diff options
Diffstat (limited to 'testing/tests/ikev2')
1452 files changed, 6244 insertions, 8062 deletions
diff --git a/testing/tests/ikev2/after-2038-certs/evaltest.dat b/testing/tests/ikev2/after-2038-certs/evaltest.dat index 1bb9c105f..427aa74da 100644 --- a/testing/tests/ikev2/after-2038-certs/evaltest.dat +++ b/testing/tests/ikev2/after-2038-certs/evaltest.dat @@ -1,6 +1,8 @@ -moon::ipsec statusall::rw.*ESTABLISHED::YES -carol::ipsec statusall::home.*ESTABLISHED::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/after-2038-certs/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/after-2038-certs/hosts/carol/etc/ipsec.conf index bcdb8641b..e72f78742 100755..100644 --- a/testing/tests/ikev2/after-2038-certs/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/after-2038-certs/hosts/carol/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/after-2038-certs/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/after-2038-certs/hosts/carol/etc/strongswan.conf index 339b56987..dc937641c 100644 --- a/testing/tests/ikev2/after-2038-certs/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/after-2038-certs/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/after-2038-certs/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/after-2038-certs/hosts/moon/etc/ipsec.conf index 274521386..1ee751360 100755..100644 --- a/testing/tests/ikev2/after-2038-certs/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/after-2038-certs/hosts/moon/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/after-2038-certs/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/after-2038-certs/hosts/moon/etc/strongswan.conf index 339b56987..dc937641c 100644 --- a/testing/tests/ikev2/after-2038-certs/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/after-2038-certs/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/after-2038-certs/posttest.dat b/testing/tests/ikev2/after-2038-certs/posttest.dat index 94a400606..046d4cfdc 100644 --- a/testing/tests/ikev2/after-2038-certs/posttest.dat +++ b/testing/tests/ikev2/after-2038-certs/posttest.dat @@ -1,4 +1,4 @@ moon::ipsec stop carol::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/after-2038-certs/pretest.dat b/testing/tests/ikev2/after-2038-certs/pretest.dat index 4921d5097..baacc1605 100644 --- a/testing/tests/ikev2/after-2038-certs/pretest.dat +++ b/testing/tests/ikev2/after-2038-certs/pretest.dat @@ -1,5 +1,5 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start carol::sleep 1 diff --git a/testing/tests/ikev2/after-2038-certs/test.conf b/testing/tests/ikev2/after-2038-certs/test.conf index 9cd583b16..4a5fc470f 100644 --- a/testing/tests/ikev2/after-2038-certs/test.conf +++ b/testing/tests/ikev2/after-2038-certs/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon carol winnetou" +VIRTHOSTS="alice moon carol winnetou" # Corresponding block diagram # DIAGRAM="a-m-c-w.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev2/alg-3des-md5/evaltest.dat b/testing/tests/ikev2/alg-3des-md5/evaltest.dat index 6f598c6f3..abd29e97e 100644 --- a/testing/tests/ikev2/alg-3des-md5/evaltest.dat +++ b/testing/tests/ikev2/alg-3des-md5/evaltest.dat @@ -1,13 +1,15 @@ -moon::ipsec statusall::rw.*INSTALLED::YES -carol::ipsec statusall::home.*INSTALLED::YES -moon::ipsec statusall::rw.*IKE proposal.*3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024::YES -carol::ipsec statusall::home.*IKE proposal.*3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024::YES -carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES -moon::ipsec statusall::rw.*3DES_CBC/HMAC_MD5_96,::YES -carol::ipsec statusall::home.*3DES_CBC/HMAC_MD5_96,::YES -moon::ip xfrm state::enc cbc(des3_ede)::YES +moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw.*INSTALLED::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED::YES +moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024::YES +carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024::YES +carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES +moon:: ipsec statusall 2> /dev/null::rw.*3DES_CBC/HMAC_MD5_96,::YES +carol::ipsec statusall 2> /dev/null::home.*3DES_CBC/HMAC_MD5_96,::YES +moon:: ip xfrm state::enc cbc(des3_ede)::YES carol::ip xfrm state::enc cbc(des3_ede)::YES -moon::ip xfrm state::auth hmac(md5)::YES -carol::ip xfrm state::auth hmac(md5)::YES +moon:: ip xfrm state::auth-trunc hmac(md5)::YES +carol::ip xfrm state::auth-trunc hmac(md5)::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 180::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 180::YES diff --git a/testing/tests/ikev2/alg-3des-md5/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/alg-3des-md5/hosts/carol/etc/ipsec.conf index f2c71061d..1be5f1d8f 100755..100644 --- a/testing/tests/ikev2/alg-3des-md5/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/alg-3des-md5/hosts/carol/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=yes - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/alg-3des-md5/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-3des-md5/hosts/carol/etc/strongswan.conf index 339b56987..dc937641c 100644 --- a/testing/tests/ikev2/alg-3des-md5/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/alg-3des-md5/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/alg-3des-md5/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/alg-3des-md5/hosts/moon/etc/ipsec.conf index c4fd80fc0..e961f081d 100755..100644 --- a/testing/tests/ikev2/alg-3des-md5/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/alg-3des-md5/hosts/moon/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=yes - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/alg-3des-md5/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-3des-md5/hosts/moon/etc/strongswan.conf index 339b56987..dc937641c 100644 --- a/testing/tests/ikev2/alg-3des-md5/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/alg-3des-md5/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/alg-3des-md5/posttest.dat b/testing/tests/ikev2/alg-3des-md5/posttest.dat index 94a400606..046d4cfdc 100644 --- a/testing/tests/ikev2/alg-3des-md5/posttest.dat +++ b/testing/tests/ikev2/alg-3des-md5/posttest.dat @@ -1,4 +1,4 @@ moon::ipsec stop carol::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/alg-3des-md5/pretest.dat b/testing/tests/ikev2/alg-3des-md5/pretest.dat index f360351e1..4fc25772b 100644 --- a/testing/tests/ikev2/alg-3des-md5/pretest.dat +++ b/testing/tests/ikev2/alg-3des-md5/pretest.dat @@ -1,5 +1,5 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start carol::sleep 1 diff --git a/testing/tests/ikev2/alg-3des-md5/test.conf b/testing/tests/ikev2/alg-3des-md5/test.conf index 9cd583b16..4a5fc470f 100644 --- a/testing/tests/ikev2/alg-3des-md5/test.conf +++ b/testing/tests/ikev2/alg-3des-md5/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon carol winnetou" +VIRTHOSTS="alice moon carol winnetou" # Corresponding block diagram # DIAGRAM="a-m-c-w.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev2/alg-aes-ccm/evaltest.dat b/testing/tests/ikev2/alg-aes-ccm/evaltest.dat index 0834a8db0..5a14b98d6 100644 --- a/testing/tests/ikev2/alg-aes-ccm/evaltest.dat +++ b/testing/tests/ikev2/alg-aes-ccm/evaltest.dat @@ -1,11 +1,13 @@ -moon::ipsec statusall::rw.*INSTALLED::YES -carol::ipsec statusall::home.*INSTALLED::YES -carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES -moon::ipsec statusall::IKE proposal: AES_CCM_12_128::YES -carol::ipsec statusall::IKE proposal: AES_CCM_12_128::YES -moon::ipsec statusall::AES_CCM_12_128,::YES -carol::ipsec statusall::AES_CCM_12_128,::YES -moon::ip xfrm state::aead rfc4309(ccm(aes))::YES +moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES +moon:: ipsec statusall 2> /dev/null::IKE proposal: AES_CCM_12_128::YES +carol::ipsec statusall 2> /dev/null::IKE proposal: AES_CCM_12_128::YES +moon:: ipsec statusall 2> /dev/null::AES_CCM_12_128,::YES +carol::ipsec statusall 2> /dev/null::AES_CCM_12_128,::YES +moon:: ip xfrm state::aead rfc4309(ccm(aes))::YES carol::ip xfrm state::aead rfc4309(ccm(aes))::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 180::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 180::YES diff --git a/testing/tests/ikev2/alg-aes-ccm/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/alg-aes-ccm/hosts/carol/etc/ipsec.conf index 6bcfbc28d..03707f89f 100755..100644 --- a/testing/tests/ikev2/alg-aes-ccm/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/alg-aes-ccm/hosts/carol/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=yes - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/alg-aes-ccm/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-aes-ccm/hosts/carol/etc/strongswan.conf index db2c09bae..d70d7b989 100644 --- a/testing/tests/ikev2/alg-aes-ccm/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/alg-aes-ccm/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc ccm stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc ccm stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/alg-aes-ccm/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/alg-aes-ccm/hosts/moon/etc/ipsec.conf index 1d6f13861..d7ed92f7e 100755..100644 --- a/testing/tests/ikev2/alg-aes-ccm/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/alg-aes-ccm/hosts/moon/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=yes - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/alg-aes-ccm/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-aes-ccm/hosts/moon/etc/strongswan.conf index db2c09bae..d70d7b989 100644 --- a/testing/tests/ikev2/alg-aes-ccm/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/alg-aes-ccm/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc ccm stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc ccm stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/alg-aes-ccm/posttest.dat b/testing/tests/ikev2/alg-aes-ccm/posttest.dat index 94a400606..046d4cfdc 100644 --- a/testing/tests/ikev2/alg-aes-ccm/posttest.dat +++ b/testing/tests/ikev2/alg-aes-ccm/posttest.dat @@ -1,4 +1,4 @@ moon::ipsec stop carol::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/alg-aes-ccm/pretest.dat b/testing/tests/ikev2/alg-aes-ccm/pretest.dat index f360351e1..4fc25772b 100644 --- a/testing/tests/ikev2/alg-aes-ccm/pretest.dat +++ b/testing/tests/ikev2/alg-aes-ccm/pretest.dat @@ -1,5 +1,5 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start carol::sleep 1 diff --git a/testing/tests/ikev2/alg-aes-ccm/test.conf b/testing/tests/ikev2/alg-aes-ccm/test.conf index acb73b06f..11423f723 100644 --- a/testing/tests/ikev2/alg-aes-ccm/test.conf +++ b/testing/tests/ikev2/alg-aes-ccm/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="moon carol winnetou" +VIRTHOSTS="moon carol winnetou" # Corresponding block diagram # DIAGRAM="m-c-w.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev2/alg-aes-ctr/evaltest.dat b/testing/tests/ikev2/alg-aes-ctr/evaltest.dat index 522ce6088..6a5203a2d 100644 --- a/testing/tests/ikev2/alg-aes-ctr/evaltest.dat +++ b/testing/tests/ikev2/alg-aes-ctr/evaltest.dat @@ -1,11 +1,13 @@ -moon::ipsec statusall::rw.*INSTALLED::YES -carol::ipsec statusall::home.*INSTALLED::YES -carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES -moon::ipsec statusall::IKE proposal: AES_CTR_128::YES -carol::ipsec statusall::IKE proposal: AES_CTR_128::YES -moon::ipsec statusall::AES_CTR_128/AES_XCBC_96,::YES -carol::ipsec statusall::AES_CTR_128/AES_XCBC_96,::YES -moon::ip xfrm state::rfc3686(ctr(aes))::YES +moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES +moon:: ipsec statusall 2> /dev/null::IKE proposal: AES_CTR_128::YES +carol::ipsec statusall 2> /dev/null::IKE proposal: AES_CTR_128::YES +moon:: ipsec statusall 2> /dev/null::AES_CTR_128/AES_XCBC_96,::YES +carol::ipsec statusall 2> /dev/null::AES_CTR_128/AES_XCBC_96,::YES +moon:: ip xfrm state::rfc3686(ctr(aes))::YES carol::ip xfrm state::rfc3686(ctr(aes))::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 180::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 180::YES diff --git a/testing/tests/ikev2/alg-aes-ctr/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/alg-aes-ctr/hosts/carol/etc/ipsec.conf index 70c482835..3be20c613 100755..100644 --- a/testing/tests/ikev2/alg-aes-ctr/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/alg-aes-ctr/hosts/carol/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=yes - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/alg-aes-ctr/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-aes-ctr/hosts/carol/etc/strongswan.conf index be46d6d3e..e607bbae7 100644 --- a/testing/tests/ikev2/alg-aes-ctr/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/alg-aes-ctr/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc ctr stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc ctr stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/alg-aes-ctr/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/alg-aes-ctr/hosts/moon/etc/ipsec.conf index bf103742f..1cf16ee38 100755..100644 --- a/testing/tests/ikev2/alg-aes-ctr/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/alg-aes-ctr/hosts/moon/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=yes - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/alg-aes-ctr/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-aes-ctr/hosts/moon/etc/strongswan.conf index be46d6d3e..e607bbae7 100644 --- a/testing/tests/ikev2/alg-aes-ctr/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/alg-aes-ctr/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc ctr stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc ctr stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/alg-aes-ctr/posttest.dat b/testing/tests/ikev2/alg-aes-ctr/posttest.dat index 94a400606..046d4cfdc 100644 --- a/testing/tests/ikev2/alg-aes-ctr/posttest.dat +++ b/testing/tests/ikev2/alg-aes-ctr/posttest.dat @@ -1,4 +1,4 @@ moon::ipsec stop carol::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/alg-aes-ctr/pretest.dat b/testing/tests/ikev2/alg-aes-ctr/pretest.dat index f360351e1..4fc25772b 100644 --- a/testing/tests/ikev2/alg-aes-ctr/pretest.dat +++ b/testing/tests/ikev2/alg-aes-ctr/pretest.dat @@ -1,5 +1,5 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start carol::sleep 1 diff --git a/testing/tests/ikev2/alg-aes-ctr/test.conf b/testing/tests/ikev2/alg-aes-ctr/test.conf index 9cd583b16..4a5fc470f 100644 --- a/testing/tests/ikev2/alg-aes-ctr/test.conf +++ b/testing/tests/ikev2/alg-aes-ctr/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon carol winnetou" +VIRTHOSTS="alice moon carol winnetou" # Corresponding block diagram # DIAGRAM="a-m-c-w.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev2/alg-aes-gcm/evaltest.dat b/testing/tests/ikev2/alg-aes-gcm/evaltest.dat index 9cd3e8e15..ce27fcc05 100644 --- a/testing/tests/ikev2/alg-aes-gcm/evaltest.dat +++ b/testing/tests/ikev2/alg-aes-gcm/evaltest.dat @@ -1,11 +1,13 @@ -moon::ipsec statusall::rw.*INSTALLED::YES -carol::ipsec statusall::home.*INSTALLED::YES -carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES -moon::ipsec statusall::IKE proposal: AES_GCM_16_256::YES -carol::ipsec statusall::IKE proposal: AES_GCM_16_256::YES -moon::ipsec statusall::AES_GCM_16_256,::YES -carol::ipsec statusall::AES_GCM_16_256,::YES -moon::ip xfrm state::aead rfc4106(gcm(aes))::YES +moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES +moon:: ipsec statusall 2> /dev/null::IKE proposal: AES_GCM_16_256::YES +carol::ipsec statusall 2> /dev/null::IKE proposal: AES_GCM_16_256::YES +moon:: ipsec statusall 2> /dev/null::AES_GCM_16_256,::YES +carol::ipsec statusall 2> /dev/null::AES_GCM_16_256,::YES +moon:: ip xfrm state::aead rfc4106(gcm(aes))::YES carol::ip xfrm state::aead rfc4106(gcm(aes))::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 184::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 184::YES diff --git a/testing/tests/ikev2/alg-aes-gcm/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/alg-aes-gcm/hosts/carol/etc/ipsec.conf index e3f19aff8..7a808ff65 100755..100644 --- a/testing/tests/ikev2/alg-aes-gcm/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/alg-aes-gcm/hosts/carol/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=yes - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/alg-aes-gcm/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-aes-gcm/hosts/carol/etc/strongswan.conf index 7fe7619f1..e063e446a 100644 --- a/testing/tests/ikev2/alg-aes-gcm/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/alg-aes-gcm/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc gcm stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc gcm stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/alg-aes-gcm/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/alg-aes-gcm/hosts/moon/etc/ipsec.conf index 0d51a3ea8..12a35cb8a 100755..100644 --- a/testing/tests/ikev2/alg-aes-gcm/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/alg-aes-gcm/hosts/moon/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=yes - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/alg-aes-gcm/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-aes-gcm/hosts/moon/etc/strongswan.conf index 7fe7619f1..e063e446a 100644 --- a/testing/tests/ikev2/alg-aes-gcm/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/alg-aes-gcm/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc gcm stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc gcm stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/alg-aes-gcm/posttest.dat b/testing/tests/ikev2/alg-aes-gcm/posttest.dat index 94a400606..046d4cfdc 100644 --- a/testing/tests/ikev2/alg-aes-gcm/posttest.dat +++ b/testing/tests/ikev2/alg-aes-gcm/posttest.dat @@ -1,4 +1,4 @@ moon::ipsec stop carol::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/alg-aes-gcm/pretest.dat b/testing/tests/ikev2/alg-aes-gcm/pretest.dat index f360351e1..4fc25772b 100644 --- a/testing/tests/ikev2/alg-aes-gcm/pretest.dat +++ b/testing/tests/ikev2/alg-aes-gcm/pretest.dat @@ -1,5 +1,5 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start carol::sleep 1 diff --git a/testing/tests/ikev2/alg-aes-gcm/test.conf b/testing/tests/ikev2/alg-aes-gcm/test.conf index 9cd583b16..4a5fc470f 100644 --- a/testing/tests/ikev2/alg-aes-gcm/test.conf +++ b/testing/tests/ikev2/alg-aes-gcm/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon carol winnetou" +VIRTHOSTS="alice moon carol winnetou" # Corresponding block diagram # DIAGRAM="a-m-c-w.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev2/alg-aes-xcbc/evaltest.dat b/testing/tests/ikev2/alg-aes-xcbc/evaltest.dat index 24e36eb77..f11018347 100644 --- a/testing/tests/ikev2/alg-aes-xcbc/evaltest.dat +++ b/testing/tests/ikev2/alg-aes-xcbc/evaltest.dat @@ -1,12 +1,14 @@ -moon::ipsec statusall::rw.*INSTALLED::YES -carol::ipsec statusall::home.*INSTALLED::YES -moon::ipsec statusall::rw.*IKE proposal.*AES_CBC_128/AES_XCBC_96/PRF_AES128_XCBC/MODP_2048::YES -carol::ipsec statusall::home.*IKE proposal.*AES_CBC_128/AES_XCBC_96/PRF_AES128_XCBC/MODP_2048::YES -carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES -moon::ipsec statusall::rw.*AES_CBC_128/AES_XCBC_96,::YES -carol::ipsec statusall::home.*AES_CBC_128/AES_XCBC_96,::YES -moon::ip xfrm state::auth xcbc(aes)::YES -carol::ip xfrm state::auth xcbc(aes)::YES +moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_128/AES_XCBC_96/PRF_AES128_XCBC/MODP_2048::YES +carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_128/AES_XCBC_96/PRF_AES128_XCBC/MODP_2048::YES +carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES +moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_128/AES_XCBC_96,::YES +carol::ipsec statusall 2> /dev/null::home.*AES_CBC_128/AES_XCBC_96,::YES +moon:: ip xfrm state::auth-trunc xcbc(aes)::YES +carol::ip xfrm state::auth-trunc xcbc(aes)::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 196::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 196::YES diff --git a/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/ipsec.conf index 33e6a842b..74668e7fb 100755..100644 --- a/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=yes - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/strongswan.conf index 339b56987..dc937641c 100644 --- a/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/ipsec.conf index 208477deb..3cda72935 100755..100644 --- a/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=yes - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/strongswan.conf index 339b56987..dc937641c 100644 --- a/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/alg-aes-xcbc/posttest.dat b/testing/tests/ikev2/alg-aes-xcbc/posttest.dat index 94a400606..046d4cfdc 100644 --- a/testing/tests/ikev2/alg-aes-xcbc/posttest.dat +++ b/testing/tests/ikev2/alg-aes-xcbc/posttest.dat @@ -1,4 +1,4 @@ moon::ipsec stop carol::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/alg-aes-xcbc/pretest.dat b/testing/tests/ikev2/alg-aes-xcbc/pretest.dat index f360351e1..4fc25772b 100644 --- a/testing/tests/ikev2/alg-aes-xcbc/pretest.dat +++ b/testing/tests/ikev2/alg-aes-xcbc/pretest.dat @@ -1,5 +1,5 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start carol::sleep 1 diff --git a/testing/tests/ikev2/alg-aes-xcbc/test.conf b/testing/tests/ikev2/alg-aes-xcbc/test.conf index 9cd583b16..4a5fc470f 100644 --- a/testing/tests/ikev2/alg-aes-xcbc/test.conf +++ b/testing/tests/ikev2/alg-aes-xcbc/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon carol winnetou" +VIRTHOSTS="alice moon carol winnetou" # Corresponding block diagram # DIAGRAM="a-m-c-w.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev2/alg-blowfish/evaltest.dat b/testing/tests/ikev2/alg-blowfish/evaltest.dat index f1b33895b..f76522c5c 100644 --- a/testing/tests/ikev2/alg-blowfish/evaltest.dat +++ b/testing/tests/ikev2/alg-blowfish/evaltest.dat @@ -1,14 +1,15 @@ -moon::ipsec statusall::rw.*ESTABLISHED::YES -carol::ipsec statusall::home.*ESTABLISHED::YES -carol::ipsec statusall::IKE proposal: BLOWFISH_CBC_256/HMAC_SHA2_512_256::YES -carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES -carol::ipsec statusall::BLOWFISH_CBC_192/HMAC_SHA2_256_128,::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES +carol::ipsec statusall 2> /dev/null::IKE proposal: BLOWFISH_CBC_256/HMAC_SHA2_512_256::YES +dave:: ipsec statusall 2> /dev/null::IKE proposal: BLOWFISH_CBC_128/HMAC_SHA2_256_128::YES +carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES +dave:: ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES +carol::ipsec statusall 2> /dev/null::BLOWFISH_CBC_192/HMAC_SHA2_256_128,::YES +dave:: ipsec statusall 2> /dev/null::BLOWFISH_CBC_128/HMAC_SHA1_96,::YES carol::ip -s xfrm state::enc cbc(blowfish).*(192 bits)::YES -dave::ipsec statusall::home.*ESTABLISHED::YES -dave::ipsec statusall::IKE proposal: BLOWFISH_CBC_128/HMAC_SHA2_256_128::YES -dave::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES -dave::ipsec statusall::BLOWFISH_CBC_128/HMAC_SHA1_96,::YES -dave::ip -s xfrm state::enc cbc(blowfish).*(128 bits)::YES +dave:: ip -s xfrm state::enc cbc(blowfish).*(128 bits)::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 184::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 184::YES moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP.*length 180::YES diff --git a/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/ipsec.conf index a78724926..89674b2a1 100755..100644 --- a/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no charondebug="cfg 2" conn %default diff --git a/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf index fed4f5ece..1f0fd41a8 100644 --- a/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf @@ -2,5 +2,5 @@ charon { dh_exponent_ansi_x9_42 = no - load = aes des blowfish md5 sha1 sha2 pem pkcs1 gmp curl random x509 revocation hmac stroke kernel-netlink socket-default updown + load = aes des blowfish md5 sha1 sha2 pem pkcs1 gmp curl random nonce x509 revocation hmac stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/alg-blowfish/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/alg-blowfish/hosts/dave/etc/ipsec.conf index 26f3f3a04..df3242d61 100755..100644 --- a/testing/tests/ikev2/alg-blowfish/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev2/alg-blowfish/hosts/dave/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf index fed4f5ece..1f0fd41a8 100644 --- a/testing/tests/ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf @@ -2,5 +2,5 @@ charon { dh_exponent_ansi_x9_42 = no - load = aes des blowfish md5 sha1 sha2 pem pkcs1 gmp curl random x509 revocation hmac stroke kernel-netlink socket-default updown + load = aes des blowfish md5 sha1 sha2 pem pkcs1 gmp curl random nonce x509 revocation hmac stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/ipsec.conf index 5183e26d2..82804a0fe 100755..100644 --- a/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no charondebug="cfg 2" conn %default diff --git a/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf index fed4f5ece..1f0fd41a8 100644 --- a/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf @@ -2,5 +2,5 @@ charon { dh_exponent_ansi_x9_42 = no - load = aes des blowfish md5 sha1 sha2 pem pkcs1 gmp curl random x509 revocation hmac stroke kernel-netlink socket-default updown + load = aes des blowfish md5 sha1 sha2 pem pkcs1 gmp curl random nonce x509 revocation hmac stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/alg-blowfish/posttest.dat b/testing/tests/ikev2/alg-blowfish/posttest.dat index 7cebd7f25..1865a1c60 100644 --- a/testing/tests/ikev2/alg-blowfish/posttest.dat +++ b/testing/tests/ikev2/alg-blowfish/posttest.dat @@ -1,6 +1,6 @@ moon::ipsec stop carol::ipsec stop dave::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null -dave::/etc/init.d/iptables stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/alg-blowfish/pretest.dat b/testing/tests/ikev2/alg-blowfish/pretest.dat index 42e9d7c24..8bbea1412 100644 --- a/testing/tests/ikev2/alg-blowfish/pretest.dat +++ b/testing/tests/ikev2/alg-blowfish/pretest.dat @@ -1,6 +1,6 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null -dave::/etc/init.d/iptables start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start dave::ipsec start diff --git a/testing/tests/ikev2/alg-blowfish/test.conf b/testing/tests/ikev2/alg-blowfish/test.conf index 70416826e..f29298850 100644 --- a/testing/tests/ikev2/alg-blowfish/test.conf +++ b/testing/tests/ikev2/alg-blowfish/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon carol winnetou dave" +VIRTHOSTS="alice moon carol winnetou dave" # Corresponding block diagram # DIAGRAM="a-m-c-w-d.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev2/alg-modp-subgroup/evaltest.dat b/testing/tests/ikev2/alg-modp-subgroup/evaltest.dat index 80df206bf..5e4ab98b3 100644 --- a/testing/tests/ikev2/alg-modp-subgroup/evaltest.dat +++ b/testing/tests/ikev2/alg-modp-subgroup/evaltest.dat @@ -1,13 +1,17 @@ +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[4]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES carol::cat /var/log/daemon.log::DH group MODP_2048_224.*MODP_1024_160::YES -dave::cat /var/log/daemon.log::DH group MODP_2048_224.*MODP_2048_256::YES -moon::ipsec statusall::rw.*ESTABLISHED.*carol@strongswan.org::YES -moon::ipsec statusall::rw.*ESTABLISHED.*dave@strongswan.org::YES -carol::ipsec statusall::home.*ESTABLISHED::YES -carol::ipsec statusall::home.*AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024_160::YES -dave::ipsec statusall::home.*ESTABLISHED::YES -dave::ipsec statusall::home.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048_256::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +dave:: cat /var/log/daemon.log::DH group MODP_2048_224.*MODP_2048_256::YES +carol::ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024_160::YES +dave:: ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048_256::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/alg-modp-subgroup/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/alg-modp-subgroup/hosts/carol/etc/ipsec.conf index 257923d02..84c9c8c7c 100755..100644 --- a/testing/tests/ikev2/alg-modp-subgroup/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/alg-modp-subgroup/hosts/carol/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/alg-modp-subgroup/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-modp-subgroup/hosts/carol/etc/strongswan.conf index 339b56987..dc937641c 100644 --- a/testing/tests/ikev2/alg-modp-subgroup/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/alg-modp-subgroup/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/alg-modp-subgroup/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/alg-modp-subgroup/hosts/dave/etc/ipsec.conf index 9b5247973..5402f24f3 100755..100644 --- a/testing/tests/ikev2/alg-modp-subgroup/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev2/alg-modp-subgroup/hosts/dave/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/alg-modp-subgroup/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/alg-modp-subgroup/hosts/dave/etc/strongswan.conf index 339b56987..dc937641c 100644 --- a/testing/tests/ikev2/alg-modp-subgroup/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/alg-modp-subgroup/hosts/dave/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/alg-modp-subgroup/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/alg-modp-subgroup/hosts/moon/etc/ipsec.conf index 2b66e3400..84b3d6880 100755..100644 --- a/testing/tests/ikev2/alg-modp-subgroup/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/alg-modp-subgroup/hosts/moon/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/alg-modp-subgroup/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-modp-subgroup/hosts/moon/etc/strongswan.conf index 339b56987..dc937641c 100644 --- a/testing/tests/ikev2/alg-modp-subgroup/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/alg-modp-subgroup/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/alg-modp-subgroup/posttest.dat b/testing/tests/ikev2/alg-modp-subgroup/posttest.dat index 7cebd7f25..1865a1c60 100644 --- a/testing/tests/ikev2/alg-modp-subgroup/posttest.dat +++ b/testing/tests/ikev2/alg-modp-subgroup/posttest.dat @@ -1,6 +1,6 @@ moon::ipsec stop carol::ipsec stop dave::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null -dave::/etc/init.d/iptables stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/alg-modp-subgroup/pretest.dat b/testing/tests/ikev2/alg-modp-subgroup/pretest.dat index 42e9d7c24..8bbea1412 100644 --- a/testing/tests/ikev2/alg-modp-subgroup/pretest.dat +++ b/testing/tests/ikev2/alg-modp-subgroup/pretest.dat @@ -1,6 +1,6 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null -dave::/etc/init.d/iptables start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start dave::ipsec start diff --git a/testing/tests/ikev2/alg-modp-subgroup/test.conf b/testing/tests/ikev2/alg-modp-subgroup/test.conf index 70416826e..f29298850 100644 --- a/testing/tests/ikev2/alg-modp-subgroup/test.conf +++ b/testing/tests/ikev2/alg-modp-subgroup/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon carol winnetou dave" +VIRTHOSTS="alice moon carol winnetou dave" # Corresponding block diagram # DIAGRAM="a-m-c-w-d.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev2/alg-sha256-96/evaltest.dat b/testing/tests/ikev2/alg-sha256-96/evaltest.dat index 7ec47aadf..6c4e23710 100644 --- a/testing/tests/ikev2/alg-sha256-96/evaltest.dat +++ b/testing/tests/ikev2/alg-sha256-96/evaltest.dat @@ -1,13 +1,15 @@ -moon::cat /var/log/daemon.log::received strongSwan vendor id::YES -carol::cat /var/log/daemon.log::received strongSwan vendor id::YES -moon::ipsec statusall::rw.*INSTALLED::YES -carol::ipsec statusall::home.*INSTALLED::YES -moon::ipsec statusall::rw.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES -carol::ipsec statusall::home.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES -carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES -moon::ipsec statusall::rw.*AES_CBC_128/HMAC_SHA2_256_96,::YES -carol::ipsec statusall::home.*AES_CBC_128/HMAC_SHA2_256_96,::YES -moon::ip xfrm state::auth hmac(sha256)::YES -carol::ip xfrm state::auth hmac(sha256)::YES +moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +moon:: cat /var/log/daemon.log::received strongSwan vendor ID::YES +carol::cat /var/log/daemon.log::received strongSwan vendor ID::YES +moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES +carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES +carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES +moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_128/HMAC_SHA2_256_96,::YES +carol::ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA2_256_96,::YES +moon:: ip xfrm state::auth-trunc hmac(sha256)::YES +carol::ip xfrm state::auth-trunc hmac(sha256)::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 196::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 196::YES diff --git a/testing/tests/ikev2/alg-sha256-96/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/alg-sha256-96/hosts/carol/etc/ipsec.conf index 47cf1e12c..0d3b9fd45 100755..100644 --- a/testing/tests/ikev2/alg-sha256-96/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/alg-sha256-96/hosts/carol/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=yes - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/alg-sha256-96/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-sha256-96/hosts/carol/etc/strongswan.conf index 53061a59b..eacadc544 100644 --- a/testing/tests/ikev2/alg-sha256-96/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/alg-sha256-96/hosts/carol/etc/strongswan.conf @@ -1,6 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown send_vendor_id = yes } diff --git a/testing/tests/ikev2/alg-sha256-96/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/alg-sha256-96/hosts/moon/etc/ipsec.conf index d340aaf70..b0a5c4616 100755..100644 --- a/testing/tests/ikev2/alg-sha256-96/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/alg-sha256-96/hosts/moon/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=yes - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/alg-sha256-96/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-sha256-96/hosts/moon/etc/strongswan.conf index 53061a59b..eacadc544 100644 --- a/testing/tests/ikev2/alg-sha256-96/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/alg-sha256-96/hosts/moon/etc/strongswan.conf @@ -1,6 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown send_vendor_id = yes } diff --git a/testing/tests/ikev2/alg-sha256-96/posttest.dat b/testing/tests/ikev2/alg-sha256-96/posttest.dat index 94a400606..046d4cfdc 100644 --- a/testing/tests/ikev2/alg-sha256-96/posttest.dat +++ b/testing/tests/ikev2/alg-sha256-96/posttest.dat @@ -1,4 +1,4 @@ moon::ipsec stop carol::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/alg-sha256-96/pretest.dat b/testing/tests/ikev2/alg-sha256-96/pretest.dat index f360351e1..4fc25772b 100644 --- a/testing/tests/ikev2/alg-sha256-96/pretest.dat +++ b/testing/tests/ikev2/alg-sha256-96/pretest.dat @@ -1,5 +1,5 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start carol::sleep 1 diff --git a/testing/tests/ikev2/alg-sha256-96/test.conf b/testing/tests/ikev2/alg-sha256-96/test.conf index 9cd583b16..4a5fc470f 100644 --- a/testing/tests/ikev2/alg-sha256-96/test.conf +++ b/testing/tests/ikev2/alg-sha256-96/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon carol winnetou" +VIRTHOSTS="alice moon carol winnetou" # Corresponding block diagram # DIAGRAM="a-m-c-w.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev2/alg-sha256/evaltest.dat b/testing/tests/ikev2/alg-sha256/evaltest.dat index 2d1cc92bb..eba856742 100644 --- a/testing/tests/ikev2/alg-sha256/evaltest.dat +++ b/testing/tests/ikev2/alg-sha256/evaltest.dat @@ -1,11 +1,13 @@ -moon::ipsec statusall::rw.*INSTALLED::YES -carol::ipsec statusall::home.*INSTALLED::YES -moon::ipsec statusall::rw.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES -carol::ipsec statusall::home.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES -carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES -moon::ipsec statusall::rw.*AES_CBC_128/HMAC_SHA2_256_128,::YES -carol::ipsec statusall::home.*AES_CBC_128/HMAC_SHA2_256_128,::YES -moon::ip xfrm state::auth hmac(sha256)::YES -carol::ip xfrm state::auth hmac(sha256)::YES +moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES +carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048::YES +carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES +moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_128/HMAC_SHA2_256_128,::YES +carol::ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA2_256_128,::YES +moon:: ip xfrm state::auth-trunc hmac(sha256)::YES +carol::ip xfrm state::auth-trunc hmac(sha256)::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 200::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 200::YES diff --git a/testing/tests/ikev2/alg-sha256/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/alg-sha256/hosts/carol/etc/ipsec.conf index d2b763a1b..22d2cd38a 100755..100644 --- a/testing/tests/ikev2/alg-sha256/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/alg-sha256/hosts/carol/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=yes - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/alg-sha256/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-sha256/hosts/carol/etc/strongswan.conf index 339b56987..dc937641c 100644 --- a/testing/tests/ikev2/alg-sha256/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/alg-sha256/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/alg-sha256/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/alg-sha256/hosts/moon/etc/ipsec.conf index 0e38bbb84..543374d76 100755..100644 --- a/testing/tests/ikev2/alg-sha256/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/alg-sha256/hosts/moon/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=yes - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/alg-sha256/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-sha256/hosts/moon/etc/strongswan.conf index 339b56987..dc937641c 100644 --- a/testing/tests/ikev2/alg-sha256/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/alg-sha256/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/alg-sha256/posttest.dat b/testing/tests/ikev2/alg-sha256/posttest.dat index 94a400606..046d4cfdc 100644 --- a/testing/tests/ikev2/alg-sha256/posttest.dat +++ b/testing/tests/ikev2/alg-sha256/posttest.dat @@ -1,4 +1,4 @@ moon::ipsec stop carol::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/alg-sha256/pretest.dat b/testing/tests/ikev2/alg-sha256/pretest.dat index f360351e1..4fc25772b 100644 --- a/testing/tests/ikev2/alg-sha256/pretest.dat +++ b/testing/tests/ikev2/alg-sha256/pretest.dat @@ -1,5 +1,5 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start carol::sleep 1 diff --git a/testing/tests/ikev2/alg-sha256/test.conf b/testing/tests/ikev2/alg-sha256/test.conf index 9cd583b16..4a5fc470f 100644 --- a/testing/tests/ikev2/alg-sha256/test.conf +++ b/testing/tests/ikev2/alg-sha256/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon carol winnetou" +VIRTHOSTS="alice moon carol winnetou" # Corresponding block diagram # DIAGRAM="a-m-c-w.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev2/alg-sha384/evaltest.dat b/testing/tests/ikev2/alg-sha384/evaltest.dat index 31bb64c5e..3b24217c5 100644 --- a/testing/tests/ikev2/alg-sha384/evaltest.dat +++ b/testing/tests/ikev2/alg-sha384/evaltest.dat @@ -1,11 +1,13 @@ -moon::ipsec statusall::rw.*INSTALLED::YES -carol::ipsec statusall::home.*INSTALLED::YES -moon::ipsec statusall::rw.*IKE proposal.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_3072::YES -carol::ipsec statusall::home.*IKE proposal.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_3072::YES -carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES -moon::ipsec statusall::rw.*AES_CBC_192/HMAC_SHA2_384_192,::YES -carol::ipsec statusall::home.*AES_CBC_192/HMAC_SHA2_384_192,::YES -moon::ip xfrm state::auth hmac(sha384)::YES -carol::ip xfrm state::auth hmac(sha384)::YES +moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_3072::YES +carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_3072::YES +carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES +moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_192/HMAC_SHA2_384_192,::YES +carol::ipsec statusall 2> /dev/null::home.*AES_CBC_192/HMAC_SHA2_384_192,::YES +moon:: ip xfrm state::auth-trunc hmac(sha384)::YES +carol::ip xfrm state::auth-trunc hmac(sha384)::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 208::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 208::YES diff --git a/testing/tests/ikev2/alg-sha384/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/alg-sha384/hosts/carol/etc/ipsec.conf index d38b7dfcf..e02d90b78 100755..100644 --- a/testing/tests/ikev2/alg-sha384/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/alg-sha384/hosts/carol/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=yes - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/alg-sha384/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-sha384/hosts/carol/etc/strongswan.conf index 339b56987..dc937641c 100644 --- a/testing/tests/ikev2/alg-sha384/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/alg-sha384/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/alg-sha384/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/alg-sha384/hosts/moon/etc/ipsec.conf index ea84cd8a4..990fce1d0 100755..100644 --- a/testing/tests/ikev2/alg-sha384/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/alg-sha384/hosts/moon/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=yes - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/alg-sha384/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-sha384/hosts/moon/etc/strongswan.conf index 339b56987..dc937641c 100644 --- a/testing/tests/ikev2/alg-sha384/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/alg-sha384/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/alg-sha384/posttest.dat b/testing/tests/ikev2/alg-sha384/posttest.dat index 94a400606..046d4cfdc 100644 --- a/testing/tests/ikev2/alg-sha384/posttest.dat +++ b/testing/tests/ikev2/alg-sha384/posttest.dat @@ -1,4 +1,4 @@ moon::ipsec stop carol::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/alg-sha384/pretest.dat b/testing/tests/ikev2/alg-sha384/pretest.dat index f360351e1..4fc25772b 100644 --- a/testing/tests/ikev2/alg-sha384/pretest.dat +++ b/testing/tests/ikev2/alg-sha384/pretest.dat @@ -1,5 +1,5 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start carol::sleep 1 diff --git a/testing/tests/ikev2/alg-sha384/test.conf b/testing/tests/ikev2/alg-sha384/test.conf index 9cd583b16..4a5fc470f 100644 --- a/testing/tests/ikev2/alg-sha384/test.conf +++ b/testing/tests/ikev2/alg-sha384/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon carol winnetou" +VIRTHOSTS="alice moon carol winnetou" # Corresponding block diagram # DIAGRAM="a-m-c-w.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev2/alg-sha512/evaltest.dat b/testing/tests/ikev2/alg-sha512/evaltest.dat index e0f5fb7a3..6bdceeb44 100644 --- a/testing/tests/ikev2/alg-sha512/evaltest.dat +++ b/testing/tests/ikev2/alg-sha512/evaltest.dat @@ -1,11 +1,13 @@ -moon::ipsec statusall::rw.*INSTALLED::YES -carol::ipsec statusall::home.*INSTALLED::YES -moon::ipsec statusall::rw.*IKE proposal.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_4096::YES -carol::ipsec statusall::home.*IKE proposal.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_4096::YES -carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES -moon::ipsec statusall::rw.*AES_CBC_256/HMAC_SHA2_512_256,::YES -carol::ipsec statusall::home.*AES_CBC_256/HMAC_SHA2_512_256,::YES -moon::ip xfrm state::auth hmac(sha512)::YES -carol::ip xfrm state::auth hmac(sha512)::YES +moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_4096::YES +carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_4096::YES +carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES +moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_256/HMAC_SHA2_512_256,::YES +carol::ipsec statusall 2> /dev/null::home.*AES_CBC_256/HMAC_SHA2_512_256,::YES +moon:: ip xfrm state::auth-trunc hmac(sha512)::YES +carol::ip xfrm state::auth-trunc hmac(sha512)::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 216::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 216::YES diff --git a/testing/tests/ikev2/alg-sha512/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/alg-sha512/hosts/carol/etc/ipsec.conf index 583522d1b..13ab244bb 100755..100644 --- a/testing/tests/ikev2/alg-sha512/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/alg-sha512/hosts/carol/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=yes - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/alg-sha512/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-sha512/hosts/carol/etc/strongswan.conf index 339b56987..dc937641c 100644 --- a/testing/tests/ikev2/alg-sha512/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/alg-sha512/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/alg-sha512/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/alg-sha512/hosts/moon/etc/ipsec.conf index 40fec93c0..e6d410442 100755..100644 --- a/testing/tests/ikev2/alg-sha512/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/alg-sha512/hosts/moon/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=yes - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/alg-sha512/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-sha512/hosts/moon/etc/strongswan.conf index 339b56987..dc937641c 100644 --- a/testing/tests/ikev2/alg-sha512/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/alg-sha512/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/alg-sha512/posttest.dat b/testing/tests/ikev2/alg-sha512/posttest.dat index 94a400606..046d4cfdc 100644 --- a/testing/tests/ikev2/alg-sha512/posttest.dat +++ b/testing/tests/ikev2/alg-sha512/posttest.dat @@ -1,4 +1,4 @@ moon::ipsec stop carol::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/alg-sha512/pretest.dat b/testing/tests/ikev2/alg-sha512/pretest.dat index f360351e1..4fc25772b 100644 --- a/testing/tests/ikev2/alg-sha512/pretest.dat +++ b/testing/tests/ikev2/alg-sha512/pretest.dat @@ -1,5 +1,5 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start carol::sleep 1 diff --git a/testing/tests/ikev2/alg-sha512/test.conf b/testing/tests/ikev2/alg-sha512/test.conf index 9cd583b16..4a5fc470f 100644 --- a/testing/tests/ikev2/alg-sha512/test.conf +++ b/testing/tests/ikev2/alg-sha512/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon carol winnetou" +VIRTHOSTS="alice moon carol winnetou" # Corresponding block diagram # DIAGRAM="a-m-c-w.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev2/any-interface/evaltest.dat b/testing/tests/ikev2/any-interface/evaltest.dat index f475ba70b..800ae4353 100644 --- a/testing/tests/ikev2/any-interface/evaltest.dat +++ b/testing/tests/ikev2/any-interface/evaltest.dat @@ -1,10 +1,17 @@ -moon::cat /var/log/daemon.log::creating acquire job::YES -bob::cat /var/log/daemon.log::creating acquire job::YES -moon::ipsec statusall::alice.*INSTALLED, TRANSPORT::YES -moon::ipsec statusall::sun.*INSTALLED, TRANSPORT::YES -alice::ipsec statusall::remote.*INSTALLED, TRANSPORT::YES -sun::ipsec statusall::remote.*INSTALLED, TRANSPORT::YES -bob::ipsec statusall::sun.*INSTALLED, TRANSPORT::YES +moon:: cat /var/log/daemon.log::creating acquire job::YES +bob:: cat /var/log/daemon.log::creating acquire job::YES +moon:: ipsec status 2> /dev/null::alice.*ESTABLISHED.*CN=moon.strongswan.org.*CN=alice@strongswan.org::YES +moon:: ipsec status 2> /dev/null::sun.*ESTABLISHED.*CN=moon.strongswan.org.*CN=sun.strongswan.org::YES +alice::ipsec status 2> /dev/null::remote.*ESTABLISHED.*CN=alice@strongswan.org.*CN=moon.strongswan.org::YES +sun:: ipsec status 2> /dev/null::remote\[1]: ESTABLISHED.*CN=sun.strongswan.org.*CN=moon.strongswan.org::YES +sun:: ipsec status 2> /dev/null::remote\[2]: ESTABLISHED.*CN=sun.strongswan.org.*CN=bob@strongswan.org::YES +bob:: ipsec status 2> /dev/null::sun.*ESTABLISHED.*CN=bob@strongswan.org.*CN=sun.strongswan.org::YES +moon:: ipsec status 2> /dev/null::alice.*INSTALLED, TRANSPORT::YES +moon:: ipsec status 2> /dev/null::sun.*INSTALLED, TRANSPORT::YES +alice::ipsec status 2> /dev/null::remote.*INSTALLED, TRANSPORT::YES +sun:: ipsec status 2> /dev/null::remote[{]1}.*INSTALLED, TRANSPORT::YES +sun:: ipsec status 2> /dev/null::remote[{]2}.*INSTALLED, TRANSPORT::YES +bob:: ipsec status 2> /dev/null::sun.*INSTALLED, TRANSPORT::YES alice::tcpdump::IP moon1.strongswan.org > alice.strongswan.org: ESP::YES alice::tcpdump::IP alice.strongswan.org > moon1.strongswan.org: ESP::YES sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/any-interface/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/any-interface/hosts/alice/etc/ipsec.conf index eb7dfe848..4f2c78fd3 100755..100644 --- a/testing/tests/ikev2/any-interface/hosts/alice/etc/ipsec.conf +++ b/testing/tests/ikev2/any-interface/hosts/alice/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/any-interface/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/any-interface/hosts/alice/etc/strongswan.conf index cb1485446..a14fc560c 100644 --- a/testing/tests/ikev2/any-interface/hosts/alice/etc/strongswan.conf +++ b/testing/tests/ikev2/any-interface/hosts/alice/etc/strongswan.conf @@ -1,6 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default multiple_authentication = no } diff --git a/testing/tests/ikev2/any-interface/hosts/bob/etc/ipsec.conf b/testing/tests/ikev2/any-interface/hosts/bob/etc/ipsec.conf index 40d029b3e..c232c4332 100755..100644 --- a/testing/tests/ikev2/any-interface/hosts/bob/etc/ipsec.conf +++ b/testing/tests/ikev2/any-interface/hosts/bob/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/any-interface/hosts/bob/etc/strongswan.conf b/testing/tests/ikev2/any-interface/hosts/bob/etc/strongswan.conf index cb1485446..a14fc560c 100644 --- a/testing/tests/ikev2/any-interface/hosts/bob/etc/strongswan.conf +++ b/testing/tests/ikev2/any-interface/hosts/bob/etc/strongswan.conf @@ -1,6 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default multiple_authentication = no } diff --git a/testing/tests/ikev2/any-interface/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/any-interface/hosts/moon/etc/ipsec.conf index ab0534331..17fcf0a7a 100755..100644 --- a/testing/tests/ikev2/any-interface/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/any-interface/hosts/moon/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/any-interface/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/any-interface/hosts/moon/etc/strongswan.conf index cb1485446..a14fc560c 100644 --- a/testing/tests/ikev2/any-interface/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/any-interface/hosts/moon/etc/strongswan.conf @@ -1,6 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default multiple_authentication = no } diff --git a/testing/tests/ikev2/any-interface/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/any-interface/hosts/sun/etc/ipsec.conf index 71699b08e..fce24ef25 100755..100644 --- a/testing/tests/ikev2/any-interface/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ikev2/any-interface/hosts/sun/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/any-interface/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/any-interface/hosts/sun/etc/strongswan.conf index cb1485446..a14fc560c 100644 --- a/testing/tests/ikev2/any-interface/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/any-interface/hosts/sun/etc/strongswan.conf @@ -1,6 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default multiple_authentication = no } diff --git a/testing/tests/ikev2/any-interface/pretest.dat b/testing/tests/ikev2/any-interface/pretest.dat index b8e91194e..0a6ce8be4 100644 --- a/testing/tests/ikev2/any-interface/pretest.dat +++ b/testing/tests/ikev2/any-interface/pretest.dat @@ -1,5 +1,3 @@ -moon::echo 1 > /proc/sys/net/ipv4/ip_forward -sun::echo 1 > /proc/sys/net/ipv4/ip_forward winnetou::ip route add 10.1.0.0/16 via PH_IP_MOON winnetou::ip route add 10.2.0.0/16 via PH_IP_SUN alice::ipsec start diff --git a/testing/tests/ikev2/any-interface/test.conf b/testing/tests/ikev2/any-interface/test.conf index 25e5cd872..cc04d45e6 100644 --- a/testing/tests/ikev2/any-interface/test.conf +++ b/testing/tests/ikev2/any-interface/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon winnetou sun bob" +VIRTHOSTS="alice moon winnetou sun bob" # Corresponding block diagram # DIAGRAM="a-m-w-s-b.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="alice sun bob" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="alice moon sun bob" diff --git a/testing/tests/ikev2/compress/evaltest.dat b/testing/tests/ikev2/compress/evaltest.dat index 22dd94866..b989a7774 100644 --- a/testing/tests/ikev2/compress/evaltest.dat +++ b/testing/tests/ikev2/compress/evaltest.dat @@ -1,8 +1,10 @@ -moon::cat /var/log/daemon.log::IKE_AUTH request.*N(IPCOMP_SUP)::YES -moon::cat /var/log/daemon.log::IKE_AUTH response.*N(IPCOMP_SUP)::YES -carol::ipsec status::home.*INSTALLED::YES -moon::ipsec status::rw.*INSTALLED::YES -moon::ip xfrm state::proto comp spi::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL.*IPCOMP::YES +moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL.*IPCOMP::YES +moon:: cat /var/log/daemon.log::IKE_AUTH request.*N(IPCOMP_SUP)::YES +moon:: cat /var/log/daemon.log::IKE_AUTH response.*N(IPCOMP_SUP)::YES +moon:: ip xfrm state::proto comp spi::YES carol::ip xfrm state::proto comp spi::YES carol::ping -n -c 2 -s 8184 -p deadbeef PH_IP_ALICE::8192 bytes from PH_IP_ALICE::YES moon::tcpdump::carol.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/compress/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/compress/hosts/carol/etc/ipsec.conf index 670a50c00..7502175e7 100755..100644 --- a/testing/tests/ikev2/compress/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/compress/hosts/carol/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/compress/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/compress/hosts/carol/etc/strongswan.conf index 88f162098..85d8c191f 100644 --- a/testing/tests/ikev2/compress/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/compress/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/compress/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/compress/hosts/moon/etc/ipsec.conf index 91abfd4da..aa1be047e 100755..100644 --- a/testing/tests/ikev2/compress/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/compress/hosts/moon/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/compress/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/compress/hosts/moon/etc/strongswan.conf index 88f162098..85d8c191f 100644 --- a/testing/tests/ikev2/compress/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/compress/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/compress/pretest.dat b/testing/tests/ikev2/compress/pretest.dat index 7d077c126..f5aa989fe 100644 --- a/testing/tests/ikev2/compress/pretest.dat +++ b/testing/tests/ikev2/compress/pretest.dat @@ -1,4 +1,3 @@ -moon::echo 1 > /proc/sys/net/ipv4/ip_forward carol::ipsec start moon::ipsec start carol::sleep 2 diff --git a/testing/tests/ikev2/compress/test.conf b/testing/tests/ikev2/compress/test.conf index 6abbb89a9..d7b71426c 100644 --- a/testing/tests/ikev2/compress/test.conf +++ b/testing/tests/ikev2/compress/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon carol winnetou" +VIRTHOSTS="alice moon carol winnetou" # Corresponding block diagram # DIAGRAM="a-m-c-w.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev2/config-payload-swapped/evaltest.dat b/testing/tests/ikev2/config-payload-swapped/evaltest.dat index 73d5ea206..b6a1c96a6 100644 --- a/testing/tests/ikev2/config-payload-swapped/evaltest.dat +++ b/testing/tests/ikev2/config-payload-swapped/evaltest.dat @@ -1,15 +1,19 @@ +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES carol::ip addr list dev eth0::PH_IP_CAROL1::YES carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES -carol::ipsec status::home.*INSTALLED::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -dave::cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES -dave::ip addr list dev eth0::PH_IP_DAVE1::YES -dave::ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES -dave::ipsec status::home.*INSTALLED::YES -dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -moon::ipsec status::rw-carol.*INSTALLED::YES -moon::ipsec status::rw-dave.*INSTALLED::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES +dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES +dave:: ip addr list dev eth0::PH_IP_DAVE1::YES +dave:: ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES +dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +moon:: ipsec status 2> /dev/null::rw-carol.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw-dave.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw-carol.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw-dave.*INSTALLED, TUNNEL::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/config-payload-swapped/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/config-payload-swapped/hosts/carol/etc/ipsec.conf index 6894a952c..c453475e0 100755..100644 --- a/testing/tests/ikev2/config-payload-swapped/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/config-payload-swapped/hosts/carol/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/config-payload-swapped/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/config-payload-swapped/hosts/carol/etc/strongswan.conf index 339b56987..dc937641c 100644 --- a/testing/tests/ikev2/config-payload-swapped/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/config-payload-swapped/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/config-payload-swapped/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/config-payload-swapped/hosts/dave/etc/ipsec.conf index cefbc8270..9da73d9a2 100755..100644 --- a/testing/tests/ikev2/config-payload-swapped/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev2/config-payload-swapped/hosts/dave/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/config-payload-swapped/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/config-payload-swapped/hosts/dave/etc/strongswan.conf index 339b56987..dc937641c 100644 --- a/testing/tests/ikev2/config-payload-swapped/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/config-payload-swapped/hosts/dave/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/ipsec.conf index 222673704..ef974c98f 100755..100644 --- a/testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/strongswan.conf index 339b56987..dc937641c 100644 --- a/testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/config-payload-swapped/posttest.dat b/testing/tests/ikev2/config-payload-swapped/posttest.dat index 7cebd7f25..1865a1c60 100644 --- a/testing/tests/ikev2/config-payload-swapped/posttest.dat +++ b/testing/tests/ikev2/config-payload-swapped/posttest.dat @@ -1,6 +1,6 @@ moon::ipsec stop carol::ipsec stop dave::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null -dave::/etc/init.d/iptables stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/config-payload-swapped/pretest.dat b/testing/tests/ikev2/config-payload-swapped/pretest.dat index 014e80517..3864bdac3 100644 --- a/testing/tests/ikev2/config-payload-swapped/pretest.dat +++ b/testing/tests/ikev2/config-payload-swapped/pretest.dat @@ -1,6 +1,6 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null -dave::/etc/init.d/iptables start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules carol::ipsec start dave::ipsec start moon::ipsec start diff --git a/testing/tests/ikev2/config-payload-swapped/test.conf b/testing/tests/ikev2/config-payload-swapped/test.conf index 1a8f2a4e0..164b07ff9 100644 --- a/testing/tests/ikev2/config-payload-swapped/test.conf +++ b/testing/tests/ikev2/config-payload-swapped/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon carol winnetou dave" +VIRTHOSTS="alice moon carol winnetou dave" # Corresponding block diagram # DIAGRAM="a-m-c-w-d.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon alice" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev2/config-payload/evaltest.dat b/testing/tests/ikev2/config-payload/evaltest.dat index 3451112cc..b46dfddf6 100644 --- a/testing/tests/ikev2/config-payload/evaltest.dat +++ b/testing/tests/ikev2/config-payload/evaltest.dat @@ -1,17 +1,21 @@ +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES carol::ip addr list dev eth0::PH_IP_CAROL1::YES carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES carol::cat /etc/resolv.conf::nameserver PH_IP_WINNETOU .*from moon.strongswan.org::YES carol::cat /etc/resolv.conf::nameserver PH_IP_VENUS .*from moon.strongswan.org::YES -carol::ipsec status::home.*INSTALLED::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -dave::cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES -dave::ip addr list dev eth0::PH_IP_DAVE1::YES -dave::ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES -dave::ipsec status::home.*INSTALLED::YES -dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -moon::ipsec status::rw-carol.*INSTALLED::YES -moon::ipsec status::rw-dave.*INSTALLED::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES +dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES +dave:: ip addr list dev eth0::PH_IP_DAVE1::YES +dave:: ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES +dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +moon:: ipsec status 2> /dev/null::rw-carol.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw-dave.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw-carol.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw-dave.*INSTALLED, TUNNEL::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/config-payload/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/config-payload/hosts/carol/etc/ipsec.conf index a19f6cfae..8c6c28bd6 100755..100644 --- a/testing/tests/ikev2/config-payload/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/config-payload/hosts/carol/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/config-payload/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/config-payload/hosts/carol/etc/strongswan.conf index cb5f6406b..0e4e57729 100644 --- a/testing/tests/ikev2/config-payload/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/config-payload/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown resolve } diff --git a/testing/tests/ikev2/config-payload/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/config-payload/hosts/dave/etc/ipsec.conf index 1a89f4e5d..72b8a59c0 100755..100644 --- a/testing/tests/ikev2/config-payload/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev2/config-payload/hosts/dave/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/config-payload/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/config-payload/hosts/dave/etc/strongswan.conf index cb5f6406b..0e4e57729 100644 --- a/testing/tests/ikev2/config-payload/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/config-payload/hosts/dave/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown resolve } diff --git a/testing/tests/ikev2/config-payload/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/config-payload/hosts/moon/etc/ipsec.conf index bb558fe25..a8cf08544 100755..100644 --- a/testing/tests/ikev2/config-payload/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/config-payload/hosts/moon/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/config-payload/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/config-payload/hosts/moon/etc/strongswan.conf index f763e3ef1..002166a54 100644 --- a/testing/tests/ikev2/config-payload/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/config-payload/hosts/moon/etc/strongswan.conf @@ -1,7 +1,8 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown attr + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown attr + dns1 = PH_IP_WINNETOU dns2 = PH_IP_VENUS } diff --git a/testing/tests/ikev2/config-payload/posttest.dat b/testing/tests/ikev2/config-payload/posttest.dat index 7cebd7f25..1865a1c60 100644 --- a/testing/tests/ikev2/config-payload/posttest.dat +++ b/testing/tests/ikev2/config-payload/posttest.dat @@ -1,6 +1,6 @@ moon::ipsec stop carol::ipsec stop dave::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null -dave::/etc/init.d/iptables stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/config-payload/pretest.dat b/testing/tests/ikev2/config-payload/pretest.dat index 014e80517..3864bdac3 100644 --- a/testing/tests/ikev2/config-payload/pretest.dat +++ b/testing/tests/ikev2/config-payload/pretest.dat @@ -1,6 +1,6 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null -dave::/etc/init.d/iptables start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules carol::ipsec start dave::ipsec start moon::ipsec start diff --git a/testing/tests/ikev2/config-payload/test.conf b/testing/tests/ikev2/config-payload/test.conf index 1a8f2a4e0..164b07ff9 100644 --- a/testing/tests/ikev2/config-payload/test.conf +++ b/testing/tests/ikev2/config-payload/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon carol winnetou dave" +VIRTHOSTS="alice moon carol winnetou dave" # Corresponding block diagram # DIAGRAM="a-m-c-w-d.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon alice" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev2/critical-extension/evaltest.dat b/testing/tests/ikev2/critical-extension/evaltest.dat index 8c2f8ec9d..05c2c2f4d 100644 --- a/testing/tests/ikev2/critical-extension/evaltest.dat +++ b/testing/tests/ikev2/critical-extension/evaltest.dat @@ -1,6 +1,8 @@ +moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED::NO +sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED::NO moon::cat /var/log/daemon.log::sending end entity cert::YES moon::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES -sun::cat /var/log/daemon.log::critical 'strongSwan' extension not supported::YES -sun::cat /var/log/daemon.log::building CRED_CERTIFICATE - ANY failed::YES -sun::cat /var/log/daemon.log::loading certificate from 'sunCert.der' failed::YES -sun::cat /var/log/daemon.log::building CRED_CERTIFICATE - X509 failed::YES +sun:: cat /var/log/daemon.log::critical 'strongSwan' extension not supported::YES +sun:: cat /var/log/daemon.log::building CRED_CERTIFICATE - ANY failed::YES +sun:: cat /var/log/daemon.log::loading certificate from 'sunCert.der' failed::YES +sun:: cat /var/log/daemon.log::building CRED_CERTIFICATE - X509 failed::YES diff --git a/testing/tests/ikev2/critical-extension/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/critical-extension/hosts/moon/etc/ipsec.conf index 2e3c9dde4..3b065774f 100755..100644 --- a/testing/tests/ikev2/critical-extension/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/critical-extension/hosts/moon/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/critical-extension/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/critical-extension/hosts/moon/etc/strongswan.conf index bfc83ab4d..c393b298a 100644 --- a/testing/tests/ikev2/critical-extension/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/critical-extension/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown multiple_authentication = no } diff --git a/testing/tests/ikev2/critical-extension/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/critical-extension/hosts/sun/etc/ipsec.conf index 19e197131..2b4406d75 100755..100644 --- a/testing/tests/ikev2/critical-extension/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ikev2/critical-extension/hosts/sun/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/critical-extension/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/critical-extension/hosts/sun/etc/strongswan.conf index cb17a9e07..8e685c862 100644 --- a/testing/tests/ikev2/critical-extension/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/critical-extension/hosts/sun/etc/strongswan.conf @@ -1,6 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown multiple_authentication = no } diff --git a/testing/tests/ikev2/critical-extension/posttest.dat b/testing/tests/ikev2/critical-extension/posttest.dat index a4c96e10f..837738fc6 100644 --- a/testing/tests/ikev2/critical-extension/posttest.dat +++ b/testing/tests/ikev2/critical-extension/posttest.dat @@ -1,5 +1,5 @@ moon::ipsec stop sun::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -sun::/etc/init.d/iptables stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/critical-extension/pretest.dat b/testing/tests/ikev2/critical-extension/pretest.dat index 2d7a78acb..c724e5df8 100644 --- a/testing/tests/ikev2/critical-extension/pretest.dat +++ b/testing/tests/ikev2/critical-extension/pretest.dat @@ -1,5 +1,5 @@ -moon::/etc/init.d/iptables start 2> /dev/null -sun::/etc/init.d/iptables start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +sun::iptables-restore < /etc/iptables.rules moon::ipsec start sun::ipsec start moon::sleep 1 diff --git a/testing/tests/ikev2/critical-extension/test.conf b/testing/tests/ikev2/critical-extension/test.conf index 41ee3037e..b286ef6eb 100644 --- a/testing/tests/ikev2/critical-extension/test.conf +++ b/testing/tests/ikev2/critical-extension/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon winnetou sun bob" +VIRTHOSTS="alice moon winnetou sun bob" # Corresponding block diagram # DIAGRAM="a-m-w-s-b.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon sun" diff --git a/testing/tests/ikev2/crl-from-cache/evaltest.dat b/testing/tests/ikev2/crl-from-cache/evaltest.dat index 2f4cf7afa..2d649bbee 100644 --- a/testing/tests/ikev2/crl-from-cache/evaltest.dat +++ b/testing/tests/ikev2/crl-from-cache/evaltest.dat @@ -1,10 +1,12 @@ -moon::cat /var/log/daemon.log::loaded crl from::YES -moon::cat /var/log/daemon.log::crl is valid::YES -moon::cat /var/log/daemon.log::certificate status is good::YES -moon::ipsec listcrls:: ok::YES +moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +moon:: cat /var/log/daemon.log::loaded crl from::YES +moon:: cat /var/log/daemon.log::crl is valid::YES +moon:: cat /var/log/daemon.log::certificate status is good::YES +moon:: cat /var/log/daemon.log::using cached crl::YES +moon:: ipsec listcrls 2> /dev/null:: ok::YES carol::cat /var/log/daemon.log::loaded crl from::YES carol::cat /var/log/daemon.log::crl is valid::YES carol::cat /var/log/daemon.log::certificate status is good::YES -carol::ipsec listcrls:: ok::YES -moon::ipsec status::rw.*ESTABLISHED::YES -carol::ipsec status::home.*ESTABLISHED::YES +carol::cat /var/log/daemon.log::using cached crl::YES +carol::ipsec listcrls 2> /dev/null:: ok::YES diff --git a/testing/tests/ikev2/crl-from-cache/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/crl-from-cache/hosts/carol/etc/ipsec.conf index 4d47c831c..17a58545c 100755..100644 --- a/testing/tests/ikev2/crl-from-cache/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/crl-from-cache/hosts/carol/etc/ipsec.conf @@ -1,10 +1,8 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 strictcrlpolicy=yes cachecrls=yes - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/crl-from-cache/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/crl-from-cache/hosts/carol/etc/strongswan.conf index 88f162098..85d8c191f 100644 --- a/testing/tests/ikev2/crl-from-cache/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/crl-from-cache/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/ipsec.conf index 9488a6822..3314f7538 100755..100644 --- a/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/ipsec.conf @@ -1,10 +1,8 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 strictcrlpolicy=yes cachecrls=yes - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/strongswan.conf index 88f162098..85d8c191f 100644 --- a/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/crl-from-cache/test.conf b/testing/tests/ikev2/crl-from-cache/test.conf index 2b240d895..892f51cd9 100644 --- a/testing/tests/ikev2/crl-from-cache/test.conf +++ b/testing/tests/ikev2/crl-from-cache/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="moon carol winnetou" +VIRTHOSTS="moon carol winnetou" # Corresponding block diagram # DIAGRAM="m-c-w.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev2/crl-ldap/evaltest.dat b/testing/tests/ikev2/crl-ldap/evaltest.dat index 5ab094401..b0774c64d 100644 --- a/testing/tests/ikev2/crl-ldap/evaltest.dat +++ b/testing/tests/ikev2/crl-ldap/evaltest.dat @@ -1,12 +1,12 @@ -moon::cat /var/log/daemon.log::loaded crl from::YES -moon::cat /var/log/daemon.log::crl is stale::YES -moon::cat /var/log/daemon.log::fetching crl from.*ldap::YES -moon::cat /var/log/daemon.log::crl is valid::YES -moon::cat /var/log/daemon.log::certificate status is good::YES +moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +moon:: cat /var/log/daemon.log::loaded crl from::YES +moon:: cat /var/log/daemon.log::crl is stale::YES +moon:: cat /var/log/daemon.log::fetching crl from.*ldap::YES +moon:: cat /var/log/daemon.log::crl is valid::YES +moon:: cat /var/log/daemon.log::certificate status is good::YES carol::cat /var/log/daemon.log::loaded crl from::YES carol::cat /var/log/daemon.log::crl is stale::YES carol::cat /var/log/daemon.log::fetching crl from.*ldap::YES carol::cat /var/log/daemon.log::crl is valid::YES carol::cat /var/log/daemon.log::certificate status is good::YES -moon::ipsec status::rw.*ESTABLISHED::YES -carol::ipsec status::home.*ESTABLISHED::YES diff --git a/testing/tests/ikev2/crl-ldap/hosts/carol/etc/init.d/iptables b/testing/tests/ikev2/crl-ldap/hosts/carol/etc/init.d/iptables deleted file mode 100755 index 999d0d183..000000000 --- a/testing/tests/ikev2/crl-ldap/hosts/carol/etc/init.d/iptables +++ /dev/null @@ -1,77 +0,0 @@ -#!/sbin/runscript -# Copyright 1999-2004 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 - -opts="start stop reload" - -depend() { - before net - need logger -} - -start() { - ebegin "Starting firewall" - - # default policy is DROP - /sbin/iptables -P INPUT DROP - /sbin/iptables -P OUTPUT DROP - /sbin/iptables -P FORWARD DROP - - # allow esp - iptables -A INPUT -i eth0 -p 50 -j ACCEPT - iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT - - # allow IKE - iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT - - # allow MobIKE - iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT - - # allow ldap crl fetch from winnetou - iptables -A INPUT -i eth0 -p tcp --sport 389 -s PH_IP_WINNETOU -j ACCEPT - iptables -A OUTPUT -o eth0 -p tcp --dport 389 -d PH_IP_WINNETOU -j ACCEPT - - # allow ssh - iptables -A INPUT -p tcp --dport 22 -j ACCEPT - iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT - - eend $? -} - -stop() { - ebegin "Stopping firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - - if [ $a == nat ]; then - /sbin/iptables -t nat -P PREROUTING ACCEPT - /sbin/iptables -t nat -P POSTROUTING ACCEPT - /sbin/iptables -t nat -P OUTPUT ACCEPT - elif [ $a == mangle ]; then - /sbin/iptables -t mangle -P PREROUTING ACCEPT - /sbin/iptables -t mangle -P INPUT ACCEPT - /sbin/iptables -t mangle -P FORWARD ACCEPT - /sbin/iptables -t mangle -P OUTPUT ACCEPT - /sbin/iptables -t mangle -P POSTROUTING ACCEPT - elif [ $a == filter ]; then - /sbin/iptables -t filter -P INPUT ACCEPT - /sbin/iptables -t filter -P FORWARD ACCEPT - /sbin/iptables -t filter -P OUTPUT ACCEPT - fi - done - eend $? -} - -reload() { - ebegin "Flushing firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - done; - eend $? - start -} - diff --git a/testing/tests/ikev2/crl-ldap/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/crl-ldap/hosts/carol/etc/ipsec.conf index 26d34de47..69ba4205f 100755..100644 --- a/testing/tests/ikev2/crl-ldap/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/crl-ldap/hosts/carol/etc/ipsec.conf @@ -1,10 +1,8 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 strictcrlpolicy=yes cachecrls=yes - plutostart=no ca strongswan cacert=strongswanCert.pem diff --git a/testing/tests/ikev2/crl-ldap/hosts/carol/etc/iptables.rules b/testing/tests/ikev2/crl-ldap/hosts/carol/etc/iptables.rules new file mode 100644 index 000000000..debcc2181 --- /dev/null +++ b/testing/tests/ikev2/crl-ldap/hosts/carol/etc/iptables.rules @@ -0,0 +1,28 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow esp +-A INPUT -i eth0 -p 50 -j ACCEPT +-A OUTPUT -o eth0 -p 50 -j ACCEPT + +# allow IKE +-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow ldap crl fetch from winnetou +-A INPUT -i eth0 -p tcp --sport 389 -s PH_IP_WINNETOU -j ACCEPT +-A OUTPUT -o eth0 -p tcp --dport 389 -d PH_IP_WINNETOU -j ACCEPT + +COMMIT diff --git a/testing/tests/ikev2/crl-ldap/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/crl-ldap/hosts/carol/etc/strongswan.conf index cccd6ae27..d0c3f8c49 100644 --- a/testing/tests/ikev2/crl-ldap/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/crl-ldap/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = ldap aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = ldap aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/crl-ldap/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/crl-ldap/hosts/moon/etc/init.d/iptables deleted file mode 100755 index 4f4f3228b..000000000 --- a/testing/tests/ikev2/crl-ldap/hosts/moon/etc/init.d/iptables +++ /dev/null @@ -1,80 +0,0 @@ -#!/sbin/runscript -# Copyright 1999-2004 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 - -opts="start stop reload" - -depend() { - before net - need logger -} - -start() { - ebegin "Starting firewall" - - # enable IP forwarding - echo 1 > /proc/sys/net/ipv4/ip_forward - - # default policy is DROP - /sbin/iptables -P INPUT DROP - /sbin/iptables -P OUTPUT DROP - /sbin/iptables -P FORWARD DROP - - # allow esp - iptables -A INPUT -i eth0 -p 50 -j ACCEPT - iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT - - # allow IKE - iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT - - # allow MobIKE - iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT - - # allow ldap crl fetch from winnetou - iptables -A INPUT -i eth0 -p tcp --sport 389 -s PH_IP_WINNETOU -j ACCEPT - iptables -A OUTPUT -o eth0 -p tcp --dport 389 -d PH_IP_WINNETOU -j ACCEPT - - # allow ssh - iptables -A INPUT -p tcp --dport 22 -j ACCEPT - iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT - - eend $? -} - -stop() { - ebegin "Stopping firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - - if [ $a == nat ]; then - /sbin/iptables -t nat -P PREROUTING ACCEPT - /sbin/iptables -t nat -P POSTROUTING ACCEPT - /sbin/iptables -t nat -P OUTPUT ACCEPT - elif [ $a == mangle ]; then - /sbin/iptables -t mangle -P PREROUTING ACCEPT - /sbin/iptables -t mangle -P INPUT ACCEPT - /sbin/iptables -t mangle -P FORWARD ACCEPT - /sbin/iptables -t mangle -P OUTPUT ACCEPT - /sbin/iptables -t mangle -P POSTROUTING ACCEPT - elif [ $a == filter ]; then - /sbin/iptables -t filter -P INPUT ACCEPT - /sbin/iptables -t filter -P FORWARD ACCEPT - /sbin/iptables -t filter -P OUTPUT ACCEPT - fi - done - eend $? -} - -reload() { - ebegin "Flushing firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - done; - eend $? - start -} - diff --git a/testing/tests/ikev2/crl-ldap/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/crl-ldap/hosts/moon/etc/ipsec.conf index 1d2a68528..25656cbda 100755..100644 --- a/testing/tests/ikev2/crl-ldap/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/crl-ldap/hosts/moon/etc/ipsec.conf @@ -1,10 +1,8 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 strictcrlpolicy=yes cachecrls=yes - plutostart=no ca strongswan cacert=strongswanCert.pem diff --git a/testing/tests/ikev2/crl-ldap/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/crl-ldap/hosts/moon/etc/iptables.rules new file mode 100644 index 000000000..debcc2181 --- /dev/null +++ b/testing/tests/ikev2/crl-ldap/hosts/moon/etc/iptables.rules @@ -0,0 +1,28 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow esp +-A INPUT -i eth0 -p 50 -j ACCEPT +-A OUTPUT -o eth0 -p 50 -j ACCEPT + +# allow IKE +-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow ldap crl fetch from winnetou +-A INPUT -i eth0 -p tcp --sport 389 -s PH_IP_WINNETOU -j ACCEPT +-A OUTPUT -o eth0 -p tcp --dport 389 -d PH_IP_WINNETOU -j ACCEPT + +COMMIT diff --git a/testing/tests/ikev2/crl-ldap/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/crl-ldap/hosts/moon/etc/strongswan.conf index cccd6ae27..d0c3f8c49 100644 --- a/testing/tests/ikev2/crl-ldap/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/crl-ldap/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = ldap aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = ldap aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/crl-ldap/posttest.dat b/testing/tests/ikev2/crl-ldap/posttest.dat index bddd87424..8474bd3aa 100644 --- a/testing/tests/ikev2/crl-ldap/posttest.dat +++ b/testing/tests/ikev2/crl-ldap/posttest.dat @@ -1,7 +1,7 @@ moon::ipsec stop carol::ipsec stop winnetou::/etc/init.d/slapd stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush moon::rm /etc/ipsec.d/crls/* carol::rm /etc/ipsec.d/crls/* diff --git a/testing/tests/ikev2/crl-ldap/pretest.dat b/testing/tests/ikev2/crl-ldap/pretest.dat index 64fa8116b..8ffa9d3ed 100644 --- a/testing/tests/ikev2/crl-ldap/pretest.dat +++ b/testing/tests/ikev2/crl-ldap/pretest.dat @@ -1,6 +1,6 @@ winnetou::/etc/init.d/slapd start -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start carol::sleep 2 diff --git a/testing/tests/ikev2/crl-ldap/test.conf b/testing/tests/ikev2/crl-ldap/test.conf index 2b240d895..892f51cd9 100644 --- a/testing/tests/ikev2/crl-ldap/test.conf +++ b/testing/tests/ikev2/crl-ldap/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="moon carol winnetou" +VIRTHOSTS="moon carol winnetou" # Corresponding block diagram # DIAGRAM="m-c-w.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev2/crl-revoked/evaltest.dat b/testing/tests/ikev2/crl-revoked/evaltest.dat index 62ed8676a..4f3e10ba1 100644 --- a/testing/tests/ikev2/crl-revoked/evaltest.dat +++ b/testing/tests/ikev2/crl-revoked/evaltest.dat @@ -1,4 +1,4 @@ -moon::cat /var/log/daemon.log::certificate was revoked::YES +moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED::NO +carol::ipsec status 2> /dev/null::home.*ESTABLISHED::NO +moon:: cat /var/log/daemon.log::certificate was revoked::YES carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES -moon::ipsec status::rw.*ESTABLISHED::NO -carol::ipsec status::home.