diff options
Diffstat (limited to 'testing/tests/ikev2/default-keys')
| -rw-r--r-- | testing/tests/ikev2/default-keys/description.txt | 6 | ||||
| -rw-r--r-- | testing/tests/ikev2/default-keys/evaltest.dat | 10 | ||||
| -rw-r--r--[-rwxr-xr-x] | testing/tests/ikev2/default-keys/hosts/carol/etc/ipsec.conf | 2 | ||||
| -rw-r--r-- | testing/tests/ikev2/default-keys/hosts/carol/etc/strongswan.conf | 4 | ||||
| -rwxr-xr-x | testing/tests/ikev2/default-keys/hosts/moon/etc/init.d/iptables | 82 | ||||
| -rw-r--r--[-rwxr-xr-x] | testing/tests/ikev2/default-keys/hosts/moon/etc/ipsec.conf | 2 | ||||
| -rw-r--r-- | testing/tests/ikev2/default-keys/hosts/moon/etc/iptables.rules | 30 | ||||
| -rw-r--r-- | testing/tests/ikev2/default-keys/hosts/moon/etc/strongswan.conf | 4 | ||||
| -rw-r--r-- | testing/tests/ikev2/default-keys/posttest.dat | 4 | ||||
| -rw-r--r-- | testing/tests/ikev2/default-keys/pretest.dat | 11 | ||||
| -rw-r--r-- | testing/tests/ikev2/default-keys/test.conf | 10 |
11 files changed, 56 insertions, 109 deletions
diff --git a/testing/tests/ikev2/default-keys/description.txt b/testing/tests/ikev2/default-keys/description.txt index 639e909da..889f8297a 100644 --- a/testing/tests/ikev2/default-keys/description.txt +++ b/testing/tests/ikev2/default-keys/description.txt @@ -1,8 +1,8 @@ Because of the missing <b>/etc/ipsec.secrets</b> file, roadwarrior <b>carol</b> and gateway <b>moon</b> each automatically generate a PKCS#1 RSA private key -and a self-signed X.509 certificate. Because the UML testing environment does -not offer enough entropy, the non-blocking /dev/urandom device is used in place -of /dev/random for generating the random primes. +and a self-signed X.509 certificate. Because the virtual testing environment +does not offer enough entropy, the non-blocking /dev/urandom device is used in +place of /dev/random for generating the random primes. <p> The self-signed certificates are then distributed to the peers via scp and are used to set up a road warrior connection initiated by <b>carol</b> diff --git a/testing/tests/ikev2/default-keys/evaltest.dat b/testing/tests/ikev2/default-keys/evaltest.dat index 2c1e11c97..4df2d1e11 100644 --- a/testing/tests/ikev2/default-keys/evaltest.dat +++ b/testing/tests/ikev2/default-keys/evaltest.dat @@ -1,7 +1,9 @@ carol::cat /var/log/auth.log::scepclient::YES -moon::cat /var/log/auth.log::scepclient::YES -carol::ipsec statusall::home.*ESTABLISHED::YES -moon::ipsec statusall::carol.*ESTABLISHED::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon:: cat /var/log/auth.log::scepclient::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*CN=carol.*CN=moon::YES +moon:: ipsec status 2> /dev/null::carol.*ESTABLISHED.*CN=moon.*CN=carol::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::carol.*INSTALLED, TUNNEL::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/default-keys/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/default-keys/hosts/carol/etc/ipsec.conf index 9574f18bb..15aba18e5 100755..100644 --- a/testing/tests/ikev2/default-keys/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/default-keys/hosts/carol/etc/ipsec.conf @@ -1,8 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/default-keys/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/default-keys/hosts/carol/etc/strongswan.conf index eabe265ca..5a243caab 100644 --- a/testing/tests/ikev2/default-keys/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/default-keys/hosts/carol/etc/strongswan.conf @@ -1,9 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } scepclient { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce } diff --git a/testing/tests/ikev2/default-keys/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/default-keys/hosts/moon/etc/init.d/iptables deleted file mode 100755 index 5a262c084..000000000 --- a/testing/tests/ikev2/default-keys/hosts/moon/etc/init.d/iptables +++ /dev/null @@ -1,82 +0,0 @@ -#!