --git a/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/users b/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/users new file mode 100644 index 000000000..4fb07b912 --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa-radius/hosts/alice/etc/freeradius/users @@ -0,0 +1 @@ +carol Cleartext-Password := "4iChxLT3" diff --git a/testing/tests/ikev1/xauth-rsa-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-radius/hosts/carol/etc/ipsec.conf new file mode 100644 index 000000000..2fdd60f00 --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa-radius/hosts/carol/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + +conn home + left=PH_IP_CAROL + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftauth=pubkey + leftauth2=xauth + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + rightauth=pubkey + auto=add diff --git a/testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/xauth-rsa-radius/hosts/carol/etc/ipsec.secrets index 13e6e0656..d66f3fc24 100644 --- a/testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/ipsec.secrets +++ b/testing/tests/ikev1/xauth-rsa-radius/hosts/carol/etc/ipsec.secrets @@ -2,4 +2,4 @@ : RSA carolKey.pem "nH5ZQEWtku0RJEZ6" -carol@strongswan.org : XAUTH "4iChxLT8" +carol@strongswan.org : XAUTH "4iChxLT3" diff --git a/testing/tests/ikev1/xauth-rsa-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-radius/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..5cd9bf11e --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa-radius/hosts/carol/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke +} + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..f4ee067d5 --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/ipsec.conf @@ -0,0 +1,22 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + +conn rw + left=PH_IP_MOON + leftsubnet=10.1.0.0/16 + leftid=@moon.strongswan.org + leftcert=moonCert.pem + leftauth=pubkey + leftfirewall=yes + right=%any + rightauth=pubkey + rightauth2=xauth-radius + auto=add diff --git a/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/ipsec.secrets index afb1ff927..e86d6aa5c 100644 --- a/testing/tests/ikev1/net2net-pgp-v3/hosts/moon/etc/ipsec.secrets +++ b/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/ipsec.secrets @@ -1,3 +1,3 @@ # /etc/ipsec.secrets - strongSwan IPsec secrets file -: RSA moonKey.asc +: RSA moonKey.pem diff --git a/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/iptables.rules b/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/iptables.rules new file mode 100644 index 000000000..1eb755354 --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/iptables.rules @@ -0,0 +1,32 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow esp +-A INPUT -i eth0 -p 50 -j ACCEPT +-A OUTPUT -o eth0 -p 50 -j ACCEPT + +# allow IKE +-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow crl fetch from winnetou +-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT +-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + +# allow RADIUS protocol with alice +-A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT +-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT + +COMMIT diff --git a/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..77266cfa0 --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default fips-prf eap-radius updown + plugins { + eap-radius { + secret = gv6URkSs + server = PH_IP_ALICE + } + } +} diff --git a/testing/tests/ikev1/xauth-rsa-radius/posttest.dat b/testing/tests/ikev1/xauth-rsa-radius/posttest.dat new file mode 100644 index 000000000..181949fb5 --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa-radius/posttest.dat @@ -0,0 +1,5 @@ +moon::ipsec stop +carol::ipsec stop +alice::killall radiusd +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev1/xauth-rsa-radius/pretest.dat b/testing/tests/ikev1/xauth-rsa-radius/pretest.dat new file mode 100644 index 000000000..9adc43d3e --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa-radius/pretest.dat @@ -0,0 +1,8 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +alice::radiusd +moon::ipsec start +carol::ipsec start +carol::sleep 1 +carol::ipsec up home +carol::sleep 1 diff --git a/testing/tests/ikev1/xauth-rsa-radius/test.conf b/testing/tests/ikev1/xauth-rsa-radius/test.conf new file mode 100644 index 000000000..b4088e8b4 --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa-radius/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice carol moon" + +# Corresponding block diagram +# +DIAGRAM="a-m-c.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" + +# Guest instances on which FreeRadius is started +# +RADIUSHOSTS="alice" diff --git a/testing/tests/ikev1/xauth-rsa/evaltest.dat b/testing/tests/ikev1/xauth-rsa/evaltest.dat index 786043065..c6637cbfe 100644 --- a/testing/tests/ikev1/xauth-rsa/evaltest.dat +++ b/testing/tests/ikev1/xauth-rsa/evaltest.dat @@ -1,13 +1,15 @@ -carol::cat /var/log/auth.log::extended authentication was successful::YES -dave::cat /var/log/auth.log::extended authentication was successful::YES -moon::cat /var/log/auth.log::xauth user name is .