*ESTABLISHED::NO diff --git a/testing/tests/ikev2/crl-revoked/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/crl-revoked/hosts/carol/etc/ipsec.conf index cbab29414..95cd144ba 100755..100644 --- a/testing/tests/ikev2/crl-revoked/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/crl-revoked/hosts/carol/etc/ipsec.conf @@ -1,9 +1,7 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 strictcrlpolicy=yes - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/crl-revoked/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/crl-revoked/hosts/carol/etc/strongswan.conf index 88f162098..85d8c191f 100644 --- a/testing/tests/ikev2/crl-revoked/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/crl-revoked/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/crl-revoked/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/crl-revoked/hosts/moon/etc/ipsec.conf index dd50c335b..918d97413 100755..100644 --- a/testing/tests/ikev2/crl-revoked/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/crl-revoked/hosts/moon/etc/ipsec.conf @@ -1,9 +1,7 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 strictcrlpolicy=yes - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/crl-revoked/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/crl-revoked/hosts/moon/etc/strongswan.conf index 88f162098..85d8c191f 100644 --- a/testing/tests/ikev2/crl-revoked/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/crl-revoked/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/crl-revoked/test.conf b/testing/tests/ikev2/crl-revoked/test.conf index 2b240d895..892f51cd9 100644 --- a/testing/tests/ikev2/crl-revoked/test.conf +++ b/testing/tests/ikev2/crl-revoked/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="moon carol winnetou" +VIRTHOSTS="moon carol winnetou" # Corresponding block diagram # DIAGRAM="m-c-w.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev2/crl-to-cache/evaltest.dat b/testing/tests/ikev2/crl-to-cache/evaltest.dat index afc8f67e4..fe6a55aae 100644 --- a/testing/tests/ikev2/crl-to-cache/evaltest.dat +++ b/testing/tests/ikev2/crl-to-cache/evaltest.dat @@ -1,4 +1,4 @@ -moon::ipsec status::rw.*ESTABLISHED::YES -carol::ipsec status::home.*ESTABLISHED::YES -moon::cat /var/log/daemon.log::written crl .*/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl::YES +moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +moon:: cat /var/log/daemon.log::written crl .*/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl::YES carol::cat /var/log/daemon.log::written crl .*/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl::YES diff --git a/testing/tests/ikev2/crl-to-cache/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/crl-to-cache/hosts/carol/etc/ipsec.conf index 4d47c831c..17a58545c 100755..100644 --- a/testing/tests/ikev2/crl-to-cache/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/crl-to-cache/hosts/carol/etc/ipsec.conf @@ -1,10 +1,8 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 strictcrlpolicy=yes cachecrls=yes - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/crl-to-cache/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/crl-to-cache/hosts/carol/etc/strongswan.conf index 88f162098..85d8c191f 100644 --- a/testing/tests/ikev2/crl-to-cache/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/crl-to-cache/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/ipsec.conf index 9488a6822..3314f7538 100755..100644 --- a/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/ipsec.conf @@ -1,10 +1,8 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 strictcrlpolicy=yes cachecrls=yes - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/strongswan.conf index 88f162098..85d8c191f 100644 --- a/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/crl-to-cache/test.conf b/testing/tests/ikev2/crl-to-cache/test.conf index 2b240d895..892f51cd9 100644 --- a/testing/tests/ikev2/crl-to-cache/test.conf +++ b/testing/tests/ikev2/crl-to-cache/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="moon carol winnetou" +VIRTHOSTS="moon carol winnetou" # Corresponding block diagram # DIAGRAM="m-c-w.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev2/default-keys/description.txt b/testing/tests/ikev2/default-keys/description.txt index 639e909da..889f8297a 100644 --- a/testing/tests/ikev2/default-keys/description.txt +++ b/testing/tests/ikev2/default-keys/description.txt @@ -1,8 +1,8 @@ Because of the missing <b>/etc/ipsec.secrets</b> file, roadwarrior <b>carol</b> and gateway <b>moon</b> each automatically generate a PKCS#1 RSA private key -and a self-signed X.509 certificate. Because the UML testing environment does -not offer enough entropy, the non-blocking /dev/urandom device is used in place -of /dev/random for generating the random primes. +and a self-signed X.509 certificate. Because the virtual testing environment +does not offer enough entropy, the non-blocking /dev/urandom device is used in +place of /dev/random for generating the random primes. <p> The self-signed certificates are then distributed to the peers via scp and are used to set up a road warrior connection initiated by <b>carol</b> diff --git a/testing/tests/ikev2/default-keys/evaltest.dat b/testing/tests/ikev2/default-keys/evaltest.dat index 2c1e11c97..4df2d1e11 100644 --- a/testing/tests/ikev2/default-keys/evaltest.dat +++ b/testing/tests/ikev2/default-keys/evaltest.dat @@ -1,7 +1,9 @@ carol::cat /var/log/auth.log::scepclient::YES -moon::cat /var/log/auth.log::scepclient::YES -carol::ipsec statusall::home.*ESTABLISHED::YES -moon::ipsec statusall::carol.*ESTABLISHED::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon:: cat /var/log/auth.log::scepclient::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*CN=carol.*CN=moon::YES +moon:: ipsec status 2> /dev/null::carol.*ESTABLISHED.*CN=moon.*CN=carol::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::carol.*INSTALLED, TUNNEL::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/default-keys/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/default-keys/hosts/carol/etc/ipsec.conf index 9574f18bb..15aba18e5 100755..100644 --- a/testing/tests/ikev2/default-keys/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/default-keys/hosts/carol/etc/ipsec.conf @@ -1,8 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/default-keys/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/default-keys/hosts/carol/etc/strongswan.conf index eabe265ca..5a243caab 100644 --- a/testing/tests/ikev2/default-keys/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/default-keys/hosts/carol/etc/strongswan.conf @@ -1,9 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } scepclient { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce } diff --git a/testing/tests/ikev2/default-keys/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/default-keys/hosts/moon/etc/init.d/iptables deleted file mode 100755 index 5a262c084..000000000 --- a/testing/tests/ikev2/default-keys/hosts/moon/etc/init.d/iptables +++ /dev/null @@ -1,82 +0,0 @@ -#!/sbin/runscript -# Copyright 1999-2004 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 - -opts="start stop reload" - -depend() { - before net - need logger -} - -start() { - ebegin "Starting firewall" - - # enable IP forwarding - echo 1 > /proc/sys/net/ipv4/ip_forward - - # default policy is DROP - /sbin/iptables -P INPUT DROP - /sbin/iptables -P OUTPUT DROP - /sbin/iptables -P FORWARD DROP - - # allow esp - iptables -A INPUT -i eth0 -p 50 -j ACCEPT - iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT - - # allow IKE - iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT - - # allow MobIKE - iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT - - # allow crl fetch from winnetou - iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT - iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT - - # allow ssh - iptables -A INPUT -p tcp --dport 22 -j ACCEPT - iptables -A INPUT -p tcp --sport 22 -j ACCEPT - iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT - iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT - - eend $? -} - -stop() { - ebegin "Stopping firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - - if [ $a == nat ]; then - /sbin/iptables -t nat -P PREROUTING ACCEPT - /sbin/iptables -t nat -P POSTROUTING ACCEPT - /sbin/iptables -t nat -P OUTPUT ACCEPT - elif [ $a == mangle ]; then - /sbin/iptables -t mangle -P PREROUTING ACCEPT - /sbin/iptables -t mangle -P INPUT ACCEPT - /sbin/iptables -t mangle -P FORWARD ACCEPT - /sbin/iptables -t mangle -P OUTPUT ACCEPT - /sbin/iptables -t mangle -P POSTROUTING ACCEPT - elif [ $a == filter ]; then - /sbin/iptables -t filter -P INPUT ACCEPT - /sbin/iptables -t filter -P FORWARD ACCEPT - /sbin/iptables -t filter -P OUTPUT ACCEPT - fi - done - eend $? -} - -reload() { - ebegin "Flushing firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - done; - eend $? - start -} - diff --git a/testing/tests/ikev2/default-keys/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/default-keys/hosts/moon/etc/ipsec.conf index 5b2c4e3f4..278943d28 100755..100644 --- a/testing/tests/ikev2/default-keys/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/default-keys/hosts/moon/etc/ipsec.conf @@ -1,8 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/default-keys/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/default-keys/hosts/moon/etc/iptables.rules new file mode 100644 index 000000000..72a1c17c3 --- /dev/null +++ b/testing/tests/ikev2/default-keys/hosts/moon/etc/iptables.rules @@ -0,0 +1,30 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow esp +-A INPUT -i eth0 -p 50 -j ACCEPT +-A OUTPUT -o eth0 -p 50 -j ACCEPT + +# allow IKE +-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --sport 22 -j ACCEPT +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT +-A OUTPUT -p tcp --dport 22 -j ACCEPT + +# allow crl fetch from winnetou +-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT +-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + +COMMIT diff --git a/testing/tests/ikev2/default-keys/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/default-keys/hosts/moon/etc/strongswan.conf index eabe265ca..5a243caab 100644 --- a/testing/tests/ikev2/default-keys/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/default-keys/hosts/moon/etc/strongswan.conf @@ -1,9 +1,9 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } scepclient { - load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce } diff --git a/testing/tests/ikev2/default-keys/posttest.dat b/testing/tests/ikev2/default-keys/posttest.dat index 8cada5e7e..25f737ecc 100644 --- a/testing/tests/ikev2/default-keys/posttest.dat +++ b/testing/tests/ikev2/default-keys/posttest.dat @@ -1,7 +1,7 @@ moon::ipsec stop carol::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush carol::rm /etc/ipsec.d/private/* carol::rm /etc/ipsec.d/certs/* moon::rm /etc/ipsec.d/private/* diff --git a/testing/tests/ikev2/default-keys/pretest.dat b/testing/tests/ikev2/default-keys/pretest.dat index 88f9a2ca9..ef5f67097 100644 --- a/testing/tests/ikev2/default-keys/pretest.dat +++ b/testing/tests/ikev2/default-keys/pretest.dat @@ -1,5 +1,5 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules carol::rm /etc/ipsec.secrets carol::rm /etc/ipsec.d/private/* carol::rm /etc/ipsec.d/certs/* @@ -10,9 +10,10 @@ moon::rm /etc/ipsec.d/private/* moon::rm /etc/ipsec.d/certs/* moon::rm /etc/ipsec.d/cacerts/* moon::ipsec start -moon::sleep 5 +moon::sleep 5 moon::scp /etc/ipsec.d/certs/selfCert.der carol:/etc/ipsec.d/certs/peerCert.der moon::scp carol:/etc/ipsec.d/certs/selfCert.der /etc/ipsec.d/certs/peerCert.der -moon::ipsec reload -carol::ipsec reload +moon::ipsec reload +carol::ipsec reload +carol::sleep 1 carol::ipsec up home diff --git a/testing/tests/ikev2/default-keys/test.conf b/testing/tests/ikev2/default-keys/test.conf index 0baa48d90..ce84ce41a 100644 --- a/testing/tests/ikev2/default-keys/test.conf +++ b/testing/tests/ikev2/default-keys/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon carol" +VIRTHOSTS="alice moon carol" # Corresponding block diagram # DIAGRAM="a-m-c.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev2/dhcp-dynamic/evaltest.dat b/testing/tests/ikev2/dhcp-dynamic/evaltest.dat index b3814084f..9e536870e 100644 --- a/testing/tests/ikev2/dhcp-dynamic/evaltest.dat +++ b/testing/tests/ikev2/dhcp-dynamic/evaltest.dat @@ -1,21 +1,25 @@ -carol::ipsec status::home.*INSTALLED::YES -alice::ping -c 1 10.1.0.50::64 bytes from 10.1.0.50: icmp_seq=1::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -dave::ipsec status::home.*INSTALLED::YES -alice::ping -c 1 10.1.0.51::64 bytes from 10.1.0.51: icmp_seq=1::YES -dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -moon::ipsec status::rw{.*10.1.0.0/16 === 10.1.0.50/32::YES -moon::ipsec status::rw{.*10.1.0.0/16 === 10.1.0.51/32::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +alice::ping -c 1 10.1.0.50::64 bytes from 10.1.0.50: icmp_req=1::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES +dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +alice::ping -c 1 10.1.0.51::64 bytes from 10.1.0.51: icmp_req=1::YES +dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw[{]1}.*10.1.0.0/16 === 10.1.0.50/32::YES +moon:: ipsec status 2> /dev/null::rw[{]2}.*10.1.0.0/16 === 10.1.0.51/32::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES -alice::tcpdump::arp reply carol3.strongswan.org is-at fe:fd:0a:01:00:01::YES +alice::tcpdump::ARP, Reply carol3.strongswan.org is-at 52:54:00:43:e3:35::YES alice::tcpdump::IP alice.strongswan.org > carol3.strongswan.org: ICMP echo request::YES alice::tcpdump::IP carol3.strongswan.org > alice.strongswan.org: ICMP echo reply::YES alice::tcpdump::IP carol3.strongswan.org > alice.strongswan.org: ICMP echo request::YES alice::tcpdump::IP alice.strongswan.org > carol3.strongswan.org: ICMP echo reply::YES -alice::tcpdump::arp reply dave3.strongswan.org is-at fe:fd:0a:01:00:01::YES +alice::tcpdump::ARP, Reply dave3.strongswan.org is-at 52:54:00:43:e3:35::YES alice::tcpdump::IP alice.strongswan.org > dave3.strongswan.org: ICMP echo request::YES alice::tcpdump::IP dave3.strongswan.org > alice.strongswan.org: ICMP echo reply::YES alice::tcpdump::IP dave3.strongswan.org > alice.strongswan.org: ICMP echo request::YES diff --git a/testing/tests/ikev2/dhcp-dynamic/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/dhcp-dynamic/hosts/carol/etc/ipsec.conf index a19f6cfae..8c6c28bd6 100755..100644 --- a/testing/tests/ikev2/dhcp-dynamic/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/dhcp-dynamic/hosts/carol/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/dhcp-dynamic/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/dhcp-dynamic/hosts/carol/etc/strongswan.conf index cb5f6406b..bd19ffe3d 100644 --- a/testing/tests/ikev2/dhcp-dynamic/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/dhcp-dynamic/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve } diff --git a/testing/tests/ikev2/dhcp-dynamic/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/dhcp-dynamic/hosts/dave/etc/ipsec.conf index 1a89f4e5d..72b8a59c0 100755..100644 --- a/testing/tests/ikev2/dhcp-dynamic/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev2/dhcp-dynamic/hosts/dave/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/dhcp-dynamic/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/dhcp-dynamic/hosts/dave/etc/strongswan.conf index cb5f6406b..bd19ffe3d 100644 --- a/testing/tests/ikev2/dhcp-dynamic/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/dhcp-dynamic/hosts/dave/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve } diff --git a/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/init.d/iptables deleted file mode 100755 index 058bebb2d..000000000 --- a/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/init.d/iptables +++ /dev/null @@ -1,91 +0,0 @@ -#!/sbin/runscript -# Copyright 1999-2004 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 - -opts="start stop reload" - -depend() { - before net - need logger -} - -start() { - ebegin "Starting firewall" - - # enable IP forwarding - echo 1 > /proc/sys/net/ipv4/ip_forward - - # default policy is DROP - /sbin/iptables -P INPUT DROP - /sbin/iptables -P OUTPUT DROP - /sbin/iptables -P FORWARD DROP - - # allow bootpc and bootps - iptables -A OUTPUT -p udp --sport bootpc --dport bootps -j ACCEPT - iptables -A INPUT -p udp --sport bootps --dport bootps -j ACCEPT - - # allow broadcasts from eth1 - iptables -A INPUT -i eth1 -d 10.1.255.255 -j ACCEPT - - # allow esp - iptables -A INPUT -i eth0 -p 50 -j ACCEPT - iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT - - # allow IKE - iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT - - # allow MobIKE - iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT - - # allow crl fetch from winnetou - iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT - iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT - - # allow ssh - iptables -A INPUT -p tcp --dport 22 -j ACCEPT - iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT - - # log dropped packets - iptables -A INPUT -j LOG --log-prefix " IN: " - iptables -A OUTPUT -j LOG --log-prefix " OUT: " - - eend $? -} - -stop() { - ebegin "Stopping firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - - if [ $a == nat ]; then - /sbin/iptables -t nat -P PREROUTING ACCEPT - /sbin/iptables -t nat -P POSTROUTING ACCEPT - /sbin/iptables -t nat -P OUTPUT ACCEPT - elif [ $a == mangle ]; then - /sbin/iptables -t mangle -P PREROUTING ACCEPT - /sbin/iptables -t mangle -P INPUT ACCEPT - /sbin/iptables -t mangle -P FORWARD ACCEPT - /sbin/iptables -t mangle -P OUTPUT ACCEPT - /sbin/iptables -t mangle -P POSTROUTING ACCEPT - elif [ $a == filter ]; then - /sbin/iptables -t filter -P INPUT ACCEPT - /sbin/iptables -t filter -P FORWARD ACCEPT - /sbin/iptables -t filter -P OUTPUT ACCEPT - fi - done - eend $? -} - -reload() { - ebegin "Flushing firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - done; - eend $? - start -} - diff --git a/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/ipsec.conf index 3868a7a38..a774f2a76 100755..100644 --- a/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/iptables.rules new file mode 100644 index 000000000..2d9a466b0 --- /dev/null +++ b/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/iptables.rules @@ -0,0 +1,39 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow bootpc and bootps +-A OUTPUT -p udp --sport bootpc --dport bootps -j ACCEPT +-A INPUT -p udp --sport bootps --dport bootps -j ACCEPT + +# allow broadcasts from eth1 +-A INPUT -i eth1 -d 10.1.255.255 -j ACCEPT + +# allow esp +-A INPUT -i eth0 -p 50 -j ACCEPT +-A OUTPUT -o eth0 -p 50 -j ACCEPT + +# allow IKE +-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow crl fetch from winnetou +-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT +-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + +# log dropped packets +-A INPUT -j LOG --log-prefix " IN: " +-A OUTPUT -j LOG --log-prefix " OUT: " + +COMMIT diff --git a/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/strongswan.conf index 317e4ddc0..609d35754 100644 --- a/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown attr farp dhcp + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown attr farp dhcp plugins { dhcp { server = 10.1.255.255 diff --git a/testing/tests/ikev2/dhcp-dynamic/hosts/venus/etc/dhcpd.conf b/testing/tests/ikev2/dhcp-dynamic/hosts/venus/etc/dhcp/dhcpd.conf index 2176af702..7a178505f 100644 --- a/testing/tests/ikev2/dhcp-dynamic/hosts/venus/etc/dhcpd.conf +++ b/testing/tests/ikev2/dhcp-dynamic/hosts/venus/etc/dhcp/dhcpd.conf @@ -4,11 +4,11 @@ ddns-update-style none; subnet 10.1.0.0 netmask 255.255.0.0 { option domain-name "strongswan.org"; - option domain-name-servers 10.1.0.20; - option netbios-name-servers 10.1.0.10; - option routers 10.1.0.1; + option domain-name-servers PH_IP_VENUS; + option netbios-name-servers PH_IP_ALICE; + option routers PH_IP_MOON1; option broadcast-address 10.1.255.255; - next-server 10.1.0.20; + next-server PH_IP_VENUS; range 10.1.0.50 10.1.0.60; } diff --git a/testing/tests/ikev2/dhcp-dynamic/hosts/venus/etc/dnsmasq.conf b/testing/tests/ikev2/dhcp-dynamic/hosts/venus/etc/dnsmasq.conf index 2d35dfd64..ec8c945a7 100644 --- a/testing/tests/ikev2/dhcp-dynamic/hosts/venus/etc/dnsmasq.conf +++ b/testing/tests/ikev2/dhcp-dynamic/hosts/venus/etc/dnsmasq.conf @@ -1,7 +1,7 @@ interface=eth0 dhcp-range=10.1.0.50,10.1.0.60,255.255.0.0,10.1.255.255 -dhcp-option=option:router,10.1.0.1 -dhcp-option=option:dns-server,10.1.0.20 -dhcp-option=option:netbios-ns,10.1.0.10 +dhcp-option=option:router,PH_IP_MOON1 +dhcp-option=option:dns-server,PH_IP_VENUS +dhcp-option=option:netbios-ns,PH_IP_ALICE dhcp-option=option:domain-name,strongswan.org log-dhcp diff --git a/testing/tests/ikev2/dhcp-dynamic/hosts/venus/etc/init.d/dhcpd b/testing/tests/ikev2/dhcp-dynamic/hosts/venus/etc/init.d/dhcpd deleted file mode 100755 index 4044dcc35..000000000 --- a/testing/tests/ikev2/dhcp-dynamic/hosts/venus/etc/init.d/dhcpd +++ /dev/null @@ -1,24 +0,0 @@ -#!/sbin/runscript -# Copyright 1999-2004 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 - -opts="start stop" - -depend() { - need net - need logger -} - -start() { - ebegin "Starting DHCP server" - start-stop-daemon --start --quiet --exec /usr/sbin/dhcpd - eend $? -} - -stop() { - ebegin "Stopping DHCP server" - start-stop-daemon --stop --quiet --pidfile /var/run/dhcpd.pid - rm -f /var/state/dhcp/dhcpd.leases - touch /var/state/dhcp/dhcpd.leases - eend $? -} diff --git a/testing/tests/ikev2/dhcp-dynamic/posttest.dat b/testing/tests/ikev2/dhcp-dynamic/posttest.dat index 1f5487596..f783127bf 100644 --- a/testing/tests/ikev2/dhcp-dynamic/posttest.dat +++ b/testing/tests/ikev2/dhcp-dynamic/posttest.dat @@ -2,9 +2,9 @@ moon::ipsec stop carol::ipsec stop dave::ipsec stop venus::cat /var/state/dhcp/dhcpd.leases -venus::/etc/init.d/dhcpd stop 2> /dev/null -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null -dave::/etc/init.d/iptables stop 2> /dev/null +venus::/etc/init.d/isc-dhcp-server stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush alice::arp -d 10.1.0.50 alice::arp -d 10.1.0.51 diff --git a/testing/tests/ikev2/dhcp-dynamic/pretest.dat b/testing/tests/ikev2/dhcp-dynamic/pretest.dat index bd36b4fe3..5670a2e89 100644 --- a/testing/tests/ikev2/dhcp-dynamic/pretest.dat +++ b/testing/tests/ikev2/dhcp-dynamic/pretest.dat @@ -1,12 +1,12 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null -dave::/etc/init.d/iptables start 2> /dev/null -venus::cat /etc/dhcpd.conf -venus::/etc/init.d/dhcpd start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules +venus::cat /etc/dhcp/dhcpd.conf +venus::/etc/init.d/isc-dhcp-server start 2> /dev/null carol::ipsec start dave::ipsec start moon::ipsec start -carol::sleep 2 +carol::sleep 2 carol::ipsec up home dave::ipsec up home carol::sleep 1 diff --git a/testing/tests/ikev2/dhcp-dynamic/test.conf b/testing/tests/ikev2/dhcp-dynamic/test.conf index a2ad7b25f..fd8a59c90 100644 --- a/testing/tests/ikev2/dhcp-dynamic/test.conf +++ b/testing/tests/ikev2/dhcp-dynamic/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice venus moon carol winnetou dave" +VIRTHOSTS="alice venus moon carol winnetou dave" # Corresponding block diagram # DIAGRAM="a-v-m-c-w-d.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon alice" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev2/dhcp-static-client-id/evaltest.dat b/testing/tests/ikev2/dhcp-static-client-id/evaltest.dat index 8abd2416a..c95b69a11 100644 --- a/testing/tests/ikev2/dhcp-static-client-id/evaltest.dat +++ b/testing/tests/ikev2/dhcp-static-client-id/evaltest.dat @@ -1,21 +1,25 @@ -carol::ipsec status::home.*INSTALLED::YES -alice::ping -c 1 10.1.0.30::64 bytes from 10.1.0.30: icmp_seq=1::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -dave::ipsec status::home.*INSTALLED::YES -alice::ping -c 1 10.1.0.40::64 bytes from 10.1.0.40: icmp_seq=1::YES -dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -moon::ipsec status::rw{.*10.1.0.0/16 === 10.1.0.30/32::YES -moon::ipsec status::rw{.*10.1.0.0/16 === 10.1.0.40/32::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +alice::ping -c 1 10.1.0.30::64 bytes from 10.1.0.30: icmp_req=1::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES +dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +alice::ping -c 1 10.1.0.40::64 bytes from 10.1.0.40: icmp_req=1::YES +dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw[{]1}.*10.1.0.0/16 === 10.1.0.30/32::YES +moon:: ipsec status 2> /dev/null::rw[{]2}.*10.1.0.0/16 === 10.1.0.40/32::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES -alice::tcpdump::arp reply carol2.strongswan.org is-at fe:fd:0a:01:00:01::YES +alice::tcpdump::ARP, Reply carol2.strongswan.org is-at 52:54:00:43:e3:35::YES alice::tcpdump::IP alice.strongswan.org > carol2.strongswan.org: ICMP echo request::YES alice::tcpdump::IP carol2.strongswan.org > alice.strongswan.org: ICMP echo reply::YES alice::tcpdump::IP carol2.strongswan.org > alice.strongswan.org: ICMP echo request::YES alice::tcpdump::IP alice.strongswan.org > carol2.strongswan.org: ICMP echo reply::YES -alice::tcpdump::arp reply dave2.strongswan.org is-at fe:fd:0a:01:00:01::YES +alice::tcpdump::ARP, Reply dave2.strongswan.org is-at 52:54:00:43:e3:35::YES alice::tcpdump::IP alice.strongswan.org > dave2.strongswan.org: ICMP echo request::YES alice::tcpdump::IP dave2.strongswan.org > alice.strongswan.org: ICMP echo reply::YES alice::tcpdump::IP dave2.strongswan.org > alice.strongswan.org: ICMP echo request::YES diff --git a/testing/tests/ikev2/dhcp-static-client-id/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/dhcp-static-client-id/hosts/carol/etc/ipsec.conf index a19f6cfae..8c6c28bd6 100755..100644 --- a/testing/tests/ikev2/dhcp-static-client-id/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/dhcp-static-client-id/hosts/carol/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/dhcp-static-client-id/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/dhcp-static-client-id/hosts/carol/etc/strongswan.conf index cb5f6406b..bd19ffe3d 100644 --- a/testing/tests/ikev2/dhcp-static-client-id/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/dhcp-static-client-id/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve } diff --git a/testing/tests/ikev2/dhcp-static-client-id/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/dhcp-static-client-id/hosts/dave/etc/ipsec.conf index 1a89f4e5d..72b8a59c0 100755..100644 --- a/testing/tests/ikev2/dhcp-static-client-id/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev2/dhcp-static-client-id/hosts/dave/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/dhcp-static-client-id/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/dhcp-static-client-id/hosts/dave/etc/strongswan.conf index cb5f6406b..bd19ffe3d 100644 --- a/testing/tests/ikev2/dhcp-static-client-id/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/dhcp-static-client-id/hosts/dave/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve } diff --git a/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/init.d/iptables deleted file mode 100755 index 058bebb2d..000000000 --- a/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/init.d/iptables +++ /dev/null @@ -1,91 +0,0 @@ -#!/sbin/runscript -# Copyright 1999-2004 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 - -opts="start stop reload" - -depend() { - before net - need logger -} - -start() { - ebegin "Starting firewall" - - # enable IP forwarding - echo 1 > /proc/sys/net/ipv4/ip_forward - - # default policy is DROP - /sbin/iptables -P INPUT DROP - /sbin/iptables -P OUTPUT DROP - /sbin/iptables -P FORWARD DROP - - # allow bootpc and bootps - iptables -A OUTPUT -p udp --sport bootpc --dport bootps -j ACCEPT - iptables -A INPUT -p udp --sport bootps --dport bootps -j ACCEPT - - # allow broadcasts from eth1 - iptables -A INPUT -i eth1 -d 10.1.255.255 -j ACCEPT - - # allow esp - iptables -A INPUT -i eth0 -p 50 -j ACCEPT - iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT - - # allow IKE - iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT - - # allow MobIKE - iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT - - # allow crl fetch from winnetou - iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT - iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT - - # allow ssh - iptables -A INPUT -p tcp --dport 22 -j ACCEPT - iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT - - # log dropped packets - iptables -A INPUT -j LOG --log-prefix " IN: " - iptables -A OUTPUT -j LOG --log-prefix " OUT: " - - eend $? -} - -stop() { - ebegin "Stopping firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - - if [ $a == nat ]; then - /sbin/iptables -t nat -P PREROUTING ACCEPT - /sbin/iptables -t nat -P POSTROUTING ACCEPT - /sbin/iptables -t nat -P OUTPUT ACCEPT - elif [ $a == mangle ]; then - /sbin/iptables -t mangle -P PREROUTING ACCEPT - /sbin/iptables -t mangle -P INPUT ACCEPT - /sbin/iptables -t mangle -P FORWARD ACCEPT - /sbin/iptables -t mangle -P OUTPUT ACCEPT - /sbin/iptables -t mangle -P POSTROUTING ACCEPT - elif [ $a == filter ]; then - /sbin/iptables -t filter -P INPUT ACCEPT - /sbin/iptables -t filter -P FORWARD ACCEPT - /sbin/iptables -t filter -P OUTPUT ACCEPT - fi - done - eend $? -} - -reload() { - ebegin "Flushing firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - done; - eend $? - start -} - diff --git a/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/ipsec.conf index 3868a7a38..a774f2a76 100755..100644 --- a/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/iptables.rules new file mode 100644 index 000000000..2d9a466b0 --- /dev/null +++ b/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/iptables.rules @@ -0,0 +1,39 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow bootpc and bootps +-A OUTPUT -p udp --sport bootpc --dport bootps -j ACCEPT +-A INPUT -p udp --sport bootps --dport bootps -j ACCEPT + +# allow broadcasts from eth1 +-A INPUT -i eth1 -d 10.1.255.255 -j ACCEPT + +# allow esp +-A INPUT -i eth0 -p 50 -j ACCEPT +-A OUTPUT -o eth0 -p 50 -j ACCEPT + +# allow IKE +-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow crl fetch from winnetou +-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT +-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + +# log dropped packets +-A INPUT -j LOG --log-prefix " IN: " +-A OUTPUT -j LOG --log-prefix " OUT: " + +COMMIT diff --git a/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/strongswan.conf index 317e4ddc0..609d35754 100644 --- a/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown attr farp dhcp + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown attr farp dhcp plugins { dhcp { server = 10.1.255.255 diff --git a/testing/tests/ikev2/dhcp-static-client-id/hosts/venus/etc/dhcpd.conf b/testing/tests/ikev2/dhcp-static-client-id/hosts/venus/etc/dhcp/dhcpd.conf index 44ee681b6..334ea30e2 100644 --- a/testing/tests/ikev2/dhcp-static-client-id/hosts/venus/etc/dhcpd.conf +++ b/testing/tests/ikev2/dhcp-static-client-id/hosts/venus/etc/dhcp/dhcpd.conf @@ -4,11 +4,11 @@ ddns-update-style none; subnet 10.1.0.0 netmask 255.255.0.0 { option domain-name "strongswan.org"; - option domain-name-servers 10.1.0.20; - option netbios-name-servers 10.1.0.10; - option routers 10.1.0.1; + option domain-name-servers PH_IP_VENUS; + option netbios-name-servers PH_IP_ALICE; + option routers PH_IP_MOON1; option broadcast-address 10.1.255.255; - next-server 10.1.0.20; + next-server PH_IP_VENUS; range 10.1.0.50 10.1.0.60; } @@ -22,4 +22,3 @@ host dave { option dhcp-client-identifier "dave@strongswan.org"; fixed-address 10.1.0.40; } - diff --git a/testing/tests/ikev2/dhcp-static-client-id/hosts/venus/etc/dnsmasq.conf b/testing/tests/ikev2/dhcp-static-client-id/hosts/venus/etc/dnsmasq.conf index 5672236a0..aca225955 100644 --- a/testing/tests/ikev2/dhcp-static-client-id/hosts/venus/etc/dnsmasq.conf +++ b/testing/tests/ikev2/dhcp-static-client-id/hosts/venus/etc/dnsmasq.conf @@ -2,8 +2,8 @@ interface=eth0 dhcp-range=10.1.0.50,10.1.0.60,255.255.0.0,10.1.255.255 dhcp-host=id:carol@strongswan.org,10.1.0.30 dhcp-host=id:dave@strongswan.org,10.1.0.40 -dhcp-option=option:router,10.1.0.1 -dhcp-option=option:dns-server,10.1.0.20 -dhcp-option=option:netbios-ns,10.1.0.10 +dhcp-option=option:router,PH_IP_MOON1 +dhcp-option=option:dns-server,PH_IP_VENUS +dhcp-option=option:netbios-ns,PH_IP_ALICE dhcp-option=option:domain-name,strongswan.org log-dhcp diff --git a/testing/tests/ikev2/dhcp-static-client-id/hosts/venus/etc/init.d/dhcpd b/testing/tests/ikev2/dhcp-static-client-id/hosts/venus/etc/init.d/dhcpd deleted file mode 100755 index 4044dcc35..000000000 --- a/testing/tests/ikev2/dhcp-static-client-id/hosts/venus/etc/init.d/dhcpd +++ /dev/null @@ -1,24 +0,0 @@ -#!/sbin/runscript -# Copyright 1999-2004 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 - -opts="start stop" - -depend() { - need net - need logger -} - -start() { - ebegin "Starting DHCP server" - start-stop-daemon --start --quiet --exec /usr/sbin/dhcpd - eend $? -} - -stop() { - ebegin "Stopping DHCP server" - start-stop-daemon --stop --quiet --pidfile /var/run/dhcpd.pid - rm -f /var/state/dhcp/dhcpd.leases - touch /var/state/dhcp/dhcpd.leases - eend $? -} diff --git a/testing/tests/ikev2/dhcp-static-client-id/posttest.dat b/testing/tests/ikev2/dhcp-static-client-id/posttest.dat index e1aadc618..7fff9981b 100644 --- a/testing/tests/ikev2/dhcp-static-client-id/posttest.dat +++ b/testing/tests/ikev2/dhcp-static-client-id/posttest.dat @@ -1,9 +1,9 @@ moon::ipsec stop carol::ipsec stop dave::ipsec stop -venus::/etc/init.d/dhcpd stop 2> /dev/null -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null -dave::/etc/init.d/iptables stop 2> /dev/null +venus::/etc/init.d/isc-dhcp-server stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush alice::arp -d 10.1.0.30 alice::arp -d 10.1.0.40 diff --git a/testing/tests/ikev2/dhcp-static-client-id/pretest.dat b/testing/tests/ikev2/dhcp-static-client-id/pretest.dat index bd36b4fe3..5670a2e89 100644 --- a/testing/tests/ikev2/dhcp-static-client-id/pretest.dat +++ b/testing/tests/ikev2/dhcp-static-client-id/pretest.dat @@ -1,12 +1,12 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null -dave::/etc/init.d/iptables start 2> /dev/null -venus::cat /etc/dhcpd.conf -venus::/etc/init.d/dhcpd start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules +venus::cat /etc/dhcp/dhcpd.conf +venus::/etc/init.d/isc-dhcp-server start 2> /dev/null carol::ipsec start dave::ipsec start moon::ipsec start -carol::sleep 2 +carol::sleep 2 carol::ipsec up home dave::ipsec up home carol::sleep 1 diff --git a/testing/tests/ikev2/dhcp-static-client-id/test.conf b/testing/tests/ikev2/dhcp-static-client-id/test.conf index a2ad7b25f..fd8a59c90 100644 --- a/testing/tests/ikev2/dhcp-static-client-id/test.conf +++ b/testing/tests/ikev2/dhcp-static-client-id/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice venus moon carol winnetou dave" +VIRTHOSTS="alice venus moon carol winnetou dave" # Corresponding block diagram # DIAGRAM="a-v-m-c-w-d.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon alice" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev2/dhcp-static-mac/evaltest.dat b/testing/tests/ikev2/dhcp-static-mac/evaltest.dat index 8abd2416a..c95b69a11 100644 --- a/testing/tests/ikev2/dhcp-static-mac/evaltest.dat +++ b/testing/tests/ikev2/dhcp-static-mac/evaltest.dat @@ -1,21 +1,25 @@ -carol::ipsec status::home.*INSTALLED::YES -alice::ping -c 1 10.1.0.30::64 bytes from 10.1.0.30: icmp_seq=1::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -dave::ipsec status::home.*INSTALLED::YES -alice::ping -c 1 10.1.0.40::64 bytes from 10.1.0.40: icmp_seq=1::YES -dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -moon::ipsec status::rw{.*10.1.0.0/16 === 10.1.0.30/32::YES -moon::ipsec status::rw{.*10.1.0.0/16 === 10.1.0.40/32::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +alice::ping -c 1 10.1.0.30::64 bytes from 10.1.0.30: icmp_req=1::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES +dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +alice::ping -c 1 10.1.0.40::64 bytes from 10.1.0.40: icmp_req=1::YES +dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw[{]1}.*10.1.0.0/16 === 10.1.0.30/32::YES +moon:: ipsec status 2> /dev/null::rw[{]2}.*10.1.0.0/16 === 10.1.0.40/32::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES -alice::tcpdump::arp reply carol2.strongswan.org is-at fe:fd:0a:01:00:01::YES +alice::tcpdump::ARP, Reply carol2.strongswan.org is-at 52:54:00:43:e3:35::YES alice::tcpdump::IP alice.strongswan.org > carol2.strongswan.org: ICMP echo request::YES alice::tcpdump::IP carol2.strongswan.org > alice.strongswan.org: ICMP echo reply::YES alice::tcpdump::IP carol2.strongswan.org > alice.strongswan.org: ICMP echo request::YES alice::tcpdump::IP alice.strongswan.org > carol2.strongswan.org: ICMP echo reply::YES -alice::tcpdump::arp reply dave2.strongswan.org is-at fe:fd:0a:01:00:01::YES +alice::tcpdump::ARP, Reply dave2.strongswan.org is-at 52:54:00:43:e3:35::YES alice::tcpdump::IP alice.strongswan.org > dave2.strongswan.org: ICMP echo request::YES alice::tcpdump::IP dave2.strongswan.org > alice.strongswan.org: ICMP echo reply::YES alice::tcpdump::IP dave2.strongswan.org > alice.strongswan.org: ICMP echo request::YES diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/dhcp-static-mac/hosts/carol/etc/ipsec.conf index a19f6cfae..8c6c28bd6 100755..100644 --- a/testing/tests/ikev2/dhcp-static-mac/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/dhcp-static-mac/hosts/carol/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/dhcp-static-mac/hosts/carol/etc/strongswan.conf index cb5f6406b..bd19ffe3d 100644 --- a/testing/tests/ikev2/dhcp-static-mac/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/dhcp-static-mac/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve } diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/dhcp-static-mac/hosts/dave/etc/ipsec.conf index 1a89f4e5d..72b8a59c0 100755..100644 --- a/testing/tests/ikev2/dhcp-static-mac/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev2/dhcp-static-mac/hosts/dave/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/dhcp-static-mac/hosts/dave/etc/strongswan.conf index cb5f6406b..bd19ffe3d 100644 --- a/testing/tests/ikev2/dhcp-static-mac/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/dhcp-static-mac/hosts/dave/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve } diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/init.d/iptables deleted file mode 100755 index 058bebb2d..000000000 --- a/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/init.d/iptables +++ /dev/null @@ -1,91 +0,0 @@ -#!/sbin/runscript -# Copyright 1999-2004 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 - -opts="start stop reload" - -depend() { - before net - need logger -} - -start() { - ebegin "Starting firewall" - - # enable IP forwarding - echo 1 > /proc/sys/net/ipv4/ip_forward - - # default policy is DROP - /sbin/iptables -P INPUT DROP - /sbin/iptables -P OUTPUT DROP - /sbin/iptables -P FORWARD DROP - - # allow bootpc and bootps - iptables -A OUTPUT -p udp --sport bootpc --dport bootps -j ACCEPT - iptables -A INPUT -p udp --sport bootps --dport bootps -j ACCEPT - - # allow broadcasts from eth1 - iptables -A INPUT -i eth1 -d 10.1.255.255 -j ACCEPT - - # allow esp - iptables -A INPUT -i eth0 -p 50 -j ACCEPT - iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT - - # allow IKE - iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT - - # allow MobIKE - iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT - - # allow crl fetch from winnetou - iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT - iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT - - # allow ssh - iptables -A INPUT -p tcp --dport 22 -j ACCEPT - iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT - - # log dropped packets - iptables -A INPUT -j LOG --log-prefix " IN: " - iptables -A OUTPUT -j LOG --log-prefix " OUT: " - - eend $? -} - -stop() { - ebegin "Stopping firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - - if [ $a == nat ]; then - /sbin/iptables -t nat -P PREROUTING ACCEPT - /sbin/iptables -t nat -P POSTROUTING ACCEPT - /sbin/iptables -t nat -P OUTPUT ACCEPT - elif [ $a == mangle ]; then - /sbin/iptables -t mangle -P PREROUTING ACCEPT - /sbin/iptables -t mangle -P INPUT ACCEPT - /sbin/iptables -t mangle -P FORWARD ACCEPT - /sbin/iptables -t mangle -P OUTPUT ACCEPT - /sbin/iptables -t mangle -P POSTROUTING ACCEPT - elif [ $a == filter ]; then - /sbin/iptables -t filter -P INPUT ACCEPT - /sbin/iptables -t filter -P FORWARD ACCEPT - /sbin/iptables -t filter -P OUTPUT ACCEPT - fi - done - eend $? -} - -reload() { - ebegin "Flushing firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - done; - eend $? - start -} - diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/ipsec.conf index 3868a7a38..a774f2a76 100755..100644 --- a/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/iptables.rules new file mode 100644 index 000000000..2d9a466b0 --- /dev/null +++ b/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/iptables.rules @@ -0,0 +1,39 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow bootpc and bootps +-A OUTPUT -p udp --sport bootpc --dport bootps -j ACCEPT +-A INPUT -p udp --sport bootps --dport bootps -j ACCEPT + +# allow broadcasts from eth1 +-A INPUT -i eth1 -d 10.1.255.255 -j ACCEPT + +# allow esp +-A INPUT -i eth0 -p 50 -j ACCEPT +-A OUTPUT -o eth0 -p 50 -j ACCEPT + +# allow IKE +-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow crl fetch from winnetou +-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT +-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + +# log dropped packets +-A INPUT -j LOG --log-prefix " IN: " +-A OUTPUT -j LOG --log-prefix " OUT: " + +COMMIT diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/strongswan.conf index ecfc51d44..75c605f60 100644 --- a/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown attr farp dhcp + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown attr farp dhcp plugins { dhcp { server = 10.1.255.255 diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/dhcpd.conf b/testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/dhcp/dhcpd.conf index 20666f701..97c5efac6 100644 --- a/testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/dhcpd.conf +++ b/testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/dhcp/dhcpd.conf @@ -4,22 +4,21 @@ ddns-update-style none; subnet 10.1.0.0 netmask 255.255.0.0 { option domain-name "strongswan.org"; - option domain-name-servers 10.1.0.20; - option netbios-name-servers 10.1.0.10; - option routers 10.1.0.1; + option domain-name-servers PH_IP_VENUS; + option netbios-name-servers PH_IP_ALICE; + option routers PH_IP_MOON1; option broadcast-address 10.1.255.255; - next-server 10.1.0.20; + next-server PH_IP_VENUS; range 10.1.0.50 10.1.0.60; } host carol { - hardware ethernet 7a:a7:8f:fc:db:3b; + hardware ethernet 7a:a7:51:cc:22:4a; fixed-address 10.1.0.30; } host dave { - hardware ethernet 7a:a7:35:78:bc:85; + hardware ethernet 7a:a7:93:70:2b:21; fixed-address 10.1.0.40; } - diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/dnsmasq.conf b/testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/dnsmasq.conf index e3729081f..ed28c69ac 100644 --- a/testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/dnsmasq.conf +++ b/testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/dnsmasq.conf @@ -1,9 +1,9 @@ interface=eth0 dhcp-range=10.1.0.50,10.1.0.60,255.255.0.0,10.1.255.255 -dhcp-host=7a:a7:8f:fc:db:3b,10.1.0.30 -dhcp-host=7a:a7:35:78:bc:85,10.1.0.40 -dhcp-option=option:router,10.1.0.1 -dhcp-option=option:dns-server,10.1.0.20 -dhcp-option=option:netbios-ns,10.1.0.10 +dhcp-host=7a:a7:51:cc:22:4a,10.1.0.30 +dhcp-host=7a:a7:93:70:2b:21,10.1.0.40 +dhcp-option=option:router,PH_IP_MOON1 +dhcp-option=option:dns-server,PH_IP_VENUS +dhcp-option=option:netbios-ns,PH_IP_ALICE dhcp-option=option:domain-name,strongswan.org log-dhcp diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/init.d/dhcpd b/testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/init.d/dhcpd deleted file mode 100755 index 4044dcc35..000000000 --- a/testing/tests/ikev2/dhcp-static-mac/hosts/venus/etc/init.d/dhcpd +++ /dev/null @@ -1,24 +0,0 @@ -#!/sbin/runscript -# Copyright 1999-2004 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 - -opts="start stop" - -depend() { - need net - need logger -} - -start() { - ebegin "Starting DHCP server" - start-stop-daemon --start --quiet --exec /usr/sbin/dhcpd - eend $? -} - -stop() { - ebegin "Stopping DHCP server" - start-stop-daemon --stop --quiet --pidfile /var/run/dhcpd.pid - rm -f /var/state/dhcp/dhcpd.leases - touch /var/state/dhcp/dhcpd.leases - eend $? -} diff --git a/testing/tests/ikev2/dhcp-static-mac/posttest.dat b/testing/tests/ikev2/dhcp-static-mac/posttest.dat index e1aadc618..7fff9981b 100644 --- a/testing/tests/ikev2/dhcp-static-mac/posttest.dat +++ b/testing/tests/ikev2/dhcp-static-mac/posttest.dat @@ -1,9 +1,9 @@ moon::ipsec stop carol::ipsec stop dave::ipsec stop -venus::/etc/init.d/dhcpd stop 2> /dev/null -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null -dave::/etc/init.d/iptables stop 2> /dev/null +venus::/etc/init.d/isc-dhcp-server stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush alice::arp -d 10.1.0.30 alice::arp -d 10.1.0.40 diff --git a/testing/tests/ikev2/dhcp-static-mac/pretest.dat b/testing/tests/ikev2/dhcp-static-mac/pretest.dat index bd36b4fe3..5670a2e89 100644 --- a/testing/tests/ikev2/dhcp-static-mac/pretest.dat +++ b/testing/tests/ikev2/dhcp-static-mac/pretest.dat @@ -1,12 +1,12 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null -dave::/etc/init.d/iptables start 2> /dev/null -venus::cat /etc/dhcpd.conf -venus::/etc/init.d/dhcpd start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules +venus::cat /etc/dhcp/dhcpd.conf +venus::/etc/init.d/isc-dhcp-server start 2> /dev/null carol::ipsec start dave::ipsec start moon::ipsec start -carol::sleep 2 +carol::sleep 2 carol::ipsec up home dave::ipsec up home carol::sleep 1 diff --git a/testing/tests/ikev2/dhcp-static-mac/test.conf b/testing/tests/ikev2/dhcp-static-mac/test.conf index a2ad7b25f..fd8a59c90 100644 --- a/testing/tests/ikev2/dhcp-static-mac/test.conf +++ b/testing/tests/ikev2/dhcp-static-mac/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice venus moon carol winnetou dave" +VIRTHOSTS="alice venus moon carol winnetou dave" # Corresponding block diagram # DIAGRAM="a-v-m-c-w-d.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon alice" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev2/double-nat-net/evaltest.dat b/testing/tests/ikev2/double-nat-net/evaltest.dat index aa69dabfa..52c561964 100644 --- a/testing/tests/ikev2/double-nat-net/evaltest.dat +++ b/testing/tests/ikev2/double-nat-net/evaltest.dat @@ -1,5 +1,7 @@ -alice::ipsec statusall::nat-t.*INSTALLED::YES -bob::ipsec statusall::nat-t.*INSTALLED::YES -alice::ping -c 1 PH_IP_SUN1::64 bytes from PH_IP_SUN1: icmp_seq=1::YES -moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP::YES -moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP::YES +alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*bob@strongswan.org::YES +bob:: ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*bob@strongswan.org.*alice@strongswan.org::YES +alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES +bob:: ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES +alice::ping -c 1 PH_IP_SUN1::64 bytes from PH_IP_SUN1: icmp_req=1::YES +moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.4500: UDP::YES +moon::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.*: UDP::YES diff --git a/testing/tests/ikev2/double-nat-net/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/double-nat-net/hosts/alice/etc/ipsec.conf index c8aa460cf..38629d12a 100755..100644 --- a/testing/tests/ikev2/double-nat-net/hosts/alice/etc/ipsec.conf +++ b/testing/tests/ikev2/double-nat-net/hosts/alice/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/double-nat-net/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/double-nat-net/hosts/alice/etc/strongswan.conf index 339b56987..dc937641c 100644 --- a/testing/tests/ikev2/double-nat-net/hosts/alice/etc/strongswan.conf +++ b/testing/tests/ikev2/double-nat-net/hosts/alice/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/double-nat-net/hosts/bob/etc/ipsec.conf b/testing/tests/ikev2/double-nat-net/hosts/bob/etc/ipsec.conf index f0c5b6f15..1c4a80769 100755..100644 --- a/testing/tests/ikev2/double-nat-net/hosts/bob/etc/ipsec.conf +++ b/testing/tests/ikev2/double-nat-net/hosts/bob/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/double-nat-net/hosts/bob/etc/iptables.rules b/testing/tests/ikev2/double-nat-net/hosts/bob/etc/iptables.rules new file mode 100644 index 000000000..ae8f9a61e --- /dev/null +++ b/testing/tests/ikev2/double-nat-net/hosts/bob/etc/iptables.rules @@ -0,0 +1,24 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow IKE +-A INPUT -i eth0 -p udp --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow crl fetch from winnetou +-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT +-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + +COMMIT diff --git a/testing/tests/ikev2/double-nat-net/hosts/bob/etc/strongswan.conf b/testing/tests/ikev2/double-nat-net/hosts/bob/etc/strongswan.conf index 339b56987..dc937641c 100644 --- a/testing/tests/ikev2/double-nat-net/hosts/bob/etc/strongswan.conf +++ b/testing/tests/ikev2/double-nat-net/hosts/bob/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/double-nat-net/posttest.dat b/testing/tests/ikev2/double-nat-net/posttest.dat index 484297418..63d4f98e7 100644 --- a/testing/tests/ikev2/double-nat-net/posttest.dat +++ b/testing/tests/ikev2/double-nat-net/posttest.dat @@ -1,7 +1,7 @@ bob::ipsec stop alice::ipsec stop -alice::/etc/init.d/iptables stop 2> /dev/null -bob::/etc/init.d/iptables stop 2> /dev/null +alice::iptables-restore < /etc/iptables.flush +bob::iptables-restore < /etc/iptables.flush moon::iptables -t nat -F sun::iptables -t nat -F moon::conntrack -F diff --git a/testing/tests/ikev2/double-nat-net/pretest.dat b/testing/tests/ikev2/double-nat-net/pretest.dat index 41b69aed6..17a4fe5eb 100644 --- a/testing/tests/ikev2/double-nat-net/pretest.dat +++ b/testing/tests/ikev2/double-nat-net/pretest.dat @@ -1,8 +1,5 @@ -alice::/etc/init.d/iptables start 2> /dev/null -bob::/etc/init.d/iptables start 2> /dev/null -bob::echo 1 > /proc/sys/net/ipv4/ip_forward -moon::echo 1 > /proc/sys/net/ipv4/ip_forward -sun::echo 1 > /proc/sys/net/ipv4/ip_forward +alice::iptables-restore < /etc/iptables.rules +bob::iptables-restore < /etc/iptables.rules moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100 sun::iptables -t nat -A POSTROUTING -o eth0 -s 10.2.0.0/16 -p tcp -j SNAT --to-source PH_IP_SUN:2000-2100 diff --git a/testing/tests/ikev2/double-nat-net/test.conf b/testing/tests/ikev2/double-nat-net/test.conf index 1ca2ffe5a..d2e31d257 100644 --- a/testing/tests/ikev2/double-nat-net/test.conf +++ b/testing/tests/ikev2/double-nat-net/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon winnetou sun bob" +VIRTHOSTS="alice moon winnetou sun bob" # Corresponding block diagram # DIAGRAM="a-m-w-s-b.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="alice bob" diff --git a/testing/tests/ikev2/double-nat/evaltest.dat b/testing/tests/ikev2/double-nat/evaltest.dat index 77deea2a7..9ddad2de5 100644 --- a/testing/tests/ikev2/double-nat/evaltest.dat +++ b/testing/tests/ikev2/double-nat/evaltest.dat @@ -1,5 +1,7 @@ -alice::ipsec statusall::nat-t.*INSTALLED::YES -bob::ipsec statusall::nat-t.*INSTALLED::YES -alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES -moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP::YES -moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP::YES +alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*bob@strongswan.org::YES +bob:: ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*bob@strongswan.org.*alice@strongswan.org::YES +alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES +bob:: ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES +moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.4500: UDP::YES +moon::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.*: UDP::YES diff --git a/testing/tests/ikev2/double-nat/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/double-nat/hosts/alice/etc/ipsec.conf index 26830f390..fe5b5f299 100755..100644 --- a/testing/tests/ikev2/double-nat/hosts/alice/etc/ipsec.conf +++ b/testing/tests/ikev2/double-nat/hosts/alice/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/double-nat/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/double-nat/hosts/alice/etc/strongswan.conf index 339b56987..dc937641c 100644 --- a/testing/tests/ikev2/double-nat/hosts/alice/etc/strongswan.conf +++ b/testing/tests/ikev2/double-nat/hosts/alice/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/double-nat/hosts/bob/etc/ipsec.conf b/testing/tests/ikev2/double-nat/hosts/bob/etc/ipsec.conf index b4a24cb1f..1004ee971 100755..100644 --- a/testing/tests/ikev2/double-nat/hosts/bob/etc/ipsec.conf +++ b/testing/tests/ikev2/double-nat/hosts/bob/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/double-nat/hosts/bob/etc/iptables.rules b/testing/tests/ikev2/double-nat/hosts/bob/etc/iptables.rules new file mode 100644 index 000000000..ae8f9a61e --- /dev/null +++ b/testing/tests/ikev2/double-nat/hosts/bob/etc/iptables.rules @@ -0,0 +1,24 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow IKE +-A INPUT -i eth0 -p udp --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow crl fetch from winnetou +-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT +-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + +COMMIT diff --git a/testing/tests/ikev2/double-nat/hosts/bob/etc/strongswan.conf b/testing/tests/ikev2/double-nat/hosts/bob/etc/strongswan.conf index 339b56987..dc937641c 100644 --- a/testing/tests/ikev2/double-nat/hosts/bob/etc/strongswan.conf +++ b/testing/tests/ikev2/double-nat/hosts/bob/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/double-nat/posttest.dat b/testing/tests/ikev2/double-nat/posttest.dat index 5d39e406d..aa806bfc9 100644 --- a/testing/tests/ikev2/double-nat/posttest.dat +++ b/testing/tests/ikev2/double-nat/posttest.dat @@ -1,7 +1,7 @@ bob::ipsec stop alice::ipsec stop -alice::/etc/init.d/iptables stop 2> /dev/null -bob::/etc/init.d/iptables stop 2> /dev/null +alice::iptables-restore < /etc/iptables.flush +bob::iptables-restore < /etc/iptables.flush moon::iptables -t nat -F sun::iptables -t nat -F moon::conntrack -F diff --git a/testing/tests/ikev2/double-nat/pretest.dat b/testing/tests/ikev2/double-nat/pretest.dat index 10ba6d735..65f18b756 100644 --- a/testing/tests/ikev2/double-nat/pretest.dat +++ b/testing/tests/ikev2/double-nat/pretest.dat @@ -1,7 +1,5 @@ -alice::/etc/init.d/iptables start 2> /dev/null -bob::/etc/init.d/iptables start 2> /dev/null -moon::echo 1 > /proc/sys/net/ipv4/ip_forward -sun::echo 1 > /proc/sys/net/ipv4/ip_forward +alice::iptables-restore < /etc/iptables.rules +bob::iptables-restore < /etc/iptables.rules moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100 sun::iptables -t nat -A POSTROUTING -o eth0 -s 10.2.0.0/16 -p tcp -j SNAT --to-source PH_IP_SUN:2000-2100 diff --git a/testing/tests/ikev2/double-nat/test.conf b/testing/tests/ikev2/double-nat/test.conf index 1ca2ffe5a..d2e31d257 100644 --- a/testing/tests/ikev2/double-nat/test.conf +++ b/testing/tests/ikev2/double-nat/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon winnetou sun bob" +VIRTHOSTS="alice moon winnetou sun bob" # Corresponding block diagram # DIAGRAM="a-m-w-s-b.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="alice bob" diff --git a/testing/tests/ikev2/dpd-clear/evaltest.dat b/testing/tests/ikev2/dpd-clear/evaltest.dat index 86c0227bd..c1a271903 100644 --- a/testing/tests/ikev2/dpd-clear/evaltest.dat +++ b/testing/tests/ikev2/dpd-clear/evaltest.dat @@ -1,6 +1,8 @@ -carol::ipsec statusall::home.*INSTALLED::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES carol::iptables -A INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO -moon::sleep 180::no output expected::NO -moon::cat /var/log/daemon.log::sending DPD request::YES -moon::cat /var/log/daemon.log::retransmit.*of request::YES -moon::cat /var/log/daemon.log::giving up after 5 retransmits::YES +moon:: sleep 180::no output expected::NO +moon:: cat /var/log/daemon.log::sending DPD request::YES +moon:: cat /var/log/daemon.log::retransmit.*of request::YES +moon:: cat /var/log/daemon.log::giving up after 5 retransmits::YES +moon:: ipsec status 2> /dev/null::rw.*INSTALLED::NO diff --git a/testing/tests/ikev2/dpd-clear/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/dpd-clear/hosts/carol/etc/ipsec.conf index bcdb8641b..e72f78742 100755..100644 --- a/testing/tests/ikev2/dpd-clear/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/dpd-clear/hosts/carol/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/dpd-clear/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/dpd-clear/hosts/carol/etc/strongswan.conf index 339b56987..dc937641c 100644 --- a/testing/tests/ikev2/dpd-clear/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/dpd-clear/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/dpd-clear/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/dpd-clear/hosts/moon/etc/ipsec.conf index cdb40d72d..75b377f5f 100755..100644 --- a/testing/tests/ikev2/dpd-clear/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/dpd-clear/hosts/moon/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/dpd-clear/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/dpd-clear/hosts/moon/etc/strongswan.conf index 88f162098..85d8c191f 100644 --- a/testing/tests/ikev2/dpd-clear/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/dpd-clear/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/dpd-clear/test.conf b/testing/tests/ikev2/dpd-clear/test.conf index 2b240d895..892f51cd9 100644 --- a/testing/tests/ikev2/dpd-clear/test.conf +++ b/testing/tests/ikev2/dpd-clear/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="moon carol winnetou" +VIRTHOSTS="moon carol winnetou" # Corresponding block diagram # DIAGRAM="m-c-w.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev2/dpd-hold/evaltest.dat b/testing/tests/ikev2/dpd-hold/evaltest.dat index 2cf063762..4c035a6e9 100644 --- a/testing/tests/ikev2/dpd-hold/evaltest.dat +++ b/testing/tests/ikev2/dpd-hold/evaltest.dat @@ -1,14 +1,14 @@ -carol::ipsec statusall::home.*INSTALLED::YES -moon::ipsec statusall::rw.*INSTALLED::YES -moon::iptables -A INPUT -i eth0 -s PH_IP_CAROL -j DROP::no output expected::NO +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES +moon:: iptables -A INPUT -i eth0 -s PH_IP_CAROL -j DROP::no output expected::NO carol::iptables -A INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO carol::sleep 180::no output expected::NO carol::cat /var/log/daemon.log::sending DPD request::YES carol::cat /var/log/daemon.log::retransmit.*of request::YES carol::cat /var/log/daemon.log::giving up after 5 retransmits::YES carol::iptables -D INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO -moon::iptables -D INPUT -i eth0 -s PH_IP_CAROL -j DROP::no output expected::NO +moon:: iptables -D INPUT -i eth0 -s PH_IP_CAROL -j DROP::no output expected::NO carol::ping -c 1 PH_IP_ALICE::trigger route::NO carol::sleep 2::no output expected::NO -carol::ipsec statusall::home.*INSTALLED::YES -moon::ipsec statusall::rw.*INSTALLED::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES diff --git a/testing/tests/ikev2/dpd-hold/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/dpd-hold/hosts/carol/etc/ipsec.conf index bfc8ac34c..aa1a05169 100755..100644 --- a/testing/tests/ikev2/dpd-hold/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/dpd-hold/hosts/carol/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/dpd-hold/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/dpd-hold/hosts/carol/etc/strongswan.conf index 339b56987..dc937641c 100644 --- a/testing/tests/ikev2/dpd-hold/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/dpd-hold/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/dpd-hold/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/dpd-hold/hosts/moon/etc/ipsec.conf index cdb40d72d..75b377f5f 100755..100644 --- a/testing/tests/ikev2/dpd-hold/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/dpd-hold/hosts/moon/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/dpd-hold/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/dpd-hold/hosts/moon/etc/strongswan.conf index 88f162098..85d8c191f 100644 --- a/testing/tests/ikev2/dpd-hold/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/dpd-hold/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/dpd-hold/test.conf b/testing/tests/ikev2/dpd-hold/test.conf index 5442565f8..f8b62b953 100644 --- a/testing/tests/ikev2/dpd-hold/test.conf +++ b/testing/tests/ikev2/dpd-hold/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon carol winnetou" +VIRTHOSTS="alice moon carol winnetou" # Corresponding block diagram # DIAGRAM="a-m-c-w.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev2/dpd-restart/evaltest.dat b/testing/tests/ikev2/dpd-restart/evaltest.dat index 28edd4823..962bd0636 100644 --- a/testing/tests/ikev2/dpd-restart/evaltest.dat +++ b/testing/tests/ikev2/dpd-restart/evaltest.dat @@ -1,13 +1,13 @@ -carol::ipsec statusall::home.*INSTALLED::YES -moon::ipsec statusall::rw.*INSTALLED::YES -moon::iptables -A INPUT -i eth0 -s PH_IP_CAROL -j DROP::no output expected::NO +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES +moon:: iptables -A INPUT -i eth0 -s PH_IP_CAROL -j DROP::no output expected::NO carol::iptables -A INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO carol::sleep 180::no output expected::NO carol::cat /var/log/daemon.log::sending DPD request::YES carol::cat /var/log/daemon.log::retransmit.*of request::YES carol::cat /var/log/daemon.log::giving up after 5 retransmits::YES carol::iptables -D INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO -moon::iptables -D INPUT -i eth0 -s PH_IP_CAROL -j DROP::no output expected::NO +moon:: iptables -D INPUT -i eth0 -s PH_IP_CAROL -j DROP::no output expected::NO carol::sleep 10::no output expected::NO -carol::ipsec statusall::home.*INSTALLED::YES -moon::ipsec statusall::rw.*INSTALLED::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES diff --git a/testing/tests/ikev2/dpd-restart/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/dpd-restart/hosts/carol/etc/ipsec.conf index 631eac9b6..dfc77a43a 100755..100644 --- a/testing/tests/ikev2/dpd-restart/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/dpd-restart/hosts/carol/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/dpd-restart/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/dpd-restart/hosts/carol/etc/strongswan.conf index 339b56987..dc937641c 100644 --- a/testing/tests/ikev2/dpd-restart/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/dpd-restart/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/dpd-restart/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/dpd-restart/hosts/moon/etc/ipsec.conf index cdb40d72d..75b377f5f 100755..100644 --- a/testing/tests/ikev2/dpd-restart/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/dpd-restart/hosts/moon/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/dpd-restart/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/dpd-restart/hosts/moon/etc/strongswan.conf index 88f162098..85d8c191f 100644 --- a/testing/tests/ikev2/dpd-restart/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/dpd-restart/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/dpd-restart/test.conf b/testing/tests/ikev2/dpd-restart/test.conf index 2b240d895..892f51cd9 100644 --- a/testing/tests/ikev2/dpd-restart/test.conf +++ b/testing/tests/ikev2/dpd-restart/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="moon carol winnetou" +VIRTHOSTS="moon carol winnetou" # Corresponding block diagram # DIAGRAM="m-c-w.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev2/dynamic-initiator/description.txt b/testing/tests/ikev2/dynamic-initiator/description.txt new file mode 100644 index 000000000..e74ee1569 --- /dev/null +++ b/testing/tests/ikev2/dynamic-initiator/description.txt @@ -0,0 +1,12 @@ +The peers <b>carol</b> and <b>moon</b> both have dynamic IP addresses, so that the remote end +is defined symbolically by <b>right=<hostname></b>. The ipsec starter resolves the +fully-qualified hostname into the current IP address via a DNS lookup (simulated by an +/etc/hosts entry). Since the peer IP addresses are expected to change over time, the option +<b>rightallowany=yes</b> will allow an IKE_SA rekeying to arrive from an arbitrary +IP address under the condition that the peer identity remains unchanged. When this happens +the old tunnel is replaced by an IPsec connection to the new origin. +<p> +In this scenario <b>carol</b> first initiates a tunnel to <b>moon</b>. After some time <b>carol</b> +suddenly changes her IP address and restarts the connection to <b>moon</b> without deleting the +old tunnel first (simulated by iptables blocking IKE packets to and from +<b>carol</b> and starting the connection from host <b>dave</b> using <b>carol</b>'s identity). diff --git a/testing/tests/ikev2/dynamic-initiator/evaltest.dat b/testing/tests/ikev2/dynamic-initiator/evaltest.dat new file mode 100644 index 000000000..3db70be71 --- /dev/null +++ b/testing/tests/ikev2/dynamic-initiator/evaltest.dat @@ -0,0 +1,10 @@ +carol::ipsec status 2> /dev/null::moon.*ESTABLISHED.*carol.strongswan.org.*moon.strongswan.org::YES +dave:: ipsec status 2> /dev/null::moon.*ESTABLISHED.*carol.strongswan.org.*moon.strongswan.org::YES +carol::ipsec status 2> /dev/null::moon.*INSTALLED, TUNNEL::YES +dave:: ipsec status 2> /dev/null::moon.*INSTALLED, TUNNEL::YES +moon:: cat /var/log/auth.log::IKE_SA carol\[1] established.*PH_IP_CAROL::YES +moon:: cat /var/log/daemon.log::destroying duplicate IKE_SA for.*carol@strongswan.org.*received INITIAL_CONTACT::YES +moon:: cat /var/log/auth.log::IKE_SA carol\[2] established.*PH_IP_DAVE::YES +dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES +alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES diff --git a/testing/tests/ikev2/dynamic-initiator/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/dynamic-initiator/hosts/carol/etc/ipsec.conf new file mode 100644 index 000000000..6fca045f6 --- /dev/null +++ b/testing/tests/ikev2/dynamic-initiator/hosts/carol/etc/ipsec.conf @@ -0,0 +1,21 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn moon + left=%any + leftsourceip=%config + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftfirewall=yes + right=%moon.strongswan.org + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ikev2/dynamic-initiator/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/dynamic-initiator/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..bad10ca43 --- /dev/null +++ b/testing/tests/ikev2/dynamic-initiator/hosts/carol/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown +} + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev2/dynamic-initiator/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/dynamic-initiator/hosts/dave/etc/ipsec.conf new file mode 100644 index 000000000..6fca045f6 --- /dev/null +++ b/testing/tests/ikev2/dynamic-initiator/hosts/dave/etc/ipsec.conf @@ -0,0 +1,21 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn moon + left=%any + leftsourceip=%config + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftfirewall=yes + right=%moon.strongswan.org + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ikev2/dynamic-initiator/hosts/dave/etc/ipsec.d/certs/carolCert.pem b/testing/tests/ikev2/dynamic-initiator/hosts/dave/etc/ipsec.d/certs/carolCert.pem new file mode 100644 index 000000000..6c41df9c7 --- /dev/null +++ b/testing/tests/ikev2/dynamic-initiator/hosts/dave/etc/ipsec.d/certs/carolCert.pem @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEIjCCAwqgAwIBAgIBHTANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA5MDgyNzEwNDQ1MVoXDTE0MDgyNjEwNDQ1MVowWjELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh +cmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBANBdWU+BF7x4lyo+xHnr4UAOU89yQQuT5vdPoXzx +6kRPsjYAuuktgXR+SaLkQHw/YRgDPSKj5nzmmlOQf/rWRr+8O2q+C92aUICmkNvZ +Gamo5w2WlOMZ6T5dk2Hv+QM6xT/GzWyVr1dMYu/7tywD1Bw7aW/HqkRESDu6q95V +Wu+Lzg6XlxCNEez0YsZrN/fC6BL2qzKAqMBbIHFW8OOnh+nEY4IF5AzkZnFrw12G +I72Z882pw97lyKwZhSz/GMQFBJx+rnNdw5P1IJwTlG5PUdoDCte/Mcr1iiA+zOov +x55x1GoGxduoXWU5egrf1MtalRf9Pc8Xr4q3WEKTAmsZrVECAwEAAaOCAQYwggEC +MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBQfoamI2WSMtaCiVGQ5 +tPI9dF1ufDBtBgNVHSMEZjBkgBRdp91wBlEyfue2bbO15eBg6i5N76FJpEcwRTEL +MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT +EnN0cm9uZ1N3YW4gUm9vdCBDQYIBADAfBgNVHREEGDAWgRRjYXJvbEBzdHJvbmdz +d2FuLm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4u +b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQC8pqX3KrSzKeul +GdzydAV4hGwYB3WiB02oJ2nh5MJBu7J0Kn4IVkvLUHSSZhSRxx55tQZfdYqtXVS7 +ZuyG+6rV7sb595SIRwfkLAdjbvv0yZIl4xx8j50K3yMR+9aXW1NSGPEkb8BjBUMr +F2kjGTOqomo8OIzyI369z9kJrtEhnS37nHcdpewZC1wHcWfJ6wd9wxmz2dVXmgVQ +L2BjXd/BcpLFaIC4h7jMXQ5FURjnU7K9xSa4T8PpR6FrQhOcIYBXAp94GiM8JqmK +ZBGUpeP+3cy4i3DV18Kyr64Q4XZlzhZClNE43sgMqiX88dc3znpDzT7T51j+d+9k +Rf5Z0GOR +-----END CERTIFICATE----- diff --git a/testing/tests/ikev2/dynamic-initiator/hosts/dave/etc/ipsec.d/private/carolKey.pem b/testing/tests/ikev2/dynamic-initiator/hosts/dave/etc/ipsec.d/private/carolKey.pem new file mode 100644 index 000000000..41a139954 --- /dev/null +++ b/testing/tests/ikev2/dynamic-initiator/hosts/dave/etc/ipsec.d/private/carolKey.pem @@ -0,0 +1,30 @@ +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: AES-128-CBC,01290773006220E4E96C2975C52D2429 + +mSt4HT52dsYkDwk6DVYm+Uij1PnFAnYzJD7Jx6EJIA9HuWKfyHPSjtqEcCwZoKHq +i18EuCZHkdMBc8+lY0iEpNwbs3UbCP73lGn+IIjlOrS0xi4PP9iV1jxg/k+WF4rH +jhIUhi3wc1cAaFLLj8bBvnx6t4mF3nTZZ119wSsa5ewy5RZGWcdN8NKtyNgFYTFx +m5ACRErFuq8aFmcKVgwzLZH+e9fd7xKHS7XoP9vla7+iKkW5bzfkGP5E8irbOqce +pyUE81FrD8irD0uK4mnrMRDDGrD02mYNSMGyhT5o1RDQJbaRupih9nU+SaTR2Kxq +J/ScYak4EwmCIXixwuhwokDPTB1EuyQ1h5ywarkgt1TCZKoI2odqoILB2Dbrsmdf +dKLqI8Q/kR4h5meCc0e3401VXIaOJWk5GMbxz+6641uWnTdLKedzC5gWCI7QIDFB +h5n5m3tsSe6LRksqJpgPL/+vV/r+OrNEi4KGK9NxETZxeb/7gBSVFWbDXH5AO+wC +/RlPYHaoDt+peRm3LUDBGQBPtvZUDiDHlW4v8wtgCEZXAPZPdaFRUSDYMYdbbebY +EsxWa6G00Gau08EOPSgFIReGuACRkP4diiSE4ZTiC9HD2cuUN/D01ck+SD6UgdHV +pyf6tHej/AdVG3HD5dRCmCCyfucW0gS7R+/+C4DzVHwZKAXJRSxmXLOHT0Gk8Woe +sM8gbHOoV8OfLAfZDwibvnDq7rc82q5sSiGOKH7Fg5LYIjRB0UazCToxGVtxfWMz +kPrzZiQT45QDa3gQdkHzF21s+fNpx/cZ1V1Mv+1E3KAX9XsAm/sNl0NAZ6G0AbFk +gHIWoseiKxouTCDGNe/gC40r9XNhZdFCEzzJ9A77eScu0aTa5FHrC2w9YO2wHcja +OT2AyZrVqOWB1/hIwAqk8ApXA3FwJbnQE0FxyLcYiTvCNM+XYIPLstD09axLFb53 +D4DXEncmvW4+axDg8G3s84olPGLgJL3E8pTFPYWHKsJgqsloAc/GD2Qx0PCinySM +bVQckgzpVL3SvxeRRfx8SHl9F9z+GS4gZtM/gT9cDgcVOpVQpOcln5AR/mF/aoyo +BW96LSmEk5l4yeBBba63Qcz1HRr2NSvXJuqdjw6qTZNBWtjmSxHywKZYRlSqzNZx +7B6DGHTIOfGNhcy2wsd4cuftVYByGxfFjw7bHIDa4/ySdDykL7J+REfg8QidlCJB +UN/2VjaNipQo38RczWLUfloMkMMrWYpXOm9koes+Vldm7Bco+eCONIS50DJDOhZs +H037A+UMElXmtCrHPJGxQf8k1Qirn6BWOuRmXg8sXqeblIrPlZU+DghYXzA/nRxB +y+nUx+Ipbj022uJNVtFwhP70TIqYm/O6Ol/zRbo6yRsR6uEnnb4wRi5IxHnM/iGA +zWPzLRDSeVPkhu2pZ7JygabCiXbbgFTN1enJvLWvIAcB0LS8wQz0yKQ7oj32T0Ty +AD3c/qS8kmsrZDe3H+lEfMCcJRnHUrR/SBChSdx7LF9mnLlWuJLLHmrz87x7Z2o6 +nuRU15U5aQTniVikvFWchnwGy+23lgv5He9X99jxEu/U1pA4egejfMs3g070AY3J +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/ikev2/dynamic-initiator/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/dynamic-initiator/hosts/dave/etc/ipsec.secrets new file mode 100644 index 000000000..6a2aea811 --- /dev/null +++ b/testing/tests/ikev2/dynamic-initiator/hosts/dave/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA carolKey.pem "nH5ZQEWtku0RJEZ6" diff --git a/testing/tests/ikev2/dynamic-initiator/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/dynamic-initiator/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..bad10ca43 --- /dev/null +++ b/testing/tests/ikev2/dynamic-initiator/hosts/dave/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown +} + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev2/dynamic-initiator/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/dynamic-initiator/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..2e5f01a06 --- /dev/null +++ b/testing/tests/ikev2/dynamic-initiator/hosts/moon/etc/ipsec.conf @@ -0,0 +1,21 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn carol + left=%any + leftsubnet=10.1.0.0/16 + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftfirewall=yes + right=%carol.strongswan.org + rightid=carol@strongswan.org + rightsourceip=PH_IP_CAROL1 + auto=add diff --git a/testing/tests/ikev2/dynamic-initiator/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/dynamic-initiator/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..bad10ca43 --- /dev/null +++ b/testing/tests/ikev2/dynamic-initiator/hosts/moon/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown +} + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev2/dynamic-initiator/posttest.dat b/testing/tests/ikev2/dynamic-initiator/posttest.dat new file mode 100644 index 000000000..83063a23f --- /dev/null +++ b/testing/tests/ikev2/dynamic-initiator/posttest.dat @@ -0,0 +1,9 @@ +dave::ipsec stop +carol::ipsec stop +dave::sleep 1 +moon::ipsec stop +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush +dave::rm /etc/ipsec.d/certs/* +dave::rm /etc/ipsec.d/private/* diff --git a/testing/tests/ikev2/dynamic-initiator/pretest.dat b/testing/tests/ikev2/dynamic-initiator/pretest.dat new file mode 100644 index 000000000..3e1cfce77 --- /dev/null +++ b/testing/tests/ikev2/dynamic-initiator/pretest.dat @@ -0,0 +1,13 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules +carol::ipsec start +dave::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up moon +carol::sleep 1 +carol::iptables -D INPUT -i eth0 -p udp --dport 500 --sport 500 -j ACCEPT +carol::iptables -D OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT +dave::ipsec up moon +dave::sleep 2 diff --git a/testing/tests/ikev2/dynamic-initiator/test.conf b/testing/tests/ikev2/dynamic-initiator/test.conf new file mode 100644 index 000000000..164b07ff9 --- /dev/null +++ b/testing/tests/ikev2/dynamic-initiator/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon alice" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev2/dynamic-two-peers/description.txt b/testing/tests/ikev2/dynamic-two-peers/description.txt new file mode 100644 index 000000000..a1616011e --- /dev/null +++ b/testing/tests/ikev2/dynamic-two-peers/description.txt @@ -0,0 +1,14 @@ +The peers <b>carol</b>, <b>dave</b>, and <b>moon</b> all have dynamic IP addresses, +so that the remote end is defined symbolically by <b>right=%<hostname></b>. +The ipsec starter resolves the fully-qualified hostname into the current IP address +via a DNS lookup (simulated by an /etc/hosts entry). Since the peer IP addresses are +expected to change over time, the prefix '%' is used as an implicit alternative to the +explicit <b>rightallowany=yes</b> option which will allow an IKE_SA rekeying to arrive +from an arbitrary IP address under the condition that the peer identity remains unchanged. +When this happens the old tunnel is replaced by an IPsec connection to the new origin. +<p> +In this scenario both <b>carol</b> and <b>dave</b> initiate a tunnel to +<b>moon</b> which has a named connection definition for each peer. Although +the IP addresses of both <b>carol</b> and <b>dave</b> are stale, thanks to +the '%' prefix <b>moon</b> will accept the IKE negotiations from the actual IP addresses. + diff --git a/testing/tests/ikev2/dynamic-two-peers/evaltest.dat b/testing/tests/ikev2/dynamic-two-peers/evaltest.dat new file mode 100644 index 000000000..82d2e7318 --- /dev/null +++ b/testing/tests/ikev2/dynamic-two-peers/evaltest.dat @@ -0,0 +1,14 @@ +carol::ipsec status 2> /dev/null::moon.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +dave:: ipsec status 2> /dev/null::moon.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::carol.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +moon:: ipsec status 2> /dev/null::dave.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES +carol::ipsec status 2> /dev/null::moon.*INSTALLED, TUNNEL::YES +dave:: ipsec status 2> /dev/null::moon.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::carol.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::dave.*INSTALLED, TUNNEL::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES +alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES +alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES +alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES diff --git a/testing/tests/ikev2/dynamic-two-peers/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/dynamic-two-peers/hosts/carol/etc/ipsec.conf new file mode 100644 index 000000000..6fca045f6 --- /dev/null +++ b/testing/tests/ikev2/dynamic-two-peers/hosts/carol/etc/ipsec.conf @@ -0,0 +1,21 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn moon + left=%any + leftsourceip=%config + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftfirewall=yes + right=%moon.strongswan.org + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ikev2/dynamic-two-peers/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/dynamic-two-peers/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..bad10ca43 --- /dev/null +++ b/testing/tests/ikev2/dynamic-two-peers/hosts/carol/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown +} + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev2/dynamic-two-peers/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/dynamic-two-peers/hosts/dave/etc/ipsec.conf new file mode 100644 index 000000000..6493ce0b1 --- /dev/null +++ b/testing/tests/ikev2/dynamic-two-peers/hosts/dave/etc/ipsec.conf @@ -0,0 +1,21 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn moon + left=%any + leftsourceip=%config + leftcert=daveCert.pem + leftid=dave@strongswan.org + leftfirewall=yes + right=%moon.strongswan.org + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ikev2/dynamic-two-peers/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/dynamic-two-peers/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..bad10ca43 --- /dev/null +++ b/testing/tests/ikev2/dynamic-two-peers/hosts/dave/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown +} + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev2/dynamic-two-peers/hosts/moon/etc/hosts.stale b/testing/tests/ikev2/dynamic-two-peers/hosts/moon/etc/hosts.stale new file mode 100644 index 000000000..ebff4ec25 --- /dev/null +++ b/testing/tests/ikev2/dynamic-two-peers/hosts/moon/etc/hosts.stale @@ -0,0 +1,67 @@ +# /etc/hosts: This file describes a number of hostname-to-address +# mappings for the TCP/IP subsystem. It is mostly +# used at boot time, when no name servers are running. +# On small systems, this file can be used instead of a +# "named" name server. Just add the names, addresses +# and any aliases to this file... +# + +127.0.0.1 localhost + +192.168.0.254 uml0.strongswan.org uml0 +10.1.0.254 uml1.strongswan.org uml1 +10.2.0.254 uml1.strongswan.org uml2 + +10.1.0.10 alice.strongswan.org alice +10.1.0.20 venus.strongswan.org venus +10.1.0.1 moon1.strongswan.org moon1 +192.168.0.1 moon.strongswan.org moon +192.168.0.110 carol.strongswan.org carol +10.3.0.1 carol1.strongswan.org carol1 +192.168.0.150 winnetou.strongswan.org winnetou crl.strongswan.org ocsp.strongswan.org ldap.strongswan.org +192.168.0.220 dave.strongswan.org dave +10.3.0.2 dave1.strongswan.org dave1 +192.168.0.2 sun.strongswan.org sun +10.2.0.1 sun1.strongswan.org sun1 +10.2.0.10 bob.strongswan.org bob + +# IPv6 versions of localhost and co +::1 ip6-localhost ip6-loopback +fe00::0 ip6-localnet +ff00::0 ip6-mcastprefix +ff02::1 ip6-allnodes +ff02::2 ip6-allrouters +ff02::3 ip6-allhosts + +# IPv6 solicited-node multicast addresses +ff02::1:ff00:1 ip6-mcast-1 +ff02::1:ff00:2 ip6-mcast-2 +ff02::1:ff00:10 ip6-mcast-10 +ff02::1:ff00:15 ip6-mcast-15 +ff02::1:ff00:20 ip6-mcast-20 + +# IPv6 site-local addresses +fec1::10 ip6-alice.strongswan.org ip6-alice +fec1::20 ip6-venus.strongswan.org ip6-venus +fec1::1 ip6-moon1.strongswan.org ip6-moon1 +fec0::1 ip6-moon.strongswan.org ip6-moon +fec0::10 ip6-carol.strongswan.org ip6-carol +fec3::1 ip6-carol1.strongswan.org ip6-carol1 +fec0::15 ip6-winnetou.strongswan.org ip6-winnetou +fec0::20 ip6-dave.strongswan.org ip6-dave +fec3::2 ip6-dave1.strongswan.org ip6-dave1 +fec0::2 ip6-sun.strongswan.org ip6-sun +fec2::1 ip6-sun1.strongswan.org ip6-sun1 +fec2::10 ip6-bob.strongswan.org ip6-bob + +# IPv6 link-local HW derived addresses +fe80::fcfd:0aff:fe01:14 ip6-hw-venus.strongswan.org ip6-hw-venus +fe80::fcfd:0aff:fe01:0a ip6-hw-alice.strongswan.org ip6-hw-alice +fe80::fcfd:0aff:fe01:01 ip6-hw-moon1.strongswan.org ip6-hw-moon1 +fe80::fcfd:c0ff:fea8:01 ip6-hw-moon.strongswan.org ip6-hw-moon +fe80::fcfd:c0ff:fea8:64 ip6-hw-carol.strongswan.org ip6-hw-carol +fe80::fcfd:c0ff:fea8:96 ip6-hw-winnetou.strongswan.org ip6-hw-winnetou +fe80::fcfd:c0ff:fea8:c8 ip6-hw-dave.strongswan.org ip6-hw-dave +fe80::fcfd:c0ff:fea8:02 ip6-hw-sun.strongswan.org ip6-hw-sun +fe80::fcfd:0aff:fe02:01 ip6-hw-sun1.strongswan.org ip6-hw-sun1 +fe80::fcfd:0aff:fe02:0a ip6-hw-bob.strongswan.org ip6-hw-bob diff --git a/testing/tests/ikev2/dynamic-two-peers/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/dynamic-two-peers/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..d510e2e0c --- /dev/null +++ b/testing/tests/ikev2/dynamic-two-peers/hosts/moon/etc/ipsec.conf @@ -0,0 +1,27 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + left=%any + leftsubnet=10.1.0.0/16 + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftfirewall=yes + +conn carol + right=%carol.strongswan.org + rightid=carol@strongswan.org + rightsourceip=PH_IP_CAROL1 + auto=add + +conn dave + right=%dave.strongswan.org + rightid=dave@strongswan.org + rightsourceip=PH_IP_DAVE1 + auto=add diff --git a/testing/tests/ikev2/dynamic-two-peers/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/dynamic-two-peers/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..bad10ca43 --- /dev/null +++ b/testing/tests/ikev2/dynamic-two-peers/hosts/moon/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown +} + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev2/dynamic-two-peers/posttest.dat b/testing/tests/ikev2/dynamic-two-peers/posttest.dat new file mode 100644 index 000000000..7b2609846 --- /dev/null +++ b/testing/tests/ikev2/dynamic-two-peers/posttest.dat @@ -0,0 +1,8 @@ +carol::ipsec stop +dave::ipsec stop +moon::sleep 1 +moon::ipsec stop +moon::mv /etc/hosts.ori /etc/hosts +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/dynamic-two-peers/pretest.dat b/testing/tests/ikev2/dynamic-two-peers/pretest.dat new file mode 100644 index 000000000..4bb2a4686 --- /dev/null +++ b/testing/tests/ikev2/dynamic-two-peers/pretest.dat @@ -0,0 +1,12 @@ +moon::mv /etc/hosts /etc/hosts.ori +moon::mv /etc/hosts.stale /etc/hosts +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules +carol::ipsec start +dave::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up moon +dave::ipsec up moon +carol::sleep 1 diff --git a/testing/tests/ikev2/dynamic-two-peers/test.conf b/testing/tests/ikev2/dynamic-two-peers/test.conf new file mode 100644 index 000000000..164b07ff9 --- /dev/null +++ b/testing/tests/ikev2/dynamic-two-peers/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon alice" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev2/esp-alg-aes-gmac/evaltest.dat b/testing/tests/ikev2/esp-alg-aes-gmac/evaltest.dat index 9377d9fd2..d5d3bc0d3 100644 --- a/testing/tests/ikev2/esp-alg-aes-gmac/evaltest.dat +++ b/testing/tests/ikev2/esp-alg-aes-gmac/evaltest.dat @@ -1,9 +1,11 @@ -moon::ipsec statusall::rw.