/sbin/runscript -# Copyright 1999-2004 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 - -opts="start stop reload" - -depend() { - before net - need logger -} - -start() { - ebegin "Starting firewall" - - # enable IP forwarding - echo 1 > /proc/sys/net/ipv4/ip_forward - - # default policy is DROP - /sbin/iptables -P INPUT DROP - /sbin/iptables -P OUTPUT DROP - /sbin/iptables -P FORWARD DROP - - # allow esp - iptables -A INPUT -i eth0 -p 50 -j ACCEPT - iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT - - # allow IKE - iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT - - # allow MobIKE - iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT - - # allow crl fetch from winnetou - iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT - iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT - - # allow ssh - iptables -A INPUT -p tcp --dport 22 -j ACCEPT - iptables -A INPUT -p tcp --sport 22 -j ACCEPT - iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT - iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT - - eend $? -} - -stop() { - ebegin "Stopping firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - - if [ $a == nat ]; then - /sbin/iptables -t nat -P PREROUTING ACCEPT - /sbin/iptables -t nat -P POSTROUTING ACCEPT - /sbin/iptables -t nat -P OUTPUT ACCEPT - elif [ $a == mangle ]; then - /sbin/iptables -t mangle -P PREROUTING ACCEPT - /sbin/iptables -t mangle -P INPUT ACCEPT - /sbin/iptables -t mangle -P FORWARD ACCEPT - /sbin/iptables -t mangle -P OUTPUT ACCEPT - /sbin/iptables -t mangle -P POSTROUTING ACCEPT - elif [ $a == filter ]; then - /sbin/iptables -t filter -P INPUT ACCEPT - /sbin/iptables -t filter -P FORWARD ACCEPT - /sbin/iptables -t filter -P OUTPUT ACCEPT - fi - done - eend $? -} - -reload() { - ebegin "Flushing firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - done; - eend $? - start -} - diff --git a/testing/tests/ikev2/default-keys/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/default-keys/hosts/moon/etc/ipsec.conf index 5b2c4e3f4..278943d28 100755..100644 --- a/testing/tests/ikev2/default-keys/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/default-keys/hosts/moon/etc/ipsec.conf @@ -1,8 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/default-keys/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/default-keys/hosts/moon/etc/iptables.rules new file mode 100644 index 000000000..72a1c17c3 --- /dev/null +++ b/testing/tests/ikev2/default-keys/hosts/moon/etc/iptables.rules @@ -0,0 +1,30 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow esp +-A INPUT -i eth0 -p 50 -j ACCEPT +-A OUTPUT -o eth0 -p 50 -j ACCEPT + +# allow IKE +-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --sport 22 -j ACCEPT +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT +-A OUTPUT -p tcp --dport 22 -j ACCEPT + +# allow crl fetch from winnetou +-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT +-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + +COMMIT diff --git a/testing/tests/ikev2/default-keys/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/default-keys/hosts/moon/etc/strongswan.conf index eabe265ca..5a243caab 100644 --- a/testing/tests/ikev2/default-keys/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/default-keys/hosts/moon/etc/strongswan.conf @@ -1,9 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } scepclient { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce } diff --git a/testing/tests/ikev2/default-keys/posttest.dat b/testing/tests/ikev2/default-keys/posttest.dat index 8cada5e7e..25f737ecc 100644 --- a/testing/tests/ikev2/default-keys/posttest.dat +++ b/testing/tests/ikev2/default-keys/posttest.dat @@ -1,7 +1,7 @@ moon::ipsec stop carol::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush carol::rm /etc/ipsec.d/private/* carol::rm /etc/ipsec.d/certs/* moon::rm /etc/ipsec.d/private/* diff --git a/testing/tests/ikev2/default-keys/pretest.dat b/testing/tests/ikev2/default-keys/pretest.dat index 88f9a2ca9..ef5f67097 100644 --- a/testing/tests/ikev2/default-keys/pretest.dat +++ b/testing/tests/ikev2/default-keys/pretest.dat @@ -1,5 +1,5 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules carol::rm /etc/ipsec.secrets carol::rm /etc/ipsec.d/private/* carol::rm /etc/ipsec.d/certs/* @@ -10,9 +10,10 @@ moon::rm /etc/ipsec.d/private/* moon::rm /etc/ipsec.d/certs/* moon::rm /etc/ipsec.d/cacerts/* moon::ipsec start -moon::sleep 5 +moon::sleep 5 moon::scp /etc/ipsec.d/certs/selfCert.der carol:/etc/ipsec.d/certs/peerCert.der moon::scp carol:/etc/ipsec.d/certs/selfCert.der /etc/ipsec.d/certs/peerCert.der -moon::ipsec reload -carol::ipsec reload +moon::ipsec reload +carol::ipsec reload +carol::sleep 1 carol::ipsec up home diff --git a/testing/tests/ikev2/default-keys/test.conf b/testing/tests/ikev2/default-keys/test.conf index 0baa48d90..ce84ce41a 100644 --- a/testing/tests/ikev2/default-keys/test.conf +++ b/testing/tests/ikev2/default-keys/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon carol" +VIRTHOSTS="alice moon carol" # Corresponding block diagram # DIAGRAM="a-m-c.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol" |