Diffstat (limited to 'testing/tests/ikev1')
109 files changed, 554 insertions, 380 deletions
diff --git a/testing/tests/ikev1/after-2038-certs/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/after-2038-certs/hosts/carol/etc/ipsec.conf index 392a4b51e..d55638907 100755 --- a/testing/tests/ikev1/after-2038-certs/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/after-2038-certs/hosts/carol/etc/ipsec.conf @@ -1,7 +1,8 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 + plutodebug=control + crlcheckinterval=180 strictcrlpolicy=no charonstart=no diff --git a/testing/tests/ikev1/after-2038-certs/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/after-2038-certs/hosts/carol/etc/strongswan.conf deleted file mode 100644 index 40eb84b8a..000000000 --- a/testing/tests/ikev1/after-2038-certs/hosts/carol/etc/strongswan.conf +++ /dev/null @@ -1,5 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown -} diff --git a/testing/tests/ikev1/after-2038-certs/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/after-2038-certs/hosts/moon/etc/ipsec.conf index e56090f48..94517ecbe 100755 --- a/testing/tests/ikev1/after-2038-certs/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/after-2038-certs/hosts/moon/etc/ipsec.conf @@ -1,7 +1,8 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 + plutodebug=control + crlcheckinterval=180 strictcrlpolicy=no charonstart=no diff --git a/testing/tests/ikev1/after-2038-certs/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/after-2038-certs/hosts/moon/etc/strongswan.conf deleted file mode 100644 index 40eb84b8a..000000000 --- a/testing/tests/ikev1/after-2038-certs/hosts/moon/etc/strongswan.conf +++ /dev/null @@ -1,5 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink updown -} 
diff --git a/testing/tests/ikev1/alg-blowfish/description.txt b/testing/tests/ikev1/alg-blowfish/description.txt index cff0a1915..7d8f245ab 100644 --- a/testing/tests/ikev1/alg-blowfish/description.txt +++ b/testing/tests/ikev1/alg-blowfish/description.txt @@ -1,4 +1,4 @@ Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the strong cipher suite -<b>BLOWFISH_CBC_256-SHA2_512-MODP4096</b> for the IKE protocol and -<b>BLOWFISH_256-HMAC_SHA2_256</b> for ESP packets. A ping from <b>carol</b> to +<b>BLOWFISH_CBC_256 / HMAC_SHA2_512 / MODP_4096</b> for the IKE protocol and +<b>BLOWFISH_CBC_256 / HMAC_SHA2_256</b> for ESP packets. A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel. diff --git a/testing/tests/ikev1/alg-blowfish/evaltest.dat b/testing/tests/ikev1/alg-blowfish/evaltest.dat index a2ae3ff6b..fd46cdb9d 100644 --- a/testing/tests/ikev1/alg-blowfish/evaltest.dat +++ b/testing/tests/ikev1/alg-blowfish/evaltest.dat @@ -1,9 +1,9 @@ carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES -carol::ipsec statusall::IKE algorithm newest: BLOWFISH_CBC_256-SHA2_512-MODP4096::YES -moon::ipsec statusall::IKE algorithm newest: BLOWFISH_CBC_256-SHA2_512-MODP4096::YES -carol::ipsec statusall::ESP algorithm newest: BLOWFISH_256-HMAC_SHA2_256::YES -moon::ipsec statusall::ESP algorithm newest: BLOWFISH_256-HMAC_SHA2_256::YES +carol::ipsec statusall::IKE proposal: BLOWFISH_CBC_256/HMAC_SHA2_512/MODP_4096::YES +moon::ipsec statusall::IKE proposal: BLOWFISH_CBC_256/HMAC_SHA2_512/MODP_4096::YES +carol::ipsec statusall::ESP proposal: BLOWFISH_CBC_256/HMAC_SHA2_256::YES +moon::ipsec statusall::ESP proposal: BLOWFISH_CBC_256/HMAC_SHA2_256::YES carol::ip xfrm state::enc cbc(blowfish)::YES moon::ip xfrm state::enc cbc(blowfish)::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES 
diff --git a/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..f5401f260 --- /dev/null +++ b/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = sha1 sha2 md5 aes des blowfish hmac gmp pubkey random curl +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..f5401f260 --- /dev/null +++ b/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = sha1 sha2 md5 aes des blowfish hmac gmp pubkey random curl +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/alg-serpent/description.txt b/testing/tests/ikev1/alg-serpent/description.txt deleted file mode 100644 index f49c0a1c0..000000000 --- a/testing/tests/ikev1/alg-serpent/description.txt +++ /dev/null @@ -1,4 +0,0 @@ -Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the strong cipher suite -<b>SERPENT_CBC_256-SHA2_512-MODP4096</b> for the IKE protocol and -<b>SERPENT_256-HMAC_SHA2_256</b> for ESP packets. A ping from <b>carol</b> to -<b>alice</b> successfully checks the established tunnel. diff --git a/testing/tests/ikev1/alg-serpent/evaltest.dat b/testing/tests/ikev1/alg-serpent/evaltest.dat deleted file mode 100644 index ffca0e7a0..000000000 --- a/testing/tests/ikev1/alg-serpent/evaltest.dat +++ /dev/null 
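Review bot: The comment `# pluto uses optimized DH exponent sizes (RFC 3526)` in the new alg-blowfish `strongswan.conf` does not say what is being traded, and the option it explains sits under `libstrongswan`, not `pluto`. `dh_exponent_ansi_x9_42 = no` replaces the ANSI X9.42 exponent length with shorter exponents matched to the group's estimated strength, so it presumably affects every component on the host that links libstrongswan. I would word it as `# test speed-up: DH exponents sized per RFC 3526 strength estimates instead of ANSI X9.42; applies to all libstrongswan users`. The same block is added for moon in this test and in the attr-cert, crl-ldap and default-keys fixtures further down.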
@@ -1,10 +0,0 @@ -carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES -moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES -carol::ipsec statusall::IKE algorithm newest: SERPENT_CBC_256-SHA2_512-MODP4096::YES -moon::ipsec statusall::IKE algorithm newest: SERPENT_CBC_256-SHA2_512-MODP4096::YES -carol::ipsec statusall::ESP algorithm newest: SERPENT_256-HMAC_SHA2_256::YES -moon::ipsec statusall::ESP algorithm newest: SERPENT_256-HMAC_SHA2_256::YES -carol::ip xfrm state::enc cbc(serpent)::YES -moon::ip xfrm state::enc cbc(serpent)::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES - diff --git a/testing/tests/ikev1/alg-serpent/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/alg-serpent/hosts/carol/etc/ipsec.conf deleted file mode 100755 index b050f022a..000000000 --- a/testing/tests/ikev1/alg-serpent/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,24 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug="control crypt" - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - ike=serpent256-sha2_512-modp4096! - esp=serpent256-sha2_256! - -conn home - left=PH_IP_CAROL - leftcert=carolCert.pem - leftid=carol@strongswan.org - right=PH_IP_MOON - rightsubnet=10.1.0.0/16 - rightid=@moon.strongswan.org - auto=add diff --git a/testing/tests/ikev1/alg-serpent/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/alg-serpent/hosts/moon/etc/ipsec.conf deleted file mode 100755 index 75830f043..000000000 --- a/testing/tests/ikev1/alg-serpent/hosts/moon/etc/ipsec.conf +++ /dev/null 
@@ -1,24 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug="control crypt" - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - ike=serpent256-sha2_512-modp4096! - esp=serpent256-sha2_256! - -conn rw - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=10.1.0.0/16 - right=%any - rightid=carol@strongswan.org - auto=add diff --git a/testing/tests/ikev1/alg-serpent/posttest.dat b/testing/tests/ikev1/alg-serpent/posttest.dat deleted file mode 100644 index c6d6235f9..000000000 --- a/testing/tests/ikev1/alg-serpent/posttest.dat +++ /dev/null @@ -1,2 +0,0 @@ -moon::ipsec stop -carol::ipsec stop diff --git a/testing/tests/ikev1/alg-serpent/pretest.dat b/testing/tests/ikev1/alg-serpent/pretest.dat deleted file mode 100644 index 6d2eeb5f9..000000000 --- a/testing/tests/ikev1/alg-serpent/pretest.dat +++ /dev/null @@ -1,5 +0,0 @@ -moon::echo 1 > /proc/sys/net/ipv4/ip_forward -carol::ipsec start -moon::ipsec start -carol::sleep 2 -carol::ipsec up home diff --git a/testing/tests/ikev1/alg-serpent/test.conf b/testing/tests/ikev1/alg-serpent/test.conf deleted file mode 100644 index a6c8f026c..000000000 --- a/testing/tests/ikev1/alg-serpent/test.conf +++ /dev/null @@ -1,22 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# UML instances used for this test - -# All UML instances that are required for this test -# -UMLHOSTS="moon carol winnetou" - -# Corresponding block diagram -# -DIAGRAM="m-c-w.png" - -# UML instances on which tcpdump is to be started -# -TCPDUMPHOSTS="" - -# UML instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol" - diff --git a/testing/tests/ikev1/alg-sha-equals-sha1/description.txt b/testing/tests/ikev1/alg-sha-equals-sha1/description.txt deleted file mode 100644 index aeb2e1a88..000000000 
--- a/testing/tests/ikev1/alg-sha-equals-sha1/description.txt +++ /dev/null @@ -1,5 +0,0 @@ -Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the syntactically -incorrect cipher suites <b>ike=aes128-sha1-modp1536</b> for the -IKE protocol and <b>esp=aes128-sha</b> for ESP packets. Since <b>sha</b> and -<b>sha1</b> are treated as synonyms the proposal is neverless correctly parsed. -A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel. diff --git a/testing/tests/ikev1/alg-sha-equals-sha1/evaltest.dat b/testing/tests/ikev1/alg-sha-equals-sha1/evaltest.dat deleted file mode 100644 index c3656c690..000000000 --- a/testing/tests/ikev1/alg-sha-equals-sha1/evaltest.dat +++ /dev/null @@ -1,9 +0,0 @@ - -carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES -moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES -moon::ipsec statusall::IKE algorithm newest: AES_CBC_128-SHA-MODP1536::YES -carol::ipsec statusall::IKE algorithm newest: AES_CBC_128-SHA-MODP1536::YES -moon::ipsec statusall::ESP algorithm newest: AES_128-HMAC_SHA1::YES -carol::ipsec statusall::ESP algorithm newest: AES_128-HMAC_SHA1::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES - diff --git a/testing/tests/ikev1/alg-sha-equals-sha1/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/alg-sha-equals-sha1/hosts/carol/etc/ipsec.conf deleted file mode 100755 index 40d31c0ac..000000000 --- a/testing/tests/ikev1/alg-sha-equals-sha1/hosts/carol/etc/ipsec.conf +++ /dev/null 
@@ -1,25 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug="control crypt" - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - ike=aes128-sha1-modp1536! - esp=aes128-sha! - -conn home - left=PH_IP_CAROL - leftcert=carolCert.pem - leftid=carol@strongswan.org - right=PH_IP_MOON - rightsubnet=10.1.0.0/16 - rightid=@moon.strongswan.org - auto=add - diff --git a/testing/tests/ikev1/alg-sha-equals-sha1/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/alg-sha-equals-sha1/hosts/moon/etc/ipsec.conf deleted file mode 100755 index 1461f7933..000000000 --- a/testing/tests/ikev1/alg-sha-equals-sha1/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,25 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug="control crypt" - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - ike=aes128-sha1-modp1536! - esp=aes128-sha! - -conn rw - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=10.1.0.0/16 - right=%any - rightid=carol@strongswan.org - auto=add - diff --git a/testing/tests/ikev1/alg-sha-equals-sha1/posttest.dat b/testing/tests/ikev1/alg-sha-equals-sha1/posttest.dat deleted file mode 100644 index c6d6235f9..000000000 --- a/testing/tests/ikev1/alg-sha-equals-sha1/posttest.dat +++ /dev/null @@ -1,2 +0,0 @@ -moon::ipsec stop -carol::ipsec stop diff --git a/testing/tests/ikev1/alg-sha-equals-sha1/pretest.dat b/testing/tests/ikev1/alg-sha-equals-sha1/pretest.dat deleted file mode 100644 index 7d077c126..000000000 --- a/testing/tests/ikev1/alg-sha-equals-sha1/pretest.dat +++ /dev/null @@ -1,5 +0,0 @@ -moon::echo 1 > /proc/sys/net/ipv4/ip_forward -carol::ipsec start -moon::ipsec start -carol::sleep 2 -carol::ipsec up home 
diff --git a/testing/tests/ikev1/alg-sha-equals-sha1/test.conf b/testing/tests/ikev1/alg-sha-equals-sha1/test.conf deleted file mode 100644 index a6c8f026c..000000000 --- a/testing/tests/ikev1/alg-sha-equals-sha1/test.conf +++ /dev/null @@ -1,22 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# UML instances used for this test - -# All UML instances that are required for this test -# -UMLHOSTS="moon carol winnetou" - -# Corresponding block diagram -# -DIAGRAM="m-c-w.png" - -# UML instances on which tcpdump is to be started -# -TCPDUMPHOSTS="" - -# UML instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol" - diff --git a/testing/tests/ikev1/alg-sha2_256/description.txt b/testing/tests/ikev1/alg-sha2_256/description.txt index 900fcf017..e0af2e2f7 100644 --- a/testing/tests/ikev1/alg-sha2_256/description.txt +++ b/testing/tests/ikev1/alg-sha2_256/description.txt @@ -1,4 +1,4 @@ Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the rather strong cipher suite -<b>AES_CBC_128-SHA2_256-MODP1536</b> for the IKE protocol and -<b>AES_128-HMAC_SHA2_256</b> for ESP packets. A ping from <b>carol</b> to +<b>AES_CBC_128 / HMAC_SHA2_256 / MODP_1536</b> for the IKE protocol and +<b>AES_CBC_128 / HMAC_SHA2_256</b> for ESP packets. A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel. diff --git a/testing/tests/ikev1/alg-sha2_256/evaltest.dat b/testing/tests/ikev1/alg-sha2_256/evaltest.dat index 42d0099eb..b8a83e0fb 100644 --- a/testing/tests/ikev1/alg-sha2_256/evaltest.dat +++ b/testing/tests/ikev1/alg-sha2_256/evaltest.dat 
@@ -1,10 +1,10 @@ carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES -carol::ipsec statusall::IKE algorithm newest: AES_CBC_128-SHA2_256-MODP1536::YES -moon::ipsec statusall::IKE algorithm newest: AES_CBC_128-SHA2_256-MODP1536::YES -carol::ipsec statusall::ESP algorithm newest: AES_128-HMAC_SHA2_256::YES -moon::ipsec statusall::ESP algorithm newest: AES_128-HMAC_SHA2_256::YES +carol::ipsec statusall::IKE proposal: AES_CBC_128/HMAC_SHA2_256/MODP_1536::YES +moon::ipsec statusall::IKE proposal: AES_CBC_128/HMAC_SHA2_256/MODP_1536::YES +carol::ipsec statusall::ESP proposal: AES_CBC_128/HMAC_SHA2_256::YES +moon::ipsec statusall::ESP proposal: AES_CBC_128/HMAC_SHA2_256::YES carol::ip xfrm state::auth hmac(sha256)::YES moon::ip xfrm state::auth hmac(sha256)::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES diff --git a/testing/tests/ikev1/alg-twofish/description.txt b/testing/tests/ikev1/alg-twofish/description.txt deleted file mode 100644 index 0015561ee..000000000 --- a/testing/tests/ikev1/alg-twofish/description.txt +++ /dev/null @@ -1,4 +0,0 @@ -Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the strong cipher suite -<b>TWOFISH_CBC_256-SHA2_512-MODP4096</b> for the IKE protocol and -<b>TWOFISH_256-HMAC_SHA2_256</b> for ESP packets. A ping from <b>carol</b> to -<b>alice</b> successfully checks the established tunnel. diff --git a/testing/tests/ikev1/alg-twofish/evaltest.dat b/testing/tests/ikev1/alg-twofish/evaltest.dat deleted file mode 100644 index 69e9267c3..000000000 --- a/testing/tests/ikev1/alg-twofish/evaltest.dat +++ /dev/null 
@@ -1,10 +0,0 @@ -carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES -moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES -carol::ipsec statusall::IKE algorithm newest: TWOFISH_CBC_256-SHA2_512-MODP4096::YES -moon::ipsec statusall::IKE algorithm newest: TWOFISH_CBC_256-SHA2_512-MODP4096::YES -carol::ipsec statusall::ESP algorithm newest: TWOFISH_256-HMAC_SHA2_256::YES -moon::ipsec statusall::ESP algorithm newest: TWOFISH_256-HMAC_SHA2_256::YES -carol::ip xfrm state::enc cbc(twofish)::YES -moon::ip xfrm state::enc cbc(twofish)::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES - diff --git a/testing/tests/ikev1/alg-twofish/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/alg-twofish/hosts/carol/etc/ipsec.conf deleted file mode 100755 index 71ed47519..000000000 --- a/testing/tests/ikev1/alg-twofish/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,24 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug="control crypt" - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - ike=twofish256-sha2_512-modp4096! - esp=twofish256-sha2_256! - -conn home - left=PH_IP_CAROL - leftcert=carolCert.pem - leftid=carol@strongswan.org - right=PH_IP_MOON - rightsubnet=10.1.0.0/16 - rightid=@moon.strongswan.org - auto=add diff --git a/testing/tests/ikev1/alg-twofish/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/alg-twofish/hosts/moon/etc/ipsec.conf deleted file mode 100755 index ba739f887..000000000 --- a/testing/tests/ikev1/alg-twofish/hosts/moon/etc/ipsec.conf +++ /dev/null 
@@ -1,24 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug="control crypt" - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - ike=twofish256-sha2_512-modp4096! - esp=twofish256-sha2_256! - -conn rw - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftsubnet=10.1.0.0/16 - right=%any - rightid=carol@strongswan.org - auto=add diff --git a/testing/tests/ikev1/alg-twofish/posttest.dat b/testing/tests/ikev1/alg-twofish/posttest.dat deleted file mode 100644 index c6d6235f9..000000000 --- a/testing/tests/ikev1/alg-twofish/posttest.dat +++ /dev/null @@ -1,2 +0,0 @@ -moon::ipsec stop -carol::ipsec stop diff --git a/testing/tests/ikev1/alg-twofish/pretest.dat b/testing/tests/ikev1/alg-twofish/pretest.dat deleted file mode 100644 index 7d077c126..000000000 --- a/testing/tests/ikev1/alg-twofish/pretest.dat +++ /dev/null @@ -1,5 +0,0 @@ -moon::echo 1 > /proc/sys/net/ipv4/ip_forward -carol::ipsec start -moon::ipsec start -carol::sleep 2 -carol::ipsec up home diff --git a/testing/tests/ikev1/alg-twofish/test.conf b/testing/tests/ikev1/alg-twofish/test.conf deleted file mode 100644 index a6c8f026c..000000000 --- a/testing/tests/ikev1/alg-twofish/test.conf +++ /dev/null @@ -1,22 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# UML instances used for this test - -# All UML instances that are required for this test -# -UMLHOSTS="moon carol winnetou" - -# Corresponding block diagram -# -DIAGRAM="m-c-w.png" - -# UML instances on which tcpdump is to be started -# -TCPDUMPHOSTS="" - -# UML instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol" - diff --git a/testing/tests/ikev1/attr-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/attr-cert/hosts/moon/etc/strongswan.conf index 5a360543c..343221385 100644 
--- a/testing/tests/ikev1/attr-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev1/attr-cert/hosts/moon/etc/strongswan.conf @@ -1,3 +1,13 @@ +pluto { + load = sha1 sha2 md5 aes des hmac gmp pubkey random curl +} + openac { load = sha1 sha2 md5 gmp random x509 pubkey } + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/crl-ldap/evaltest.dat b/testing/tests/ikev1/crl-ldap/evaltest.dat index 2b98e086a..730614c66 100644 --- a/testing/tests/ikev1/crl-ldap/evaltest.dat +++ b/testing/tests/ikev1/crl-ldap/evaltest.dat @@ -6,8 +6,8 @@ moon::cat /var/log/auth.log::X.509 certificate rejected::YES carol::cat /var/log/auth.log::X.509 certificate rejected::YES moon::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES carol::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES -moon::cat /var/log/auth.log::Trying LDAP URL::YES -carol::cat /var/log/auth.log::Trying LDAP URL::YES +moon::cat /var/log/auth.log::fetching crl from .*ldap://ldap.strongswan.org::YES +carol::cat /var/log/auth.log::fetching crl from .*ldap://ldap.strongswan.org::YES moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES moon::cat /var/log/auth.log::written crl file::YES diff --git a/testing/tests/ikev1/crl-ldap/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/crl-ldap/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..b15cf2d3f --- /dev/null +++ b/testing/tests/ikev1/crl-ldap/hosts/carol/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = sha1 sha2 md5 aes des hmac gmp pubkey random curl ldap +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} 
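Review bot: The new crl-ldap pattern `fetching crl from .*ldap://ldap.strongswan.org` leaves the dots in the host name unescaped, while other checks in this commit escape literal dots (`ah\..*esp\.`), which suggests the field is matched as a regular expression. As written the check would also pass for a log line naming a different host (constructed example: `ldapXstrongswan.org`). `fetching crl from .*ldap://ldap\.strongswan\.org` pins the CRL distribution point the test is meant to exercise. The same applies to the carol line.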
diff --git a/testing/tests/ikev1/crl-ldap/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/crl-ldap/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..b15cf2d3f --- /dev/null +++ b/testing/tests/ikev1/crl-ldap/hosts/moon/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = sha1 sha2 md5 aes des hmac gmp pubkey random curl ldap +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/default-keys/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/default-keys/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..52fd0c788 --- /dev/null +++ b/testing/tests/ikev1/default-keys/hosts/carol/etc/strongswan.conf @@ -0,0 +1,15 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = sha1 sha2 md5 aes des hmac gmp pubkey random curl +} + +scepclient { + load = sha1 sha2 md5 aes des hmac gmp pubkey random +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/default-keys/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/default-keys/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..52fd0c788 --- /dev/null +++ b/testing/tests/ikev1/default-keys/hosts/moon/etc/strongswan.conf @@ -0,0 +1,15 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = sha1 sha2 md5 aes des hmac gmp pubkey random curl +} + +scepclient { + load = sha1 sha2 md5 aes des hmac gmp pubkey random +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/dpd-restart/evaltest.dat b/testing/tests/ikev1/dpd-restart/evaltest.dat index 016524dd9..c35a8019e 100644 --- a/testing/tests/ikev1/dpd-restart/evaltest.dat +++ b/testing/tests/ikev1/dpd-restart/evaltest.dat 
@@ -6,5 +6,5 @@ moon::cat /var/log/auth.log::inserting event EVENT_DPD::YES moon::cat /var/log/auth.log::DPD: No response from peer - declaring peer dead::YES moon::cat /var/log/auth.log::DPD: Terminating all SAs using this connection::YES moon::cat /var/log/auth.log::DPD: Restarting connection::YES -moon::sleep 5::no output expected::NO +moon::sleep 10::no output expected::NO moon::ipsec status::STATE_MAIN_I4 (ISAKMP SA established)::YES diff --git a/testing/tests/ikev1/esp-ah-transport/description.txt b/testing/tests/ikev1/esp-ah-transport/description.txt index c7918fa38..f8ffce6e6 100644 --- a/testing/tests/ikev1/esp-ah-transport/description.txt +++ b/testing/tests/ikev1/esp-ah-transport/description.txt @@ -1,5 +1,5 @@ In IKE phase 2 the roadwarrior <b>carol</b> proposes to gateway <b>moon</b> -the ESP AES 128 bit encryption algorithm combined with AH SHA-1 authentication. +the ESP AES 128 bit encryption algorithm combined with AH HMAC_SHA1 authentication. In order to accept the AH and ESP encapsulated plaintext packets, the iptables firewall marks all incoming AH packets with the ESP mark. The transport mode connection is tested by <b>carol</b> sending a ping to gateway <b>moon</b>. diff --git a/testing/tests/ikev1/esp-ah-transport/evaltest.dat b/testing/tests/ikev1/esp-ah-transport/evaltest.dat index 7c498ad83..526e0d96e 100644 --- a/testing/tests/ikev1/esp-ah-transport/evaltest.dat +++ b/testing/tests/ikev1/esp-ah-transport/evaltest.dat 
@@ -1,7 +1,7 @@ carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES -carol::ipsec statusall::ESP algorithm newest: AES_128-;::YES -moon::ipsec statusall::ESP algorithm newest: AES_128-;::YES +carol::ipsec statusall::ESP/AH proposal: AES_CBC_128/HMAC_SHA1::YES +moon::ipsec statusall::ESP/AH proposal: AES_CBC_128/HMAC_SHA1::YES carol::ping -c 1 -s 120 -p deadbeef PH_IP_MOON::128 bytes from PH_IP_MOON: icmp_seq=1::YES carol::ipsec status::ah\..*ah\..*esp\..*ago.*esp\..*ago.*transport::YES moon::ipsec status::ah\..*ah\..*esp\..*ago.*esp\..*ago.*transport::YES diff --git a/testing/tests/ikev1/esp-ah-tunnel/description.txt b/testing/tests/ikev1/esp-ah-tunnel/description.txt index 809f28c57..332f8177a 100644 --- a/testing/tests/ikev1/esp-ah-tunnel/description.txt +++ b/testing/tests/ikev1/esp-ah-tunnel/description.txt @@ -1,5 +1,5 @@ In IKE phase 2 the roadwarrior <b>carol</b> proposes to gateway <b>moon</b> -the ESP AES 128 bit encryption algorithm combined with AH SHA-1 authentication. +the ESP AES 128 bit encryption algorithm combined with AH HMAC_SHA1 authentication. In order to accept the AH and ESP encapsulated plaintext packets, the iptables firewall marks all incoming AH packets with the ESP mark. The tunnel mode connection is tested by <b>carol</b> sending a ping to client <b>alice</b> hiding behind diff --git a/testing/tests/ikev1/esp-ah-tunnel/evaltest.dat b/testing/tests/ikev1/esp-ah-tunnel/evaltest.dat index 8f4a99641..5103a6318 100644 --- a/testing/tests/ikev1/esp-ah-tunnel/evaltest.dat +++ b/testing/tests/ikev1/esp-ah-tunnel/evaltest.dat 
@@ -1,7 +1,7 @@ carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES -carol::ipsec statusall::ESP algorithm newest: AES_128-;::YES -moon::ipsec statusall::ESP algorithm newest: AES_128-;::YES +carol::ipsec statusall::ESP/AH proposal: AES_CBC_128/HMAC_SHA1::YES +moon::ipsec statusall::ESP/AH proposal: AES_CBC_128/HMAC_SHA1::YES carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES carol::ipsec status::ah\..*ah\..*esp\..*ago.*esp\..*ago.*tunnel::YES moon::ipsec status::ah\..*ah\..*esp\..*ago.*esp\..*ago.*tunnel::YES diff --git a/testing/tests/ikev1/esp-alg-aesxcbc/description.txt b/testing/tests/ikev1/esp-alg-aesxcbc/description.txt index fef0ac2dd..0c39352d9 100644 --- a/testing/tests/ikev1/esp-alg-aesxcbc/description.txt +++ b/testing/tests/ikev1/esp-alg-aesxcbc/description.txt @@ -1,4 +1,4 @@ Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite -<b>AES_256/AES_XCBC_MAC</b> by defining <b>esp=aes256-aesxcbc-modp2048</b> +<b>AES_CBC_256 / AES_XCBC_96</b> by defining <b>esp=aes256-aesxcbc</b> in ipsec.conf. A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel. diff --git a/testing/tests/ikev1/esp-alg-aesxcbc/evaltest.dat b/testing/tests/ikev1/esp-alg-aesxcbc/evaltest.dat index f464bda65..872962de4 100644 --- a/testing/tests/ikev1/esp-alg-aesxcbc/evaltest.dat +++ b/testing/tests/ikev1/esp-alg-aesxcbc/evaltest.dat 
@@ -1,8 +1,8 @@ carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES -carol::ipsec statusall::ESP algorithm newest: AES_256-AES_XCBC_MAC::YES -moon::ipsec statusall::ESP algorithm newest: AES_256-AES_XCBC_MAC::YES +carol::ipsec statusall::ESP proposal: AES_CBC_256/AES_XCBC_96::YES +moon::ipsec statusall::ESP proposal: AES_CBC_256/AES_XCBC_96::YES carol::ip xfrm state::auth xcbc(aes)::YES moon::ip xfrm state::auth xcbc(aes)::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES diff --git a/testing/tests/ikev1/esp-alg-camellia/description.txt b/testing/tests/ikev1/esp-alg-camellia/description.txt index ead39f580..b679d03ec 100644 --- a/testing/tests/ikev1/esp-alg-camellia/description.txt +++ b/testing/tests/ikev1/esp-alg-camellia/description.txt @@ -1,4 +1,4 @@ Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite -<b>CAMELLIA_192/HMAC_SHA2_256</b> by defining <b>esp=camellia192-sha2_256-modp2048</b> +<b>CAMELLIA_CBC_192 / HMAC_SHA2_256</b> by defining <b>esp=camellia192-sha2_256</b> in ipsec.conf. A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel. diff --git a/testing/tests/ikev1/esp-alg-camellia/evaltest.dat b/testing/tests/ikev1/esp-alg-camellia/evaltest.dat index b2871dabd..1b0f3a12b 100644 --- a/testing/tests/ikev1/esp-alg-camellia/evaltest.dat +++ b/testing/tests/ikev1/esp-alg-camellia/evaltest.dat 
@@ -1,7 +1,7 @@ carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES -carol::ipsec statusall::ESP algorithm newest: CAMELLIA_192-HMAC_SHA2_256::YES -moon::ipsec statusall::ESP algorithm newest: CAMELLIA_192-HMAC_SHA2_256::YES +carol::ipsec statusall::ESP proposal: CAMELLIA_CBC_192/HMAC_SHA2_256::YES +moon::ipsec statusall::ESP proposal: CAMELLIA_CBC_192/HMAC_SHA2_256::YES carol::ip xfrm state::enc cbc(camellia)::YES moon::ip xfrm state::enc cbc(camellia)::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES diff --git a/testing/tests/ikev1/esp-alg-des/evaltest.dat b/testing/tests/ikev1/esp-alg-des/evaltest.dat index 8e06392f1..57d09a488 100644 --- a/testing/tests/ikev1/esp-alg-des/evaltest.dat +++ b/testing/tests/ikev1/esp-alg-des/evaltest.dat @@ -1,6 +1,8 @@ carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES -moon::ipsec statusall::ESP algorithm newest: DES_0-HMAC_MD5::YES -carol::ipsec statusall::ESP algorithm newest: DES_0-HMAC_MD5::YES +moon::ipsec statusall::ESP proposal: DES_CBC/HMAC_MD5::YES +carol::ipsec statusall::ESP proposal: DES_CBC/HMAC_MD5::YES +moon::ip xfrm state::enc cbc(des)::YES +carol::ip xfrm state::enc cbc(des)::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES diff --git a/testing/tests/ikev1/esp-alg-null/evaltest.dat b/testing/tests/ikev1/esp-alg-null/evaltest.dat index de2f2a571..8c748a54c 100644 --- a/testing/tests/ikev1/esp-alg-null/evaltest.dat +++ b/testing/tests/ikev1/esp-alg-null/evaltest.dat 
@@ -1,5 +1,7 @@ carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES -moon::ipsec statusall::ESP algorithm newest::NULL_0-HMAC_SHA1::YES -carol::ipsec statusall::ESP algorithm newest::NULL_0-HMAC_SHA1::YES +moon::ipsec statusall::ESP proposal::NULL/HMAC_SHA1::YES +carol::ipsec statusall::ESP proposal::NULL/HMAC_SHA1::YES +moon::ip xfrm state::enc ecb(cipher_null)::YES +carol::ip xfrm state::enc ecb(cipher_null)::YES carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES diff --git a/testing/tests/ikev1/esp-alg-null/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-null/hosts/carol/etc/ipsec.conf index b939e4fda..3c9fdbb71 100755 --- a/testing/tests/ikev1/esp-alg-null/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/esp-alg-null/hosts/carol/etc/ipsec.conf @@ -11,7 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 - ike=aes-128-sha + ike=aes-sha1 esp=null-sha1! conn home diff --git a/testing/tests/ikev1/esp-alg-null/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-null/hosts/moon/etc/ipsec.conf index 9ca761cb5..62f17df49 100755 --- a/testing/tests/ikev1/esp-alg-null/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/esp-alg-null/hosts/moon/etc/ipsec.conf @@ -11,7 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 - ike=aes128-sha! + ike=aes-sha1! esp=null-sha1! conn rw diff --git a/testing/tests/ikev1/esp-alg-strict-fail/description.txt b/testing/tests/ikev1/esp-alg-strict-fail/description.txt index 03c655480..252080e80 100644 --- a/testing/tests/ikev1/esp-alg-strict-fail/description.txt +++ b/testing/tests/ikev1/esp-alg-strict-fail/description.txt 
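Review bot: The two rewritten `statusall` lines in esp-alg-null/evaltest.dat keep a `::` between `ESP proposal` and `NULL/HMAC_SHA1`, where every other evaltest file in this commit writes `ESP proposal: <suite>` inside one field. Since `::` is the field separator in these files, the line presumably splits into the pattern `ESP proposal` and a result field of `NULL/HMAC_SHA1`, so the negotiated suite is likely not checked at all. For a test whose purpose is to confirm that NULL encryption was negotiated on purpose, I would write `moon::ipsec statusall::ESP proposal: NULL/HMAC_SHA1::YES` and the same for carol. The added `ip xfrm state::enc ecb(cipher_null)` checks do cover the kernel side.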
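Review bot: `ike=aes-sha1` on carol in esp-alg-null (and `ike=aes-sha1!` on moon in the next hunk) no longer states a key length, where the replaced lines named 128 bits and the esp-alg-strict-fail fixtures use `aes128`. The IKE key size now depends on whatever default the parser applies to a bare `aes`, and this test's evaltest.dat has no `IKE proposal:` check that would show a change. I would keep it explicit, `ike=aes128-sha1` and `ike=aes128-sha1!`. The `conn %default` section starts above the hunk.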
@@ -1,5 +1,5 @@ -The roadwarrior <b>carol</b> proposes <b>3DES</b> encryption with SHA-1 authentication +The roadwarrior <b>carol</b> proposes <b>3DES_CBC</b> encryption with HMAC_SHA1 authentication as the only cipher suite for both the ISAKMP and IPsec SA. The gateway <b>moon</b> defines -<b>ike=aes-128-sha</b> only, but will accept any other support algorithm proposed by the peer, +<b>ike=aes128-sha1</b> only, but will accept any other support algorithm proposed by the peer, leading to a successful negotiation of Phase 1. Because for Phase 2 <b>moon</b> enforces -<b>esp=aes-128-sha1!</b> by using the strict flag '!', the ISAKMP SA will fail. +<b>esp=aes128-sha1!</b> by using the strict flag '!', the ISAKMP SA will fail. diff --git a/testing/tests/ikev1/esp-alg-strict-fail/evaltest.dat b/testing/tests/ikev1/esp-alg-strict-fail/evaltest.dat index 6f2024ff9..83d99bea1 100644 --- a/testing/tests/ikev1/esp-alg-strict-fail/evaltest.dat +++ b/testing/tests/ikev1/esp-alg-strict-fail/evaltest.dat @@ -1,9 +1,9 @@ carol::ipsec status::home.*STATE_MAIN_I4.*ISAKMP SA established::YES -carol::ipsec statusall::IKE algorithm newest: 3DES_CBC_192-SHA::YES +carol::ipsec statusall::IKE proposal: 3DES_CBC/HMAC_SHA1::YES moon::ipsec status::rw.*STATE_MAIN_R3.*ISAKMP SA established::YES -moon::ipsec statusall::IKE algorithm newest: 3DES_CBC_192-SHA::YES +moon::ipsec statusall::IKE proposal: 3DES_CBC/HMAC_SHA1::YES carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::NO carol::cat /var/log/auth.log::NO_PROPOSAL_CHOSEN::YES moon::ipsec status::rw.*STATE_QUICK_R2.*ISAKMP SA established::NO -moon::cat /var/log/auth.log::IPSec Transform.*ESP_3DES (192), AUTH_ALGORITHM_HMAC_SHA1.*refused due to strict flag::YES +moon::cat /var/log/auth.log::IPSec Transform.*3DES_CBC (192), HMAC_SHA1.*refused due to strict flag::YES moon::cat /var/log/auth.log::no acceptable Proposal in IPsec SA::YES 
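Review bot: In esp-alg-strict-fail/evaltest.dat the unchanged line `moon::ipsec status::rw.*STATE_QUICK_R2.*ISAKMP SA established::NO` pairs a Quick Mode state with the ISAKMP message text, whereas every other check on this page pairs `STATE_QUICK_R2` with `IPsec SA established`. If pluto never prints that combination, the NO assertion holds even when the strict flag fails to block the Phase 2 SA, so the negative check on the gateway side would be vacuous. Suggest `moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::NO` while the file is being touched, mirroring the carol line above it.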
diff --git a/testing/tests/ikev1/esp-alg-strict-fail/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-strict-fail/hosts/carol/etc/ipsec.conf index f61cfc6bb..21997940b 100755 --- a/testing/tests/ikev1/esp-alg-strict-fail/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/esp-alg-strict-fail/hosts/carol/etc/ipsec.conf @@ -11,7 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 - ike=3des-sha + ike=3des-sha1 esp=3des-sha1 conn home diff --git a/testing/tests/ikev1/esp-alg-strict-fail/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-strict-fail/hosts/moon/etc/ipsec.conf index 5bf53b8bc..14f58ccc3 100755 --- a/testing/tests/ikev1/esp-alg-strict-fail/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/esp-alg-strict-fail/hosts/moon/etc/ipsec.conf @@ -11,7 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 - ike=aes128-sha + ike=aes128-sha1 esp=aes128-sha1! conn rw diff --git a/testing/tests/ikev1/esp-alg-strict/description.txt b/testing/tests/ikev1/esp-alg-strict/description.txt index b4fc08253..149a1e013 100644 --- a/testing/tests/ikev1/esp-alg-strict/description.txt +++ b/testing/tests/ikev1/esp-alg-strict/description.txt @@ -1,7 +1,7 @@ -Roadwarrior <b>carol</b> proposes <b>3DES</b> encryption (together with -SHA-1 authentication) in the first place and <b>AES-128</b> encryption in +Roadwarrior <b>carol</b> proposes <b>3DES_CBC</b> encryption (together with +HMAC_SHA1 authentication) in the first place and <b>AES_CBC_128</b> encryption in second place for both the ISAKMP and IPsec SAs. Gateway <b>moon</b> defines -<b>ike=aes-128-sha</b> but will accept any other supported algorithm proposed +<b>ike=aes128-sha1</b> but will accept any other supported algorithm proposed by the peer during Phase 1. But for ESP encryption <b>moon</b> enforces -<b>esp=aes-128-sha1!</b> by applying the strict flag '!'. +<b>esp=aes128-sha1!</b> by applying the strict flag '!'. 
diff --git a/testing/tests/ikev1/esp-alg-strict/evaltest.dat b/testing/tests/ikev1/esp-alg-strict/evaltest.dat index d5dd12d4e..912a8d830 100644 --- a/testing/tests/ikev1/esp-alg-strict/evaltest.dat +++ b/testing/tests/ikev1/esp-alg-strict/evaltest.dat @@ -1,7 +1,7 @@ carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES -moon::cat /var/log/auth.log::IPSec Transform.*ESP_3DES (192), AUTH_ALGORITHM_HMAC_SHA1.*refused due to strict flag::YES -moon::ipsec statusall::IKE algorithm newest: 3DES_CBC_192-SHA::YES -moon::ipsec statusall::ESP algorithm newest: AES_128-HMAC_SHA1::YES -carol::ipsec statusall::IKE algorithm newest: 3DES_CBC_192-SHA::YES -carol::ipsec statusall::ESP algorithm newest: AES_128-HMAC_SHA1::YES +moon::cat /var/log/auth.log::IPSec Transform.*3DES_CBC (192), HMAC_SHA1.*refused due to strict flag::YES +moon::ipsec statusall::IKE proposal: 3DES_CBC/HMAC_SHA1::YES +moon::ipsec statusall::ESP proposal: AES_CBC_128/HMAC_SHA1::YES +carol::ipsec statusall::IKE proposal: 3DES_CBC/HMAC_SHA1::YES +carol::ipsec statusall::ESP proposal: AES_CBC_128/HMAC_SHA1::YES diff --git a/testing/tests/ikev1/esp-alg-strict/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-strict/hosts/carol/etc/ipsec.conf index 0ae6b0693..7e2de30cd 100755 --- a/testing/tests/ikev1/esp-alg-strict/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/esp-alg-strict/hosts/carol/etc/ipsec.conf @@ -11,8 +11,8 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 - ike=3des-sha,aes-128-sha - esp=3des-sha1,aes-128-sha1 + ike=3des-sha,aes128-sha1 + esp=3des-sha1,aes128-sha1 conn home left=PH_IP_CAROL diff --git a/testing/tests/ikev1/esp-alg-strict/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-strict/hosts/moon/etc/ipsec.conf index 5bf53b8bc..14f58ccc3 100755 --- a/testing/tests/ikev1/esp-alg-strict/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/esp-alg-strict/hosts/moon/etc/ipsec.conf 
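Review bot: In esp-alg-strict/hosts/carol/etc/ipsec.conf the new `ike=3des-sha,aes128-sha1` still spells the first proposal with the old `sha` keyword, while the second proposal and both `esp` entries use `sha1`; the parallel ike-alg-strict fixture in this commit has `ike=3des-sha1,aes128-sha1`. If `sha` is still accepted as an alias the test passes either way, but the mixed spelling leaves it unclear which keyword form the fixture is meant to exercise. Suggest `ike=3des-sha1,aes128-sha1`. The `conn %default` section continues outside the hunk.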
@@ -11,7 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 - ike=aes128-sha + ike=aes128-sha1 esp=aes128-sha1! conn rw diff --git a/testing/tests/ikev1/esp-alg-weak/description.txt b/testing/tests/ikev1/esp-alg-weak/description.txt index ffb6882f5..e49b6c620 100644 --- a/testing/tests/ikev1/esp-alg-weak/description.txt +++ b/testing/tests/ikev1/esp-alg-weak/description.txt @@ -1,4 +1,4 @@ -The roadwarrior <b>carol</b> proposes <b>1DES</b> encryption with MD5 authentication +The roadwarrior <b>carol</b> proposes <b>DES_CBC</b> encryption with HMAC_MD5 authentication as the only cipher suite for the IPsec SA. Because gateway <b>moon</b> does not use an explicit <b>esp</b> statement any strong encryption algorithm will be accepted but any weak key length will be rejected by default and thus the ISAKMP SA diff --git a/testing/tests/ikev1/ike-alg-sha2_384/description.txt b/testing/tests/ikev1/ike-alg-sha2_384/description.txt index a347a3fed..a0bda209c 100644 --- a/testing/tests/ikev1/ike-alg-sha2_384/description.txt +++ b/testing/tests/ikev1/ike-alg-sha2_384/description.txt @@ -1,4 +1,4 @@ Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the strong cipher suite -<b>AES_CBC_192-SHA2_384-MODP4096</b> for the IKE protocol and -<b>AES_192-HMAC_SHA2_256</b> for ESP packets. A ping from <b>carol</b> to +<b>AES_CBC_192 / HMAC_SHA2_384 / MODP4096</b> for the IKE protocol and +<b>AES_CBC_192 /HMAC_SHA2_256</b> for ESP packets. A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel. diff --git a/testing/tests/ikev1/ike-alg-sha2_384/evaltest.dat b/testing/tests/ikev1/ike-alg-sha2_384/evaltest.dat index 31959f53a..a4cc39150 100644 --- a/testing/tests/ikev1/ike-alg-sha2_384/evaltest.dat +++ b/testing/tests/ikev1/ike-alg-sha2_384/evaltest.dat 
@@ -1,8 +1,8 @@ carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES -moon::ipsec statusall::IKE algorithm newest: AES_CBC_192-SHA2_384-MODP4096::YES -carol::ipsec statusall::IKE algorithm newest: AES_CBC_192-SHA2_384-MODP4096::YES -moon::ipsec statusall::ESP algorithm newest: AES_192-HMAC_SHA2_256::YES -carol::ipsec statusall::ESP algorithm newest: AES_192-HMAC_SHA2_256::YES +moon::ipsec statusall::IKE proposal: AES_CBC_192/HMAC_SHA2_384/MODP_4096::YES +carol::ipsec statusall::IKE proposal: AES_CBC_192/HMAC_SHA2_384/MODP_4096::YES +moon::ipsec statusall::ESP proposal: AES_CBC_192/HMAC_SHA2_256::YES +carol::ipsec statusall::ESP proposal: AES_CBC_192/HMAC_SHA2_256::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES diff --git a/testing/tests/ikev1/ike-alg-sha2_512/description.txt b/testing/tests/ikev1/ike-alg-sha2_512/description.txt index 1bec4b8c6..240b8f2b0 100644 --- a/testing/tests/ikev1/ike-alg-sha2_512/description.txt +++ b/testing/tests/ikev1/ike-alg-sha2_512/description.txt @@ -1,4 +1,4 @@ Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the paranoid cipher suite -<b>AES_CBC_256-SHA2_512-MODP8192</b> for the IKE protocol and -<b>AES_256-HMAC_SHA2_256</b> for ESP packets. A ping from <b>carol</b> to +<b>AES_CBC_256 / HMAC_SHA2_512 / MODP_8192</b> for the IKE protocol and +<b>AES_CBC_256 / HMAC_SHA2_256</b> for ESP packets. A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel. diff --git a/testing/tests/ikev1/ike-alg-sha2_512/evaltest.dat b/testing/tests/ikev1/ike-alg-sha2_512/evaltest.dat index dbd35429c..10929457f 100644 --- a/testing/tests/ikev1/ike-alg-sha2_512/evaltest.dat +++ b/testing/tests/ikev1/ike-alg-sha2_512/evaltest.dat 
@@ -1,8 +1,8 @@ carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES -moon::ipsec statusall::IKE algorithm newest: AES_CBC_256-SHA2_512-MODP8192::YES -carol::ipsec statusall::IKE algorithm newest: AES_CBC_256-SHA2_512-MODP8192::YES -moon::ipsec statusall::ESP algorithm newest: AES_256-HMAC_SHA2_256::YES -carol::ipsec statusall::ESP algorithm newest: AES_256-HMAC_SHA2_256::YES +moon::ipsec statusall::IKE proposal: AES_CBC_256/HMAC_SHA2_512/MODP_8192::YES +carol::ipsec statusall::IKE proposal: AES_CBC_256/HMAC_SHA2_512/MODP_8192::YES +moon::ipsec statusall::ESP proposal: AES_CBC_256/HMAC_SHA2_256::YES +carol::ipsec statusall::ESP proposal: AES_CBC_256/HMAC_SHA2_256::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES diff --git a/testing/tests/ikev1/ike-alg-strict-fail/description.txt b/testing/tests/ikev1/ike-alg-strict-fail/description.txt index 03c655480..252080e80 100644 --- a/testing/tests/ikev1/ike-alg-strict-fail/description.txt +++ b/testing/tests/ikev1/ike-alg-strict-fail/description.txt @@ -1,5 +1,5 @@ -The roadwarrior <b>carol</b> proposes <b>3DES</b> encryption with SHA-1 authentication +The roadwarrior <b>carol</b> proposes <b>3DES_CBC</b> encryption with HMAC_SHA1 authentication as the only cipher suite for both the ISAKMP and IPsec SA. The gateway <b>moon</b> defines -<b>ike=aes-128-sha</b> only, but will accept any other support algorithm proposed by the peer, +<b>ike=aes128-sha1</b> only, but will accept any other support algorithm proposed by the peer, leading to a successful negotiation of Phase 1. Because for Phase 2 <b>moon</b> enforces -<b>esp=aes-128-sha1!</b> by using the strict flag '!', the ISAKMP SA will fail. +<b>esp=aes128-sha1!</b> by using the strict flag '!', the ISAKMP SA will fail. 
diff --git a/testing/tests/ikev1/ike-alg-strict-fail/evaltest.dat b/testing/tests/ikev1/ike-alg-strict-fail/evaltest.dat index 931b8855a..0c6bc7f7e 100644 --- a/testing/tests/ikev1/ike-alg-strict-fail/evaltest.dat +++ b/testing/tests/ikev1/ike-alg-strict-fail/evaltest.dat @@ -1,5 +1,5 @@ carol::ipsec status::home.*STATE_MAIN_I4.*ISAKMP SA established::NO moon::ipsec status::rw.*STATE_MAIN_R3.*ISAKMP SA established::NO carol::cat /var/log/auth.log::NO_PROPOSAL_CHOSEN::YES -moon::cat /var/log/auth.log::Oakley Transform.*OAKLEY_3DES_CBC (192), OAKLEY_SHA.*refused due to strict flag::YES +moon::cat /var/log/auth.log::Oakley Transform.*3DES_CBC (192), HMAC_SHA1.*refused due to strict flag::YES moon::cat /var/log/auth.log::no acceptable Oakley Transform::YES diff --git a/testing/tests/ikev1/ike-alg-strict-fail/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/ike-alg-strict-fail/hosts/carol/etc/ipsec.conf index cbe5469f0..63ad1c01d 100755 --- a/testing/tests/ikev1/ike-alg-strict-fail/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/ike-alg-strict-fail/hosts/carol/etc/ipsec.conf @@ -11,7 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 - ike=3des-sha + ike=3des-sha1 esp=3des-sha1 conn home diff --git a/testing/tests/ikev1/ike-alg-strict-fail/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/ike-alg-strict-fail/hosts/moon/etc/ipsec.conf index 42e5f8404..1ea5fe7a5 100755 --- a/testing/tests/ikev1/ike-alg-strict-fail/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/ike-alg-strict-fail/hosts/moon/etc/ipsec.conf @@ -11,7 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 - ike=aes128-sha! + ike=aes128-sha1! esp=aes128-sha1 conn rw diff --git a/testing/tests/ikev1/ike-alg-strict/description.txt b/testing/tests/ikev1/ike-alg-strict/description.txt index 35d266e20..af93b95c3 100644 --- a/testing/tests/ikev1/ike-alg-strict/description.txt +++ b/testing/tests/ikev1/ike-alg-strict/description.txt 
@@ -1,5 +1,5 @@ -The roadwarrior <b>carol</b> proposes <b>3DES</b> encryption with <b>SHA-1</b> authentication in the first place -and <b>AES-128</b> encryption with <b>SHA-1</b> authentication in the second place for both the ISAKMP and IPsec SA. -The gateway <b>moon</b> enforces <b>ike=aes-128-sha!</b> for Phase 1 by using the strict flag '!', +The roadwarrior <b>carol</b> proposes <b>3DES_CBC</b> encryption with <b>HMAC_SHA1</b> authentication in the first place +and <b>AES_CBC_128</b> encryption with <b>HMAC_SHA1</b> authentication in the second place for both the ISAKMP and IPsec SA. +The gateway <b>moon</b> enforces <b>ike=aes128-sha!</b> for Phase 1 by using the strict flag '!', but will accept any other supported algorithm proposed by the peer for Phase 2 , even though <b>moon</b> -defines itself <b>esp=aes-128-sha1</b> only. +defines itself <b>esp=aes128-sha1</b> only. diff --git a/testing/tests/ikev1/ike-alg-strict/evaltest.dat b/testing/tests/ikev1/ike-alg-strict/evaltest.dat index 46140be8a..8acd0d039 100644 --- a/testing/tests/ikev1/ike-alg-strict/evaltest.dat +++ b/testing/tests/ikev1/ike-alg-strict/evaltest.dat 
@@ -1,7 +1,7 @@ carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES -moon::cat /var/log/auth.log::Oakley Transform.*OAKLEY_3DES_CBC (192), OAKLEY_SHA.*refused due to strict flag::YES -moon::ipsec statusall::IKE algorithm newest: AES_CBC_128-SHA::YES -moon::ipsec statusall::ESP algorithm newest: 3DES_0-HMAC_SHA1::YES -carol::ipsec statusall::IKE algorithm newest: AES_CBC_128-SHA::YES -carol::ipsec statusall::ESP algorithm newest: 3DES_0-HMAC_SHA1::YES +moon::cat /var/log/auth.log::Oakley Transform.*3DES_CBC (192), HMAC_SHA1.*refused due to strict flag::YES +moon::ipsec statusall::IKE proposal: AES_CBC_128/HMAC_SHA1::YES +moon::ipsec statusall::ESP proposal: 3DES_CBC/HMAC_SHA1::YES +carol::ipsec statusall::IKE proposal: AES_CBC_128/HMAC_SHA::YES +carol::ipsec statusall::ESP proposal: 3DES_CBC/HMAC_SHA1::YES diff --git a/testing/tests/ikev1/ike-alg-strict/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/ike-alg-strict/hosts/carol/etc/ipsec.conf index b8e2257c4..9272bdc7f 100755 --- a/testing/tests/ikev1/ike-alg-strict/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/ike-alg-strict/hosts/carol/etc/ipsec.conf @@ -11,8 +11,8 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 - ike=3des-sha,aes-128-sha - esp=3des-sha1,aes-128-sha1 + ike=3des-sha1,aes128-sha1 + esp=3des-sha1,aes128-sha1 conn home left=PH_IP_CAROL leftcert=carolCert.pem diff --git a/testing/tests/ikev1/ike-alg-strict/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/ike-alg-strict/hosts/moon/etc/ipsec.conf index 42e5f8404..1ea5fe7a5 100755 --- a/testing/tests/ikev1/ike-alg-strict/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/ike-alg-strict/hosts/moon/etc/ipsec.conf @@ -11,7 +11,7 @@ conn %default keylife=20m rekeymargin=3m keyingtries=1 - ike=aes128-sha! + ike=aes128-sha1! esp=aes128-sha1 conn rw 
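Review bot: In ike-alg-strict/evaltest.dat the added carol check `IKE proposal: AES_CBC_128/HMAC_SHA::YES` lacks the trailing `1` that the matching moon line has (`AES_CBC_128/HMAC_SHA1`). Assuming the pattern is matched as a substring, as the `.*` forms on this page suggest, it also matches `HMAC_SHA2_256` and the other SHA-2 names used elsewhere in this suite, so it no longer pins the integrity algorithm on the initiator side. Suggest `carol::ipsec statusall::IKE proposal: AES_CBC_128/HMAC_SHA1::YES`.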
diff --git a/testing/tests/ikev1/mode-config/evaltest.dat b/testing/tests/ikev1/mode-config/evaltest.dat index 9d60cf7b0..69f77946e 100644 --- a/testing/tests/ikev1/mode-config/evaltest.dat +++ b/testing/tests/ikev1/mode-config/evaltest.dat @@ -1,4 +1,6 @@ carol::cat /var/log/auth.log::setting virtual IP source address to PH_IP_CAROL1::YES +carol::cat /var/log/auth.log::received IPv4 DNS server address PH_IP_WINNETOU::YES +carol::cat /var/log/auth.log::received IPv6 DNS server address fec1\:\:20::YES carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES dave::cat /var/log/auth.log::setting virtual IP source address to PH_IP_DAVE1::YES diff --git a/testing/tests/ikev1/mode-config/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/mode-config/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..3e950c81d --- /dev/null +++ b/testing/tests/ikev1/mode-config/hosts/moon/etc/strongswan.conf @@ -0,0 +1,13 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = sha1 sha2 md5 aes des hmac gmp pubkey random curl + dns1 = PH_IP_WINNETOU + dns2 = PH_IP6_VENUS +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/multi-level-ca-ldap/evaltest.dat b/testing/tests/ikev1/multi-level-ca-ldap/evaltest.dat index f504706e2..9cfa502aa 100644 --- a/testing/tests/ikev1/multi-level-ca-ldap/evaltest.dat +++ b/testing/tests/ikev1/multi-level-ca-ldap/evaltest.dat 
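Review bot: In mode-config/hosts/moon/etc/strongswan.conf the comment `# pluto uses optimized DH exponent sizes (RFC 3526)` above `dh_exponent_ansi_x9_42 = no` does not say when the shorter exponents are appropriate. The same block is repeated in the other new strongswan.conf fixtures of this commit (multi-level-ca-ldap, nat-two-rw-psk, net2net-psk, net2net-psk-fail, req-pkcs10, rw-cert, rw-psk-*, self-signed, xauth-psk-mode-config). Short exponents are only a sound trade-off for safe-prime MODP groups such as those of RFC 3526, and test fixtures tend to be copied into real configurations. The comment could carry that condition, for example `# short DH exponents: only with safe-prime MODP groups (RFC 3526); otherwise keep the default (yes)`.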
@@ -2,7 +2,7 @@ moon::cat /var/log/auth.log::PH_IP_CAROL.*X.509 certificate rejected::YES carol::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES moon::cat /var/log/auth.log::PH_IP_DAVE.*X.509 certificate rejected::YES dave::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES -moon::cat /var/log/auth.log::Trying LDAP URL::YES +moon::cat /var/log/auth.log::fetching crl from .*ldap://ldap.strongswan.org::YES carol::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::YES moon::ipsec status::alice.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::YES carol::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::NO diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..b15cf2d3f --- /dev/null +++ b/testing/tests/ikev1/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = sha1 sha2 md5 aes des hmac gmp pubkey random curl ldap +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..b15cf2d3f --- /dev/null +++ b/testing/tests/ikev1/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = sha1 sha2 md5 aes des hmac gmp pubkey random curl ldap +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} 
diff --git a/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..b15cf2d3f
--- /dev/null
+++ b/testing/tests/ikev1/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = sha1 sha2 md5 aes des hmac gmp pubkey random curl ldap
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/nat-two-rw-psk/hosts/alice/etc/strongswan.conf b/testing/tests/ikev1/nat-two-rw-psk/hosts/alice/etc/strongswan.conf
new file mode 100644
index 000000000..85e5f1aee
--- /dev/null
+++ b/testing/tests/ikev1/nat-two-rw-psk/hosts/alice/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = sha1 sha2 md5 aes des hmac gmp random
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..85e5f1aee
--- /dev/null
+++ b/testing/tests/ikev1/nat-two-rw-psk/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = sha1 sha2 md5 aes des hmac gmp random
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/nat-two-rw-psk/hosts/venus/etc/strongswan.conf b/testing/tests/ikev1/nat-two-rw-psk/hosts/venus/etc/strongswan.conf
new file mode 100644
index 000000000..85e5f1aee
--- /dev/null
+++ b/testing/tests/ikev1/nat-two-rw-psk/hosts/venus/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = sha1 sha2 md5 aes des hmac gmp random
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..85e5f1aee
--- /dev/null
+++ b/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = sha1 sha2 md5 aes des hmac gmp random
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..85e5f1aee
--- /dev/null
+++ b/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = sha1 sha2 md5 aes des hmac gmp random
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/net2net-psk/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/net2net-psk/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..85e5f1aee
--- /dev/null
+++ b/testing/tests/ikev1/net2net-psk/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = sha1 sha2 md5 aes des hmac gmp random
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/net2net-psk/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/net2net-psk/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..85e5f1aee
--- /dev/null +++ b/testing/tests/ikev1/net2net-psk/hosts/sun/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = sha1 sha2 md5 aes des hmac gmp random +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/no-priv-key/evaltest.dat b/testing/tests/ikev1/no-priv-key/evaltest.dat index 9bd85ba12..c2612167a 100644 --- a/testing/tests/ikev1/no-priv-key/evaltest.dat +++ b/testing/tests/ikev1/no-priv-key/evaltest.dat @@ -1,4 +1,4 @@ -carol::cat /var/log/auth.log::unable to locate my private key for RSA Signature::YES -moon::cat /var/log/auth.log::ignoring informational payload, type AUTHENTICATION_FAILED::YES +carol::cat /var/log/auth.log::unable to locate my private key::YES +carol::cat /var/log/auth.log::empty ISAKMP SA proposal to send::YES moon::ipsec status::rw.*STATE_MAIN_R3.*ISAKMP SA established::NO carol::ipsec status::home.*STATE_MAIN_I4.*ISAKMP SA established::NO diff --git a/testing/tests/ikev1/protoport-route/evaltest.dat b/testing/tests/ikev1/protoport-route/evaltest.dat index 759295675..b266d86d8 100644 --- a/testing/tests/ikev1/protoport-route/evaltest.dat +++ b/testing/tests/ikev1/protoport-route/evaltest.dat @@ -1,5 +1,5 @@ -carol::ping -c 2 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq::YES -carol::ping -c 2 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq::YES +carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq::YES carol::ssh PH_IP_ALICE hostname::alice::YES carol::cat /var/log/auth.log::initiate on demand::YES carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES diff --git a/testing/tests/ikev1/protoport-route/pretest.dat b/testing/tests/ikev1/protoport-route/pretest.dat index f233ad48f..b1fc81827 100644 --- a/testing/tests/ikev1/protoport-route/pretest.dat 
+++ b/testing/tests/ikev1/protoport-route/pretest.dat @@ -2,5 +2,7 @@ moon::/etc/init.d/iptables start 2> /dev/null carol::/etc/init.d/iptables start 2> /dev/null moon::ipsec start carol::ipsec start +carol::sleep 1 +carol::ssh -o ConnectTimeout=5 PH_IP_ALICE hostname +carol::ping -c 1 PH_IP_ALICE > /dev/null carol::sleep 2 -carol::ssh PH_IP_ALICE hostname diff --git a/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..52fd0c788 --- /dev/null +++ b/testing/tests/ikev1/req-pkcs10/hosts/carol/etc/strongswan.conf @@ -0,0 +1,15 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = sha1 sha2 md5 aes des hmac gmp pubkey random curl +} + +scepclient { + load = sha1 sha2 md5 aes des hmac gmp pubkey random +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/req-pkcs10/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/req-pkcs10/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..52fd0c788 --- /dev/null +++ b/testing/tests/ikev1/req-pkcs10/hosts/moon/etc/strongswan.conf @@ -0,0 +1,15 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = sha1 sha2 md5 aes des hmac gmp pubkey random curl +} + +scepclient { + load = sha1 sha2 md5 aes des hmac gmp pubkey random +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-cert/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..304ef99e0 --- /dev/null +++ b/testing/tests/ikev1/rw-cert/hosts/carol/etc/strongswan.conf 
@@ -0,0 +1,14 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = test-vectors sha1 sha2 md5 aes des hmac gmp pubkey random curl
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+ crypto_test {
+ on_add = yes
+ }
+}
diff --git a/testing/tests/ikev1/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-cert/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..304ef99e0
--- /dev/null
+++ b/testing/tests/ikev1/rw-cert/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,14 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = test-vectors sha1 sha2 md5 aes des hmac gmp pubkey random curl
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+ crypto_test {
+ on_add = yes
+ }
+}
diff --git a/testing/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..85e5f1aee
--- /dev/null
+++ b/testing/tests/ikev1/rw-psk-fqdn-named/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = sha1 sha2 md5 aes des hmac gmp random
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..85e5f1aee
--- /dev/null
+++ b/testing/tests/ikev1/rw-psk-fqdn-named/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = sha1 sha2 md5 aes des hmac gmp random
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..85e5f1aee
--- /dev/null
+++ b/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = sha1 sha2 md5 aes des hmac gmp random
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..85e5f1aee
--- /dev/null
+++ b/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = sha1 sha2 md5 aes des hmac gmp random
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..85e5f1aee
--- /dev/null
+++ b/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = sha1 sha2 md5 aes des hmac gmp random
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..85e5f1aee
--- /dev/null
+++ b/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = sha1 sha2 md5 aes des hmac gmp random
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/rw-psk-no-policy/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-no-policy/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..85e5f1aee
--- /dev/null
+++ b/testing/tests/ikev1/rw-psk-no-policy/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = sha1 sha2 md5 aes des hmac gmp random
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/rw-psk-no-policy/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-no-policy/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..85e5f1aee
--- /dev/null
+++ b/testing/tests/ikev1/rw-psk-no-policy/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = sha1 sha2 md5 aes des hmac gmp random
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/rw-psk-rsa-mixed/evaltest.dat b/testing/tests/ikev1/rw-psk-rsa-mixed/evaltest.dat
index 9e1354121..5ab6632cc 100644
--- a/testing/tests/ikev1/rw-psk-rsa-mixed/evaltest.dat
+++ b/testing/tests/ikev1/rw-psk-rsa-mixed/evaltest.dat
@@ -2,6 +2,6 @@ carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
 dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
 moon::cat /var/log/auth.log::peer requests PSK authentication::YES
 moon::ipsec status::rw-psk.*PH_IP_CAROL STATE_QUICK_R2.*IPsec SA established::YES
-moon::cat /var/log/auth.log::peer requests RSASIG authentication::YES
+moon::cat /var/log/auth.log::peer requests PUBKEY authentication::YES
 moon::ipsec status::rw-rsasig.*PH_IP_DAVE STATE_QUICK_R2.*IPsec SA established::YES
diff --git a/testing/tests/ikev1/rw-rsa-no-policy/evaltest.dat b/testing/tests/ikev1/rw-rsa-no-policy/evaltest.dat
index 188b7bbb5..849ae5d66 100644
--- a/testing/tests/ikev1/rw-rsa-no-policy/evaltest.dat
+++ b/testing/tests/ikev1/rw-rsa-no-policy/evaltest.dat
@@ -1,5 +1,5 @@
 carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::NO
-moon::cat /var/log/auth.log::peer requests RSASIG authentication::YES
-moon::cat /var/log/auth.log::but no connection has been authorized with policy=RSASIG::YES
+moon::cat /var/log/auth.log::peer requests PUBKEY authentication::YES
+moon::cat /var/log/auth.log::but no connection has been authorized with policy=PUBKEY::YES
 moon::ipsec status::*PH_IP_CAROL STATE_QUICK_R2.*IPsec SA established::NO
diff --git a/testing/tests/ikev1/self-signed/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/self-signed/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..52fd0c788
--- /dev/null
+++ b/testing/tests/ikev1/self-signed/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,15 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = sha1 sha2 md5 aes des hmac gmp pubkey random curl
+}
+
+scepclient {
+ load = sha1 sha2 md5 aes des hmac gmp pubkey random
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
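Review bot: The comment `# pluto uses optimized DH exponent sizes (RFC 3526)` in the added self-signed/hosts/carol strongswan.conf presents the setting as pluto-specific, yet `dh_exponent_ansi_x9_42 = no` sits in the `libstrongswan` section, so it presumably applies to anything that uses the library's DH code rather than to pluto alone. The comment also does not say what is traded: with `no`, exponents are sized to the group's estimated strength instead of the full-length ANSI X9.42 exponents that are the default. Test fixtures tend to get copied into real setups, so I would reword it along the lines of `# library-wide: DH exponents sized per RFC 3526 instead of ANSI X9.42 (default: yes)`. The same comment appears in the other strongswan.conf files this commit adds (rw-psk-*, xauth-psk*, self-signed/hosts/moon).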
diff --git a/testing/tests/ikev1/self-signed/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/self-signed/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..52fd0c788
--- /dev/null
+++ b/testing/tests/ikev1/self-signed/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,15 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = sha1 sha2 md5 aes des hmac gmp pubkey random curl
+}
+
+scepclient {
+ load = sha1 sha2 md5 aes des hmac gmp pubkey random
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/xauth-psk-mode-config/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-psk-mode-config/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..85e5f1aee
--- /dev/null
+++ b/testing/tests/ikev1/xauth-psk-mode-config/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = sha1 sha2 md5 aes des hmac gmp random
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/xauth-psk-mode-config/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-psk-mode-config/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..85e5f1aee
--- /dev/null
+++ b/testing/tests/ikev1/xauth-psk-mode-config/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = sha1 sha2 md5 aes des hmac gmp random
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/xauth-psk-mode-config/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-psk-mode-config/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..85e5f1aee
--- /dev/null
+++ b/testing/tests/ikev1/xauth-psk-mode-config/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = sha1 sha2 md5 aes des hmac gmp random
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/xauth-psk/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-psk/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..85e5f1aee
--- /dev/null
+++ b/testing/tests/ikev1/xauth-psk/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = sha1 sha2 md5 aes des hmac gmp random
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/xauth-psk/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-psk/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..85e5f1aee
--- /dev/null
+++ b/testing/tests/ikev1/xauth-psk/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = sha1 sha2 md5 aes des hmac gmp random
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/xauth-psk/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-psk/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..85e5f1aee
--- /dev/null
+++ b/testing/tests/ikev1/xauth-psk/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = sha1 sha2 md5 aes des hmac gmp random
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
|