*INSTALLED::YES -carol::ipsec statusall::home.*INSTALLED::YES -carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES -moon::ipsec statusall::NULL_AES_GMAC_256::YES -carol::ipsec statusall::NULL_AES_GMAC_256::YES +moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES +moon:: ipsec statusall 2> /dev/null::NULL_AES_GMAC_256::YES +carol::ipsec statusall 2> /dev/null::NULL_AES_GMAC_256::YES carol::ip xfrm state::aead rfc4543(gcm(aes))::YES -moon::ip xfrm state::aead rfc4543(gcm(aes))::YES +moon:: ip xfrm state::aead rfc4543(gcm(aes))::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 184::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 184::YES diff --git a/testing/tests/ikev2/esp-alg-aes-gmac/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-aes-gmac/hosts/carol/etc/ipsec.conf index f3a266c7d..8f5b77cac 100755..100644 --- a/testing/tests/ikev2/esp-alg-aes-gmac/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/esp-alg-aes-gmac/hosts/carol/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=yes - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/esp-alg-aes-gmac/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-aes-gmac/hosts/carol/etc/strongswan.conf index 339b56987..dc937641c 100644 --- a/testing/tests/ikev2/esp-alg-aes-gmac/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/esp-alg-aes-gmac/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/esp-alg-aes-gmac/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-aes-gmac/hosts/moon/etc/ipsec.conf index bbdb38301..d41ba72e8 100755..100644 --- a/testing/tests/ikev2/esp-alg-aes-gmac/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/esp-alg-aes-gmac/hosts/moon/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=yes - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/esp-alg-aes-gmac/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-aes-gmac/hosts/moon/etc/strongswan.conf index 339b56987..dc937641c 100644 --- a/testing/tests/ikev2/esp-alg-aes-gmac/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/esp-alg-aes-gmac/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/esp-alg-aes-gmac/posttest.dat b/testing/tests/ikev2/esp-alg-aes-gmac/posttest.dat index 94a400606..046d4cfdc 100644 --- a/testing/tests/ikev2/esp-alg-aes-gmac/posttest.dat +++ b/testing/tests/ikev2/esp-alg-aes-gmac/posttest.dat @@ -1,4 +1,4 @@ moon::ipsec stop carol::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/esp-alg-aes-gmac/pretest.dat b/testing/tests/ikev2/esp-alg-aes-gmac/pretest.dat index f360351e1..4fc25772b 100644 --- a/testing/tests/ikev2/esp-alg-aes-gmac/pretest.dat +++ b/testing/tests/ikev2/esp-alg-aes-gmac/pretest.dat @@ -1,5 +1,5 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start carol::sleep 1 diff --git a/testing/tests/ikev2/esp-alg-aes-gmac/test.conf b/testing/tests/ikev2/esp-alg-aes-gmac/test.conf index 9cd583b16..4a5fc470f 100644 --- a/testing/tests/ikev2/esp-alg-aes-gmac/test.conf +++ b/testing/tests/ikev2/esp-alg-aes-gmac/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon carol winnetou" +VIRTHOSTS="alice moon carol winnetou" # Corresponding block diagram # DIAGRAM="a-m-c-w.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev2/esp-alg-md5-128/evaltest.dat b/testing/tests/ikev2/esp-alg-md5-128/evaltest.dat index d65d71240..366539936 100644 --- a/testing/tests/ikev2/esp-alg-md5-128/evaltest.dat +++ b/testing/tests/ikev2/esp-alg-md5-128/evaltest.dat @@ -1,9 +1,11 @@ -moon::ipsec statusall::rw.*INSTALLED::YES -carol::ipsec statusall::home.*INSTALLED::YES -carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES -moon::ipsec statusall::3DES_CBC/HMAC_MD5_128::YES -carol::ipsec statusall::3DES_CBC/HMAC_MD5_128::YES -moon::ip xfrm state::auth hmac(md5)::YES -carol::ip xfrm state::auth hmac(md5)::YES +moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES +moon:: ipsec statusall 2> /dev/null::3DES_CBC/HMAC_MD5_128::YES +carol::ipsec statusall 2> /dev/null::3DES_CBC/HMAC_MD5_128::YES +moon:: ip xfrm state::auth-trunc hmac(md5)::YES +carol::ip xfrm state::auth-trunc hmac(md5)::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 184::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 184::YES diff --git a/testing/tests/ikev2/esp-alg-md5-128/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-md5-128/hosts/carol/etc/ipsec.conf index 09797799f..a85034243 100755..100644 --- a/testing/tests/ikev2/esp-alg-md5-128/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/esp-alg-md5-128/hosts/carol/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=yes - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/esp-alg-md5-128/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-md5-128/hosts/carol/etc/strongswan.conf index 339b56987..dc937641c 100644 --- a/testing/tests/ikev2/esp-alg-md5-128/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/esp-alg-md5-128/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/esp-alg-md5-128/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-md5-128/hosts/moon/etc/ipsec.conf index ae83aaf58..13908da14 100755..100644 --- a/testing/tests/ikev2/esp-alg-md5-128/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/esp-alg-md5-128/hosts/moon/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=yes - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/esp-alg-md5-128/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-md5-128/hosts/moon/etc/strongswan.conf index 339b56987..dc937641c 100644 --- a/testing/tests/ikev2/esp-alg-md5-128/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/esp-alg-md5-128/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/esp-alg-md5-128/posttest.dat b/testing/tests/ikev2/esp-alg-md5-128/posttest.dat index 94a400606..046d4cfdc 100644 --- a/testing/tests/ikev2/esp-alg-md5-128/posttest.dat +++ b/testing/tests/ikev2/esp-alg-md5-128/posttest.dat @@ -1,4 +1,4 @@ moon::ipsec stop carol::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/esp-alg-md5-128/pretest.dat b/testing/tests/ikev2/esp-alg-md5-128/pretest.dat index 3c3df0196..886fdf55c 100644 --- a/testing/tests/ikev2/esp-alg-md5-128/pretest.dat +++ b/testing/tests/ikev2/esp-alg-md5-128/pretest.dat @@ -1,5 +1,5 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start carol::sleep 1 diff --git a/testing/tests/ikev2/esp-alg-md5-128/test.conf b/testing/tests/ikev2/esp-alg-md5-128/test.conf index 9cd583b16..4a5fc470f 100644 --- a/testing/tests/ikev2/esp-alg-md5-128/test.conf +++ b/testing/tests/ikev2/esp-alg-md5-128/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon carol winnetou" +VIRTHOSTS="alice moon carol winnetou" # Corresponding block diagram # DIAGRAM="a-m-c-w.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev2/esp-alg-null/evaltest.dat b/testing/tests/ikev2/esp-alg-null/evaltest.dat index bebca1f61..1b9c6c27e 100644 --- a/testing/tests/ikev2/esp-alg-null/evaltest.dat +++ b/testing/tests/ikev2/esp-alg-null/evaltest.dat @@ -1,9 +1,11 @@ -moon::ipsec statusall::rw.*INSTALLED::YES -carol::ipsec statusall::home.*INSTALLED::YES -carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES -moon::ipsec statusall::NULL/HMAC_SHA1_96::YES -carol::ipsec statusall::NULL/HMAC_SHA1_96::YES -moon::ip xfrm state::enc ecb(cipher_null)::YES +moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES +moon:: ipsec statusall 2> /dev/null::NULL/HMAC_SHA1_96::YES +carol::ipsec statusall 2> /dev/null::NULL/HMAC_SHA1_96::YES +moon:: ip xfrm state::enc ecb(cipher_null)::YES carol::ip xfrm state::enc ecb(cipher_null)::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 172::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 172::YES diff --git a/testing/tests/ikev2/esp-alg-null/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-null/hosts/carol/etc/ipsec.conf index 5640d74fc..1d8509115 100755..100644 --- a/testing/tests/ikev2/esp-alg-null/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/esp-alg-null/hosts/carol/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=yes - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/esp-alg-null/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-null/hosts/carol/etc/strongswan.conf index 339b56987..dc937641c 100644 --- a/testing/tests/ikev2/esp-alg-null/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/esp-alg-null/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/esp-alg-null/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-null/hosts/moon/etc/ipsec.conf index 91f4a7c7f..38f8bd619 100755..100644 --- a/testing/tests/ikev2/esp-alg-null/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/esp-alg-null/hosts/moon/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=yes - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/esp-alg-null/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-null/hosts/moon/etc/strongswan.conf index 339b56987..dc937641c 100644 --- a/testing/tests/ikev2/esp-alg-null/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/esp-alg-null/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/esp-alg-null/posttest.dat b/testing/tests/ikev2/esp-alg-null/posttest.dat index 94a400606..046d4cfdc 100644 --- a/testing/tests/ikev2/esp-alg-null/posttest.dat +++ b/testing/tests/ikev2/esp-alg-null/posttest.dat @@ -1,4 +1,4 @@ moon::ipsec stop carol::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/esp-alg-null/pretest.dat b/testing/tests/ikev2/esp-alg-null/pretest.dat index 3c3df0196..886fdf55c 100644 --- a/testing/tests/ikev2/esp-alg-null/pretest.dat +++ b/testing/tests/ikev2/esp-alg-null/pretest.dat @@ -1,5 +1,5 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start carol::sleep 1 diff --git a/testing/tests/ikev2/esp-alg-null/test.conf b/testing/tests/ikev2/esp-alg-null/test.conf index 9cd583b16..4a5fc470f 100644 --- a/testing/tests/ikev2/esp-alg-null/test.conf +++ b/testing/tests/ikev2/esp-alg-null/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon carol winnetou" +VIRTHOSTS="alice moon carol winnetou" # Corresponding block diagram # DIAGRAM="a-m-c-w.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev2/esp-alg-sha1-160/evaltest.dat b/testing/tests/ikev2/esp-alg-sha1-160/evaltest.dat index b0277271d..00c353686 100644 --- a/testing/tests/ikev2/esp-alg-sha1-160/evaltest.dat +++ b/testing/tests/ikev2/esp-alg-sha1-160/evaltest.dat @@ -1,9 +1,11 @@ -moon::ipsec statusall::rw.*INSTALLED::YES -carol::ipsec statusall::home.*INSTALLED::YES -carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES -moon::ipsec statusall::AES_CBC_128/HMAC_SHA1_160::YES -carol::ipsec statusall::AES_CBC_128/HMAC_SHA1_160::YES -moon::ip xfrm state::auth hmac(sha1)::YES -carol::ip xfrm state::auth hmac(sha1)::YES +moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES +moon:: ipsec statusall 2> /dev/null::AES_CBC_128/HMAC_SHA1_160::YES +carol::ipsec statusall 2> /dev/null::AES_CBC_128/HMAC_SHA1_160::YES +moon:: ip xfrm state::auth-trunc hmac(sha1)::YES +carol::ip xfrm state::auth-trunc hmac(sha1)::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 204::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 204::YES diff --git a/testing/tests/ikev2/esp-alg-sha1-160/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-sha1-160/hosts/carol/etc/ipsec.conf index 3991d517d..52629873e 100755..100644 --- a/testing/tests/ikev2/esp-alg-sha1-160/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/esp-alg-sha1-160/hosts/carol/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=yes - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/esp-alg-sha1-160/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-sha1-160/hosts/carol/etc/strongswan.conf index 339b56987..dc937641c 100644 --- a/testing/tests/ikev2/esp-alg-sha1-160/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/esp-alg-sha1-160/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/esp-alg-sha1-160/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-sha1-160/hosts/moon/etc/ipsec.conf index 893419585..d4cc3fbaf 100755..100644 --- a/testing/tests/ikev2/esp-alg-sha1-160/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/esp-alg-sha1-160/hosts/moon/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=yes - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/esp-alg-sha1-160/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-sha1-160/hosts/moon/etc/strongswan.conf index 339b56987..dc937641c 100644 --- a/testing/tests/ikev2/esp-alg-sha1-160/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/esp-alg-sha1-160/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/esp-alg-sha1-160/posttest.dat b/testing/tests/ikev2/esp-alg-sha1-160/posttest.dat index 94a400606..046d4cfdc 100644 --- a/testing/tests/ikev2/esp-alg-sha1-160/posttest.dat +++ b/testing/tests/ikev2/esp-alg-sha1-160/posttest.dat @@ -1,4 +1,4 @@ moon::ipsec stop carol::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/esp-alg-sha1-160/pretest.dat b/testing/tests/ikev2/esp-alg-sha1-160/pretest.dat index 3c3df0196..886fdf55c 100644 --- a/testing/tests/ikev2/esp-alg-sha1-160/pretest.dat +++ b/testing/tests/ikev2/esp-alg-sha1-160/pretest.dat @@ -1,5 +1,5 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start carol::sleep 1 diff --git a/testing/tests/ikev2/esp-alg-sha1-160/test.conf b/testing/tests/ikev2/esp-alg-sha1-160/test.conf index 9cd583b16..4a5fc470f 100644 --- a/testing/tests/ikev2/esp-alg-sha1-160/test.conf +++ b/testing/tests/ikev2/esp-alg-sha1-160/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon carol winnetou" +VIRTHOSTS="alice moon carol winnetou" # Corresponding block diagram # DIAGRAM="a-m-c-w.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev2/farp/evaltest.dat b/testing/tests/ikev2/farp/evaltest.dat index d48812f47..891ec20d5 100644 --- a/testing/tests/ikev2/farp/evaltest.dat +++ b/testing/tests/ikev2/farp/evaltest.dat @@ -1,21 +1,25 @@ -carol::ipsec status::home.*INSTALLED::YES -alice::ping -c 1 10.1.0.30::64 bytes from 10.1.0.30: icmp_seq=1::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -dave::ipsec status::home.*INSTALLED::YES -alice::ping -c 1 10.1.0.40::64 bytes from 10.1.0.40: icmp_seq=1::YES -dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -moon::ipsec status::rw-carol.*INSTALLED::YES -moon::ipsec status::rw-dave.*INSTALLED::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +alice::ping -c 1 10.1.0.30::64 bytes from 10.1.0.30: icmp_req=1::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES +dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +alice::ping -c 1 10.1.0.40::64 bytes from 10.1.0.40: icmp_req=1::YES +dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +moon:: ipsec status 2> /dev/null::rw-carol.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw-dave.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw-carol.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw-dave.*INSTALLED, TUNNEL::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES -alice::tcpdump::arp reply carol2.strongswan.org is-at fe:fd:0a:01:00:01::YES +alice::tcpdump::ARP, Reply carol2.strongswan.org is-at 52:54:00:43:e3:35::YES alice::tcpdump::IP alice.strongswan.org > carol2.strongswan.org: ICMP echo request::YES alice::tcpdump::IP carol2.strongswan.org > alice.strongswan.org: ICMP echo reply::YES alice::tcpdump::IP carol2.strongswan.org > alice.strongswan.org: ICMP echo request::YES alice::tcpdump::IP alice.strongswan.org > carol2.strongswan.org: ICMP echo reply::YES -alice::tcpdump::arp reply dave2.strongswan.org is-at fe:fd:0a:01:00:01::YES +alice::tcpdump::ARP, Reply dave2.strongswan.org is-at 52:54:00:43:e3:35::YES alice::tcpdump::IP alice.strongswan.org > dave2.strongswan.org: ICMP echo request::YES alice::tcpdump::IP dave2.strongswan.org > alice.strongswan.org: ICMP echo reply::YES alice::tcpdump::IP dave2.strongswan.org > alice.strongswan.org: ICMP echo request::YES diff --git a/testing/tests/ikev2/farp/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/farp/hosts/carol/etc/ipsec.conf index a19f6cfae..8c6c28bd6 100755..100644 --- a/testing/tests/ikev2/farp/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/farp/hosts/carol/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/farp/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/farp/hosts/carol/etc/strongswan.conf index cb5f6406b..bd19ffe3d 100644 --- a/testing/tests/ikev2/farp/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/farp/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve } diff --git a/testing/tests/ikev2/farp/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/farp/hosts/dave/etc/ipsec.conf index 1a89f4e5d..72b8a59c0 100755..100644 --- a/testing/tests/ikev2/farp/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev2/farp/hosts/dave/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/farp/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/farp/hosts/dave/etc/strongswan.conf index cb5f6406b..bd19ffe3d 100644 --- a/testing/tests/ikev2/farp/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/farp/hosts/dave/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve } diff --git a/testing/tests/ikev2/farp/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/farp/hosts/moon/etc/ipsec.conf index 19dd5d3e6..25ec162fe 100755..100644 --- a/testing/tests/ikev2/farp/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/farp/hosts/moon/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/farp/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/farp/hosts/moon/etc/strongswan.conf index 379edeefc..56eaebfc0 100644 --- a/testing/tests/ikev2/farp/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/farp/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown attr farp + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown attr farp dns1 = PH_IP_WINNETOU dns2 = PH_IP_VENUS } diff --git a/testing/tests/ikev2/farp/posttest.dat b/testing/tests/ikev2/farp/posttest.dat index 7cebd7f25..1865a1c60 100644 --- a/testing/tests/ikev2/farp/posttest.dat +++ b/testing/tests/ikev2/farp/posttest.dat @@ -1,6 +1,6 @@ moon::ipsec stop carol::ipsec stop dave::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null -dave::/etc/init.d/iptables stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/farp/pretest.dat b/testing/tests/ikev2/farp/pretest.dat index 709931e1b..f0254da6c 100644 --- a/testing/tests/ikev2/farp/pretest.dat +++ b/testing/tests/ikev2/farp/pretest.dat @@ -1,6 +1,6 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null -dave::/etc/init.d/iptables start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules alice::arp -d 10.1.0.30 alice::arp -d 10.1.0.40 carol::ipsec start diff --git a/testing/tests/ikev2/farp/test.conf b/testing/tests/ikev2/farp/test.conf index 1a8f2a4e0..164b07ff9 100644 --- a/testing/tests/ikev2/farp/test.conf +++ b/testing/tests/ikev2/farp/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon carol winnetou dave" +VIRTHOSTS="alice moon carol winnetou dave" # Corresponding block diagram # DIAGRAM="a-m-c-w-d.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon alice" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev2/force-udp-encaps/evaltest.dat b/testing/tests/ikev2/force-udp-encaps/evaltest.dat index 35f01d491..36af646d2 100644 --- a/testing/tests/ikev2/force-udp-encaps/evaltest.dat +++ b/testing/tests/ikev2/force-udp-encaps/evaltest.dat @@ -1,6 +1,8 @@ +alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*sun.strongswan.org::YES +sun:: ipsec status 2> /dev/null::nat.t.*ESTABLISHED.*sun.strongswan.org.*alice@strongswan.org::YES +alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL::YES +sun:: ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL::YES alice::cat /var/log/daemon.log::faking NAT situation to enforce UDP encapsulation::YES -alice::ipsec statusall::nat-t.*INSTALLED::YES -sun::ipsec statusall::nat-t.*INSTALLED::YES -alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES -moon::tcpdump::IP alice.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP::YES -moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > alice.strongswan.org.*: UDP::YES +alice:: ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES +moon::tcpdump::IP alice.strongswan.org.* > sun.strongswan.org.4500: UDP::YES +moon::tcpdump::IP sun.strongswan.org.4500 > alice.strongswan.org.*: UDP::YES diff --git a/testing/tests/ikev2/force-udp-encaps/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/force-udp-encaps/hosts/alice/etc/ipsec.conf index 2074646cc..3e10155a3 100755..100644 --- a/testing/tests/ikev2/force-udp-encaps/hosts/alice/etc/ipsec.conf +++ b/testing/tests/ikev2/force-udp-encaps/hosts/alice/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/force-udp-encaps/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/force-udp-encaps/hosts/alice/etc/strongswan.conf index 339b56987..dc937641c 100644 --- a/testing/tests/ikev2/force-udp-encaps/hosts/alice/etc/strongswan.conf +++ b/testing/tests/ikev2/force-udp-encaps/hosts/alice/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/init.d/iptables b/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/init.d/iptables deleted file mode 100755 index 5bb63f5ac..000000000 --- a/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/init.d/iptables +++ /dev/null @@ -1,76 +0,0 @@ -#!/sbin/runscript -# Copyright 1999-2004 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 - -opts="start stop reload" - -depend() { - before net - need logger -} - -start() { - ebegin "Starting firewall" - - # enable IP forwarding - echo 1 > /proc/sys/net/ipv4/ip_forward - - # default policy is DROP - /sbin/iptables -P INPUT DROP - /sbin/iptables -P OUTPUT DROP - /sbin/iptables -P FORWARD DROP - - # allow IKE - iptables -A INPUT -i eth0 -p udp --dport 500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT - - # allow NAT-T - iptables -A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT - - # allow crl fetch from winnetou - iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT - iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT - - # allow ssh - iptables -A INPUT -p tcp --dport 22 -j ACCEPT - iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT - - eend $? -} - -stop() { - ebegin "Stopping firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - - if [ $a == nat ]; then - /sbin/iptables -t nat -P PREROUTING ACCEPT - /sbin/iptables -t nat -P POSTROUTING ACCEPT - /sbin/iptables -t nat -P OUTPUT ACCEPT - elif [ $a == mangle ]; then - /sbin/iptables -t mangle -P PREROUTING ACCEPT - /sbin/iptables -t mangle -P INPUT ACCEPT - /sbin/iptables -t mangle -P FORWARD ACCEPT - /sbin/iptables -t mangle -P OUTPUT ACCEPT - /sbin/iptables -t mangle -P POSTROUTING ACCEPT - elif [ $a == filter ]; then - /sbin/iptables -t filter -P INPUT ACCEPT - /sbin/iptables -t filter -P FORWARD ACCEPT - /sbin/iptables -t filter -P OUTPUT ACCEPT - fi - done - eend $? -} - -reload() { - ebegin "Flushing firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - done; - eend $? - start -} - diff --git a/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/ipsec.conf index a2c168601..3f00d6e1a 100755..100644 --- a/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/iptables.rules b/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/iptables.rules new file mode 100644 index 000000000..ae8f9a61e --- /dev/null +++ b/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/iptables.rules @@ -0,0 +1,24 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow IKE +-A INPUT -i eth0 -p udp --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow crl fetch from winnetou +-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT +-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + +COMMIT diff --git a/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/strongswan.conf index 339b56987..dc937641c 100644 --- a/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/force-udp-encaps/posttest.dat b/testing/tests/ikev2/force-udp-encaps/posttest.dat index 979f2fcd0..03edb42cb 100644 --- a/testing/tests/ikev2/force-udp-encaps/posttest.dat +++ b/testing/tests/ikev2/force-udp-encaps/posttest.dat @@ -1,6 +1,6 @@ alice::ipsec stop sun::ipsec stop -alice::/etc/init.d/iptables stop 2> /dev/null -sun::/etc/init.d/iptables stop 2> /dev/null +alice::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush sun::ip route del 10.1.0.0/16 via PH_IP_MOON winnetou::ip route del 10.1.0.0/16 via PH_IP_MOON diff --git a/testing/tests/ikev2/force-udp-encaps/pretest.dat b/testing/tests/ikev2/force-udp-encaps/pretest.dat index 6f00cd387..7be66867a 100644 --- a/testing/tests/ikev2/force-udp-encaps/pretest.dat +++ b/testing/tests/ikev2/force-udp-encaps/pretest.dat @@ -1,8 +1,7 @@ -alice::/etc/init.d/iptables start 2> /dev/null -sun::/etc/init.d/iptables start 2> /dev/null +alice::iptables-restore < /etc/iptables.rules +sun::iptables-restore < /etc/iptables.rules sun::ip route add 10.1.0.0/16 via PH_IP_MOON winnetou::ip route add 10.1.0.0/16 via PH_IP_MOON -moon::echo 1 > /proc/sys/net/ipv4/ip_forward alice::ipsec start sun::ipsec start alice::sleep 4 diff --git a/testing/tests/ikev2/force-udp-encaps/test.conf b/testing/tests/ikev2/force-udp-encaps/test.conf index d84149aaf..42fa97190 100644 --- a/testing/tests/ikev2/force-udp-encaps/test.conf +++ b/testing/tests/ikev2/force-udp-encaps/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon winnetou sun bob" +VIRTHOSTS="alice moon winnetou sun bob" # Corresponding block diagram # DIAGRAM="a-m-w-s-b.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="alice sun" diff --git a/testing/tests/ikev2/host2host-cert/evaltest.dat b/testing/tests/ikev2/host2host-cert/evaltest.dat index 8d5d8167a..3305f4558 100644 --- a/testing/tests/ikev2/host2host-cert/evaltest.dat +++ b/testing/tests/ikev2/host2host-cert/evaltest.dat @@ -1,5 +1,7 @@ -moon::ipsec statusall::host-host.*ESTABLISHED::YES -sun::ipsec statusall::host-host.*ESTABLISHED::YES -moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_seq=1::YES +moon::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES +sun:: ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES +moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES +sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES +moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::YES sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/host2host-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/host2host-cert/hosts/moon/etc/ipsec.conf index ec9ac5b80..1f4843f7d 100755..100644 --- a/testing/tests/ikev2/host2host-cert/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/host2host-cert/hosts/moon/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/host2host-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/host2host-cert/hosts/moon/etc/strongswan.conf index 339b56987..dc937641c 100644 --- a/testing/tests/ikev2/host2host-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/host2host-cert/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/host2host-cert/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/host2host-cert/hosts/sun/etc/ipsec.conf index 484eb995f..2b2b26097 100755..100644 --- a/testing/tests/ikev2/host2host-cert/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ikev2/host2host-cert/hosts/sun/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/host2host-cert/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/host2host-cert/hosts/sun/etc/strongswan.conf index 339b56987..dc937641c 100644 --- a/testing/tests/ikev2/host2host-cert/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/host2host-cert/hosts/sun/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/host2host-cert/posttest.dat b/testing/tests/ikev2/host2host-cert/posttest.dat index 5a9150bc8..1f7aa73a1 100644 --- a/testing/tests/ikev2/host2host-cert/posttest.dat +++ b/testing/tests/ikev2/host2host-cert/posttest.dat @@ -1,4 +1,4 @@ moon::ipsec stop sun::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -sun::/etc/init.d/iptables stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/host2host-cert/pretest.dat b/testing/tests/ikev2/host2host-cert/pretest.dat index 1fa70177c..3bce9f6e5 100644 --- a/testing/tests/ikev2/host2host-cert/pretest.dat +++ b/testing/tests/ikev2/host2host-cert/pretest.dat @@ -1,5 +1,5 @@ -moon::/etc/init.d/iptables start 2> /dev/null -sun::/etc/init.d/iptables start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +sun::iptables-restore < /etc/iptables.rules moon::ipsec start sun::ipsec start moon::sleep 1 diff --git a/testing/tests/ikev2/host2host-cert/test.conf b/testing/tests/ikev2/host2host-cert/test.conf index 305a67316..55d6e9fd6 100644 --- a/testing/tests/ikev2/host2host-cert/test.conf +++ b/testing/tests/ikev2/host2host-cert/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="moon winnetou sun" +VIRTHOSTS="moon winnetou sun" # Corresponding block diagram # DIAGRAM="m-w-s.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="sun" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon sun" diff --git a/testing/tests/ikev2/host2host-swapped/evaltest.dat b/testing/tests/ikev2/host2host-swapped/evaltest.dat index 8d5d8167a..3305f4558 100644 --- a/testing/tests/ikev2/host2host-swapped/evaltest.dat +++ b/testing/tests/ikev2/host2host-swapped/evaltest.dat @@ -1,5 +1,7 @@ -moon::ipsec statusall::host-host.*ESTABLISHED::YES -sun::ipsec statusall::host-host.*ESTABLISHED::YES -moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_seq=1::YES +moon::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES +sun:: ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES +moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES +sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES +moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::YES sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/host2host-swapped/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/host2host-swapped/hosts/moon/etc/ipsec.conf index 981c7f073..d8ef0c7be 100755..100644 --- a/testing/tests/ikev2/host2host-swapped/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/host2host-swapped/hosts/moon/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/host2host-swapped/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/host2host-swapped/hosts/moon/etc/strongswan.conf index 339b56987..dc937641c 100644 --- a/testing/tests/ikev2/host2host-swapped/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/host2host-swapped/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/host2host-swapped/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/host2host-swapped/hosts/sun/etc/ipsec.conf index e3fc2b728..517bb3d41 100755..100644 --- a/testing/tests/ikev2/host2host-swapped/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ikev2/host2host-swapped/hosts/sun/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/host2host-swapped/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/host2host-swapped/hosts/sun/etc/strongswan.conf index 339b56987..dc937641c 100644 --- a/testing/tests/ikev2/host2host-swapped/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/host2host-swapped/hosts/sun/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/host2host-swapped/posttest.dat b/testing/tests/ikev2/host2host-swapped/posttest.dat index 5a9150bc8..1f7aa73a1 100644 --- a/testing/tests/ikev2/host2host-swapped/posttest.dat +++ b/testing/tests/ikev2/host2host-swapped/posttest.dat @@ -1,4 +1,4 @@ moon::ipsec stop sun::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -sun::/etc/init.d/iptables stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/host2host-swapped/pretest.dat b/testing/tests/ikev2/host2host-swapped/pretest.dat index 1fa70177c..3bce9f6e5 100644 --- a/testing/tests/ikev2/host2host-swapped/pretest.dat +++ b/testing/tests/ikev2/host2host-swapped/pretest.dat @@ -1,5 +1,5 @@ -moon::/etc/init.d/iptables start 2> /dev/null -sun::/etc/init.d/iptables start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +sun::iptables-restore < /etc/iptables.rules moon::ipsec start sun::ipsec start moon::sleep 1 diff --git a/testing/tests/ikev2/host2host-swapped/test.conf b/testing/tests/ikev2/host2host-swapped/test.conf index 305a67316..55d6e9fd6 100644 --- a/testing/tests/ikev2/host2host-swapped/test.conf +++ b/testing/tests/ikev2/host2host-swapped/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="moon winnetou sun" +VIRTHOSTS="moon winnetou sun" # Corresponding block diagram # DIAGRAM="m-w-s.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="sun" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon sun" diff --git a/testing/tests/ikev2/host2host-transport/evaltest.dat b/testing/tests/ikev2/host2host-transport/evaltest.dat index b3cade48c..fc49e57d8 100644 --- a/testing/tests/ikev2/host2host-transport/evaltest.dat +++ b/testing/tests/ikev2/host2host-transport/evaltest.dat @@ -1,8 +1,7 @@ -moon::cat /var/log/daemon.log::parsed IKE_AUTH response.*N(USE_TRANSP)::YES -moon::ipsec status::host-host.*INSTALLED.*TRANSPORT::YES -sun::ipsec status::host-host.*INSTALLED.*TRANSPORT::YES -moon::ip xfrm state::mode transport::YES -sun::ip xfrm state::mode transport::YES -moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_seq=1::YES +moon::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES +sun:: ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES +moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES +sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES +moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::YES sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/host2host-transport/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/host2host-transport/hosts/moon/etc/ipsec.conf index 7f6c5a58a..de273e53a 100755..100644 --- a/testing/tests/ikev2/host2host-transport/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/host2host-transport/hosts/moon/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/host2host-transport/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/host2host-transport/hosts/moon/etc/strongswan.conf index cb17a9e07..8e685c862 100644 --- a/testing/tests/ikev2/host2host-transport/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/host2host-transport/hosts/moon/etc/strongswan.conf @@ -1,6 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown multiple_authentication = no } diff --git a/testing/tests/ikev2/host2host-transport/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/host2host-transport/hosts/sun/etc/ipsec.conf index af52fb22b..e96c1ca2e 100755..100644 --- a/testing/tests/ikev2/host2host-transport/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ikev2/host2host-transport/hosts/sun/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/host2host-transport/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/host2host-transport/hosts/sun/etc/strongswan.conf index cb17a9e07..8e685c862 100644 --- a/testing/tests/ikev2/host2host-transport/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/host2host-transport/hosts/sun/etc/strongswan.conf @@ -1,6 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown multiple_authentication = no } diff --git a/testing/tests/ikev2/host2host-transport/posttest.dat b/testing/tests/ikev2/host2host-transport/posttest.dat index 5a9150bc8..1f7aa73a1 100644 --- a/testing/tests/ikev2/host2host-transport/posttest.dat +++ b/testing/tests/ikev2/host2host-transport/posttest.dat @@ -1,4 +1,4 @@ moon::ipsec stop sun::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -sun::/etc/init.d/iptables stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/host2host-transport/pretest.dat b/testing/tests/ikev2/host2host-transport/pretest.dat index e2d98f2eb..99789b90f 100644 --- a/testing/tests/ikev2/host2host-transport/pretest.dat +++ b/testing/tests/ikev2/host2host-transport/pretest.dat @@ -1,5 +1,5 @@ -moon::/etc/init.d/iptables start 2> /dev/null -sun::/etc/init.d/iptables start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +sun::iptables-restore < /etc/iptables.rules moon::ipsec start sun::ipsec start moon::sleep 2 diff --git a/testing/tests/ikev2/host2host-transport/test.conf b/testing/tests/ikev2/host2host-transport/test.conf index cf2e704fd..5a286c84f 100644 --- a/testing/tests/ikev2/host2host-transport/test.conf +++ b/testing/tests/ikev2/host2host-transport/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="moon winnetou sun" +VIRTHOSTS="moon winnetou sun" # Corresponding block diagram # DIAGRAM="m-w-s.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="sun" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon sun" diff --git a/testing/tests/ikev2/inactivity-timeout/evaltest.dat b/testing/tests/ikev2/inactivity-timeout/evaltest.dat index a8975481f..221c59318 100644 --- a/testing/tests/ikev2/inactivity-timeout/evaltest.dat +++ b/testing/tests/ikev2/inactivity-timeout/evaltest.dat @@ -1,8 +1,8 @@ -moon::ipsec statusall::rw.*INSTALLED::YES -carol::ipsec statusall::home.*INSTALLED::YES -carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES carol::sleep 15::NO carol::cat /var/log/daemon.log::deleting CHILD_SA after 10 seconds of inactivity::YES -moon::ipsec statusall::rw.*INSTALLED::NO -carol::ipsec statusall::home.*INSTALLED::NO -carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::NO +moon:: ipsec status 2> /dev/null::rw.*INSTALLED::NO +carol::ipsec status 2> /dev/null::home.*INSTALLED::NO +carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::NO diff --git a/testing/tests/ikev2/inactivity-timeout/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/inactivity-timeout/hosts/carol/etc/ipsec.conf index 5fbb99617..a7a53a4b7 100755..100644 --- a/testing/tests/ikev2/inactivity-timeout/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/inactivity-timeout/hosts/carol/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=yes - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/inactivity-timeout/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/inactivity-timeout/hosts/carol/etc/strongswan.conf index 339b56987..dc937641c 100644 --- a/testing/tests/ikev2/inactivity-timeout/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/inactivity-timeout/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/inactivity-timeout/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/inactivity-timeout/hosts/moon/etc/ipsec.conf index c3d417302..efc5b6cbd 100755..100644 --- a/testing/tests/ikev2/inactivity-timeout/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/inactivity-timeout/hosts/moon/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=yes - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/inactivity-timeout/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/inactivity-timeout/hosts/moon/etc/strongswan.conf index 339b56987..dc937641c 100644 --- a/testing/tests/ikev2/inactivity-timeout/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/inactivity-timeout/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/inactivity-timeout/posttest.dat b/testing/tests/ikev2/inactivity-timeout/posttest.dat index 94a400606..6ca9c5b35 100644 --- a/testing/tests/ikev2/inactivity-timeout/posttest.dat +++ b/testing/tests/ikev2/inactivity-timeout/posttest.dat @@ -1,4 +1,3 @@ moon::ipsec stop carol::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null +carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/inactivity-timeout/pretest.dat b/testing/tests/ikev2/inactivity-timeout/pretest.dat index 3c3df0196..b949aaeaf 100644 --- a/testing/tests/ikev2/inactivity-timeout/pretest.dat +++ b/testing/tests/ikev2/inactivity-timeout/pretest.dat @@ -1,7 +1,6 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null +carol::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start -carol::sleep 1 +carol::sleep 1 carol::ipsec up home carol::sleep 1 diff --git a/testing/tests/ikev2/inactivity-timeout/test.conf b/testing/tests/ikev2/inactivity-timeout/test.conf index acb73b06f..11423f723 100644 --- a/testing/tests/ikev2/inactivity-timeout/test.conf +++ b/testing/tests/ikev2/inactivity-timeout/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="moon carol winnetou" +VIRTHOSTS="moon carol winnetou" # Corresponding block diagram # DIAGRAM="m-c-w.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev2/ip-pool-db/evaltest.dat b/testing/tests/ikev2/ip-pool-db/evaltest.dat index f9d0cbb37..42e353084 100644 --- a/testing/tests/ikev2/ip-pool-db/evaltest.dat +++ b/testing/tests/ikev2/ip-pool-db/evaltest.dat @@ -4,26 +4,30 @@ carol::cat /var/log/daemon.log::installing DNS server PH_IP_VENUS::YES carol::cat /var/log/daemon.log::handling INTERNAL_IP4_NBNS attribute failed::YES carol::ip addr list dev eth0::PH_IP_CAROL1::YES carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES -carol::ipsec status::home.*INSTALLED::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -dave::cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES -dave::cat /var/log/daemon.log::installing DNS server PH_IP_WINNETOU::YES -dave::cat /var/log/daemon.log::installing DNS server PH_IP_VENUS::YES -dave::cat /var/log/daemon.log::handling INTERNAL_IP4_NBNS attribute failed::YES -dave::ip addr list dev eth0::PH_IP_DAVE1::YES -dave::ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES -dave::ipsec status::home.*INSTALLED::YES -dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -moon::cat /var/log/daemon.log::peer requested virtual IP %any::YES -moon::cat /var/log/daemon.log::acquired new lease for address.*in pool.*bigpool::YES -moon::cat /var/log/daemon.log::assigning virtual IP::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES +dave:: cat /var/log/daemon.log::installing DNS server PH_IP_WINNETOU::YES +dave:: cat /var/log/daemon.log::installing DNS server PH_IP_VENUS::YES +dave:: cat /var/log/daemon.log::handling INTERNAL_IP4_NBNS attribute failed::YES +dave:: ip addr list dev eth0::PH_IP_DAVE1::YES +dave:: ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES +dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +moon:: cat /var/log/daemon.log::peer requested virtual IP %any::YES +moon:: cat /var/log/daemon.log::acquired new lease for address.*in pool.*bigpool::YES +moon:: cat /var/log/daemon.log::assigning virtual IP::YES moon::ipsec pool --status 2> /dev/null::dns servers: PH_IP_WINNETOU PH_IP_VENUS::YES moon::ipsec pool --status 2> /dev/null::nbns servers: PH_IP_VENUS::YES moon::ipsec pool --status 2> /dev/null::bigpool.*10.3.0.1.*10.3.3.232.*static.*2::YES moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.2,id=dave@strongswan.org 2> /dev/null::online::YES -moon::ipsec status::rw.*ESTABLISHED.*carol@strongswan.org::YES -moon::ipsec status::rw.*ESTABLISHED.*dave@strongswan.org::YES +moon::ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +moon::ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES +moon::ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES +moon::ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/ip-pool-db/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ip-pool-db/hosts/carol/etc/ipsec.conf index a19f6cfae..8c6c28bd6 100755..100644 --- a/testing/tests/ikev2/ip-pool-db/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/ip-pool-db/hosts/carol/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/ip-pool-db/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-pool-db/hosts/carol/etc/strongswan.conf index cb5f6406b..bd19ffe3d 100644 --- a/testing/tests/ikev2/ip-pool-db/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/ip-pool-db/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve } diff --git a/testing/tests/ikev2/ip-pool-db/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/ip-pool-db/hosts/dave/etc/ipsec.conf index 1a89f4e5d..72b8a59c0 100755..100644 --- a/testing/tests/ikev2/ip-pool-db/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev2/ip-pool-db/hosts/dave/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/ip-pool-db/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ip-pool-db/hosts/dave/etc/strongswan.conf index cb5f6406b..bd19ffe3d 100644 --- a/testing/tests/ikev2/ip-pool-db/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/ip-pool-db/hosts/dave/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve } diff --git a/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/ipsec.conf index b3413830f..606b1500a 100755..100644 --- a/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/strongswan.conf index e907021ce..04ffaf64d 100644 --- a/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default sqlite attr-sql updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default sqlite attr-sql updown } libhydra { diff --git a/testing/tests/ikev2/ip-pool-db/posttest.dat b/testing/tests/ikev2/ip-pool-db/posttest.dat index 5b88b2163..c99f347e3 100644 --- a/testing/tests/ikev2/ip-pool-db/posttest.dat +++ b/testing/tests/ikev2/ip-pool-db/posttest.dat @@ -1,9 +1,9 @@ carol::ipsec stop dave::ipsec stop moon::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null -dave::/etc/init.d/iptables stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush moon::ipsec pool --del bigpool 2> /dev/null moon::ipsec pool --del dns 2> /dev/null moon::ipsec pool --del nbns 2> /dev/null diff --git a/testing/tests/ikev2/ip-pool-db/pretest.dat b/testing/tests/ikev2/ip-pool-db/pretest.dat index 4a2add194..fce551c69 100644 --- a/testing/tests/ikev2/ip-pool-db/pretest.dat +++ b/testing/tests/ikev2/ip-pool-db/pretest.dat @@ -4,9 +4,9 @@ moon::ipsec pool --add bigpool --start 10.3.0.1 --end 10.3.3.232 --timeout 0 2> moon::ipsec pool --addattr dns --server PH_IP_WINNETOU 2> /dev/null moon::ipsec pool --addattr dns --server PH_IP_VENUS 2> /dev/null moon::ipsec pool --addattr nbns --server PH_IP_VENUS 2> /dev/null -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null -dave::/etc/init.d/iptables start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules carol::ipsec start dave::ipsec start moon::ipsec start diff --git a/testing/tests/ikev2/ip-pool-db/test.conf b/testing/tests/ikev2/ip-pool-db/test.conf index 1a8f2a4e0..164b07ff9 100644 --- a/testing/tests/ikev2/ip-pool-db/test.conf +++ b/testing/tests/ikev2/ip-pool-db/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon carol winnetou dave" +VIRTHOSTS="alice moon carol winnetou dave" # Corresponding block diagram # DIAGRAM="a-m-c-w-d.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon alice" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev2/ip-pool-wish/evaltest.dat b/testing/tests/ikev2/ip-pool-wish/evaltest.dat index d02d422ab..44310cd16 100644 --- a/testing/tests/ikev2/ip-pool-wish/evaltest.dat +++ b/testing/tests/ikev2/ip-pool-wish/evaltest.dat @@ -1,18 +1,22 @@ carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES carol::ip addr list dev eth0::PH_IP_CAROL1::YES carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES -carol::ipsec status::home.*INSTALLED::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -dave::cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES -dave::ip addr list dev eth0::PH_IP_DAVE1::YES -dave::ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES -dave::ipsec status::home.*INSTALLED::YES -dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -moon::cat /var/log/daemon.log::adding virtual IP address pool::YES -moon::cat /var/log/daemon.log::peer requested virtual IP PH_IP_CAROL1::YES -moon::cat /var/log/daemon.log::assigning virtual IP::YES -moon::ipsec status::rw.*ESTABLISHED.*carol@strongswan.org::YES -moon::ipsec status::rw.*ESTABLISHED.*dave@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES +dave:: ip addr list dev eth0::PH_IP_DAVE1::YES +dave:: ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org.::YES +dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +moon:: cat /var/log/daemon.log::adding virtual IP address pool::YES +moon:: cat /var/log/daemon.log::peer requested virtual IP PH_IP_CAROL1::YES +moon:: cat /var/log/daemon.log::assigning virtual IP::YES +moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/ip-pool-wish/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ip-pool-wish/hosts/carol/etc/ipsec.conf index c9867c7d4..62c30cf28 100755..100644 --- a/testing/tests/ikev2/ip-pool-wish/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/ip-pool-wish/hosts/carol/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/ip-pool-wish/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-pool-wish/hosts/carol/etc/strongswan.conf index 339b56987..dc937641c 100644 --- a/testing/tests/ikev2/ip-pool-wish/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/ip-pool-wish/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/ip-pool-wish/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/ip-pool-wish/hosts/dave/etc/ipsec.conf index 98dd99271..fa99a4c86 100755..100644 --- a/testing/tests/ikev2/ip-pool-wish/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev2/ip-pool-wish/hosts/dave/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/ip-pool-wish/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ip-pool-wish/hosts/dave/etc/strongswan.conf index 339b56987..dc937641c 100644 --- a/testing/tests/ikev2/ip-pool-wish/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/ip-pool-wish/hosts/dave/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/ip-pool-wish/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ip-pool-wish/hosts/moon/etc/ipsec.conf index 0b4cded6c..85c48a7bb 100755..100644 --- a/testing/tests/ikev2/ip-pool-wish/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/ip-pool-wish/hosts/moon/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/ip-pool-wish/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-pool-wish/hosts/moon/etc/strongswan.conf index 339b56987..dc937641c 100644 --- a/testing/tests/ikev2/ip-pool-wish/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/ip-pool-wish/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/ip-pool-wish/posttest.dat b/testing/tests/ikev2/ip-pool-wish/posttest.dat index 1777f439f..b757d8b15 100644 --- a/testing/tests/ikev2/ip-pool-wish/posttest.dat +++ b/testing/tests/ikev2/ip-pool-wish/posttest.dat @@ -1,6 +1,6 @@ carol::ipsec stop dave::ipsec stop moon::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null -dave::/etc/init.d/iptables stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/ip-pool-wish/pretest.dat b/testing/tests/ikev2/ip-pool-wish/pretest.dat index 1f4ff286a..1466fd2f2 100644 --- a/testing/tests/ikev2/ip-pool-wish/pretest.dat +++ b/testing/tests/ikev2/ip-pool-wish/pretest.dat @@ -1,6 +1,6 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null -dave::/etc/init.d/iptables start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules carol::ipsec start dave::ipsec start moon::ipsec start diff --git a/testing/tests/ikev2/ip-pool-wish/test.conf b/testing/tests/ikev2/ip-pool-wish/test.conf index 1a8f2a4e0..164b07ff9 100644 --- a/testing/tests/ikev2/ip-pool-wish/test.conf +++ b/testing/tests/ikev2/ip-pool-wish/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon carol winnetou dave" +VIRTHOSTS="alice moon carol winnetou dave" # Corresponding block diagram # DIAGRAM="a-m-c-w-d.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon alice" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev2/ip-pool/evaltest.dat b/testing/tests/ikev2/ip-pool/evaltest.dat index b130d4565..8ea7960b5 100644 --- a/testing/tests/ikev2/ip-pool/evaltest.dat +++ b/testing/tests/ikev2/ip-pool/evaltest.dat @@ -1,21 +1,25 @@ carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES carol::ip addr list dev eth0::PH_IP_CAROL1::YES carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES -carol::ipsec status::home.*INSTALLED::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -dave::cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES -dave::ip addr list dev eth0::PH_IP_DAVE1::YES -dave::ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES -dave::ipsec status::home.*INSTALLED::YES -dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -moon::cat /var/log/daemon.log::adding virtual IP address pool::YES -moon::cat /var/log/daemon.log::peer requested virtual IP %any::YES -moon::cat /var/log/daemon.log::assigning virtual IP::YES -moon::ipsec leases rw::2/15, 2 online::YES -moon::ipsec leases rw 10.3.0.1::carol@strongswan.org::YES -moon::ipsec leases rw 10.3.0.2::dave@strongswan.org::YES -moon::ipsec status::rw.*ESTABLISHED.*carol@strongswan.org::YES -moon::ipsec status::rw.*ESTABLISHED.*dave@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES +dave:: ip addr list dev eth0::PH_IP_DAVE1::YES +dave:: ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES +dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +moon:: cat /var/log/daemon.log::adding virtual IP address pool::YES +moon:: cat /var/log/daemon.log::peer requested virtual IP %any::YES +moon:: cat /var/log/daemon.log::assigning virtual IP::YES +moon:: ipsec leases 10.3.0.0/28 2> /dev/null::2/14, 2 online::YES +moon:: ipsec leases 10.3.0.0/28 PH_IP_CAROL1 2> /dev/null::carol@strongswan.org::YES +moon:: ipsec leases 10.3.0.0/28 PH_IP_DAVE1 2> /dev/null::dave@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::ESP +moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::ESP moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/ip-pool/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ip-pool/hosts/carol/etc/ipsec.conf index a19f6cfae..8c6c28bd6 100755..100644 --- a/testing/tests/ikev2/ip-pool/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/ip-pool/hosts/carol/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/ip-pool/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-pool/hosts/carol/etc/strongswan.conf index 339b56987..dc937641c 100644 --- a/testing/tests/ikev2/ip-pool/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/ip-pool/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/ip-pool/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/ip-pool/hosts/dave/etc/ipsec.conf index 1a89f4e5d..72b8a59c0 100755..100644 --- a/testing/tests/ikev2/ip-pool/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev2/ip-pool/hosts/dave/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/ip-pool/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ip-pool/hosts/dave/etc/strongswan.conf index 339b56987..dc937641c 100644 --- a/testing/tests/ikev2/ip-pool/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/ip-pool/hosts/dave/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/ip-pool/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ip-pool/hosts/moon/etc/ipsec.conf index 0b4cded6c..85c48a7bb 100755..100644 --- a/testing/tests/ikev2/ip-pool/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/ip-pool/hosts/moon/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/ip-pool/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-pool/hosts/moon/etc/strongswan.conf index 339b56987..dc937641c 100644 --- a/testing/tests/ikev2/ip-pool/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/ip-pool/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/ip-pool/posttest.dat b/testing/tests/ikev2/ip-pool/posttest.dat index 1777f439f..b757d8b15 100644 --- a/testing/tests/ikev2/ip-pool/posttest.dat +++ b/testing/tests/ikev2/ip-pool/posttest.dat @@ -1,6 +1,6 @@ carol::ipsec stop dave::ipsec stop moon::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null -dave::/etc/init.d/iptables stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/ip-pool/pretest.dat b/testing/tests/ikev2/ip-pool/pretest.dat index 014e80517..3864bdac3 100644 --- a/testing/tests/ikev2/ip-pool/pretest.dat +++ b/testing/tests/ikev2/ip-pool/pretest.dat @@ -1,6 +1,6 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null -dave::/etc/init.d/iptables start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules carol::ipsec start dave::ipsec start moon::ipsec start diff --git a/testing/tests/ikev2/ip-pool/test.conf b/testing/tests/ikev2/ip-pool/test.conf index 1a8f2a4e0..164b07ff9 100644 --- a/testing/tests/ikev2/ip-pool/test.conf +++ b/testing/tests/ikev2/ip-pool/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon carol winnetou dave" +VIRTHOSTS="alice moon carol winnetou dave" # Corresponding block diagram # DIAGRAM="a-m-c-w-d.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon alice" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev2/ip-split-pools-db/evaltest.dat b/testing/tests/ikev2/ip-split-pools-db/evaltest.dat index 8fd47dc34..60a537b02 100644 --- a/testing/tests/ikev2/ip-split-pools-db/evaltest.dat +++ b/testing/tests/ikev2/ip-split-pools-db/evaltest.dat @@ -1,15 +1,19 @@ +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES -carol::ipsec status::home.*INSTALLED::YES -dave::cat /var/log/daemon.log::installing new virtual IP 10.3.1.1::YES -dave::ipsec status::home.*INSTALLED::YES -moon::cat /var/log/daemon.log::acquired new lease for address 10.3.0.1 in pool.*pool0::YES -moon::cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer::YES -moon::cat /var/log/daemon.log::no available address found in pool.*pool0::YES -moon::cat /var/log/daemon.log::acquired new lease for address 10.3.1.1 in pool.*pool1::YES -moon::cat /var/log/daemon.log::assigning virtual IP 10.3.1.1 to peer::YES -moon::ipsec pool --status 2> /dev/null::pool0.*10.3.0.1.*10.3.0.1.*48h.*1 .*1 .*1 ::YES -moon::ipsec pool --status 2> /dev/null::pool1.*10.3.1.1.*10.3.1.1.*48h.*1 .*1 .*1 ::YES -moon::ipsec pool --leases --filter pool=pool0,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES -moon::ipsec pool --leases --filter pool=pool1,addr=10.3.1.1,id=dave@strongswan.org 2> /dev/null::online::YES -moon::ipsec status::rw.*ESTABLISHED.*carol@strongswan.org::YES -moon::ipsec status::rw.*ESTABLISHED.*dave@strongswan.org::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES +dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +dave:: cat /var/log/daemon.log::installing new virtual IP 10.3.1.1::YES +moon:: cat /var/log/daemon.log::acquired new lease for address 10.3.0.1 in pool.*pool0::YES +moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer::YES +moon:: cat /var/log/daemon.log::no available address found in pool.*pool0::YES +moon:: cat /var/log/daemon.log::acquired new lease for address 10.3.1.1 in pool.*pool1::YES +moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.1.1 to peer::YES +moon:: ipsec pool --status 2> /dev/null::pool0.*10.3.0.1.*10.3.0.1.*48h.*1 .*1 .*1 ::YES +moon:: ipsec pool --status 2> /dev/null::pool1.*10.3.1.1.*10.3.1.1.*48h.*1 .*1 .*1 ::YES +moon:: ipsec pool --leases --filter pool=pool0,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES +moon:: ipsec pool --leases --filter pool=pool1,addr=10.3.1.1,id=dave@strongswan.org 2> /dev/null::online::YES +moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES diff --git a/testing/tests/ikev2/ip-split-pools-db/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ip-split-pools-db/hosts/carol/etc/ipsec.conf index a19f6cfae..8c6c28bd6 100755..100644 --- a/testing/tests/ikev2/ip-split-pools-db/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/ip-split-pools-db/hosts/carol/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/ip-split-pools-db/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-split-pools-db/hosts/carol/etc/strongswan.conf index 339b56987..dc937641c 100644 --- a/testing/tests/ikev2/ip-split-pools-db/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/ip-split-pools-db/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/ip-split-pools-db/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/ip-split-pools-db/hosts/dave/etc/ipsec.conf index 1a89f4e5d..72b8a59c0 100755..100644 --- a/testing/tests/ikev2/ip-split-pools-db/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev2/ip-split-pools-db/hosts/dave/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/ip-split-pools-db/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ip-split-pools-db/hosts/dave/etc/strongswan.conf index 339b56987..dc937641c 100644 --- a/testing/tests/ikev2/ip-split-pools-db/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/ip-split-pools-db/hosts/dave/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/ipsec.conf index c0f9756e4..136022d5c 100755..100644 --- a/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m @@ -19,5 +16,5 @@ conn rw leftid=@moon.strongswan.org leftfirewall=yes right=%any - rightsourceip=%pool0,pool1 + rightsourceip=%pool0,%pool1 auto=add diff --git a/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/strongswan.conf index e907021ce..04ffaf64d 100644 --- a/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default sqlite attr-sql updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default sqlite attr-sql updown } libhydra { diff --git a/testing/tests/ikev2/ip-split-pools-db/test.conf b/testing/tests/ikev2/ip-split-pools-db/test.conf index 1a8f2a4e0..164b07ff9 100644 --- a/testing/tests/ikev2/ip-split-pools-db/test.conf +++ b/testing/tests/ikev2/ip-split-pools-db/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon carol winnetou dave" +VIRTHOSTS="alice moon carol winnetou dave" # Corresponding block diagram # DIAGRAM="a-m-c-w-d.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon alice" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev2/ip-two-pools-db/evaltest.dat b/testing/tests/ikev2/ip-two-pools-db/evaltest.dat index ba2b07a10..fdc3d4d3f 100644 --- a/testing/tests/ikev2/ip-two-pools-db/evaltest.dat +++ b/testing/tests/ikev2/ip-two-pools-db/evaltest.dat @@ -1,29 +1,37 @@ -carol::ipsec status::home.*INSTALLED::YES -dave::ipsec status::home.*INSTALLED::YES -alice::ipsec status::home.*INSTALLED::YES -venus::ipsec status::home.*INSTALLED::YES -moon::ipsec status::ext.*ESTABLISHED.*carol@strongswan.org::YES -moon::ipsec status::ext.*ESTABLISHED.*dave@strongswan.org::YES -moon::ipsec status::int.*ESTABLISHED.*alice@strongswan.org::YES -moon::ipsec status::int.*ESTABLISHED.*venus.strongswan.org::YES -moon::ipsec pool --status 2> /dev/null::extpool.*10.3.0.1.*10.3.1.244.*48h.*2::YES -moon::ipsec pool --status 2> /dev/null::intpool.*10.4.0.1.*10.4.1.244.*static.*2::YES -moon::ipsec pool --leases --filter pool=extpool,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES -moon::ipsec pool --leases --filter pool=extpool,addr=10.3.0.2,id=dave@strongswan.org 2> /dev/null::online::YES -moon::ipsec pool --leases --filter pool=intpool,addr=10.4.0.1,id=alice@strongswan.org 2> /dev/null::online::YES -moon::ipsec pool --leases --filter pool=intpool,addr=10.4.0.2,id=venus.strongswan.org 2> /dev/null::online::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES +alice::ipsec status 2> /dev/null::home.*ESTABLISHED.*alice@strongswan.org.*moon.strongswan.org::YES +venus::ipsec status 2> /dev/null::home.*ESTABLISHED.*venus.strongswan.org.*moon.strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +alice::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +venus::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::ext\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +moon:: ipsec status 2> /dev/null::ext\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES +moon:: ipsec status 2> /dev/null::int\[3]: ESTABLISHED.*moon.strongswan.org.*alice@strongswan.org::YES +moon:: ipsec status 2> /dev/null::int\[4]: ESTABLISHED.*moon.strongswan.org.*venus.strongswan.org::YES +moon:: ipsec status 2> /dev/null::ext[{]1}.*INSTALLED. TUNNEL::YES +moon:: ipsec status 2> /dev/null::ext[{]2}.*INSTALLED. TUNNEL::YES +moon:: ipsec status 2> /dev/null::int[{]3}.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::int[{]4}.*INSTALLED, TUNNEL::YES +moon:: ipsec pool --status 2> /dev/null::extpool.*10.3.0.1.*10.3.1.244.*48h.*2::YES +moon:: ipsec pool --status 2> /dev/null::intpool.*10.4.0.1.*10.4.1.244.*static.*2::YES +moon:: ipsec pool --leases --filter pool=extpool,addr=10.3.0.1,id=carol@strongswan.org 2> /dev/null::online::YES +moon:: ipsec pool --leases --filter pool=extpool,addr=10.3.0.2,id=dave@strongswan.org 2> /dev/null::online::YES +moon:: ipsec pool --leases --filter pool=intpool,addr=10.4.0.1,id=alice@strongswan.org 2> /dev/null::online::YES +moon:: ipsec pool --leases --filter pool=intpool,addr=10.4.0.2,id=venus.strongswan.org 2> /dev/null::online::YES carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES -dave::cat /var/log/daemon.log::installing new virtual IP 10.3.0.2::YES +dave:: cat /var/log/daemon.log::installing new virtual IP 10.3.0.2::YES alice::cat /var/log/daemon.log::installing new virtual IP 10.4.0.1::YES venus::cat /var/log/daemon.log::installing new virtual IP 10.4.0.2::YES carol::cat /var/log/daemon.log::installing DNS server PH_IP_WINNETOU to /etc/resolv.conf::YES -dave::cat /var/log/daemon.log::installing DNS server PH_IP_WINNETOU to /etc/resolv.conf::YES +dave:: cat /var/log/daemon.log::installing DNS server PH_IP_WINNETOU to /etc/resolv.conf::YES alice::cat /var/log/daemon.log::installing DNS server PH_IP_ALICE to /etc/resolv.conf::YES venus::cat /var/log/daemon.log::installing DNS server PH_IP_VENUS to /etc/resolv.conf::YES -alice::ping -c 1 PH_IP_CAROL1::64 bytes from PH_IP_CAROL1: icmp_seq=1::YES -dave::ping -c 1 PH_IP_CAROL1::64 bytes from PH_IP_CAROL1: icmp_seq=1::YES -alice::ping -c 1 10.4.0.2::64 bytes from 10.4.0.2: icmp_seq=1::YES -dave::ping -c 1 10.4.0.2::64 bytes from 10.4.0.2: icmp_seq=1::YES +alice::ping -c 1 PH_IP_CAROL1::64 bytes from PH_IP_CAROL1: icmp_req=1::YES +dave:: ping -c 1 PH_IP_CAROL1::64 bytes from PH_IP_CAROL1: icmp_req=1::YES +alice::ping -c 1 10.4.0.2::64 bytes from 10.4.0.2: icmp_req=1::YES +dave:: ping -c 1 10.4.0.2::64 bytes from 10.4.0.2: icmp_req=1::YES alice::tcpdump::IP alice.strongswan.org > moon1.strongswan.org: ESP::YES alice::tcpdump::IP moon1.strongswan.org > alice.strongswan.org: ESP::YES dave::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/init.d/iptables b/testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/init.d/iptables deleted file mode 100755 index 97b773645..000000000 --- a/testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/init.d/iptables +++ /dev/null @@ -1,78 +0,0 @@ -#!/sbin/runscript -# Copyright 1999-2004 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 - -opts="start stop reload" - -depend() { - before net - need logger -} - -start() { - ebegin "Starting firewall" - - # default policy is DROP - /sbin/iptables -P INPUT DROP - /sbin/iptables -P OUTPUT DROP - /sbin/iptables -P FORWARD DROP - - # allow ESP - iptables -A INPUT -i eth0 -p 50 -j ACCEPT - iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT - - # allow IKE - iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT - - # allow MOBIKE - iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT - - - # allow crl fetch from winnetou - iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT - iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT - - # allow ssh - iptables -A INPUT -p tcp --dport 22 -j ACCEPT - iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT - - eend $? -} - -stop() { - ebegin "Stopping firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - - if [ $a == nat ]; then - /sbin/iptables -t nat -P PREROUTING ACCEPT - /sbin/iptables -t nat -P POSTROUTING ACCEPT - /sbin/iptables -t nat -P OUTPUT ACCEPT - elif [ $a == mangle ]; then - /sbin/iptables -t mangle -P PREROUTING ACCEPT - /sbin/iptables -t mangle -P INPUT ACCEPT - /sbin/iptables -t mangle -P FORWARD ACCEPT - /sbin/iptables -t mangle -P OUTPUT ACCEPT - /sbin/iptables -t mangle -P POSTROUTING ACCEPT - elif [ $a == filter ]; then - /sbin/iptables -t filter -P INPUT ACCEPT - /sbin/iptables -t filter -P FORWARD ACCEPT - /sbin/iptables -t filter -P OUTPUT ACCEPT - fi - done - eend $? -} - -reload() { - ebegin "Flushing firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - done; - eend $? - start -} - diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/ipsec.conf index d925a2564..19cd1c8cd 100755..100644 --- a/testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/ipsec.conf +++ b/testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/strongswan.conf index cb5f6406b..bd19ffe3d 100644 --- a/testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/strongswan.conf +++ b/testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve } diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/carol/etc/ipsec.conf index 2b673ec4d..c891c643c 100755..100644 --- a/testing/tests/ikev2/ip-two-pools-db/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/ip-two-pools-db/hosts/carol/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/carol/etc/strongswan.conf index cb5f6406b..bd19ffe3d 100644 --- a/testing/tests/ikev2/ip-two-pools-db/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/ip-two-pools-db/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve } diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/dave/etc/ipsec.conf index 22f9b6634..4066549e8 100755..100644 --- a/testing/tests/ikev2/ip-two-pools-db/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev2/ip-two-pools-db/hosts/dave/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/dave/etc/strongswan.conf index cb5f6406b..bd19ffe3d 100644 --- a/testing/tests/ikev2/ip-two-pools-db/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/ip-two-pools-db/hosts/dave/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve } diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/init.d/iptables deleted file mode 100755 index bb9d03acd..000000000 --- a/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/init.d/iptables +++ /dev/null @@ -1,91 +0,0 @@ -#!/sbin/runscript -# Copyright 1999-2004 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 - -opts="start stop reload" - -depend() { - before net - need logger -} - -start() { - ebegin "Starting firewall" - - # enable IP forwarding - echo 1 > /proc/sys/net/ipv4/ip_forward - - # default policy is DROP - /sbin/iptables -P INPUT DROP - /sbin/iptables -P OUTPUT DROP - /sbin/iptables -P FORWARD DROP - - # allow esp - iptables -A INPUT -i eth0 -p 50 -j ACCEPT - iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT - iptables -A INPUT -i eth1 -p 50 -j ACCEPT - iptables -A OUTPUT -o eth1 -p 50 -j ACCEPT - - # allow IKE - iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT - iptables -A INPUT -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT - iptables -A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT - - # allow MobIKE - iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT - iptables -A INPUT -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT - iptables -A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT - - # allow crl fetch from winnetou - iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT - iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT - iptables -A FORWARD -i eth0 -o eth1 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT - iptables -A FORWARD -o eth0 -i eth1 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT - - # masquerade crl fetches to winnetou - iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -d PH_IP_WINNETOU -j MASQUERADE - - # allow ssh - iptables -A INPUT -p tcp --dport 22 -j ACCEPT - iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT - - eend $? -} - -stop() { - ebegin "Stopping firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - - if [ $a == nat ]; then - /sbin/iptables -t nat -P PREROUTING ACCEPT - /sbin/iptables -t nat -P POSTROUTING ACCEPT - /sbin/iptables -t nat -P OUTPUT ACCEPT - elif [ $a == mangle ]; then - /sbin/iptables -t mangle -P PREROUTING ACCEPT - /sbin/iptables -t mangle -P INPUT ACCEPT - /sbin/iptables -t mangle -P FORWARD ACCEPT - /sbin/iptables -t mangle -P OUTPUT ACCEPT - /sbin/iptables -t mangle -P POSTROUTING ACCEPT - elif [ $a == filter ]; then - /sbin/iptables -t filter -P INPUT ACCEPT - /sbin/iptables -t filter -P FORWARD ACCEPT - /sbin/iptables -t filter -P OUTPUT ACCEPT - fi - done - eend $? -} - -reload() { - ebegin "Flushing firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - done; - eend $? - start -} - diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/ipsec.conf index a4c37e117..651642b04 100755..100644 --- a/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/iptables.rules new file mode 100644 index 000000000..a0ed9f0e6 --- /dev/null +++ b/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/iptables.rules @@ -0,0 +1,43 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow esp +-A INPUT -i eth0 -p 50 -j ACCEPT +-A OUTPUT -o eth0 -p 50 -j ACCEPT +-A INPUT -i eth1 -p 50 -j ACCEPT +-A OUTPUT -o eth1 -p 50 -j ACCEPT + +# allow IKE +-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT +-A INPUT -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT +-A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT +-A INPUT -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT +-A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT + +# allow crl fetch from winnetou +-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT +-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT +-A FORWARD -i eth0 -o eth1 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT +-A FORWARD -o eth0 -i eth1 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +COMMIT + +*nat + +# masquerade crl fetches to winnetou +-A POSTROUTING -o eth0 -s 10.1.0.0/16 -d PH_IP_WINNETOU -j MASQUERADE + +COMMIT diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/strongswan.conf index e44a3e251..2dc6a3a87 100644 --- a/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke sqlite attr-sql kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke sqlite attr-sql kernel-netlink socket-default updown } libhydra { diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/init.d/iptables b/testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/init.d/iptables deleted file mode 100755 index 97b773645..000000000 --- a/testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/init.d/iptables +++ /dev/null @@ -1,78 +0,0 @@ -#!/sbin/runscript -# Copyright 1999-2004 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 - -opts="start stop reload" - -depend() { - before net - need logger -} - -start() { - ebegin "Starting firewall" - - # default policy is DROP - /sbin/iptables -P INPUT DROP - /sbin/iptables -P OUTPUT DROP - /sbin/iptables -P FORWARD DROP - - # allow ESP - iptables -A INPUT -i eth0 -p 50 -j ACCEPT - iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT - - # allow IKE - iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT - - # allow MOBIKE - iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT - - - # allow crl fetch from winnetou - iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT - iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT - - # allow ssh - iptables -A INPUT -p tcp --dport 22 -j ACCEPT - iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT - - eend $? -} - -stop() { - ebegin "Stopping firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - - if [ $a == nat ]; then - /sbin/iptables -t nat -P PREROUTING ACCEPT - /sbin/iptables -t nat -P POSTROUTING ACCEPT - /sbin/iptables -t nat -P OUTPUT ACCEPT - elif [ $a == mangle ]; then - /sbin/iptables -t mangle -P PREROUTING ACCEPT - /sbin/iptables -t mangle -P INPUT ACCEPT - /sbin/iptables -t mangle -P FORWARD ACCEPT - /sbin/iptables -t mangle -P OUTPUT ACCEPT - /sbin/iptables -t mangle -P POSTROUTING ACCEPT - elif [ $a == filter ]; then - /sbin/iptables -t filter -P INPUT ACCEPT - /sbin/iptables -t filter -P FORWARD ACCEPT - /sbin/iptables -t filter -P OUTPUT ACCEPT - fi - done - eend $? -} - -reload() { - ebegin "Flushing firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - done; - eend $? - start -} - diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/ipsec.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/ipsec.conf index 2dbd84fe7..b8f01bd15 100755..100644 --- a/testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/ipsec.conf +++ b/testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/strongswan.conf index cb5f6406b..bd19ffe3d 100644 --- a/testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/strongswan.conf +++ b/testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve } diff --git a/testing/tests/ikev2/ip-two-pools-db/posttest.dat b/testing/tests/ikev2/ip-two-pools-db/posttest.dat index 7b0393ebd..9c0bb5cae 100644 --- a/testing/tests/ikev2/ip-two-pools-db/posttest.dat +++ b/testing/tests/ikev2/ip-two-pools-db/posttest.dat @@ -3,11 +3,11 @@ venus::ipsec stop carol::ipsec stop dave::ipsec stop moon::ipsec stop -alice::/etc/init.d/iptables stop 2> /dev/null -venus::/etc/init.d/iptables stop 2> /dev/null -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null -dave::/etc/init.d/iptables stop 2> /dev/null +alice::iptables-restore < /etc/iptables.flush +venus::iptables-restore < /etc/iptables.flush +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush moon::ip route del 10.3.0.0/16 via PH_IP_MOON moon::ip route del 10.4.0.0/16 via PH_IP_MOON1 moon::conntrack -F diff --git a/testing/tests/ikev2/ip-two-pools-db/pretest.dat b/testing/tests/ikev2/ip-two-pools-db/pretest.dat index e4eb8b0b9..3aba87994 100644 --- a/testing/tests/ikev2/ip-two-pools-db/pretest.dat +++ b/testing/tests/ikev2/ip-two-pools-db/pretest.dat @@ -8,11 +8,11 @@ moon::ipsec pool --addattr dns --server PH_IP_WINNETOU --pool extpool 2> /dev/nu moon::ipsec pool --statusattr 2> /dev/null moon::ip route add 10.3.0.0/16 via PH_IP_MOON moon::ip route add 10.4.0.0/16 via PH_IP_MOON1 -alice::/etc/init.d/iptables start 2> /dev/null -venus::/etc/init.d/iptables start 2> /dev/null -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null -dave::/etc/init.d/iptables start 2> /dev/null +alice::iptables-restore < /etc/iptables.rules +venus::iptables-restore < /etc/iptables.rules +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules alice::ipsec start venus::ipsec start carol::ipsec start diff --git a/testing/tests/ikev2/ip-two-pools-db/test.conf b/testing/tests/ikev2/ip-two-pools-db/test.conf index ea1307b16..c88e11d28 100644 --- a/testing/tests/ikev2/ip-two-pools-db/test.conf +++ b/testing/tests/ikev2/ip-two-pools-db/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon carol winnetou dave" +VIRTHOSTS="alice moon carol winnetou dave" # Corresponding block diagram # DIAGRAM="a-v-m-c-w-d.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="alice venus carol dave" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="alice venus moon carol dave" diff --git a/testing/tests/ikev2/ip-two-pools-mixed/evaltest.dat b/testing/tests/ikev2/ip-two-pools-mixed/evaltest.dat index 1505de751..0d7a36452 100644 --- a/testing/tests/ikev2/ip-two-pools-mixed/evaltest.dat +++ b/testing/tests/ikev2/ip-two-pools-mixed/evaltest.dat @@ -1,16 +1,20 @@ -carol::ipsec status::home.*INSTALLED::YES -alice::ipsec status::home.*INSTALLED::YES -moon::ipsec status::ext.*ESTABLISHED.*carol@strongswan.org::YES -moon::ipsec status::int.*ESTABLISHED.*alice@strongswan.org::YES -moon::cat /var/log/daemon.log::adding virtual IP address pool.*ext.*10.3.0.0/28::YES -moon::ipsec leases ext::1/15, 1 online::YES -moon::ipsec leases ext 10.3.0.1::carol@strongswan.org::YES -moon::ipsec pool --status 2> /dev/null::intpool.*10.4.0.1.*10.4.1.244.*static.*1::YES -moon::ipsec pool --leases --filter pool=intpool,addr=10.4.0.1,id=alice@strongswan.org 2> /dev/null::online::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +alice::ipsec status 2> /dev/null::home.*ESTABLISHED.*alice@strongswan.org.*moon.strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +alice::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::ext.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +moon:: ipsec status 2> /dev/null::int.*ESTABLISHED.*moon.strongswan.org.*alice@strongswan.org::YES +moon:: ipsec status 2> /dev/null::ext.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::int.*INSTALLED, TUNNEL::YES +moon:: cat /var/log/daemon.log::adding virtual IP address pool.*10.3.0.0/28::YES +moon:: ipsec leases 10.3.0.0/28 2> /dev/null::1/14, 1 online::YES +moon:: ipsec leases 10.3.0.0/28 10.3.0.1 2> /dev/null::carol@strongswan.org::YES +moon:: ipsec pool --status 2> /dev/null::intpool.*10.4.0.1.*10.4.1.244.*static.*1::YES +moon:: ipsec pool --leases --filter pool=intpool,addr=10.4.0.1,id=alice@strongswan.org 2> /dev/null::online::YES carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES alice::cat /var/log/daemon.log::installing new virtual IP 10.4.0.1::YES -carol::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_seq=1::YES -alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES +carol::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_req=1::YES +alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES carol::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES carol::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES alice::tcpdump::IP alice.strongswan.org > moon1.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/init.d/iptables b/testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/init.d/iptables deleted file mode 100755 index 97b773645..000000000 --- a/testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/init.d/iptables +++ /dev/null @@ -1,78 +0,0 @@ -#!/sbin/runscript -# Copyright 1999-2004 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 - -opts="start stop reload" - -depend() { - before net - need logger -} - -start() { - ebegin "Starting firewall" - - # default policy is DROP - /sbin/iptables -P INPUT DROP - /sbin/iptables -P OUTPUT DROP - /sbin/iptables -P FORWARD DROP - - # allow ESP - iptables -A INPUT -i eth0 -p 50 -j ACCEPT - iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT - - # allow IKE - iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT - - # allow MOBIKE - iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT - - - # allow crl fetch from winnetou - iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT - iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT - - # allow ssh - iptables -A INPUT -p tcp --dport 22 -j ACCEPT - iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT - - eend $? -} - -stop() { - ebegin "Stopping firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - - if [ $a == nat ]; then - /sbin/iptables -t nat -P PREROUTING ACCEPT - /sbin/iptables -t nat -P POSTROUTING ACCEPT - /sbin/iptables -t nat -P OUTPUT ACCEPT - elif [ $a == mangle ]; then - /sbin/iptables -t mangle -P PREROUTING ACCEPT - /sbin/iptables -t mangle -P INPUT ACCEPT - /sbin/iptables -t mangle -P FORWARD ACCEPT - /sbin/iptables -t mangle -P OUTPUT ACCEPT - /sbin/iptables -t mangle -P POSTROUTING ACCEPT - elif [ $a == filter ]; then - /sbin/iptables -t filter -P INPUT ACCEPT - /sbin/iptables -t filter -P FORWARD ACCEPT - /sbin/iptables -t filter -P OUTPUT ACCEPT - fi - done - eend $? -} - -reload() { - ebegin "Flushing firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - done; - eend $? - start -} - diff --git a/testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/ipsec.conf index f5ce1687e..180226eaa 100755..100644 --- a/testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/ipsec.conf +++ b/testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/strongswan.conf index 339b56987..dc937641c 100644 --- a/testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/strongswan.conf +++ b/testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/ip-two-pools-mixed/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ip-two-pools-mixed/hosts/carol/etc/ipsec.conf index e647f1e36..63509bc16 100755..100644 --- a/testing/tests/ikev2/ip-two-pools-mixed/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/ip-two-pools-mixed/hosts/carol/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/ip-two-pools-mixed/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-mixed/hosts/carol/etc/strongswan.conf index 339b56987..dc937641c 100644 --- a/testing/tests/ikev2/ip-two-pools-mixed/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/ip-two-pools-mixed/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/init.d/iptables deleted file mode 100755 index bb9d03acd..000000000 --- a/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/init.d/iptables +++ /dev/null @@ -1,91 +0,0 @@ -#!