*carol@strongswan.org::YES -moon::cat /var/log/auth.log::xauth user name is .*dave@strongswan.org::YES -moon::cat /var/log/auth.log::extended authentication was successful::YES -carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES -dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES -moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave.strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES +moon:: cat /var/log/daemon.log::XAuth authentication of.*carol@strongswan.org.*successful::YES +moon:: cat /var/log/daemon.log::XAuth authentication of.*dave@strongswan.org.*successful::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/ipsec.conf index 186d8e121..2fdd60f00 100644 --- a/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/ipsec.conf @@ -1,10 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no conn %default ikelifetime=60m @@ -12,14 +8,16 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev1 - authby=xauthrsasig conn home left=PH_IP_CAROL leftcert=carolCert.pem leftid=carol@strongswan.org + leftauth=pubkey + leftauth2=xauth leftfirewall=yes right=PH_IP_MOON rightsubnet=10.1.0.0/16 rightid=@moon.strongswan.org + rightauth=pubkey auto=add diff --git a/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/strongswan.conf index de1cbb134..5cd9bf11e 100644 --- a/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/strongswan.conf @@ -1,11 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink +charon { + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke } -# pluto uses optimized DH exponent sizes (RFC 3526) - libstrongswan { dh_exponent_ansi_x9_42 = no } diff --git a/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/ipsec.conf index 478e732ae..36f0c581f 100644 --- a/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/ipsec.conf @@ -1,10 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no conn %default ikelifetime=60m @@ -12,14 +8,16 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev1 - authby=xauthrsasig conn home left=PH_IP_DAVE leftcert=daveCert.pem leftid=dave@strongswan.org + leftauth=pubkey + leftauth2=xauth leftfirewall=yes right=PH_IP_MOON rightsubnet=10.1.0.0/16 rightid=@moon.strongswan.org + rightauth=pubkey auto=add diff --git a/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/strongswan.conf index de1cbb134..5cd9bf11e 100644 --- a/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/strongswan.conf @@ -1,11 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink +charon { + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke } -# pluto uses optimized DH exponent sizes (RFC 3526) - libstrongswan { dh_exponent_ansi_x9_42 = no } diff --git a/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/ipsec.conf index 251041443..3c6944910 100644 --- a/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/ipsec.conf @@ -1,10 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no conn %default ikelifetime=60m @@ -12,14 +8,15 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev1 - authby=xauthrsasig - xauth=server conn rw left=PH_IP_MOON leftcert=moonCert.pem leftid=@moon.strongswan.org leftsubnet=10.1.0.0/16 + leftauth=pubkey leftfirewall=yes right=%any + rightauth=pubkey + rightauth2=xauth auto=add diff --git a/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/strongswan.conf index de1cbb134..5cd9bf11e 100644 --- a/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/strongswan.conf @@ -1,11 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file -pluto { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth kernel-netlink +charon { + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke } -# pluto uses optimized DH exponent sizes (RFC 3526) - libstrongswan { dh_exponent_ansi_x9_42 = no } diff --git a/testing/tests/ikev1/xauth-rsa/posttest.dat b/testing/tests/ikev1/xauth-rsa/posttest.dat index 7cebd7f25..1865a1c60 100644 --- a/testing/tests/ikev1/xauth-rsa/posttest.dat +++ b/testing/tests/ikev1/xauth-rsa/posttest.dat @@ -1,6 +1,6 @@ moon::ipsec stop carol::ipsec stop dave::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null -dave::/etc/init.d/iptables stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev1/xauth-rsa/pretest.dat b/testing/tests/ikev1/xauth-rsa/pretest.dat index 78e2d57f8..e5a06d44c 100644 --- a/testing/tests/ikev1/xauth-rsa/pretest.dat +++ b/testing/tests/ikev1/xauth-rsa/pretest.dat @@ -1,6 +1,6 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null -dave::/etc/init.d/iptables start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start dave::ipsec start diff --git a/testing/tests/ikev1/xauth-rsa/test.conf b/testing/tests/ikev1/xauth-rsa/test.conf index 70416826e..f29298850 100644 --- a/testing/tests/ikev1/xauth-rsa/test.conf +++ b/testing/tests/ikev1/xauth-rsa/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon carol winnetou dave" +VIRTHOSTS="alice moon carol winnetou dave" # Corresponding block diagram # DIAGRAM="a-m-c-w-d.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" |