Diffstat (limited to 'testing/tests/ikev2/ocsp-strict-ifuri')
15 files changed, 290 insertions, 0 deletions
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/description.txt b/testing/tests/ikev2/ocsp-strict-ifuri/description.txt
new file mode 100644
index 000000000..580684cf8
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/description.txt
@@ -0,0 +1,18 @@
+This scenario tests the <b>strictcrlpolicy=ifuri</b> option which enforces a
+strict CRL policy for a given CA if at least one OCSP or CRL URI is known
+for this CA at the time of the certificate trust path verification.
+On the gateway <b>moon</b> two different Intermediate CAs control the access
+to the hosts <b>alice</b> and <b>venus</b>. Access to <b>alice</b> is granted
+to users presenting a certificate issued by the Research CA whereas <b>venus</b>
+can only be reached with a certificate issued by the Sales CA.
+<p>
+The roadwarrior <b>carol</b> has a certificate from the Research CA which does not
+contain any URIs. Therefore a strict CRL policy is <b>not</b> enforced and the
+connection setup succeeds, although the certificate status is unknown.
+</p>
+<p>
+The roadwarrrior <b>dave</b> has a certificate from the Sales CA which contains
+a single OCSP URI but which is not resolvable. Thus because of the known URI
+a strict CRL policy is enforced and the unknown certificate status causes the
+connection setup to fail.
+</p>
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat b/testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat
new file mode 100644
index 000000000..48f24aa8f
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat
@@ -0,0 +1,7 @@
+moon::cat /var/log/daemon.log::authentication of.*carol.*successful::YES
+moon::cat /var/log/daemon.log::http post request using libcurl failed::YES
+moon::cat /var/log/daemon.log::authentication of.*dave.*failed::YES
+moon::ipsec status::ESTABLISHED.*carol::YES
+moon::ipsec status::ESTABLISHED.*dave::NO
+carol::ipsec status::ESTABLISHED::YES
+dave::ipsec status::ESTABLISHED::NO
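Review bot: The evaltest.dat checks do not tie either outcome to the revocation policy under test. `authentication of.*dave.*failed` would also match if dave were rejected for an unrelated reason, such as an expired fixture certificate, and nothing asserts that carol was accepted with an unknown certificate status rather than a good one. The libcurl line only shows that some OCSP fetch failed, not which certificate it was for. Consider adding one line per peer that greps moon's log for the daemon's certificate-status message, e.g. `moon::cat /var/log/daemon.log::<unknown-status log text for carol>::YES` (placeholder; take the exact text from the daemon source).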
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..cfde9714e
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,26 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=ifuri
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ left=PH_IP_CAROL
+ leftnexthop=%direct
+ leftcert=carolCert-ifuri.pem
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+
+conn alice
+ rightsubnet=PH_IP_ALICE/32
+ auto=add
+
+conn venus
+ rightsubnet=PH_IP_VENUS/32
+ auto=add
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.d/certs/carolCert-ifuri.pem b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.d/certs/carolCert-ifuri.pem
new file mode 100644
index 000000000..894bf7dbd
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.d/certs/carolCert-ifuri.pem
@@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIID8TCCAtmgAwIBAgIBBDANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS +BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTA3MDQyMDA5MjU1NFoXDTEyMDQxODA5MjU1 +NFowWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP +BgNVBAsTCFJlc2VhcmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCC +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM+oTiV7lCh1ID41edDUgUjR +dZwEMPBAM1xDqoxJxIJpug8UIuuUL0TvQnZ4Z5fa/9QNNCkQ7FDh8ZcR+TT8x0mO +dYYA73mMQic0n4O57F+s/lESKvIoN+vIDR3rGJBv9rYztS4ODE+DJl9XK9TtId5u +57jfXu/k3IYl5GeQ3f+ic2l2Ola70t70Op6cFDZIhOCjs2xWw2yqGdPWODaN/Enw +5fOLv/om+7HHB4KgPGv4p4ohWIUCo2XK597Ii+jB2MdOUlG83/1aX7+M+IeYVwjI +hzWjwRQfMz0AQha0HYN4cvrZ7stUluMxewsCROCBzcGQYTZxYU4FjR8nhH4ApYMC +AwEAAaOByjCBxzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQUi6jZ +/eq7FoNJDiWP3Mlw9iaZzyIwbQYDVR0jBGYwZIAU53XwoPKtIM3NYCPMx8gPKfPd +VCChSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2Fu +MRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3QgQ0GCAQ8wHwYDVR0RBBgwFoEUY2Fy +b2xAc3Ryb25nc3dhbi5vcmcwDQYJKoZIhvcNAQEFBQADggEBADHYFhLgIo3jrKcw +bmfkqHLrwI0sHgyJJrEf1hl3cdc16VdKVW+V3qMwumdlMobK20yTRtW90x1ErULS +RClHlQ5UtDubtQTwjcc6Uc8tOcBdAAH1SQk2xLikxQq19UGFpRRA0VxDXzF5yXnJ +oM9mJZvgscQZeZPqMEXd3yQclK3Ouap70zE1J8kcyT/yrdkTM3nMbiq8aPytr3Al +njoW+ToTsDqcTZYWeF3A3tfSZ5+AhlValx1btbcNPZVjjhBx46knOrOFeQLE5f5C +3XYxVaWPX7hcjfQz/e3T4Rnb8nVQqoCnycUPfYxG/4z7pp/GplS/MEuMNNGDhSsI +nTjnJgY= +-----END CERTIFICATE----- diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.d/private/carolKey.pem new file mode 100644 index 000000000..b91f9bf81 --- /dev/null +++ b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.d/private/carolKey.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEogIBAAKCAQEAz6hOJXuUKHUgPjV50NSBSNF1nAQw8EAzXEOqjEnEgmm6DxQi +65QvRO9Cdnhnl9r/1A00KRDsUOHxlxH5NPzHSY51hgDveYxCJzSfg7nsX6z+URIq +8ig368gNHesYkG/2tjO1Lg4MT4MmX1cr1O0h3m7nuN9e7+TchiXkZ5Dd/6JzaXY6 +VrvS3vQ6npwUNkiE4KOzbFbDbKoZ09Y4No38SfDl84u/+ib7sccHgqA8a/iniiFY +hQKjZcrn3siL6MHYx05SUbzf/Vpfv4z4h5hXCMiHNaPBFB8zPQBCFrQdg3hy+tnu +y1SW4zF7CwJE4IHNwZBhNnFhTgWNHyeEfgClgwIDAQABAoIBAHXoftbRoIKIXtJz +0sM8plwOctUvnAoOqhsNYN1fVXEnTzoYmOtirKRbpkVWgJu9Ad4J0UAwF76lTGQX +FIV9sjqV5S09grxlY3qXaquE+i4pMA4gXro5E+eRI8GFJ+F7cX5rRcjsuRi8wyEH +gh/YtY5zMqfKTUGxlXWmNlaH70WilianuMPNXwaKgyBGcfZdheyUggM0rYEJrG1Z +PZqNo0JKfeI4htpENDp0k1xJ9lCjIqdNw0ZjBi+pL6hF5PYaPjlVC2yn5CzRaT1D +nUeKUK+SVES4sPrEQtaOlk86uZC4pIz5IlEoSvaw/Yo3Gk1sQKIQMMh1crhHd0El +U831KwECgYEA7fQY+aFk3fHabwgf9gjuPKgwetVQ8jNDWUiSqffHUC0AQfKZQQsF +mXJeSRZomPCWG3DRz1EcqXr9f82bN295I0CI6foXZgKUmjed7Bohc0HvUqNOi2qm +MdbdWBOaH4RBzi1fAENJZnprmq65jQ/tkfCwqIz4KaLt+8xiWmU2h6ECgYEA32gB +UbCzs1LoJC03uGHqZFRWK/YNKOKBUw58XCnzPTA+34UupI88lPj8LD269tDtruRy +G7wt4HjayPKtK430nKAl01IXq6ULBTByu3KrCOm/gTAycVMj4ZimTn7Qu9jyv4Lz +Ka3rBQxB+yQWfn27dc7U+EBsA7PT53NR6Zl8CqMCgYALJYod93+AHho7ZUgKAHUY +hlBvEJsQHXKkNhAYwjCmAtWmQTUIpPmILKFaDyCrOWnusyRA7+3FyqshV4JT4Hbu +PdGsFDkQYEKRztUpADhc69PILTo6sa5DW2tW+uQXYdyrSdjPbFd943Iy9sheYUah +tYKxApmFacp4JyTcUy1wwQKBgA44xLy6jvX/dR+4cS+frBgu9j1eMIBFyw3Kgkgr +s3xVserww4NeSvEA2KzIUTqdGkRj7o+tbw43I1ZffH6lTskZuM63DyKyIv11lBgy +uIicuMA0nUFxlXsrCIs+r3MF4I4oe+pPVALCQQEHzxbGUkSxogUbtMSXkgnN4Y0J +ZEgZAoGAfo0nv/IeKi0KkKiPTQSGVWGAQyCpGE0UQ2RYYToT84kjXs+LrVGFH2lu +LJvyYnSnM7eKqCFKh+kLQ3bezum56y5XTyAEipTmu7Lhp0CiVjSdnu+0QykmhKsx +Z17Ut2ryGKOXySnlMNual4eCLq98o0iOcYPq08V6x33dhK7Z3kU= +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..fac55d63b --- /dev/null 
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA carolKey.pem
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..1cea9f47c
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,26 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=ifuri
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ left=PH_IP_DAVE
+ leftnexthop=%direct
+ leftcert=daveCert-ifuri.pem
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+
+conn alice
+ rightsubnet=PH_IP_ALICE/32
+ auto=add
+
+conn venus
+ rightsubnet=PH_IP_VENUS/32
+ auto=add
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/ipsec.d/certs/daveCert-ifuri.pem b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/ipsec.d/certs/daveCert-ifuri.pem
new file mode 100644
index 000000000..c19c7333a
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/ipsec.d/certs/daveCert-ifuri.pem
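Review bot: The `: RSA carolKey.pem` entry in carol's ipsec.secrets carries no passphrase, and the carolKey.pem added by this commit appears to be stored unencrypted in the tree. That is normal for a test fixture, but nothing in the file says the key is fixture-only. I would add a comment above the entry such as `# test-only key for the UML scenario; do not reuse outside the test suite`. daveKey.pem is added the same way in this commit.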
@@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEJjCCAw6gAwIBAgIBBDANBgkqhkiG9w0BAQUFADBLMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEOMAwGA1UECxMFU2FsZXMxETAPBgNV +BAMTCFNhbGVzIENBMB4XDTA3MDQyMDA5MzYwMFoXDTEyMDQxODA5MzYwMFowVjEL +MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsT +BVNhbGVzMRwwGgYDVQQDFBNkYXZlQHN0cm9uZ3N3YW4ub3JnMIIBIjANBgkqhkiG +9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyqAR0itGIuSt/RR8IHjFTLH/lywprmHUw0GS +zZwo/q4AE4v6OeWRG3JUUg44K40yBwr7zvcsLztRTfbNqlt7o+Hjpo3kz0AMwDo+ +1V42Qkh61VJW1P0NQvkgjiQn+ElSMg1u3uiYCIMAhYMYo2ZMKxHXxRqjU79AVuJN +P3p8wUpfwReImAy3/n685YbSzWcbPqCfjRH/YrnYS8Ga7m/QzdNfrtxhAWAGow1+ ++eTSMvLXSkQeujU6OCJNOPUNB3nnJ1IoZrQm8wNP8Y5B5HzvOSyFEvNuHFc63gSP +aSRhuz0gubuMpr1d9Rgjny8JgsfCEbOktlKwnbFeSB8AAgVMjwIDAQABo4IBCDCC +AQQwCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFILLnutR01FvK1SR +EZgaOaO9d8izMG0GA1UdIwRmMGSAFF+bE0b5IHLIANWItadMLpfqC5MooUmkRzBF +MQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UE +AxMSc3Ryb25nU3dhbiBSb290IENBggENMB4GA1UdEQQXMBWBE2RhdmVAc3Ryb25n +c3dhbi5vcmcwPAYIKwYBBQUHAQEEMDAuMCwGCCsGAQUFBzABhiBodHRwOi8vb2Nz +cDIuc3Ryb25nc3dhbi5vcmc6ODg4MjANBgkqhkiG9w0BAQUFAAOCAQEAhhebUzkR +5bllLrfSb0H+Uns0Fw/hfyrvJPjKOcb/otwPZOeGftGYQgihGu3X0Wi6IPX3/I6v +tAnjYTyMXO68Cm2Zw3ZjjjSupQ3LOtyUhKPehk1EXNI5S1WnpYvEjocaBeT5DBaH +fjMHL4L32dUcyzU49zbrkFEY7ffka44s3SUf4tEaw5QlBfAnwoij2A/rucokWNeQ +6KVE9wfYJri6P7ztVTWFsAD6MXRCjzYrS6lOo02w32k2Rpp5SdAWuiwnXLY1BPi9 +U031sS6eh2aRM+u1UKuCGQtUDCMOI6yDv5U2aWQuxYS2uTW05PlWwKAg2atFt7uZ +P35gzzpJWopPqw== +-----END CERTIFICATE----- diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/ipsec.d/private/daveKey.pem new file mode 100644 index 000000000..022436de4 --- /dev/null +++ b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/ipsec.d/private/daveKey.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAyqAR0itGIuSt/RR8IHjFTLH/lywprmHUw0GSzZwo/q4AE4v6 +OeWRG3JUUg44K40yBwr7zvcsLztRTfbNqlt7o+Hjpo3kz0AMwDo+1V42Qkh61VJW +1P0NQvkgjiQn+ElSMg1u3uiYCIMAhYMYo2ZMKxHXxRqjU79AVuJNP3p8wUpfwReI +mAy3/n685YbSzWcbPqCfjRH/YrnYS8Ga7m/QzdNfrtxhAWAGow1++eTSMvLXSkQe +ujU6OCJNOPUNB3nnJ1IoZrQm8wNP8Y5B5HzvOSyFEvNuHFc63gSPaSRhuz0gubuM +pr1d9Rgjny8JgsfCEbOktlKwnbFeSB8AAgVMjwIDAQABAoIBAHKaRFoVpa6Ynpu0 +mVwYUqdFSaVsEgsSRC9HiEuIllsteNeVZSqX4BGhAXYDmttvGauIF9IAVNpF939c +JwjCg1S2r3aFbLOXq16R0vYFOjUVH3xF/NysX3LQywv6AS1Z8wZiOKIU9eBij8nz +0tygQFZf2iUeIuB8HFzH1B8iHSuI7qn6hh1Y9Zgx4kWYL9I+WYefbR906xveHVGq +8VrgHtBAn1WeWg7FoN1VURW0s1bxkiWtpF9x9OMmwK4qR8HSCilss59V1eJrAAR0 +3FGdWwbbGg9hW0adnyDCtoaYW3r0WcXwqklyas4C+dClOpUInn8kZisoghQYT92u +U2QeDzECgYEA5Rv7+rP9HX1pNd9NQwOyIHztv4jfx60gybioogtCeRZUwPQ3GtXJ +Q0ouBxCVLdyCImIKcvd2q2b9HZE8tvOHBA/YxofH4miEN5GWA4aL+LcGrxIbxPWs +MEkxgQwsyK7lWH47fG7eW86LMx0VikFXS1EeeZZS3f3Avaww1uRtXecCgYEA4mhS +sAClZamGVWQ7VXCHuS4xHn/gPA4TCyoR5l9g9pwregGKxsROQVIFQCDMd9eTtS6B +oqoUTHdg0TlujHVUojdwHtgDaqDMTk+RXD9qy2Wob9HQVBlIwgijoLb+OjwdoAj7 +1OQx8FmMjAlMmlyJ50e1FnbNJFEJ1EMgV5QxtxkCgYEArdUeyehYy1BFTJ/CIm+i +bm37gdDbYchlUUivgkuiwvcDlWd2jADbdRfKdofJeIOPpYDXxsUmIATDVfTFqVZ7 +AcT4SCHrskh00SjANqqWdz5/bsQBl96DKBvQ2MYhEJ9K2mrkvZPtWKENEtolZsIO +9tF0mvJIq7CF1iPY5qNoq88CgYEAoZhELErJwl3U+22my7ydopZNiK9MpJCHFxjX +3c2Fr36XqWUgX+4MzKJ2DOdcCM1dJ5wh+q/Z/RnXiH2tYaL83SskY19aUOij6eDw +px68YqAUMHtYbi39uD/iSftSSM5PdsHyvGiDHEFOB0U735Dc/K45mecBVEJi+ZVP +qDKlqUECgYA1DcGOWM3P3XdB7zKy47LcankMtFZozEOLTUdGJRlmWrLdcRlZPKjt +/ALripehesp1++VtmttWQJX7uI3gveD07/tSKeMHmIoKappjRTrcaA7Pa5+z/xS/ +UhRmZUFOJwNLzy3jdv5f2c/5SIz6o4Ae3I+Zb+IapHL+lBv146/I5g== +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..be96bd957 --- /dev/null +++ b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/ipsec.conf 
@@ -0,0 +1,29 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=ifuri
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ left=PH_IP_MOON
+ leftnexthop=%direct
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+
+conn alice
+ leftsubnet=PH_IP_ALICE/32
+ right=%any
+ rightca="C=CH, O=Linux strongSwan, OU=Research, CN=Research CA"
+ auto=add
+
+conn venus
+ leftsubnet=PH_IP_VENUS/32
+ right=%any
+ rightca="C=CH, O=Linux strongSwan, OU=Sales, CN=Sales CA"
+ auto=add
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem
new file mode 100644
index 000000000..154cff654
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem
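Review bot: `strictcrlpolicy=ifuri` in moon's `config setup` has no comment, and per description.txt it fails open: a peer certificate whose CA has no known OCSP or CRL URI is accepted with its status unknown. I would put a comment above the setting, such as `# ifuri: strict only when an OCSP/CRL URI is known for the CA; certificates without any URI are accepted with status unknown`. The carol and dave ipsec.conf files carry the same setting and would benefit from the same comment. Anyone copying this fixture as a template should be able to see from the file that `ifuri` is weaker than a fully strict policy.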
@@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIIDwTCCAqmgAwIBAgIBDzANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA1MDYyMTE5NTgwNloXDTEwMDYyMDE5NTgwNlowUTELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh +cmNoMRQwEgYDVQQDEwtSZXNlYXJjaCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBALY5sjqm4AdbWKc/T7JahWpy9xtdPbHngBN6lbnpYaHfrxnGsvmD +FCFZHCd7egRqQ/AuJHHcEv3DUdfJWWAypVnUvdlcp58hBjpxfTPXP9IDBxzQaQyU +zsExIGWOVUY2e7xJ5BKBnXVkok3htY4Hr1GdqNh+3LEmbegJBngTRSRx4PKJ54FO +/b78LUzB+rMxrzxw/lnI8jEmAtKlugQ7c9auMeFCz+NmlSfnSoWhHN5qm+0iNKy0 +C+25IuE8Nq+i3jtBiI8BwBqHY3u2IuflUh9Nc9d/R6vGsRPMHs30X1Ha/m0Ug494 ++wwqwfEBZRjzxMmMF/1SG4I1E3TDOJ3srjkCAwEAAaOBrzCBrDAPBgNVHRMBAf8E +BTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU53XwoPKtIM3NYCPMx8gPKfPd +VCAwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNV +BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJv +bmdTd2FuIFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQEEBQADggEBAHArS2trQnBoMVcg +Br3HV78wYsa1MNAQCBAPhKMMd6EziO4FTwgNgecbKXpObX6ErFDgjtVTcLOMTvNX +fvZoNuPpdcitlgcWjfxZafNbj6j9ClE/rMbGDO64NLhdXuPVkbmic6yXRwGZpTuq +3CKgTguLvhzIEM47yfonXKaaJcKVPI7nYRZdlJmD4VflYrSUpzB361dCaPpl0AYa +0zz1+jfBBvlyic/tf+cCngV3f+GlJ4ntZ3gvRjyysHRmYpWBD7xcA8mJzgUiMyi1 +IKeNzydp+tnLfxwetfA/8ptc346me7RktAaASqO9vpS/N78eXyJRthZTKEf/OqVW +Tfcyi+M= +-----END CERTIFICATE----- diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem new file mode 100644 index 000000000..e50477872 --- /dev/null +++ b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem 
@@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDuzCCAqOgAwIBAgIBDTANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA1MDMyMzA2MjkxNloXDTE0MDMyMTA2MjkxNlowSzELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsTBVNhbGVz +MREwDwYDVQQDEwhTYWxlcyBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC +ggEBAMJOTSaZjDe5UR+hJbodcE40WBxWm+r0FiD+FLc2c0hH/QcWm1Xfqnc9qaPP +GoxO2BfwXgFEHfOdQzHGuthhsvdMPkmWP1Z3uDrwscqrmLyq4JI87exSen1ggmCV +Eib55T4fNxrTIGJaoe6Jn9v9ZwG2B+Ur3nFA/wdckSdqJxc6XL9DKcRk3TxZtv9S +uDftE9G787O6PJSyfyUYhldz1EZe5PTsUoAbBJ0DDXJx3562kDtfQdwezat0LAyO +sVabYq/0G/fBZwLLer4qGF2+3CsvP7jNXnhRYeSv2+4i2mAjgbBRI1A3iqoU3Nq1 +vPAqzrekOI/RV9Hre9L1r8X1dIECAwEAAaOBrzCBrDAPBgNVHRMBAf8EBTADAQH/ +MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUX5sTRvkgcsgA1Yi1p0wul+oLkygwbQYD +VR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNI +MRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2Fu +IFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQEFBQADggEBAJ7j3X20Q8ICJ2e+iUCpVUIV +8RudUeHt9qjSXalohuxxhegL5vu7I9Gx0H56RE4glOjLMCb1xqVZ55Odxx14pHaZ +9iMnQFpgzi96exYAmBKYCHl4IFix2hrTqTWSJhEO+o+PXnQTgcfG43GQepk0qAQr +iZZy8OWiUhHSJQLJtTMm4rnYjgPn+sLwx7hCPDZpHTZocETDars7wTiVkodCbeEU +uKahAbq4b6MvvC3+7quvwoEpAEStT7+Yml+QuK/jKmhjX0hcQcw4ZWi+m32RjUAv +xDJGEvBqV2hyrzRqwh4lVNJEBba5X+QB3N6a0So6BENaJrUM3v8EDaS2KLUWyu0= +-----END CERTIFICATE----- diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/posttest.dat b/testing/tests/ikev2/ocsp-strict-ifuri/posttest.dat new file mode 100644 index 000000000..1646d5ed2 --- /dev/null +++ b/testing/tests/ikev2/ocsp-strict-ifuri/posttest.dat @@ -0,0 +1,5 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::rm /etc/ipsec.d/cacerts/* + diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/pretest.dat b/testing/tests/ikev2/ocsp-strict-ifuri/pretest.dat new file mode 100644 index 000000000..f15265e32 --- /dev/null +++ b/testing/tests/ikev2/ocsp-strict-ifuri/pretest.dat 
@@ -0,0 +1,7 @@
+moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+carol::ipsec start
+dave::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up alice
+dave::ipsec up venus
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/test.conf b/testing/tests/ikev2/ocsp-strict-ifuri/test.conf
new file mode 100644
index 000000000..08e5cc145
--- /dev/null
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice venus moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave" |