/sbin/runscript -# Copyright 1999-2004 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 - -opts="start stop reload" - -depend() { - before net - need logger -} - -start() { - ebegin "Starting firewall" - - # enable IP forwarding - echo 1 > /proc/sys/net/ipv4/ip_forward - - # default policy is DROP - /sbin/iptables -P INPUT DROP - /sbin/iptables -P OUTPUT DROP - /sbin/iptables -P FORWARD DROP - - # allow esp - iptables -A INPUT -i eth0 -p 50 -j ACCEPT - iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT - iptables -A INPUT -i eth1 -p 50 -j ACCEPT - iptables -A OUTPUT -o eth1 -p 50 -j ACCEPT - - # allow IKE - iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT - iptables -A INPUT -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT - iptables -A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT - - # allow MobIKE - iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT - iptables -A INPUT -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT - iptables -A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT - - # allow crl fetch from winnetou - iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT - iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT - iptables -A FORWARD -i eth0 -o eth1 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT - iptables -A FORWARD -o eth0 -i eth1 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT - - # masquerade crl fetches to winnetou - iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -d PH_IP_WINNETOU -j MASQUERADE - - # allow ssh - iptables -A INPUT -p tcp --dport 22 -j ACCEPT - iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT - - eend $? -} - -stop() { - ebegin "Stopping firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - - if [ $a == nat ]; then - /sbin/iptables -t nat -P PREROUTING ACCEPT - /sbin/iptables -t nat -P POSTROUTING ACCEPT - /sbin/iptables -t nat -P OUTPUT ACCEPT - elif [ $a == mangle ]; then - /sbin/iptables -t mangle -P PREROUTING ACCEPT - /sbin/iptables -t mangle -P INPUT ACCEPT - /sbin/iptables -t mangle -P FORWARD ACCEPT - /sbin/iptables -t mangle -P OUTPUT ACCEPT - /sbin/iptables -t mangle -P POSTROUTING ACCEPT - elif [ $a == filter ]; then - /sbin/iptables -t filter -P INPUT ACCEPT - /sbin/iptables -t filter -P FORWARD ACCEPT - /sbin/iptables -t filter -P OUTPUT ACCEPT - fi - done - eend $? -} - -reload() { - ebegin "Flushing firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - done; - eend $? - start -} - diff --git a/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/ipsec.conf index d80bb5305..649d567c4 100755..100644 --- a/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/iptables.rules new file mode 100644 index 000000000..a0ed9f0e6 --- /dev/null +++ b/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/iptables.rules @@ -0,0 +1,43 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow esp +-A INPUT -i eth0 -p 50 -j ACCEPT +-A OUTPUT -o eth0 -p 50 -j ACCEPT +-A INPUT -i eth1 -p 50 -j ACCEPT +-A OUTPUT -o eth1 -p 50 -j ACCEPT + +# allow IKE +-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT +-A INPUT -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT +-A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT +-A INPUT -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT +-A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT + +# allow crl fetch from winnetou +-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT +-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT +-A FORWARD -i eth0 -o eth1 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT +-A FORWARD -o eth0 -i eth1 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +COMMIT + +*nat + +# masquerade crl fetches to winnetou +-A POSTROUTING -o eth0 -s 10.1.0.0/16 -d PH_IP_WINNETOU -j MASQUERADE + +COMMIT diff --git a/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf index e44a3e251..2dc6a3a87 100644 --- a/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke sqlite attr-sql kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke sqlite attr-sql kernel-netlink socket-default updown } libhydra { diff --git a/testing/tests/ikev2/ip-two-pools-mixed/posttest.dat b/testing/tests/ikev2/ip-two-pools-mixed/posttest.dat index db5e6237f..a3924b2f6 100644 --- a/testing/tests/ikev2/ip-two-pools-mixed/posttest.dat +++ b/testing/tests/ikev2/ip-two-pools-mixed/posttest.dat @@ -1,9 +1,9 @@ carol::ipsec stop alice::ipsec stop moon::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null -alice::/etc/init.d/iptables stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +alice::iptables-restore < /etc/iptables.flush moon::conntrack -F moon::ipsec pool --del intpool 2> /dev/null moon::rm /etc/ipsec.d/ipsec.* diff --git a/testing/tests/ikev2/ip-two-pools-mixed/pretest.dat b/testing/tests/ikev2/ip-two-pools-mixed/pretest.dat index b579464f2..b74c1e07a 100644 --- a/testing/tests/ikev2/ip-two-pools-mixed/pretest.dat +++ b/testing/tests/ikev2/ip-two-pools-mixed/pretest.dat @@ -1,9 +1,9 @@ moon::cat /etc/ipsec.d/tables.sql > /etc/ipsec.d/ipsec.sql moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db moon::ipsec pool --add intpool --start 10.4.0.1 --end 10.4.1.244 --timeout 0 2> /dev/null -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null -alice::/etc/init.d/iptables start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +alice::iptables-restore < /etc/iptables.rules carol::ipsec start moon::ipsec start alice::ipsec start diff --git a/testing/tests/ikev2/ip-two-pools-mixed/test.conf b/testing/tests/ikev2/ip-two-pools-mixed/test.conf index 329774c0a..1ed3473ab 100644 --- a/testing/tests/ikev2/ip-two-pools-mixed/test.conf +++ b/testing/tests/ikev2/ip-two-pools-mixed/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon carol winnetou" +VIRTHOSTS="alice moon carol winnetou" # Corresponding block diagram # DIAGRAM="a-m-c-w.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="alice carol" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="alice moon carol" diff --git a/testing/tests/ikev2/ip-two-pools-v4v6-db/description.txt b/testing/tests/ikev2/ip-two-pools-v4v6-db/description.txt new file mode 100644 index 000000000..7e8e7a69b --- /dev/null +++ b/testing/tests/ikev2/ip-two-pools-v4v6-db/description.txt @@ -0,0 +1,5 @@ +The host <b>carol</b> sets up a tunnel connection to gateway <b>moon</b>. It requests +both an IPv4 and an IPv6 <b>virtual IP</b> via the IKEv2 configuration payload by using +<b>leftsourceip=%config4,%config6</b>. Gateway <b>moon</b> assigns virtual IPs addresses +from persistent pools stored in an SQL database using the <b>rightsourceip</b> option. +The established tunnel carries both IPv4 and IPv6 in an IPv4 encapsulated tunnel. diff --git a/testing/tests/ikev2/ip-two-pools-v4v6-db/evaltest.dat b/testing/tests/ikev2/ip-two-pools-v4v6-db/evaltest.dat new file mode 100644 index 000000000..0bf3500b5 --- /dev/null +++ b/testing/tests/ikev2/ip-two-pools-v4v6-db/evaltest.dat @@ -0,0 +1,9 @@ +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES +carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES +carol::cat /var/log/daemon.log::installing new virtual IP fec3:\:1::YES +carol::cat /var/log/daemon.log::TS 10.3.0.1/32 fec3:\:1/128 === 10.1.0.0/16 fec1:\:/16::YES +carol::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_req=1::YES +carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES diff --git a/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/carol/etc/ipsec.conf new file mode 100644 index 000000000..d19399def --- /dev/null +++ b/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/carol/etc/ipsec.conf @@ -0,0 +1,20 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_CAROL + leftsourceip=%config4,%config6 + leftcert=carolCert.pem + leftid=carol@strongswan.org + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=0.0.0.0/0,::/0 + auto=add diff --git a/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..85d8c191f --- /dev/null +++ b/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default +} diff --git a/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..04a74fd44 --- /dev/null +++ b/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/moon/etc/ipsec.conf @@ -0,0 +1,19 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16,fec1::0/16 + rightsourceip=%v4_pool,%v6_pool + right=%any + auto=add diff --git a/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..73b0cb7be --- /dev/null +++ b/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/moon/etc/strongswan.conf @@ -0,0 +1,17 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite attr-sql +} + +libhydra { + plugins { + attr-sql { + database = sqlite:///etc/ipsec.d/ipsec.db + } + } +} + +pool { + load = sqlite +} diff --git a/testing/tests/ikev2/ip-two-pools-v4v6-db/posttest.dat b/testing/tests/ikev2/ip-two-pools-v4v6-db/posttest.dat new file mode 100644 index 000000000..311e9f21d --- /dev/null +++ b/testing/tests/ikev2/ip-two-pools-v4v6-db/posttest.dat @@ -0,0 +1,5 @@ +alice::ip -6 route del default via fec1:\:1 +carol::ipsec stop +moon::ipsec stop +moon::conntrack -F +moon::rm /etc/ipsec.d/ipsec.* diff --git a/testing/tests/ikev2/ip-two-pools-v4v6-db/pretest.dat b/testing/tests/ikev2/ip-two-pools-v4v6-db/pretest.dat new file mode 100644 index 000000000..e3d8f4a78 --- /dev/null +++ b/testing/tests/ikev2/ip-two-pools-v4v6-db/pretest.dat @@ -0,0 +1,9 @@ +moon::cat /etc/ipsec.d/tables.sql > /etc/ipsec.d/ipsec.sql +moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db +moon::ipsec pool --add v4_pool --start 10.3.0.1 --end 10.3.1.244 --timeout 48 2> /dev/null +moon::ipsec pool --add v6_pool --start fec3:\:1 --end fec3:\:fe --timeout 48 2> /dev/null +alice::ip -6 route add default via fec1:\:1 +moon::ipsec start +carol::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/ikev2/ip-two-pools-v4v6-db/test.conf b/testing/tests/ikev2/ip-two-pools-v4v6-db/test.conf new file mode 100644 index 000000000..cd03759f0 --- /dev/null +++ b/testing/tests/ikev2/ip-two-pools-v4v6-db/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="a-m-c.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="carol" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev2/ip-two-pools-v4v6/description.txt b/testing/tests/ikev2/ip-two-pools-v4v6/description.txt new file mode 100644 index 000000000..32dd88d51 --- /dev/null +++ b/testing/tests/ikev2/ip-two-pools-v4v6/description.txt @@ -0,0 +1,5 @@ +The host <b>carol</b> sets up a tunnel connection to gateway <b>moon</b>. It requests +both an IPv4 and an IPv6 <b>virtual IP</b> via the IKEv2 configuration payload by using +<b>leftsourceip=%config4,%config6</b>. Gateway <b>moon</b> assigns virtual IPs addresses +from two in-memory pools using the <b>rightsourceip</b> option. The established tunnel +carries both IPv4 and IPv6 in an IPv4 encapsulated tunnel. diff --git a/testing/tests/ikev2/ip-two-pools-v4v6/evaltest.dat b/testing/tests/ikev2/ip-two-pools-v4v6/evaltest.dat new file mode 100644 index 000000000..0bf3500b5 --- /dev/null +++ b/testing/tests/ikev2/ip-two-pools-v4v6/evaltest.dat @@ -0,0 +1,9 @@ +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES +carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES +carol::cat /var/log/daemon.log::installing new virtual IP fec3:\:1::YES +carol::cat /var/log/daemon.log::TS 10.3.0.1/32 fec3:\:1/128 === 10.1.0.0/16 fec1:\:/16::YES +carol::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_req=1::YES +carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES diff --git a/testing/tests/ikev2/ip-two-pools-v4v6/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ip-two-pools-v4v6/hosts/carol/etc/ipsec.conf new file mode 100644 index 000000000..d19399def --- /dev/null +++ b/testing/tests/ikev2/ip-two-pools-v4v6/hosts/carol/etc/ipsec.conf @@ -0,0 +1,20 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_CAROL + leftsourceip=%config4,%config6 + leftcert=carolCert.pem + leftid=carol@strongswan.org + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=0.0.0.0/0,::/0 + auto=add diff --git a/testing/tests/ikev2/ip-two-pools-v4v6/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-v4v6/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..85d8c191f --- /dev/null +++ b/testing/tests/ikev2/ip-two-pools-v4v6/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default +} diff --git a/testing/tests/ikev2/ip-two-pools-v4v6/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ip-two-pools-v4v6/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..0777f6db5 --- /dev/null +++ b/testing/tests/ikev2/ip-two-pools-v4v6/hosts/moon/etc/ipsec.conf @@ -0,0 +1,19 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16,fec1::0/16 + rightsourceip=10.3.0.0/28,fec3::/120 + right=%any + auto=add diff --git a/testing/tests/ikev2/ip-two-pools-v4v6/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-v4v6/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..dc937641c --- /dev/null +++ b/testing/tests/ikev2/ip-two-pools-v4v6/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ikev2/ip-two-pools-v4v6/posttest.dat b/testing/tests/ikev2/ip-two-pools-v4v6/posttest.dat new file mode 100644 index 000000000..bb20cae05 --- /dev/null +++ b/testing/tests/ikev2/ip-two-pools-v4v6/posttest.dat @@ -0,0 +1,4 @@ +alice::ip -6 route del default via fec1:\:1 +carol::ipsec stop +moon::ipsec stop +moon::conntrack -F diff --git a/testing/tests/ikev2/ip-two-pools-v4v6/pretest.dat b/testing/tests/ikev2/ip-two-pools-v4v6/pretest.dat new file mode 100644 index 000000000..04139badf --- /dev/null +++ b/testing/tests/ikev2/ip-two-pools-v4v6/pretest.dat @@ -0,0 +1,5 @@ +alice::ip -6 route add default via fec1:\:1 +moon::ipsec start +carol::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/ikev2/ip-two-pools-v4v6/test.conf b/testing/tests/ikev2/ip-two-pools-v4v6/test.conf new file mode 100644 index 000000000..cd03759f0 --- /dev/null +++ b/testing/tests/ikev2/ip-two-pools-v4v6/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="a-m-c.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="carol" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev2/ip-two-pools/evaltest.dat b/testing/tests/ikev2/ip-two-pools/evaltest.dat index ac0a3eeb3..fad3781d7 100644 --- a/testing/tests/ikev2/ip-two-pools/evaltest.dat +++ b/testing/tests/ikev2/ip-two-pools/evaltest.dat @@ -1,17 +1,21 @@ -carol::ipsec status::home.*INSTALLED::YES -alice::ipsec status::home.*INSTALLED::YES -moon::ipsec status::ext.*ESTABLISHED.*carol@strongswan.org::YES -moon::ipsec status::int.*ESTABLISHED.*alice@strongswan.org::YES -moon::cat /var/log/daemon.log::adding virtual IP address pool.*int.*10.4.0.0/28::YES -moon::cat /var/log/daemon.log::adding virtual IP address pool.*ext.*10.3.0.0/28::YES -moon::ipsec leases ext::1/15, 1 online::YES -moon::ipsec leases int::1/15, 1 online::YES -moon::ipsec leases ext 10.3.0.1::carol@strongswan.org::YES -moon::ipsec leases int 10.4.0.1::alice@strongswan.org::YES -carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +alice::ipsec status 2> /dev/null::home.*ESTABLISHED.*alice@strongswan.org.*moon.strongswan.org::YES +alice::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::ext.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +moon:: ipsec status 2> /dev/null::int.*ESTABLISHED.*moon.strongswan.org.*alice@strongswan.org::YES +moon:: ipsec status 2> /dev/null::ext.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::int.*INSTALLED, TUNNEL::YES +moon:: cat /var/log/daemon.log::adding virtual IP address pool.*10.4.0.0/28::YES +moon:: cat /var/log/daemon.log::adding virtual IP address pool.*10.3.0.0/28::YES +moon:: ipsec leases 10.3.0.0/28 2> /dev/null::1/14, 1 online::YES +moon:: ipsec leases 10.4.0.0/28 2> /dev/null::1/14, 1 online::YES +moon:: ipsec leases 10.3.0.0/28 PH_IP_CAROL1 2> /dev/null::carol@strongswan.org::YES +moon:: ipsec leases 10.4.0.0/28 10.4.0.1 2> /dev/null::alice@strongswan.org::YES +carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES alice::cat /var/log/daemon.log::installing new virtual IP 10.4.0.1::YES -carol::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_seq=1::YES -alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES +carol::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_req=1::YES +alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES carol::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES carol::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES alice::tcpdump::IP alice.strongswan.org > moon1.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/ip-two-pools/hosts/alice/etc/init.d/iptables b/testing/tests/ikev2/ip-two-pools/hosts/alice/etc/init.d/iptables deleted file mode 100755 index 97b773645..000000000 --- a/testing/tests/ikev2/ip-two-pools/hosts/alice/etc/init.d/iptables +++ /dev/null @@ -1,78 +0,0 @@ -#!/sbin/runscript -# Copyright 1999-2004 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 - -opts="start stop reload" - -depend() { - before net - need logger -} - -start() { - ebegin "Starting firewall" - - # default policy is DROP - /sbin/iptables -P INPUT DROP - /sbin/iptables -P OUTPUT DROP - /sbin/iptables -P FORWARD DROP - - # allow ESP - iptables -A INPUT -i eth0 -p 50 -j ACCEPT - iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT - - # allow IKE - iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT - - # allow MOBIKE - iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT - - - # allow crl fetch from winnetou - iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT - iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT - - # allow ssh - iptables -A INPUT -p tcp --dport 22 -j ACCEPT - iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT - - eend $? -} - -stop() { - ebegin "Stopping firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - - if [ $a == nat ]; then - /sbin/iptables -t nat -P PREROUTING ACCEPT - /sbin/iptables -t nat -P POSTROUTING ACCEPT - /sbin/iptables -t nat -P OUTPUT ACCEPT - elif [ $a == mangle ]; then - /sbin/iptables -t mangle -P PREROUTING ACCEPT - /sbin/iptables -t mangle -P INPUT ACCEPT - /sbin/iptables -t mangle -P FORWARD ACCEPT - /sbin/iptables -t mangle -P OUTPUT ACCEPT - /sbin/iptables -t mangle -P POSTROUTING ACCEPT - elif [ $a == filter ]; then - /sbin/iptables -t filter -P INPUT ACCEPT - /sbin/iptables -t filter -P FORWARD ACCEPT - /sbin/iptables -t filter -P OUTPUT ACCEPT - fi - done - eend $? -} - -reload() { - ebegin "Flushing firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - done; - eend $? - start -} - diff --git a/testing/tests/ikev2/ip-two-pools/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/ip-two-pools/hosts/alice/etc/ipsec.conf index f5ce1687e..180226eaa 100755..100644 --- a/testing/tests/ikev2/ip-two-pools/hosts/alice/etc/ipsec.conf +++ b/testing/tests/ikev2/ip-two-pools/hosts/alice/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/ip-two-pools/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools/hosts/alice/etc/strongswan.conf index 339b56987..dc937641c 100644 --- a/testing/tests/ikev2/ip-two-pools/hosts/alice/etc/strongswan.conf +++ b/testing/tests/ikev2/ip-two-pools/hosts/alice/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/ip-two-pools/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ip-two-pools/hosts/carol/etc/ipsec.conf index e647f1e36..63509bc16 100755..100644 --- a/testing/tests/ikev2/ip-two-pools/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/ip-two-pools/hosts/carol/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/ip-two-pools/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools/hosts/carol/etc/strongswan.conf index 339b56987..dc937641c 100644 --- a/testing/tests/ikev2/ip-two-pools/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/ip-two-pools/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/init.d/iptables deleted file mode 100755 index bb9d03acd..000000000 --- a/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/init.d/iptables +++ /dev/null @@ -1,91 +0,0 @@ -#!/sbin/runscript -# Copyright 1999-2004 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 - -opts="start stop reload" - -depend() { - before net - need logger -} - -start() { - ebegin "Starting firewall" - - # enable IP forwarding - echo 1 > /proc/sys/net/ipv4/ip_forward - - # default policy is DROP - /sbin/iptables -P INPUT DROP - /sbin/iptables -P OUTPUT DROP - /sbin/iptables -P FORWARD DROP - - # allow esp - iptables -A INPUT -i eth0 -p 50 -j ACCEPT - iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT - iptables -A INPUT -i eth1 -p 50 -j ACCEPT - iptables -A OUTPUT -o eth1 -p 50 -j ACCEPT - - # allow IKE - iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT - iptables -A INPUT -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT - iptables -A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT - - # allow MobIKE - iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT - iptables -A INPUT -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT - iptables -A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT - - # allow crl fetch from winnetou - iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT - iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT - iptables -A FORWARD -i eth0 -o eth1 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT - iptables -A FORWARD -o eth0 -i eth1 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT - - # masquerade crl fetches to winnetou - iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -d PH_IP_WINNETOU -j MASQUERADE - - # allow ssh - iptables -A INPUT -p tcp --dport 22 -j ACCEPT - iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT - - eend $? -} - -stop() { - ebegin "Stopping firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - - if [ $a == nat ]; then - /sbin/iptables -t nat -P PREROUTING ACCEPT - /sbin/iptables -t nat -P POSTROUTING ACCEPT - /sbin/iptables -t nat -P OUTPUT ACCEPT - elif [ $a == mangle ]; then - /sbin/iptables -t mangle -P PREROUTING ACCEPT - /sbin/iptables -t mangle -P INPUT ACCEPT - /sbin/iptables -t mangle -P FORWARD ACCEPT - /sbin/iptables -t mangle -P OUTPUT ACCEPT - /sbin/iptables -t mangle -P POSTROUTING ACCEPT - elif [ $a == filter ]; then - /sbin/iptables -t filter -P INPUT ACCEPT - /sbin/iptables -t filter -P FORWARD ACCEPT - /sbin/iptables -t filter -P OUTPUT ACCEPT - fi - done - eend $? -} - -reload() { - ebegin "Flushing firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - done; - eend $? - start -} - diff --git a/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/ipsec.conf index 8435479fa..5773245d1 100755..100644 --- a/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/iptables.rules new file mode 100644 index 000000000..a0ed9f0e6 --- /dev/null +++ b/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/iptables.rules @@ -0,0 +1,43 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow esp +-A INPUT -i eth0 -p 50 -j ACCEPT +-A OUTPUT -o eth0 -p 50 -j ACCEPT +-A INPUT -i eth1 -p 50 -j ACCEPT +-A OUTPUT -o eth1 -p 50 -j ACCEPT + +# allow IKE +-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT +-A INPUT -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT +-A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT +-A INPUT -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT +-A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT + +# allow crl fetch from winnetou +-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT +-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT +-A FORWARD -i eth0 -o eth1 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT +-A FORWARD -o eth0 -i eth1 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +COMMIT + +*nat + +# masquerade crl fetches to winnetou +-A POSTROUTING -o eth0 -s 10.1.0.0/16 -d PH_IP_WINNETOU -j MASQUERADE + +COMMIT diff --git a/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/strongswan.conf index 339b56987..dc937641c 100644 --- a/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/ip-two-pools/posttest.dat b/testing/tests/ikev2/ip-two-pools/posttest.dat index f41bb0fbc..2fbc2c3a0 100644 --- a/testing/tests/ikev2/ip-two-pools/posttest.dat +++ b/testing/tests/ikev2/ip-two-pools/posttest.dat @@ -1,8 +1,8 @@ alice::ipsec stop carol::ipsec stop moon::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null -alice::/etc/init.d/iptables stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +alice::iptables-restore < /etc/iptables.flush moon::conntrack -F moon::rm /etc/ipsec.d/ipsec.* diff --git a/testing/tests/ikev2/ip-two-pools/pretest.dat b/testing/tests/ikev2/ip-two-pools/pretest.dat index db422a105..4e8b639f4 100644 --- a/testing/tests/ikev2/ip-two-pools/pretest.dat +++ b/testing/tests/ikev2/ip-two-pools/pretest.dat @@ -1,6 +1,6 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null -alice::/etc/init.d/iptables start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +alice::iptables-restore < /etc/iptables.rules carol::ipsec start moon::ipsec start alice::ipsec start diff --git a/testing/tests/ikev2/ip-two-pools/test.conf b/testing/tests/ikev2/ip-two-pools/test.conf index 329774c0a..1ed3473ab 100644 --- a/testing/tests/ikev2/ip-two-pools/test.conf +++ b/testing/tests/ikev2/ip-two-pools/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon carol winnetou" +VIRTHOSTS="alice moon carol winnetou" # Corresponding block diagram # DIAGRAM="a-m-c-w.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="alice carol" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="alice moon carol" diff --git a/testing/tests/ikev2/mobike-nat/evaltest.dat b/testing/tests/ikev2/mobike-nat/evaltest.dat index f2758eb35..c71e3f7c1 100644 --- a/testing/tests/ikev2/mobike-nat/evaltest.dat +++ b/testing/tests/ikev2/mobike-nat/evaltest.dat @@ -1,15 +1,15 @@ -alice::ipsec statusall::ESTABLISHED.*PH_IP_ALICE1.*PH_IP_SUN::YES -sun::ipsec statusall::ESTABLISHED.*PH_IP_SUN.*PH_IP_ALICE1::YES -alice::ipsec statusall::10.3.0.3/32 === 10.2.0.0/16::YES -sun::ipsec statusall::10.2.0.0/16 === 10.3.0.3/32::YES -alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES -alice::/etc/init.d/net.eth1 stop::No output expected::NO +alice::ipsec status 2> /dev/null::mobike.*ESTABLISHED.*PH_IP_ALICE1.*PH_IP_SUN::YES +sun:: ipsec status 2> /dev/null::mobike.*ESTABLISHED.*PH_IP_SUN.*PH_IP_ALICE1::YES +alice::ipsec statusall 2> /dev/null::10.3.0.3/32 === 10.2.0.0/16::YES +sun:: ipsec statusall 2> /dev/null::10.2.0.0/16 === 10.3.0.3/32::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES +alice::ifdown eth1::No output expected::NO alice::sleep 1::No output expected::NO -alice::ipsec statusall::ESTABLISHED.*PH_IP_ALICE.*PH_IP_SUN::YES -sun::ipsec statusall::ESTABLISHED.*PH_IP_SUN.*PH_IP_MOON::YES -alice::ipsec statusall::10.3.0.3/32 === 10.2.0.0/16::YES -sun::ipsec statusall::10.2.0.0/16 === 10.3.0.3/32::YES -alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES +alice::ipsec status 2> /dev/null::mobike.*ESTABLISHED.*PH_IP_ALICE.*PH_IP_SUN::YES +sun:: ipsec status 2> /dev/null::mobike.*ESTABLISHED.*PH_IP_SUN.*PH_IP_MOON::YES +alice::ipsec statusall 2> /dev/null::10.3.0.3/32 === 10.2.0.0/16::YES +sun:: ipsec statusall 2> /dev/null::10.2.0.0/16 === 10.3.0.3/32::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES sun::tcpdump::alice1.strongswan.org.*sun.strongswan.org: ESP.*seq=0x1::YES sun::tcpdump::sun.strongswan.org.*alice1.strongswan.org: ESP.*seq=0x1::YES moon::tcpdump::moon.strongswan.org.*sun.strongswan.org.*: UDP-encap: ESP.*seq=0x2::YES diff --git a/testing/tests/ikev2/mobike-nat/hosts/alice/etc/init.d/iptables b/testing/tests/ikev2/mobike-nat/hosts/alice/etc/init.d/iptables deleted file mode 100755 index cf0d65c58..000000000 --- a/testing/tests/ikev2/mobike-nat/hosts/alice/etc/init.d/iptables +++ /dev/null @@ -1,87 +0,0 @@ -#!/sbin/runscript -# Copyright 1999-2004 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 - -opts="start stop reload" - -depend() { - before net - need logger -} - -start() { - ebegin "Starting firewall" - - # default policy is DROP - /sbin/iptables -P INPUT DROP - /sbin/iptables -P OUTPUT DROP - /sbin/iptables -P FORWARD DROP - - # allow IPsec tunnel traffic - iptables -A INPUT -m policy --dir in --pol ipsec --proto esp -j ACCEPT - iptables -A OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT - - # allow esp - iptables -A INPUT -i eth0 -p 50 -j ACCEPT - iptables -A INPUT -i eth1 -p 50 -j ACCEPT - iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT - iptables -A OUTPUT -o eth1 -p 50 -j ACCEPT - - # allow IKE - iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT - iptables -A INPUT -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT - iptables -A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT - - # allow MobIKE - iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT - iptables -A INPUT -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT - iptables -A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT - - # allow crl fetch from winnetou - iptables -A INPUT -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT - iptables -A OUTPUT -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT - - # allow ssh - iptables -A INPUT -p tcp --dport 22 -j ACCEPT - iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT - - eend $? -} - -stop() { - ebegin "Stopping firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - - if [ $a == nat ]; then - /sbin/iptables -t nat -P PREROUTING ACCEPT - /sbin/iptables -t nat -P POSTROUTING ACCEPT - /sbin/iptables -t nat -P OUTPUT ACCEPT - elif [ $a == mangle ]; then - /sbin/iptables -t mangle -P PREROUTING ACCEPT - /sbin/iptables -t mangle -P INPUT ACCEPT - /sbin/iptables -t mangle -P FORWARD ACCEPT - /sbin/iptables -t mangle -P OUTPUT ACCEPT - /sbin/iptables -t mangle -P POSTROUTING ACCEPT - elif [ $a == filter ]; then - /sbin/iptables -t filter -P INPUT ACCEPT - /sbin/iptables -t filter -P FORWARD ACCEPT - /sbin/iptables -t filter -P OUTPUT ACCEPT - fi - done - eend $? -} - -reload() { - ebegin "Flushing firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - done; - eend $? - start -} - diff --git a/testing/tests/ikev2/mobike-nat/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/mobike-nat/hosts/alice/etc/ipsec.conf index ed670efb1..ffb7f563a 100755..100644 --- a/testing/tests/ikev2/mobike-nat/hosts/alice/etc/ipsec.conf +++ b/testing/tests/ikev2/mobike-nat/hosts/alice/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m @@ -13,7 +10,7 @@ conn %default keyexchange=ikev2 conn mobike - left=PH_IP_ALICE1 + left=192.168.0.50 leftsourceip=%config leftcert=aliceCert.pem leftid=alice@strongswan.org diff --git a/testing/tests/ikev2/mobike-nat/hosts/alice/etc/iptables.rules b/testing/tests/ikev2/mobike-nat/hosts/alice/etc/iptables.rules new file mode 100644 index 000000000..6dd261f20 --- /dev/null +++ b/testing/tests/ikev2/mobike-nat/hosts/alice/etc/iptables.rules @@ -0,0 +1,38 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow IPsec tunnel traffic +-A INPUT -m policy --dir in --pol ipsec --proto esp -j ACCEPT +-A OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT + +# allow ESP +-A INPUT -i eth0 -p 50 -j ACCEPT +-A INPUT -i eth1 -p 50 -j ACCEPT +-A OUTPUT -o eth0 -p 50 -j ACCEPT +-A OUTPUT -o eth1 -p 50 -j ACCEPT + +# allow IKE +-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT +-A INPUT -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT +-A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT +-A INPUT -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT +-A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow crl fetch from winnetou +-A INPUT -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT +-A OUTPUT -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + +COMMIT diff --git a/testing/tests/ikev2/mobike-nat/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/mobike-nat/hosts/alice/etc/strongswan.conf index 88f162098..85d8c191f 100644 --- a/testing/tests/ikev2/mobike-nat/hosts/alice/etc/strongswan.conf +++ b/testing/tests/ikev2/mobike-nat/hosts/alice/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/mobike-nat/hosts/sun/etc/init.d/iptables b/testing/tests/ikev2/mobike-nat/hosts/sun/etc/init.d/iptables deleted file mode 100755 index 642c414d5..000000000 --- a/testing/tests/ikev2/mobike-nat/hosts/sun/etc/init.d/iptables +++ /dev/null @@ -1,84 +0,0 @@ -#!/sbin/runscript -# Copyright 1999-2004 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 - -opts="start stop reload" - -depend() { - before net - need logger -} - -start() { - ebegin "Starting firewall" - - # enable IP forwarding - echo 1 > /proc/sys/net/ipv4/ip_forward - - # default policy is DROP - /sbin/iptables -P INPUT DROP - /sbin/iptables -P OUTPUT DROP - /sbin/iptables -P FORWARD DROP - - # allow IPsec tunnel traffic - iptables -A FORWARD -m policy --dir in --pol ipsec --proto esp -j ACCEPT - iptables -A FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT - - # allow esp - iptables -A INPUT -i eth0 -p 50 -j ACCEPT - iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT - - # allow IKE - iptables -A INPUT -i eth0 -p udp --dport 500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT - - # allow NAT-T - iptables -A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT - - # allow crl fetch from winnetou - iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT - iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT - - # allow ssh - iptables -A INPUT -p tcp --dport 22 -j ACCEPT - iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT - - eend $? -} - -stop() { - ebegin "Stopping firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - - if [ $a == nat ]; then - /sbin/iptables -t nat -P PREROUTING ACCEPT - /sbin/iptables -t nat -P POSTROUTING ACCEPT - /sbin/iptables -t nat -P OUTPUT ACCEPT - elif [ $a == mangle ]; then - /sbin/iptables -t mangle -P PREROUTING ACCEPT - /sbin/iptables -t mangle -P INPUT ACCEPT - /sbin/iptables -t mangle -P FORWARD ACCEPT - /sbin/iptables -t mangle -P OUTPUT ACCEPT - /sbin/iptables -t mangle -P POSTROUTING ACCEPT - elif [ $a == filter ]; then - /sbin/iptables -t filter -P INPUT ACCEPT - /sbin/iptables -t filter -P FORWARD ACCEPT - /sbin/iptables -t filter -P OUTPUT ACCEPT - fi - done - eend $? -} - -reload() { - ebegin "Flushing firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - done; - eend $? - start -} - diff --git a/testing/tests/ikev2/mobike-nat/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/mobike-nat/hosts/sun/etc/ipsec.conf index ca4d84e16..e187f9569 100755..100644 --- a/testing/tests/ikev2/mobike-nat/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ikev2/mobike-nat/hosts/sun/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/mobike-nat/hosts/sun/etc/iptables.rules b/testing/tests/ikev2/mobike-nat/hosts/sun/etc/iptables.rules new file mode 100644 index 000000000..0a7d1fa40 --- /dev/null +++ b/testing/tests/ikev2/mobike-nat/hosts/sun/etc/iptables.rules @@ -0,0 +1,32 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow IPsec tunnel traffic +-A FORWARD -m policy --dir in --pol ipsec --proto esp -j ACCEPT +-A FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT + +# allow ESP +-A INPUT -i eth0 -p 50 -j ACCEPT +-A OUTPUT -o eth0 -p 50 -j ACCEPT + +# allow IKE +-A INPUT -i eth0 -p udp --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow crl fetch from winnetou +-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT +-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + +COMMIT diff --git a/testing/tests/ikev2/mobike-nat/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/mobike-nat/hosts/sun/etc/strongswan.conf index 88f162098..85d8c191f 100644 --- a/testing/tests/ikev2/mobike-nat/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/mobike-nat/hosts/sun/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/mobike-nat/posttest.dat b/testing/tests/ikev2/mobike-nat/posttest.dat index cd0d4df25..f4e5316c9 100644 --- a/testing/tests/ikev2/mobike-nat/posttest.dat +++ b/testing/tests/ikev2/mobike-nat/posttest.dat @@ -1,6 +1,6 @@ alice::ipsec stop sun::ipsec stop -alice::/etc/init.d/iptables stop 2> /dev/null -sun::/etc/init.d/iptables stop 2> /dev/null +alice::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush moon::iptables -t nat -F moon::conntrack -F diff --git a/testing/tests/ikev2/mobike-nat/pretest.dat b/testing/tests/ikev2/mobike-nat/pretest.dat index 08c2be95c..86ac6e7e0 100644 --- a/testing/tests/ikev2/mobike-nat/pretest.dat +++ b/testing/tests/ikev2/mobike-nat/pretest.dat @@ -1,12 +1,11 @@ -alice::/etc/init.d/net.eth1 start -alice::/etc/init.d/iptables start 2> /dev/null -sun::/etc/init.d/iptables start 2> /dev/null +alice::ifup eth1 +alice::iptables-restore < /etc/iptables.rules +sun::iptables-restore < /etc/iptables.rules moon::conntrack -F -moon::echo 1 > /proc/sys/net/ipv4/ip_forward moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100 alice::ipsec start sun::ipsec start -alice::sleep 2 +alice::sleep 2 alice::ipsec up mobike alice::sleep 1 diff --git a/testing/tests/ikev2/mobike-nat/test.conf b/testing/tests/ikev2/mobike-nat/test.conf index 24a0cf3a4..70c64c503 100644 --- a/testing/tests/ikev2/mobike-nat/test.conf +++ b/testing/tests/ikev2/mobike-nat/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon winnetou sun bob" +VIRTHOSTS="alice moon winnetou sun bob" # Corresponding block diagram # DIAGRAM="a-m-w-s-b.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="bob moon sun" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="alice sun" diff --git a/testing/tests/ikev2/mobike-virtual-ip/evaltest.dat b/testing/tests/ikev2/mobike-virtual-ip/evaltest.dat index 94dea0b14..17593ef82 100644 --- a/testing/tests/ikev2/mobike-virtual-ip/evaltest.dat +++ b/testing/tests/ikev2/mobike-virtual-ip/evaltest.dat @@ -1,15 +1,15 @@ -alice::ipsec statusall::ESTABLISHED.*PH_IP_ALICE1.*PH_IP_SUN::YES -sun::ipsec statusall::ESTABLISHED.*PH_IP_SUN.*PH_IP_ALICE1::YES -alice::ipsec statusall::10.3.0.3/32 === 10.2.0.0/16::YES -sun::ipsec statusall::10.2.0.0/16 === 10.3.0.3/32::YES -alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES -alice::/etc/init.d/net.eth1 stop::No output expected::NO +alice::ipsec status 2> /dev/null::mobike.*ESTABLISHED.*192.168.0.50.*PH_IP_SUN::YES +sun:: ipsec status 2> /dev/null::mobike.*ESTABLISHED.*PH_IP_SUN.*192.168.0.50::YES +alice::ipsec statusall 2> /dev/null::10.3.0.3/32 === 10.2.0.0/16::YES +sun:: ipsec statusall 2> /dev/null::10.2.0.0/16 === 10.3.0.3/32::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES +alice::ifdown eth1::No output expected::NO alice::sleep 1::No output expected::NO -alice::ipsec statusall::ESTABLISHED.*PH_IP_ALICE.*PH_IP_SUN::YES -sun::ipsec statusall::ESTABLISHED.*PH_IP_SUN.*PH_IP_ALICE::YES -alice::ipsec statusall::10.3.0.3/32 === 10.2.0.0/16::YES -sun::ipsec statusall::10.2.0.0/16 === 10.3.0.3/32::YES -alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES +alice::ipsec status 2> /dev/null::mobike.*ESTABLISHED.*PH_IP_ALICE.*PH_IP_SUN::YES +sun:: ipsec status 2> /dev/null::mobike.*ESTABLISHED.*PH_IP_SUN.*PH_IP_ALICE::YES +alice::ipsec statusall 2> /dev/null::10.3.0.3/32 === 10.2.0.0/16::YES +sun:: ipsec statusall 2> /dev/null::10.2.0.0/16 === 10.3.0.3/32::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES sun::tcpdump::alice1.strongswan.org.*sun.strongswan.org: ESP.*seq=0x1::YES sun::tcpdump::sun.strongswan.org.*alice1.strongswan.org: ESP.*seq=0x1::YES moon::tcpdump::alice.strongswan.org.*sun.strongswan.org.*: ESP.*seq=0x2::YES diff --git a/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/init.d/iptables b/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/init.d/iptables deleted file mode 100755 index cf0d65c58..000000000 --- a/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/init.d/iptables +++ /dev/null @@ -1,87 +0,0 @@ -#!/sbin/runscript -# Copyright 1999-2004 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 - -opts="start stop reload" - -depend() { - before net - need logger -} - -start() { - ebegin "Starting firewall" - - # default policy is DROP - /sbin/iptables -P INPUT DROP - /sbin/iptables -P OUTPUT DROP - /sbin/iptables -P FORWARD DROP - - # allow IPsec tunnel traffic - iptables -A INPUT -m policy --dir in --pol ipsec --proto esp -j ACCEPT - iptables -A OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT - - # allow esp - iptables -A INPUT -i eth0 -p 50 -j ACCEPT - iptables -A INPUT -i eth1 -p 50 -j ACCEPT - iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT - iptables -A OUTPUT -o eth1 -p 50 -j ACCEPT - - # allow IKE - iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT - iptables -A INPUT -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT - iptables -A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT - - # allow MobIKE - iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT - iptables -A INPUT -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT - iptables -A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT - - # allow crl fetch from winnetou - iptables -A INPUT -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT - iptables -A OUTPUT -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT - - # allow ssh - iptables -A INPUT -p tcp --dport 22 -j ACCEPT - iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT - - eend $? -} - -stop() { - ebegin "Stopping firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - - if [ $a == nat ]; then - /sbin/iptables -t nat -P PREROUTING ACCEPT - /sbin/iptables -t nat -P POSTROUTING ACCEPT - /sbin/iptables -t nat -P OUTPUT ACCEPT - elif [ $a == mangle ]; then - /sbin/iptables -t mangle -P PREROUTING ACCEPT - /sbin/iptables -t mangle -P INPUT ACCEPT - /sbin/iptables -t mangle -P FORWARD ACCEPT - /sbin/iptables -t mangle -P OUTPUT ACCEPT - /sbin/iptables -t mangle -P POSTROUTING ACCEPT - elif [ $a == filter ]; then - /sbin/iptables -t filter -P INPUT ACCEPT - /sbin/iptables -t filter -P FORWARD ACCEPT - /sbin/iptables -t filter -P OUTPUT ACCEPT - fi - done - eend $? -} - -reload() { - ebegin "Flushing firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - done; - eend $? - start -} - diff --git a/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/ipsec.conf index ed670efb1..ffb7f563a 100755..100644 --- a/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/ipsec.conf +++ b/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m @@ -13,7 +10,7 @@ conn %default keyexchange=ikev2 conn mobike - left=PH_IP_ALICE1 + left=192.168.0.50 leftsourceip=%config leftcert=aliceCert.pem leftid=alice@strongswan.org diff --git a/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/iptables.rules b/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/iptables.rules new file mode 100644 index 000000000..a238c8d19 --- /dev/null +++ b/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/iptables.rules @@ -0,0 +1,38 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow IPsec tunnel traffic +-A INPUT -m policy --dir in --pol ipsec --proto esp -j ACCEPT +-A OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT + +# allow ESP +-A INPUT -i eth0 -p 50 -j ACCEPT +-A INPUT -i eth1 -p 50 -j ACCEPT +-A OUTPUT -o eth0 -p 50 -j ACCEPT +-A OUTPUT -o eth1 -p 50 -j ACCEPT + +# allow IKE +-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT +-A INPUT -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT +-A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT +-A INPUT -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT +-A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow crl fetch from winnetou +-A INPUT -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT +-A OUTPUT -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + +COMMIT diff --git a/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/strongswan.conf index 88f162098..85d8c191f 100644 --- a/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/strongswan.conf +++ b/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/init.d/iptables b/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/init.d/iptables deleted file mode 100755 index 642c414d5..000000000 --- a/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/init.d/iptables +++ /dev/null @@ -1,84 +0,0 @@ -#!/sbin/runscript -# Copyright 1999-2004 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 - -opts="start stop reload" - -depend() { - before net - need logger -} - -start() { - ebegin "Starting firewall" - - # enable IP forwarding - echo 1 > /proc/sys/net/ipv4/ip_forward - - # default policy is DROP - /sbin/iptables -P INPUT DROP - /sbin/iptables -P OUTPUT DROP - /sbin/iptables -P FORWARD DROP - - # allow IPsec tunnel traffic - iptables -A FORWARD -m policy --dir in --pol ipsec --proto esp -j ACCEPT - iptables -A FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT - - # allow esp - iptables -A INPUT -i eth0 -p 50 -j ACCEPT - iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT - - # allow IKE - iptables -A INPUT -i eth0 -p udp --dport 500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT - - # allow NAT-T - iptables -A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT - - # allow crl fetch from winnetou - iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT - iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT - - # allow ssh - iptables -A INPUT -p tcp --dport 22 -j ACCEPT - iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT - - eend $? -} - -stop() { - ebegin "Stopping firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - - if [ $a == nat ]; then - /sbin/iptables -t nat -P PREROUTING ACCEPT - /sbin/iptables -t nat -P POSTROUTING ACCEPT - /sbin/iptables -t nat -P OUTPUT ACCEPT - elif [ $a == mangle ]; then - /sbin/iptables -t mangle -P PREROUTING ACCEPT - /sbin/iptables -t mangle -P INPUT ACCEPT - /sbin/iptables -t mangle -P FORWARD ACCEPT - /sbin/iptables -t mangle -P OUTPUT ACCEPT - /sbin/iptables -t mangle -P POSTROUTING ACCEPT - elif [ $a == filter ]; then - /sbin/iptables -t filter -P INPUT ACCEPT - /sbin/iptables -t filter -P FORWARD ACCEPT - /sbin/iptables -t filter -P OUTPUT ACCEPT - fi - done - eend $? -} - -reload() { - ebegin "Flushing firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - done; - eend $? - start -} - diff --git a/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/ipsec.conf index 1c8be1db4..2b0c8aebd 100755..100644 --- a/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m @@ -17,7 +14,7 @@ conn mobike leftcert=sunCert.pem leftid=@sun.strongswan.org leftsubnet=10.2.0.0/16 - right=PH_IP_ALICE1 + right=192.168.0.50 rightsourceip=10.3.0.3 rightid=alice@strongswan.org auto=add diff --git a/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/iptables.rules b/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/iptables.rules new file mode 100644 index 000000000..d86a461ac --- /dev/null +++ b/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/iptables.rules @@ -0,0 +1,32 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow IPsec tunnel traffic +-A FORWARD -m policy --dir in --pol ipsec --proto esp -j ACCEPT +-A FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT + +# allow ESP +-A INPUT -i eth0 -p 50 -j ACCEPT +-A OUTPUT -o eth0 -p 50 -j ACCEPT + +# allow IKE +-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow crl fetch from winnetou +-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT +-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + +COMMIT diff --git a/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/strongswan.conf index 88f162098..85d8c191f 100644 --- a/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/mobike-virtual-ip/posttest.dat b/testing/tests/ikev2/mobike-virtual-ip/posttest.dat index 32fdf0053..95c963091 100644 --- a/testing/tests/ikev2/mobike-virtual-ip/posttest.dat +++ b/testing/tests/ikev2/mobike-virtual-ip/posttest.dat @@ -1,5 +1,5 @@ alice::ipsec stop sun::ipsec stop -alice::/etc/init.d/iptables stop 2> /dev/null -sun::/etc/init.d/iptables stop 2> /dev/null +alice::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush sun::ip route del 10.1.0.0/16 via PH_IP_MOON diff --git a/testing/tests/ikev2/mobike-virtual-ip/pretest.dat b/testing/tests/ikev2/mobike-virtual-ip/pretest.dat index 6666e7794..067c1a1ec 100644 --- a/testing/tests/ikev2/mobike-virtual-ip/pretest.dat +++ b/testing/tests/ikev2/mobike-virtual-ip/pretest.dat @@ -1,10 +1,9 @@ -alice::/etc/init.d/net.eth1 start -alice::/etc/init.d/iptables start 2> /dev/null -sun::/etc/init.d/iptables start 2> /dev/null -moon::echo 1 > /proc/sys/net/ipv4/ip_forward +alice::ifup eth1 +alice::iptables-restore < /etc/iptables.rules +sun::iptables-restore < /etc/iptables.rules sun::ip route add 10.1.0.0/16 via PH_IP_MOON alice::ipsec start sun::ipsec start -alice::sleep 2 +alice::sleep 2 alice::ipsec up mobike alice::sleep 1 diff --git a/testing/tests/ikev2/mobike-virtual-ip/test.conf b/testing/tests/ikev2/mobike-virtual-ip/test.conf index 24a0cf3a4..70c64c503 100644 --- a/testing/tests/ikev2/mobike-virtual-ip/test.conf +++ b/testing/tests/ikev2/mobike-virtual-ip/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon winnetou sun bob" +VIRTHOSTS="alice moon winnetou sun bob" # Corresponding block diagram # DIAGRAM="a-m-w-s-b.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="bob moon sun" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="alice sun" diff --git a/testing/tests/ikev2/mobike/evaltest.dat b/testing/tests/ikev2/mobike/evaltest.dat index 6c49c0425..e3464040e 100644 --- a/testing/tests/ikev2/mobike/evaltest.dat +++ b/testing/tests/ikev2/mobike/evaltest.dat @@ -1,15 +1,15 @@ -alice::ipsec statusall::ESTABLISHED.*PH_IP_ALICE1.*PH_IP_SUN::YES -sun::ipsec statusall::ESTABLISHED.*PH_IP_SUN.*PH_IP_ALICE1::YES -alice::ipsec statusall::PH_IP_ALICE1/32 === 10.2.0.0/16::YES -sun::ipsec statusall::10.2.0.0/16 === PH_IP_ALICE1/32::YES -alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES -alice::/etc/init.d/net.eth1 stop::No output expected::NO +alice::ipsec status 2> /dev/null::mobike.*ESTABLISHED.*192.168.0.50.*PH_IP_SUN::YES +sun:: ipsec status 2> /dev/null::mobike.*ESTABLISHED.*PH_IP_SUN.*192.168.0.50::YES +alice::ipsec statusall 2> /dev/null::192.168.0.50/32 === 10.2.0.0/16::YES +sun:: ipsec statusall 2> /dev/null::10.2.0.0/16 === 192.168.0.50/32::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES +alice::ifdown eth1::No output expected::NO alice::sleep 1::No output expected::NO -alice::ipsec statusall::ESTABLISHED.*PH_IP_ALICE.*PH_IP_SUN::YES -sun::ipsec statusall::ESTABLISHED.*PH_IP_SUN.*PH_IP_ALICE::YES -alice::ipsec statusall::PH_IP_ALICE/32 === 10.2.0.0/16::YES -sun::ipsec statusall::10.2.0.0/16 === PH_IP_ALICE/32::YES -alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES +alice::ipsec status 2> /dev/null::mobike.*ESTABLISHED.*PH_IP_ALICE.*PH_IP_SUN::YES +sun:: ipsec status 2> /dev/null::mobike.*ESTABLISHED.*PH_IP_SUN.*PH_IP_ALICE::YES +alice::ipsec statusall 2> /dev/null::PH_IP_ALICE/32 === 10.2.0.0/16::YES +sun:: ipsec statusall 2> /dev/null::10.2.0.0/16 === PH_IP_ALICE/32::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES sun::tcpdump::alice1.strongswan.org.*sun.strongswan.org: ESP.*seq=0x1::YES sun::tcpdump::sun.strongswan.org.*alice1.strongswan.org: ESP.*seq=0x1::YES moon::tcpdump::alice.strongswan.org.*sun.strongswan.org: ESP.*seq=0x2::YES diff --git a/testing/tests/ikev2/mobike/hosts/alice/etc/init.d/iptables b/testing/tests/ikev2/mobike/hosts/alice/etc/init.d/iptables deleted file mode 100755 index cf0d65c58..000000000 --- a/testing/tests/ikev2/mobike/hosts/alice/etc/init.d/iptables +++ /dev/null @@ -1,87 +0,0 @@ -#!/sbin/runscript -# Copyright 1999-2004 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 - -opts="start stop reload" - -depend() { - before net - need logger -} - -start() { - ebegin "Starting firewall" - - # default policy is DROP - /sbin/iptables -P INPUT DROP - /sbin/iptables -P OUTPUT DROP - /sbin/iptables -P FORWARD DROP - - # allow IPsec tunnel traffic - iptables -A INPUT -m policy --dir in --pol ipsec --proto esp -j ACCEPT - iptables -A OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT - - # allow esp - iptables -A INPUT -i eth0 -p 50 -j ACCEPT - iptables -A INPUT -i eth1 -p 50 -j ACCEPT - iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT - iptables -A OUTPUT -o eth1 -p 50 -j ACCEPT - - # allow IKE - iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT - iptables -A INPUT -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT - iptables -A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT - - # allow MobIKE - iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT - iptables -A INPUT -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT - iptables -A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT - - # allow crl fetch from winnetou - iptables -A INPUT -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT - iptables -A OUTPUT -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT - - # allow ssh - iptables -A INPUT -p tcp --dport 22 -j ACCEPT - iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT - - eend $? -} - -stop() { - ebegin "Stopping firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - - if [ $a == nat ]; then - /sbin/iptables -t nat -P PREROUTING ACCEPT - /sbin/iptables -t nat -P POSTROUTING ACCEPT - /sbin/iptables -t nat -P OUTPUT ACCEPT - elif [ $a == mangle ]; then - /sbin/iptables -t mangle -P PREROUTING ACCEPT - /sbin/iptables -t mangle -P INPUT ACCEPT - /sbin/iptables -t mangle -P FORWARD ACCEPT - /sbin/iptables -t mangle -P OUTPUT ACCEPT - /sbin/iptables -t mangle -P POSTROUTING ACCEPT - elif [ $a == filter ]; then - /sbin/iptables -t filter -P INPUT ACCEPT - /sbin/iptables -t filter -P FORWARD ACCEPT - /sbin/iptables -t filter -P OUTPUT ACCEPT - fi - done - eend $? -} - -reload() { - ebegin "Flushing firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - done; - eend $? - start -} - diff --git a/testing/tests/ikev2/mobike/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/mobike/hosts/alice/etc/ipsec.conf index 6c87468bb..95683fdc3 100755..100644 --- a/testing/tests/ikev2/mobike/hosts/alice/etc/ipsec.conf +++ b/testing/tests/ikev2/mobike/hosts/alice/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m @@ -13,7 +10,7 @@ conn %default keyexchange=ikev2 conn mobike - left=PH_IP_ALICE1 + left=192.168.0.50 leftcert=aliceCert.pem leftid=alice@strongswan.org right=PH_IP_SUN diff --git a/testing/tests/ikev2/mobike/hosts/alice/etc/iptables.rules b/testing/tests/ikev2/mobike/hosts/alice/etc/iptables.rules new file mode 100644 index 000000000..a238c8d19 --- /dev/null +++ b/testing/tests/ikev2/mobike/hosts/alice/etc/iptables.rules @@ -0,0 +1,38 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow IPsec tunnel traffic +-A INPUT -m policy --dir in --pol ipsec --proto esp -j ACCEPT +-A OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT + +# allow ESP +-A INPUT -i eth0 -p 50 -j ACCEPT +-A INPUT -i eth1 -p 50 -j ACCEPT +-A OUTPUT -o eth0 -p 50 -j ACCEPT +-A OUTPUT -o eth1 -p 50 -j ACCEPT + +# allow IKE +-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT +-A INPUT -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT +-A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT +-A INPUT -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT +-A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow crl fetch from winnetou +-A INPUT -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT +-A OUTPUT -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + +COMMIT diff --git a/testing/tests/ikev2/mobike/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/mobike/hosts/alice/etc/strongswan.conf index 88f162098..85d8c191f 100644 --- a/testing/tests/ikev2/mobike/hosts/alice/etc/strongswan.conf +++ b/testing/tests/ikev2/mobike/hosts/alice/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/mobike/hosts/sun/etc/init.d/iptables b/testing/tests/ikev2/mobike/hosts/sun/etc/init.d/iptables deleted file mode 100755 index 6934b1948..000000000 --- a/testing/tests/ikev2/mobike/hosts/sun/etc/init.d/iptables +++ /dev/null @@ -1,90 +0,0 @@ -#!/sbin/runscript -# Copyright 1999-2004 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 - -opts="start stop reload" - -depend() { - before net - need logger -} - -start() { - ebegin "Starting firewall" - - # enable IP forwarding - echo 1 > /proc/sys/net/ipv4/ip_forward - - # default policy is DROP - /sbin/iptables -P INPUT DROP - /sbin/iptables -P OUTPUT DROP - /sbin/iptables -P FORWARD DROP - - # allow IPsec tunnel traffic - iptables -A FORWARD -m policy --dir in --pol ipsec --proto esp -j ACCEPT - iptables -A FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT - - # allow esp - iptables -A INPUT -i eth0 -p 50 -j ACCEPT - iptables -A INPUT -i eth1 -p 50 -j ACCEPT - iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT - iptables -A OUTPUT -o eth1 -p 50 -j ACCEPT - - # allow IKE - iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT - iptables -A INPUT -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT - iptables -A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT - - # allow MobIKE - iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT - iptables -A INPUT -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT - iptables -A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT - - # allow crl fetch from winnetou - iptables -A INPUT -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT - iptables -A OUTPUT -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT - - # allow ssh - iptables -A INPUT -p tcp --dport 22 -j ACCEPT - iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT - - eend $? -} - -stop() { - ebegin "Stopping firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - - if [ $a == nat ]; then - /sbin/iptables -t nat -P PREROUTING ACCEPT - /sbin/iptables -t nat -P POSTROUTING ACCEPT - /sbin/iptables -t nat -P OUTPUT ACCEPT - elif [ $a == mangle ]; then - /sbin/iptables -t mangle -P PREROUTING ACCEPT - /sbin/iptables -t mangle -P INPUT ACCEPT - /sbin/iptables -t mangle -P FORWARD ACCEPT - /sbin/iptables -t mangle -P OUTPUT ACCEPT - /sbin/iptables -t mangle -P POSTROUTING ACCEPT - elif [ $a == filter ]; then - /sbin/iptables -t filter -P INPUT ACCEPT - /sbin/iptables -t filter -P FORWARD ACCEPT - /sbin/iptables -t filter -P OUTPUT ACCEPT - fi - done - eend $? -} - -reload() { - ebegin "Flushing firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - done; - eend $? - start -} - diff --git a/testing/tests/ikev2/mobike/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/mobike/hosts/sun/etc/ipsec.conf index 4806cd9c8..f7693106f 100755..100644 --- a/testing/tests/ikev2/mobike/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ikev2/mobike/hosts/sun/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m @@ -17,6 +14,6 @@ conn mobike leftcert=sunCert.pem leftid=@sun.strongswan.org leftsubnet=10.2.0.0/16 - right=PH_IP_ALICE1 + right=192.168.0.50 rightid=alice@strongswan.org auto=add diff --git a/testing/tests/ikev2/mobike/hosts/sun/etc/iptables.rules b/testing/tests/ikev2/mobike/hosts/sun/etc/iptables.rules new file mode 100644 index 000000000..d86a461ac --- /dev/null +++ b/testing/tests/ikev2/mobike/hosts/sun/etc/iptables.rules @@ -0,0 +1,32 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow IPsec tunnel traffic +-A FORWARD -m policy --dir in --pol ipsec --proto esp -j ACCEPT +-A FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT + +# allow ESP +-A INPUT -i eth0 -p 50 -j ACCEPT +-A OUTPUT -o eth0 -p 50 -j ACCEPT + +# allow IKE +-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow crl fetch from winnetou +-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT +-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + +COMMIT diff --git a/testing/tests/ikev2/mobike/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/mobike/hosts/sun/etc/strongswan.conf index 88f162098..85d8c191f 100644 --- a/testing/tests/ikev2/mobike/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/mobike/hosts/sun/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/mobike/posttest.dat b/testing/tests/ikev2/mobike/posttest.dat index 32fdf0053..95c963091 100644 --- a/testing/tests/ikev2/mobike/posttest.dat +++ b/testing/tests/ikev2/mobike/posttest.dat @@ -1,5 +1,5 @@ alice::ipsec stop sun::ipsec stop -alice::/etc/init.d/iptables stop 2> /dev/null -sun::/etc/init.d/iptables stop 2> /dev/null +alice::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush sun::ip route del 10.1.0.0/16 via PH_IP_MOON diff --git a/testing/tests/ikev2/mobike/pretest.dat b/testing/tests/ikev2/mobike/pretest.dat index 6666e7794..067c1a1ec 100644 --- a/testing/tests/ikev2/mobike/pretest.dat +++ b/testing/tests/ikev2/mobike/pretest.dat @@ -1,10 +1,9 @@ -alice::/etc/init.d/net.eth1 start -alice::/etc/init.d/iptables start 2> /dev/null -sun::/etc/init.d/iptables start 2> /dev/null -moon::echo 1 > /proc/sys/net/ipv4/ip_forward +alice::ifup eth1 +alice::iptables-restore < /etc/iptables.rules +sun::iptables-restore < /etc/iptables.rules sun::ip route add 10.1.0.0/16 via PH_IP_MOON alice::ipsec start sun::ipsec start -alice::sleep 2 +alice::sleep 2 alice::ipsec up mobike alice::sleep 1 diff --git a/testing/tests/ikev2/mobike/test.conf b/testing/tests/ikev2/mobike/test.conf index 24a0cf3a4..70c64c503 100644 --- a/testing/tests/ikev2/mobike/test.conf +++ b/testing/tests/ikev2/mobike/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon winnetou sun bob" +VIRTHOSTS="alice moon winnetou sun bob" # Corresponding block diagram # DIAGRAM="a-m-w-s-b.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="bob moon sun" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="alice sun" diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat index 897db40ed..65a003d23 100644 --- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/evaltest.dat @@ -1,12 +1,12 @@ -moon::cat /var/log/daemon.log::parsed IKE_AUTH request.*N(AUTH_FOLLOWS)::YES -moon::cat /var/log/daemon.log::authentication of .*carol@strongswan.org.* with RSA signature successful::YES +moon:: cat /var/log/daemon.log::parsed IKE_AUTH request.*N(AUTH_FOLLOWS)::YES +moon:: cat /var/log/daemon.log::authentication of .*carol@strongswan.org.* with RSA signature successful::YES carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES -moon::cat /var/log/daemon.log::received EAP identity .*228060123456001::YES -moon::cat /var/log/daemon.log::authentication of .*228060123456001@strongswan.org.* with EAP successful::YES -moon::ipsec statusall::rw-mult.*ESTABLISHED.*228060123456001@strongswan.org::YES -carol::ipsec statusall::home.*ESTABLISHED.*228060123456001@strongswan.org::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon:: cat /var/log/daemon.log::received EAP identity .*228060123456001::YES +moon:: cat /var/log/daemon.log::authentication of .*228060123456001@strongswan.org.* with EAP successful::YES +moon:: ipsec status 2> /dev/null::rw-mult.*ESTABLISHED.*228060123456001@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*228060123456001@strongswan.org::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES moon::cat /var/log/daemon.log::authentication of .*dave@strongswan.org.* with RSA signature successful::YES @@ -15,7 +15,7 @@ dave::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES moon::cat /var/log/daemon.log::received EAP identity .*228060123456002::YES moon::cat /var/log/daemon.log::RADIUS authentication of '228060123456002' failed::YES moon::cat /var/log/daemon.log::EAP method EAP_SIM failed for peer 228060123456002@strongswan.org::YES -moon::ipsec statusall::rw-mult.*ESTABLISHED.*228060123456002@strongswan.org::NO +moon::ipsec status 2> /dev/null::rw-mult.*ESTABLISHED.*228060123456002@strongswan.org::NO dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES -dave::ipsec statusall::home.*ESTABLISHED::NO -dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::NO +dave::ipsec status 2> /dev/null::home.*ESTABLISHED::NO +dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/eap.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/eap.conf new file mode 100644 index 000000000..7d8023951 --- /dev/null +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/eap.conf @@ -0,0 +1,5 @@ +eap { + default_eap_type = sim + sim { + } +} diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/modules/sim_files b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/modules/sim_files new file mode 100644 index 000000000..10c26aa15 --- /dev/null +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/modules/sim_files @@ -0,0 +1,3 @@ +sim_files { + simtriplets = "/etc/freeradius/triplets.dat" +} diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/proxy.conf index 23cba8d11..23cba8d11 100644 --- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/proxy.conf +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/proxy.conf diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/sites-available/default index dfceb037d..91425f812 100644 --- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/sites-available/default +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/sites-available/default @@ -59,4 +59,3 @@ pre-proxy { post-proxy { eap } - diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/triplets.dat b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/triplets.dat index 002ee94d1..aaabab89e 100644 --- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/triplets.dat +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/triplets.dat @@ -4,4 +4,3 @@ 228060123456002,33000000000000000000000000000000,33112233,335566778899AABB 228060123456002,34000000000000000000000000000000,34112233,345566778899AABB 228060123456002,35000000000000000000000000000000,35112233,355566778899AABB - diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/users b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/users index e69de29bb..e69de29bb 100644 --- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/users +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/freeradius/users diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/clients.conf deleted file mode 100644 index f4e179aa4..000000000 --- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/clients.conf +++ /dev/null @@ -1,4 +0,0 @@ -client PH_IP_MOON1 { - secret = gv6URkSs - shortname = moon -} diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/eap.conf deleted file mode 100644 index a2020424e..000000000 --- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/eap.conf +++ /dev/null @@ -1,5 +0,0 @@ -eap { - default_eap_type = sim - sim { - } -} diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/radiusd.conf deleted file mode 100644 index d77b818fe..000000000 --- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/radiusd.conf +++ /dev/null @@ -1,123 +0,0 @@ -# radiusd.conf -- FreeRADIUS server configuration file. - -prefix = /usr -exec_prefix = ${prefix} -sysconfdir = /etc -localstatedir = /var -sbindir = ${exec_prefix}/sbin -logdir = ${localstatedir}/log/radius -raddbdir = ${sysconfdir}/raddb -radacctdir = ${logdir}/radacct - -# name of the running server. See also the "-n" command-line option. -name = radiusd - -# Location of config and logfiles. -confdir = ${raddbdir} -run_dir = ${localstatedir}/run/radiusd - -# Should likely be ${localstatedir}/lib/radiusd -db_dir = ${raddbdir} - -# libdir: Where to find the rlm_* modules. -libdir = ${exec_prefix}/lib - -# pidfile: Where to place the PID of the RADIUS server. -pidfile = ${run_dir}/${name}.pid - -# max_request_time: The maximum time (in seconds) to handle a request. -max_request_time = 30 - -# cleanup_delay: The time to wait (in seconds) before cleaning up -cleanup_delay = 5 - -# max_requests: The maximum number of requests which the server keeps -max_requests = 1024 - -# listen: Make the server listen on a particular IP address, and send -listen { - type = auth - ipaddr = PH_IP_ALICE - port = 0 -} - -# This second "listen" section is for listening on the accounting -# port, too. -# -listen { - type = acct - ipaddr = PH_IP_ALICE - port = 0 -} - -# hostname_lookups: Log the names of clients or just their IP addresses -hostname_lookups = no - -# Core dumps are a bad thing. This should only be set to 'yes' -allow_core_dumps = no - -# Regular expressions -regular_expressions = yes -extended_expressions = yes - -# Logging section. The various "log_*" configuration items -log { - destination = files - file = ${logdir}/radius.log - syslog_facility = daemon - stripped_names = no - auth = yes - auth_badpass = yes - auth_goodpass = yes -} - -# The program to execute to do concurrency checks. -checkrad = ${sbindir}/checkrad - -# Security considerations -security { - max_attributes = 200 - reject_delay = 1 - status_server = yes -} - -# PROXY CONFIGURATION -proxy_requests = yes -$INCLUDE proxy.conf - -# CLIENTS CONFIGURATION -$INCLUDE clients.conf - -# THREAD POOL CONFIGURATION -thread pool { - start_servers = 5 - max_servers = 32 - min_spare_servers = 3 - max_spare_servers = 10 - max_requests_per_server = 0 -} - -# MODULE CONFIGURATION -modules { - $INCLUDE ${confdir}/modules/ - $INCLUDE eap.conf - $INCLUDE sql.conf - $INCLUDE sql/mysql/counter.conf - sim_files { - simtriplets = "/etc/raddb/triplets.dat" - } -} - -# Instantiation -instantiate { - exec - expr - expiration - logintime -} - -# Policies -$INCLUDE policy.conf - -# Include all enabled virtual hosts -$INCLUDE sites-enabled/ diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/ipsec.conf index 26cc0cd92..df4440768 100755..100644 --- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/ipsec.conf @@ -1,7 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/strongswan.conf index 7b4ab49e4..8e872ddae 100644 --- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file eap-identity updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file eap-identity updown } diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/ipsec.conf index f8c52be78..01fb6b0a3 100755..100644 --- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/ipsec.conf @@ -1,7 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutostart=no conn %default ikelifetime=60m @@ -9,7 +8,6 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev2 - authby=eap conn home left=PH_IP_DAVE diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/strongswan.conf index 7b4ab49e4..8e872ddae 100644 --- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file eap-identity updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file eap-identity updown } diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/init.d/iptables deleted file mode 100755 index 56587b2e8..000000000 --- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/init.d/iptables +++ /dev/null @@ -1,84 +0,0 @@ -#!/sbin/runscript -# Copyright 1999-2004 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 - -opts="start stop reload" - -depend() { - before net - need logger -} - -start() { - ebegin "Starting firewall" - - # enable IP forwarding - echo 1 > /proc/sys/net/ipv4/ip_forward - - # default policy is DROP - /sbin/iptables -P INPUT DROP - /sbin/iptables -P OUTPUT DROP - /sbin/iptables -P FORWARD DROP - - # allow esp - iptables -A INPUT -i eth0 -p 50 -j ACCEPT - iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT - - # allow IKE - iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT - - # allow MobIKE - iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT - - # allow crl fetch from winnetou - iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT - iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT - - # allow RADIUS protocol with alice - iptables -A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT - iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT - - # allow ssh - iptables -A INPUT -p tcp --dport 22 -j ACCEPT - iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT - - eend $? -} - -stop() { - ebegin "Stopping firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - - if [ $a == nat ]; then - /sbin/iptables -t nat -P PREROUTING ACCEPT - /sbin/iptables -t nat -P POSTROUTING ACCEPT - /sbin/iptables -t nat -P OUTPUT ACCEPT - elif [ $a == mangle ]; then - /sbin/iptables -t mangle -P PREROUTING ACCEPT - /sbin/iptables -t mangle -P INPUT ACCEPT - /sbin/iptables -t mangle -P FORWARD ACCEPT - /sbin/iptables -t mangle -P OUTPUT ACCEPT - /sbin/iptables -t mangle -P POSTROUTING ACCEPT - elif [ $a == filter ]; then - /sbin/iptables -t filter -P INPUT ACCEPT - /sbin/iptables -t filter -P FORWARD ACCEPT - /sbin/iptables -t filter -P OUTPUT ACCEPT - fi - done - eend $? -} - -reload() { - ebegin "Flushing firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - done; - eend $? - start -} - diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/ipsec.conf index 37d23b1f5..8dc0daeb5 100755..100644 --- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/ipsec.conf @@ -1,8 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/iptables.rules new file mode 100644 index 000000000..1eb755354 --- /dev/null +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/iptables.rules @@ -0,0 +1,32 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow esp +-A INPUT -i eth0 -p 50 -j ACCEPT +-A OUTPUT -o eth0 -p 50 -j ACCEPT + +# allow IKE +-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow crl fetch from winnetou +-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT +-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + +# allow RADIUS protocol with alice +-A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT +-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT + +COMMIT diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/strongswan.conf index 2a18af887..aba7eefdf 100644 --- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius eap-identity updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius eap-identity updown plugins { eap-radius { secret = gv6URkSs diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/posttest.dat b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/posttest.dat index dbe56013a..6a4da6631 100644 --- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/posttest.dat +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/posttest.dat @@ -1,7 +1,4 @@ moon::ipsec stop carol::ipsec stop dave::ipsec stop -alice::/etc/init.d/radiusd stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null -dave::/etc/init.d/iptables stop 2> /dev/null +alice::killall radiusd diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/pretest.dat b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/pretest.dat index b3fd4cbf1..2d54c6027 100644 --- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/pretest.dat +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/pretest.dat @@ -1,11 +1,8 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null -dave::/etc/init.d/iptables start 2> /dev/null -alice::cat /etc/raddb/clients.conf -alice::cat /etc/raddb/eap.conf -alice::cat /etc/raddb/proxy.conf -alice::cat /etc/raddb/triplets.dat -alice::/etc/init.d/radiusd start +alice::cat /etc/freeradius/clients.conf +alice::cat /etc/freeradius/eap.conf +alice::cat /etc/freeradius/proxy.conf +alice::cat /etc/freeradius/triplets.dat +alice::radiusd moon::ipsec start carol::ipsec start dave::ipsec start diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/test.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/test.conf index 70416826e..42d23a50b 100644 --- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/test.conf +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/test.conf @@ -1,21 +1,25 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon carol winnetou dave" +VIRTHOSTS="alice moon carol winnetou dave" # Corresponding block diagram # DIAGRAM="a-m-c-w-d.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" + +# Guest instances on which FreeRadius is started +# +RADIUSHOSTS="alice" diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/evaltest.dat b/testing/tests/ikev2/multi-level-ca-cr-init/evaltest.dat index d2453bbee..03426ac44 100644 --- a/testing/tests/ikev2/multi-level-ca-cr-init/evaltest.dat +++ b/testing/tests/ikev2/multi-level-ca-cr-init/evaltest.dat @@ -1,12 +1,12 @@ carol::cat /var/log/daemon.log::sending issuer cert.*CN=Research CA::YES -dave::cat /var/log/daemon.log::sending issuer cert.*CN=Sales CA::YES -moon::cat /var/log/daemon.log::fetching crl from.*http.*research.crl::YES -moon::cat /var/log/daemon.log::crl correctly signed by.*Research CA::YES -moon::cat /var/log/daemon.log::fetching crl from.*http.*sales.crl::YES -moon::cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES -moon::cat /var/log/daemon.log::fetching crl from.*http.*strongswan.crl::YES -moon::cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES -carol::ipsec status::alice.*INSTALLED::YES -moon::ipsec status::alice.*ESTABLISHED.*carol@strongswan.org::YES -dave::ipsec status::venus.*INSTALLED::YES -moon::ipsec status::venus.*ESTABLISHED.*dave@strongswan.org::YES +dave:: cat /var/log/daemon.log::sending issuer cert.*CN=Sales CA::YES +moon:: cat /var/log/daemon.log::fetching crl from.*http.*research.crl::YES +moon:: cat /var/log/daemon.log::crl correctly signed by.*Research CA::YES +moon:: cat /var/log/daemon.log::fetching crl from.*http.*sales.crl::YES +moon:: cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES +moon:: cat /var/log/daemon.log::fetching crl from.*http.*strongswan.crl::YES +moon:: cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES +carol::ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::alice.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +dave:: ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::venus.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/ipsec.conf index a8a6d2b8f..7f045801e 100755..100644 --- a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/strongswan.conf index 88f162098..85d8c191f 100644 --- a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/ipsec.conf index 8647ac813..9306bf9ec 100755..100644 --- a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/strongswan.conf index 88f162098..85d8c191f 100644 --- a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/moon/etc/ipsec.conf index 4c84d183b..776b5a5b3 100755..100644 --- a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/moon/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no ca strongswan cacert=strongswanCert.pem diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/moon/etc/strongswan.conf index 88f162098..85d8c191f 100644 --- a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/pretest.dat b/testing/tests/ikev2/multi-level-ca-cr-init/pretest.dat index c8e7adcb7..2eebc0f84 100644 --- a/testing/tests/ikev2/multi-level-ca-cr-init/pretest.dat +++ b/testing/tests/ikev2/multi-level-ca-cr-init/pretest.dat @@ -1,4 +1,3 @@ -moon::echo 1 > /proc/sys/net/ipv4/ip_forward carol::ipsec start dave::ipsec start moon::ipsec start diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/test.conf b/testing/tests/ikev2/multi-level-ca-cr-init/test.conf index 08e5cc145..9bb88d79f 100644 --- a/testing/tests/ikev2/multi-level-ca-cr-init/test.conf +++ b/testing/tests/ikev2/multi-level-ca-cr-init/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice venus moon carol winnetou dave" +VIRTHOSTS="alice venus moon carol winnetou dave" # Corresponding block diagram # DIAGRAM="a-v-m-c-w-d.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/evaltest.dat b/testing/tests/ikev2/multi-level-ca-cr-resp/evaltest.dat index 4b827b4dd..dcd271772 100644 --- a/testing/tests/ikev2/multi-level-ca-cr-resp/evaltest.dat +++ b/testing/tests/ikev2/multi-level-ca-cr-resp/evaltest.dat @@ -1,12 +1,12 @@ carol::cat /var/log/daemon.log::sending issuer cert.*CN=Research CA::YES -dave::cat /var/log/daemon.log::sending issuer cert.*CN=Sales CA::YES -moon::cat /var/log/daemon.log::fetching crl from.*http.*research.crl::YES -moon::cat /var/log/daemon.log::crl correctly signed by.*Research CA::YES -moon::cat /var/log/daemon.log::fetching crl from.*http.*sales.crl::YES -moon::cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES -moon::cat /var/log/daemon.log::fetching crl from.*http.*strongswan.crl::YES -moon::cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES -carol::ipsec status::alice.*INSTALLED::YES -moon::ipsec status::alice.*INSTALLED::YES -dave::ipsec status::venus.*INSTALLED::YES -moon::ipsec status::venus.*INSTALLED::YES +dave:: cat /var/log/daemon.log::sending issuer cert.*CN=Sales CA::YES +moon:: cat /var/log/daemon.log::fetching crl from.*http.*research.crl::YES +moon:: cat /var/log/daemon.log::crl correctly signed by.*Research CA::YES +moon:: cat /var/log/daemon.log::fetching crl from.*http.*sales.crl::YES +moon:: cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES +moon:: cat /var/log/daemon.log::fetching crl from.*http.*strongswan.crl::YES +moon:: cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES +carol::ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::YES +dave:: ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::YES diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.conf index 9031a948c..5ee8ba076 100755..100644 --- a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/strongswan.conf index 88f162098..85d8c191f 100644 --- a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.conf index 0168be8e1..391bc91a6 100755..100644 --- a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/strongswan.conf index 88f162098..85d8c191f 100644 --- a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/moon/etc/ipsec.conf index 75138581e..565d0d829 100755..100644 --- a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/moon/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no ca strongswan cacert=strongswanCert.pem diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/moon/etc/strongswan.conf index 88f162098..85d8c191f 100644 --- a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/pretest.dat b/testing/tests/ikev2/multi-level-ca-cr-resp/pretest.dat index f15265e32..86dd31e83 100644 --- a/testing/tests/ikev2/multi-level-ca-cr-resp/pretest.dat +++ b/testing/tests/ikev2/multi-level-ca-cr-resp/pretest.dat @@ -1,4 +1,3 @@ -moon::echo 1 > /proc/sys/net/ipv4/ip_forward carol::ipsec start dave::ipsec start moon::ipsec start diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/test.conf b/testing/tests/ikev2/multi-level-ca-cr-resp/test.conf index 08e5cc145..9bb88d79f 100644 --- a/testing/tests/ikev2/multi-level-ca-cr-resp/test.conf +++ b/testing/tests/ikev2/multi-level-ca-cr-resp/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice venus moon carol winnetou dave" +VIRTHOSTS="alice venus moon carol winnetou dave" # Corresponding block diagram # DIAGRAM="a-v-m-c-w-d.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev2/multi-level-ca-ldap/evaltest.dat b/testing/tests/ikev2/multi-level-ca-ldap/evaltest.dat index 4a1c7208b..4abcde1e8 100644 --- a/testing/tests/ikev2/multi-level-ca-ldap/evaltest.dat +++ b/testing/tests/ikev2/multi-level-ca-ldap/evaltest.dat @@ -1,19 +1,19 @@ -moon::cat /var/log/daemon.log::fetching crl from.*ldap.*Research CA::YES -moon::cat /var/log/daemon.log::crl correctly signed by.