diff options
Diffstat (limited to 'testing/tests/ikev2/nat-portswitch')
9 files changed, 138 insertions, 0 deletions
diff --git a/testing/tests/ikev2/nat-portswitch/description.txt b/testing/tests/ikev2/nat-portswitch/description.txt new file mode 100644 index 000000000..93b779ee1 --- /dev/null +++ b/testing/tests/ikev2/nat-portswitch/description.txt @@ -0,0 +1,6 @@ +The roadwarrior <b>alice</b> sitting behind the NAT router <b>moon</b> sets up a connection +to gateway <b>sun</b> using IKEv2. UDP encapsulation is used to traverse the NAT router. +The authentication is based on locally loaded <b>X.509 certificates</b>. +After the IPsec Setup NAT router moon "crashes" (i.e. flushes its conntrack +table) and with the next dpd sent from <b>alice</b> a dynamical address update +should occur in gateway <b>sun</b>. diff --git a/testing/tests/ikev2/nat-portswitch/evaltest.dat b/testing/tests/ikev2/nat-portswitch/evaltest.dat new file mode 100644 index 000000000..75b01a551 --- /dev/null +++ b/testing/tests/ikev2/nat-portswitch/evaltest.dat @@ -0,0 +1,10 @@ +sun::ipsec statusall::rw-alice.*ESTABLISHED::YES +alice::ipsec statusall::home.*ESTABLISHED::YES +moon::cmd::iptables -t nat -F::YES +moon::cmd::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:3024-3100::YES +moon::cmd::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:4000-4100::YES +moon::cmd::conntrack -F::YES +alice::cmd::sleep 75::YES +bob::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP, length: 132::YES +moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP, length: 132::YES diff --git a/testing/tests/ikev2/nat-portswitch/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/nat-portswitch/hosts/alice/etc/ipsec.conf new file mode 100644 index 000000000..cd9de533a --- /dev/null +++ b/testing/tests/ikev2/nat-portswitch/hosts/alice/etc/ipsec.conf @@ -0,0 +1,17 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutostart=no + +conn home + left=PH_IP_ALICE + leftcert=aliceCert.pem + leftid=alice@strongswan.org + right=PH_IP_SUN + rightcert=sunCert.pem + rightid=@sun.strongswan.org + rightsubnet=10.2.0.0/16 + keyexchange=ikev2 + auto=add diff --git a/testing/tests/ikev2/nat-portswitch/hosts/alice/etc/ipsec.d/certs/sunCert.pem b/testing/tests/ikev2/nat-portswitch/hosts/alice/etc/ipsec.d/certs/sunCert.pem new file mode 100644 index 000000000..e7825e3db --- /dev/null +++ b/testing/tests/ikev2/nat-portswitch/hosts/alice/etc/ipsec.d/certs/sunCert.pem @@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIIECzCCAvOgAwIBAgIBAjANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA0MDkxMDExMTU1M1oXDTA5MDkwOTExMTU1M1owRTELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN1bi5z +dHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOQ8 +foB9h5BZ92gA5JkQTJNuoF6FAzoq91Gh7To27/g74p01+SUnsSaBfPmNfGp4avdS +Ewy2dWMA/7uj0Dbe8MEKssNztp0JQubp2s7n8mrrQLGsqB6YAS09l75XDjS3yqTC +AtH1kD4zAl/j/AyeQBuLR4CyJEmC/rqD3/a+pr42CaljuFBgBRpCTUpU4mlslZSe +zv9wu61PwTFxb8VDlBHUd/lwkXThKgU3uEhWRxLahpSldEGmiTTmx30k/XbOMF2n +HObEHt5EY9uWRGGbj81ZRWiNk0dNtbpneUHv/NvdWLc591M8cEGEQdWW2XTVbL2G +N67q8hdzGgIvb7QJPMcCAwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQD +AgOoMB0GA1UdDgQWBBQ9xLkyCBbyQmRet0vvV1Fg6z5q2DBtBgNVHSMEZjBkgBRd +p91wBlEyfue2bbO15eBg6i5N76FJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoT +EExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIB +ADAdBgNVHREEFjAUghJzdW4uc3Ryb25nc3dhbi5vcmcwOQYDVR0fBDIwMDAuoCyg +KoYoaHR0cDovL2NybC5zdHJvbmdzd2FuLm9yZy9zdHJvbmdzd2FuLmNybDANBgkq +hkiG9w0BAQQFAAOCAQEAGQQroiAa0SwwhJprGd7OM+rfBJAGbsa3DPzFCfHX1R7i +ZyDs9aph1DK+IgUa377Ev1U7oB0EldpmOoJJugCjtNLfpW3t1RXBERL/QfpO2+VP +Wt3SfZ0Oq48jiqB1MVLMZRPCICZEQjT4sJ3HYs5ZuucuvoxeMx3rQ4HxUtHtMD3S +5JNMwFFiOXAjyIyrTlb7YuRJTT5hE+Rms8GUQ5Xnt7zKZ7yfoSLFzy0/cLFPdQvE +JA7w8crODCZpDgEKVHVyUWuyt1O46N3ydUfDcnKJoQ9HWHm3xCbDex5MHTnvm1lk +Stx71CGM7TE6VPy028UlrSw0JqEwCVwstei2cMzwgA== +-----END CERTIFICATE----- diff --git a/testing/tests/ikev2/nat-portswitch/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/nat-portswitch/hosts/sun/etc/ipsec.conf new file mode 100644 index 000000000..a7722142f --- /dev/null +++ b/testing/tests/ikev2/nat-portswitch/hosts/sun/etc/ipsec.conf @@ -0,0 +1,20 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutostart=no + +conn %default + left=PH_IP_SUN + leftcert=sunCert.pem + leftid=@sun.strongswan.org + leftsubnet=10.2.0.0/16 + keyexchange=ikev2 + +conn rw-alice + right=%any + rightcert=aliceCert.pem + rightid=alice@strongswan.org + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/ikev2/nat-portswitch/hosts/sun/etc/ipsec.d/certs/aliceCert.pem b/testing/tests/ikev2/nat-portswitch/hosts/sun/etc/ipsec.d/certs/aliceCert.pem new file mode 100644 index 000000000..e99ae8ec7 --- /dev/null +++ b/testing/tests/ikev2/nat-portswitch/hosts/sun/etc/ipsec.d/certs/aliceCert.pem @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEHzCCAwegAwIBAgIBBTANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA0MDkxMDExMjQzOVoXDTA5MDkwOTExMjQzOVowVzELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsTBVNhbGVz +MR0wGwYDVQQDFBRhbGljZUBzdHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcNAQEB +BQADggEPADCCAQoCggEBAK7FyvkE18/oujCaTd8GXBNOH+Cvoy0ibJ8j2sNsBrer +GS1lgxRs8zaVfK9fosadu0UZeWIHsOKkew5469sPvkKK2SGGH+pu+x+xO/vuaEG4 +FlkAu8iGFWLQycLt6BJfcqw7FT8rwNuD18XXBXmP7hRavi/TEElbVYHbO7lm8T5W +6hTr/sYddiSB7X9/ba7JBy6lxmBcUAx5bjiiHLaW/llefkqyhc6dw5nvPZ2DchvH +v/HWvLF9bsvxbBkHU0/z/CEsRuMBI7EPEL4rx3UqmuCUAqiMJTS3IrDaIlfJOLWc +KlbsnE6hHpwmt9oDB9iWBY9WeZUSAtJGFw4b7FCZvQ0CAwEAAaOCAQYwggECMAkG +A1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBRZmh0JtiNTjBsQsfD7ECNa +60iG2jBtBgNVHSMEZjBkgBRdp91wBlEyfue2bbO15eBg6i5N76FJpEcwRTELMAkG +A1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0 +cm9uZ1N3YW4gUm9vdCBDQYIBADAfBgNVHREEGDAWgRRhbGljZUBzdHJvbmdzd2Fu +Lm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3Jn +L3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBBAUAA4IBAQADdQIlJkFtmHEjtuyo +2aIcrsUx98FtvVgB7RpQB8JZlly7UEjvX0CIIvW/7Al5/8h9s1rhrRffX7nXQKAQ +AmPnvD2Pp47obDnHqm/L109S1fcL5BiPN1AlgsseUBwzdqBpyRncPXZoAuBh/BU5 +D/1Dip0hXgB/X6+QymSzRJoSKfpeXVICj1kYH1nIkn0YXthYF3BTrCheCzBlKn0S +CixbCUYsUjtSqld0nG76jyGb/gnWntNettH+RXWe1gm6qREJwfEFdeYviTqx2Uxi +6sBKG/XjNAcMArXb7V6w0YAwCyjwCl49B+mLZaFH+9izzBJ7NyVqhH8ToB1gt0re +JGhV +-----END CERTIFICATE----- diff --git a/testing/tests/ikev2/nat-portswitch/posttest.dat b/testing/tests/ikev2/nat-portswitch/posttest.dat new file mode 100644 index 000000000..3b9f53e9b --- /dev/null +++ b/testing/tests/ikev2/nat-portswitch/posttest.dat @@ -0,0 +1,6 @@ +sun::ipsec stop +alice::ipsec stop +sun::rm /etc/ipsec.d/certs/* +alice::rm /etc/ipsec.d/certs/* +moon::iptables -t nat -F +moon::conntrack -F diff --git a/testing/tests/ikev2/nat-portswitch/pretest.dat b/testing/tests/ikev2/nat-portswitch/pretest.dat new file mode 100644 index 000000000..17cc4b070 --- /dev/null +++ b/testing/tests/ikev2/nat-portswitch/pretest.dat @@ -0,0 +1,9 @@ +sun::echo 1 > /proc/sys/net/ipv4/ip_forward +moon::echo 1 > /proc/sys/net/ipv4/ip_forward +moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100 +moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100 +sun::ipsec start +alice::ipsec start +alice::sleep 1 +alice::ipsec up home +alice::sleep 1 diff --git a/testing/tests/ikev2/nat-portswitch/test.conf b/testing/tests/ikev2/nat-portswitch/test.conf new file mode 100644 index 000000000..d84149aaf --- /dev/null +++ b/testing/tests/ikev2/nat-portswitch/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="alice sun" |