diff options
Diffstat (limited to 'testing/tests/ikev2/rw-eap-sim-id-radius/hosts')
15 files changed, 358 insertions, 0 deletions
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/clients.conf new file mode 100644 index 000000000..f4e179aa4 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/clients.conf @@ -0,0 +1,4 @@ +client PH_IP_MOON1 { + secret = gv6URkSs + shortname = moon +} diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/eap.conf new file mode 100644 index 000000000..a2020424e --- /dev/null +++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/eap.conf @@ -0,0 +1,5 @@ +eap { + default_eap_type = sim + sim { + } +} diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/proxy.conf new file mode 100644 index 000000000..783587b55 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/proxy.conf @@ -0,0 +1,5 @@ +realm LOCAL { + type = radius + authhost = LOCAL + accthost = LOCAL +} diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/radiusd.conf new file mode 100644 index 000000000..d77b818fe --- /dev/null +++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/radiusd.conf @@ -0,0 +1,123 @@ +# radiusd.conf -- FreeRADIUS server configuration file. + +prefix = /usr +exec_prefix = ${prefix} +sysconfdir = /etc +localstatedir = /var +sbindir = ${exec_prefix}/sbin +logdir = ${localstatedir}/log/radius +raddbdir = ${sysconfdir}/raddb +radacctdir = ${logdir}/radacct + +# name of the running server. See also the "-n" command-line option. +name = radiusd + +# Location of config and logfiles. +confdir = ${raddbdir} +run_dir = ${localstatedir}/run/radiusd + +# Should likely be ${localstatedir}/lib/radiusd +db_dir = ${raddbdir} + +# libdir: Where to find the rlm_* modules. +libdir = ${exec_prefix}/lib + +# pidfile: Where to place the PID of the RADIUS server. +pidfile = ${run_dir}/${name}.pid + +# max_request_time: The maximum time (in seconds) to handle a request. +max_request_time = 30 + +# cleanup_delay: The time to wait (in seconds) before cleaning up +cleanup_delay = 5 + +# max_requests: The maximum number of requests which the server keeps +max_requests = 1024 + +# listen: Make the server listen on a particular IP address, and send +listen { + type = auth + ipaddr = PH_IP_ALICE + port = 0 +} + +# This second "listen" section is for listening on the accounting +# port, too. +# +listen { + type = acct + ipaddr = PH_IP_ALICE + port = 0 +} + +# hostname_lookups: Log the names of clients or just their IP addresses +hostname_lookups = no + +# Core dumps are a bad thing. This should only be set to 'yes' +allow_core_dumps = no + +# Regular expressions +regular_expressions = yes +extended_expressions = yes + +# Logging section. The various "log_*" configuration items +log { + destination = files + file = ${logdir}/radius.log + syslog_facility = daemon + stripped_names = no + auth = yes + auth_badpass = yes + auth_goodpass = yes +} + +# The program to execute to do concurrency checks. +checkrad = ${sbindir}/checkrad + +# Security considerations +security { + max_attributes = 200 + reject_delay = 1 + status_server = yes +} + +# PROXY CONFIGURATION +proxy_requests = yes +$INCLUDE proxy.conf + +# CLIENTS CONFIGURATION +$INCLUDE clients.conf + +# THREAD POOL CONFIGURATION +thread pool { + start_servers = 5 + max_servers = 32 + min_spare_servers = 3 + max_spare_servers = 10 + max_requests_per_server = 0 +} + +# MODULE CONFIGURATION +modules { + $INCLUDE ${confdir}/modules/ + $INCLUDE eap.conf + $INCLUDE sql.conf + $INCLUDE sql/mysql/counter.conf + sim_files { + simtriplets = "/etc/raddb/triplets.dat" + } +} + +# Instantiation +instantiate { + exec + expr + expiration + logintime +} + +# Policies +$INCLUDE policy.conf + +# Include all enabled virtual hosts +$INCLUDE sites-enabled/ diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/sites-available/default new file mode 100644 index 000000000..dfceb037d --- /dev/null +++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/sites-available/default @@ -0,0 +1,62 @@ +authorize { + preprocess + chap + mschap + sim_files + suffix + eap { + ok = return + } + unix + files + expiration + logintime + pap +} + +authenticate { + Auth-Type PAP { + pap + } + Auth-Type CHAP { + chap + } + Auth-Type MS-CHAP { + mschap + } + unix + eap +} + +preacct { + preprocess + acct_unique + suffix + files +} + +accounting { + detail + unix + radutmp + attr_filter.accounting_response +} + +session { + radutmp +} + +post-auth { + exec + Post-Auth-Type REJECT { + attr_filter.access_reject + } +} + +pre-proxy { +} + +post-proxy { + eap +} + diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/triplets.dat b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/triplets.dat new file mode 100644 index 000000000..2a750029f --- /dev/null +++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/triplets.dat @@ -0,0 +1,3 @@ +232420100000015,30000000000000000000000000000000,30112233,305566778899AABB +232420100000015,31000000000000000000000000000000,31112233,315566778899AABB +232420100000015,32000000000000000000000000000000,32112233,325566778899AABB diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/users b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/users new file mode 100644 index 000000000..e69de29bb --- /dev/null +++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/users diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..404589348 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + authby=eap + +conn home + left=PH_IP_CAROL + leftnexthop=%direct + leftid=carol@strongswan.org + leftfirewall=yes + eap_identity=232420100000015 + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.d/triplets.dat b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.d/triplets.dat new file mode 100644 index 000000000..2a750029f --- /dev/null +++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.d/triplets.dat @@ -0,0 +1,3 @@ +232420100000015,30000000000000000000000000000000,30112233,305566778899AABB +232420100000015,31000000000000000000000000000000,31112233,315566778899AABB +232420100000015,32000000000000000000000000000000,32112233,325566778899AABB diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..ddd495699 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.secrets @@ -0,0 +1 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..cc451fc8d --- /dev/null +++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink fips-prf eapsim eapsim-file eapidentity updown +} diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/init.d/iptables new file mode 100755 index 000000000..56587b2e8 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/init.d/iptables @@ -0,0 +1,84 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +opts="start stop reload" + +depend() { + before net + need logger +} + +start() { + ebegin "Starting firewall" + + # enable IP forwarding + echo 1 > /proc/sys/net/ipv4/ip_forward + + # default policy is DROP + /sbin/iptables -P INPUT DROP + /sbin/iptables -P OUTPUT DROP + /sbin/iptables -P FORWARD DROP + + # allow esp + iptables -A INPUT -i eth0 -p 50 -j ACCEPT + iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT + + # allow IKE + iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT + iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + + # allow MobIKE + iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT + iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + + # allow crl fetch from winnetou + iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT + iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + + # allow RADIUS protocol with alice + iptables -A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT + iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT + + # allow ssh + iptables -A INPUT -p tcp --dport 22 -j ACCEPT + iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT + + eend $? +} + +stop() { + ebegin "Stopping firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + + if [ $a == nat ]; then + /sbin/iptables -t nat -P PREROUTING ACCEPT + /sbin/iptables -t nat -P POSTROUTING ACCEPT + /sbin/iptables -t nat -P OUTPUT ACCEPT + elif [ $a == mangle ]; then + /sbin/iptables -t mangle -P PREROUTING ACCEPT + /sbin/iptables -t mangle -P INPUT ACCEPT + /sbin/iptables -t mangle -P FORWARD ACCEPT + /sbin/iptables -t mangle -P OUTPUT ACCEPT + /sbin/iptables -t mangle -P POSTROUTING ACCEPT + elif [ $a == filter ]; then + /sbin/iptables -t filter -P INPUT ACCEPT + /sbin/iptables -t filter -P FORWARD ACCEPT + /sbin/iptables -t filter -P OUTPUT ACCEPT + fi + done + eend $? +} + +reload() { + ebegin "Flushing firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + done; + eend $? + start +} + diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..08b920afd --- /dev/null +++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/ipsec.conf @@ -0,0 +1,26 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn rw-eap + authby=rsasig + eap=radius + eap_identity=%identity + left=PH_IP_MOON + leftsubnet=10.1.0.0/16 + leftid=@moon.strongswan.org + leftcert=moonCert.pem + leftfirewall=yes + rightid=*@strongswan.org + rightsendcert=never + right=%any + auto=add diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..e86d6aa5c --- /dev/null +++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA moonKey.pem diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..10414b29a --- /dev/null +++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke kernel-netlink fips-prf eapradius eapidentity updown + plugins { + eap_radius { + secret = gv6URkSs + server = PH_IP_ALICE + } + } +} |