*Research CA::YES -moon::cat /var/log/daemon.log::fetching crl from.*ldap.*Sales CA::YES -moon::cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES -moon::cat /var/log/daemon.log::fetching crl from.*ldap.*strongSwan Root CA::YES -moon::cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES -carol::ipsec status::alice.*INSTALLED::YES -moon::ipsec status::alice.*ESTABLISHED.*carol@strongswan.org::YES +moon:: cat /var/log/daemon.log::fetching crl from.*ldap.*Research CA::YES +moon:: cat /var/log/daemon.log::crl correctly signed by.*Research CA::YES +moon:: cat /var/log/daemon.log::fetching crl from.*ldap.*Sales CA::YES +moon:: cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES +moon:: cat /var/log/daemon.log::fetching crl from.*ldap.*strongSwan Root CA::YES +moon:: cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES +carol::ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::alice.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES carol::cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES -carol::ipsec status::venus.*INSTALLED::NO -moon::ipsec status::venus.*ESTABLISHED.*carol@strongswan.org::NO -moon::cat /var/log/daemon.log::constraint check failed: peer not authenticated by.*Research CA::YES -moon::cat /var/log/daemon.log::selected peer config.*alice.*inacceptable::YES -moon::cat /var/log/daemon.log::switching to peer config.*venus::YES -dave::ipsec status::venus.*INSTALLED::YES -moon::ipsec status::venus.*ESTABLISHED.*dave@strongswan.org::YES -dave::cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES -dave::ipsec status::alice.*INSTALLED::NO -moon::ipsec status::alice.*ESTABLISHED.*dave@strongswan.org::NO +carol::ipsec status 2> /dev/null::venus.*INSTALLED::NO +moon:: ipsec status 2> /dev/null::venus.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::NO +moon:: cat /var/log/daemon.log::constraint check failed: peer not authenticated by.*Research CA::YES +moon:: cat /var/log/daemon.log::selected peer config.*alice.*inacceptable::YES +moon:: cat /var/log/daemon.log::switching to peer config.*venus::YES +dave:: ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::venus.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES +dave:: cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES +dave:: ipsec status 2> /dev/null::alice.*INSTALLED::NO +moon:: ipsec status 2> /dev/null::alice.*moon.strongswan.org.*ESTABLISHED.*dave@strongswan.org::NO diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/ipsec.conf index 39996cf42..995b347cf 100755..100644 --- a/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/ipsec.conf @@ -1,9 +1,7 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 strictcrlpolicy=yes - plutostart=no ca strongswan cacert=strongswanCert.pem diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf index bbe0d3aa7..91ded3733 100644 --- a/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = ldap aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default + load = ldap aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/ipsec.conf index e25636a7d..320c0713c 100755..100644 --- a/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/ipsec.conf @@ -1,9 +1,7 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 strictcrlpolicy=yes - plutostart=no ca strongswan cacert=strongswanCert.pem diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf index bbe0d3aa7..91ded3733 100644 --- a/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = ldap aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default + load = ldap aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/init.d/iptables deleted file mode 100755 index 4f4f3228b..000000000 --- a/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/init.d/iptables +++ /dev/null @@ -1,80 +0,0 @@ -#!/sbin/runscript -# Copyright 1999-2004 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 - -opts="start stop reload" - -depend() { - before net - need logger -} - -start() { - ebegin "Starting firewall" - - # enable IP forwarding - echo 1 > /proc/sys/net/ipv4/ip_forward - - # default policy is DROP - /sbin/iptables -P INPUT DROP - /sbin/iptables -P OUTPUT DROP - /sbin/iptables -P FORWARD DROP - - # allow esp - iptables -A INPUT -i eth0 -p 50 -j ACCEPT - iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT - - # allow IKE - iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT - - # allow MobIKE - iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT - - # allow ldap crl fetch from winnetou - iptables -A INPUT -i eth0 -p tcp --sport 389 -s PH_IP_WINNETOU -j ACCEPT - iptables -A OUTPUT -o eth0 -p tcp --dport 389 -d PH_IP_WINNETOU -j ACCEPT - - # allow ssh - iptables -A INPUT -p tcp --dport 22 -j ACCEPT - iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT - - eend $? -} - -stop() { - ebegin "Stopping firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - - if [ $a == nat ]; then - /sbin/iptables -t nat -P PREROUTING ACCEPT - /sbin/iptables -t nat -P POSTROUTING ACCEPT - /sbin/iptables -t nat -P OUTPUT ACCEPT - elif [ $a == mangle ]; then - /sbin/iptables -t mangle -P PREROUTING ACCEPT - /sbin/iptables -t mangle -P INPUT ACCEPT - /sbin/iptables -t mangle -P FORWARD ACCEPT - /sbin/iptables -t mangle -P OUTPUT ACCEPT - /sbin/iptables -t mangle -P POSTROUTING ACCEPT - elif [ $a == filter ]; then - /sbin/iptables -t filter -P INPUT ACCEPT - /sbin/iptables -t filter -P FORWARD ACCEPT - /sbin/iptables -t filter -P OUTPUT ACCEPT - fi - done - eend $? -} - -reload() { - ebegin "Flushing firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - done; - eend $? - start -} - diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/ipsec.conf index 46f1030cd..e67c9afb0 100755..100644 --- a/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/ipsec.conf @@ -1,9 +1,7 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 strictcrlpolicy=yes - plutostart=no ca strongswan cacert=strongswanCert.pem diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/iptables.rules new file mode 100644 index 000000000..debcc2181 --- /dev/null +++ b/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/iptables.rules @@ -0,0 +1,28 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow esp +-A INPUT -i eth0 -p 50 -j ACCEPT +-A OUTPUT -o eth0 -p 50 -j ACCEPT + +# allow IKE +-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow ldap crl fetch from winnetou +-A INPUT -i eth0 -p tcp --sport 389 -s PH_IP_WINNETOU -j ACCEPT +-A OUTPUT -o eth0 -p tcp --dport 389 -d PH_IP_WINNETOU -j ACCEPT + +COMMIT diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf index cccd6ae27..d0c3f8c49 100644 --- a/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = ldap aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = ldap aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/multi-level-ca-ldap/posttest.dat b/testing/tests/ikev2/multi-level-ca-ldap/posttest.dat index ec4ba6e10..6f0ec4b97 100644 --- a/testing/tests/ikev2/multi-level-ca-ldap/posttest.dat +++ b/testing/tests/ikev2/multi-level-ca-ldap/posttest.dat @@ -3,5 +3,5 @@ carol::ipsec stop dave::ipsec stop moon::rm /etc/ipsec.d/cacerts/* winnetou::/etc/init.d/slapd stop -moon::/etc/init.d/iptables stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/multi-level-ca-ldap/pretest.dat b/testing/tests/ikev2/multi-level-ca-ldap/pretest.dat index 322f42102..41319ae4d 100644 --- a/testing/tests/ikev2/multi-level-ca-ldap/pretest.dat +++ b/testing/tests/ikev2/multi-level-ca-ldap/pretest.dat @@ -1,5 +1,5 @@ winnetou::/etc/init.d/slapd start -moon::/etc/init.d/iptables start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules carol::ipsec start dave::ipsec start moon::ipsec start diff --git a/testing/tests/ikev2/multi-level-ca-ldap/test.conf b/testing/tests/ikev2/multi-level-ca-ldap/test.conf index 08e5cc145..9bb88d79f 100644 --- a/testing/tests/ikev2/multi-level-ca-ldap/test.conf +++ b/testing/tests/ikev2/multi-level-ca-ldap/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice venus moon carol winnetou dave" +VIRTHOSTS="alice venus moon carol winnetou dave" # Corresponding block diagram # DIAGRAM="a-v-m-c-w-d.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev2/multi-level-ca-loop/evaltest.dat b/testing/tests/ikev2/multi-level-ca-loop/evaltest.dat index 6b77a8161..85bbe4ab9 100644 --- a/testing/tests/ikev2/multi-level-ca-loop/evaltest.dat +++ b/testing/tests/ikev2/multi-level-ca-loop/evaltest.dat @@ -1,4 +1,4 @@ -moon::cat /var/log/daemon.log::maximum path length of 7 exceeded::YES +moon:: cat /var/log/daemon.log::maximum path length of 7 exceeded::YES carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES -carol::ipsec status::alice.*INSTALLED::NO -moon::ipsec status::alice.*ESTABLISHED.*carol@strongswan.org::NO +carol::ipsec status 2> /dev/null::alice.*INSTALLED::NO +moon:: ipsec status 2> /dev/null::alice.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::NO diff --git a/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/ipsec.conf index 5c34528a4..991daafe1 100755..100644 --- a/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/ipsec.conf @@ -1,9 +1,7 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 strictcrlpolicy=yes - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/strongswan.conf index 88f162098..85d8c191f 100644 --- a/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/ipsec.conf index 96e493719..7721b2347 100755..100644 --- a/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/ipsec.conf @@ -1,9 +1,7 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 strictcrlpolicy=yes - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/strongswan.conf index 88f162098..85d8c191f 100644 --- a/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/multi-level-ca-loop/pretest.dat b/testing/tests/ikev2/multi-level-ca-loop/pretest.dat index 0a0ec22bf..bb538c160 100644 --- a/testing/tests/ikev2/multi-level-ca-loop/pretest.dat +++ b/testing/tests/ikev2/multi-level-ca-loop/pretest.dat @@ -1,4 +1,3 @@ -moon::echo 1 > /proc/sys/net/ipv4/ip_forward moon::rm /etc/ipsec.d/cacerts/strongswanCert.pem carol::ipsec start moon::ipsec start diff --git a/testing/tests/ikev2/multi-level-ca-loop/test.conf b/testing/tests/ikev2/multi-level-ca-loop/test.conf index 3189fdfc7..a24ec4f1d 100644 --- a/testing/tests/ikev2/multi-level-ca-loop/test.conf +++ b/testing/tests/ikev2/multi-level-ca-loop/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon carol winnetou dave" +VIRTHOSTS="alice moon carol winnetou dave" # Corresponding block diagram # DIAGRAM="a-m-c-w.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/evaltest.dat b/testing/tests/ikev2/multi-level-ca-pathlen/evaltest.dat index 266f0d0da..913e8f454 100644 --- a/testing/tests/ikev2/multi-level-ca-pathlen/evaltest.dat +++ b/testing/tests/ikev2/multi-level-ca-pathlen/evaltest.dat @@ -1,4 +1,4 @@ -moon::cat /var/log/daemon.log::path length of 2 violates constraint of 1::YES +moon:: cat /var/log/daemon.log::path length of 2 violates constraint of 1::YES carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES -carol::ipsec status::home.*INSTALLED::NO -moon::ipsec status::duck.*INSTALLED::NO +carol::ipsec status 2> /dev/null::home.*INSTALLED::NO +moon:: ipsec status 2> /dev/null::duck.*INSTALLED::NO diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/ipsec.conf index 64539ccc2..e8398629c 100755..100644 --- a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/ipsec.conf @@ -1,8 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/strongswan.conf index 47dab951f..bc90242f7 100644 --- a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random constraints x509 revocation hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce constraints x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/ipsec.conf index 528dda39b..4d1286f4f 100755..100644 --- a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/ipsec.conf @@ -1,8 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/strongswan.conf index 8335e51f6..77bd6782c 100644 --- a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation constraints hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation constraints hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/pretest.dat b/testing/tests/ikev2/multi-level-ca-pathlen/pretest.dat index 9f0232a7b..e209e60ff 100644 --- a/testing/tests/ikev2/multi-level-ca-pathlen/pretest.dat +++ b/testing/tests/ikev2/multi-level-ca-pathlen/pretest.dat @@ -1,4 +1,3 @@ -moon::echo 1 > /proc/sys/net/ipv4/ip_forward carol::ipsec start moon::ipsec start carol::sleep 2 diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/test.conf b/testing/tests/ikev2/multi-level-ca-pathlen/test.conf index b118cb7dc..587964390 100644 --- a/testing/tests/ikev2/multi-level-ca-pathlen/test.conf +++ b/testing/tests/ikev2/multi-level-ca-pathlen/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice venus moon carol winnetou" +VIRTHOSTS="alice venus moon carol winnetou" # Corresponding block diagram # DIAGRAM="a-m-c-w.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev2/multi-level-ca-revoked/evaltest.dat b/testing/tests/ikev2/multi-level-ca-revoked/evaltest.dat index 182f9e0fc..008ff2cf8 100644 --- a/testing/tests/ikev2/multi-level-ca-revoked/evaltest.dat +++ b/testing/tests/ikev2/multi-level-ca-revoked/evaltest.dat @@ -1,4 +1,4 @@ -moon::cat /var/log/daemon.log::certificate was revoked::YES +moon:: cat /var/log/daemon.log::certificate was revoked::YES carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES -moon::ipsec status::alice.*ESTABLISHED::NO -carol::ipsec status::home.*INSTALLED::NO +moon:: ipsec status 2> /dev/null::alice.*ESTABLISHED::NO +carol::ipsec status 2> /dev/null::home.*INSTALLED::NO diff --git a/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/ipsec.conf index a042da6d5..297e348ea 100755..100644 --- a/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/ipsec.conf @@ -1,9 +1,7 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 strictcrlpolicy=yes - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/strongswan.conf index 88f162098..85d8c191f 100644 --- a/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf index ef1beae7e..a3517967a 100755..100644 --- a/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf @@ -1,9 +1,7 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 strictcrlpolicy=yes - plutostart=no ca strongswan cacert=strongswanCert.pem diff --git a/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/strongswan.conf index 88f162098..85d8c191f 100644 --- a/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/multi-level-ca-revoked/test.conf b/testing/tests/ikev2/multi-level-ca-revoked/test.conf index 2b240d895..892f51cd9 100644 --- a/testing/tests/ikev2/multi-level-ca-revoked/test.conf +++ b/testing/tests/ikev2/multi-level-ca-revoked/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="moon carol winnetou" +VIRTHOSTS="moon carol winnetou" # Corresponding block diagram # DIAGRAM="m-c-w.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev2/multi-level-ca-strict/evaltest.dat b/testing/tests/ikev2/multi-level-ca-strict/evaltest.dat index a594745b7..90ee6a7a4 100644 --- a/testing/tests/ikev2/multi-level-ca-strict/evaltest.dat +++ b/testing/tests/ikev2/multi-level-ca-strict/evaltest.dat @@ -1,6 +1,6 @@ -carol::ipsec status::alice.*INSTALLED::YES -carol::ipsec status::venus.*INSTALLED::YES -moon::ipsec status::ESTABLISHED.*carol@strongswan.org::YES -dave::ipsec status::venus.*INSTALLED::YES -dave::ipsec status::alice.*INSTALLED::YES -moon::ipsec status::ESTABLISHED.*dave@strongswan.org::YES +carol::ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::YES +carol::ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +dave:: ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::YES +dave:: ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES diff --git a/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/ipsec.conf index 6fcc1578e..d65d37be2 100755..100644 --- a/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/ipsec.conf @@ -1,9 +1,7 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 strictcrlpolicy=yes - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/strongswan.conf index 88f162098..85d8c191f 100644 --- a/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/ipsec.conf index c4b41aa06..121f7d41a 100755..100644 --- a/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/ipsec.conf @@ -1,9 +1,7 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 strictcrlpolicy=yes - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/strongswan.conf index 88f162098..85d8c191f 100644 --- a/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/ipsec.conf index 9c02993e7..a49c833b8 100755..100644 --- a/testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/ipsec.conf @@ -1,9 +1,7 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 strictcrlpolicy=yes - plutostart=no ca strongswan cacert=strongswanCert.pem diff --git a/testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/strongswan.conf index 88f162098..85d8c191f 100644 --- a/testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/multi-level-ca-strict/pretest.dat b/testing/tests/ikev2/multi-level-ca-strict/pretest.dat index 67c50c2ef..755564cbc 100644 --- a/testing/tests/ikev2/multi-level-ca-strict/pretest.dat +++ b/testing/tests/ikev2/multi-level-ca-strict/pretest.dat @@ -1,4 +1,3 @@ -moon::echo 1 > /proc/sys/net/ipv4/ip_forward carol::ipsec start dave::ipsec start moon::ipsec start diff --git a/testing/tests/ikev2/multi-level-ca-strict/test.conf b/testing/tests/ikev2/multi-level-ca-strict/test.conf index 08e5cc145..9bb88d79f 100644 --- a/testing/tests/ikev2/multi-level-ca-strict/test.conf +++ b/testing/tests/ikev2/multi-level-ca-strict/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice venus moon carol winnetou dave" +VIRTHOSTS="alice venus moon carol winnetou dave" # Corresponding block diagram # DIAGRAM="a-v-m-c-w-d.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev2/multi-level-ca/evaltest.dat b/testing/tests/ikev2/multi-level-ca/evaltest.dat index b0814556d..e1c5be4ed 100644 --- a/testing/tests/ikev2/multi-level-ca/evaltest.dat +++ b/testing/tests/ikev2/multi-level-ca/evaltest.dat @@ -1,19 +1,19 @@ -moon::cat /var/log/daemon.log::fetching crl from.*http.*research.crl::YES -moon::cat /var/log/daemon.log::crl correctly signed by.*Research CA::YES -moon::cat /var/log/daemon.log::fetching crl from.*http.*sales.crl::YES -moon::cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES -moon::cat /var/log/daemon.log::fetching crl from.*http.*strongswan.crl::YES -moon::cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES -carol::ipsec status::alice.*INSTALLED::YES -moon::ipsec status::alice.*ESTABLISHED.*carol@strongswan.org::YES +moon:: cat /var/log/daemon.log::fetching crl from.*http.*research.crl::YES +moon:: cat /var/log/daemon.log::crl correctly signed by.*Research CA::YES +moon:: cat /var/log/daemon.log::fetching crl from.*http.*sales.crl::YES +moon:: cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES +moon:: cat /var/log/daemon.log::fetching crl from.*http.*strongswan.crl::YES +moon:: cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES +carol::ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::alice.*ESTABLISHED.*carol@strongswan.org::YES carol::cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES -carol::ipsec status::venus.*INSTALLED::NO -moon::ipsec status::venus.*ESTABLISHED.*carol@strongswan.org::NO -moon::cat /var/log/daemon.log::constraint check failed: peer not authenticated by.*Research CA::YES -moon::cat /var/log/daemon.log::selected peer config.*alice.*inacceptable::YES -moon::cat /var/log/daemon.log::switching to peer config.*venus::YES -dave::ipsec status::venus.*INSTALLED::YES -moon::ipsec status::venus.*ESTABLISHED.*dave@strongswan.org::YES -dave::cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES -dave::ipsec status::alice.*INSTALLED::NO -moon::ipsec status::alice.*ESTABLISHED.*dave@strongswan.org::NO +carol::ipsec status 2> /dev/null::venus.*INSTALLED::NO +moon:: ipsec status 2> /dev/null::venus.*ESTABLISHED.*carol@strongswan.org::NO +moon:: cat /var/log/daemon.log::constraint check failed: peer not authenticated by.*Research CA::YES +moon:: cat /var/log/daemon.log::selected peer config.*alice.*inacceptable::YES +moon:: cat /var/log/daemon.log::switching to peer config.*venus::YES +dave:: ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::venus.*ESTABLISHED.*dave@strongswan.org::YES +dave:: cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES +dave:: ipsec status 2> /dev/null::alice.*INSTALLED::NO +moon:: ipsec status 2> /dev/null::alice.*ESTABLISHED.*dave@strongswan.org::NO diff --git a/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/ipsec.conf index 174e248c2..909118fb1 100755..100644 --- a/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/strongswan.conf index 88f162098..85d8c191f 100644 --- a/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/ipsec.conf index 5c90dd4a2..95777460e 100755..100644 --- a/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/strongswan.conf index 88f162098..85d8c191f 100644 --- a/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/ipsec.conf index d0240a333..3a5aaa6b6 100755..100644 --- a/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no ca strongswan cacert=strongswanCert.pem diff --git a/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/strongswan.conf index 88f162098..85d8c191f 100644 --- a/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/multi-level-ca/pretest.dat b/testing/tests/ikev2/multi-level-ca/pretest.dat index 67c50c2ef..755564cbc 100644 --- a/testing/tests/ikev2/multi-level-ca/pretest.dat +++ b/testing/tests/ikev2/multi-level-ca/pretest.dat @@ -1,4 +1,3 @@ -moon::echo 1 > /proc/sys/net/ipv4/ip_forward carol::ipsec start dave::ipsec start moon::ipsec start diff --git a/testing/tests/ikev2/multi-level-ca/test.conf b/testing/tests/ikev2/multi-level-ca/test.conf index 08e5cc145..9bb88d79f 100644 --- a/testing/tests/ikev2/multi-level-ca/test.conf +++ b/testing/tests/ikev2/multi-level-ca/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice venus moon carol winnetou dave" +VIRTHOSTS="alice venus moon carol winnetou dave" # Corresponding block diagram # DIAGRAM="a-v-m-c-w-d.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev2/nat-one-rw/description.txt b/testing/tests/ikev2/nat-one-rw/description.txt deleted file mode 100644 index c3b9bb820..000000000 --- a/testing/tests/ikev2/nat-one-rw/description.txt +++ /dev/null @@ -1,5 +0,0 @@ -The roadwarrior <b>alice</b> sitting behind the NAT router <b>moon</b> sets up a tunnel to -gateway <b>sun</b>. UDP encapsulation is used to traverse the NAT router. -<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass -the tunneled traffic. In order to test the tunnel, the NAT-ed host <b>alice</b> pings the -client <b>bob</b> behind the gateway <b>sun</b>. diff --git a/testing/tests/ikev2/nat-one-rw/evaltest.dat b/testing/tests/ikev2/nat-one-rw/evaltest.dat deleted file mode 100644 index 7395e5571..000000000 --- a/testing/tests/ikev2/nat-one-rw/evaltest.dat +++ /dev/null @@ -1,5 +0,0 @@ -alice::ipsec statusall::nat-t.*INSTALLED::YES -sun::ipsec statusall::nat-t.*INSTALLED::YES -alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES -moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP::YES -moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP::YES diff --git a/testing/tests/ikev2/nat-one-rw/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/nat-one-rw/hosts/alice/etc/strongswan.conf deleted file mode 100644 index 6d9e62e1d..000000000 --- a/testing/tests/ikev2/nat-one-rw/hosts/alice/etc/strongswan.conf +++ /dev/null @@ -1,6 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - keep_alive = 1d - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown -} diff --git a/testing/tests/ikev2/nat-one-rw/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/nat-one-rw/hosts/sun/etc/strongswan.conf deleted file mode 100644 index 339b56987..000000000 --- a/testing/tests/ikev2/nat-one-rw/hosts/sun/etc/strongswan.conf +++ /dev/null @@ -1,5 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown -} diff --git a/testing/tests/ikev2/nat-one-rw/posttest.dat b/testing/tests/ikev2/nat-one-rw/posttest.dat deleted file mode 100644 index cd0d4df25..000000000 --- a/testing/tests/ikev2/nat-one-rw/posttest.dat +++ /dev/null @@ -1,6 +0,0 @@ -alice::ipsec stop -sun::ipsec stop -alice::/etc/init.d/iptables stop 2> /dev/null -sun::/etc/init.d/iptables stop 2> /dev/null -moon::iptables -t nat -F -moon::conntrack -F diff --git a/testing/tests/ikev2/nat-one-rw/pretest.dat b/testing/tests/ikev2/nat-one-rw/pretest.dat deleted file mode 100644 index a4f5ecd79..000000000 --- a/testing/tests/ikev2/nat-one-rw/pretest.dat +++ /dev/null @@ -1,12 +0,0 @@ -alice::/etc/init.d/iptables start 2> /dev/null -sun::/etc/init.d/iptables start 2> /dev/null -moon::conntrack -F -moon::echo 1 > /proc/sys/net/ipv4/ip_forward -moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100 -moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100 -alice::ipsec start -sun::ipsec start -alice::sleep 4 -alice::ipsec up nat-t -alice::sleep 1 - diff --git a/testing/tests/ikev2/nat-one-rw/test.conf b/testing/tests/ikev2/nat-one-rw/test.conf deleted file mode 100644 index d84149aaf..000000000 --- a/testing/tests/ikev2/nat-one-rw/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# UML instances used for this test - -# All UML instances that are required for this test -# -UMLHOSTS="alice moon winnetou sun bob" - -# Corresponding block diagram -# -DIAGRAM="a-m-w-s-b.png" - -# UML instances on which tcpdump is to be started -# -TCPDUMPHOSTS="moon" - -# UML instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="alice sun" diff --git a/testing/tests/ikev2/nat-portswitch/description.txt b/testing/tests/ikev2/nat-portswitch/description.txt deleted file mode 100644 index 93b779ee1..000000000 --- a/testing/tests/ikev2/nat-portswitch/description.txt +++ /dev/null @@ -1,6 +0,0 @@ -The roadwarrior <b>alice</b> sitting behind the NAT router <b>moon</b> sets up a connection -to gateway <b>sun</b> using IKEv2. UDP encapsulation is used to traverse the NAT router. -The authentication is based on locally loaded <b>X.509 certificates</b>. -After the IPsec Setup NAT router moon "crashes" (i.e. flushes its conntrack -table) and with the next dpd sent from <b>alice</b> a dynamical address update -should occur in gateway <b>sun</b>. diff --git a/testing/tests/ikev2/nat-portswitch/evaltest.dat b/testing/tests/ikev2/nat-portswitch/evaltest.dat deleted file mode 100644 index 75b01a551..000000000 --- a/testing/tests/ikev2/nat-portswitch/evaltest.dat +++ /dev/null @@ -1,10 +0,0 @@ -sun::ipsec statusall::rw-alice.*ESTABLISHED::YES -alice::ipsec statusall::home.*ESTABLISHED::YES -moon::cmd::iptables -t nat -F::YES -moon::cmd::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:3024-3100::YES -moon::cmd::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:4000-4100::YES -moon::cmd::conntrack -F::YES -alice::cmd::sleep 75::YES -bob::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP, length: 132::YES -moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP, length: 132::YES diff --git a/testing/tests/ikev2/nat-portswitch/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/nat-portswitch/hosts/alice/etc/ipsec.conf deleted file mode 100644 index cd9de533a..000000000 --- a/testing/tests/ikev2/nat-portswitch/hosts/alice/etc/ipsec.conf +++ /dev/null @@ -1,17 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -version 2.0 # conforms to second version of ipsec.conf specification - -config setup - plutostart=no - -conn home - left=PH_IP_ALICE - leftcert=aliceCert.pem - leftid=alice@strongswan.org - right=PH_IP_SUN - rightcert=sunCert.pem - rightid=@sun.strongswan.org - rightsubnet=10.2.0.0/16 - keyexchange=ikev2 - auto=add diff --git a/testing/tests/ikev2/nat-portswitch/hosts/alice/etc/ipsec.d/certs/sunCert.pem b/testing/tests/ikev2/nat-portswitch/hosts/alice/etc/ipsec.d/certs/sunCert.pem deleted file mode 100644 index e7825e3db..000000000 --- a/testing/tests/ikev2/nat-portswitch/hosts/alice/etc/ipsec.d/certs/sunCert.pem +++ /dev/null @@ -1,24 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIECzCCAvOgAwIBAgIBAjANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ -MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS -b290IENBMB4XDTA0MDkxMDExMTU1M1oXDTA5MDkwOTExMTU1M1owRTELMAkGA1UE -BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN1bi5z -dHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOQ8 -foB9h5BZ92gA5JkQTJNuoF6FAzoq91Gh7To27/g74p01+SUnsSaBfPmNfGp4avdS -Ewy2dWMA/7uj0Dbe8MEKssNztp0JQubp2s7n8mrrQLGsqB6YAS09l75XDjS3yqTC -AtH1kD4zAl/j/AyeQBuLR4CyJEmC/rqD3/a+pr42CaljuFBgBRpCTUpU4mlslZSe -zv9wu61PwTFxb8VDlBHUd/lwkXThKgU3uEhWRxLahpSldEGmiTTmx30k/XbOMF2n -HObEHt5EY9uWRGGbj81ZRWiNk0dNtbpneUHv/NvdWLc591M8cEGEQdWW2XTVbL2G -N67q8hdzGgIvb7QJPMcCAwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQD -AgOoMB0GA1UdDgQWBBQ9xLkyCBbyQmRet0vvV1Fg6z5q2DBtBgNVHSMEZjBkgBRd -p91wBlEyfue2bbO15eBg6i5N76FJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoT -EExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIB -ADAdBgNVHREEFjAUghJzdW4uc3Ryb25nc3dhbi5vcmcwOQYDVR0fBDIwMDAuoCyg -KoYoaHR0cDovL2NybC5zdHJvbmdzd2FuLm9yZy9zdHJvbmdzd2FuLmNybDANBgkq -hkiG9w0BAQQFAAOCAQEAGQQroiAa0SwwhJprGd7OM+rfBJAGbsa3DPzFCfHX1R7i -ZyDs9aph1DK+IgUa377Ev1U7oB0EldpmOoJJugCjtNLfpW3t1RXBERL/QfpO2+VP -Wt3SfZ0Oq48jiqB1MVLMZRPCICZEQjT4sJ3HYs5ZuucuvoxeMx3rQ4HxUtHtMD3S -5JNMwFFiOXAjyIyrTlb7YuRJTT5hE+Rms8GUQ5Xnt7zKZ7yfoSLFzy0/cLFPdQvE -JA7w8crODCZpDgEKVHVyUWuyt1O46N3ydUfDcnKJoQ9HWHm3xCbDex5MHTnvm1lk -Stx71CGM7TE6VPy028UlrSw0JqEwCVwstei2cMzwgA== ------END CERTIFICATE----- diff --git a/testing/tests/ikev2/nat-portswitch/hosts/sun/etc/ipsec.d/certs/aliceCert.pem b/testing/tests/ikev2/nat-portswitch/hosts/sun/etc/ipsec.d/certs/aliceCert.pem deleted file mode 100644 index e99ae8ec7..000000000 --- a/testing/tests/ikev2/nat-portswitch/hosts/sun/etc/ipsec.d/certs/aliceCert.pem +++ /dev/null @@ -1,25 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEHzCCAwegAwIBAgIBBTANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ -MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS -b290IENBMB4XDTA0MDkxMDExMjQzOVoXDTA5MDkwOTExMjQzOVowVzELMAkGA1UE -BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsTBVNhbGVz -MR0wGwYDVQQDFBRhbGljZUBzdHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcNAQEB -BQADggEPADCCAQoCggEBAK7FyvkE18/oujCaTd8GXBNOH+Cvoy0ibJ8j2sNsBrer -GS1lgxRs8zaVfK9fosadu0UZeWIHsOKkew5469sPvkKK2SGGH+pu+x+xO/vuaEG4 -FlkAu8iGFWLQycLt6BJfcqw7FT8rwNuD18XXBXmP7hRavi/TEElbVYHbO7lm8T5W -6hTr/sYddiSB7X9/ba7JBy6lxmBcUAx5bjiiHLaW/llefkqyhc6dw5nvPZ2DchvH -v/HWvLF9bsvxbBkHU0/z/CEsRuMBI7EPEL4rx3UqmuCUAqiMJTS3IrDaIlfJOLWc -KlbsnE6hHpwmt9oDB9iWBY9WeZUSAtJGFw4b7FCZvQ0CAwEAAaOCAQYwggECMAkG -A1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBRZmh0JtiNTjBsQsfD7ECNa -60iG2jBtBgNVHSMEZjBkgBRdp91wBlEyfue2bbO15eBg6i5N76FJpEcwRTELMAkG -A1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0 -cm9uZ1N3YW4gUm9vdCBDQYIBADAfBgNVHREEGDAWgRRhbGljZUBzdHJvbmdzd2Fu -Lm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3Jn -L3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBBAUAA4IBAQADdQIlJkFtmHEjtuyo -2aIcrsUx98FtvVgB7RpQB8JZlly7UEjvX0CIIvW/7Al5/8h9s1rhrRffX7nXQKAQ -AmPnvD2Pp47obDnHqm/L109S1fcL5BiPN1AlgsseUBwzdqBpyRncPXZoAuBh/BU5 -D/1Dip0hXgB/X6+QymSzRJoSKfpeXVICj1kYH1nIkn0YXthYF3BTrCheCzBlKn0S -CixbCUYsUjtSqld0nG76jyGb/gnWntNettH+RXWe1gm6qREJwfEFdeYviTqx2Uxi -6sBKG/XjNAcMArXb7V6w0YAwCyjwCl49B+mLZaFH+9izzBJ7NyVqhH8ToB1gt0re -JGhV ------END CERTIFICATE----- diff --git a/testing/tests/ikev2/nat-portswitch/posttest.dat b/testing/tests/ikev2/nat-portswitch/posttest.dat deleted file mode 100644 index 3b9f53e9b..000000000 --- a/testing/tests/ikev2/nat-portswitch/posttest.dat +++ /dev/null @@ -1,6 +0,0 @@ -sun::ipsec stop -alice::ipsec stop -sun::rm /etc/ipsec.d/certs/* -alice::rm /etc/ipsec.d/certs/* -moon::iptables -t nat -F -moon::conntrack -F diff --git a/testing/tests/ikev2/nat-portswitch/pretest.dat b/testing/tests/ikev2/nat-portswitch/pretest.dat deleted file mode 100644 index 17cc4b070..000000000 --- a/testing/tests/ikev2/nat-portswitch/pretest.dat +++ /dev/null @@ -1,9 +0,0 @@ -sun::echo 1 > /proc/sys/net/ipv4/ip_forward -moon::echo 1 > /proc/sys/net/ipv4/ip_forward -moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100 -moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100 -sun::ipsec start -alice::ipsec start -alice::sleep 1 -alice::ipsec up home -alice::sleep 1 diff --git a/testing/tests/ikev2/nat-portswitch/test.conf b/testing/tests/ikev2/nat-portswitch/test.conf deleted file mode 100644 index d84149aaf..000000000 --- a/testing/tests/ikev2/nat-portswitch/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# UML instances used for this test - -# All UML instances that are required for this test -# -UMLHOSTS="alice moon winnetou sun bob" - -# Corresponding block diagram -# -DIAGRAM="a-m-w-s-b.png" - -# UML instances on which tcpdump is to be started -# -TCPDUMPHOSTS="moon" - -# UML instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="alice sun" diff --git a/testing/tests/ikev2/nat-two-rw-mark/description.txt b/testing/tests/ikev2/nat-rw-mark/description.txt index 2a93d11d8..b8074e665 100644 --- a/testing/tests/ikev2/nat-two-rw-mark/description.txt +++ b/testing/tests/ikev2/nat-rw-mark/description.txt @@ -1,7 +1,7 @@ The roadwarriors <b>alice</b> and <b>venus</b> sitting behind the NAT router <b>moon</b> set up tunnels to gateway <b>sun</b>. UDP encapsulation is used to traverse the NAT router. Since both roadwarriors possess the same 10.1.0.0/25 subnet, gateway <b>sun</b> uses Source NAT -after ESP decryption to map these subnets to 10.3.0.10 and 10.3.0.20, respectively. +after ESP decryption to map these subnets to PH_IP_CAROL10 and PH_IP_DAVE10, respectively. <p/> In order to differentiate between the tunnels to <b>alice</b> and <b>venus</b>, respectively, <b>XFRM marks</b> are defined for both the inbound and outbound IPsec SAs and policies using diff --git a/testing/tests/ikev2/nat-rw-mark/evaltest.dat b/testing/tests/ikev2/nat-rw-mark/evaltest.dat new file mode 100644 index 000000000..bb8e856cc --- /dev/null +++ b/testing/tests/ikev2/nat-rw-mark/evaltest.dat @@ -0,0 +1,18 @@ +alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*sun.strongswan.org::YES +venus::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*venus.strongswan.org.*sun.strongswan.org::YES +alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES +venus::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES +sun:: ipsec status 2> /dev/null::alice.*ESTABLISHED.*sun.strongswan.org.*alice@strongswan.org::YES +sun:: ipsec status 2> /dev/null::venus.*ESTABLISHED.*sun.strongswan.org.*venus.strongswan.org::YES +sun:: ipsec statusall 2> /dev/null::alice.*10.2.0.0/16 === 10.1.0.0/25::YES +sun:: ipsec statusall 2> /dev/null::venus.*10.2.0.0/16 === 10.1.0.0/25::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES +venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES +moon::tcpdump::IP moon.strongswan.org.4510.* > sun.strongswan.org.4500: UDP::YES +moon::tcpdump::IP moon.strongswan.org.4520.* > sun.strongswan.org.4500: UDP::YES +moon::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.4510.*: UDP::YES +moon::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.4520.*: UDP::YES +bob::tcpdump::PH_IP_CAROL10 > bob.strongswan.org: ICMP echo request::YES +bob::tcpdump::PH_IP_DAVE10 > bob.strongswan.org: ICMP echo request::YES +bob::tcpdump::bob.strongswan.org > PH_IP_CAROL10: ICMP echo reply::YES +bob::tcpdump::bob.strongswan.org > PH_IP_DAVE10: ICMP echo reply::YES diff --git a/testing/tests/ikev2/nat-two-rw-mark/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/nat-rw-mark/hosts/alice/etc/ipsec.conf index 0f7c23845..4c29a07d5 100755..100644 --- a/testing/tests/ikev2/nat-two-rw-mark/hosts/alice/etc/ipsec.conf +++ b/testing/tests/ikev2/nat-rw-mark/hosts/alice/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/nat-rw-mark/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/nat-rw-mark/hosts/alice/etc/strongswan.conf new file mode 100644 index 000000000..dc937641c --- /dev/null +++ b/testing/tests/ikev2/nat-rw-mark/hosts/alice/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ikev2/nat-two-rw-mark/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/ipsec.conf index ae4644c4b..aac963e91 100755..100644 --- a/testing/tests/ikev2/nat-two-rw-mark/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no charondebug="knl 2" conn %default diff --git a/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/iptables.rules b/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/iptables.rules new file mode 100644 index 000000000..ae8f9a61e --- /dev/null +++ b/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/iptables.rules @@ -0,0 +1,24 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow IKE +-A INPUT -i eth0 -p udp --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow crl fetch from winnetou +-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT +-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + +COMMIT diff --git a/testing/tests/ikev2/nat-two-rw-mark/hosts/sun/etc/mark_updown b/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/mark_updown index 0d22e684d..421335ffb 100755 --- a/testing/tests/ikev2/nat-two-rw-mark/hosts/sun/etc/mark_updown +++ b/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/mark_updown @@ -73,8 +73,12 @@ # just the host, this will be 255.255.255.255. # # PLUTO_MY_SOURCEIP -# if non-empty, then the source address for the route will be -# set to this IP address. +# PLUTO_MY_SOURCEIP4_$i +# PLUTO_MY_SOURCEIP6_$i +# contains IPv4/IPv6 virtual IP received from a responder, +# $i enumerates from 1 to the number of IP per address family. +# PLUTO_MY_SOURCEIP is a legacy variable and equals to the first +# virtual IP, IPv4 or IPv6. # # PLUTO_MY_PROTOCOL # is the IP protocol that will be transported. @@ -128,9 +132,15 @@ # contains the remote UDP port in the case of ESP_IN_UDP # encapsulation # +# PLUTO_DNS4_$i +# PLUTO_DNS6_$i +# contains IPv4/IPv6 DNS server attribute received from a +# responder, $i enumerates from 1 to the number of servers per +# address family. +# # define a minimum PATH environment in case it is not set -PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin" +PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin:/usr/local/sbin" export PATH # uncomment to log VPN connections diff --git a/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..dc937641c --- /dev/null +++ b/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ikev2/nat-two-rw-mark/hosts/venus/etc/ipsec.conf b/testing/tests/ikev2/nat-rw-mark/hosts/venus/etc/ipsec.conf index c82c3e978..38ef469c5 100755..100644 --- a/testing/tests/ikev2/nat-two-rw-mark/hosts/venus/etc/ipsec.conf +++ b/testing/tests/ikev2/nat-rw-mark/hosts/venus/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/nat-rw-mark/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2/nat-rw-mark/hosts/venus/etc/strongswan.conf new file mode 100644 index 000000000..dc937641c --- /dev/null +++ b/testing/tests/ikev2/nat-rw-mark/hosts/venus/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ikev2/nat-rw-mark/posttest.dat b/testing/tests/ikev2/nat-rw-mark/posttest.dat new file mode 100644 index 000000000..72dff4e10 --- /dev/null +++ b/testing/tests/ikev2/nat-rw-mark/posttest.dat @@ -0,0 +1,12 @@ +sun::iptables -t mangle -v -n -L PREROUTING +sun::ipsec stop +alice::ipsec stop +venus::ipsec stop +alice::iptables-restore < /etc/iptables.flush +venus::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush +moon::iptables-restore < /etc/iptables.flush +moon::conntrack -F +sun::iptables-restore < /etc/iptables.flush +sun::conntrack -F +sun::rm /etc/mark_updown diff --git a/testing/tests/ikev2/nat-two-rw-mark/pretest.dat b/testing/tests/ikev2/nat-rw-mark/pretest.dat index 105968f45..6cddfd4fe 100644 --- a/testing/tests/ikev2/nat-two-rw-mark/pretest.dat +++ b/testing/tests/ikev2/nat-rw-mark/pretest.dat @@ -1,21 +1,20 @@ -alice::/etc/init.d/iptables start 2> /dev/null -venus::/etc/init.d/iptables start 2> /dev/null -sun::/etc/init.d/iptables start 2> /dev/null -moon::echo 1 > /proc/sys/net/ipv4/ip_forward +sun::iptables-restore < /etc/iptables.rules +alice::iptables-restore < /etc/iptables.rules +venus::iptables-restore < /etc/iptables.rules moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to PH_IP_MOON moon::iptables -t nat -A POSTROUTING -o eth0 -s PH_IP_ALICE -p udp --sport 500 -j SNAT --to PH_IP_MOON:510 moon::iptables -t nat -A POSTROUTING -o eth0 -s PH_IP_VENUS -p udp --sport 500 -j SNAT --to PH_IP_MOON:520 moon::iptables -t nat -A POSTROUTING -o eth0 -s PH_IP_ALICE -p udp --sport 4500 -j SNAT --to PH_IP_MOON:4510 moon::iptables -t nat -A POSTROUTING -o eth0 -s PH_IP_VENUS -p udp --sport 4500 -j SNAT --to PH_IP_MOON:4520 -sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 10 -j SNAT --to 10.3.0.10 -sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 20 -j SNAT --to 10.3.0.20 -sun::iptables -t mangle -A PREROUTING -d 10.3.0.10 -j MARK --set-mark 10 -sun::iptables -t mangle -A PREROUTING -d 10.3.0.20 -j MARK --set-mark 20 +sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 10 -j SNAT --to PH_IP_CAROL10 +sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 20 -j SNAT --to PH_IP_DAVE10 +sun::iptables -t mangle -A PREROUTING -d PH_IP_CAROL10 -j MARK --set-mark 10 +sun::iptables -t mangle -A PREROUTING -d PH_IP_DAVE10 -j MARK --set-mark 20 +sun::ipsec start alice::ipsec start venus::ipsec start -sun::ipsec start -alice::sleep 2 +alice::sleep 2 alice::ipsec up nat-t -venus::sleep 2 +venus::sleep 2 venus::ipsec up nat-t venus::sleep 2 diff --git a/testing/tests/ikev2/nat-rw-mark/test.conf b/testing/tests/ikev2/nat-rw-mark/test.conf new file mode 100644 index 000000000..105472cbe --- /dev/null +++ b/testing/tests/ikev2/nat-rw-mark/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice venus moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-v-m-w-s-b.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon bob" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="alice venus sun" diff --git a/testing/tests/ikev2/nat-rw-mixed/description.txt b/testing/tests/ikev2/nat-rw-mixed/description.txt deleted file mode 100644 index 511a1a874..000000000 --- a/testing/tests/ikev2/nat-rw-mixed/description.txt +++ /dev/null @@ -1,6 +0,0 @@ -The roadwarriors <b>alice</b> and <b>venus</b> sitting behind the NAT router <b>moon</b> -set up a connection to gateway <b>sun</b>. <b>alice</b> uses the IKEv2 key exchange protocol -whereas <b>venus</b> negotiates the connection via the IKEv1 protocol. -UDP encapsulation is used to traverse the NAT router. -In order to test the tunnel the NAT-ed hosts <b>alice</b> and <b>venus</b> ping the client -<b>bob</b> behind the gateway <b>sun</b>. diff --git a/testing/tests/ikev2/nat-rw-mixed/evaltest.dat b/testing/tests/ikev2/nat-rw-mixed/evaltest.dat deleted file mode 100644 index 685c1b43f..000000000 --- a/testing/tests/ikev2/nat-rw-mixed/evaltest.dat +++ /dev/null @@ -1,9 +0,0 @@ -sun::ipsec statusall::rw-alice.*ESTABLISHED::YES -sun::ipsec status::nat-t.*STATE_QUICK_R2.*IPsec SA established::YES -sun::ipsec status::nat-t.*@venus.strongswan.org::YES -alice::ipsec statusall::home.*ESTABLISHED::YES -sun::ipsec status::nat-t.*STATE_QUICK_R2.*IPsec SA established::YES -alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES -venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES -moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP::YES -moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP::YES diff --git a/testing/tests/ikev2/nat-rw-mixed/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/nat-rw-mixed/hosts/alice/etc/ipsec.conf deleted file mode 100644 index cd9de533a..000000000 --- a/testing/tests/ikev2/nat-rw-mixed/hosts/alice/etc/ipsec.conf +++ /dev/null @@ -1,17 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -version 2.0 # conforms to second version of ipsec.conf specification - -config setup - plutostart=no - -conn home - left=PH_IP_ALICE - leftcert=aliceCert.pem - leftid=alice@strongswan.org - right=PH_IP_SUN - rightcert=sunCert.pem - rightid=@sun.strongswan.org - rightsubnet=10.2.0.0/16 - keyexchange=ikev2 - auto=add diff --git a/testing/tests/ikev2/nat-rw-mixed/hosts/alice/etc/ipsec.d/certs/sunCert.pem b/testing/tests/ikev2/nat-rw-mixed/hosts/alice/etc/ipsec.d/certs/sunCert.pem deleted file mode 100644 index e7825e3db..000000000 --- a/testing/tests/ikev2/nat-rw-mixed/hosts/alice/etc/ipsec.d/certs/sunCert.pem +++ /dev/null @@ -1,24 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIECzCCAvOgAwIBAgIBAjANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ -MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS -b290IENBMB4XDTA0MDkxMDExMTU1M1oXDTA5MDkwOTExMTU1M1owRTELMAkGA1UE -BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN1bi5z -dHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOQ8 -foB9h5BZ92gA5JkQTJNuoF6FAzoq91Gh7To27/g74p01+SUnsSaBfPmNfGp4avdS -Ewy2dWMA/7uj0Dbe8MEKssNztp0JQubp2s7n8mrrQLGsqB6YAS09l75XDjS3yqTC -AtH1kD4zAl/j/AyeQBuLR4CyJEmC/rqD3/a+pr42CaljuFBgBRpCTUpU4mlslZSe -zv9wu61PwTFxb8VDlBHUd/lwkXThKgU3uEhWRxLahpSldEGmiTTmx30k/XbOMF2n -HObEHt5EY9uWRGGbj81ZRWiNk0dNtbpneUHv/NvdWLc591M8cEGEQdWW2XTVbL2G -N67q8hdzGgIvb7QJPMcCAwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQD -AgOoMB0GA1UdDgQWBBQ9xLkyCBbyQmRet0vvV1Fg6z5q2DBtBgNVHSMEZjBkgBRd -p91wBlEyfue2bbO15eBg6i5N76FJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoT -EExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIB -ADAdBgNVHREEFjAUghJzdW4uc3Ryb25nc3dhbi5vcmcwOQYDVR0fBDIwMDAuoCyg -KoYoaHR0cDovL2NybC5zdHJvbmdzd2FuLm9yZy9zdHJvbmdzd2FuLmNybDANBgkq -hkiG9w0BAQQFAAOCAQEAGQQroiAa0SwwhJprGd7OM+rfBJAGbsa3DPzFCfHX1R7i -ZyDs9aph1DK+IgUa377Ev1U7oB0EldpmOoJJugCjtNLfpW3t1RXBERL/QfpO2+VP -Wt3SfZ0Oq48jiqB1MVLMZRPCICZEQjT4sJ3HYs5ZuucuvoxeMx3rQ4HxUtHtMD3S -5JNMwFFiOXAjyIyrTlb7YuRJTT5hE+Rms8GUQ5Xnt7zKZ7yfoSLFzy0/cLFPdQvE -JA7w8crODCZpDgEKVHVyUWuyt1O46N3ydUfDcnKJoQ9HWHm3xCbDex5MHTnvm1lk -Stx71CGM7TE6VPy028UlrSw0JqEwCVwstei2cMzwgA== ------END CERTIFICATE----- diff --git a/testing/tests/ikev2/nat-rw-mixed/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/nat-rw-mixed/hosts/sun/etc/ipsec.conf deleted file mode 100644 index b85bd607b..000000000 --- a/testing/tests/ikev2/nat-rw-mixed/hosts/sun/etc/ipsec.conf +++ /dev/null @@ -1,31 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -version 2.0 # conforms to second version of ipsec.conf specification - -config setup - plutodebug=control - crlcheckinterval=180 - nat_traversal=yes - -conn %default - ikelifetime=60m - keylife=20m - left=PH_IP_SUN - leftcert=sunCert.pem - leftid=@sun.strongswan.org - leftsubnet=10.2.0.0/16 - -conn rw-alice - right=%any - rightcert=aliceCert.pem - rightid=alice@strongswan.org - rightsubnet=10.1.0.0/16 - keyexchange=ikev2 - auto=add - -conn nat-t - leftsubnet=10.2.0.0/16 - right=%any - rightsubnetwithin=10.1.0.0/16 - keyexchange=ikev1 - auto=add diff --git a/testing/tests/ikev2/nat-rw-mixed/hosts/sun/etc/ipsec.d/certs/aliceCert.pem b/testing/tests/ikev2/nat-rw-mixed/hosts/sun/etc/ipsec.d/certs/aliceCert.pem deleted file mode 100644 index e99ae8ec7..000000000 --- a/testing/tests/ikev2/nat-rw-mixed/hosts/sun/etc/ipsec.d/certs/aliceCert.pem +++ /dev/null @@ -1,25 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEHzCCAwegAwIBAgIBBTANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ -MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS -b290IENBMB4XDTA0MDkxMDExMjQzOVoXDTA5MDkwOTExMjQzOVowVzELMAkGA1UE -BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsTBVNhbGVz -MR0wGwYDVQQDFBRhbGljZUBzdHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcNAQEB -BQADggEPADCCAQoCggEBAK7FyvkE18/oujCaTd8GXBNOH+Cvoy0ibJ8j2sNsBrer -GS1lgxRs8zaVfK9fosadu0UZeWIHsOKkew5469sPvkKK2SGGH+pu+x+xO/vuaEG4 -FlkAu8iGFWLQycLt6BJfcqw7FT8rwNuD18XXBXmP7hRavi/TEElbVYHbO7lm8T5W -6hTr/sYddiSB7X9/ba7JBy6lxmBcUAx5bjiiHLaW/llefkqyhc6dw5nvPZ2DchvH -v/HWvLF9bsvxbBkHU0/z/CEsRuMBI7EPEL4rx3UqmuCUAqiMJTS3IrDaIlfJOLWc -KlbsnE6hHpwmt9oDB9iWBY9WeZUSAtJGFw4b7FCZvQ0CAwEAAaOCAQYwggECMAkG -A1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBRZmh0JtiNTjBsQsfD7ECNa -60iG2jBtBgNVHSMEZjBkgBRdp91wBlEyfue2bbO15eBg6i5N76FJpEcwRTELMAkG -A1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0 -cm9uZ1N3YW4gUm9vdCBDQYIBADAfBgNVHREEGDAWgRRhbGljZUBzdHJvbmdzd2Fu -Lm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3Jn -L3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBBAUAA4IBAQADdQIlJkFtmHEjtuyo -2aIcrsUx98FtvVgB7RpQB8JZlly7UEjvX0CIIvW/7Al5/8h9s1rhrRffX7nXQKAQ -AmPnvD2Pp47obDnHqm/L109S1fcL5BiPN1AlgsseUBwzdqBpyRncPXZoAuBh/BU5 -D/1Dip0hXgB/X6+QymSzRJoSKfpeXVICj1kYH1nIkn0YXthYF3BTrCheCzBlKn0S -CixbCUYsUjtSqld0nG76jyGb/gnWntNettH+RXWe1gm6qREJwfEFdeYviTqx2Uxi -6sBKG/XjNAcMArXb7V6w0YAwCyjwCl49B+mLZaFH+9izzBJ7NyVqhH8ToB1gt0re -JGhV ------END CERTIFICATE----- diff --git a/testing/tests/ikev2/nat-rw-mixed/hosts/sun/etc/ipsec.d/certs/venusCert.pem b/testing/tests/ikev2/nat-rw-mixed/hosts/sun/etc/ipsec.d/certs/venusCert.pem deleted file mode 100644 index 25a6941b0..000000000 --- a/testing/tests/ikev2/nat-rw-mixed/hosts/sun/etc/ipsec.d/certs/venusCert.pem +++ /dev/null @@ -1,24 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEDzCCAvegAwIBAgIBBDANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ -MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS -b290IENBMB4XDTA0MDkxMDExMTgyNloXDTA5MDkwOTExMTgyNlowRzELMAkGA1UE -BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHTAbBgNVBAMTFHZlbnVz -LnN0cm9uZ3N3YW4ub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA -mlQ2s9J7bw73onkw0ZwwcM2JDJuU3KmmuzETlmLdtg7m8yFCdhoDg6cxrsIvPAWy -Gs++1e+1qzy7LTnNHckaHHFwJQf0JoIGE1bbUrJidX8B1T3sDdvZFbyfmQTWSEyJ -thrdqdPS92VJW/9XQOPeEhudIHr+NtWQfCm3OQFKDXGCEkHOjpVNHn3BPUiL99ON -FiLZX3gZy6vTERpEE8ga66fHtpM3RJfIxYoUQUdRw8iIa8iOvRGtJa/MfOWX6L/H -wquRv3SuCl4iMSph7e/VE+z5xx3OyKSAki914DgRFnQITKjyGxw1lORlDQlZy2w/ -nu0BAbXS1pb/2AiF8jDpbQIDAQABo4IBBjCCAQIwCQYDVR0TBAIwADALBgNVHQ8E -BAMCA6gwHQYDVR0OBBYEFEqPlXBYJh1knX0Q61HMcn9LOZ6sMG0GA1UdIwRmMGSA -FF2n3XAGUTJ+57Zts7Xl4GDqLk3voUmkRzBFMQswCQYDVQQGEwJDSDEZMBcGA1UE -ChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBSb290IENB -ggEAMB8GA1UdEQQYMBaCFHZlbnVzLnN0cm9uZ3N3YW4ub3JnMDkGA1UdHwQyMDAw -LqAsoCqGKGh0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbi5jcmww -DQYJKoZIhvcNAQEEBQADggEBAEx3kXh2Z5CMH+tX6cJPyi6gSeOgXy7NBiNsEdXN -rwGp4DwN6uiSog4EYZJA203oqE3eaoYdBXKiOGvjW4vyigvpDr8H+MeW2HsNuMKX -PFpY4NucV0fJlzFhtkp31zTLHNESCgTqNIwGj+CbN0rxhHGE6502krnu+C12nJ7B -fdMzml1RmVp4JlZC5yfiTy0F2s/aH+8xQ2x509UoD+boNM9GR+IlWS2dDypISGid -hbM4rpiMLBj2riWD8HiuljkKQ6LemBXeZQXuIPlusl7cH/synNkHk8iiALM8xfGh -wTEmdo5Tp5sDI3cj3LVvhcsTxjiOA81her1F0itlxpEA/gA= ------END CERTIFICATE----- diff --git a/testing/tests/ikev2/nat-rw-mixed/posttest.dat b/testing/tests/ikev2/nat-rw-mixed/posttest.dat deleted file mode 100644 index 0a8ce2bbc..000000000 --- a/testing/tests/ikev2/nat-rw-mixed/posttest.dat +++ /dev/null @@ -1,6 +0,0 @@ -sun::ipsec stop -alice::ipsec stop -venus::ipsec stop -sun::rm /etc/ipsec.d/certs/* -alice::rm /etc/ipsec.d/certs/* -moon::iptables -t nat -F diff --git a/testing/tests/ikev2/nat-rw-mixed/pretest.dat b/testing/tests/ikev2/nat-rw-mixed/pretest.dat deleted file mode 100644 index d2c5c7df2..000000000 --- a/testing/tests/ikev2/nat-rw-mixed/pretest.dat +++ /dev/null @@ -1,11 +0,0 @@ -sun::echo 1 > /proc/sys/net/ipv4/ip_forward -moon::echo 1 > /proc/sys/net/ipv4/ip_forward -moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100 -moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100 -sun::ipsec start -alice::ipsec start -venus::ipsec start -alice::sleep 1 -venus::ipsec up nat-t -alice::ipsec up home -alice::sleep 1 diff --git a/testing/tests/ikev2/nat-rw-mixed/test.conf b/testing/tests/ikev2/nat-rw-mixed/test.conf deleted file mode 100644 index 84317fd70..000000000 --- a/testing/tests/ikev2/nat-rw-mixed/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# UML instances used for this test - -# All UML instances that are required for this test -# -UMLHOSTS="alice venus moon winnetou sun bob" - -# Corresponding block diagram -# -DIAGRAM="a-v-m-w-s-b.png" - -# UML instances on which tcpdump is to be started -# -TCPDUMPHOSTS="moon" - -# UML instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="alice venus sun" diff --git a/testing/tests/ikev2/nat-two-rw-psk/description.txt b/testing/tests/ikev2/nat-rw-psk/description.txt index c74897d9a..c74897d9a 100644 --- a/testing/tests/ikev2/nat-two-rw-psk/description.txt +++ b/testing/tests/ikev2/nat-rw-psk/description.txt diff --git a/testing/tests/ikev2/nat-rw-psk/evaltest.dat b/testing/tests/ikev2/nat-rw-psk/evaltest.dat new file mode 100644 index 000000000..6ec29c779 --- /dev/null +++ b/testing/tests/ikev2/nat-rw-psk/evaltest.dat @@ -0,0 +1,9 @@ +alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES +venus::ipsec status 2> /dev/null::nat-t.*INSTALLED. TUNNEL, ESP in UDP::YES +sun:: ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES +sun:: ipsec status 2> /dev/null::nat-t.*\[PH_IP_ALICE\]::YES +sun:: ipsec status 2> /dev/null::nat-t.*\[PH_IP_VENUS\]::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES +venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES +moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.4500: UDP::YES +moon::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.*: UDP::YES diff --git a/testing/tests/ikev2/nat-two-rw-psk/hosts/venus/etc/ipsec.conf b/testing/tests/ikev2/nat-rw-psk/hosts/alice/etc/ipsec.conf index e0ccbb812..089e91ed7 100755..100644 --- a/testing/tests/ikev2/nat-two-rw-psk/hosts/venus/etc/ipsec.conf +++ b/testing/tests/ikev2/nat-rw-psk/hosts/alice/etc/ipsec.conf @@ -1,7 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/nat-two-rw-psk/hosts/alice/etc/ipsec.secrets b/testing/tests/ikev2/nat-rw-psk/hosts/alice/etc/ipsec.secrets index d61e3eb48..d61e3eb48 100644 --- a/testing/tests/ikev2/nat-two-rw-psk/hosts/alice/etc/ipsec.secrets +++ b/testing/tests/ikev2/nat-rw-psk/hosts/alice/etc/ipsec.secrets diff --git a/testing/tests/ikev2/nat-rw-psk/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/nat-rw-psk/hosts/alice/etc/strongswan.conf new file mode 100644 index 000000000..924fd4757 --- /dev/null +++ b/testing/tests/ikev2/nat-rw-psk/hosts/alice/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac xcbc stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ikev2/nat-two-rw-psk/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/nat-rw-psk/hosts/sun/etc/ipsec.conf index d6b5d4d6f..e939d89ae 100755..100644 --- a/testing/tests/ikev2/nat-two-rw-psk/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ikev2/nat-rw-psk/hosts/sun/etc/ipsec.conf @@ -1,7 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/nat-two-rw-psk/hosts/sun/etc/ipsec.secrets b/testing/tests/ikev2/nat-rw-psk/hosts/sun/etc/ipsec.secrets index 5f2955503..5f2955503 100644 --- a/testing/tests/ikev2/nat-two-rw-psk/hosts/sun/etc/ipsec.secrets +++ b/testing/tests/ikev2/nat-rw-psk/hosts/sun/etc/ipsec.secrets diff --git a/testing/tests/ikev2/nat-rw-psk/hosts/sun/etc/iptables.rules b/testing/tests/ikev2/nat-rw-psk/hosts/sun/etc/iptables.rules new file mode 100644 index 000000000..ae8f9a61e --- /dev/null +++ b/testing/tests/ikev2/nat-rw-psk/hosts/sun/etc/iptables.rules @@ -0,0 +1,24 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow IKE +-A INPUT -i eth0 -p udp --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow crl fetch from winnetou +-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT +-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + +COMMIT diff --git a/testing/tests/ikev2/nat-rw-psk/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/nat-rw-psk/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..924fd4757 --- /dev/null +++ b/testing/tests/ikev2/nat-rw-psk/hosts/sun/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac xcbc stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ikev2/nat-two-rw-psk/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/nat-rw-psk/hosts/venus/etc/ipsec.conf index e0ccbb812..089e91ed7 100755..100644 --- a/testing/tests/ikev2/nat-two-rw-psk/hosts/alice/etc/ipsec.conf +++ b/testing/tests/ikev2/nat-rw-psk/hosts/venus/etc/ipsec.conf @@ -1,7 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/nat-two-rw-psk/hosts/venus/etc/ipsec.secrets b/testing/tests/ikev2/nat-rw-psk/hosts/venus/etc/ipsec.secrets index 9cd66b1df..9cd66b1df 100644 --- a/testing/tests/ikev2/nat-two-rw-psk/hosts/venus/etc/ipsec.secrets +++ b/testing/tests/ikev2/nat-rw-psk/hosts/venus/etc/ipsec.secrets diff --git a/testing/tests/ikev2/nat-rw-psk/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2/nat-rw-psk/hosts/venus/etc/strongswan.conf new file mode 100644 index 000000000..924fd4757 --- /dev/null +++ b/testing/tests/ikev2/nat-rw-psk/hosts/venus/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac xcbc stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ikev2/nat-rw-psk/posttest.dat b/testing/tests/ikev2/nat-rw-psk/posttest.dat new file mode 100644 index 000000000..4643a3a7b --- /dev/null +++ b/testing/tests/ikev2/nat-rw-psk/posttest.dat @@ -0,0 +1,8 @@ +sun::ipsec stop +alice::ipsec stop +venus::ipsec stop +alice::iptables-restore < /etc/iptables.flush +venus::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush +moon::iptables -t nat -F +moon::conntrack -F diff --git a/testing/tests/ikev2/nat-two-rw-psk/pretest.dat b/testing/tests/ikev2/nat-rw-psk/pretest.dat index 5e23259bb..c5d091f32 100644 --- a/testing/tests/ikev2/nat-two-rw-psk/pretest.dat +++ b/testing/tests/ikev2/nat-rw-psk/pretest.dat @@ -1,15 +1,14 @@ -alice::/etc/init.d/iptables start 2> /dev/null -venus::/etc/init.d/iptables start 2> /dev/null -sun::/etc/init.d/iptables start 2> /dev/null -moon::echo 1 > /proc/sys/net/ipv4/ip_forward +alice::iptables-restore < /etc/iptables.rules +venus::iptables-restore < /etc/iptables.rules +sun::iptables-restore < /etc/iptables.rules moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100 alice::rm /etc/ipsec.d/cacerts/* venus::rm /etc/ipsec.d/cacerts/* sun::rm /etc/ipsec.d/cacerts/* +sun::ipsec start alice::ipsec start venus::ipsec start -sun::ipsec start alice::sleep 2 alice::ipsec up nat-t venus::sleep 2 diff --git a/testing/tests/ikev2/nat-rw-psk/test.conf b/testing/tests/ikev2/nat-rw-psk/test.conf new file mode 100644 index 000000000..f515d4bc7 --- /dev/null +++ b/testing/tests/ikev2/nat-rw-psk/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice venus moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-v-m-w-s-b.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="alice venus sun" diff --git a/testing/tests/ikev2/nat-two-rw/description.txt b/testing/tests/ikev2/nat-rw/description.txt index dcf4b94bd..dcf4b94bd 100644 --- a/testing/tests/ikev2/nat-two-rw/description.txt +++ b/testing/tests/ikev2/nat-rw/description.txt diff --git a/testing/tests/ikev2/nat-rw/evaltest.dat b/testing/tests/ikev2/nat-rw/evaltest.dat new file mode 100644 index 000000000..387dbae23 --- /dev/null +++ b/testing/tests/ikev2/nat-rw/evaltest.dat @@ -0,0 +1,18 @@ +alice::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*alice@strongswan.org.*sun.strongswan.org::YES +venus::ipsec status 2> /dev/null::nat-t.*ESTABLISHED.*venus.strongswan.org.*sun.strongswan.org::YES +sun:: ipsec status 2> /dev/null::nat-t\[1]: ESTABLISHED.*sun.strongswan.org.*alice@strongswan.org::YES +sun:: ipsec status 2> /dev/null::nat-t\[2]: ESTABLISHED.*sun.strongswan.org.*venus.strongswan.org::YES +alice::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES +venus::ipsec status 2> /dev/null::nat-t.*INSTALLED, TUNNEL, ESP in UDP::YES +sun:: ipsec status 2> /dev/null::nat-t[{]1}.*INSTALLED, TUNNEL, ESP in UDP::YES +sun:: ipsec status 2> /dev/null::nat-t[{]2}.*INSTALLED, TUNNEL, ESP in UDP::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES +venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES +moon:: sleep 6::no output expected::NO +bob:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +bob:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES +moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.4500: UDP-encap: ESP::YES +moon::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.*: UDP-encap: ESP::YES +moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.4500: isakmp-nat-keep-alive::YES +alice::cat /var/log/daemon.log::sending keep alive::YES +venus::cat /var/log/daemon.log::sending keep alive::YES diff --git a/testing/tests/ikev2/nat-two-rw/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/nat-rw/hosts/alice/etc/ipsec.conf index 3da2fcf86..3e85551c9 100755..100644 --- a/testing/tests/ikev2/nat-two-rw/hosts/alice/etc/ipsec.conf +++ b/testing/tests/ikev2/nat-rw/hosts/alice/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m @@ -13,7 +10,7 @@ conn %default keyexchange=ikev2 conn nat-t - left=%defaultroute + left=%any leftcert=aliceCert.pem leftid=alice@strongswan.org leftfirewall=yes diff --git a/testing/tests/ikev2/nat-rw/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/nat-rw/hosts/alice/etc/strongswan.conf new file mode 100644 index 000000000..dabff38e4 --- /dev/null +++ b/testing/tests/ikev2/nat-rw/hosts/alice/etc/strongswan.conf @@ -0,0 +1,7 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown + + keep_alive = 5 +} diff --git a/testing/tests/ikev2/nat-portswitch/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/nat-rw/hosts/sun/etc/ipsec.conf index a7722142f..06105ade0 100644 --- a/testing/tests/ikev2/nat-portswitch/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ikev2/nat-rw/hosts/sun/etc/ipsec.conf @@ -1,20 +1,20 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -version 2.0 # conforms to second version of ipsec.conf specification - config setup - plutostart=no conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn nat-t left=PH_IP_SUN leftcert=sunCert.pem leftid=@sun.strongswan.org + leftfirewall=yes leftsubnet=10.2.0.0/16 - keyexchange=ikev2 - -conn rw-alice right=%any - rightcert=aliceCert.pem - rightid=alice@strongswan.org rightsubnet=10.1.0.0/16 auto=add diff --git a/testing/tests/ikev2/nat-rw/hosts/sun/etc/iptables.rules b/testing/tests/ikev2/nat-rw/hosts/sun/etc/iptables.rules new file mode 100644 index 000000000..ae8f9a61e --- /dev/null +++ b/testing/tests/ikev2/nat-rw/hosts/sun/etc/iptables.rules @@ -0,0 +1,24 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow IKE +-A INPUT -i eth0 -p udp --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow crl fetch from winnetou +-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT +-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + +COMMIT diff --git a/testing/tests/ikev2/nat-rw/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/nat-rw/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..ca23c6971 --- /dev/null +++ b/testing/tests/ikev2/nat-rw/hosts/sun/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ikev2/nat-two-rw/hosts/venus/etc/ipsec.conf b/testing/tests/ikev2/nat-rw/hosts/venus/etc/ipsec.conf index 3a70b3434..57364be7f 100755..100644 --- a/testing/tests/ikev2/nat-two-rw/hosts/venus/etc/ipsec.conf +++ b/testing/tests/ikev2/nat-rw/hosts/venus/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m @@ -13,7 +10,7 @@ conn %default keyexchange=ikev2 conn nat-t - left=%defaultroute + left=%any leftcert=venusCert.pem leftid=@venus.strongswan.org leftfirewall=yes diff --git a/testing/tests/ikev2/nat-rw/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2/nat-rw/hosts/venus/etc/strongswan.conf new file mode 100644 index 000000000..dabff38e4 --- /dev/null +++ b/testing/tests/ikev2/nat-rw/hosts/venus/etc/strongswan.conf @@ -0,0 +1,7 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown + + keep_alive = 5 +} diff --git a/testing/tests/ikev2/nat-rw/posttest.dat b/testing/tests/ikev2/nat-rw/posttest.dat new file mode 100644 index 000000000..4643a3a7b --- /dev/null +++ b/testing/tests/ikev2/nat-rw/posttest.dat @@ -0,0 +1,8 @@ +sun::ipsec stop +alice::ipsec stop +venus::ipsec stop +alice::iptables-restore < /etc/iptables.flush +venus::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush +moon::iptables -t nat -F +moon::conntrack -F diff --git a/testing/tests/ikev2/nat-two-rw/pretest.dat b/testing/tests/ikev2/nat-rw/pretest.dat index e365ff5c5..f58e82adc 100644 --- a/testing/tests/ikev2/nat-two-rw/pretest.dat +++ b/testing/tests/ikev2/nat-rw/pretest.dat @@ -1,7 +1,7 @@ -alice::/etc/init.d/iptables start 2> /dev/null -venus::/etc/init.d/iptables start 2> /dev/null -sun::/etc/init.d/iptables start 2> /dev/null -moon::echo 1 > /proc/sys/net/ipv4/ip_forward +alice::iptables-restore < /etc/iptables.rules +venus::iptables-restore < /etc/iptables.rules +sun::iptables-restore < /etc/iptables.rules +moon::conntrack -F moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100 moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100 alice::ipsec start diff --git a/testing/tests/ikev2/nat-rw/test.conf b/testing/tests/ikev2/nat-rw/test.conf new file mode 100644 index 000000000..f515d4bc7 --- /dev/null +++ b/testing/tests/ikev2/nat-rw/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice venus moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-v-m-w-s-b.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="alice venus sun" diff --git a/testing/tests/ikev2/nat-two-rw-mark/evaltest.dat b/testing/tests/ikev2/nat-two-rw-mark/evaltest.dat deleted file mode 100644 index 74ba178d9..000000000 --- a/testing/tests/ikev2/nat-two-rw-mark/evaltest.dat +++ /dev/null @@ -1,16 +0,0 @@ -alice::ipsec statusall::nat-t.*INSTALLED::YES -venus::ipsec statusall::nat-t.*INSTALLED::YES -sun::ipsec statusall::alice.*ESTABLISHED.*alice@strongswan.org::YES -sun::ipsec statusall::venus.*ESTABLISHED.*venus.strongswan.org::YES -sun::ipsec statusall::alice.*10.2.0.0/16 === 10.1.0.0/25::YES -sun::ipsec statusall::venus.*10.2.0.0/16 === 10.1.0.0/25::YES -alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES -venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES -moon::tcpdump::IP moon.strongswan.org.4510.* > sun.strongswan.org.ipsec-nat-t: UDP::YES -moon::tcpdump::IP moon.strongswan.org.4520.* > sun.strongswan.org.ipsec-nat-t: UDP::YES -moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.4510.*: UDP::YES -moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.4520.*: UDP::YES -bob::tcpdump::10.3.0.10 > bob.strongswan.org: ICMP echo request::YES -bob::tcpdump::10.3.0.20 > bob.strongswan.org: ICMP echo request::YES -bob::tcpdump::bob.strongswan.org > 10.3.0.10: ICMP echo reply::YES -bob::tcpdump::bob.strongswan.org > 10.3.0.20: ICMP echo reply::YES diff --git a/testing/tests/ikev2/nat-two-rw-mark/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/nat-two-rw-mark/hosts/alice/etc/strongswan.conf deleted file mode 100644 index 339b56987..000000000 --- a/testing/tests/ikev2/nat-two-rw-mark/hosts/alice/etc/strongswan.conf +++ /dev/null @@ -1,5 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown -} diff --git a/testing/tests/ikev2/nat-two-rw-mark/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/nat-two-rw-mark/hosts/sun/etc/strongswan.conf deleted file mode 100644 index 339b56987..000000000 --- a/testing/tests/ikev2/nat-two-rw-mark/hosts/sun/etc/strongswan.conf +++ /dev/null @@ -1,5 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown -} diff --git a/testing/tests/ikev2/nat-two-rw-mark/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2/nat-two-rw-mark/hosts/venus/etc/strongswan.conf deleted file mode 100644 index 339b56987..000000000 --- a/testing/tests/ikev2/nat-two-rw-mark/hosts/venus/etc/strongswan.conf +++ /dev/null @@ -1,5 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown -} diff --git a/testing/tests/ikev2/nat-two-rw-mark/posttest.dat b/testing/tests/ikev2/nat-two-rw-mark/posttest.dat deleted file mode 100644 index 89d5f534b..000000000 --- a/testing/tests/ikev2/nat-two-rw-mark/posttest.dat +++ /dev/null @@ -1,11 +0,0 @@ -sun::iptables -t mangle -v -n -L PREROUTING -sun::ipsec stop -alice::ipsec stop -venus::ipsec stop -alice::/etc/init.d/iptables stop 2> /dev/null -venus::/etc/init.d/iptables stop 2> /dev/null -sun::/etc/init.d/iptables stop 2> /dev/null -moon::iptables -t nat -F -moon::conntrack -F -sun::conntrack -F -sun::rm /etc/mark_updown diff --git a/testing/tests/ikev2/nat-two-rw-mark/test.conf b/testing/tests/ikev2/nat-two-rw-mark/test.conf deleted file mode 100644 index ae3c190b8..000000000 --- a/testing/tests/ikev2/nat-two-rw-mark/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# UML instances used for this test - -# All UML instances that are required for this test -# -UMLHOSTS="alice venus moon winnetou sun bob" - -# Corresponding block diagram -# -DIAGRAM="a-v-m-w-s-b.png" - -# UML instances on which tcpdump is to be started -# -TCPDUMPHOSTS="moon bob" - -# UML instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="alice venus sun" diff --git a/testing/tests/ikev2/nat-two-rw-psk/evaltest.dat b/testing/tests/ikev2/nat-two-rw-psk/evaltest.dat deleted file mode 100644 index 2cab168f0..000000000 --- a/testing/tests/ikev2/nat-two-rw-psk/evaltest.dat +++ /dev/null @@ -1,9 +0,0 @@ -alice::ipsec statusall::nat-t.*INSTALLED::YES -venus::ipsec statusall::nat-t.*INSTALLED::YES -sun::ipsec statusall::nat-t.*INSTALLED::YES -sun::ipsec status::nat-t.*\[PH_IP_ALICE\]::YES -sun::ipsec status::nat-t.*\[PH_IP_VENUS\]::YES -alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES -venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES -moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP::YES -moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP::YES diff --git a/testing/tests/ikev2/nat-two-rw-psk/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/nat-two-rw-psk/hosts/alice/etc/strongswan.conf deleted file mode 100644 index 882ea04a5..000000000 --- a/testing/tests/ikev2/nat-two-rw-psk/hosts/alice/etc/strongswan.conf +++ /dev/null @@ -1,5 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink socket-default updown -} diff --git a/testing/tests/ikev2/nat-two-rw-psk/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/nat-two-rw-psk/hosts/sun/etc/strongswan.conf deleted file mode 100644 index 882ea04a5..000000000 --- a/testing/tests/ikev2/nat-two-rw-psk/hosts/sun/etc/strongswan.conf +++ /dev/null @@ -1,5 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink socket-default updown -} diff --git a/testing/tests/ikev2/nat-two-rw-psk/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2/nat-two-rw-psk/hosts/venus/etc/strongswan.conf deleted file mode 100644 index 882ea04a5..000000000 --- a/testing/tests/ikev2/nat-two-rw-psk/hosts/venus/etc/strongswan.conf +++ /dev/null @@ -1,5 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink socket-default updown -} diff --git a/testing/tests/ikev2/nat-two-rw-psk/posttest.dat b/testing/tests/ikev2/nat-two-rw-psk/posttest.dat deleted file mode 100644 index 52572ece8..000000000 --- a/testing/tests/ikev2/nat-two-rw-psk/posttest.dat +++ /dev/null @@ -1,8 +0,0 @@ -sun::ipsec stop -alice::ipsec stop -venus::ipsec stop -alice::/etc/init.d/iptables stop 2> /dev/null -venus::/etc/init.d/iptables stop 2> /dev/null -sun::/etc/init.d/iptables stop 2> /dev/null -moon::iptables -t nat -F -moon::conntrack -F diff --git a/testing/tests/ikev2/nat-two-rw-psk/test.conf b/testing/tests/ikev2/nat-two-rw-psk/test.conf deleted file mode 100644 index 84317fd70..000000000 --- a/testing/tests/ikev2/nat-two-rw-psk/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# UML instances used for this test - -# All UML instances that are required for this test -# -UMLHOSTS="alice venus moon winnetou sun bob" - -# Corresponding block diagram -# -DIAGRAM="a-v-m-w-s-b.png" - -# UML instances on which tcpdump is to be started -# -TCPDUMPHOSTS="moon" - -# UML instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="alice venus sun" diff --git a/testing/tests/ikev2/nat-two-rw/evaltest.dat b/testing/tests/ikev2/nat-two-rw/evaltest.dat deleted file mode 100644 index bd0a4b52b..000000000 --- a/testing/tests/ikev2/nat-two-rw/evaltest.dat +++ /dev/null @@ -1,9 +0,0 @@ -alice::ipsec statusall::nat-t.*INSTALLED::YES -venus::ipsec statusall::nat-t.*INSTALLED::YES -sun::ipsec statusall::nat-t.*INSTALLED::YES -sun::ipsec status::alice@strongswan.org::YES -sun::ipsec status::venus.strongswan.org::YES -alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES -venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES -moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP::YES -moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP::YES diff --git a/testing/tests/ikev2/nat-two-rw/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/nat-two-rw/hosts/alice/etc/strongswan.conf deleted file mode 100644 index 339b56987..000000000 --- a/testing/tests/ikev2/nat-two-rw/hosts/alice/etc/strongswan.conf +++ /dev/null @@ -1,5 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown -} diff --git a/testing/tests/ikev2/nat-two-rw/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/nat-two-rw/hosts/sun/etc/strongswan.conf deleted file mode 100644 index 339b56987..000000000 --- a/testing/tests/ikev2/nat-two-rw/hosts/sun/etc/strongswan.conf +++ /dev/null @@ -1,5 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown -} diff --git a/testing/tests/ikev2/nat-two-rw/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2/nat-two-rw/hosts/venus/etc/strongswan.conf deleted file mode 100644 index 339b56987..000000000 --- a/testing/tests/ikev2/nat-two-rw/hosts/venus/etc/strongswan.conf +++ /dev/null @@ -1,5 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown -} diff --git a/testing/tests/ikev2/nat-two-rw/posttest.dat b/testing/tests/ikev2/nat-two-rw/posttest.dat deleted file mode 100644 index 52572ece8..000000000 --- a/testing/tests/ikev2/nat-two-rw/posttest.dat +++ /dev/null @@ -1,8 +0,0 @@ -sun::ipsec stop -alice::ipsec stop -venus::ipsec stop -alice::/etc/init.d/iptables stop 2> /dev/null -venus::/etc/init.d/iptables stop 2> /dev/null -sun::/etc/init.d/iptables stop 2> /dev/null -moon::iptables -t nat -F -moon::conntrack -F diff --git a/testing/tests/ikev2/nat-two-rw/test.conf b/testing/tests/ikev2/nat-two-rw/test.conf deleted file mode 100644 index 84317fd70..000000000 --- a/testing/tests/ikev2/nat-two-rw/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# UML instances used for this test - -# All UML instances that are required for this test -# -UMLHOSTS="alice venus moon winnetou sun bob" - -# Corresponding block diagram -# -DIAGRAM="a-v-m-w-s-b.png" - -# UML instances on which tcpdump is to be started -# -TCPDUMPHOSTS="moon" - -# UML instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="alice venus sun" diff --git a/testing/tests/ikev2/nat-virtual-ip/evaltest.dat b/testing/tests/ikev2/nat-virtual-ip/evaltest.dat index 75d5ffbd3..c60ffc772 100644 --- a/testing/tests/ikev2/nat-virtual-ip/evaltest.dat +++ b/testing/tests/ikev2/nat-virtual-ip/evaltest.dat @@ -1,7 +1,7 @@ -moon::ipsec statusall::net-net.*ESTABLISHED::YES -sun::ipsec statusall::net-net.*ESTABLISHED::YES -moon::cat /var/log/daemon.log::inserted NAT rule mapping PH_IP_ALICE to virtual IP::YES -alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES +moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES +sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES +moon:: cat /var/log/daemon.log::inserted NAT rule mapping PH_IP_ALICE to virtual IP::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES bob::tcpdump::IP alice2.strongswan.org > bob.strongswan.org: ICMP::YES diff --git a/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/ipsec.conf index e43e0d785..46fc364dd 100755..100644 --- a/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/strongswan.conf index cb3d46293..8e685c862 100644 --- a/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/strongswan.conf @@ -1,6 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-raw updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown multiple_authentication = no } diff --git a/testing/tests/ikev2/nat-virtual-ip/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/nat-virtual-ip/hosts/sun/etc/ipsec.conf index 9cede8d56..1d7ba47ee 100755..100644 --- a/testing/tests/ikev2/nat-virtual-ip/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ikev2/nat-virtual-ip/hosts/sun/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/nat-virtual-ip/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/nat-virtual-ip/hosts/sun/etc/strongswan.conf index cb3d46293..8e685c862 100644 --- a/testing/tests/ikev2/nat-virtual-ip/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/nat-virtual-ip/hosts/sun/etc/strongswan.conf @@ -1,6 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-raw updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown multiple_authentication = no } diff --git a/testing/tests/ikev2/nat-virtual-ip/posttest.dat b/testing/tests/ikev2/nat-virtual-ip/posttest.dat index ee30e2c59..11bd19da7 100644 --- a/testing/tests/ikev2/nat-virtual-ip/posttest.dat +++ b/testing/tests/ikev2/nat-virtual-ip/posttest.dat @@ -1,6 +1,6 @@ moon::ipsec stop sun::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -sun::/etc/init.d/iptables stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush moon::conntrack -F moon::rm /etc/nat_updown diff --git a/testing/tests/ikev2/nat-virtual-ip/pretest.dat b/testing/tests/ikev2/nat-virtual-ip/pretest.dat index abbca90d7..eb0c28c7f 100644 --- a/testing/tests/ikev2/nat-virtual-ip/pretest.dat +++ b/testing/tests/ikev2/nat-virtual-ip/pretest.dat @@ -1,7 +1,6 @@ -moon::/etc/init.d/iptables start 2> /dev/null -sun::/etc/init.d/iptables start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +sun::iptables-restore < /etc/iptables.rules moon::conntrack -F -moon::echo 1 > /proc/sys/net/ipv4/ip_forward moon::ipsec start sun::ipsec start moon::sleep 1 diff --git a/testing/tests/ikev2/nat-virtual-ip/test.conf b/testing/tests/ikev2/nat-virtual-ip/test.conf index 1971a33ab..f46f137b4 100644 --- a/testing/tests/ikev2/nat-virtual-ip/test.conf +++ b/testing/tests/ikev2/nat-virtual-ip/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon winnetou sun bob" +VIRTHOSTS="alice moon winnetou sun bob" # Corresponding block diagram # DIAGRAM="a-m-w-s-b.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="sun bob" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon sun" diff --git a/testing/tests/ikev2/net2net-cert/evaltest.dat b/testing/tests/ikev2/net2net-cert/evaltest.dat index e67c39a08..2b37cad99 100644 --- a/testing/tests/ikev2/net2net-cert/evaltest.dat +++ b/testing/tests/ikev2/net2net-cert/evaltest.dat @@ -1,5 +1,7 @@ -moon::ipsec statusall::net-net.*ESTABLISHED::YES -sun::ipsec statusall::net-net.*ESTABLISHED::YES -alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES +moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES +sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES +moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES +sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/net2net-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-cert/hosts/moon/etc/ipsec.conf index 562f26826..2d31a19d2 100755..100644 --- a/testing/tests/ikev2/net2net-cert/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/net2net-cert/hosts/moon/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf index cb17a9e07..94e0b2a62 100644 --- a/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf @@ -1,6 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown multiple_authentication = no } diff --git a/testing/tests/ikev2/net2net-cert/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-cert/hosts/sun/etc/ipsec.conf index 24e5df519..06bfa038b 100755..100644 --- a/testing/tests/ikev2/net2net-cert/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ikev2/net2net-cert/hosts/sun/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf index cb17a9e07..94e0b2a62 100644 --- a/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf @@ -1,6 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown multiple_authentication = no } diff --git a/testing/tests/ikev2/net2net-cert/posttest.dat b/testing/tests/ikev2/net2net-cert/posttest.dat index a4c96e10f..837738fc6 100644 --- a/testing/tests/ikev2/net2net-cert/posttest.dat +++ b/testing/tests/ikev2/net2net-cert/posttest.dat @@ -1,5 +1,5 @@ moon::ipsec stop sun::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -sun::/etc/init.d/iptables stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/net2net-cert/pretest.dat b/testing/tests/ikev2/net2net-cert/pretest.dat index 2d7a78acb..c724e5df8 100644 --- a/testing/tests/ikev2/net2net-cert/pretest.dat +++ b/testing/tests/ikev2/net2net-cert/pretest.dat @@ -1,5 +1,5 @@ -moon::/etc/init.d/iptables start 2> /dev/null -sun::/etc/init.d/iptables start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +sun::iptables-restore < /etc/iptables.rules moon::ipsec start sun::ipsec start moon::sleep 1 diff --git a/testing/tests/ikev2/net2net-cert/test.conf b/testing/tests/ikev2/net2net-cert/test.conf index d9a61590f..646b8b3e6 100644 --- a/testing/tests/ikev2/net2net-cert/test.conf +++ b/testing/tests/ikev2/net2net-cert/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon winnetou sun bob" +VIRTHOSTS="alice moon winnetou sun bob" # Corresponding block diagram # DIAGRAM="a-m-w-s-b.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="sun" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon sun" diff --git a/testing/tests/ikev2/net2net-dnssec/description.txt b/testing/tests/ikev2/net2net-dnssec/description.txt new file mode 100644 index 000000000..9893359c0 --- /dev/null +++ b/testing/tests/ikev2/net2net-dnssec/description.txt @@ -0,0 +1,8 @@ +A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up. +The authentication is based on trustworthy public keys stored as <b>IPSECKEY</b> +resource records in the Domain Name System (DNS) and protected by <b>DNSSEC</b>. +<p/> +Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b> +automatically inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b> +pings client <b>bob</b> located behind gateway <b>sun</b>. diff --git a/testing/tests/ikev2/net2net-dnssec/evaltest.dat b/testing/tests/ikev2/net2net-dnssec/evaltest.dat new file mode 100644 index 000000000..389cac7f3 --- /dev/null +++ b/testing/tests/ikev2/net2net-dnssec/evaltest.dat @@ -0,0 +1,9 @@ +moon:: cat /var/log/daemon.log::performing a DNS query for IPSECKEY RRs of.*sun.strongswan.org::YES +sun:: cat /var/log/daemon.log::performing a DNS query for IPSECKEY RRs of.