diff options
Diffstat (limited to 'testing/tests/ikev2/nat-rw-mixed')
10 files changed, 174 insertions, 0 deletions
diff --git a/testing/tests/ikev2/nat-rw-mixed/description.txt b/testing/tests/ikev2/nat-rw-mixed/description.txt new file mode 100644 index 000000000..511a1a874 --- /dev/null +++ b/testing/tests/ikev2/nat-rw-mixed/description.txt @@ -0,0 +1,6 @@ +The roadwarriors <b>alice</b> and <b>venus</b> sitting behind the NAT router <b>moon</b> +set up a connection to gateway <b>sun</b>. <b>alice</b> uses the IKEv2 key exchange protocol +whereas <b>venus</b> negotiates the connection via the IKEv1 protocol. +UDP encapsulation is used to traverse the NAT router. +In order to test the tunnel the NAT-ed hosts <b>alice</b> and <b>venus</b> ping the client +<b>bob</b> behind the gateway <b>sun</b>. diff --git a/testing/tests/ikev2/nat-rw-mixed/evaltest.dat b/testing/tests/ikev2/nat-rw-mixed/evaltest.dat new file mode 100644 index 000000000..685c1b43f --- /dev/null +++ b/testing/tests/ikev2/nat-rw-mixed/evaltest.dat @@ -0,0 +1,9 @@ +sun::ipsec statusall::rw-alice.*ESTABLISHED::YES +sun::ipsec status::nat-t.*STATE_QUICK_R2.*IPsec SA established::YES +sun::ipsec status::nat-t.*@venus.strongswan.org::YES +alice::ipsec statusall::home.*ESTABLISHED::YES +sun::ipsec status::nat-t.*STATE_QUICK_R2.*IPsec SA established::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES +venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES +moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP::YES +moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP::YES diff --git a/testing/tests/ikev2/nat-rw-mixed/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/nat-rw-mixed/hosts/alice/etc/ipsec.conf new file mode 100644 index 000000000..cd9de533a --- /dev/null +++ b/testing/tests/ikev2/nat-rw-mixed/hosts/alice/etc/ipsec.conf @@ -0,0 +1,17 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutostart=no + +conn home + left=PH_IP_ALICE + leftcert=aliceCert.pem + leftid=alice@strongswan.org + right=PH_IP_SUN + rightcert=sunCert.pem + rightid=@sun.strongswan.org + rightsubnet=10.2.0.0/16 + keyexchange=ikev2 + auto=add diff --git a/testing/tests/ikev2/nat-rw-mixed/hosts/alice/etc/ipsec.d/certs/sunCert.pem b/testing/tests/ikev2/nat-rw-mixed/hosts/alice/etc/ipsec.d/certs/sunCert.pem new file mode 100644 index 000000000..e7825e3db --- /dev/null +++ b/testing/tests/ikev2/nat-rw-mixed/hosts/alice/etc/ipsec.d/certs/sunCert.pem @@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIIECzCCAvOgAwIBAgIBAjANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA0MDkxMDExMTU1M1oXDTA5MDkwOTExMTU1M1owRTELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN1bi5z +dHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOQ8 +foB9h5BZ92gA5JkQTJNuoF6FAzoq91Gh7To27/g74p01+SUnsSaBfPmNfGp4avdS +Ewy2dWMA/7uj0Dbe8MEKssNztp0JQubp2s7n8mrrQLGsqB6YAS09l75XDjS3yqTC +AtH1kD4zAl/j/AyeQBuLR4CyJEmC/rqD3/a+pr42CaljuFBgBRpCTUpU4mlslZSe +zv9wu61PwTFxb8VDlBHUd/lwkXThKgU3uEhWRxLahpSldEGmiTTmx30k/XbOMF2n +HObEHt5EY9uWRGGbj81ZRWiNk0dNtbpneUHv/NvdWLc591M8cEGEQdWW2XTVbL2G +N67q8hdzGgIvb7QJPMcCAwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQD +AgOoMB0GA1UdDgQWBBQ9xLkyCBbyQmRet0vvV1Fg6z5q2DBtBgNVHSMEZjBkgBRd +p91wBlEyfue2bbO15eBg6i5N76FJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoT +EExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIB +ADAdBgNVHREEFjAUghJzdW4uc3Ryb25nc3dhbi5vcmcwOQYDVR0fBDIwMDAuoCyg +KoYoaHR0cDovL2NybC5zdHJvbmdzd2FuLm9yZy9zdHJvbmdzd2FuLmNybDANBgkq +hkiG9w0BAQQFAAOCAQEAGQQroiAa0SwwhJprGd7OM+rfBJAGbsa3DPzFCfHX1R7i +ZyDs9aph1DK+IgUa377Ev1U7oB0EldpmOoJJugCjtNLfpW3t1RXBERL/QfpO2+VP +Wt3SfZ0Oq48jiqB1MVLMZRPCICZEQjT4sJ3HYs5ZuucuvoxeMx3rQ4HxUtHtMD3S +5JNMwFFiOXAjyIyrTlb7YuRJTT5hE+Rms8GUQ5Xnt7zKZ7yfoSLFzy0/cLFPdQvE +JA7w8crODCZpDgEKVHVyUWuyt1O46N3ydUfDcnKJoQ9HWHm3xCbDex5MHTnvm1lk +Stx71CGM7TE6VPy028UlrSw0JqEwCVwstei2cMzwgA== +-----END CERTIFICATE----- diff --git a/testing/tests/ikev2/nat-rw-mixed/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/nat-rw-mixed/hosts/sun/etc/ipsec.conf new file mode 100644 index 000000000..b85bd607b --- /dev/null +++ b/testing/tests/ikev2/nat-rw-mixed/hosts/sun/etc/ipsec.conf @@ -0,0 +1,31 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + nat_traversal=yes + +conn %default + ikelifetime=60m + keylife=20m + left=PH_IP_SUN + leftcert=sunCert.pem + leftid=@sun.strongswan.org + leftsubnet=10.2.0.0/16 + +conn rw-alice + right=%any + rightcert=aliceCert.pem + rightid=alice@strongswan.org + rightsubnet=10.1.0.0/16 + keyexchange=ikev2 + auto=add + +conn nat-t + leftsubnet=10.2.0.0/16 + right=%any + rightsubnetwithin=10.1.0.0/16 + keyexchange=ikev1 + auto=add diff --git a/testing/tests/ikev2/nat-rw-mixed/hosts/sun/etc/ipsec.d/certs/aliceCert.pem b/testing/tests/ikev2/nat-rw-mixed/hosts/sun/etc/ipsec.d/certs/aliceCert.pem new file mode 100644 index 000000000..e99ae8ec7 --- /dev/null +++ b/testing/tests/ikev2/nat-rw-mixed/hosts/sun/etc/ipsec.d/certs/aliceCert.pem @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEHzCCAwegAwIBAgIBBTANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA0MDkxMDExMjQzOVoXDTA5MDkwOTExMjQzOVowVzELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsTBVNhbGVz +MR0wGwYDVQQDFBRhbGljZUBzdHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcNAQEB +BQADggEPADCCAQoCggEBAK7FyvkE18/oujCaTd8GXBNOH+Cvoy0ibJ8j2sNsBrer +GS1lgxRs8zaVfK9fosadu0UZeWIHsOKkew5469sPvkKK2SGGH+pu+x+xO/vuaEG4 +FlkAu8iGFWLQycLt6BJfcqw7FT8rwNuD18XXBXmP7hRavi/TEElbVYHbO7lm8T5W +6hTr/sYddiSB7X9/ba7JBy6lxmBcUAx5bjiiHLaW/llefkqyhc6dw5nvPZ2DchvH +v/HWvLF9bsvxbBkHU0/z/CEsRuMBI7EPEL4rx3UqmuCUAqiMJTS3IrDaIlfJOLWc +KlbsnE6hHpwmt9oDB9iWBY9WeZUSAtJGFw4b7FCZvQ0CAwEAAaOCAQYwggECMAkG +A1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBRZmh0JtiNTjBsQsfD7ECNa +60iG2jBtBgNVHSMEZjBkgBRdp91wBlEyfue2bbO15eBg6i5N76FJpEcwRTELMAkG +A1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0 +cm9uZ1N3YW4gUm9vdCBDQYIBADAfBgNVHREEGDAWgRRhbGljZUBzdHJvbmdzd2Fu +Lm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3Jn +L3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBBAUAA4IBAQADdQIlJkFtmHEjtuyo +2aIcrsUx98FtvVgB7RpQB8JZlly7UEjvX0CIIvW/7Al5/8h9s1rhrRffX7nXQKAQ +AmPnvD2Pp47obDnHqm/L109S1fcL5BiPN1AlgsseUBwzdqBpyRncPXZoAuBh/BU5 +D/1Dip0hXgB/X6+QymSzRJoSKfpeXVICj1kYH1nIkn0YXthYF3BTrCheCzBlKn0S +CixbCUYsUjtSqld0nG76jyGb/gnWntNettH+RXWe1gm6qREJwfEFdeYviTqx2Uxi +6sBKG/XjNAcMArXb7V6w0YAwCyjwCl49B+mLZaFH+9izzBJ7NyVqhH8ToB1gt0re +JGhV +-----END CERTIFICATE----- diff --git a/testing/tests/ikev2/nat-rw-mixed/hosts/sun/etc/ipsec.d/certs/venusCert.pem b/testing/tests/ikev2/nat-rw-mixed/hosts/sun/etc/ipsec.d/certs/venusCert.pem new file mode 100644 index 000000000..25a6941b0 --- /dev/null +++ b/testing/tests/ikev2/nat-rw-mixed/hosts/sun/etc/ipsec.d/certs/venusCert.pem @@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIIEDzCCAvegAwIBAgIBBDANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA0MDkxMDExMTgyNloXDTA5MDkwOTExMTgyNlowRzELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHTAbBgNVBAMTFHZlbnVz +LnN0cm9uZ3N3YW4ub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA +mlQ2s9J7bw73onkw0ZwwcM2JDJuU3KmmuzETlmLdtg7m8yFCdhoDg6cxrsIvPAWy +Gs++1e+1qzy7LTnNHckaHHFwJQf0JoIGE1bbUrJidX8B1T3sDdvZFbyfmQTWSEyJ +thrdqdPS92VJW/9XQOPeEhudIHr+NtWQfCm3OQFKDXGCEkHOjpVNHn3BPUiL99ON +FiLZX3gZy6vTERpEE8ga66fHtpM3RJfIxYoUQUdRw8iIa8iOvRGtJa/MfOWX6L/H +wquRv3SuCl4iMSph7e/VE+z5xx3OyKSAki914DgRFnQITKjyGxw1lORlDQlZy2w/ +nu0BAbXS1pb/2AiF8jDpbQIDAQABo4IBBjCCAQIwCQYDVR0TBAIwADALBgNVHQ8E +BAMCA6gwHQYDVR0OBBYEFEqPlXBYJh1knX0Q61HMcn9LOZ6sMG0GA1UdIwRmMGSA +FF2n3XAGUTJ+57Zts7Xl4GDqLk3voUmkRzBFMQswCQYDVQQGEwJDSDEZMBcGA1UE +ChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBSb290IENB +ggEAMB8GA1UdEQQYMBaCFHZlbnVzLnN0cm9uZ3N3YW4ub3JnMDkGA1UdHwQyMDAw +LqAsoCqGKGh0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbi5jcmww +DQYJKoZIhvcNAQEEBQADggEBAEx3kXh2Z5CMH+tX6cJPyi6gSeOgXy7NBiNsEdXN +rwGp4DwN6uiSog4EYZJA203oqE3eaoYdBXKiOGvjW4vyigvpDr8H+MeW2HsNuMKX +PFpY4NucV0fJlzFhtkp31zTLHNESCgTqNIwGj+CbN0rxhHGE6502krnu+C12nJ7B +fdMzml1RmVp4JlZC5yfiTy0F2s/aH+8xQ2x509UoD+boNM9GR+IlWS2dDypISGid +hbM4rpiMLBj2riWD8HiuljkKQ6LemBXeZQXuIPlusl7cH/synNkHk8iiALM8xfGh +wTEmdo5Tp5sDI3cj3LVvhcsTxjiOA81her1F0itlxpEA/gA= +-----END CERTIFICATE----- diff --git a/testing/tests/ikev2/nat-rw-mixed/posttest.dat b/testing/tests/ikev2/nat-rw-mixed/posttest.dat new file mode 100644 index 000000000..0a8ce2bbc --- /dev/null +++ b/testing/tests/ikev2/nat-rw-mixed/posttest.dat @@ -0,0 +1,6 @@ +sun::ipsec stop +alice::ipsec stop +venus::ipsec stop +sun::rm /etc/ipsec.d/certs/* +alice::rm /etc/ipsec.d/certs/* +moon::iptables -t nat -F diff --git a/testing/tests/ikev2/nat-rw-mixed/pretest.dat b/testing/tests/ikev2/nat-rw-mixed/pretest.dat new file mode 100644 index 000000000..d2c5c7df2 --- /dev/null +++ b/testing/tests/ikev2/nat-rw-mixed/pretest.dat @@ -0,0 +1,11 @@ +sun::echo 1 > /proc/sys/net/ipv4/ip_forward +moon::echo 1 > /proc/sys/net/ipv4/ip_forward +moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100 +moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100 +sun::ipsec start +alice::ipsec start +venus::ipsec start +alice::sleep 1 +venus::ipsec up nat-t +alice::ipsec up home +alice::sleep 1 diff --git a/testing/tests/ikev2/nat-rw-mixed/test.conf b/testing/tests/ikev2/nat-rw-mixed/test.conf new file mode 100644 index 000000000..84317fd70 --- /dev/null +++ b/testing/tests/ikev2/nat-rw-mixed/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice venus moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-v-m-w-s-b.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="alice venus sun" |