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES +sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::INSTALLED, TUNNEL::YES +sun:: ipsec status 2> /dev/null::INSTALLED, TUNNEL::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..ea10eb0a3 --- /dev/null +++ b/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + mobike=no + +conn net-net + left=PH_IP_MOON + leftid=moon.strongswan.org + leftsubnet=10.1.0.0/16 + leftsigkey=moonPub.der + leftauth=pubkey + leftfirewall=yes + right=sun.strongswan.org + rightid=sun.strongswan.org + rightsubnet=10.2.0.0/16 + rightauth=pubkey + auto=add diff --git a/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/ipsec.d/certs/moonPub.der b/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/ipsec.d/certs/moonPub.der Binary files differnew file mode 100644 index 000000000..71571044c --- /dev/null +++ b/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/ipsec.d/certs/moonPub.der diff --git a/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/ipsec.d/dnssec.keys b/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/ipsec.d/dnssec.keys new file mode 100644 index 000000000..d059d8476 --- /dev/null +++ b/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/ipsec.d/dnssec.keys @@ -0,0 +1,10 @@ +; This is a key-signing key, keyid 32329, for . +. IN DNSKEY 257 3 8 ( + AwEAAbcskaratFgvgvXl0bNq4I43ZBzd9jYnoPqsIcA0ahqXlUTUa+c2 + XzN2mS7DGcI4Z5Gn+8v/Ih4lQJQrlf9I/c2HjooCAsK1bA5cRS2DiU+b + L6Ge0nLtvNOf4C0MHGLrWcDONg5QoL0OcFvMXuUtOvDkoIMdtfDYDScx + E9vSokc98Sx553/MTxpssXeM9i+OauGqohIZU+MVRdWwvJPieCL7Ma4b + AttgG+KSbQy7x/qXPISoqzwGQvCxsL93fvD/cpp+KziqA0oH+Dfryvc5 + nWdCdra4gYz7WCFFwcY1PW6PbL5ie4jnjl3WWxopuzT46HKROxDhE+FO + O9fOgGnjzAk= + ) diff --git a/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/iptables.rules new file mode 100644 index 000000000..b2c425289 --- /dev/null +++ b/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/iptables.rules @@ -0,0 +1,28 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow esp +-A INPUT -i eth0 -p 50 -j ACCEPT +-A OUTPUT -o eth0 -p 50 -j ACCEPT + +# allow IKE +-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow DNSSEC fetch from winnetou +-A INPUT -i eth0 -p udp --sport 53 -s PH_IP_WINNETOU -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 53 -d PH_IP_WINNETOU -j ACCEPT + +COMMIT diff --git a/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/resolv.conf b/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/resolv.conf new file mode 100644 index 000000000..73d926def --- /dev/null +++ b/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/resolv.conf @@ -0,0 +1 @@ +nameserver PH_IP_WINNETOU diff --git a/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..44a54a9dd --- /dev/null +++ b/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/strongswan.conf @@ -0,0 +1,20 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = sha1 sha2 md5 aes des hmac gmp dnskey pem pkcs1 pubkey unbound ipseckey random nonce curl kernel-netlink socket-default stroke updown + + plugins { + ipseckey { + enable = yes + } + } +} + +libstrongswan { + plugins { + unbound { + # trust_anchors = /etc/ipsec.d/dnssec.keys + # resolv_conf = /etc/resolv.conf + } + } +} diff --git a/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/ipsec.conf new file mode 100644 index 000000000..9e310050d --- /dev/null +++ b/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + mobike=no + +conn net-net + left=PH_IP_SUN + leftid=sun.strongswan.org + leftsubnet=10.2.0.0/16 + leftsigkey=sunPub.der + leftauth=pubkey + leftfirewall=yes + right=moon.strongswan.org + rightid=moon.strongswan.org + rightsubnet=10.1.0.0/16 + rightauth=pubkey + auto=add diff --git a/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/ipsec.d/certs/sunPub.der b/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/ipsec.d/certs/sunPub.der Binary files differnew file mode 100644 index 000000000..cc99934db --- /dev/null +++ b/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/ipsec.d/certs/sunPub.der diff --git a/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/ipsec.d/dnssec.keys b/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/ipsec.d/dnssec.keys new file mode 100644 index 000000000..d059d8476 --- /dev/null +++ b/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/ipsec.d/dnssec.keys @@ -0,0 +1,10 @@ +; This is a key-signing key, keyid 32329, for . +. IN DNSKEY 257 3 8 ( + AwEAAbcskaratFgvgvXl0bNq4I43ZBzd9jYnoPqsIcA0ahqXlUTUa+c2 + XzN2mS7DGcI4Z5Gn+8v/Ih4lQJQrlf9I/c2HjooCAsK1bA5cRS2DiU+b + L6Ge0nLtvNOf4C0MHGLrWcDONg5QoL0OcFvMXuUtOvDkoIMdtfDYDScx + E9vSokc98Sx553/MTxpssXeM9i+OauGqohIZU+MVRdWwvJPieCL7Ma4b + AttgG+KSbQy7x/qXPISoqzwGQvCxsL93fvD/cpp+KziqA0oH+Dfryvc5 + nWdCdra4gYz7WCFFwcY1PW6PbL5ie4jnjl3WWxopuzT46HKROxDhE+FO + O9fOgGnjzAk= + ) diff --git a/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/iptables.rules b/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/iptables.rules new file mode 100644 index 000000000..b2c425289 --- /dev/null +++ b/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/iptables.rules @@ -0,0 +1,28 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow esp +-A INPUT -i eth0 -p 50 -j ACCEPT +-A OUTPUT -o eth0 -p 50 -j ACCEPT + +# allow IKE +-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow DNSSEC fetch from winnetou +-A INPUT -i eth0 -p udp --sport 53 -s PH_IP_WINNETOU -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 53 -d PH_IP_WINNETOU -j ACCEPT + +COMMIT diff --git a/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/resolv.conf b/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/resolv.conf new file mode 100644 index 000000000..73d926def --- /dev/null +++ b/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/resolv.conf @@ -0,0 +1 @@ +nameserver PH_IP_WINNETOU diff --git a/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..44a54a9dd --- /dev/null +++ b/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/strongswan.conf @@ -0,0 +1,20 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = sha1 sha2 md5 aes des hmac gmp dnskey pem pkcs1 pubkey unbound ipseckey random nonce curl kernel-netlink socket-default stroke updown + + plugins { + ipseckey { + enable = yes + } + } +} + +libstrongswan { + plugins { + unbound { + # trust_anchors = /etc/ipsec.d/dnssec.keys + # resolv_conf = /etc/resolv.conf + } + } +} diff --git a/testing/tests/ikev2/net2net-dnssec/posttest.dat b/testing/tests/ikev2/net2net-dnssec/posttest.dat new file mode 100644 index 000000000..c594c4dc8 --- /dev/null +++ b/testing/tests/ikev2/net2net-dnssec/posttest.dat @@ -0,0 +1,8 @@ +moon::ipsec stop +sun::ipsec stop +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush +moon::rm /etc/resolv.conf +sun::rm /etc/resolv.conf +moon::rm /etc/ipsec.d/dnssec.keys +sun::rm /etc/ipsec.d/dnssec.keys diff --git a/testing/tests/ikev2/net2net-dnssec/pretest.dat b/testing/tests/ikev2/net2net-dnssec/pretest.dat new file mode 100644 index 000000000..0f4ae0f4f --- /dev/null +++ b/testing/tests/ikev2/net2net-dnssec/pretest.dat @@ -0,0 +1,8 @@ +moon::iptables-restore < /etc/iptables.rules +sun::iptables-restore < /etc/iptables.rules +moon::rm /etc/ipsec.d/cacerts/* +sun::rm /etc/ipsec.d/cacerts/* +moon::ipsec start +sun::ipsec start +moon::sleep 2 +moon::ipsec up net-net diff --git a/testing/tests/ikev2/net2net-dnssec/test.conf b/testing/tests/ikev2/net2net-dnssec/test.conf new file mode 100644 index 000000000..afa2accbe --- /dev/null +++ b/testing/tests/ikev2/net2net-dnssec/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" diff --git a/testing/tests/ikev2/net2net-esn/evaltest.dat b/testing/tests/ikev2/net2net-esn/evaltest.dat index 928783c87..63058eb88 100644 --- a/testing/tests/ikev2/net2net-esn/evaltest.dat +++ b/testing/tests/ikev2/net2net-esn/evaltest.dat @@ -1,14 +1,16 @@ -sun::cat /var/log/daemon.log::received proposals: ESP:AES_CBC_128/HMAC_SHA1_96/EXT_SEQ/NO_EXT_SEQ::YES -sun::cat /var/log/daemon.log::selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/EXT_SEQ::YES -sun::cat /var/log/daemon.log::using extended sequence numbers (ESN)::YES -moon::cat /var/log/daemon.log::using extended sequence numbers (ESN)::YES -moon::ipsec statusall::net-net.*ESTABLISHED::YES -sun::ipsec statusall::net-net.*ESTABLISHED::YES -sun::ip -s xfrm state::flag af-unspec.*(0x10100000)::YES -moon::ip -s xfrm state::flag af-unspec.*(0x10100000)::YES +sun:: cat /var/log/daemon.log::received proposals: ESP:AES_CBC_128/HMAC_SHA1_96/EXT_SEQ/NO_EXT_SEQ::YES +sun:: cat /var/log/daemon.log::selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/EXT_SEQ::YES +sun:: cat /var/log/daemon.log::using extended sequence numbers (ESN)::YES +moon:: cat /var/log/daemon.log::using extended sequence numbers (ESN)::YES +moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES +sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES +sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES +sun:: ip -s xfrm state::flag af-unspec.*(0x10100000)::YES +moon:: ip -s xfrm state::flag af-unspec.*(0x10100000)::YES alice::ping -c 10 -i 0 -f PH_IP_BOB::10 packets transmitted, 10 received, 0% packet loss::YES sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES -moon::ipsec statusall::AES_CBC_128/HMAC_SHA1_96/ESN::YES -sun::ipsec statusall::AES_CBC_128/HMAC_SHA1_96/ESN::YES +moon::ipsec statusall 2> /dev/null::AES_CBC_128/HMAC_SHA1_96/ESN::YES +sun:: ipsec statusall 2> /dev/null::AES_CBC_128/HMAC_SHA1_96/ESN::YES diff --git a/testing/tests/ikev2/net2net-esn/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-esn/hosts/moon/etc/ipsec.conf index 98f4864d3..3418e63c4 100755..100644 --- a/testing/tests/ikev2/net2net-esn/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/net2net-esn/hosts/moon/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no charondebug="cfg 2, knl 2" conn %default diff --git a/testing/tests/ikev2/net2net-esn/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-esn/hosts/moon/etc/strongswan.conf index cb17a9e07..8e685c862 100644 --- a/testing/tests/ikev2/net2net-esn/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-esn/hosts/moon/etc/strongswan.conf @@ -1,6 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown multiple_authentication = no } diff --git a/testing/tests/ikev2/net2net-esn/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-esn/hosts/sun/etc/ipsec.conf index 26fde389e..f0b6c906f 100755..100644 --- a/testing/tests/ikev2/net2net-esn/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ikev2/net2net-esn/hosts/sun/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no charondebug="cfg 2, knl 2" conn %default diff --git a/testing/tests/ikev2/net2net-esn/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-esn/hosts/sun/etc/strongswan.conf index cb17a9e07..8e685c862 100644 --- a/testing/tests/ikev2/net2net-esn/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-esn/hosts/sun/etc/strongswan.conf @@ -1,6 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown multiple_authentication = no } diff --git a/testing/tests/ikev2/net2net-esn/posttest.dat b/testing/tests/ikev2/net2net-esn/posttest.dat index a4c96e10f..837738fc6 100644 --- a/testing/tests/ikev2/net2net-esn/posttest.dat +++ b/testing/tests/ikev2/net2net-esn/posttest.dat @@ -1,5 +1,5 @@ moon::ipsec stop sun::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -sun::/etc/init.d/iptables stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/net2net-esn/pretest.dat b/testing/tests/ikev2/net2net-esn/pretest.dat index 2d7a78acb..c724e5df8 100644 --- a/testing/tests/ikev2/net2net-esn/pretest.dat +++ b/testing/tests/ikev2/net2net-esn/pretest.dat @@ -1,5 +1,5 @@ -moon::/etc/init.d/iptables start 2> /dev/null -sun::/etc/init.d/iptables start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +sun::iptables-restore < /etc/iptables.rules moon::ipsec start sun::ipsec start moon::sleep 1 diff --git a/testing/tests/ikev2/net2net-esn/test.conf b/testing/tests/ikev2/net2net-esn/test.conf index d9a61590f..646b8b3e6 100644 --- a/testing/tests/ikev2/net2net-esn/test.conf +++ b/testing/tests/ikev2/net2net-esn/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon winnetou sun bob" +VIRTHOSTS="alice moon winnetou sun bob" # Corresponding block diagram # DIAGRAM="a-m-w-s-b.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="sun" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon sun" diff --git a/testing/tests/ikev2/net2net-pgp-v3/evaltest.dat b/testing/tests/ikev2/net2net-pgp-v3/evaltest.dat index 1a3759e34..460c659d9 100644 --- a/testing/tests/ikev2/net2net-pgp-v3/evaltest.dat +++ b/testing/tests/ikev2/net2net-pgp-v3/evaltest.dat @@ -1,5 +1,7 @@ -moon::ipsec status::net-net.*INSTALLED::YES -sun::ipsec status::net-net.*INSTALLED::YES -alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES +moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*71:27:04:32:cd:76:3a:18:02:0a:c9:88:c0:e7:5a:ed.*sun <sun.strongswan.org>::YES +sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun <sun.strongswan.org>.*71:27:04:32:cd:76:3a:18:02:0a:c9:88:c0:e7:5a:ed::YES +moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES +sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.conf index 405cd06bf..7601113ab 100755..100644 --- a/testing/tests/ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.conf @@ -1,7 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/net2net-pgp-v3/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-pgp-v3/hosts/moon/etc/strongswan.conf index 949b9af16..8accff27c 100644 --- a/testing/tests/ikev2/net2net-pgp-v3/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-pgp-v3/hosts/moon/etc/strongswan.conf @@ -1,6 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = sha1 sha2 md5 aes des hmac pem pkcs1 pgp gmp random stroke kernel-netlink socket-default updown + load = sha1 sha2 md5 aes des hmac pem pkcs1 pgp gmp random nonce stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.conf index 4460106de..641c3d929 100755..100644 --- a/testing/tests/ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.conf @@ -1,7 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/net2net-pgp-v3/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-pgp-v3/hosts/sun/etc/strongswan.conf index 949b9af16..8accff27c 100644 --- a/testing/tests/ikev2/net2net-pgp-v3/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-pgp-v3/hosts/sun/etc/strongswan.conf @@ -1,6 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = sha1 sha2 md5 aes des hmac pem pkcs1 pgp gmp random stroke kernel-netlink socket-default updown + load = sha1 sha2 md5 aes des hmac pem pkcs1 pgp gmp random nonce stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/net2net-pgp-v3/posttest.dat b/testing/tests/ikev2/net2net-pgp-v3/posttest.dat index fafcde975..9a9513dc3 100644 --- a/testing/tests/ikev2/net2net-pgp-v3/posttest.dat +++ b/testing/tests/ikev2/net2net-pgp-v3/posttest.dat @@ -1,7 +1,7 @@ moon::ipsec stop sun::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -sun::/etc/init.d/iptables stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush moon::rm /etc/ipsec.d/certs/* moon::rm /etc/ipsec.d/private/* sun::rm /etc/ipsec.d/certs/* diff --git a/testing/tests/ikev2/net2net-pgp-v3/pretest.dat b/testing/tests/ikev2/net2net-pgp-v3/pretest.dat index 9e40684ab..0f4ae0f4f 100644 --- a/testing/tests/ikev2/net2net-pgp-v3/pretest.dat +++ b/testing/tests/ikev2/net2net-pgp-v3/pretest.dat @@ -1,5 +1,5 @@ -moon::/etc/init.d/iptables start 2> /dev/null -sun::/etc/init.d/iptables start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +sun::iptables-restore < /etc/iptables.rules moon::rm /etc/ipsec.d/cacerts/* sun::rm /etc/ipsec.d/cacerts/* moon::ipsec start diff --git a/testing/tests/ikev2/net2net-pgp-v3/test.conf b/testing/tests/ikev2/net2net-pgp-v3/test.conf index f74d0f7d6..afa2accbe 100644 --- a/testing/tests/ikev2/net2net-pgp-v3/test.conf +++ b/testing/tests/ikev2/net2net-pgp-v3/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon winnetou sun bob" +VIRTHOSTS="alice moon winnetou sun bob" # Corresponding block diagram # DIAGRAM="a-m-w-s-b.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="sun" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon sun" diff --git a/testing/tests/ikev2/net2net-pgp-v4/evaltest.dat b/testing/tests/ikev2/net2net-pgp-v4/evaltest.dat index 1a3759e34..f74eb6a19 100644 --- a/testing/tests/ikev2/net2net-pgp-v4/evaltest.dat +++ b/testing/tests/ikev2/net2net-pgp-v4/evaltest.dat @@ -1,5 +1,7 @@ -moon::ipsec status::net-net.*INSTALLED::YES -sun::ipsec status::net-net.*INSTALLED::YES -alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES +moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*b4:2f:31:fe:c8:0a:e3:26:4a:10:1c:85:97:7a:04:ac:8d:16:38:d3::YES +sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*b4:2f:31:fe:c8:0a:e3:26:4a:10:1c:85:97:7a:04:ac:8d:16:38:d3.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES +sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/net2net-pgp-v4/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-pgp-v4/hosts/moon/etc/ipsec.conf index d059cb1da..06a26b64b 100755..100644 --- a/testing/tests/ikev2/net2net-pgp-v4/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/net2net-pgp-v4/hosts/moon/etc/ipsec.conf @@ -1,7 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/net2net-pgp-v4/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-pgp-v4/hosts/moon/etc/strongswan.conf index 949b9af16..8accff27c 100644 --- a/testing/tests/ikev2/net2net-pgp-v4/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-pgp-v4/hosts/moon/etc/strongswan.conf @@ -1,6 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = sha1 sha2 md5 aes des hmac pem pkcs1 pgp gmp random stroke kernel-netlink socket-default updown + load = sha1 sha2 md5 aes des hmac pem pkcs1 pgp gmp random nonce stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/net2net-pgp-v4/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-pgp-v4/hosts/sun/etc/ipsec.conf index 198f2a8a8..cff03c4c6 100755..100644 --- a/testing/tests/ikev2/net2net-pgp-v4/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ikev2/net2net-pgp-v4/hosts/sun/etc/ipsec.conf @@ -1,7 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/net2net-pgp-v4/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-pgp-v4/hosts/sun/etc/strongswan.conf index 949b9af16..8accff27c 100644 --- a/testing/tests/ikev2/net2net-pgp-v4/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-pgp-v4/hosts/sun/etc/strongswan.conf @@ -1,6 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = sha1 sha2 md5 aes des hmac pem pkcs1 pgp gmp random stroke kernel-netlink socket-default updown + load = sha1 sha2 md5 aes des hmac pem pkcs1 pgp gmp random nonce stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/net2net-pgp-v4/posttest.dat b/testing/tests/ikev2/net2net-pgp-v4/posttest.dat index fafcde975..9a9513dc3 100644 --- a/testing/tests/ikev2/net2net-pgp-v4/posttest.dat +++ b/testing/tests/ikev2/net2net-pgp-v4/posttest.dat @@ -1,7 +1,7 @@ moon::ipsec stop sun::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -sun::/etc/init.d/iptables stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush moon::rm /etc/ipsec.d/certs/* moon::rm /etc/ipsec.d/private/* sun::rm /etc/ipsec.d/certs/* diff --git a/testing/tests/ikev2/net2net-pgp-v4/pretest.dat b/testing/tests/ikev2/net2net-pgp-v4/pretest.dat index 9e40684ab..0f4ae0f4f 100644 --- a/testing/tests/ikev2/net2net-pgp-v4/pretest.dat +++ b/testing/tests/ikev2/net2net-pgp-v4/pretest.dat @@ -1,5 +1,5 @@ -moon::/etc/init.d/iptables start 2> /dev/null -sun::/etc/init.d/iptables start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +sun::iptables-restore < /etc/iptables.rules moon::rm /etc/ipsec.d/cacerts/* sun::rm /etc/ipsec.d/cacerts/* moon::ipsec start diff --git a/testing/tests/ikev2/net2net-pgp-v4/test.conf b/testing/tests/ikev2/net2net-pgp-v4/test.conf index f74d0f7d6..afa2accbe 100644 --- a/testing/tests/ikev2/net2net-pgp-v4/test.conf +++ b/testing/tests/ikev2/net2net-pgp-v4/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon winnetou sun bob" +VIRTHOSTS="alice moon winnetou sun bob" # Corresponding block diagram # DIAGRAM="a-m-w-s-b.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="sun" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon sun" diff --git a/testing/tests/ikev2/net2net-pkcs12/description.txt b/testing/tests/ikev2/net2net-pkcs12/description.txt new file mode 100644 index 000000000..e66ea1918 --- /dev/null +++ b/testing/tests/ikev2/net2net-pkcs12/description.txt @@ -0,0 +1,8 @@ +A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up. +The authentication is based on <b>X.509 certificates</b> and an RSA private key stored in +<b>PKCS12</b> format. +<p/> +Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically +inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b> +pings client <b>bob</b> located behind gateway <b>sun</b>. diff --git a/testing/tests/ikev2/net2net-pkcs12/evaltest.dat b/testing/tests/ikev2/net2net-pkcs12/evaltest.dat new file mode 100644 index 000000000..2b37cad99 --- /dev/null +++ b/testing/tests/ikev2/net2net-pkcs12/evaltest.dat @@ -0,0 +1,7 @@ +moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES +sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES +moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES +sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/nat-one-rw/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.conf index 8db43213f..0296e1804 100755..100644 --- a/testing/tests/ikev2/nat-one-rw/hosts/alice/etc/ipsec.conf +++ b/testing/tests/ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m @@ -11,11 +8,12 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev2 + mobike=no -conn nat-t - left=%defaultroute - leftcert=aliceCert.pem - leftid=alice@strongswan.org +conn net-net + left=PH_IP_MOON + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 leftfirewall=yes right=PH_IP_SUN rightid=@sun.strongswan.org diff --git a/testing/tests/ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.d/private/moonCert.p12 b/testing/tests/ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.d/private/moonCert.p12 Binary files differnew file mode 100644 index 000000000..d3cca4fd5 --- /dev/null +++ b/testing/tests/ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.d/private/moonCert.p12 diff --git a/testing/tests/ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..802cfc681 --- /dev/null +++ b/testing/tests/ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: P12 moonCert.p12 "kUqd8O7mzbjXNJKQ" diff --git a/testing/tests/ikev2/net2net-pkcs12/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-pkcs12/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..4628e70ce --- /dev/null +++ b/testing/tests/ikev2/net2net-pkcs12/hosts/moon/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 rc2 pem pkcs1 pkcs7 pkcs8 pkcs12 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown + multiple_authentication = no +} diff --git a/testing/tests/ikev2/nat-one-rw/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.conf index a2c168601..6dcedd0e6 100755..100644 --- a/testing/tests/ikev2/nat-one-rw/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.conf @@ -1,35 +1,21 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m keylife=20m rekeymargin=3m - keyingtries=1 + keyingtries=1 keyexchange=ikev2 + mobike=no + +conn net-net left=PH_IP_SUN - leftcert=sunCert.pem leftid=@sun.strongswan.org - leftfirewall=yes - -conn net-net leftsubnet=10.2.0.0/16 - right=PH_IP_MOON - rightsubnet=10.1.0.0/16 - rightid=@moon.strongswan.org - auto=add - -conn host-host + leftfirewall=yes right=PH_IP_MOON rightid=@moon.strongswan.org - auto=add - -conn nat-t - leftsubnet=10.2.0.0/16 - right=%any - rightsubnet=10.1.0.10/32 + rightsubnet=10.1.0.0/16 auto=add diff --git a/testing/tests/ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.d/private/sunCert.p12 b/testing/tests/ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.d/private/sunCert.p12 Binary files differnew file mode 100644 index 000000000..1a9e2aa01 --- /dev/null +++ b/testing/tests/ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.d/private/sunCert.p12 diff --git a/testing/tests/ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.secrets b/testing/tests/ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.secrets new file mode 100644 index 000000000..3dc85528c --- /dev/null +++ b/testing/tests/ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.secrets @@ -0,0 +1,8 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: P12 sunCert.p12 "IxjQVCF3JGI+MoPi" + + + + + diff --git a/testing/tests/ikev2/net2net-pkcs12/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-pkcs12/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..4628e70ce --- /dev/null +++ b/testing/tests/ikev2/net2net-pkcs12/hosts/sun/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 rc2 pem pkcs1 pkcs7 pkcs8 pkcs12 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown + multiple_authentication = no +} diff --git a/testing/tests/ikev2/net2net-pkcs12/posttest.dat b/testing/tests/ikev2/net2net-pkcs12/posttest.dat new file mode 100644 index 000000000..0fbba487c --- /dev/null +++ b/testing/tests/ikev2/net2net-pkcs12/posttest.dat @@ -0,0 +1,6 @@ +moon::ipsec stop +sun::ipsec stop +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush +moon::rm /etc/ipsec.d/private/moonCert.p12 +sun::rm /etc/ipsec.d/private/sunCert.p12 diff --git a/testing/tests/ikev2/net2net-pkcs12/pretest.dat b/testing/tests/ikev2/net2net-pkcs12/pretest.dat new file mode 100644 index 000000000..3492238f0 --- /dev/null +++ b/testing/tests/ikev2/net2net-pkcs12/pretest.dat @@ -0,0 +1,10 @@ +moon::rm /etc/ipsec.d/private/moonKey.pem +moon::rm /etc/ipsec.d/cacerts/strongswanCert.pem +sun::rm /etc/ipsec.d/private/sunKey.pem +sun::rm /etc/ipsec.d/cacerts/strongswanCert.pem +moon::iptables-restore < /etc/iptables.rules +sun::iptables-restore < /etc/iptables.rules +moon::ipsec start +sun::ipsec start +moon::sleep 1 +moon::ipsec up net-net diff --git a/testing/tests/ikev2/net2net-pkcs12/test.conf b/testing/tests/ikev2/net2net-pkcs12/test.conf new file mode 100644 index 000000000..646b8b3e6 --- /dev/null +++ b/testing/tests/ikev2/net2net-pkcs12/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" diff --git a/testing/tests/ikev2/net2net-psk-dscp/evaltest.dat b/testing/tests/ikev2/net2net-psk-dscp/evaltest.dat index 5881d9246..113c3d9c0 100644 --- a/testing/tests/ikev2/net2net-psk-dscp/evaltest.dat +++ b/testing/tests/ikev2/net2net-psk-dscp/evaltest.dat @@ -1,8 +1,8 @@ -moon::ipsec statusall::dscp-be.*ESTABLISHED::YES -moon::ipsec statusall::dscp-ef.*ESTABLISHED::YES -sun::ipsec statusall::dscp-be.*ESTABLISHED::YES -sun::ipsec statusall::dscp-ef.*ESTABLISHED::YES -alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES -venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES +moon:: ipsec status 2> /dev/null::dscp-be.*ESTABLISHED.*moon-be.*sun-be::YES +moon:: ipsec status 2> /dev/null::dscp-ef.*ESTABLISHED.*moon-ef.*sun-ef::YES +sun:: ipsec status 2> /dev/null::dscp-be.*ESTABLISHED.*sun-be.*moon-be::YES +sun:: ipsec status 2> /dev/null::dscp-ef.*ESTABLISHED.*sun-ef.*moon-ef::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES +venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/ipsec.conf index d78d27c1a..aeaebe1f4 100755..100644 --- a/testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no charondebug="knl 2" conn %default @@ -15,15 +12,15 @@ conn %default mobike=no conn dscp-be - leftid=@sun-be - rightid=@moon-be + leftid=@moon-be + rightid=@sun-be mark=10 also=net-net auto=add conn dscp-ef - leftid=@sun-ef - rightid=@moon-ef + leftid=@moon-ef + rightid=@sun-ef mark=20 also=net-net auto=add diff --git a/testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/strongswan.conf index 5e8f49b17..54cdfd9bc 100644 --- a/testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/strongswan.conf @@ -1,6 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 gmp random nonce hmac xcbc stroke kernel-netlink socket-default updown multiple_authentication = no } diff --git a/testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/ipsec.conf index 9d2ef7471..8b54476fd 100755..100644 --- a/testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no charondebug="knl 2" conn %default @@ -15,15 +12,15 @@ conn %default mobike=no conn dscp-be - leftid=@moon-be - rightid=@sun-be + leftid=@sun-be + rightid=@moon-be mark=10 also=net-net auto=add conn dscp-ef - leftid=@moon-ef - rightid=@sun-ef + leftid=@sun-ef + rightid=@moon-ef mark=20 also=net-net auto=add diff --git a/testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/strongswan.conf index 5e8f49b17..54cdfd9bc 100644 --- a/testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/strongswan.conf @@ -1,6 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 gmp random nonce hmac xcbc stroke kernel-netlink socket-default updown multiple_authentication = no } diff --git a/testing/tests/ikev2/net2net-psk-dscp/posttest.dat b/testing/tests/ikev2/net2net-psk-dscp/posttest.dat index d070c1443..21a22bfb8 100644 --- a/testing/tests/ikev2/net2net-psk-dscp/posttest.dat +++ b/testing/tests/ikev2/net2net-psk-dscp/posttest.dat @@ -1,7 +1,7 @@ moon::ipsec stop sun::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -sun::/etc/init.d/iptables stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush alice::iptables -t mangle -F OUTPUT venus::iptables -t mangle -F OUTPUT bob::iptables -t mangle -F OUTPUT diff --git a/testing/tests/ikev2/net2net-psk-dscp/pretest.dat b/testing/tests/ikev2/net2net-psk-dscp/pretest.dat index 058c24f8f..0495890dd 100644 --- a/testing/tests/ikev2/net2net-psk-dscp/pretest.dat +++ b/testing/tests/ikev2/net2net-psk-dscp/pretest.dat @@ -1,7 +1,7 @@ moon::rm /etc/ipsec.d/cacerts/* sun::rm /etc/ipsec.d/cacerts/* -moon::/etc/init.d/iptables start 2> /dev/null -sun::/etc/init.d/iptables start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +sun::iptables-restore < /etc/iptables.rules alice::iptables -t mangle -A OUTPUT -p icmp -j DSCP --set-dscp-class BE venus::iptables -t mangle -A OUTPUT -p icmp -j DSCP --set-dscp-class EF moon::iptables -t mangle -A PREROUTING -m dscp --dscp-class BE -j MARK --set-mark 10 diff --git a/testing/tests/ikev2/net2net-psk-dscp/test.conf b/testing/tests/ikev2/net2net-psk-dscp/test.conf index 13a8a2a48..10c582c9b 100644 --- a/testing/tests/ikev2/net2net-psk-dscp/test.conf +++ b/testing/tests/ikev2/net2net-psk-dscp/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice venus moon winnetou sun bob" +VIRTHOSTS="alice venus moon winnetou sun bob" # Corresponding block diagram # DIAGRAM="a-v-m-w-s-b.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="sun" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon sun" diff --git a/testing/tests/ikev2/net2net-psk-fail/description.txt b/testing/tests/ikev2/net2net-psk-fail/description.txt new file mode 100644 index 000000000..d41b2c954 --- /dev/null +++ b/testing/tests/ikev2/net2net-psk-fail/description.txt @@ -0,0 +1,4 @@ +A connection between the gateways <b>moon</b> and <b>sun</b> is set up. +The authentication is based on <b>Preshared Keys</b> (PSK), but gateway <b>moon</b> +uses a wrong PSK. Therefore the connection setup is aborted by gateway <b>sun</b> +by sending an <b>AUTHENTICATION_FAILED</b> notify error. diff --git a/testing/tests/ikev2/net2net-psk-fail/evaltest.dat b/testing/tests/ikev2/net2net-psk-fail/evaltest.dat new file mode 100644 index 000000000..3f5092893 --- /dev/null +++ b/testing/tests/ikev2/net2net-psk-fail/evaltest.dat @@ -0,0 +1,6 @@ +sun:: cat /var/log/daemon.log::tried 1 shared key for.*sun.strongswan.org.*moon.strongswan.org.*but MAC mismatched::YES +moon::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES +moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::NO +sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::NO +moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::NO +sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::NO diff --git a/testing/tests/ikev2/net2net-psk-fail/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-psk-fail/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..f495194a7 --- /dev/null +++ b/testing/tests/ikev2/net2net-psk-fail/hosts/moon/etc/ipsec.conf @@ -0,0 +1,22 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + authby=secret + keyexchange=ikev2 + mobike=no + +conn net-net + left=PH_IP_MOON + leftsubnet=10.1.0.0/16 + leftid=@moon.strongswan.org + leftfirewall=yes + right=PH_IP_SUN + rightsubnet=10.2.0.0/16 + rightid=@sun.strongswan.org + auto=add diff --git a/testing/tests/ikev2/net2net-psk-fail/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/net2net-psk-fail/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..38ebf966c --- /dev/null +++ b/testing/tests/ikev2/net2net-psk-fail/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,4 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +@moon.strongswan.org @sun.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2dxxxx + diff --git a/testing/tests/ikev2/net2net-psk-fail/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-psk-fail/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..5db4358d6 --- /dev/null +++ b/testing/tests/ikev2/net2net-psk-fail/hosts/moon/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown + multiple_authentication = no +} diff --git a/testing/tests/ikev2/nat-two-rw/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-psk-fail/hosts/sun/etc/ipsec.conf index d8b426318..26f16ac6e 100755..100644 --- a/testing/tests/ikev2/nat-two-rw/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ikev2/net2net-psk-fail/hosts/sun/etc/ipsec.conf @@ -1,35 +1,22 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m keylife=20m rekeymargin=3m keyingtries=1 + authby=secret keyexchange=ikev2 - left=PH_IP_SUN - leftcert=sunCert.pem - leftid=@sun.strongswan.org - leftfirewall=yes + mobike=no conn net-net + left=PH_IP_SUN leftsubnet=10.2.0.0/16 + leftid=@sun.strongswan.org + leftfirewall=yes right=PH_IP_MOON rightsubnet=10.1.0.0/16 rightid=@moon.strongswan.org auto=add - -conn host-host - right=PH_IP_MOON - rightid=@moon.strongswan.org - auto=add - -conn nat-t - leftsubnet=10.2.0.0/16 - right=%any - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/ikev2/net2net-psk-fail/hosts/sun/etc/ipsec.secrets b/testing/tests/ikev2/net2net-psk-fail/hosts/sun/etc/ipsec.secrets new file mode 100644 index 000000000..be95c4d99 --- /dev/null +++ b/testing/tests/ikev2/net2net-psk-fail/hosts/sun/etc/ipsec.secrets @@ -0,0 +1,7 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +@moon.strongswan.org @sun.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL + + + + diff --git a/testing/tests/ikev2/net2net-psk-fail/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-psk-fail/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..5db4358d6 --- /dev/null +++ b/testing/tests/ikev2/net2net-psk-fail/hosts/sun/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown + multiple_authentication = no +} diff --git a/testing/tests/ikev2/net2net-psk-fail/posttest.dat b/testing/tests/ikev2/net2net-psk-fail/posttest.dat new file mode 100644 index 000000000..1f7aa73a1 --- /dev/null +++ b/testing/tests/ikev2/net2net-psk-fail/posttest.dat @@ -0,0 +1,4 @@ +moon::ipsec stop +sun::ipsec stop +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/net2net-psk-fail/pretest.dat b/testing/tests/ikev2/net2net-psk-fail/pretest.dat new file mode 100644 index 000000000..cb9282595 --- /dev/null +++ b/testing/tests/ikev2/net2net-psk-fail/pretest.dat @@ -0,0 +1,8 @@ +moon::iptables-restore < /etc/iptables.rules +sun::iptables-restore < /etc/iptables.rules +moon::rm /etc/ipsec.d/cacerts/* +sun::rm /etc/ipsec.d/cacerts/* +moon::ipsec start +sun::ipsec start +moon::sleep 1 +moon::ipsec up net-net diff --git a/testing/tests/ikev2/net2net-psk-fail/test.conf b/testing/tests/ikev2/net2net-psk-fail/test.conf new file mode 100644 index 000000000..eb4822b5d --- /dev/null +++ b/testing/tests/ikev2/net2net-psk-fail/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="moon winnetou sun" + +# Corresponding block diagram +# +DIAGRAM="m-w-s.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" diff --git a/testing/tests/ikev2/net2net-psk/evaltest.dat b/testing/tests/ikev2/net2net-psk/evaltest.dat index e67c39a08..2b37cad99 100644 --- a/testing/tests/ikev2/net2net-psk/evaltest.dat +++ b/testing/tests/ikev2/net2net-psk/evaltest.dat @@ -1,5 +1,7 @@ -moon::ipsec statusall::net-net.*ESTABLISHED::YES -sun::ipsec statusall::net-net.*ESTABLISHED::YES -alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES +moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES +sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES +moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES +sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/net2net-psk/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-psk/hosts/moon/etc/ipsec.conf index 15d8ddb11..f495194a7 100755..100644 --- a/testing/tests/ikev2/net2net-psk/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/net2net-psk/hosts/moon/etc/ipsec.conf @@ -1,7 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/net2net-psk/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/net2net-psk/hosts/moon/etc/ipsec.secrets index cbdddfb18..ba909a234 100644 --- a/testing/tests/ikev2/net2net-psk/hosts/moon/etc/ipsec.secrets +++ b/testing/tests/ikev2/net2net-psk/hosts/moon/etc/ipsec.secrets @@ -8,5 +8,5 @@ : PSK 'My "home" is my "castle"!' -192.168.0.1 : PSK "Andi's home" +PH_IP_MOON : PSK "Andi's home" diff --git a/testing/tests/ikev2/net2net-psk/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-psk/hosts/moon/etc/strongswan.conf index 4e2fcf17b..5db4358d6 100644 --- a/testing/tests/ikev2/net2net-psk/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-psk/hosts/moon/etc/strongswan.conf @@ -1,6 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink socket-default updown + load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown multiple_authentication = no } diff --git a/testing/tests/ikev2/net2net-psk/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-psk/hosts/sun/etc/ipsec.conf index e145d9974..26f16ac6e 100755..100644 --- a/testing/tests/ikev2/net2net-psk/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ikev2/net2net-psk/hosts/sun/etc/ipsec.conf @@ -1,7 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/net2net-psk/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-psk/hosts/sun/etc/strongswan.conf index 4e2fcf17b..5db4358d6 100644 --- a/testing/tests/ikev2/net2net-psk/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-psk/hosts/sun/etc/strongswan.conf @@ -1,6 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink socket-default updown + load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown multiple_authentication = no } diff --git a/testing/tests/ikev2/net2net-psk/posttest.dat b/testing/tests/ikev2/net2net-psk/posttest.dat index 5a9150bc8..1f7aa73a1 100644 --- a/testing/tests/ikev2/net2net-psk/posttest.dat +++ b/testing/tests/ikev2/net2net-psk/posttest.dat @@ -1,4 +1,4 @@ moon::ipsec stop sun::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -sun::/etc/init.d/iptables stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/net2net-psk/pretest.dat b/testing/tests/ikev2/net2net-psk/pretest.dat index 976a196db..cb9282595 100644 --- a/testing/tests/ikev2/net2net-psk/pretest.dat +++ b/testing/tests/ikev2/net2net-psk/pretest.dat @@ -1,5 +1,5 @@ -moon::/etc/init.d/iptables start 2> /dev/null -sun::/etc/init.d/iptables start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +sun::iptables-restore < /etc/iptables.rules moon::rm /etc/ipsec.d/cacerts/* sun::rm /etc/ipsec.d/cacerts/* moon::ipsec start diff --git a/testing/tests/ikev2/net2net-psk/test.conf b/testing/tests/ikev2/net2net-psk/test.conf index f74d0f7d6..afa2accbe 100644 --- a/testing/tests/ikev2/net2net-psk/test.conf +++ b/testing/tests/ikev2/net2net-psk/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon winnetou sun bob" +VIRTHOSTS="alice moon winnetou sun bob" # Corresponding block diagram # DIAGRAM="a-m-w-s-b.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="sun" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon sun" diff --git a/testing/tests/ikev2/net2net-pubkey/evaltest.dat b/testing/tests/ikev2/net2net-pubkey/evaltest.dat index 0ccfb7efd..bc03a39fb 100644 --- a/testing/tests/ikev2/net2net-pubkey/evaltest.dat +++ b/testing/tests/ikev2/net2net-pubkey/evaltest.dat @@ -1,7 +1,7 @@ -moon::ipsec status::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES -sun::ipsec status::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES -moon::ipsec status::INSTALLED, TUNNEL::YES -sun::ipsec status::INSTALLED, TUNNEL::YES -alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES +moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES +sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::INSTALLED, TUNNEL::YES +sun:: ipsec status 2> /dev/null::INSTALLED, TUNNEL::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/ipsec.conf index 945cf3a40..bcc6d5b69 100755..100644 --- a/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/ipsec.conf @@ -1,7 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutostart=no conn %default ikelifetime=60m @@ -14,12 +13,12 @@ conn net-net left=PH_IP_MOON leftsubnet=10.1.0.0/16 leftid=@moon.strongswan.org - leftrsasigkey=moonPub.der + leftsigkey=moonPub.der leftauth=pubkey leftfirewall=yes right=PH_IP_SUN rightsubnet=10.2.0.0/16 rightid=@sun.strongswan.org - rightrsasigkey=sunPub.der + rightsigkey=sunPub.der rightauth=pubkey auto=add diff --git a/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/strongswan.conf index 0581bae5c..3cd90047f 100644 --- a/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = sha1 sha2 md5 aes des hmac gmp pem pkcs1 pubkey random curl kernel-netlink socket-default stroke updown + load = sha1 sha2 md5 aes des hmac gmp pem pkcs1 pubkey random nonce curl kernel-netlink socket-default stroke updown } diff --git a/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/ipsec.conf index 5c07de8a2..4fe2e67de 100755..100644 --- a/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/ipsec.conf @@ -1,7 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutostart=no conn %default ikelifetime=60m @@ -14,10 +13,10 @@ conn net-net left=PH_IP_SUN leftsubnet=10.2.0.0/16 leftid=@sun.strongswan.org - leftrsasigkey=sunPub.der + leftsigkey=sunPub.der leftfirewall=yes right=PH_IP_MOON rightsubnet=10.1.0.0/16 rightid=@moon.strongswan.org - rightrsasigkey=moonPub.der + rightsigkey=moonPub.der auto=add diff --git a/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/strongswan.conf index 0581bae5c..3cd90047f 100644 --- a/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = sha1 sha2 md5 aes des hmac gmp pem pkcs1 pubkey random curl kernel-netlink socket-default stroke updown + load = sha1 sha2 md5 aes des hmac gmp pem pkcs1 pubkey random nonce curl kernel-netlink socket-default stroke updown } diff --git a/testing/tests/ikev2/net2net-pubkey/posttest.dat b/testing/tests/ikev2/net2net-pubkey/posttest.dat index 65b18b7ca..675b02976 100644 --- a/testing/tests/ikev2/net2net-pubkey/posttest.dat +++ b/testing/tests/ikev2/net2net-pubkey/posttest.dat @@ -1,7 +1,7 @@ moon::ipsec stop sun::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -sun::/etc/init.d/iptables stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush moon::rm /etc/ipsec.d/private/moonKey.der sun::rm /etc/ipsec.d/private/sunKey.der moon::rm /etc/ipsec.d/certs/*.der diff --git a/testing/tests/ikev2/net2net-pubkey/pretest.dat b/testing/tests/ikev2/net2net-pubkey/pretest.dat index 9e40684ab..0f4ae0f4f 100644 --- a/testing/tests/ikev2/net2net-pubkey/pretest.dat +++ b/testing/tests/ikev2/net2net-pubkey/pretest.dat @@ -1,5 +1,5 @@ -moon::/etc/init.d/iptables start 2> /dev/null -sun::/etc/init.d/iptables start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +sun::iptables-restore < /etc/iptables.rules moon::rm /etc/ipsec.d/cacerts/* sun::rm /etc/ipsec.d/cacerts/* moon::ipsec start diff --git a/testing/tests/ikev2/net2net-pubkey/test.conf b/testing/tests/ikev2/net2net-pubkey/test.conf index f74d0f7d6..afa2accbe 100644 --- a/testing/tests/ikev2/net2net-pubkey/test.conf +++ b/testing/tests/ikev2/net2net-pubkey/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon winnetou sun bob" +VIRTHOSTS="alice moon winnetou sun bob" # Corresponding block diagram # DIAGRAM="a-m-w-s-b.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="sun" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon sun" diff --git a/testing/tests/ikev2/net2net-rfc3779/evaltest.dat b/testing/tests/ikev2/net2net-rfc3779/evaltest.dat index 149cf727a..e8e1a46e4 100644 --- a/testing/tests/ikev2/net2net-rfc3779/evaltest.dat +++ b/testing/tests/ikev2/net2net-rfc3779/evaltest.dat @@ -1,15 +1,15 @@ -moon::ipsec statusall::net-net.*ESTABLISHED::YES -sun::ipsec statusall::net-net.*ESTABLISHED::YES -moon::cat /var/log/daemon.log::subject address block 10.2.0.0/16 is contained in issuer address block 10.1.0.0..10.2.255.255::YES -moon::cat /var/log/daemon.log::subject address block 192.168.0.2/32 is contained in issuer address block 192.168.0.0/24::YES -moon::cat /var/log/daemon.log::subject address block fec0:\:2/128 is contained in issuer address block fec0:\:..fec2:ffff:ffff:ffff:ffff:ffff:ffff:ffff::YES -moon::cat /var/log/daemon.log::subject address block fec2:\:/16 is contained in issuer address block fec0:\:..fec2:ffff:ffff:ffff:ffff:ffff:ffff:ffff::YES -sun::cat /var/log/daemon.log::subject address block 10.1.0.0/16 is contained in issuer address block 10.1.0.0..10.2.255.255::YES -sun::cat /var/log/daemon.log::subject address block 192.168.0.1/32 is contained in issuer address block 192.168.0.0/24::YES -sun::cat /var/log/daemon.log::subject address block fec0:\:1/128 is contained in issuer address block fec0:\:..fec2:ffff:ffff:ffff:ffff:ffff:ffff:ffff::YES -sun::cat /var/log/daemon.log::subject address block fec1:\:/16 is contained in issuer address block fec0:\:..fec2:ffff:ffff:ffff:ffff:ffff:ffff:ffff::YES -moon::cat /var/log/daemon.log::TS 10.2.0.0/16 is contained in address block constraint 10.2.0.0/16::YES -sun::cat /var/log/daemon.log::TS 10.1.0.0/16 is contained in address block constraint 10.1.0.0/16::YES -alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES +moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES +sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES +moon:: cat /var/log/daemon.log::subject address block 10.2.0.0/16 is contained in issuer address block 10.1.0.0..10.2.255.255::YES +moon:: cat /var/log/daemon.log::subject address block PH_IP_SUN/32 is contained in issuer address block 192.168.0.0/24::YES +moon:: cat /var/log/daemon.log::subject address block fec0:\:2/128 is contained in issuer address block fec0:\:..fec2:ffff:ffff:ffff:ffff:ffff:ffff:ffff::YES +moon:: cat /var/log/daemon.log::subject address block fec2:\:/16 is contained in issuer address block fec0:\:..fec2:ffff:ffff:ffff:ffff:ffff:ffff:ffff::YES +sun:: cat /var/log/daemon.log::subject address block 10.1.0.0/16 is contained in issuer address block 10.1.0.0..10.2.255.255::YES +sun:: cat /var/log/daemon.log::subject address block PH_IP_MOON/32 is contained in issuer address block 192.168.0.0/24::YES +sun:: cat /var/log/daemon.log::subject address block fec0:\:1/128 is contained in issuer address block fec0:\:..fec2:ffff:ffff:ffff:ffff:ffff:ffff:ffff::YES +sun:: cat /var/log/daemon.log::subject address block fec1:\:/16 is contained in issuer address block fec0:\:..fec2:ffff:ffff:ffff:ffff:ffff:ffff:ffff::YES +moon:: cat /var/log/daemon.log::TS 10.2.0.0/16 is contained in address block constraint 10.2.0.0/16::YES +sun:: cat /var/log/daemon.log::TS 10.1.0.0/16 is contained in address block constraint 10.1.0.0/16::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.conf index ce59d849c..9ba918893 100755..100644 --- a/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no charondebug="cfg 2" conn %default diff --git a/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/strongswan.conf index 025e1c222..f1e81ea2f 100644 --- a/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/strongswan.conf @@ -1,6 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation addrblock hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation addrblock hmac xcbc stroke kernel-netlink socket-default updown multiple_authentication = no } diff --git a/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.conf index afc2e399e..d41e43a5c 100755..100644 --- a/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no charondebug="cfg 2" conn %default diff --git a/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/strongswan.conf index 025e1c222..f1e81ea2f 100644 --- a/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/strongswan.conf @@ -1,6 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation addrblock hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation addrblock hmac xcbc stroke kernel-netlink socket-default updown multiple_authentication = no } diff --git a/testing/tests/ikev2/net2net-rfc3779/posttest.dat b/testing/tests/ikev2/net2net-rfc3779/posttest.dat index a4c96e10f..837738fc6 100644 --- a/testing/tests/ikev2/net2net-rfc3779/posttest.dat +++ b/testing/tests/ikev2/net2net-rfc3779/posttest.dat @@ -1,5 +1,5 @@ moon::ipsec stop sun::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -sun::/etc/init.d/iptables stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/net2net-rfc3779/pretest.dat b/testing/tests/ikev2/net2net-rfc3779/pretest.dat index 545a3690e..9fe2860b9 100644 --- a/testing/tests/ikev2/net2net-rfc3779/pretest.dat +++ b/testing/tests/ikev2/net2net-rfc3779/pretest.dat @@ -1,5 +1,5 @@ -moon::/etc/init.d/iptables start 2> /dev/null -sun::/etc/init.d/iptables start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +sun::iptables-restore < /etc/iptables.rules moon::ipsec start sun::ipsec start moon::sleep 1 diff --git a/testing/tests/ikev2/net2net-rfc3779/test.conf b/testing/tests/ikev2/net2net-rfc3779/test.conf index d9a61590f..646b8b3e6 100644 --- a/testing/tests/ikev2/net2net-rfc3779/test.conf +++ b/testing/tests/ikev2/net2net-rfc3779/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon winnetou sun bob" +VIRTHOSTS="alice moon winnetou sun bob" # Corresponding block diagram # DIAGRAM="a-m-w-s-b.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="sun" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon sun" diff --git a/testing/tests/ikev2/net2net-route/evaltest.dat b/testing/tests/ikev2/net2net-route/evaltest.dat index a89e5a298..77ab6e7c6 100644 --- a/testing/tests/ikev2/net2net-route/evaltest.dat +++ b/testing/tests/ikev2/net2net-route/evaltest.dat @@ -1,6 +1,8 @@ -moon::cat /var/log/daemon.log::creating acquire job::YES -moon::ipsec statusall::net-net.*INSTALLED::YES -sun::ipsec statusall::net-net.*INSTALLED::YES -alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES +moon:: cat /var/log/daemon.log::creating acquire job::YES +moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES +sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES +sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/net2net-route/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-route/hosts/moon/etc/ipsec.conf index 8a2f8b77c..c374cd6b4 100755..100644 --- a/testing/tests/ikev2/net2net-route/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/net2net-route/hosts/moon/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/net2net-route/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-route/hosts/moon/etc/strongswan.conf index cb17a9e07..8e685c862 100644 --- a/testing/tests/ikev2/net2net-route/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-route/hosts/moon/etc/strongswan.conf @@ -1,6 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown multiple_authentication = no } diff --git a/testing/tests/ikev2/net2net-route/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-route/hosts/sun/etc/ipsec.conf index 24e5df519..06bfa038b 100755..100644 --- a/testing/tests/ikev2/net2net-route/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ikev2/net2net-route/hosts/sun/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/net2net-route/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-route/hosts/sun/etc/strongswan.conf index cb17a9e07..8e685c862 100644 --- a/testing/tests/ikev2/net2net-route/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-route/hosts/sun/etc/strongswan.conf @@ -1,6 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown multiple_authentication = no } diff --git a/testing/tests/ikev2/net2net-route/posttest.dat b/testing/tests/ikev2/net2net-route/posttest.dat index 5a9150bc8..1f7aa73a1 100644 --- a/testing/tests/ikev2/net2net-route/posttest.dat +++ b/testing/tests/ikev2/net2net-route/posttest.dat @@ -1,4 +1,4 @@ moon::ipsec stop sun::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -sun::/etc/init.d/iptables stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/net2net-route/pretest.dat b/testing/tests/ikev2/net2net-route/pretest.dat index 2eef7de19..e4ee3fac2 100644 --- a/testing/tests/ikev2/net2net-route/pretest.dat +++ b/testing/tests/ikev2/net2net-route/pretest.dat @@ -1,5 +1,5 @@ -moon::/etc/init.d/iptables start 2> /dev/null -sun::/etc/init.d/iptables start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +sun::iptables-restore < /etc/iptables.rules moon::ipsec start sun::ipsec start moon::sleep 2 diff --git a/testing/tests/ikev2/net2net-route/test.conf b/testing/tests/ikev2/net2net-route/test.conf index d9a61590f..646b8b3e6 100644 --- a/testing/tests/ikev2/net2net-route/test.conf +++ b/testing/tests/ikev2/net2net-route/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon winnetou sun bob" +VIRTHOSTS="alice moon winnetou sun bob" # Corresponding block diagram # DIAGRAM="a-m-w-s-b.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="sun" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon sun" diff --git a/testing/tests/ikev2/net2net-rsa/evaltest.dat b/testing/tests/ikev2/net2net-rsa/evaltest.dat index 0ccfb7efd..bc03a39fb 100644 --- a/testing/tests/ikev2/net2net-rsa/evaltest.dat +++ b/testing/tests/ikev2/net2net-rsa/evaltest.dat @@ -1,7 +1,7 @@ -moon::ipsec status::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES -sun::ipsec status::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES -moon::ipsec status::INSTALLED, TUNNEL::YES -sun::ipsec status::INSTALLED, TUNNEL::YES -alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES +moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES +sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::INSTALLED, TUNNEL::YES +sun:: ipsec status 2> /dev/null::INSTALLED, TUNNEL::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/net2net-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-rsa/hosts/moon/etc/ipsec.conf index 61b9b710a..c0ee06240 100755..100644 --- a/testing/tests/ikev2/net2net-rsa/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/net2net-rsa/hosts/moon/etc/ipsec.conf @@ -1,7 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutostart=no conn %default ikelifetime=60m @@ -14,12 +13,12 @@ conn net-net left=PH_IP_MOON leftsubnet=10.1.0.0/16 leftid=@moon.strongswan.org - leftrsasigkey=0sAQN+mkeECF5Bm7XnDkkkfmgny/TZndTkN1XzFZWB7nJroM3cTk3zMtdSPX8hY9GQxVGWSsmUBq7mGA5Qx39JpRNpyzxW7wRcMbwqDquG1PRfblLzV1ixdXOGSLUNaXonqDI/h5fCkqTuZtLbE4q3Pf4PmQAwzWVWaTZQ1gXXqUqKlN6218Hm2vbvNRE/CBHuFMmaCz11jckvaPvcqBLZzRTx9b/Mi+qD6xT7k9RpYHmtaGCJ95ed1bY6SZkapgHWu88/3M6bxCzD0KOA3oFbwlkHkFyaGWFB2+fc7L6BfYq0wr/d84tQdOxEn3BwLTrVKo7+6AxDrMi0I+blD2nd9cxj + leftsigkey=dns:0sAQN+mkeECF5Bm7XnDkkkfmgny/TZndTkN1XzFZWB7nJroM3cTk3zMtdSPX8hY9GQxVGWSsmUBq7mGA5Qx39JpRNpyzxW7wRcMbwqDquG1PRfblLzV1ixdXOGSLUNaXonqDI/h5fCkqTuZtLbE4q3Pf4PmQAwzWVWaTZQ1gXXqUqKlN6218Hm2vbvNRE/CBHuFMmaCz11jckvaPvcqBLZzRTx9b/Mi+qD6xT7k9RpYHmtaGCJ95ed1bY6SZkapgHWu88/3M6bxCzD0KOA3oFbwlkHkFyaGWFB2+fc7L6BfYq0wr/d84tQdOxEn3BwLTrVKo7+6AxDrMi0I+blD2nd9cxj leftauth=pubkey leftfirewall=yes right=PH_IP_SUN rightsubnet=10.2.0.0/16 rightid=@sun.strongswan.org - rightrsasigkey=0sAQOiSuR9e/WMZFOxK3IdaFBOT2DGoObFDJURejqLcjMpmY2yVbA9Lpc+AEGKxqjb37WG6sVo3fBCDBOAhgmMw9s0b6DTSeXaIQloqW1M8IC+xe1fT+F0BsW1ttaEN0WTF5H+J+a4/arYg4HyiA+sjoqHagnCVPM15Rm5mkmg913XmSCgtkenD4WUq+NfPLuOcggqTjHAAoGD0doswRa3sebyqHQNAb32PXW9ecKi9ExcPrdr5hR5uNXRMYGumBtoxcE6xEvCM/sPRK1hbyynixc5nfMQ5Ymb4mdCUotUGaCyKDa4pF58sYgP6xpd/HXMXGdRP+KxqA4sfes46gp8UuJT + rightsigkey=dns:0sAQOiSuR9e/WMZFOxK3IdaFBOT2DGoObFDJURejqLcjMpmY2yVbA9Lpc+AEGKxqjb37WG6sVo3fBCDBOAhgmMw9s0b6DTSeXaIQloqW1M8IC+xe1fT+F0BsW1ttaEN0WTF5H+J+a4/arYg4HyiA+sjoqHagnCVPM15Rm5mkmg913XmSCgtkenD4WUq+NfPLuOcggqTjHAAoGD0doswRa3sebyqHQNAb32PXW9ecKi9ExcPrdr5hR5uNXRMYGumBtoxcE6xEvCM/sPRK1hbyynixc5nfMQ5Ymb4mdCUotUGaCyKDa4pF58sYgP6xpd/HXMXGdRP+KxqA4sfes46gp8UuJT rightauth=pubkey auto=add diff --git a/testing/tests/ikev2/net2net-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-rsa/hosts/moon/etc/strongswan.conf index 3bc16ccda..e1efec866 100644 --- a/testing/tests/ikev2/net2net-rsa/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-rsa/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = sha1 sha2 md5 aes des hmac gmp dnskey pem pkcs1 pubkey random curl kernel-netlink socket-default stroke updown + load = sha1 sha2 md5 aes des hmac gmp dnskey pem pkcs1 pubkey random nonce curl kernel-netlink socket-default stroke updown } diff --git a/testing/tests/ikev2/net2net-rsa/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-rsa/hosts/sun/etc/ipsec.conf index 24e20dc25..b089e9f48 100755..100644 --- a/testing/tests/ikev2/net2net-rsa/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ikev2/net2net-rsa/hosts/sun/etc/ipsec.conf @@ -1,7 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutostart=no conn %default ikelifetime=60m @@ -14,10 +13,10 @@ conn net-net left=PH_IP_SUN leftsubnet=10.2.0.0/16 leftid=@sun.strongswan.org - leftrsasigkey=0sAQOiSuR9e/WMZFOxK3IdaFBOT2DGoObFDJURejqLcjMpmY2yVbA9Lpc+AEGKxqjb37WG6sVo3fBCDBOAhgmMw9s0b6DTSeXaIQloqW1M8IC+xe1fT+F0BsW1ttaEN0WTF5H+J+a4/arYg4HyiA+sjoqHagnCVPM15Rm5mkmg913XmSCgtkenD4WUq+NfPLuOcggqTjHAAoGD0doswRa3sebyqHQNAb32PXW9ecKi9ExcPrdr5hR5uNXRMYGumBtoxcE6xEvCM/sPRK1hbyynixc5nfMQ5Ymb4mdCUotUGaCyKDa4pF58sYgP6xpd/HXMXGdRP+KxqA4sfes46gp8UuJT + leftsigkey=dns:0sAQOiSuR9e/WMZFOxK3IdaFBOT2DGoObFDJURejqLcjMpmY2yVbA9Lpc+AEGKxqjb37WG6sVo3fBCDBOAhgmMw9s0b6DTSeXaIQloqW1M8IC+xe1fT+F0BsW1ttaEN0WTF5H+J+a4/arYg4HyiA+sjoqHagnCVPM15Rm5mkmg913XmSCgtkenD4WUq+NfPLuOcggqTjHAAoGD0doswRa3sebyqHQNAb32PXW9ecKi9ExcPrdr5hR5uNXRMYGumBtoxcE6xEvCM/sPRK1hbyynixc5nfMQ5Ymb4mdCUotUGaCyKDa4pF58sYgP6xpd/HXMXGdRP+KxqA4sfes46gp8UuJT leftfirewall=yes right=PH_IP_MOON rightsubnet=10.1.0.0/16 rightid=@moon.strongswan.org - rightrsasigkey=0sAQN+mkeECF5Bm7XnDkkkfmgny/TZndTkN1XzFZWB7nJroM3cTk3zMtdSPX8hY9GQxVGWSsmUBq7mGA5Qx39JpRNpyzxW7wRcMbwqDquG1PRfblLzV1ixdXOGSLUNaXonqDI/h5fCkqTuZtLbE4q3Pf4PmQAwzWVWaTZQ1gXXqUqKlN6218Hm2vbvNRE/CBHuFMmaCz11jckvaPvcqBLZzRTx9b/Mi+qD6xT7k9RpYHmtaGCJ95ed1bY6SZkapgHWu88/3M6bxCzD0KOA3oFbwlkHkFyaGWFB2+fc7L6BfYq0wr/d84tQdOxEn3BwLTrVKo7+6AxDrMi0I+blD2nd9cxj + rightsigkey=dns:0sAQN+mkeECF5Bm7XnDkkkfmgny/TZndTkN1XzFZWB7nJroM3cTk3zMtdSPX8hY9GQxVGWSsmUBq7mGA5Qx39JpRNpyzxW7wRcMbwqDquG1PRfblLzV1ixdXOGSLUNaXonqDI/h5fCkqTuZtLbE4q3Pf4PmQAwzWVWaTZQ1gXXqUqKlN6218Hm2vbvNRE/CBHuFMmaCz11jckvaPvcqBLZzRTx9b/Mi+qD6xT7k9RpYHmtaGCJ95ed1bY6SZkapgHWu88/3M6bxCzD0KOA3oFbwlkHkFyaGWFB2+fc7L6BfYq0wr/d84tQdOxEn3BwLTrVKo7+6AxDrMi0I+blD2nd9cxj auto=add diff --git a/testing/tests/ikev2/net2net-rsa/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-rsa/hosts/sun/etc/strongswan.conf index 3bc16ccda..e1efec866 100644 --- a/testing/tests/ikev2/net2net-rsa/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-rsa/hosts/sun/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = sha1 sha2 md5 aes des hmac gmp dnskey pem pkcs1 pubkey random curl kernel-netlink socket-default stroke updown + load = sha1 sha2 md5 aes des hmac gmp dnskey pem pkcs1 pubkey random nonce curl kernel-netlink socket-default stroke updown } diff --git a/testing/tests/ikev2/net2net-rsa/posttest.dat b/testing/tests/ikev2/net2net-rsa/posttest.dat index a199946aa..f7fe7dc48 100644 --- a/testing/tests/ikev2/net2net-rsa/posttest.dat +++ b/testing/tests/ikev2/net2net-rsa/posttest.dat @@ -1,6 +1,6 @@ moon::ipsec stop sun::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -sun::/etc/init.d/iptables stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush moon::rm /etc/ipsec.d/private/moonKey.der sun::rm /etc/ipsec.d/private/sunKey.der diff --git a/testing/tests/ikev2/net2net-rsa/pretest.dat b/testing/tests/ikev2/net2net-rsa/pretest.dat index 9e40684ab..0f4ae0f4f 100644 --- a/testing/tests/ikev2/net2net-rsa/pretest.dat +++ b/testing/tests/ikev2/net2net-rsa/pretest.dat @@ -1,5 +1,5 @@ -moon::/etc/init.d/iptables start 2> /dev/null -sun::/etc/init.d/iptables start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +sun::iptables-restore < /etc/iptables.rules moon::rm /etc/ipsec.d/cacerts/* sun::rm /etc/ipsec.d/cacerts/* moon::ipsec start diff --git a/testing/tests/ikev2/net2net-rsa/test.conf b/testing/tests/ikev2/net2net-rsa/test.conf index f74d0f7d6..afa2accbe 100644 --- a/testing/tests/ikev2/net2net-rsa/test.conf +++ b/testing/tests/ikev2/net2net-rsa/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon winnetou sun bob" +VIRTHOSTS="alice moon winnetou sun bob" # Corresponding block diagram # DIAGRAM="a-m-w-s-b.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="sun" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon sun" diff --git a/testing/tests/ikev2/net2net-same-nets/evaltest.dat b/testing/tests/ikev2/net2net-same-nets/evaltest.dat index bf99bb278..3b479cefa 100644 --- a/testing/tests/ikev2/net2net-same-nets/evaltest.dat +++ b/testing/tests/ikev2/net2net-same-nets/evaltest.dat @@ -1,7 +1,9 @@ -moon::ipsec statusall::net-net.*ESTABLISHED::YES -sun::ipsec statusall::net-net.*ESTABLISHED::YES -alice::ping -c 1 10.6.0.10::64 bytes from 10.6.0.10: icmp_seq=1::YES -bob::ping -c 1 10.9.0.10::64 bytes from 10.9.0.10: icmp_seq=1::YES +moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES +sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES +sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES +alice::ping -c 1 10.6.0.10::64 bytes from 10.6.0.10: icmp_req=1::YES +bob:: ping -c 1 10.9.0.10::64 bytes from 10.9.0.10: icmp_req=1::YES sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES bob::tcpdump::IP 10.9.0.10 > bob.strongswan.org: ICMP echo request::YES diff --git a/testing/tests/ikev2/net2net-same-nets/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-same-nets/hosts/moon/etc/ipsec.conf index 8f43a4f6e..077a3ed08 100755..100644 --- a/testing/tests/ikev2/net2net-same-nets/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/net2net-same-nets/hosts/moon/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/net2net-same-nets/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-same-nets/hosts/moon/etc/strongswan.conf index cb17a9e07..8e685c862 100644 --- a/testing/tests/ikev2/net2net-same-nets/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-same-nets/hosts/moon/etc/strongswan.conf @@ -1,6 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown multiple_authentication = no } diff --git a/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/ipsec.conf index 33e1e6656..af85e186a 100755..100644 --- a/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/mark_updown b/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/mark_updown index c64158a2f..bdba3fb05 100755 --- a/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/mark_updown +++ b/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/mark_updown @@ -73,8 +73,12 @@ # just the host, this will be 255.255.255.255. # # PLUTO_MY_SOURCEIP -# if non-empty, then the source address for the route will be -# set to this IP address. +# PLUTO_MY_SOURCEIP4_$i +# PLUTO_MY_SOURCEIP6_$i +# contains IPv4/IPv6 virtual IP received from a responder, +# $i enumerates from 1 to the number of IP per address family. +# PLUTO_MY_SOURCEIP is a legacy variable and equals to the first +# virtual IP, IPv4 or IPv6. # # PLUTO_MY_PROTOCOL # is the IP protocol that will be transported. @@ -128,9 +132,15 @@ # contains the remote UDP port in the case of ESP_IN_UDP # encapsulation # +# PLUTO_DNS4_$i +# PLUTO_DNS6_$i +# contains IPv4/IPv6 DNS server attribute received from a +# responder, $i enumerates from 1 to the number of servers per +# address family. +# # define a minimum PATH environment in case it is not set -PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin" +PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin:/usr/local/sbin" export PATH # check parameter(s) @@ -196,8 +206,8 @@ up-client:) iptables -t nat -A PREROUTING -i $INT_INTERFACE -m mark --mark $PLUTO_MARK_OUT \ -d $OUT_NET -j NETMAP --to $SAME_NET iptables -I FORWARD 1 -o $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_OUT -j ACCEPT - iptables -t nat -A POSTROUTING -o $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_OUT \ - -s $SAME_NET -j NETMAP --to $IN_NET + iptables -t nat -A POSTROUTING -o $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_OUT \ + -s $SAME_NET -j NETMAP --to $IN_NET fi ;; down-client:) @@ -215,7 +225,11 @@ down-client:) if [ -n "$PLUTO_MARK_OUT" ] then iptables -t mangle -D PREROUTING $SET_MARK_OUT + iptables -t nat -D PREROUTING -i $INT_INTERFACE -m mark --mark $PLUTO_MARK_OUT \ + -d $OUT_NET -j NETMAP --to $SAME_NET iptables -D FORWARD -o $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_OUT -j ACCEPT + iptables -t nat -D POSTROUTING -o $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_OUT \ + -s $SAME_NET -j NETMAP --to $IN_NET fi ;; *) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2 diff --git a/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/strongswan.conf index cb17a9e07..8e685c862 100644 --- a/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/strongswan.conf @@ -1,6 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown multiple_authentication = no } diff --git a/testing/tests/ikev2/net2net-same-nets/posttest.dat b/testing/tests/ikev2/net2net-same-nets/posttest.dat index e75e66650..b0225c37e 100644 --- a/testing/tests/ikev2/net2net-same-nets/posttest.dat +++ b/testing/tests/ikev2/net2net-same-nets/posttest.dat @@ -2,6 +2,6 @@ sun::iptables -t mangle -n -v -L PREROUTING sun::iptables -t nat -n -v -L moon::ipsec stop sun::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -sun::/etc/init.d/iptables stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush sun::conntrack -F diff --git a/testing/tests/ikev2/net2net-same-nets/pretest.dat b/testing/tests/ikev2/net2net-same-nets/pretest.dat index 2d7a78acb..c724e5df8 100644 --- a/testing/tests/ikev2/net2net-same-nets/pretest.dat +++ b/testing/tests/ikev2/net2net-same-nets/pretest.dat @@ -1,5 +1,5 @@ -moon::/etc/init.d/iptables start 2> /dev/null -sun::/etc/init.d/iptables start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +sun::iptables-restore < /etc/iptables.rules moon::ipsec start sun::ipsec start moon::sleep 1 diff --git a/testing/tests/ikev2/net2net-same-nets/test.conf b/testing/tests/ikev2/net2net-same-nets/test.conf index 1971a33ab..f46f137b4 100644 --- a/testing/tests/ikev2/net2net-same-nets/test.conf +++ b/testing/tests/ikev2/net2net-same-nets/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon winnetou sun bob" +VIRTHOSTS="alice moon winnetou sun bob" # Corresponding block diagram # DIAGRAM="a-m-w-s-b.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="sun bob" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon sun" diff --git a/testing/tests/ikev2/net2net-start/evaltest.dat b/testing/tests/ikev2/net2net-start/evaltest.dat index 244dec5bf..f003f822f 100644 --- a/testing/tests/ikev2/net2net-start/evaltest.dat +++ b/testing/tests/ikev2/net2net-start/evaltest.dat @@ -1,5 +1,7 @@ -moon::ipsec statusall::net-net.*INSTALLED::YES -sun::ipsec statusall::net-net.*INSTALLED::YES -alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES +moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES +sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES +sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/net2net-start/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-start/hosts/moon/etc/ipsec.conf index 1cc812864..fa611ff09 100755..100644 --- a/testing/tests/ikev2/net2net-start/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/net2net-start/hosts/moon/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/net2net-start/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-start/hosts/moon/etc/strongswan.conf index cb17a9e07..8e685c862 100644 --- a/testing/tests/ikev2/net2net-start/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-start/hosts/moon/etc/strongswan.conf @@ -1,6 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown multiple_authentication = no } diff --git a/testing/tests/ikev2/net2net-start/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-start/hosts/sun/etc/ipsec.conf index 24e5df519..06bfa038b 100755..100644 --- a/testing/tests/ikev2/net2net-start/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ikev2/net2net-start/hosts/sun/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/net2net-start/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-start/hosts/sun/etc/strongswan.conf index cb17a9e07..8e685c862 100644 --- a/testing/tests/ikev2/net2net-start/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-start/hosts/sun/etc/strongswan.conf @@ -1,6 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown multiple_authentication = no } diff --git a/testing/tests/ikev2/net2net-start/posttest.dat b/testing/tests/ikev2/net2net-start/posttest.dat index 5a9150bc8..1f7aa73a1 100644 --- a/testing/tests/ikev2/net2net-start/posttest.dat +++ b/testing/tests/ikev2/net2net-start/posttest.dat @@ -1,4 +1,4 @@ moon::ipsec stop sun::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -sun::/etc/init.d/iptables stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/net2net-start/pretest.dat b/testing/tests/ikev2/net2net-start/pretest.dat index 6e41d5245..9d23c553e 100644 --- a/testing/tests/ikev2/net2net-start/pretest.dat +++ b/testing/tests/ikev2/net2net-start/pretest.dat @@ -1,6 +1,6 @@ -moon::/etc/init.d/iptables start 2> /dev/null -sun::/etc/init.d/iptables start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +sun::iptables-restore < /etc/iptables.rules sun::ipsec start sun::sleep 2 moon::ipsec start -alice::sleep 3 +moon::sleep 3 diff --git a/testing/tests/ikev2/net2net-start/test.conf b/testing/tests/ikev2/net2net-start/test.conf index d9a61590f..646b8b3e6 100644 --- a/testing/tests/ikev2/net2net-start/test.conf +++ b/testing/tests/ikev2/net2net-start/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon winnetou sun bob" +VIRTHOSTS="alice moon winnetou sun bob" # Corresponding block diagram # DIAGRAM="a-m-w-s-b.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="sun" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon sun" diff --git a/testing/tests/ikev2/ocsp-local-cert/evaltest.dat b/testing/tests/ikev2/ocsp-local-cert/evaltest.dat index c08a17943..e931afb7e 100644 --- a/testing/tests/ikev2/ocsp-local-cert/evaltest.dat +++ b/testing/tests/ikev2/ocsp-local-cert/evaltest.dat @@ -1,12 +1,12 @@ -moon::ipsec listocspcerts::altNames.*ocsp.strongswan.org::YES -moon::cat /var/log/daemon.log::requesting ocsp status from::YES -moon::cat /var/log/daemon.log::ocsp response correctly signed by::YES -moon::cat /var/log/daemon.log::ocsp response is valid::YES -moon::cat /var/log/daemon.log::certificate status is good::YES -carol::ipsec listocspcerts::altNames.*ocsp.strongswan.org::YES +moon:: ipsec listocspcerts 2> /dev/null::altNames.*ocsp.strongswan.org::YES +moon:: cat /var/log/daemon.log::requesting ocsp status from::YES +moon:: cat /var/log/daemon.log::ocsp response correctly signed by::YES +moon:: cat /var/log/daemon.log::ocsp response is valid::YES +moon:: cat /var/log/daemon.log::certificate status is good::YES +carol::ipsec listocspcerts 2> /dev/null::altNames.*ocsp.strongswan.org::YES carol::cat /var/log/daemon.log::requesting ocsp status from::YES carol::cat /var/log/daemon.log::ocsp response correctly signed by::YES carol::cat /var/log/daemon.log::ocsp response is valid::YES carol::cat /var/log/daemon.log::certificate status is good::YES -moon::ipsec status::rw.*ESTABLISHED::YES -carol::ipsec status::home.*ESTABLISHED::YES +moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES diff --git a/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/ipsec.conf index e2602f08a..05e27f641 100755..100644 --- a/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/ipsec.conf @@ -1,9 +1,7 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 strictcrlpolicy=yes - plutostart=no ca strongswan cacert=strongswanCert.pem diff --git a/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/strongswan.conf index 88f162098..85d8c191f 100644 --- a/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/ipsec.conf index 119d14a42..e441e661f 100755..100644 --- a/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/ipsec.conf @@ -1,9 +1,7 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 strictcrlpolicy=yes - plutostart=no ca strongswan-ca cacert=strongswanCert.pem diff --git a/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/strongswan.conf index 88f162098..85d8c191f 100644 --- a/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/ocsp-local-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi b/testing/tests/ikev2/ocsp-local-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi index dda793f44..4e2cc2860 100755 --- a/testing/tests/ikev2/ocsp-local-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi +++ b/testing/tests/ikev2/ocsp-local-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi @@ -5,7 +5,7 @@ cd /etc/openssl echo "Content-type: application/ocsp-response" echo "" -/usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \ - -rkey ocspKey-self.pem -rsigner ocspCert-self.pem \ - -resp_no_certs -nmin 5 \ - -reqin /dev/stdin -respout /dev/stdout +cat | /usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \ + -rkey ocspKey-self.pem -rsigner ocspCert-self.pem \ + -resp_no_certs -nmin 5 \ + -reqin /dev/stdin -respout /dev/stdout | cat diff --git a/testing/tests/ikev2/ocsp-local-cert/test.conf b/testing/tests/ikev2/ocsp-local-cert/test.conf index 2b240d895..892f51cd9 100644 --- a/testing/tests/ikev2/ocsp-local-cert/test.conf +++ b/testing/tests/ikev2/ocsp-local-cert/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="moon carol winnetou" +VIRTHOSTS="moon carol winnetou" # Corresponding block diagram # DIAGRAM="m-c-w.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev2/ocsp-multi-level/evaltest.dat b/testing/tests/ikev2/ocsp-multi-level/evaltest.dat index 768de938b..c41a668f0 100644 --- a/testing/tests/ikev2/ocsp-multi-level/evaltest.dat +++ b/testing/tests/ikev2/ocsp-multi-level/evaltest.dat @@ -1,10 +1,10 @@ -moon::ipsec listocspcerts::altNames.*ocsp.*strongswan.org::YES -carol::ipsec listocspcerts::altNames.*ocsp.strongswan.org::YES -dave::ipsec listocspcerts::altNames.*ocsp.strongswan.org::YES -moon::cat /var/log/daemon.log::certificate status is good::YES +moon:: ipsec listocspcerts 2> /dev/null::altNames.*ocsp.*strongswan.org::YES +carol::ipsec listocspcerts 2> /dev/null::altNames.*ocsp.strongswan.org::YES +dave:: ipsec listocspcerts 2> /dev/null::altNames.*ocsp.strongswan.org::YES +moon:: cat /var/log/daemon.log::certificate status is good::YES carol::cat /var/log/daemon.log::certificate status is good::YES -dave::cat /var/log/daemon.log::certificate status is good::YES -moon::ipsec status::ESTABLISHED.*carol::YES -moon::ipsec status::ESTABLISHED.*dave::YES -carol::ipsec status::ESTABLISHED::YES -dave::ipsec status::ESTABLISHED::YES +dave:: cat /var/log/daemon.log::certificate status is good::YES +moon:: ipsec status 2> /dev/null::alice.*ESTABLISHED.*moon.strongswan.org.*CN=carol@strongswan.org::YES +moon:: ipsec status 2> /dev/null::venus.*ESTABLISHED.*moon.strongswan.org.*CN=dave@strongswan.org::YES +carol::ipsec status 2> /dev/null::ESTABLISHED.*CN=carol@strongswan.org.*moon.strongswan.org::YES +dave:: ipsec status 2> /dev/null::ESTABLISHED.*CN=dave@strongswan.org.*moon.strongswan.org::YES diff --git a/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/ipsec.conf index 259997f5c..4d3aa1cc6 100755..100644 --- a/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/ipsec.conf @@ -1,9 +1,7 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 strictcrlpolicy=yes - plutostart=no ca strongswan cacert=strongswanCert.pem diff --git a/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/strongswan.conf index 88f162098..85d8c191f 100644 --- a/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/ipsec.conf index 0763d1734..756d6ec51 100755..100644 --- a/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/ipsec.conf @@ -1,9 +1,7 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 strictcrlpolicy=yes - plutostart=no ca strongswan cacert=strongswanCert.pem diff --git a/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/strongswan.conf index 88f162098..85d8c191f 100644 --- a/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/ipsec.conf index b0e8336e6..630117af9 100755..100644 --- a/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/ipsec.conf @@ -1,9 +1,7 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 strictcrlpolicy=yes - plutostart=no ca strongswan cacert=strongswanCert.pem diff --git a/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/strongswan.conf index 88f162098..85d8c191f 100644 --- a/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/ocsp-multi-level/pretest.dat b/testing/tests/ikev2/ocsp-multi-level/pretest.dat index f15265e32..86dd31e83 100644 --- a/testing/tests/ikev2/ocsp-multi-level/pretest.dat +++ b/testing/tests/ikev2/ocsp-multi-level/pretest.dat @@ -1,4 +1,3 @@ -moon::echo 1 > /proc/sys/net/ipv4/ip_forward carol::ipsec start dave::ipsec start moon::ipsec start diff --git a/testing/tests/ikev2/ocsp-multi-level/test.conf b/testing/tests/ikev2/ocsp-multi-level/test.conf index 08e5cc145..9bb88d79f 100644 --- a/testing/tests/ikev2/ocsp-multi-level/test.conf +++ b/testing/tests/ikev2/ocsp-multi-level/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice venus moon carol winnetou dave" +VIRTHOSTS="alice venus moon carol winnetou dave" # Corresponding block diagram # DIAGRAM="a-v-m-c-w-d.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat b/testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat index a0a045ce8..a2ce5ad93 100644 --- a/testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat +++ b/testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat @@ -1,7 +1,7 @@ -moon::cat /var/log/daemon.log::requesting ocsp status from::YES -moon::cat /var/log/daemon.log::ocsp response verification failed::YES -moon::cat /var/log/daemon.log::certificate status is not available::YES -moon::cat /var/log/daemon.log::constraint check failed: RULE_CRL_VALIDATION is FAILED, but requires at least GOOD::YES -moon::ipsec status::rw.*ESTABLISHED::NO +moon:: cat /var/log/daemon.log::requesting ocsp status from::YES +moon:: cat /var/log/daemon.log::ocsp response verification failed::YES +moon:: cat /var/log/daemon.log::certificate status is not available::YES +moon:: cat /var/log/daemon.log::constraint check failed: RULE_CRL_VALIDATION is FAILED, but requires at least GOOD::YES +moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED::NO carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES -carol::ipsec status::home.*ESTABLISHED::NO +carol::ipsec status 2> /dev/null::home.*ESTABLISHED::NO diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/ipsec.conf index ba9779cb5..05e27f641 100755..100644 --- a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/ipsec.conf @@ -2,7 +2,6 @@ config setup strictcrlpolicy=yes - plutostart=no ca strongswan cacert=strongswanCert.pem diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/strongswan.conf index 88f162098..85d8c191f 100644 --- a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/ipsec.conf index b79c056ab..e441e661f 100755..100644 --- a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/ipsec.conf @@ -2,7 +2,6 @@ config setup strictcrlpolicy=yes - plutostart=no ca strongswan-ca cacert=strongswanCert.pem diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/strongswan.conf index 88f162098..85d8c191f 100644 --- a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi index 74d22b90d..429061376 100755 --- a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi +++ b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi @@ -5,7 +5,7 @@ cd /etc/openssl echo "Content-type: application/ocsp-response" echo "" -/usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \ - -rkey winnetouKey.pem -rsigner winnetouCert.pem \ - -nmin 5 \ - -reqin /dev/stdin -respout /dev/stdout +cat | /usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \ + -rkey winnetouKey.pem -rsigner winnetouCert.pem \ + -nmin 5 \ + -reqin /dev/stdin -respout /dev/stdout | cat diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/test.conf b/testing/tests/ikev2/ocsp-no-signer-cert/test.conf index 2b240d895..892f51cd9 100644 --- a/testing/tests/ikev2/ocsp-no-signer-cert/test.conf +++ b/testing/tests/ikev2/ocsp-no-signer-cert/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="moon carol winnetou" +VIRTHOSTS="moon carol winnetou" # Corresponding block diagram # DIAGRAM="m-c-w.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev2/ocsp-revoked/evaltest.dat b/testing/tests/ikev2/ocsp-revoked/evaltest.dat index 2c3196103..97006c93e 100644 --- a/testing/tests/ikev2/ocsp-revoked/evaltest.dat +++ b/testing/tests/ikev2/ocsp-revoked/evaltest.dat @@ -1,8 +1,8 @@ -moon::cat /var/log/daemon.log::requesting ocsp status from::YES -moon::cat /var/log/daemon.log::ocsp response correctly signed by::YES -moon::cat /var/log/daemon.log::certificate was revoked on::YES -moon::cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with RSA signature failed +moon:: cat /var/log/daemon.log::requesting ocsp status from::YES +moon:: cat /var/log/daemon.log::ocsp response correctly signed by::YES +moon:: cat /var/log/daemon.log::certificate was revoked on::YES +moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with RSA signature failed carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES -moon::ipsec status::rw.*ESTABLISHED::NO -carol::ipsec status::home.*ESTABLISHED::NO +moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED::NO +carol::ipsec status 2> /dev/null::home.*ESTABLISHED::NO diff --git a/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.conf index 0d7cf5928..94eb58621 100755..100644 --- a/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/ipsec.conf @@ -1,9 +1,7 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 strictcrlpolicy=yes - plutostart=no ca strongswan cacert=strongswanCert.pem diff --git a/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/strongswan.conf index 88f162098..85d8c191f 100644 --- a/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/ipsec.conf index 119d14a42..e441e661f 100755..100644 --- a/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/ipsec.conf @@ -1,9 +1,7 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 strictcrlpolicy=yes - plutostart=no ca strongswan-ca cacert=strongswanCert.pem diff --git a/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/strongswan.conf index 88f162098..85d8c191f 100644 --- a/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/ocsp-revoked/test.conf b/testing/tests/ikev2/ocsp-revoked/test.conf index 2b240d895..892f51cd9 100644 --- a/testing/tests/ikev2/ocsp-revoked/test.conf +++ b/testing/tests/ikev2/ocsp-revoked/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="moon carol winnetou" +VIRTHOSTS="moon carol winnetou" # Corresponding block diagram # DIAGRAM="m-c-w.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev2/ocsp-root-cert/evaltest.dat b/testing/tests/ikev2/ocsp-root-cert/evaltest.dat index 5bb322acc..0f852d7b1 100644 --- a/testing/tests/ikev2/ocsp-root-cert/evaltest.dat +++ b/testing/tests/ikev2/ocsp-root-cert/evaltest.dat @@ -1,10 +1,10 @@ -moon::cat /var/log/daemon.log::requesting ocsp status::YES -moon::cat /var/log/daemon.log::ocsp response correctly signed by::YES -moon::cat /var/log/daemon.log::ocsp response is valid::YES -moon::cat /var/log/daemon.log::certificate status is good::YES +moon:: cat /var/log/daemon.log::requesting ocsp status::YES +moon:: cat /var/log/daemon.log::ocsp response correctly signed by::YES +moon:: cat /var/log/daemon.log::ocsp response is valid::YES +moon:: cat /var/log/daemon.log::certificate status is good::YES carol::cat /var/log/daemon.log::requesting ocsp status::YES carol::cat /var/log/daemon.log::ocsp response correctly signed by::YES carol::cat /var/log/daemon.log::ocsp response is valid::YES carol::cat /var/log/daemon.log::certificate status is good::YES -moon::ipsec status::rw.*ESTABLISHED::YES -carol::ipsec status::home.*ESTABLISHED::YES +moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES diff --git a/testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/ipsec.conf index e2602f08a..05e27f641 100755..100644 --- a/testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/ipsec.conf @@ -1,9 +1,7 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 strictcrlpolicy=yes - plutostart=no ca strongswan cacert=strongswanCert.pem diff --git a/testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/strongswan.conf index 88f162098..85d8c191f 100644 --- a/testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/ipsec.conf index 119d14a42..e441e661f 100755..100644 --- a/testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/ipsec.conf @@ -1,9 +1,7 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 strictcrlpolicy=yes - plutostart=no ca strongswan-ca cacert=strongswanCert.pem diff --git a/testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/strongswan.conf index 88f162098..85d8c191f 100644 --- a/testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/ocsp-root-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi b/testing/tests/ikev2/ocsp-root-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi index e998b6ad0..59c356302 100755 --- a/testing/tests/ikev2/ocsp-root-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi +++ b/testing/tests/ikev2/ocsp-root-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi @@ -5,7 +5,7 @@ cd /etc/openssl echo "Content-type: application/ocsp-response" echo "" -/usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \ - -rkey strongswanKey.pem -rsigner strongswanCert.pem \ - -resp_no_certs -nmin 5 \ - -reqin /dev/stdin -respout /dev/stdout +cat | /usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \ + -rkey strongswanKey.pem -rsigner strongswanCert.pem \ + -resp_no_certs -nmin 5 \ + -reqin /dev/stdin -respout /dev/stdout | cat diff --git a/testing/tests/ikev2/ocsp-root-cert/test.conf b/testing/tests/ikev2/ocsp-root-cert/test.conf index 2b240d895..892f51cd9 100644 --- a/testing/tests/ikev2/ocsp-root-cert/test.conf +++ b/testing/tests/ikev2/ocsp-root-cert/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="moon carol winnetou" +VIRTHOSTS="moon carol winnetou" # Corresponding block diagram # DIAGRAM="m-c-w.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev2/ocsp-signer-cert/evaltest.dat b/testing/tests/ikev2/ocsp-signer-cert/evaltest.dat index f8bf0326a..7c7813cff 100644 --- a/testing/tests/ikev2/ocsp-signer-cert/evaltest.dat +++ b/testing/tests/ikev2/ocsp-signer-cert/evaltest.dat @@ -1,12 +1,12 @@ -carol::ipsec listcainfos::ocspuris.*http://ocsp.strongswan.org::YES -moon::cat /var/log/daemon.log::requesting ocsp status::YES -moon::cat /var/log/daemon.log::ocsp response correctly signed by::YES -moon::cat /var/log/daemon.log::ocsp response is valid::YES -moon::cat /var/log/daemon.log::certificate status is good::YES +carol::ipsec listcainfos 2> /dev/null::ocspuris.*http://ocsp.strongswan.org::YES +moon:: cat /var/log/daemon.log::requesting ocsp status::YES +moon:: cat /var/log/daemon.log::ocsp response correctly signed by::YES +moon:: cat /var/log/daemon.log::ocsp response is valid::YES +moon:: cat /var/log/daemon.log::certificate status is good::YES carol::cat /var/log/daemon.log::requesting ocsp status::YES carol::cat /var/log/daemon.log::ocsp response correctly signed by::YES carol::cat /var/log/daemon.log::ocsp response is valid::YES carol::cat /var/log/daemon.log::certificate status is good::YES -moon::ipsec status::rw.*ESTABLISHED::YES -carol::ipsec status::home.*ESTABLISHED::YES +moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES diff --git a/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.conf index 4011a6c17..a1bc9b014 100755..100644 --- a/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.conf @@ -1,9 +1,7 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 strictcrlpolicy=yes - plutostart=no ca strongswan cacert=strongswanCert.pem diff --git a/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/strongswan.conf index 88f162098..85d8c191f 100644 --- a/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/ocsp-signer-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ocsp-signer-cert/hosts/moon/etc/ipsec.conf index ce653cf08..2cec8851c 100755..100644 --- a/testing/tests/ikev2/ocsp-signer-cert/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/ocsp-signer-cert/hosts/moon/etc/ipsec.conf @@ -1,9 +1,7 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 strictcrlpolicy=yes - plutostart=no conn %default keyexchange=ikev2 diff --git a/testing/tests/ikev2/ocsp-signer-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-signer-cert/hosts/moon/etc/strongswan.conf index 88f162098..85d8c191f 100644 --- a/testing/tests/ikev2/ocsp-signer-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/ocsp-signer-cert/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/ocsp-signer-cert/test.conf b/testing/tests/ikev2/ocsp-signer-cert/test.conf index 2b240d895..892f51cd9 100644 --- a/testing/tests/ikev2/ocsp-signer-cert/test.conf +++ b/testing/tests/ikev2/ocsp-signer-cert/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="moon carol winnetou" +VIRTHOSTS="moon carol winnetou" # Corresponding block diagram # DIAGRAM="m-c-w.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat b/testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat index 2e0f059c6..c31e05ef5 100644 --- a/testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat +++ b/testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat @@ -1,8 +1,8 @@ -moon::cat /var/log/daemon.log::authentication of.*carol.*successful::YES -moon::cat /var/log/daemon.log::libcurl http request failed::YES -moon::cat /var/log/daemon.log::certificate status is not available::YES -moon::cat /var/log/daemon.log::constraint check failed: RULE_CRL_VALIDATION is FAILED, but requires at least SKIPPED::YES -moon::ipsec status::ESTABLISHED.*carol::YES -moon::ipsec status::ESTABLISHED.*dave::NO -carol::ipsec status::ESTABLISHED::YES -dave::ipsec status::ESTABLISHED::NO +moon:: cat /var/log/daemon.log::authentication of.*carol.*successful::YES +moon:: cat /var/log/daemon.log::libcurl http request failed::YES +moon:: cat /var/log/daemon.log::certificate status is not available::YES +moon:: cat /var/log/daemon.log::constraint check failed: RULE_CRL_VALIDATION is FAILED, but requires at least SKIPPED::YES +moon:: ipsec status 2> /dev/null::ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +moon:: ipsec status 2> /dev/null::ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::NO +carol::ipsec status 2> /dev/null::ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +dave:: ipsec status 2> /dev/null::ESTABLISHED::NO diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.conf index bce685c53..27af8e7a8 100755..100644 --- a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/ipsec.conf @@ -1,9 +1,7 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 strictcrlpolicy=ifuri - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/strongswan.conf index 88f162098..85d8c191f 100644 --- a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/ipsec.conf index 1ab63e84b..aa07085f4 100755..100644 --- a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/ipsec.conf @@ -1,9 +1,7 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 strictcrlpolicy=ifuri - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/strongswan.conf index 88f162098..85d8c191f 100644 --- a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/ipsec.conf index 401e9b567..02db316d7 100755..100644 --- a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/ipsec.conf @@ -1,9 +1,7 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 strictcrlpolicy=ifuri - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/strongswan.conf index 88f162098..85d8c191f 100644 --- a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/pretest.dat b/testing/tests/ikev2/ocsp-strict-ifuri/pretest.dat index f15265e32..86dd31e83 100644 --- a/testing/tests/ikev2/ocsp-strict-ifuri/pretest.dat +++ b/testing/tests/ikev2/ocsp-strict-ifuri/pretest.dat @@ -1,4 +1,3 @@ -moon::echo 1 > /proc/sys/net/ipv4/ip_forward carol::ipsec start dave::ipsec start moon::ipsec start diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/test.conf b/testing/tests/ikev2/ocsp-strict-ifuri/test.conf index 08e5cc145..9bb88d79f 100644 --- a/testing/tests/ikev2/ocsp-strict-ifuri/test.conf +++ b/testing/tests/ikev2/ocsp-strict-ifuri/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice venus moon carol winnetou dave" +VIRTHOSTS="alice venus moon carol winnetou dave" # Corresponding block diagram # DIAGRAM="a-v-m-c-w-d.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev2/ocsp-timeouts-good/evaltest.dat b/testing/tests/ikev2/ocsp-timeouts-good/evaltest.dat index 777c32699..f50d5e88c 100644 --- a/testing/tests/ikev2/ocsp-timeouts-good/evaltest.dat +++ b/testing/tests/ikev2/ocsp-timeouts-good/evaltest.dat @@ -1,13 +1,12 @@ -moon::cat /var/log/daemon.log::libcurl http request failed::YES -moon::cat /var/log/daemon.log::ocsp request to.*ocsp2.strongswan.org:8880.*failed::YES -moon::cat /var/log/daemon.log::requesting ocsp status from.*ocsp.strongswan.org:8880::YES -moon::cat /var/log/daemon.log::ocsp response is valid::YES -moon::cat /var/log/daemon.log::certificate status is good::YES +moon:: cat /var/log/daemon.log::libcurl http request failed::YES +moon:: cat /var/log/daemon.log::ocsp request to.*ocsp2.strongswan.org:8880.*failed::YES +moon:: cat /var/log/daemon.log::requesting ocsp status from.*ocsp.strongswan.org:8880::YES +moon:: cat /var/log/daemon.log::ocsp response is valid::YES +moon:: cat /var/log/daemon.log::certificate status is good::YES carol::cat /var/log/daemon.log::libcurl http request failed::YES carol::cat /var/log/daemon.log::ocsp request to.*bob.strongswan.org:8800.*failed::YES carol::cat /var/log/daemon.log::requesting ocsp status from.*ocsp.strongswan.org:8880::YES carol::cat /var/log/daemon.log::ocsp response is valid::YES carol::cat /var/log/daemon.log::certificate status is good::YES -moon::ipsec status::rw.*ESTABLISHED::YES -carol::ipsec status::home.*ESTABLISHED::YES - +moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES diff --git a/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.conf index ff312cc6b..816db6e1e 100755..100644 --- a/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.conf @@ -1,9 +1,7 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 strictcrlpolicy=yes - plutostart=no ca strongswan-ca cacert=strongswanCert.pem diff --git a/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/strongswan.conf index 88f162098..85d8c191f 100644 --- a/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/ipsec.conf index 394d94160..f307c12d0 100755..100644 --- a/testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/ipsec.conf @@ -1,9 +1,7 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 strictcrlpolicy=yes - plutostart=no ca strongswan-ca cacert=strongswanCert.pem diff --git a/testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/strongswan.conf index 88f162098..85d8c191f 100644 --- a/testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/ocsp-timeouts-good/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi b/testing/tests/ikev2/ocsp-timeouts-good/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi index 92aa920aa..aa70321d5 100755 --- a/testing/tests/ikev2/ocsp-timeouts-good/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi +++ b/testing/tests/ikev2/ocsp-timeouts-good/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi @@ -6,9 +6,9 @@ echo "Content-type: application/ocsp-response" echo "" # simulate a delayed response -sleep 5 +sleep 5 -/usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \ - -rkey ocspKey.pem -rsigner ocspCert.pem \ - -nmin 5 \ - -reqin /dev/stdin -respout /dev/stdout +cat | /usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \ + -rkey ocspKey.pem -rsigner ocspCert.pem \ + -nmin 5 \ + -reqin /dev/stdin -respout /dev/stdout | cat diff --git a/testing/tests/ikev2/ocsp-timeouts-good/test.conf b/testing/tests/ikev2/ocsp-timeouts-good/test.conf index 2b240d895..892f51cd9 100644 --- a/testing/tests/ikev2/ocsp-timeouts-good/test.conf +++ b/testing/tests/ikev2/ocsp-timeouts-good/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="moon carol winnetou" +VIRTHOSTS="moon carol winnetou" # Corresponding block diagram # DIAGRAM="m-c-w.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev2/ocsp-timeouts-unknown/evaltest.dat b/testing/tests/ikev2/ocsp-timeouts-unknown/evaltest.dat index 1b281507b..7c0a9a5a4 100644 --- a/testing/tests/ikev2/ocsp-timeouts-unknown/evaltest.dat +++ b/testing/tests/ikev2/ocsp-timeouts-unknown/evaltest.dat @@ -1,7 +1,7 @@ -moon::cat /var/log/daemon.log::libcurl http request failed::YES -moon::cat /var/log/daemon.log::certificate status is not available::YES -moon::cat /var/log/daemon.log::constraint check failed::YES +moon:: cat /var/log/daemon.log::libcurl http request failed::YES +moon:: cat /var/log/daemon.log::certificate status is not available::YES +moon:: cat /var/log/daemon.log::constraint check failed::YES carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED::YES -moon::ipsec status::rw.*ESTABLISHED::NO -carol::ipsec status::home.*ESTABLISHED::NO +moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED::NO +carol::ipsec status 2> /dev/null::home.*ESTABLISHED::NO diff --git a/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/ipsec.conf index ef24ea191..459da1467 100755..100644 --- a/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/ipsec.conf @@ -1,9 +1,7 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 strictcrlpolicy=yes - plutostart=no ca strongswan-ca cacert=strongswanCert.pem diff --git a/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/strongswan.conf index 88f162098..85d8c191f 100644 --- a/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/ipsec.conf index fe657b4a6..a464f017a 100755..100644 --- a/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/ipsec.conf @@ -1,9 +1,7 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 strictcrlpolicy=yes - plutostart=no ca strongswan-ca cacert=strongswanCert.pem diff --git a/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/strongswan.conf index 88f162098..85d8c191f 100644 --- a/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/ocsp-timeouts-unknown/test.conf b/testing/tests/ikev2/ocsp-timeouts-unknown/test.conf index 2b240d895..892f51cd9 100644 --- a/testing/tests/ikev2/ocsp-timeouts-unknown/test.conf +++ b/testing/tests/ikev2/ocsp-timeouts-unknown/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="moon carol winnetou" +VIRTHOSTS="moon carol winnetou" # Corresponding block diagram # DIAGRAM="m-c-w.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat b/testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat index 45c6ce7c5..6ba1be6b1 100644 --- a/testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat +++ b/testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat @@ -1,7 +1,7 @@ -moon::cat /var/log/daemon.log::requesting ocsp status from::YES -moon::cat /var/log/daemon.log::self-signed certificate.*is not trusted::YES -moon::cat /var/log/daemon.log::ocsp response verification failed::YES -moon::cat /var/log/daemon.log::certificate status is not available::YES -moon::cat /var/log/daemon.log::constraint check failed: RULE_CRL_VALIDATION is FAILED, but requires at least GOOD::YES -moon::ipsec status::rw.*ESTABLISHED::NO -carol::ipsec status::home.*ESTABLISHED::NO +moon:: cat /var/log/daemon.log::requesting ocsp status from::YES +moon:: cat /var/log/daemon.log::self-signed certificate.*is not trusted::YES +moon:: cat /var/log/daemon.log::ocsp response verification failed::YES +moon:: cat /var/log/daemon.log::certificate status is not available::YES +moon:: cat /var/log/daemon.log::constraint check failed: RULE_CRL_VALIDATION is FAILED, but requires at least GOOD::YES +moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED::NO +carol::ipsec status 2> /dev/null::home.*ESTABLISHED::NO diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/ipsec.conf index ba9779cb5..05e27f641 100755..100644 --- a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/ipsec.conf @@ -2,7 +2,6 @@ config setup strictcrlpolicy=yes - plutostart=no ca strongswan cacert=strongswanCert.pem diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/strongswan.conf index 88f162098..85d8c191f 100644 --- a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/ipsec.conf index b79c056ab..e441e661f 100755..100644 --- a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/ipsec.conf @@ -2,7 +2,6 @@ config setup strictcrlpolicy=yes - plutostart=no ca strongswan-ca cacert=strongswanCert.pem diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/strongswan.conf index 88f162098..85d8c191f 100644 --- a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi index 20c4b2a22..72aa7a6c4 100755 --- a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi +++ b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/winnetou/etc/openssl/ocsp/ocsp.cgi @@ -5,7 +5,7 @@ cd /etc/openssl echo "Content-type: application/ocsp-response" echo "" -/usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \ - -rkey ocspKey-self.pem -rsigner ocspCert-self.pem \ - -nmin 5 \ - -reqin /dev/stdin -respout /dev/stdout +cat | /usr/bin/openssl ocsp -index index.txt -CA strongswanCert.pem \ + -rkey ocspKey-self.pem -rsigner ocspCert-self.pem \ + -nmin 5 \ + -reqin /dev/stdin -respout /dev/stdout | cat diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/test.conf b/testing/tests/ikev2/ocsp-untrusted-cert/test.conf index 2b240d895..892f51cd9 100644 --- a/testing/tests/ikev2/ocsp-untrusted-cert/test.conf +++ b/testing/tests/ikev2/ocsp-untrusted-cert/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="moon carol winnetou" +VIRTHOSTS="moon carol winnetou" # Corresponding block diagram # DIAGRAM="m-c-w.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev2/protoport-dual/evaltest.dat b/testing/tests/ikev2/protoport-dual/evaltest.dat index bd24b911c..cf45f3b52 100644 --- a/testing/tests/ikev2/protoport-dual/evaltest.dat +++ b/testing/tests/ikev2/protoport-dual/evaltest.dat @@ -1,9 +1,9 @@ -carol::ipsec statusall::home-icmp.*INSTALLED::YES -carol::ipsec statusall::home-ssh.*INSTALLED::YES -moon::ipsec statusall::rw-icmp.*INSTALLED::YES -moon::ipsec statusall::rw-ssh.*INSTALLED::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES +carol::ipsec status 2> /dev/null::home-icmp.*INSTALLED, TUNNEL::YES +carol::ipsec status 2> /dev/null::home-ssh.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw-icmp.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw-ssh.*INSTALLED, TUNNEL::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES carol::ssh -o ConnectTimeout=5 PH_IP_ALICE hostname::alice::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/protoport-dual/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/protoport-dual/hosts/carol/etc/ipsec.conf index 51971a13c..e15382bad 100755..100644 --- a/testing/tests/ikev2/protoport-dual/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/protoport-dual/hosts/carol/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/protoport-dual/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/protoport-dual/hosts/carol/etc/strongswan.conf index 339b56987..dc937641c 100644 --- a/testing/tests/ikev2/protoport-dual/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/protoport-dual/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/protoport-dual/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/protoport-dual/hosts/moon/etc/ipsec.conf index 0d7e8db3f..bc131cd71 100755..100644 --- a/testing/tests/ikev2/protoport-dual/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/protoport-dual/hosts/moon/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/protoport-dual/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/protoport-dual/hosts/moon/etc/strongswan.conf index 339b56987..dc937641c 100644 --- a/testing/tests/ikev2/protoport-dual/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/protoport-dual/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/protoport-dual/posttest.dat b/testing/tests/ikev2/protoport-dual/posttest.dat index 94a400606..046d4cfdc 100644 --- a/testing/tests/ikev2/protoport-dual/posttest.dat +++ b/testing/tests/ikev2/protoport-dual/posttest.dat @@ -1,4 +1,4 @@ moon::ipsec stop carol::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/protoport-dual/pretest.dat b/testing/tests/ikev2/protoport-dual/pretest.dat index d3d0061c3..efb2e5712 100644 --- a/testing/tests/ikev2/protoport-dual/pretest.dat +++ b/testing/tests/ikev2/protoport-dual/pretest.dat @@ -1,5 +1,5 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start carol::sleep 2 diff --git a/testing/tests/ikev2/protoport-dual/test.conf b/testing/tests/ikev2/protoport-dual/test.conf index 9cd583b16..4a5fc470f 100644 --- a/testing/tests/ikev2/protoport-dual/test.conf +++ b/testing/tests/ikev2/protoport-dual/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon carol winnetou" +VIRTHOSTS="alice moon carol winnetou" # Corresponding block diagram # DIAGRAM="a-m-c-w.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev2/protoport-route/evaltest.dat b/testing/tests/ikev2/protoport-route/evaltest.dat index 78d062918..75c547995 100644 --- a/testing/tests/ikev2/protoport-route/evaltest.dat +++ b/testing/tests/ikev2/protoport-route/evaltest.dat @@ -1,10 +1,10 @@ -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq::YES -carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req::YES +carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req::YES carol::ssh PH_IP_ALICE hostname::alice::YES carol::cat /var/log/daemon.log::creating acquire job::YES -carol::ipsec statusall::home-icmp.*INSTALLED::YES -carol::ipsec statusall::home-ssh.*INSTALLED::YES -moon::ipsec statusall::rw-icmp.*INSTALLED::YES -moon::ipsec statusall::rw-ssh.*INSTALLED::YES +carol::ipsec status 2> /dev/null::home-icmp.*INSTALLED::YES +carol::ipsec status 2> /dev/null::home-ssh.*INSTALLED::YES +moon:: ipsec status 2> /dev/null::rw-icmp.*INSTALLED::YES +moon:: ipsec status 2> /dev/null::rw-ssh.*INSTALLED::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/protoport-route/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/protoport-route/hosts/carol/etc/ipsec.conf index d76a6ee17..f4d112daf 100755..100644 --- a/testing/tests/ikev2/protoport-route/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/protoport-route/hosts/carol/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/protoport-route/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/protoport-route/hosts/carol/etc/strongswan.conf index 339b56987..dc937641c 100644 --- a/testing/tests/ikev2/protoport-route/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/protoport-route/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/protoport-route/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/protoport-route/hosts/moon/etc/ipsec.conf index 0d7e8db3f..bc131cd71 100755..100644 --- a/testing/tests/ikev2/protoport-route/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/protoport-route/hosts/moon/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/protoport-route/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/protoport-route/hosts/moon/etc/strongswan.conf index 339b56987..dc937641c 100644 --- a/testing/tests/ikev2/protoport-route/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/protoport-route/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/protoport-route/posttest.dat b/testing/tests/ikev2/protoport-route/posttest.dat index 94a400606..046d4cfdc 100644 --- a/testing/tests/ikev2/protoport-route/posttest.dat +++ b/testing/tests/ikev2/protoport-route/posttest.dat @@ -1,4 +1,4 @@ moon::ipsec stop carol::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/protoport-route/pretest.dat b/testing/tests/ikev2/protoport-route/pretest.dat index 0aded0f4d..5a15574d6 100644 --- a/testing/tests/ikev2/protoport-route/pretest.dat +++ b/testing/tests/ikev2/protoport-route/pretest.dat @@ -1,5 +1,5 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start carol::sleep 1 diff --git a/testing/tests/ikev2/protoport-route/test.conf b/testing/tests/ikev2/protoport-route/test.conf index 9cd583b16..4a5fc470f 100644 --- a/testing/tests/ikev2/protoport-route/test.conf +++ b/testing/tests/ikev2/protoport-route/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon carol winnetou" +VIRTHOSTS="alice moon carol winnetou" # Corresponding block diagram # DIAGRAM="a-m-c-w.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev2/reauth-early/evaltest.dat b/testing/tests/ikev2/reauth-early/evaltest.dat index b4cbe2f41..dbc6f8d97 100644 --- a/testing/tests/ikev2/reauth-early/evaltest.dat +++ b/testing/tests/ikev2/reauth-early/evaltest.dat @@ -1,6 +1,6 @@ -moon::ipsec statusall::rw\[2\].*ESTABLISHED::YES -carol::ipsec statusall::home\[2\].*ESTABLISHED::YES +moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +carol::ipsec status 2> /dev/null::home\[2]: ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES carol::cat /var/log/daemon.log::received AUTH_LIFETIME of 30s, scheduling reauthentication in 25s::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/reauth-early/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/reauth-early/hosts/carol/etc/ipsec.conf index 311dc3dc5..2277bcd59 100755..100644 --- a/testing/tests/ikev2/reauth-early/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/reauth-early/hosts/carol/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/reauth-early/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/reauth-early/hosts/carol/etc/strongswan.conf index 339b56987..dc937641c 100644 --- a/testing/tests/ikev2/reauth-early/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/reauth-early/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/reauth-early/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/reauth-early/hosts/moon/etc/ipsec.conf index 64a7aef6d..fb09e74b3 100755..100644 --- a/testing/tests/ikev2/reauth-early/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/reauth-early/hosts/moon/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=30s diff --git a/testing/tests/ikev2/reauth-early/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/reauth-early/hosts/moon/etc/strongswan.conf index 339b56987..dc937641c 100644 --- a/testing/tests/ikev2/reauth-early/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/reauth-early/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/reauth-early/posttest.dat b/testing/tests/ikev2/reauth-early/posttest.dat index 94a400606..046d4cfdc 100644 --- a/testing/tests/ikev2/reauth-early/posttest.dat +++ b/testing/tests/ikev2/reauth-early/posttest.dat @@ -1,4 +1,4 @@ moon::ipsec stop carol::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/reauth-early/pretest.dat b/testing/tests/ikev2/reauth-early/pretest.dat index 7ed2423be..153ea7c43 100644 --- a/testing/tests/ikev2/reauth-early/pretest.dat +++ b/testing/tests/ikev2/reauth-early/pretest.dat @@ -1,5 +1,5 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start carol::sleep 1 diff --git a/testing/tests/ikev2/reauth-early/test.conf b/testing/tests/ikev2/reauth-early/test.conf index 9cd583b16..4a5fc470f 100644 --- a/testing/tests/ikev2/reauth-early/test.conf +++ b/testing/tests/ikev2/reauth-early/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon carol winnetou" +VIRTHOSTS="alice moon carol winnetou" # Corresponding block diagram # DIAGRAM="a-m-c-w.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev2/reauth-late/evaltest.dat b/testing/tests/ikev2/reauth-late/evaltest.dat index c0893df65..205a4d9e7 100644 --- a/testing/tests/ikev2/reauth-late/evaltest.dat +++ b/testing/tests/ikev2/reauth-late/evaltest.dat @@ -1,7 +1,7 @@ -moon::ipsec statusall::rw\[2\].*ESTABLISHED::YES -carol::ipsec statusall::home\[2\].*ESTABLISHED::YES +moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +carol::ipsec status 2> /dev/null::home\[2]: ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES carol::cat /var/log/daemon.log::scheduling reauthentication in 2[0-5]s::YES carol::cat /var/log/daemon.log::received AUTH_LIFETIME of 360[01]s, reauthentication already scheduled in 2[0-5]s::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/reauth-late/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/reauth-late/hosts/carol/etc/ipsec.conf index 32a43efac..9de0dda86 100755..100644 --- a/testing/tests/ikev2/reauth-late/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/reauth-late/hosts/carol/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=30s diff --git a/testing/tests/ikev2/reauth-late/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/reauth-late/hosts/carol/etc/strongswan.conf index 339b56987..dc937641c 100644 --- a/testing/tests/ikev2/reauth-late/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/reauth-late/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/reauth-late/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/reauth-late/hosts/moon/etc/ipsec.conf index cb5e86a66..225e2aab1 100755..100644 --- a/testing/tests/ikev2/reauth-late/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/reauth-late/hosts/moon/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=3601 diff --git a/testing/tests/ikev2/reauth-late/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/reauth-late/hosts/moon/etc/strongswan.conf index 339b56987..dc937641c 100644 --- a/testing/tests/ikev2/reauth-late/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/reauth-late/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/reauth-late/posttest.dat b/testing/tests/ikev2/reauth-late/posttest.dat index 94a400606..046d4cfdc 100644 --- a/testing/tests/ikev2/reauth-late/posttest.dat +++ b/testing/tests/ikev2/reauth-late/posttest.dat @@ -1,4 +1,4 @@ moon::ipsec stop carol::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/reauth-late/pretest.dat b/testing/tests/ikev2/reauth-late/pretest.dat index 7ed2423be..153ea7c43 100644 --- a/testing/tests/ikev2/reauth-late/pretest.dat +++ b/testing/tests/ikev2/reauth-late/pretest.dat @@ -1,5 +1,5 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start carol::sleep 1 diff --git a/testing/tests/ikev2/reauth-late/test.conf b/testing/tests/ikev2/reauth-late/test.conf index 9cd583b16..4a5fc470f 100644 --- a/testing/tests/ikev2/reauth-late/test.conf +++ b/testing/tests/ikev2/reauth-late/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon carol winnetou" +VIRTHOSTS="alice moon carol winnetou" # Corresponding block diagram # DIAGRAM="a-m-c-w.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev2/rw-cert/evaltest.dat b/testing/tests/ikev2/rw-cert/evaltest.dat index 06a0f8cda..ba661975b 100644 --- a/testing/tests/ikev2/rw-cert/evaltest.dat +++ b/testing/tests/ikev2/rw-cert/evaltest.dat @@ -1,8 +1,13 @@ -moon::ipsec statusall::rw.*ESTABLISHED::YES -carol::ipsec statusall::home.*ESTABLISHED::YES -dave::ipsec statusall::home.*ESTABLISHED::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/rw-cert/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-cert/hosts/carol/etc/ipsec.conf index bcdb8641b..dd2ceea60 100755..100644 --- a/testing/tests/ikev2/rw-cert/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-cert/hosts/carol/etc/ipsec.conf @@ -1,15 +1,13 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev2 conn home left=PH_IP_CAROL @@ -19,5 +17,4 @@ conn home right=PH_IP_MOON rightid=@moon.strongswan.org rightsubnet=10.1.0.0/16 - keyexchange=ikev2 auto=add diff --git a/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf index e070f9a27..102801a92 100644 --- a/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown + load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown } libstrongswan { diff --git a/testing/tests/ikev2/rw-cert/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-cert/hosts/dave/etc/ipsec.conf index ea8bc92a7..4c6e11f16 100755..100644 --- a/testing/tests/ikev2/rw-cert/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-cert/hosts/dave/etc/ipsec.conf @@ -1,15 +1,13 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev2 conn home left=PH_IP_DAVE @@ -19,5 +17,4 @@ conn home right=PH_IP_MOON rightid=@moon.strongswan.org rightsubnet=10.1.0.0/16 - keyexchange=ikev2 auto=add diff --git a/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf index e070f9a27..102801a92 100644 --- a/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown + load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown } libstrongswan { diff --git a/testing/tests/ikev2/rw-cert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-cert/hosts/moon/etc/ipsec.conf index 274521386..e67d9af9b 100755..100644 --- a/testing/tests/ikev2/rw-cert/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-cert/hosts/moon/etc/ipsec.conf @@ -1,15 +1,13 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m keylife=20m rekeymargin=3m keyingtries=1 + keyexchange=ikev2 conn rw left=PH_IP_MOON @@ -18,5 +16,4 @@ conn rw leftsubnet=10.1.0.0/16 leftfirewall=yes right=%any - keyexchange=ikev2 auto=add diff --git a/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf index e070f9a27..102801a92 100644 --- a/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown + load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown } libstrongswan { diff --git a/testing/tests/ikev2/rw-cert/posttest.dat b/testing/tests/ikev2/rw-cert/posttest.dat index 7cebd7f25..1865a1c60 100644 --- a/testing/tests/ikev2/rw-cert/posttest.dat +++ b/testing/tests/ikev2/rw-cert/posttest.dat @@ -1,6 +1,6 @@ moon::ipsec stop carol::ipsec stop dave::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null -dave::/etc/init.d/iptables stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/rw-cert/pretest.dat b/testing/tests/ikev2/rw-cert/pretest.dat index 42e9d7c24..8bbea1412 100644 --- a/testing/tests/ikev2/rw-cert/pretest.dat +++ b/testing/tests/ikev2/rw-cert/pretest.dat @@ -1,6 +1,6 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null -dave::/etc/init.d/iptables start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start dave::ipsec start diff --git a/testing/tests/ikev2/rw-cert/test.conf b/testing/tests/ikev2/rw-cert/test.conf index 70416826e..f29298850 100644 --- a/testing/tests/ikev2/rw-cert/test.conf +++ b/testing/tests/ikev2/rw-cert/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon carol winnetou dave" +VIRTHOSTS="alice moon carol winnetou dave" # Corresponding block diagram # DIAGRAM="a-m-c-w-d.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev2/rw-dnssec/description.txt b/testing/tests/ikev2/rw-dnssec/description.txt new file mode 100644 index 000000000..0135f078c --- /dev/null +++ b/testing/tests/ikev2/rw-dnssec/description.txt @@ -0,0 +1,10 @@ +The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>. +The authentication is based on trustworthy public keys stored as <b>IPSECKEY</b> +resource records in the Domain Name System (DNS) and protected by <b>DNSSEC</b>. +</p> +Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKEv2 configuration payload +by using the <b>leftsourceip=%config</b> parameter. <b>leftfirewall=yes</b> automatically +inserts iptables-based firewall rules that let pass the tunneled traffic. In order to test the +tunnels, <b>carol</b> and <b>dave</b> then ping the client <b>alice</b> behind the gateway +<b>moon</b>. The source IP addresses of the two pings will be the virtual IPs <b>carol1</b> +and <b>dave1</b>, respectively. diff --git a/testing/tests/ikev2/rw-dnssec/evaltest.dat b/testing/tests/ikev2/rw-dnssec/evaltest.dat new file mode 100644 index 000000000..49183fb42 --- /dev/null +++ b/testing/tests/ikev2/rw-dnssec/evaltest.dat @@ -0,0 +1,24 @@ +carol::cat /var/log/daemon.log::performing a DNS query for IPSECKEY RRs of.*moon.strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol.strongswan.org.*moon.strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +dave:: cat /var/log/daemon.log::performing a DNS query for IPSECKEY RRs of.*moon.strongswan.org::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave.strongswan.org.*moon.strongswan.org::YES +dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES +dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +moon:: cat /var/log/daemon.log::performing a DNS query for IPSECKEY RRs of.*carol.strongswan.org::YES +moon:: cat /var/log/daemon.log::performing a DNS query for IPSECKEY RRs of.*dave.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES +alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES +alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES +alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES +alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES diff --git a/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/ipsec.conf new file mode 100644 index 000000000..082b18a7f --- /dev/null +++ b/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=%any + leftsourceip=%config + leftid=carol.strongswan.org + leftsigkey="dns:0sAwEAAdBdWU+BF7x4lyo+xHnr4UAOU89yQQuT5vdPoXzx6kRPsjYAuuktgXR+SaLkQHw/YRgDPSKj5nzmmlOQf/rWRr+8O2q+C92aUICmkNvZGamo5w2WlOMZ6T5dk2Hv+QM6xT/GzWyVr1dMYu/7tywD1Bw7aW/HqkRESDu6q95VWu+Lzg6XlxCNEez0YsZrN/fC6BL2qzKAqMBbIHFW8OOnh+nEY4IF5AzkZnFrw12GI72Z882pw97lyKwZhSz/GMQFBJx+rnNdw5P1IJwTlG5PUdoDCte/Mcr1iiA+zOovx55x1GoGxduoXWU5egrf1MtalRf9Pc8Xr4q3WEKTAmsZrVE=" + leftauth=pubkey + leftfirewall=yes + right=moon.strongswan.org + rightid=moon.strongswan.org + rightsubnet=10.1.0.0/16 + rightauth=pubkey + auto=add diff --git a/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/ipsec.d/dnssec.keys b/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/ipsec.d/dnssec.keys new file mode 100644 index 000000000..d059d8476 --- /dev/null +++ b/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/ipsec.d/dnssec.keys @@ -0,0 +1,10 @@ +; This is a key-signing key, keyid 32329, for . +. IN DNSKEY 257 3 8 ( + AwEAAbcskaratFgvgvXl0bNq4I43ZBzd9jYnoPqsIcA0ahqXlUTUa+c2 + XzN2mS7DGcI4Z5Gn+8v/Ih4lQJQrlf9I/c2HjooCAsK1bA5cRS2DiU+b + L6Ge0nLtvNOf4C0MHGLrWcDONg5QoL0OcFvMXuUtOvDkoIMdtfDYDScx + E9vSokc98Sx553/MTxpssXeM9i+OauGqohIZU+MVRdWwvJPieCL7Ma4b + AttgG+KSbQy7x/qXPISoqzwGQvCxsL93fvD/cpp+KziqA0oH+Dfryvc5 + nWdCdra4gYz7WCFFwcY1PW6PbL5ie4jnjl3WWxopuzT46HKROxDhE+FO + O9fOgGnjzAk= + ) diff --git a/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/iptables.rules b/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/iptables.rules new file mode 100644 index 000000000..b2c425289 --- /dev/null +++ b/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/iptables.rules @@ -0,0 +1,28 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow esp +-A INPUT -i eth0 -p 50 -j ACCEPT +-A OUTPUT -o eth0 -p 50 -j ACCEPT + +# allow IKE +-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow DNSSEC fetch from winnetou +-A INPUT -i eth0 -p udp --sport 53 -s PH_IP_WINNETOU -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 53 -d PH_IP_WINNETOU -j ACCEPT + +COMMIT diff --git a/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/resolv.conf b/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/resolv.conf new file mode 100644 index 000000000..73d926def --- /dev/null +++ b/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/resolv.conf @@ -0,0 +1 @@ +nameserver PH_IP_WINNETOU diff --git a/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..825af9dd0 --- /dev/null +++ b/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce dnskey pubkey unbound ipseckey hmac stroke kernel-netlink socket-default updown resolve + + plugins { + ipseckey { + enable = yes + } + } +} diff --git a/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/ipsec.conf new file mode 100644 index 000000000..a68f981d1 --- /dev/null +++ b/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=%any + leftsourceip=%config + leftid=dave.strongswan.org + leftsigkey="dns:0sAwEAAcAH8lNvBVjmg0XT7wF6F1tzQ055f5uXRI5yClmFrqdswFA7jWO04jmvlduD2wr2X4Ng6dlBkSwSEhVkOgrzIYj8UgQT6BZF/44uYjyTYr4bV2SVML9U/a1lYxBhBazpSdfeKJWkdxwjcJCqolZ719mwiyrQn2P2G7qH10YgRuifpFcMs8jkMiIgpzevSMMc0OwhQPNyO5R0LEoUIy4dQJ9rU8GKqmPmk/pdPQaAjpSNuCc1Y9M9vZrETs/XHmBCZXCIWJiz5VOHZ+r073E3Gef9ibMuTj9g2XLvFhdDfU26FK9GkfuOwnWnhVK66diq9xw9Qqynk+8K0J4a81Paq3U=" + leftauth=pubkey + leftfirewall=yes + right=moon.strongswan.org + rightid=moon.strongswan.org + rightsubnet=10.1.0.0/16 + rightauth=pubkey + auto=add diff --git a/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/ipsec.d/dnssec.keys b/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/ipsec.d/dnssec.keys new file mode 100644 index 000000000..d059d8476 --- /dev/null +++ b/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/ipsec.d/dnssec.keys @@ -0,0 +1,10 @@ +; This is a key-signing key, keyid 32329, for . +. IN DNSKEY 257 3 8 ( + AwEAAbcskaratFgvgvXl0bNq4I43ZBzd9jYnoPqsIcA0ahqXlUTUa+c2 + XzN2mS7DGcI4Z5Gn+8v/Ih4lQJQrlf9I/c2HjooCAsK1bA5cRS2DiU+b + L6Ge0nLtvNOf4C0MHGLrWcDONg5QoL0OcFvMXuUtOvDkoIMdtfDYDScx + E9vSokc98Sx553/MTxpssXeM9i+OauGqohIZU+MVRdWwvJPieCL7Ma4b + AttgG+KSbQy7x/qXPISoqzwGQvCxsL93fvD/cpp+KziqA0oH+Dfryvc5 + nWdCdra4gYz7WCFFwcY1PW6PbL5ie4jnjl3WWxopuzT46HKROxDhE+FO + O9fOgGnjzAk= + ) diff --git a/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/iptables.rules b/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/iptables.rules new file mode 100644 index 000000000..b2c425289 --- /dev/null +++ b/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/iptables.rules @@ -0,0 +1,28 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow esp +-A INPUT -i eth0 -p 50 -j ACCEPT +-A OUTPUT -o eth0 -p 50 -j ACCEPT + +# allow IKE +-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow DNSSEC fetch from winnetou +-A INPUT -i eth0 -p udp --sport 53 -s PH_IP_WINNETOU -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 53 -d PH_IP_WINNETOU -j ACCEPT + +COMMIT diff --git a/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/resolv.conf b/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/resolv.conf new file mode 100644 index 000000000..73d926def --- /dev/null +++ b/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/resolv.conf @@ -0,0 +1 @@ +nameserver PH_IP_WINNETOU diff --git a/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..825af9dd0 --- /dev/null +++ b/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce dnskey pubkey unbound ipseckey hmac stroke kernel-netlink socket-default updown resolve + + plugins { + ipseckey { + enable = yes + } + } +} diff --git a/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..74ddc6e01 --- /dev/null +++ b/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/ipsec.conf @@ -0,0 +1,22 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn rw + left=PH_IP_MOON + leftsubnet=10.1.0.0/16 + leftid=moon.strongswan.org + leftauth=pubkey + leftsigkey=moonPub.der + leftfirewall=yes + right=%any + rightauth=pubkey + rightsourceip=10.3.0.0/24 + auto=add diff --git a/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/ipsec.d/certs/moonPub.der b/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/ipsec.d/certs/moonPub.der Binary files differnew file mode 100644 index 000000000..71571044c --- /dev/null +++ b/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/ipsec.d/certs/moonPub.der diff --git a/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/ipsec.d/dnssec.keys b/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/ipsec.d/dnssec.keys new file mode 100644 index 000000000..d059d8476 --- /dev/null +++ b/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/ipsec.d/dnssec.keys @@ -0,0 +1,10 @@ +; This is a key-signing key, keyid 32329, for . +. IN DNSKEY 257 3 8 ( + AwEAAbcskaratFgvgvXl0bNq4I43ZBzd9jYnoPqsIcA0ahqXlUTUa+c2 + XzN2mS7DGcI4Z5Gn+8v/Ih4lQJQrlf9I/c2HjooCAsK1bA5cRS2DiU+b + L6Ge0nLtvNOf4C0MHGLrWcDONg5QoL0OcFvMXuUtOvDkoIMdtfDYDScx + E9vSokc98Sx553/MTxpssXeM9i+OauGqohIZU+MVRdWwvJPieCL7Ma4b + AttgG+KSbQy7x/qXPISoqzwGQvCxsL93fvD/cpp+KziqA0oH+Dfryvc5 + nWdCdra4gYz7WCFFwcY1PW6PbL5ie4jnjl3WWxopuzT46HKROxDhE+FO + O9fOgGnjzAk= + ) diff --git a/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/iptables.rules new file mode 100644 index 000000000..b2c425289 --- /dev/null +++ b/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/iptables.rules @@ -0,0 +1,28 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow esp +-A INPUT -i eth0 -p 50 -j ACCEPT +-A OUTPUT -o eth0 -p 50 -j ACCEPT + +# allow IKE +-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow DNSSEC fetch from winnetou +-A INPUT -i eth0 -p udp --sport 53 -s PH_IP_WINNETOU -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 53 -d PH_IP_WINNETOU -j ACCEPT + +COMMIT diff --git a/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/resolv.conf b/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/resolv.conf new file mode 100644 index 000000000..73d926def --- /dev/null +++ b/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/resolv.conf @@ -0,0 +1 @@ +nameserver PH_IP_WINNETOU diff --git a/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..644ac3d6a --- /dev/null +++ b/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/strongswan.conf @@ -0,0 +1,14 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes des sha1 sha2 md5 pem pkcs1 dnskey pubkey unbound ipseckey gmp random nonce hmac stroke kernel-netlink socket-default updown attr + + dns1 = PH_IP_WINNETOU + dns2 = PH_IP_VENUS + + plugins { + ipseckey { + enable = yes + } + } +} diff --git a/testing/tests/ikev2/rw-dnssec/posttest.dat b/testing/tests/ikev2/rw-dnssec/posttest.dat new file mode 100644 index 000000000..3d55e09f9 --- /dev/null +++ b/testing/tests/ikev2/rw-dnssec/posttest.dat @@ -0,0 +1,12 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush +moon:rm /etc/resolv.conf +carol:rm /etc/resolv.conf +dave:rm /etc/resolv.conf +moon:rm /etc/ipsec.d/dnssec.key +carol:rm /etc/ipsec.d/dnssec.key +dave:rm /etc/ipse.cd/dnssec.key diff --git a/testing/tests/ikev2/rw-dnssec/pretest.dat b/testing/tests/ikev2/rw-dnssec/pretest.dat new file mode 100644 index 000000000..40eaede87 --- /dev/null +++ b/testing/tests/ikev2/rw-dnssec/pretest.dat @@ -0,0 +1,13 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules +moon::rm /etc/ipsec.d/cacerts/* +carol::rm /etc/ipsec.d/cacerts/* +dave::rm /etc/ipsec.d/cacerts/* +carol::ipsec start +dave::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home +dave::ipsec up home +carol::sleep 1 diff --git a/testing/tests/ikev2/rw-dnssec/test.conf b/testing/tests/ikev2/rw-dnssec/test.conf new file mode 100644 index 000000000..164b07ff9 --- /dev/null +++ b/testing/tests/ikev2/rw-dnssec/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon alice" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-aka-id-rsa/evaltest.dat index 661e6cfe7..d59eef513 100644 --- a/testing/tests/ikev2/rw-eap-aka-id-rsa/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-aka-id-rsa/evaltest.dat @@ -1,11 +1,13 @@ carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES carol::cat /var/log/daemon.log::server requested EAP_AKA authentication::YES carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES -moon::cat /var/log/daemon.log::received EAP identity.*carol::YES -moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES -moon::ipsec statusall::rw-eap.*ESTABLISHED::YES -carol::ipsec statusall::home.*ESTABLISHED::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon:: cat /var/log/daemon.log::received EAP identity.*carol::YES +moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES +moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw-eap.*INSTALLED, TUNNEL::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/carol/etc/ipsec.conf index 22bba57a7..f1f761186 100755..100644 --- a/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/carol/etc/ipsec.conf @@ -1,7 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/carol/etc/strongswan.conf index ccf446f79..2f8bf5d9e 100644 --- a/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-aka eap-aka-3gpp2 eap-identity updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-aka eap-aka-3gpp2 eap-identity updown } diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/moon/etc/ipsec.conf index 16171feb3..12431486c 100755..100644 --- a/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/moon/etc/ipsec.conf @@ -1,8 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/moon/etc/strongswan.conf index ccf446f79..2f8bf5d9e 100644 --- a/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-aka eap-aka-3gpp2 eap-identity updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-aka eap-aka-3gpp2 eap-identity updown } diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/posttest.dat b/testing/tests/ikev2/rw-eap-aka-id-rsa/posttest.dat index 94a400606..046d4cfdc 100644 --- a/testing/tests/ikev2/rw-eap-aka-id-rsa/posttest.dat +++ b/testing/tests/ikev2/rw-eap-aka-id-rsa/posttest.dat @@ -1,4 +1,4 @@ moon::ipsec stop carol::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/pretest.dat b/testing/tests/ikev2/rw-eap-aka-id-rsa/pretest.dat index ed5498bfe..388339fb8 100644 --- a/testing/tests/ikev2/rw-eap-aka-id-rsa/pretest.dat +++ b/testing/tests/ikev2/rw-eap-aka-id-rsa/pretest.dat @@ -1,5 +1,5 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start carol::sleep 1 diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/test.conf b/testing/tests/ikev2/rw-eap-aka-id-rsa/test.conf index 2bd21499b..e093d43d8 100644 --- a/testing/tests/ikev2/rw-eap-aka-id-rsa/test.conf +++ b/testing/tests/ikev2/rw-eap-aka-id-rsa/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice carol moon" +VIRTHOSTS="alice carol moon" # Corresponding block diagram # DIAGRAM="a-m-c.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-aka-rsa/evaltest.dat index 3064f02a6..0ea4e21ab 100644 --- a/testing/tests/ikev2/rw-eap-aka-rsa/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-aka-rsa/evaltest.dat @@ -1,10 +1,12 @@ carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES carol::cat /var/log/daemon.log::server requested EAP_AKA authentication::YES carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES -moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES -moon::ipsec statusall::rw-eap-aka.*ESTABLISHED::YES -carol::ipsec statusall::home.*ESTABLISHED::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES +moon:: ipsec status 2> /dev/null::rw-eap-aka.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw-eap-aka.*INSTALLED, TUNNEL::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/ipsec.conf index ba9294f6a..b4825fb82 100755..100644 --- a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/ipsec.conf @@ -1,7 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf index d8c77f5b1..69f9845af 100644 --- a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default fips-prf eap-aka eap-aka-3gpp2 updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default fips-prf eap-aka eap-aka-3gpp2 updown } libstrongswan { diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/ipsec.conf index 3a1fd98d3..cd2e42d9f 100755..100644 --- a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/ipsec.conf @@ -1,8 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf index d8c77f5b1..69f9845af 100644 --- a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default fips-prf eap-aka eap-aka-3gpp2 updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default fips-prf eap-aka eap-aka-3gpp2 updown } libstrongswan { diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/posttest.dat b/testing/tests/ikev2/rw-eap-aka-rsa/posttest.dat index 94a400606..046d4cfdc 100644 --- a/testing/tests/ikev2/rw-eap-aka-rsa/posttest.dat +++ b/testing/tests/ikev2/rw-eap-aka-rsa/posttest.dat @@ -1,4 +1,4 @@ moon::ipsec stop carol::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/pretest.dat b/testing/tests/ikev2/rw-eap-aka-rsa/pretest.dat index ed5498bfe..388339fb8 100644 --- a/testing/tests/ikev2/rw-eap-aka-rsa/pretest.dat +++ b/testing/tests/ikev2/rw-eap-aka-rsa/pretest.dat @@ -1,5 +1,5 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start carol::sleep 1 diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/test.conf b/testing/tests/ikev2/rw-eap-aka-rsa/test.conf index 2bd21499b..e093d43d8 100644 --- a/testing/tests/ikev2/rw-eap-aka-rsa/test.conf +++ b/testing/tests/ikev2/rw-eap-aka-rsa/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice carol moon" +VIRTHOSTS="alice carol moon" # Corresponding block diagram # DIAGRAM="a-m-c.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev2/rw-eap-dynamic/description.txt b/testing/tests/ikev2/rw-eap-dynamic/description.txt new file mode 100644 index 000000000..2bd9aaaac --- /dev/null +++ b/testing/tests/ikev2/rw-eap-dynamic/description.txt @@ -0,0 +1,5 @@ +The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>. +<b>carol</b> uses the default <i>EAP-MD5</i> password-based client authentication +method as proposed by EAP server <b>moon</b> whereas <b>dave</b> requests an <i>EAP-TLS</i> +certificate-based client authentication by sending this proposal in an <i>EAP-NAK</i> message +back to the EAP server. diff --git a/testing/tests/ikev2/rw-eap-dynamic/evaltest.dat b/testing/tests/ikev2/rw-eap-dynamic/evaltest.dat new file mode 100644 index 000000000..6a20b8e8c --- /dev/null +++ b/testing/tests/ikev2/rw-eap-dynamic/evaltest.dat @@ -0,0 +1,23 @@ +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES +carol::cat /var/log/daemon.log::EAP method EAP_MD5 succeeded, no MSK established::YES +dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES +dave:: cat /var/log/daemon.log::requesting EAP_TLS authentication, sending EAP_NAK::YES +dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES +dave:: cat /var/log/daemon.log::EAP method EAP_TLS succeeded, MSK established::YES +moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES +moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES +moon:: ipsec status 2> /dev/null::rw-eap\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw-eap\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw-eap[{]1}.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw-eap[{]2}.*INSTALLED, TUNNEL::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/rw-eap-dynamic/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-dynamic/hosts/carol/etc/ipsec.conf new file mode 100644 index 000000000..b8b628758 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-dynamic/hosts/carol/etc/ipsec.conf @@ -0,0 +1,21 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_CAROL + leftid=carol@strongswan.org + leftauth=eap-md5 + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + rightauth=pubkey + auto=add diff --git a/testing/tests/ikev2/rw-eap-dynamic/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-dynamic/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..74942afda --- /dev/null +++ b/testing/tests/ikev2/rw-eap-dynamic/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +carol@strongswan.org : EAP "Ar3etTnp" diff --git a/testing/tests/ikev2/rw-eap-dynamic/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-dynamic/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..0fd7117dd --- /dev/null +++ b/testing/tests/ikev2/rw-eap-dynamic/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 updown +} diff --git a/testing/tests/ikev2/rw-eap-dynamic/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-dynamic/hosts/dave/etc/ipsec.conf new file mode 100644 index 000000000..981dee3cd --- /dev/null +++ b/testing/tests/ikev2/rw-eap-dynamic/hosts/dave/etc/ipsec.conf @@ -0,0 +1,22 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_DAVE + leftcert=daveCert.pem + leftid=dave@strongswan.org + leftauth=eap-tls + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + rightauth=pubkey + auto=add diff --git a/testing/tests/ikev2/rw-eap-dynamic/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-dynamic/hosts/dave/etc/ipsec.secrets new file mode 100644 index 000000000..0979b9afd --- /dev/null +++ b/testing/tests/ikev2/rw-eap-dynamic/hosts/dave/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA daveKey.pem diff --git a/testing/tests/ikev2/rw-eap-dynamic/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-dynamic/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..5f9eedba1 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-dynamic/hosts/dave/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-tls updown +} diff --git a/testing/tests/ikev2/rw-eap-dynamic/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-dynamic/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..191989e7b --- /dev/null +++ b/testing/tests/ikev2/rw-eap-dynamic/hosts/moon/etc/ipsec.conf @@ -0,0 +1,22 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn rw-eap + left=PH_IP_MOON + leftsubnet=10.1.0.0/16 + leftid=@moon.strongswan.org + leftcert=moonCert.pem + leftauth=pubkey + leftfirewall=yes + rightid=*@strongswan.org + rightauth=eap-dynamic + right=%any + auto=add diff --git a/testing/tests/ikev2/rw-eap-dynamic/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-dynamic/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..c991683b8 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-dynamic/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,5 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA moonKey.pem + +carol@strongswan.org : EAP "Ar3etTnp" diff --git a/testing/tests/ikev2/rw-eap-dynamic/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-dynamic/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..a0682268d --- /dev/null +++ b/testing/tests/ikev2/rw-eap-dynamic/hosts/moon/etc/strongswan.conf @@ -0,0 +1,12 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-mschapv2 eap-md5 eap-tls eap-dynamic updown + + plugins { + eap-dynamic { + prefer_user = yes + preferred = md5, tls + } + } +} diff --git a/testing/tests/ikev2/rw-eap-dynamic/posttest.dat b/testing/tests/ikev2/rw-eap-dynamic/posttest.dat new file mode 100644 index 000000000..b757d8b15 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-dynamic/posttest.dat @@ -0,0 +1,6 @@ +carol::ipsec stop +dave::ipsec stop +moon::ipsec stop +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/rw-eap-dynamic/pretest.dat b/testing/tests/ikev2/rw-eap-dynamic/pretest.dat new file mode 100644 index 000000000..17f1b5f2b --- /dev/null +++ b/testing/tests/ikev2/rw-eap-dynamic/pretest.dat @@ -0,0 +1,10 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules +moon::ipsec start +carol::ipsec start +dave::ipsec start +carol::sleep 1 +carol::ipsec up home +dave::ipsec up home +dave::sleep 1 diff --git a/testing/tests/ikev2/rw-eap-dynamic/test.conf b/testing/tests/ikev2/rw-eap-dynamic/test.conf new file mode 100644 index 000000000..a5525e6aa --- /dev/null +++ b/testing/tests/ikev2/rw-eap-dynamic/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/description.txt b/testing/tests/ikev2/rw-eap-framed-ip-radius/description.txt new file mode 100644 index 000000000..46ffc0611 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/description.txt @@ -0,0 +1,9 @@ +The roadwarriors <b>carol</b> an <b>dave</b> set up a connection to gateway +<b>moon</b>. At the outset the gateway authenticates itself to the client by +sending an IKEv2 <b>RSA signature</b> accompanied by a certificate. +<b>carol</b> and <b>dave</b> then use the <b>EAP-MD5</b> protocol to authenticate +against the gateway <b>moon</b>. +<p/> +The roadwarriors <b>carol</b> and <b>dave</b> request a virtual IP which is +assigned by the RADIUS server <b>alice</b> using the <b>Framed-IP-Address</b> +RADIUS attribute. diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-framed-ip-radius/evaltest.dat new file mode 100644 index 000000000..1460ec8f9 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/evaltest.dat @@ -0,0 +1,26 @@ +carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES +moon ::cat /var/log/daemon.log::received EAP identity .*carol::YES +carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES +carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES +moon ::cat /var/log/daemon.log::authentication of .*PH_IP_CAROL.* with EAP successful::YES +moon ::ipsec status 2> /dev/null::rw-eap\[1]: ESTABLISHED.*moon.strongswan.org.*PH_IP_CAROL::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*PH_IP_CAROL.*moon.strongswan.org::YES +moon ::ipsec status 2> /dev/null::rw-eap[{]1}.*INSTALLED, TUNNEL::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES +dave ::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES +moon ::cat /var/log/daemon.log::received EAP identity .*dave::YES +dave ::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES +dave ::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES +moon ::cat /var/log/daemon.log::authentication of .*PH_IP_DAVE.* with EAP successful::YES +moon ::ipsec status 2> /dev/null::rw-eap\[2]: ESTABLISHED.*moon.strongswan.org.*PH_IP_DAVE::YES +dave ::ipsec status 2> /dev/null::home.*ESTABLISHED.*PH_IP_DAVE.*moon.strongswan.org::YES +moon ::ipsec status 2> /dev/null::rw-eap[{]2}.*INSTALLED, TUNNEL::YES +dave ::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +dave ::cat /var/log/daemon.log::installing new virtual IP 10.3.0.2::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/eap.conf index 623f42904..623f42904 100644 --- a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/eap.conf +++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/eap.conf diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/proxy.conf index 783587b55..783587b55 100644 --- a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/proxy.conf +++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/proxy.conf diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/sites-available/default index 2de32a6f2..a67a5dcb4 100644 --- a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/sites-available/default +++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/sites-available/default @@ -40,4 +40,3 @@ pre-proxy { post-proxy { eap } - diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/users b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/users new file mode 100644 index 000000000..ba92f0080 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/users @@ -0,0 +1,4 @@ +carol Cleartext-Password := "Ar3etTnp" + Framed-IP-Address = 10.3.0.1 +dave Cleartext-Password := "W7R0g3do" + Framed-IP-Address = 10.3.0.2 diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/carol/etc/ipsec.conf new file mode 100644 index 000000000..ed908db4d --- /dev/null +++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/carol/etc/ipsec.conf @@ -0,0 +1,22 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=%any + leftauth=eap + leftfirewall=yes + leftsourceip=%config + eap_identity=carol + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightauth=pubkey + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..23d79cf2e --- /dev/null +++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +carol : EAP "Ar3etTnp" diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..b1b418060 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 eap-identity updown +} diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/dave/etc/ipsec.conf new file mode 100644 index 000000000..97aa8bbff --- /dev/null +++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/dave/etc/ipsec.conf @@ -0,0 +1,22 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=%any + leftauth=eap + leftfirewall=yes + leftsourceip=%config + eap_identity=dave + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightauth=pubkey + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/dave/etc/ipsec.secrets new file mode 100644 index 000000000..02e0c9963 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/dave/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +dave : EAP "W7R0g3do" diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..b1b418060 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/dave/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 eap-identity updown +} diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..a3299393a --- /dev/null +++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/moon/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn rw-eap + left=PH_IP_MOON + leftid=@moon.strongswan.org + leftcert=moonCert.pem + leftauth=pubkey + leftsubnet=10.1.0.0/16 + leftfirewall=yes + rightsendcert=never + rightauth=eap-radius + rightsourceip=%radius + eap_identity=%any + right=%any + auto=add diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..e86d6aa5c --- /dev/null +++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA moonKey.pem diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/moon/etc/iptables.rules new file mode 100644 index 000000000..1eb755354 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/moon/etc/iptables.rules @@ -0,0 +1,32 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow esp +-A INPUT -i eth0 -p 50 -j ACCEPT +-A OUTPUT -o eth0 -p 50 -j ACCEPT + +# allow IKE +-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow crl fetch from winnetou +-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT +-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + +# allow RADIUS protocol with alice +-A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT +-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT + +COMMIT diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..4297a3056 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/moon/etc/strongswan.conf @@ -0,0 +1,12 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius eap-identity updown + plugins { + eap-radius { + class_group = yes + secret = gv6URkSs + server = PH_IP_ALICE + } + } +} diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/posttest.dat b/testing/tests/ikev2/rw-eap-framed-ip-radius/posttest.dat new file mode 100644 index 000000000..670d2e72f --- /dev/null +++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/posttest.dat @@ -0,0 +1,7 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +alice::killall radiusd +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/pretest.dat b/testing/tests/ikev2/rw-eap-framed-ip-radius/pretest.dat new file mode 100644 index 000000000..698a719f7 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/pretest.dat @@ -0,0 +1,11 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules +alice::radiusd +moon::ipsec start +carol::ipsec start +dave::ipsec start +carol::sleep 1 +carol::ipsec up home +dave::ipsec up home +dave::sleep 1 diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/test.conf b/testing/tests/ikev2/rw-eap-framed-ip-radius/test.conf new file mode 100644 index 000000000..5dfb41723 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/test.conf @@ -0,0 +1,26 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice venus moon carol winnetou moon" + +# Corresponding block diagram +# +DIAGRAM="a-v-m-c-w-d.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" + +# Guest instances on which FreeRadius is started +# +RADIUSHOSTS="alice" + diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/description.txt b/testing/tests/ikev2/rw-eap-md5-class-radius/description.txt new file mode 100644 index 000000000..6860700db --- /dev/null +++ b/testing/tests/ikev2/rw-eap-md5-class-radius/description.txt @@ -0,0 +1,9 @@ +The roadwarriors <b>carol</b> an <b>dave</b> set up a connection to gateway +<b>moon</b>. At the outset the gateway authenticates itself to the client by +sending an IKEv2 <b>RSA signature</b> accompanied by a certificate. +<b>carol</b> and <b>dave</b> then use the <b>EAP-MD5</b> protocol to authenticate +against the gateway <b>moon</b>. The user credentials of <b>carol</b> +and <b>dave</b> are kept both on the local clients and the RADIUS server <b>alice</b>. +<b>carol</b> possesses the RADIUS class attribute <b>Research</b> and therefore obtains +access to the <b>research</b> subnet behind gateway <b>moon</b> whereas <b>dave</b> +belongs to the class <b>Accounting</b> and has access to the <b>acccess</b> subnet. diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-md5-class-radius/evaltest.dat new file mode 100644 index 000000000..aa6d4291b --- /dev/null +++ b/testing/tests/ikev2/rw-eap-md5-class-radius/evaltest.dat @@ -0,0 +1,26 @@ +carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES +moon ::cat /var/log/daemon.log::received EAP identity .*carol::YES +carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES +carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES +moon ::cat /var/log/daemon.log::authentication of .*PH_IP_CAROL.* with EAP successful::YES +moon ::ipsec status 2> /dev/null::research.*ESTABLISHED.*moon.strongswan.org.*PH_IP_CAROL::YES +carol::ipsec status 2> /dev/null::alice.*ESTABLISHED.*PH_IP_CAROL.*moon.strongswan.org::YES +moon ::ipsec status 2> /dev/null::research.*INSTALLED, TUNNEL::YES +carol::ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::YES +carol::ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::NO +dave ::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES +moon ::cat /var/log/daemon.log::received EAP identity .*dave::YES +dave ::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES +dave ::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES +moon ::cat /var/log/daemon.log::authentication of .*PH_IP_DAVE.* with EAP successful::YES +moon ::ipsec status 2> /dev/null::accounting.*ESTABLISHED.*moon.strongswan.org.*PH_IP_DAVE::YES +dave ::ipsec status 2> /dev/null::alice.*ESTABLISHED.*PH_IP_DAVE.*moon.strongswan.org::YES +moon ::ipsec status 2> /dev/null::accounting.*INSTALLED, TUNNEL::YES +dave ::ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::NO +dave ::ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/eap.conf index 623f42904..623f42904 100644 --- a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/eap.conf +++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/eap.conf diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/proxy.conf index 783587b55..783587b55 100644 --- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/proxy.conf +++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/proxy.conf diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/sites-available/default index 2de32a6f2..a67a5dcb4 100644 --- a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/sites-available/default +++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/sites-available/default @@ -40,4 +40,3 @@ pre-proxy { post-proxy { eap } - diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/users b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/users new file mode 100644 index 000000000..62d459115 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/alice/etc/freeradius/users @@ -0,0 +1,4 @@ +carol Cleartext-Password := "Ar3etTnp" + Class = "Research" +dave Cleartext-Password := "W7R0g3do" + Class = "Accounting" diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/carol/etc/ipsec.conf new file mode 100644 index 000000000..53e2be638 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/carol/etc/ipsec.conf @@ -0,0 +1,29 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn alice + rightsubnet=10.1.0.10/32 + also=home + auto=add + +conn venus + rightsubnet=10.1.0.20/32 + also=home + auto=add + +conn home + left=%any + leftauth=eap + leftfirewall=yes + eap_identity=carol + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightauth=pubkey diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..23d79cf2e --- /dev/null +++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +carol : EAP "Ar3etTnp" diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..b1b418060 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 eap-identity updown +} diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/dave/etc/ipsec.conf new file mode 100644 index 000000000..9428f323a --- /dev/null +++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/dave/etc/ipsec.conf @@ -0,0 +1,29 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn alice + rightsubnet=10.1.0.10/32 + also=home + auto=add + +conn venus + rightsubnet=10.1.0.20/32 + also=home + auto=add + +conn home + left=%any + leftauth=eap + leftfirewall=yes + eap_identity=dave + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightauth=pubkey diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/dave/etc/ipsec.secrets new file mode 100644 index 000000000..02e0c9963 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/dave/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +dave : EAP "W7R0g3do" diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..b1b418060 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/dave/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 eap-identity updown +} diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..9dcbcca75 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/ipsec.conf @@ -0,0 +1,33 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn research + rightgroups=Research + leftsubnet=10.1.0.0/28 + also=rw-eap + auto=add + +conn accounting + rightgroups=Accounting + leftsubnet=10.1.0.16/28 + also=rw-eap + auto=add + +conn rw-eap + left=PH_IP_MOON + leftid=@moon.strongswan.org + leftcert=moonCert.pem + leftauth=pubkey + leftfirewall=yes + rightsendcert=never + rightauth=eap-radius + eap_identity=%any + right=%any diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..e86d6aa5c --- /dev/null +++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA moonKey.pem diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/iptables.rules new file mode 100644 index 000000000..1eb755354 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/iptables.rules @@ -0,0 +1,32 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow esp +-A INPUT -i eth0 -p 50 -j ACCEPT +-A OUTPUT -o eth0 -p 50 -j ACCEPT + +# allow IKE +-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow crl fetch from winnetou +-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT +-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + +# allow RADIUS protocol with alice +-A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT +-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT + +COMMIT diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..4297a3056 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/strongswan.conf @@ -0,0 +1,12 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius eap-identity updown + plugins { + eap-radius { + class_group = yes + secret = gv6URkSs + server = PH_IP_ALICE + } + } +} diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/posttest.dat b/testing/tests/ikev2/rw-eap-md5-class-radius/posttest.dat new file mode 100644 index 000000000..670d2e72f --- /dev/null +++ b/testing/tests/ikev2/rw-eap-md5-class-radius/posttest.dat @@ -0,0 +1,7 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +alice::killall radiusd +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/pretest.dat b/testing/tests/ikev2/rw-eap-md5-class-radius/pretest.dat new file mode 100644 index 000000000..a2704e833 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-md5-class-radius/pretest.dat @@ -0,0 +1,13 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules +alice::radiusd +moon::ipsec start +carol::ipsec start +dave::ipsec start +carol::sleep 1 +carol::ipsec up alice +carol::ipsec up venus +dave::ipsec up alice +dave::ipsec up venus +dave::sleep 1 diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/test.conf b/testing/tests/ikev2/rw-eap-md5-class-radius/test.conf new file mode 100644 index 000000000..5dfb41723 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-md5-class-radius/test.conf @@ -0,0 +1,26 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice venus moon carol winnetou moon" + +# Corresponding block diagram +# +DIAGRAM="a-v-m-c-w-d.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" + +# Guest instances on which FreeRadius is started +# +RADIUSHOSTS="alice" + diff --git a/testing/tests/ikev2/rw-eap-md5-id-prompt/evaltest.dat b/testing/tests/ikev2/rw-eap-md5-id-prompt/evaltest.dat index 3f828141c..42d2c319e 100644 --- a/testing/tests/ikev2/rw-eap-md5-id-prompt/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-md5-id-prompt/evaltest.dat @@ -2,11 +2,13 @@ carol::cat /var/log/daemon.log::configured EAP-Identity carol::YES carol::cat /var/log/daemon.log::added EAP secret for carol moon.strongswan.org::YES carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES -moon::cat /var/log/daemon.log::authentication of '192.168.0.100' with EAP successful::YES -moon::cat /var/log/daemon.log::received EAP identity.*carol::YES -moon::ipsec statusall::rw-eap.*ESTABLISHED::YES -carol::ipsec statusall::home.*ESTABLISHED::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon:: cat /var/log/daemon.log::authentication of 'PH_IP_CAROL' with EAP successful::YES +moon:: cat /var/log/daemon.log::received EAP identity.*carol::YES +moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*\[PH_IP_CAROL]::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*\[PH_IP_CAROL].*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw-eap.*INSTALLED, TUNNEL::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/carol/etc/ipsec.conf index 7859ee9cc..176c1af2e 100755..100644 --- a/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/carol/etc/ipsec.conf @@ -1,7 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/carol/etc/strongswan.conf index fe067d344..b1b418060 100644 --- a/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 eap-identity updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 eap-identity updown } diff --git a/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/moon/etc/ipsec.conf index c132b9ab8..ea4185355 100755..100644 --- a/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/moon/etc/ipsec.conf @@ -1,8 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/moon/etc/strongswan.conf index fe067d344..b1b418060 100644 --- a/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 eap-identity updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 eap-identity updown } diff --git a/testing/tests/ikev2/rw-eap-md5-id-prompt/posttest.dat b/testing/tests/ikev2/rw-eap-md5-id-prompt/posttest.dat index 94a400606..046d4cfdc 100644 --- a/testing/tests/ikev2/rw-eap-md5-id-prompt/posttest.dat +++ b/testing/tests/ikev2/rw-eap-md5-id-prompt/posttest.dat @@ -1,4 +1,4 @@ moon::ipsec stop carol::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/rw-eap-md5-id-prompt/pretest.dat b/testing/tests/ikev2/rw-eap-md5-id-prompt/pretest.dat index 9c301f484..180537f5f 100644 --- a/testing/tests/ikev2/rw-eap-md5-id-prompt/pretest.dat +++ b/testing/tests/ikev2/rw-eap-md5-id-prompt/pretest.dat @@ -1,5 +1,5 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start carol::sleep 1 diff --git a/testing/tests/ikev2/rw-eap-md5-id-prompt/test.conf b/testing/tests/ikev2/rw-eap-md5-id-prompt/test.conf index 2bd21499b..e093d43d8 100644 --- a/testing/tests/ikev2/rw-eap-md5-id-prompt/test.conf +++ b/testing/tests/ikev2/rw-eap-md5-id-prompt/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice carol moon" +VIRTHOSTS="alice carol moon" # Corresponding block diagram # DIAGRAM="a-m-c.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-md5-id-radius/evaltest.dat index 2ee440cdb..8f813395a 100644 --- a/testing/tests/ikev2/rw-eap-md5-id-radius/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-md5-id-radius/evaltest.dat @@ -1,11 +1,13 @@ carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES -moon::cat /var/log/daemon.log::received EAP identity .*carol::YES +moon:: cat /var/log/daemon.log::received EAP identity .*carol::YES carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES -moon::cat /var/log/daemon.log::authentication of .*carol@strongswan.org.* with EAP successful::YES -moon::ipsec statusall::rw-eap.*ESTABLISHED::YES -carol::ipsec statusall::home.*ESTABLISHED::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon:: cat /var/log/daemon.log::authentication of .*carol@strongswan.org.* with EAP successful::YES +moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw-eap.*INSTALLED, TUNNEL::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/eap.conf index 623f42904..623f42904 100644 --- a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/eap.conf +++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/eap.conf diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/proxy.conf index 783587b55..783587b55 100644 --- a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/proxy.conf +++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/proxy.conf diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/sites-available/default new file mode 100644 index 000000000..a67a5dcb4 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/sites-available/default @@ -0,0 +1,42 @@ +authorize { + eap { + ok = return + } + files +} + +authenticate { + eap +} + +preacct { + preprocess + acct_unique + suffix + files +} + +accounting { + detail + unix + radutmp + attr_filter.accounting_response +} + +session { + radutmp +} + +post-auth { + exec + Post-Auth-Type REJECT { + attr_filter.access_reject + } +} + +pre-proxy { +} + +post-proxy { + eap +} diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/users b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/users index 247b918e3..247b918e3 100644 --- a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/users +++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/freeradius/users diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/clients.conf deleted file mode 100644 index f4e179aa4..000000000 --- a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/clients.conf +++ /dev/null @@ -1,4 +0,0 @@ -client PH_IP_MOON1 { - secret = gv6URkSs - shortname = moon -} diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/radiusd.conf deleted file mode 100644 index 1143a0473..000000000 --- a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/alice/etc/raddb/radiusd.conf +++ /dev/null @@ -1,120 +0,0 @@ -# radiusd.conf -- FreeRADIUS server configuration file. - -prefix = /usr -exec_prefix = ${prefix} -sysconfdir = /etc -localstatedir = /var -sbindir = ${exec_prefix}/sbin -logdir = ${localstatedir}/log/radius -raddbdir = ${sysconfdir}/raddb -radacctdir = ${logdir}/radacct - -# name of the running server. See also the "-n" command-line option. -name = radiusd - -# Location of config and logfiles. -confdir = ${raddbdir} -run_dir = ${localstatedir}/run/radiusd - -# Should likely be ${localstatedir}/lib/radiusd -db_dir = ${raddbdir} - -# libdir: Where to find the rlm_* modules. -libdir = ${exec_prefix}/lib - -# pidfile: Where to place the PID of the RADIUS server. -pidfile = ${run_dir}/${name}.pid - -# max_request_time: The maximum time (in seconds) to handle a request. -max_request_time = 30 - -# cleanup_delay: The time to wait (in seconds) before cleaning up -cleanup_delay = 5 - -# max_requests: The maximum number of requests which the server keeps -max_requests = 1024 - -# listen: Make the server listen on a particular IP address, and send -listen { - type = auth - ipaddr = PH_IP_ALICE - port = 0 -} - -# This second "listen" section is for listening on the accounting -# port, too. -# -listen { - type = acct - ipaddr = PH_IP_ALICE - port = 0 -} - -# hostname_lookups: Log the names of clients or just their IP addresses -hostname_lookups = no - -# Core dumps are a bad thing. This should only be set to 'yes' -allow_core_dumps = no - -# Regular expressions -regular_expressions = yes -extended_expressions = yes - -# Logging section. The various "log_*" configuration items -log { - destination = files - file = ${logdir}/radius.log - syslog_facility = daemon - stripped_names = no - auth = yes - auth_badpass = yes - auth_goodpass = yes -} - -# The program to execute to do concurrency checks. -checkrad = ${sbindir}/checkrad - -# Security considerations -security { - max_attributes = 200 - reject_delay = 1 - status_server = yes -} - -# PROXY CONFIGURATION -proxy_requests = yes -$INCLUDE proxy.conf - -# CLIENTS CONFIGURATION -$INCLUDE clients.conf - -# THREAD POOL CONFIGURATION -thread pool { - start_servers = 5 - max_servers = 32 - min_spare_servers = 3 - max_spare_servers = 10 - max_requests_per_server = 0 -} - -# MODULE CONFIGURATION -modules { - $INCLUDE ${confdir}/modules/ - $INCLUDE eap.conf - $INCLUDE sql.conf - $INCLUDE sql/mysql/counter.conf -} - -# Instantiation -instantiate { - exec - expr - expiration - logintime -} - -# Policies -$INCLUDE policy.conf - -# Include all enabled virtual hosts -$INCLUDE sites-enabled/ diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/ipsec.conf index 5f779d1af..881971e80 100755..100644 --- a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/ipsec.conf @@ -1,7 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/strongswan.conf index fe067d344..b1b418060 100644 --- a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 eap-identity updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 eap-identity updown } diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/init.d/iptables deleted file mode 100755 index 56587b2e8..000000000 --- a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/init.d/iptables +++ /dev/null @@ -1,84 +0,0 @@ -#!/sbin/runscript -# Copyright 1999-2004 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 - -opts="start stop reload" - -depend() { - before net - need logger -} - -start() { - ebegin "Starting firewall" - - # enable IP forwarding - echo 1 > /proc/sys/net/ipv4/ip_forward - - # default policy is DROP - /sbin/iptables -P INPUT DROP - /sbin/iptables -P OUTPUT DROP - /sbin/iptables -P FORWARD DROP - - # allow esp - iptables -A INPUT -i eth0 -p 50 -j ACCEPT - iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT - - # allow IKE - iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT - - # allow MobIKE - iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT - - # allow crl fetch from winnetou - iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT - iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT - - # allow RADIUS protocol with alice - iptables -A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT - iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT - - # allow ssh - iptables -A INPUT -p tcp --dport 22 -j ACCEPT - iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT - - eend $? -} - -stop() { - ebegin "Stopping firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - - if [ $a == nat ]; then - /sbin/iptables -t nat -P PREROUTING ACCEPT - /sbin/iptables -t nat -P POSTROUTING ACCEPT - /sbin/iptables -t nat -P OUTPUT ACCEPT - elif [ $a == mangle ]; then - /sbin/iptables -t mangle -P PREROUTING ACCEPT - /sbin/iptables -t mangle -P INPUT ACCEPT - /sbin/iptables -t mangle -P FORWARD ACCEPT - /sbin/iptables -t mangle -P OUTPUT ACCEPT - /sbin/iptables -t mangle -P POSTROUTING ACCEPT - elif [ $a == filter ]; then - /sbin/iptables -t filter -P INPUT ACCEPT - /sbin/iptables -t filter -P FORWARD ACCEPT - /sbin/iptables -t filter -P OUTPUT ACCEPT - fi - done - eend $? -} - -reload() { - ebegin "Flushing firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - done; - eend $? - start -} - diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/ipsec.conf index 11ff84400..8ce1721f5 100755..100644 --- a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/ipsec.conf @@ -1,8 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/iptables.rules new file mode 100644 index 000000000..1eb755354 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/iptables.rules @@ -0,0 +1,32 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow esp +-A INPUT -i eth0 -p 50 -j ACCEPT +-A OUTPUT -o eth0 -p 50 -j ACCEPT + +# allow IKE +-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow crl fetch from winnetou +-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT +-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + +# allow RADIUS protocol with alice +-A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT +-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT + +COMMIT diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/strongswan.conf index 2a18af887..aba7eefdf 100644 --- a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius eap-identity updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius eap-identity updown plugins { eap-radius { secret = gv6URkSs diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/posttest.dat b/testing/tests/ikev2/rw-eap-md5-id-radius/posttest.dat index 920d6a20d..181949fb5 100644 --- a/testing/tests/ikev2/rw-eap-md5-id-radius/posttest.dat +++ b/testing/tests/ikev2/rw-eap-md5-id-radius/posttest.dat @@ -1,5 +1,5 @@ moon::ipsec stop carol::ipsec stop -alice::/etc/init.d/radiusd stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null +alice::killall radiusd +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/pretest.dat b/testing/tests/ikev2/rw-eap-md5-id-radius/pretest.dat index 280d62e3c..9adc43d3e 100644 --- a/testing/tests/ikev2/rw-eap-md5-id-radius/pretest.dat +++ b/testing/tests/ikev2/rw-eap-md5-id-radius/pretest.dat @@ -1,6 +1,6 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null -alice::/etc/init.d/radiusd start +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +alice::radiusd moon::ipsec start carol::ipsec start carol::sleep 1 diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/test.conf b/testing/tests/ikev2/rw-eap-md5-id-radius/test.conf index e0d77b583..eb1e15dd2 100644 --- a/testing/tests/ikev2/rw-eap-md5-id-radius/test.conf +++ b/testing/tests/ikev2/rw-eap-md5-id-radius/test.conf @@ -1,26 +1,26 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice carol moon" +VIRTHOSTS="alice carol moon" # Corresponding block diagram # DIAGRAM="a-m-c.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol" -# UML instances on which FreeRadius is started +# Guest instances on which FreeRadius is started # RADIUSHOSTS="alice" diff --git a/testing/tests/ikev2/rw-eap-md5-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-md5-radius/evaltest.dat index 5e8dce9cf..a8019b3e7 100644 --- a/testing/tests/ikev2/rw-eap-md5-radius/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-md5-radius/evaltest.dat @@ -1,11 +1,11 @@ carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES -moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES -moon::ipsec statusall::rw-eap.*ESTABLISHED::YES -carol::ipsec statusall::home.*ESTABLISHED::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES +moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw-eap.*INSTALLED, TUNNEL::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES - - diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/eap.conf new file mode 100644 index 000000000..623f42904 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/eap.conf @@ -0,0 +1,5 @@ +eap { + default_eap_type = md5 + md5 { + } +} diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/proxy.conf index 23cba8d11..23cba8d11 100644 --- a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/proxy.conf +++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/proxy.conf diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/sites-available/default index 802fcfd8d..dd0825858 100644 --- a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/sites-available/default +++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/sites-available/default @@ -41,4 +41,3 @@ pre-proxy { post-proxy { eap } - diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/users b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/users index 247b918e3..247b918e3 100644 --- a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/users +++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/freeradius/users diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/clients.conf deleted file mode 100644 index f4e179aa4..000000000 --- a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/clients.conf +++ /dev/null @@ -1,4 +0,0 @@ -client PH_IP_MOON1 { - secret = gv6URkSs - shortname = moon -} diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/radiusd.conf deleted file mode 100644 index 1143a0473..000000000 --- a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/radiusd.conf +++ /dev/null @@ -1,120 +0,0 @@ -# radiusd.conf -- FreeRADIUS server configuration file. - -prefix = /usr -exec_prefix = ${prefix} -sysconfdir = /etc -localstatedir = /var -sbindir = ${exec_prefix}/sbin -logdir = ${localstatedir}/log/radius -raddbdir = ${sysconfdir}/raddb -radacctdir = ${logdir}/radacct - -# name of the running server. See also the "-n" command-line option. -name = radiusd - -# Location of config and logfiles. -confdir = ${raddbdir} -run_dir = ${localstatedir}/run/radiusd - -# Should likely be ${localstatedir}/lib/radiusd -db_dir = ${raddbdir} - -# libdir: Where to find the rlm_* modules. -libdir = ${exec_prefix}/lib - -# pidfile: Where to place the PID of the RADIUS server. -pidfile = ${run_dir}/${name}.pid - -# max_request_time: The maximum time (in seconds) to handle a request. -max_request_time = 30 - -# cleanup_delay: The time to wait (in seconds) before cleaning up -cleanup_delay = 5 - -# max_requests: The maximum number of requests which the server keeps -max_requests = 1024 - -# listen: Make the server listen on a particular IP address, and send -listen { - type = auth - ipaddr = PH_IP_ALICE - port = 0 -} - -# This second "listen" section is for listening on the accounting -# port, too. -# -listen { - type = acct - ipaddr = PH_IP_ALICE - port = 0 -} - -# hostname_lookups: Log the names of clients or just their IP addresses -hostname_lookups = no - -# Core dumps are a bad thing. This should only be set to 'yes' -allow_core_dumps = no - -# Regular expressions -regular_expressions = yes -extended_expressions = yes - -# Logging section. The various "log_*" configuration items -log { - destination = files - file = ${logdir}/radius.log - syslog_facility = daemon - stripped_names = no - auth = yes - auth_badpass = yes - auth_goodpass = yes -} - -# The program to execute to do concurrency checks. -checkrad = ${sbindir}/checkrad - -# Security considerations -security { - max_attributes = 200 - reject_delay = 1 - status_server = yes -} - -# PROXY CONFIGURATION -proxy_requests = yes -$INCLUDE proxy.conf - -# CLIENTS CONFIGURATION -$INCLUDE clients.conf - -# THREAD POOL CONFIGURATION -thread pool { - start_servers = 5 - max_servers = 32 - min_spare_servers = 3 - max_spare_servers = 10 - max_requests_per_server = 0 -} - -# MODULE CONFIGURATION -modules { - $INCLUDE ${confdir}/modules/ - $INCLUDE eap.conf - $INCLUDE sql.conf - $INCLUDE sql/mysql/counter.conf -} - -# Instantiation -instantiate { - exec - expr - expiration - logintime -} - -# Policies -$INCLUDE policy.conf - -# Include all enabled virtual hosts -$INCLUDE sites-enabled/ diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/ipsec.conf index ba9294f6a..b4825fb82 100755..100644 --- a/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/ipsec.conf @@ -1,7 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/strongswan.conf index 57bd6cceb..0fd7117dd 100644 --- a/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 updown } diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/init.d/iptables deleted file mode 100755 index 56587b2e8..000000000 --- a/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/init.d/iptables +++ /dev/null @@ -1,84 +0,0 @@ -#!/sbin/runscript -# Copyright 1999-2004 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 - -opts="start stop reload" - -depend() { - before net - need logger -} - -start() { - ebegin "Starting firewall" - - # enable IP forwarding - echo 1 > /proc/sys/net/ipv4/ip_forward - - # default policy is DROP - /sbin/iptables -P INPUT DROP - /sbin/iptables -P OUTPUT DROP - /sbin/iptables -P FORWARD DROP - - # allow esp - iptables -A INPUT -i eth0 -p 50 -j ACCEPT - iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT - - # allow IKE - iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT - - # allow MobIKE - iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT - - # allow crl fetch from winnetou - iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT - iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT - - # allow RADIUS protocol with alice - iptables -A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT - iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT - - # allow ssh - iptables -A INPUT -p tcp --dport 22 -j ACCEPT - iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT - - eend $? -} - -stop() { - ebegin "Stopping firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - - if [ $a == nat ]; then - /sbin/iptables -t nat -P PREROUTING ACCEPT - /sbin/iptables -t nat -P POSTROUTING ACCEPT - /sbin/iptables -t nat -P OUTPUT ACCEPT - elif [ $a == mangle ]; then - /sbin/iptables -t mangle -P PREROUTING ACCEPT - /sbin/iptables -t mangle -P INPUT ACCEPT - /sbin/iptables -t mangle -P FORWARD ACCEPT - /sbin/iptables -t mangle -P OUTPUT ACCEPT - /sbin/iptables -t mangle -P POSTROUTING ACCEPT - elif [ $a == filter ]; then - /sbin/iptables -t filter -P INPUT ACCEPT - /sbin/iptables -t filter -P FORWARD ACCEPT - /sbin/iptables -t filter -P OUTPUT ACCEPT - fi - done - eend $? -} - -reload() { - ebegin "Flushing firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - done; - eend $? - start -} - diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/ipsec.conf index 4a885babc..efdf6f7ed 100755..100644 --- a/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/ipsec.conf @@ -1,8 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/iptables.rules new file mode 100644 index 000000000..1eb755354 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/iptables.rules @@ -0,0 +1,32 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow esp +-A INPUT -i eth0 -p 50 -j ACCEPT +-A OUTPUT -o eth0 -p 50 -j ACCEPT + +# allow IKE +-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow crl fetch from winnetou +-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT +-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + +# allow RADIUS protocol with alice +-A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT +-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT + +COMMIT diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/strongswan.conf index f21745bcd..f634316f8 100644 --- a/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius updown plugins { eap-radius { secret = gv6URkSs diff --git a/testing/tests/ikev2/rw-eap-md5-radius/posttest.dat b/testing/tests/ikev2/rw-eap-md5-radius/posttest.dat index 920d6a20d..181949fb5 100644 --- a/testing/tests/ikev2/rw-eap-md5-radius/posttest.dat +++ b/testing/tests/ikev2/rw-eap-md5-radius/posttest.dat @@ -1,5 +1,5 @@ moon::ipsec stop carol::ipsec stop -alice::/etc/init.d/radiusd stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null +alice::killall radiusd +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/rw-eap-md5-radius/pretest.dat b/testing/tests/ikev2/rw-eap-md5-radius/pretest.dat index 280d62e3c..9adc43d3e 100644 --- a/testing/tests/ikev2/rw-eap-md5-radius/pretest.dat +++ b/testing/tests/ikev2/rw-eap-md5-radius/pretest.dat @@ -1,6 +1,6 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null -alice::/etc/init.d/radiusd start +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +alice::radiusd moon::ipsec start carol::ipsec start carol::sleep 1 diff --git a/testing/tests/ikev2/rw-eap-md5-radius/test.conf b/testing/tests/ikev2/rw-eap-md5-radius/test.conf index e0d77b583..eb1e15dd2 100644 --- a/testing/tests/ikev2/rw-eap-md5-radius/test.conf +++ b/testing/tests/ikev2/rw-eap-md5-radius/test.conf @@ -1,26 +1,26 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice carol moon" +VIRTHOSTS="alice carol moon" # Corresponding block diagram # DIAGRAM="a-m-c.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol" -# UML instances on which FreeRadius is started +# Guest instances on which FreeRadius is started # RADIUSHOSTS="alice" diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-md5-rsa/evaltest.dat index fadcdc635..84f41fd93 100644 --- a/testing/tests/ikev2/rw-eap-md5-rsa/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-md5-rsa/evaltest.dat @@ -1,9 +1,11 @@ carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES -moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES -moon::ipsec statusall::rw-eap.*ESTABLISHED::YES -carol::ipsec statusall::home.*ESTABLISHED::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES +moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw-eap.*INSTALLED, TUNNEL::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/ipsec.conf index ba9294f6a..b4825fb82 100755..100644 --- a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/ipsec.conf @@ -1,7 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf index 57bd6cceb..0fd7117dd 100644 --- a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 updown } diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/ipsec.conf index 28d52b9eb..5d799a870 100755..100644 --- a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/ipsec.conf @@ -1,8 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf index 57bd6cceb..0fd7117dd 100644 --- a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 updown } diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/posttest.dat b/testing/tests/ikev2/rw-eap-md5-rsa/posttest.dat index 94a400606..046d4cfdc 100644 --- a/testing/tests/ikev2/rw-eap-md5-rsa/posttest.dat +++ b/testing/tests/ikev2/rw-eap-md5-rsa/posttest.dat @@ -1,4 +1,4 @@ moon::ipsec stop carol::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/pretest.dat b/testing/tests/ikev2/rw-eap-md5-rsa/pretest.dat index ed5498bfe..388339fb8 100644 --- a/testing/tests/ikev2/rw-eap-md5-rsa/pretest.dat +++ b/testing/tests/ikev2/rw-eap-md5-rsa/pretest.dat @@ -1,5 +1,5 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start carol::sleep 1 diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/test.conf b/testing/tests/ikev2/rw-eap-md5-rsa/test.conf index 2bd21499b..e093d43d8 100644 --- a/testing/tests/ikev2/rw-eap-md5-rsa/test.conf +++ b/testing/tests/ikev2/rw-eap-md5-rsa/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice carol moon" +VIRTHOSTS="alice carol moon" # Corresponding block diagram # DIAGRAM="a-m-c.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/evaltest.dat index 5b632bfe8..010f48315 100644 --- a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/evaltest.dat @@ -1,11 +1,13 @@ carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES carol::cat /var/log/daemon.log::server requested EAP_MSCHAPV2 authentication::YES carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES -moon::cat /var/log/daemon.log::received EAP identity.*carol::YES -moon::cat /var/log/daemon.log::authentication of .*PH_IP_CAROL.* with EAP successful::YES -moon::ipsec statusall::rw-eap.*ESTABLISHED::YES -carol::ipsec statusall::home.*ESTABLISHED::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon:: cat /var/log/daemon.log::received EAP identity.*carol::YES +moon:: cat /var/log/daemon.log::authentication of .*PH_IP_CAROL.* with EAP successful::YES +moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*\[PH_IP_CAROL]::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*\[PH_IP_CAROL].*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw-eap.*INSTALLED, TUNNEL::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/carol/etc/ipsec.conf index c1497ca0e..59a0d66c3 100755..100644 --- a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/carol/etc/ipsec.conf @@ -1,7 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/carol/etc/strongswan.conf index fd717317c..66dee832b 100644 --- a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md4 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-mschapv2 eap-identity updown + load = curl aes des sha1 sha2 md4 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-mschapv2 eap-identity updown } diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/moon/etc/ipsec.conf index a4a45f06c..086a734e3 100755..100644 --- a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/moon/etc/ipsec.conf @@ -1,8 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/moon/etc/strongswan.conf index fd717317c..66dee832b 100644 --- a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md4 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-mschapv2 eap-identity updown + load = curl aes des sha1 sha2 md4 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-mschapv2 eap-identity updown } diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/posttest.dat b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/posttest.dat index 94a400606..046d4cfdc 100644 --- a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/posttest.dat +++ b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/posttest.dat @@ -1,4 +1,4 @@ moon::ipsec stop carol::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/pretest.dat b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/pretest.dat index ed5498bfe..388339fb8 100644 --- a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/pretest.dat +++ b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/pretest.dat @@ -1,5 +1,5 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start carol::sleep 1 diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/test.conf b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/test.conf index 2bd21499b..e093d43d8 100644 --- a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/test.conf +++ b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice carol moon" +VIRTHOSTS="alice carol moon" # Corresponding block diagram # DIAGRAM="a-m-c.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev2/rw-eap-peap-md5/evaltest.dat b/testing/tests/ikev2/rw-eap-peap-md5/evaltest.dat index 0908e1c97..4ed5257b1 100644 --- a/testing/tests/ikev2/rw-eap-peap-md5/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-peap-md5/evaltest.dat @@ -3,17 +3,21 @@ carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES carol::cat /var/log/daemon.log::EAP method EAP_PEAP succeeded, MSK established::YES carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with EAP successful::YES -dave::cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES -dave::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES -dave::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES -dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES -moon::cat /var/log/daemon.log::EAP_PEAP phase2 authentication of 'carol@strongswan.org' with EAP_MD5 successful::YES -moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES -moon::cat /var/log/daemon.log::EAP method EAP_PEAP failed for peer dave@strongswan.org::YES -moon::ipsec statusall::rw-eap.*ESTABLISHED.*carol@strongswan.org::YES -moon::ipsec statusall::rw-eap.*ESTABLISHED.*dave@stronswan.org::NO -carol::ipsec statusall::home.*ESTABLISHED::YES -dave::ipsec statusall::home.*ESTABLISHED::NO -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +dave:: cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES +dave:: cat /var/log/daemon.log::allow mutual EAP-only authentication::YES +dave:: cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES +dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES +moon:: cat /var/log/daemon.log::EAP_PEAP phase2 authentication of 'carol@strongswan.org' with EAP_MD5 successful::YES +moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES +moon:: cat /var/log/daemon.log::EAP method EAP_PEAP failed for peer dave@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw-eap\[1]: ESTABLISHED.*CN=moon.strongswan.org.*carol@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw-eap\[2]: ESTABLISHED.*CN=moon.strongswan.org.*dave@stronswan.org::NO +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*CN=moon.strongswan.org::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*CN=moon.strongswan.org::NO +moon:: ipsec status 2> /dev/null::rw-eap[{]1}.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw-eap[{]2}.*INSTALLED::NO +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +dave:: ipsec status 2> /dev/null::home.*INSTALLED::NO +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/rw-eap-peap-md5/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-peap-md5/hosts/carol/etc/ipsec.conf index 2f8b9dfda..dd1b89302 100755..100644 --- a/testing/tests/ikev2/rw-eap-peap-md5/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-peap-md5/hosts/carol/etc/ipsec.conf @@ -1,7 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutostart=no conn %default ikelifetime=60m @@ -17,6 +16,7 @@ conn home leftfirewall=yes right=PH_IP_MOON rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org" + rightauth=any rightsubnet=10.1.0.0/16 rightsendcert=never auto=add diff --git a/testing/tests/ikev2/rw-eap-peap-md5/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-peap-md5/hosts/carol/etc/strongswan.conf index fd5d3f5f4..e9958df28 100644 --- a/testing/tests/ikev2/rw-eap-peap-md5/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-peap-md5/hosts/carol/etc/strongswan.conf @@ -1,6 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-peap updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-peap updown multiple_authentication=no } diff --git a/testing/tests/ikev2/rw-eap-peap-md5/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-peap-md5/hosts/dave/etc/ipsec.conf index 3a29329d5..a46071a3a 100755..100644 --- a/testing/tests/ikev2/rw-eap-peap-md5/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-peap-md5/hosts/dave/etc/ipsec.conf @@ -1,7 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutostart=no conn %default ikelifetime=60m @@ -17,6 +16,7 @@ conn home leftfirewall=yes right=PH_IP_MOON rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org" + rightauth=any rightsubnet=10.1.0.0/16 rightsendcert=never auto=add diff --git a/testing/tests/ikev2/rw-eap-peap-md5/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-peap-md5/hosts/dave/etc/strongswan.conf index fd5d3f5f4..e9958df28 100644 --- a/testing/tests/ikev2/rw-eap-peap-md5/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-peap-md5/hosts/dave/etc/strongswan.conf @@ -1,6 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-peap updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-peap updown multiple_authentication=no } diff --git a/testing/tests/ikev2/rw-eap-peap-md5/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-peap-md5/hosts/moon/etc/ipsec.conf index 129486c05..d12eafbb2 100755..100644 --- a/testing/tests/ikev2/rw-eap-peap-md5/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-peap-md5/hosts/moon/etc/ipsec.conf @@ -1,8 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/rw-eap-peap-md5/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-peap-md5/hosts/moon/etc/strongswan.conf index f5024111c..5f00ef57f 100644 --- a/testing/tests/ikev2/rw-eap-peap-md5/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-peap-md5/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-peap updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-peap updown multiple_authentication=no plugins { eap-peap { diff --git a/testing/tests/ikev2/rw-eap-peap-md5/posttest.dat b/testing/tests/ikev2/rw-eap-peap-md5/posttest.dat index 7cebd7f25..1865a1c60 100644 --- a/testing/tests/ikev2/rw-eap-peap-md5/posttest.dat +++ b/testing/tests/ikev2/rw-eap-peap-md5/posttest.dat @@ -1,6 +1,6 @@ moon::ipsec stop carol::ipsec stop dave::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null -dave::/etc/init.d/iptables stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/rw-eap-peap-md5/pretest.dat b/testing/tests/ikev2/rw-eap-peap-md5/pretest.dat index 369596177..17f1b5f2b 100644 --- a/testing/tests/ikev2/rw-eap-peap-md5/pretest.dat +++ b/testing/tests/ikev2/rw-eap-peap-md5/pretest.dat @@ -1,6 +1,6 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null -dave::/etc/init.d/iptables start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start dave::ipsec start diff --git a/testing/tests/ikev2/rw-eap-peap-md5/test.conf b/testing/tests/ikev2/rw-eap-peap-md5/test.conf index 70416826e..f29298850 100644 --- a/testing/tests/ikev2/rw-eap-peap-md5/test.conf +++ b/testing/tests/ikev2/rw-eap-peap-md5/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon carol winnetou dave" +VIRTHOSTS="alice moon carol winnetou dave" # Corresponding block diagram # DIAGRAM="a-m-c-w-d.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/evaltest.dat b/testing/tests/ikev2/rw-eap-peap-mschapv2/evaltest.dat index 8743b9643..fc75e1c9a 100644 --- a/testing/tests/ikev2/rw-eap-peap-mschapv2/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/evaltest.dat @@ -3,17 +3,17 @@ carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES carol::cat /var/log/daemon.log::server requested EAP_MSCHAPV2 authentication::YES carol::cat /var/log/daemon.log::EAP method EAP_PEAP succeeded, MSK established::YES carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with EAP successful::YES -dave::cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES -dave::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES -dave::cat /var/log/daemon.log::server requested EAP_MSCHAPV2 authentication::YES -dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES -moon::cat /var/log/daemon.log::EAP_PEAP phase2 authentication of 'carol@strongswan.org' with EAP_MSCHAPV2 successful::YES -moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES -moon::cat /var/log/daemon.log::EAP method EAP_PEAP failed for peer dave@strongswan.org::YES -moon::ipsec statusall::rw-eap.*ESTABLISHED.*carol@strongswan.org::YES -moon::ipsec statusall::rw-eap.*ESTABLISHED.*dave@stronswan.org::NO -carol::ipsec statusall::home.*ESTABLISHED::YES -dave::ipsec statusall::home.*ESTABLISHED::NO -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +dave:: cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES +dave:: cat /var/log/daemon.log::allow mutual EAP-only authentication::YES +dave:: cat /var/log/daemon.log::server requested EAP_MSCHAPV2 authentication::YES +dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES +moon:: cat /var/log/daemon.log::EAP_PEAP phase2 authentication of 'carol@strongswan.org' with EAP_MSCHAPV2 successful::YES +moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES +moon:: cat /var/log/daemon.log::EAP method EAP_PEAP failed for peer dave@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*dave@stronswan.org::NO +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED::NO +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/carol/etc/ipsec.conf index 2f8b9dfda..dd1b89302 100755..100644 --- a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/carol/etc/ipsec.conf @@ -1,7 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutostart=no conn %default ikelifetime=60m @@ -17,6 +16,7 @@ conn home leftfirewall=yes right=PH_IP_MOON rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org" + rightauth=any rightsubnet=10.1.0.0/16 rightsendcert=never auto=add diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/carol/etc/strongswan.conf index 2cbfb2484..613ceee06 100644 --- a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/carol/etc/strongswan.conf @@ -1,6 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md4 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-mschapv2 eap-peap updown + load = curl aes des sha1 sha2 md4 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-mschapv2 eap-peap updown multiple_authentication=no } diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/dave/etc/ipsec.conf index 3a29329d5..a46071a3a 100755..100644 --- a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/dave/etc/ipsec.conf @@ -1,7 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutostart=no conn %default ikelifetime=60m @@ -17,6 +16,7 @@ conn home leftfirewall=yes right=PH_IP_MOON rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org" + rightauth=any rightsubnet=10.1.0.0/16 rightsendcert=never auto=add diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/dave/etc/strongswan.conf index 2cbfb2484..613ceee06 100644 --- a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/dave/etc/strongswan.conf @@ -1,6 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md4 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-mschapv2 eap-peap updown + load = curl aes des sha1 sha2 md4 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-mschapv2 eap-peap updown multiple_authentication=no } diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/moon/etc/ipsec.conf index 129486c05..d12eafbb2 100755..100644 --- a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/moon/etc/ipsec.conf @@ -1,8 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/moon/etc/strongswan.conf index 19d12447f..58e8df0da 100644 --- a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md4 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-mschapv2 eap-peap updown + load = curl aes des sha1 sha2 md4 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-mschapv2 eap-peap updown multiple_authentication=no plugins { eap-peap { diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/posttest.dat b/testing/tests/ikev2/rw-eap-peap-mschapv2/posttest.dat index 7cebd7f25..1865a1c60 100644 --- a/testing/tests/ikev2/rw-eap-peap-mschapv2/posttest.dat +++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/posttest.dat @@ -1,6 +1,6 @@ moon::ipsec stop carol::ipsec stop dave::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null -dave::/etc/init.d/iptables stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/pretest.dat b/testing/tests/ikev2/rw-eap-peap-mschapv2/pretest.dat index 369596177..17f1b5f2b 100644 --- a/testing/tests/ikev2/rw-eap-peap-mschapv2/pretest.dat +++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/pretest.dat @@ -1,6 +1,6 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null -dave::/etc/init.d/iptables start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start dave::ipsec start diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/test.conf b/testing/tests/ikev2/rw-eap-peap-mschapv2/test.conf index 70416826e..f29298850 100644 --- a/testing/tests/ikev2/rw-eap-peap-mschapv2/test.conf +++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon carol winnetou dave" +VIRTHOSTS="alice moon carol winnetou dave" # Corresponding block diagram # DIAGRAM="a-m-c-w-d.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev2/rw-eap-peap-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-peap-radius/evaltest.dat index 39a24f15e..95c29b7f5 100644 --- a/testing/tests/ikev2/rw-eap-peap-radius/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-peap-radius/evaltest.dat @@ -3,19 +3,17 @@ carol::cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES carol::cat /var/log/daemon.log::EAP method EAP_PEAP succeeded, MSK established::YES carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES -dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES -dave::cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES -dave::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES -dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES -moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES -moon::cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES -moon::cat /var/log/daemon.log::EAP method EAP_PEAP failed for peer dave@strongswan.org::YES -moon::ipsec statusall::rw-eap.*ESTABLISHED.*carol@strongswan.org::YES -moon::ipsec statusall::rw-eap.*ESTABLISHED.*dave@strongswan.org::NO -carol::ipsec statusall::home.*ESTABLISHED::YES -dave::ipsec statusall::home.*ESTABLISHED::NO -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES +dave:: cat /var/log/daemon.log::server requested EAP_PEAP authentication::YES +dave:: cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES +dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES +moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES +moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES +moon:: cat /var/log/daemon.log::EAP method EAP_PEAP failed for peer dave@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::NO +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED::NO +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES - - diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/eap.conf index df50901d5..11d3e2acd 100644 --- a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/eap.conf +++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/eap.conf @@ -1,7 +1,7 @@ eap { md5 { } - default_eap_type = peap + default_eap_type = peap tls { private_key_file = /etc/raddb/certs/aaaKey.pem certificate_file = /etc/raddb/certs/aaaCert.pem diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/proxy.conf index 23cba8d11..23cba8d11 100644 --- a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/proxy.conf +++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/proxy.conf diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/sites-available/default index 802fcfd8d..dd0825858 100644 --- a/testing/tests/ikev2/rw-eap-md5-radius/hosts/alice/etc/raddb/sites-available/default +++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/sites-available/default @@ -41,4 +41,3 @@ pre-proxy { post-proxy { eap } - diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel index e088fae14..e088fae14 100644 --- a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel +++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/users b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/users index 50ccf3e76..50ccf3e76 100644 --- a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/users +++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/freeradius/users diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/clients.conf deleted file mode 100644 index f4e179aa4..000000000 --- a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/clients.conf +++ /dev/null @@ -1,4 +0,0 @@ -client PH_IP_MOON1 { - secret = gv6URkSs - shortname = moon -} diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/radiusd.conf deleted file mode 100644 index 1143a0473..000000000 --- a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/radiusd.conf +++ /dev/null @@ -1,120 +0,0 @@ -# radiusd.conf -- FreeRADIUS server configuration file. - -prefix = /usr -exec_prefix = ${prefix} -sysconfdir = /etc -localstatedir = /var -sbindir = ${exec_prefix}/sbin -logdir = ${localstatedir}/log/radius -raddbdir = ${sysconfdir}/raddb -radacctdir = ${logdir}/radacct - -# name of the running server. See also the "-n" command-line option. -name = radiusd - -# Location of config and logfiles. -confdir = ${raddbdir} -run_dir = ${localstatedir}/run/radiusd - -# Should likely be ${localstatedir}/lib/radiusd -db_dir = ${raddbdir} - -# libdir: Where to find the rlm_* modules. -libdir = ${exec_prefix}/lib - -# pidfile: Where to place the PID of the RADIUS server. -pidfile = ${run_dir}/${name}.pid - -# max_request_time: The maximum time (in seconds) to handle a request. -max_request_time = 30 - -# cleanup_delay: The time to wait (in seconds) before cleaning up -cleanup_delay = 5 - -# max_requests: The maximum number of requests which the server keeps -max_requests = 1024 - -# listen: Make the server listen on a particular IP address, and send -listen { - type = auth - ipaddr = PH_IP_ALICE - port = 0 -} - -# This second "listen" section is for listening on the accounting -# port, too. -# -listen { - type = acct - ipaddr = PH_IP_ALICE - port = 0 -} - -# hostname_lookups: Log the names of clients or just their IP addresses -hostname_lookups = no - -# Core dumps are a bad thing. This should only be set to 'yes' -allow_core_dumps = no - -# Regular expressions -regular_expressions = yes -extended_expressions = yes - -# Logging section. The various "log_*" configuration items -log { - destination = files - file = ${logdir}/radius.log - syslog_facility = daemon - stripped_names = no - auth = yes - auth_badpass = yes - auth_goodpass = yes -} - -# The program to execute to do concurrency checks. -checkrad = ${sbindir}/checkrad - -# Security considerations -security { - max_attributes = 200 - reject_delay = 1 - status_server = yes -} - -# PROXY CONFIGURATION -proxy_requests = yes -$INCLUDE proxy.conf - -# CLIENTS CONFIGURATION -$INCLUDE clients.conf - -# THREAD POOL CONFIGURATION -thread pool { - start_servers = 5 - max_servers = 32 - min_spare_servers = 3 - max_spare_servers = 10 - max_requests_per_server = 0 -} - -# MODULE CONFIGURATION -modules { - $INCLUDE ${confdir}/modules/ - $INCLUDE eap.conf - $INCLUDE sql.conf - $INCLUDE sql/mysql/counter.conf -} - -# Instantiation -instantiate { - exec - expr - expiration - logintime -} - -# Policies -$INCLUDE policy.conf - -# Include all enabled virtual hosts -$INCLUDE sites-enabled/ diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-peap-radius/hosts/carol/etc/ipsec.conf index b2eef5785..944546ff8 100755..100644 --- a/testing/tests/ikev2/rw-eap-peap-radius/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/carol/etc/ipsec.conf @@ -1,7 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-peap-radius/hosts/carol/etc/strongswan.conf index 2c06d26a6..0e20d1c68 100644 --- a/testing/tests/ikev2/rw-eap-peap-radius/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/carol/etc/strongswan.conf @@ -1,6 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-peap updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-peap updown multiple_authentication=no } diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-peap-radius/hosts/dave/etc/ipsec.conf index 3c8ea5c58..b1a22e78a 100755..100644 --- a/testing/tests/ikev2/rw-eap-peap-radius/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/dave/etc/ipsec.conf @@ -1,7 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-peap-radius/hosts/dave/etc/strongswan.conf index 2c06d26a6..0e20d1c68 100644 --- a/testing/tests/ikev2/rw-eap-peap-radius/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/dave/etc/strongswan.conf @@ -1,6 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-peap updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-peap updown multiple_authentication=no } diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/init.d/iptables deleted file mode 100755 index 56587b2e8..000000000 --- a/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/init.d/iptables +++ /dev/null @@ -1,84 +0,0 @@ -#!/sbin/runscript -# Copyright 1999-2004 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 - -opts="start stop reload" - -depend() { - before net - need logger -} - -start() { - ebegin "Starting firewall" - - # enable IP forwarding - echo 1 > /proc/sys/net/ipv4/ip_forward - - # default policy is DROP - /sbin/iptables -P INPUT DROP - /sbin/iptables -P OUTPUT DROP - /sbin/iptables -P FORWARD DROP - - # allow esp - iptables -A INPUT -i eth0 -p 50 -j ACCEPT - iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT - - # allow IKE - iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT - - # allow MobIKE - iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT - - # allow crl fetch from winnetou - iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT - iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT - - # allow RADIUS protocol with alice - iptables -A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT - iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT - - # allow ssh - iptables -A INPUT -p tcp --dport 22 -j ACCEPT - iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT - - eend $? -} - -stop() { - ebegin "Stopping firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - - if [ $a == nat ]; then - /sbin/iptables -t nat -P PREROUTING ACCEPT - /sbin/iptables -t nat -P POSTROUTING ACCEPT - /sbin/iptables -t nat -P OUTPUT ACCEPT - elif [ $a == mangle ]; then - /sbin/iptables -t mangle -P PREROUTING ACCEPT - /sbin/iptables -t mangle -P INPUT ACCEPT - /sbin/iptables -t mangle -P FORWARD ACCEPT - /sbin/iptables -t mangle -P OUTPUT ACCEPT - /sbin/iptables -t mangle -P POSTROUTING ACCEPT - elif [ $a == filter ]; then - /sbin/iptables -t filter -P INPUT ACCEPT - /sbin/iptables -t filter -P FORWARD ACCEPT - /sbin/iptables -t filter -P OUTPUT ACCEPT - fi - done - eend $? -} - -reload() { - ebegin "Flushing firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - done; - eend $? - start -} - diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/ipsec.conf index fc8f84638..98e2525ba 100755..100644 --- a/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/ipsec.conf @@ -1,8 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/iptables.rules new file mode 100644 index 000000000..1eb755354 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/iptables.rules @@ -0,0 +1,32 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow esp +-A INPUT -i eth0 -p 50 -j ACCEPT +-A OUTPUT -o eth0 -p 50 -j ACCEPT + +# allow IKE +-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow crl fetch from winnetou +-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT +-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + +# allow RADIUS protocol with alice +-A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT +-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT + +COMMIT diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/strongswan.conf index 4d2d3058d..38d78e7a0 100644 --- a/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-radius updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-radius updown multiple_authentication=no plugins { eap-radius { diff --git a/testing/tests/ikev2/rw-eap-peap-radius/posttest.dat b/testing/tests/ikev2/rw-eap-peap-radius/posttest.dat index dbe56013a..670d2e72f 100644 --- a/testing/tests/ikev2/rw-eap-peap-radius/posttest.dat +++ b/testing/tests/ikev2/rw-eap-peap-radius/posttest.dat @@ -1,7 +1,7 @@ moon::ipsec stop carol::ipsec stop dave::ipsec stop -alice::/etc/init.d/radiusd stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null -dave::/etc/init.d/iptables stop 2> /dev/null +alice::killall radiusd +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/rw-eap-peap-radius/pretest.dat b/testing/tests/ikev2/rw-eap-peap-radius/pretest.dat index cbe1ae229..3e7fc0bb1 100644 --- a/testing/tests/ikev2/rw-eap-peap-radius/pretest.dat +++ b/testing/tests/ikev2/rw-eap-peap-radius/pretest.dat @@ -1,7 +1,7 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null -dave::/etc/init.d/iptables start 2> /dev/null -alice::/etc/init.d/radiusd start +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules +alice::radiusd moon::ipsec start carol::ipsec start dave::ipsec start diff --git a/testing/tests/ikev2/rw-eap-peap-radius/test.conf b/testing/tests/ikev2/rw-eap-peap-radius/test.conf index e6a786a94..20d586309 100644 --- a/testing/tests/ikev2/rw-eap-peap-radius/test.conf +++ b/testing/tests/ikev2/rw-eap-peap-radius/test.conf @@ -1,26 +1,26 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice carol winnetou dave moon" +VIRTHOSTS="alice carol winnetou dave moon" # Corresponding block diagram # DIAGRAM="a-m-c-w-d.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" -# UML instances on which FreeRadius is started +# Guest instances on which FreeRadius is started # RADIUSHOSTS="alice" diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-sim-id-radius/evaltest.dat index 4305a1400..f1a68bc19 100644 --- a/testing/tests/ikev2/rw-eap-sim-id-radius/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-sim-id-radius/evaltest.dat @@ -1,12 +1,12 @@ carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES -moon::cat /var/log/daemon.log::received EAP identity .*228060123456001::YES +moon:: cat /var/log/daemon.log::received EAP identity .*228060123456001::YES carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES -moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES -moon::ipsec statusall::rw-eap.*ESTABLISHED::YES -carol::ipsec statusall::home.*ESTABLISHED::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES +moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw-eap.*INSTALLED, TUNNEL::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES - - diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/eap.conf new file mode 100644 index 000000000..7d8023951 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/eap.conf @@ -0,0 +1,5 @@ +eap { + default_eap_type = sim + sim { + } +} diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/modules/sim_files b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/modules/sim_files new file mode 100644 index 000000000..10c26aa15 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/modules/sim_files @@ -0,0 +1,3 @@ +sim_files { + simtriplets = "/etc/freeradius/triplets.dat" +} diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/proxy.conf new file mode 100644 index 000000000..783587b55 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/proxy.conf @@ -0,0 +1,5 @@ +realm LOCAL { + type = radius + authhost = LOCAL + accthost = LOCAL +} diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/sites-available/default index 92896b11e..893529324 100644 --- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/sites-available/default +++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/sites-available/default @@ -40,4 +40,3 @@ pre-proxy { post-proxy { eap } - diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/triplets.dat b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/triplets.dat index c167ba940..c167ba940 100644 --- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/triplets.dat +++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/triplets.dat diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/users b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/users index e69de29bb..e69de29bb 100644 --- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/users +++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/freeradius/users diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/clients.conf deleted file mode 100644 index f4e179aa4..000000000 --- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/clients.conf +++ /dev/null @@ -1,4 +0,0 @@ -client PH_IP_MOON1 { - secret = gv6URkSs - shortname = moon -} diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/eap.conf deleted file mode 100644 index a2020424e..000000000 --- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/eap.conf +++ /dev/null @@ -1,5 +0,0 @@ -eap { - default_eap_type = sim - sim { - } -} diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/radiusd.conf deleted file mode 100644 index d77b818fe..000000000 --- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/alice/etc/raddb/radiusd.conf +++ /dev/null @@ -1,123 +0,0 @@ -# radiusd.conf -- FreeRADIUS server configuration file. - -prefix = /usr -exec_prefix = ${prefix} -sysconfdir = /etc -localstatedir = /var -sbindir = ${exec_prefix}/sbin -logdir = ${localstatedir}/log/radius -raddbdir = ${sysconfdir}/raddb -radacctdir = ${logdir}/radacct - -# name of the running server. See also the "-n" command-line option. -name = radiusd - -# Location of config and logfiles. -confdir = ${raddbdir} -run_dir = ${localstatedir}/run/radiusd - -# Should likely be ${localstatedir}/lib/radiusd -db_dir = ${raddbdir} - -# libdir: Where to find the rlm_* modules. -libdir = ${exec_prefix}/lib - -# pidfile: Where to place the PID of the RADIUS server. -pidfile = ${run_dir}/${name}.pid - -# max_request_time: The maximum time (in seconds) to handle a request. -max_request_time = 30 - -# cleanup_delay: The time to wait (in seconds) before cleaning up -cleanup_delay = 5 - -# max_requests: The maximum number of requests which the server keeps -max_requests = 1024 - -# listen: Make the server listen on a particular IP address, and send -listen { - type = auth - ipaddr = PH_IP_ALICE - port = 0 -} - -# This second "listen" section is for listening on the accounting -# port, too. -# -listen { - type = acct - ipaddr = PH_IP_ALICE - port = 0 -} - -# hostname_lookups: Log the names of clients or just their IP addresses -hostname_lookups = no - -# Core dumps are a bad thing. This should only be set to 'yes' -allow_core_dumps = no - -# Regular expressions -regular_expressions = yes -extended_expressions = yes - -# Logging section. The various "log_*" configuration items -log { - destination = files - file = ${logdir}/radius.log - syslog_facility = daemon - stripped_names = no - auth = yes - auth_badpass = yes - auth_goodpass = yes -} - -# The program to execute to do concurrency checks. -checkrad = ${sbindir}/checkrad - -# Security considerations -security { - max_attributes = 200 - reject_delay = 1 - status_server = yes -} - -# PROXY CONFIGURATION -proxy_requests = yes -$INCLUDE proxy.conf - -# CLIENTS CONFIGURATION -$INCLUDE clients.conf - -# THREAD POOL CONFIGURATION -thread pool { - start_servers = 5 - max_servers = 32 - min_spare_servers = 3 - max_spare_servers = 10 - max_requests_per_server = 0 -} - -# MODULE CONFIGURATION -modules { - $INCLUDE ${confdir}/modules/ - $INCLUDE eap.conf - $INCLUDE sql.conf - $INCLUDE sql/mysql/counter.conf - sim_files { - simtriplets = "/etc/raddb/triplets.dat" - } -} - -# Instantiation -instantiate { - exec - expr - expiration - logintime -} - -# Policies -$INCLUDE policy.conf - -# Include all enabled virtual hosts -$INCLUDE sites-enabled/ diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.conf index d3a99fe41..97ce965a0 100755..100644 --- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/ipsec.conf @@ -1,7 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutostart=no conn %default ikelifetime=60m @@ -12,7 +11,6 @@ conn %default conn home left=PH_IP_CAROL - leftnexthop=%direct leftid=carol@strongswan.org leftfirewall=yes leftauth=eap diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/strongswan.conf index 7b4ab49e4..8e872ddae 100644 --- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file eap-identity updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file eap-identity updown } diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/init.d/iptables deleted file mode 100755 index 56587b2e8..000000000 --- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/init.d/iptables +++ /dev/null @@ -1,84 +0,0 @@ -#!/sbin/runscript -# Copyright 1999-2004 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 - -opts="start stop reload" - -depend() { - before net - need logger -} - -start() { - ebegin "Starting firewall" - - # enable IP forwarding - echo 1 > /proc/sys/net/ipv4/ip_forward - - # default policy is DROP - /sbin/iptables -P INPUT DROP - /sbin/iptables -P OUTPUT DROP - /sbin/iptables -P FORWARD DROP - - # allow esp - iptables -A INPUT -i eth0 -p 50 -j ACCEPT - iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT - - # allow IKE - iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT - - # allow MobIKE - iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT - - # allow crl fetch from winnetou - iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT - iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT - - # allow RADIUS protocol with alice - iptables -A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT - iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT - - # allow ssh - iptables -A INPUT -p tcp --dport 22 -j ACCEPT - iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT - - eend $? -} - -stop() { - ebegin "Stopping firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - - if [ $a == nat ]; then - /sbin/iptables -t nat -P PREROUTING ACCEPT - /sbin/iptables -t nat -P POSTROUTING ACCEPT - /sbin/iptables -t nat -P OUTPUT ACCEPT - elif [ $a == mangle ]; then - /sbin/iptables -t mangle -P PREROUTING ACCEPT - /sbin/iptables -t mangle -P INPUT ACCEPT - /sbin/iptables -t mangle -P FORWARD ACCEPT - /sbin/iptables -t mangle -P OUTPUT ACCEPT - /sbin/iptables -t mangle -P POSTROUTING ACCEPT - elif [ $a == filter ]; then - /sbin/iptables -t filter -P INPUT ACCEPT - /sbin/iptables -t filter -P FORWARD ACCEPT - /sbin/iptables -t filter -P OUTPUT ACCEPT - fi - done - eend $? -} - -reload() { - ebegin "Flushing firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - done; - eend $? - start -} - diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/ipsec.conf index a86bb3d73..8216627ba 100755..100644 --- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/ipsec.conf @@ -1,8 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/iptables.rules new file mode 100644 index 000000000..1eb755354 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/iptables.rules @@ -0,0 +1,32 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow esp +-A INPUT -i eth0 -p 50 -j ACCEPT +-A OUTPUT -o eth0 -p 50 -j ACCEPT + +# allow IKE +-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow crl fetch from winnetou +-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT +-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + +# allow RADIUS protocol with alice +-A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT +-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT + +COMMIT diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/strongswan.conf index 2a18af887..aba7eefdf 100644 --- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius eap-identity updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius eap-identity updown plugins { eap-radius { secret = gv6URkSs diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/posttest.dat b/testing/tests/ikev2/rw-eap-sim-id-radius/posttest.dat index 920d6a20d..181949fb5 100644 --- a/testing/tests/ikev2/rw-eap-sim-id-radius/posttest.dat +++ b/testing/tests/ikev2/rw-eap-sim-id-radius/posttest.dat @@ -1,5 +1,5 @@ moon::ipsec stop carol::ipsec stop -alice::/etc/init.d/radiusd stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null +alice::killall radiusd +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/pretest.dat b/testing/tests/ikev2/rw-eap-sim-id-radius/pretest.dat index 0da980c07..b9117af36 100644 --- a/testing/tests/ikev2/rw-eap-sim-id-radius/pretest.dat +++ b/testing/tests/ikev2/rw-eap-sim-id-radius/pretest.dat @@ -1,7 +1,7 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null -alice::cat /etc/raddb/triplets.dat -alice::/etc/init.d/radiusd start +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +alice::cat /etc/freeradius/triplets.dat +alice::radiusd moon::ipsec start carol::ipsec start carol::sleep 1 diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/test.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/test.conf index e0d77b583..eb1e15dd2 100644 --- a/testing/tests/ikev2/rw-eap-sim-id-radius/test.conf +++ b/testing/tests/ikev2/rw-eap-sim-id-radius/test.conf @@ -1,26 +1,26 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice carol moon" +VIRTHOSTS="alice carol moon" # Corresponding block diagram # DIAGRAM="a-m-c.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol" -# UML instances on which FreeRadius is started +# Guest instances on which FreeRadius is started # RADIUSHOSTS="alice" diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-sim-only-radius/evaltest.dat index 852d424af..f434ddfc6 100644 --- a/testing/tests/ikev2/rw-eap-sim-only-radius/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-sim-only-radius/evaltest.dat @@ -1,15 +1,15 @@ carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES -moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES -moon::ipsec statusall::rw-eap.*ESTABLISHED.*carol@strongswan.org::YES -carol::ipsec statusall::home.*ESTABLISHED::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES +moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES -moon::cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES -moon::cat /var/log/daemon.log::EAP method EAP_SIM failed for peer dave@strongswan.org::YES -moon::ipsec statusall::rw-eap.*ESTABLISHED.*dave@strongswan.org::NO -dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES -dave::ipsec statusall::home.*ESTABLISHED::NO -dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::NO +moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES +moon:: cat /var/log/daemon.log::EAP method EAP_SIM failed for peer dave@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::NO +dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED::NO +dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/eap.conf new file mode 100644 index 000000000..7d8023951 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/eap.conf @@ -0,0 +1,5 @@ +eap { + default_eap_type = sim + sim { + } +} diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/modules/sim_files b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/modules/sim_files new file mode 100644 index 000000000..10c26aa15 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/modules/sim_files @@ -0,0 +1,3 @@ +sim_files { + simtriplets = "/etc/freeradius/triplets.dat" +} diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/proxy.conf index 23cba8d11..23cba8d11 100644 --- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/proxy.conf +++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/proxy.conf diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/sites-available/default index 126d61d05..fbdf75f4c 100644 --- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/sites-available/default +++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/sites-available/default @@ -41,4 +41,3 @@ pre-proxy { post-proxy { eap } - diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/triplets.dat b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/triplets.dat index fd0eb19b9..3e9a644eb 100644 --- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/triplets.dat +++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/triplets.dat @@ -4,4 +4,3 @@ carol@strongswan.org,32000000000000000000000000000000,32112233,325566778899AABB dave@strongswan.org,33000000000000000000000000000000,33112233,335566778899AABB dave@strongswan.org,34000000000000000000000000000000,34112233,345566778899AABB dave@strongswan.org,35000000000000000000000000000000,35112233,355566778899AABB - diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/users b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/users index e69de29bb..e69de29bb 100644 --- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/users +++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/freeradius/users diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/clients.conf deleted file mode 100644 index f4e179aa4..000000000 --- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/clients.conf +++ /dev/null @@ -1,4 +0,0 @@ -client PH_IP_MOON1 { - secret = gv6URkSs - shortname = moon -} diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/eap.conf deleted file mode 100644 index a2020424e..000000000 --- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/eap.conf +++ /dev/null @@ -1,5 +0,0 @@ -eap { - default_eap_type = sim - sim { - } -} diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/radiusd.conf deleted file mode 100644 index d77b818fe..000000000 --- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/alice/etc/raddb/radiusd.conf +++ /dev/null @@ -1,123 +0,0 @@ -# radiusd.conf -- FreeRADIUS server configuration file. - -prefix = /usr -exec_prefix = ${prefix} -sysconfdir = /etc -localstatedir = /var -sbindir = ${exec_prefix}/sbin -logdir = ${localstatedir}/log/radius -raddbdir = ${sysconfdir}/raddb -radacctdir = ${logdir}/radacct - -# name of the running server. See also the "-n" command-line option. -name = radiusd - -# Location of config and logfiles. -confdir = ${raddbdir} -run_dir = ${localstatedir}/run/radiusd - -# Should likely be ${localstatedir}/lib/radiusd -db_dir = ${raddbdir} - -# libdir: Where to find the rlm_* modules. -libdir = ${exec_prefix}/lib - -# pidfile: Where to place the PID of the RADIUS server. -pidfile = ${run_dir}/${name}.pid - -# max_request_time: The maximum time (in seconds) to handle a request. -max_request_time = 30 - -# cleanup_delay: The time to wait (in seconds) before cleaning up -cleanup_delay = 5 - -# max_requests: The maximum number of requests which the server keeps -max_requests = 1024 - -# listen: Make the server listen on a particular IP address, and send -listen { - type = auth - ipaddr = PH_IP_ALICE - port = 0 -} - -# This second "listen" section is for listening on the accounting -# port, too. -# -listen { - type = acct - ipaddr = PH_IP_ALICE - port = 0 -} - -# hostname_lookups: Log the names of clients or just their IP addresses -hostname_lookups = no - -# Core dumps are a bad thing. This should only be set to 'yes' -allow_core_dumps = no - -# Regular expressions -regular_expressions = yes -extended_expressions = yes - -# Logging section. The various "log_*" configuration items -log { - destination = files - file = ${logdir}/radius.log - syslog_facility = daemon - stripped_names = no - auth = yes - auth_badpass = yes - auth_goodpass = yes -} - -# The program to execute to do concurrency checks. -checkrad = ${sbindir}/checkrad - -# Security considerations -security { - max_attributes = 200 - reject_delay = 1 - status_server = yes -} - -# PROXY CONFIGURATION -proxy_requests = yes -$INCLUDE proxy.conf - -# CLIENTS CONFIGURATION -$INCLUDE clients.conf - -# THREAD POOL CONFIGURATION -thread pool { - start_servers = 5 - max_servers = 32 - min_spare_servers = 3 - max_spare_servers = 10 - max_requests_per_server = 0 -} - -# MODULE CONFIGURATION -modules { - $INCLUDE ${confdir}/modules/ - $INCLUDE eap.conf - $INCLUDE sql.conf - $INCLUDE sql/mysql/counter.conf - sim_files { - simtriplets = "/etc/raddb/triplets.dat" - } -} - -# Instantiation -instantiate { - exec - expr - expiration - logintime -} - -# Policies -$INCLUDE policy.conf - -# Include all enabled virtual hosts -$INCLUDE sites-enabled/ diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/carol/etc/ipsec.conf index 11b9f0d71..0e6090c40 100755..100644 --- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/carol/etc/ipsec.conf @@ -1,7 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutostart=no conn %default ikelifetime=60m @@ -17,5 +16,6 @@ conn home leftauth=eap right=PH_IP_MOON rightid=@moon.strongswan.org + rightauth=any rightsubnet=10.1.0.0/16 auto=add diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/carol/etc/strongswan.conf index e468cd4f9..691bec865 100644 --- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown } diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/dave/etc/ipsec.conf index dca65c09f..0507a6b6c 100755..100644 --- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/dave/etc/ipsec.conf @@ -1,7 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/dave/etc/strongswan.conf index e468cd4f9..691bec865 100644 --- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/dave/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown } diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/init.d/iptables deleted file mode 100755 index 56587b2e8..000000000 --- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/init.d/iptables +++ /dev/null @@ -1,84 +0,0 @@ -#!/sbin/runscript -# Copyright 1999-2004 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 - -opts="start stop reload" - -depend() { - before net - need logger -} - -start() { - ebegin "Starting firewall" - - # enable IP forwarding - echo 1 > /proc/sys/net/ipv4/ip_forward - - # default policy is DROP - /sbin/iptables -P INPUT DROP - /sbin/iptables -P OUTPUT DROP - /sbin/iptables -P FORWARD DROP - - # allow esp - iptables -A INPUT -i eth0 -p 50 -j ACCEPT - iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT - - # allow IKE - iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT - - # allow MobIKE - iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT - - # allow crl fetch from winnetou - iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT - iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT - - # allow RADIUS protocol with alice - iptables -A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT - iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT - - # allow ssh - iptables -A INPUT -p tcp --dport 22 -j ACCEPT - iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT - - eend $? -} - -stop() { - ebegin "Stopping firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - - if [ $a == nat ]; then - /sbin/iptables -t nat -P PREROUTING ACCEPT - /sbin/iptables -t nat -P POSTROUTING ACCEPT - /sbin/iptables -t nat -P OUTPUT ACCEPT - elif [ $a == mangle ]; then - /sbin/iptables -t mangle -P PREROUTING ACCEPT - /sbin/iptables -t mangle -P INPUT ACCEPT - /sbin/iptables -t mangle -P FORWARD ACCEPT - /sbin/iptables -t mangle -P OUTPUT ACCEPT - /sbin/iptables -t mangle -P POSTROUTING ACCEPT - elif [ $a == filter ]; then - /sbin/iptables -t filter -P INPUT ACCEPT - /sbin/iptables -t filter -P FORWARD ACCEPT - /sbin/iptables -t filter -P OUTPUT ACCEPT - fi - done - eend $? -} - -reload() { - ebegin "Flushing firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - done; - eend $? - start -} - diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/ipsec.conf index e3f4694bd..b80a47bf1 100755..100644 --- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/ipsec.conf @@ -1,8 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/iptables.rules new file mode 100644 index 000000000..1eb755354 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/iptables.rules @@ -0,0 +1,32 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow esp +-A INPUT -i eth0 -p 50 -j ACCEPT +-A OUTPUT -o eth0 -p 50 -j ACCEPT + +# allow IKE +-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow crl fetch from winnetou +-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT +-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + +# allow RADIUS protocol with alice +-A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT +-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT + +COMMIT diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/strongswan.conf index f21745bcd..f634316f8 100644 --- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius updown plugins { eap-radius { secret = gv6URkSs diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/posttest.dat b/testing/tests/ikev2/rw-eap-sim-only-radius/posttest.dat index dbe56013a..670d2e72f 100644 --- a/testing/tests/ikev2/rw-eap-sim-only-radius/posttest.dat +++ b/testing/tests/ikev2/rw-eap-sim-only-radius/posttest.dat @@ -1,7 +1,7 @@ moon::ipsec stop carol::ipsec stop dave::ipsec stop -alice::/etc/init.d/radiusd stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null -dave::/etc/init.d/iptables stop 2> /dev/null +alice::killall radiusd +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/pretest.dat b/testing/tests/ikev2/rw-eap-sim-only-radius/pretest.dat index 5a51733dc..0b3e901c2 100644 --- a/testing/tests/ikev2/rw-eap-sim-only-radius/pretest.dat +++ b/testing/tests/ikev2/rw-eap-sim-only-radius/pretest.dat @@ -1,11 +1,11 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null -dave::/etc/init.d/iptables start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules moon::rm /etc/ipsec.d/cacerts/* carol::rm /etc/ipsec.d/cacerts/* dave::rm /etc/ipsec.d/cacerts/* -alice::cat /etc/raddb/triplets.dat -alice::/etc/init.d/radiusd start +alice::cat /etc/freeradius/triplets.dat +alice::radiusd moon::ipsec start carol::ipsec start dave::ipsec start diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/test.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/test.conf index bb6b68687..29bfaa78c 100644 --- a/testing/tests/ikev2/rw-eap-sim-only-radius/test.conf +++ b/testing/tests/ikev2/rw-eap-sim-only-radius/test.conf @@ -1,26 +1,26 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon carol winnetou dave" +VIRTHOSTS="alice moon carol winnetou dave" # Corresponding block diagram # DIAGRAM="a-m-c-w-d.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" -# UML instances on which FreeRadius is started +# Guest instances on which FreeRadius is started # RADIUSHOSTS="alice" diff --git a/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat index b4d66adc6..21cfe429a 100644 --- a/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-sim-radius/evaltest.dat @@ -1,15 +1,15 @@ carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES -moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES -moon::ipsec statusall::rw-eap.*ESTABLISHED.*carol@strongswan.org::YES -carol::ipsec statusall::home.*ESTABLISHED::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES +moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES -moon::cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES -moon::cat /var/log/daemon.log::EAP method EAP_SIM failed for peer dave@strongswan.org::YES -moon::ipsec statusall::rw-eap.*ESTABLISHED.*dave@strongswan.org::NO -dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES -dave::ipsec statusall::home.*ESTABLISHED::NO -dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::NO +moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES +moon:: cat /var/log/daemon.log::EAP method EAP_SIM failed for peer dave@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::NO +dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED::NO +dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/eap.conf new file mode 100644 index 000000000..7d8023951 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/eap.conf @@ -0,0 +1,5 @@ +eap { + default_eap_type = sim + sim { + } +} diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/proxy.conf index 23cba8d11..23cba8d11 100644 --- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/proxy.conf +++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/proxy.conf diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/sites-available/default index dfceb037d..91425f812 100644 --- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/alice/etc/raddb/sites-available/default +++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/sites-available/default @@ -59,4 +59,3 @@ pre-proxy { post-proxy { eap } - diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/triplets.dat b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/triplets.dat index fd0eb19b9..3e9a644eb 100644 --- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/triplets.dat +++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/triplets.dat @@ -4,4 +4,3 @@ carol@strongswan.org,32000000000000000000000000000000,32112233,325566778899AABB dave@strongswan.org,33000000000000000000000000000000,33112233,335566778899AABB dave@strongswan.org,34000000000000000000000000000000,34112233,345566778899AABB dave@strongswan.org,35000000000000000000000000000000,35112233,355566778899AABB - diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/users b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/users index e69de29bb..e69de29bb 100644 --- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/users +++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/freeradius/users diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/clients.conf deleted file mode 100644 index f4e179aa4..000000000 --- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/clients.conf +++ /dev/null @@ -1,4 +0,0 @@ -client PH_IP_MOON1 { - secret = gv6URkSs - shortname = moon -} diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/eap.conf deleted file mode 100644 index a2020424e..000000000 --- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/eap.conf +++ /dev/null @@ -1,5 +0,0 @@ -eap { - default_eap_type = sim - sim { - } -} diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/radiusd.conf deleted file mode 100644 index d77b818fe..000000000 --- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/alice/etc/raddb/radiusd.conf +++ /dev/null @@ -1,123 +0,0 @@ -# radiusd.conf -- FreeRADIUS server configuration file. - -prefix = /usr -exec_prefix = ${prefix} -sysconfdir = /etc -localstatedir = /var -sbindir = ${exec_prefix}/sbin -logdir = ${localstatedir}/log/radius -raddbdir = ${sysconfdir}/raddb -radacctdir = ${logdir}/radacct - -# name of the running server. See also the "-n" command-line option. -name = radiusd - -# Location of config and logfiles. -confdir = ${raddbdir} -run_dir = ${localstatedir}/run/radiusd - -# Should likely be ${localstatedir}/lib/radiusd -db_dir = ${raddbdir} - -# libdir: Where to find the rlm_* modules. -libdir = ${exec_prefix}/lib - -# pidfile: Where to place the PID of the RADIUS server. -pidfile = ${run_dir}/${name}.pid - -# max_request_time: The maximum time (in seconds) to handle a request. -max_request_time = 30 - -# cleanup_delay: The time to wait (in seconds) before cleaning up -cleanup_delay = 5 - -# max_requests: The maximum number of requests which the server keeps -max_requests = 1024 - -# listen: Make the server listen on a particular IP address, and send -listen { - type = auth - ipaddr = PH_IP_ALICE - port = 0 -} - -# This second "listen" section is for listening on the accounting -# port, too. -# -listen { - type = acct - ipaddr = PH_IP_ALICE - port = 0 -} - -# hostname_lookups: Log the names of clients or just their IP addresses -hostname_lookups = no - -# Core dumps are a bad thing. This should only be set to 'yes' -allow_core_dumps = no - -# Regular expressions -regular_expressions = yes -extended_expressions = yes - -# Logging section. The various "log_*" configuration items -log { - destination = files - file = ${logdir}/radius.log - syslog_facility = daemon - stripped_names = no - auth = yes - auth_badpass = yes - auth_goodpass = yes -} - -# The program to execute to do concurrency checks. -checkrad = ${sbindir}/checkrad - -# Security considerations -security { - max_attributes = 200 - reject_delay = 1 - status_server = yes -} - -# PROXY CONFIGURATION -proxy_requests = yes -$INCLUDE proxy.conf - -# CLIENTS CONFIGURATION -$INCLUDE clients.conf - -# THREAD POOL CONFIGURATION -thread pool { - start_servers = 5 - max_servers = 32 - min_spare_servers = 3 - max_spare_servers = 10 - max_requests_per_server = 0 -} - -# MODULE CONFIGURATION -modules { - $INCLUDE ${confdir}/modules/ - $INCLUDE eap.conf - $INCLUDE sql.conf - $INCLUDE sql/mysql/counter.conf - sim_files { - simtriplets = "/etc/raddb/triplets.dat" - } -} - -# Instantiation -instantiate { - exec - expr - expiration - logintime -} - -# Policies -$INCLUDE policy.conf - -# Include all enabled virtual hosts -$INCLUDE sites-enabled/ diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-sim-radius/hosts/carol/etc/ipsec.conf index 4f0d40b3e..951008d2b 100755..100644 --- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/carol/etc/ipsec.conf @@ -1,7 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutostart=no conn %default ikelifetime=60m @@ -9,13 +8,14 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev2 - authby=eap conn home left=PH_IP_CAROL leftid=carol@strongswan.org + leftauth=eap leftfirewall=yes right=PH_IP_MOON rightid=@moon.strongswan.org + rightauth=pubkey rightsubnet=10.1.0.0/16 auto=add diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-radius/hosts/carol/etc/strongswan.conf index e468cd4f9..691bec865 100644 --- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown } diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/ipsec.conf index 511eb6172..a9d04ebfa 100755..100644 --- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/ipsec.conf @@ -1,7 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutostart=no conn %default ikelifetime=60m @@ -9,13 +8,14 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev2 - authby=eap conn home left=PH_IP_DAVE leftid=dave@strongswan.org + leftauth=eap leftfirewall=yes right=PH_IP_MOON rightid=@moon.strongswan.org + rightauth=pubkey rightsubnet=10.1.0.0/16 auto=add diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/strongswan.conf index e468cd4f9..691bec865 100644 --- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown } diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/init.d/iptables deleted file mode 100755 index 56587b2e8..000000000 --- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/init.d/iptables +++ /dev/null @@ -1,84 +0,0 @@ -#!/sbin/runscript -# Copyright 1999-2004 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 - -opts="start stop reload" - -depend() { - before net - need logger -} - -start() { - ebegin "Starting firewall" - - # enable IP forwarding - echo 1 > /proc/sys/net/ipv4/ip_forward - - # default policy is DROP - /sbin/iptables -P INPUT DROP - /sbin/iptables -P OUTPUT DROP - /sbin/iptables -P FORWARD DROP - - # allow esp - iptables -A INPUT -i eth0 -p 50 -j ACCEPT - iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT - - # allow IKE - iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT - - # allow MobIKE - iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT - - # allow crl fetch from winnetou - iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT - iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT - - # allow RADIUS protocol with alice - iptables -A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT - iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT - - # allow ssh - iptables -A INPUT -p tcp --dport 22 -j ACCEPT - iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT - - eend $? -} - -stop() { - ebegin "Stopping firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - - if [ $a == nat ]; then - /sbin/iptables -t nat -P PREROUTING ACCEPT - /sbin/iptables -t nat -P POSTROUTING ACCEPT - /sbin/iptables -t nat -P OUTPUT ACCEPT - elif [ $a == mangle ]; then - /sbin/iptables -t mangle -P PREROUTING ACCEPT - /sbin/iptables -t mangle -P INPUT ACCEPT - /sbin/iptables -t mangle -P FORWARD ACCEPT - /sbin/iptables -t mangle -P OUTPUT ACCEPT - /sbin/iptables -t mangle -P POSTROUTING ACCEPT - elif [ $a == filter ]; then - /sbin/iptables -t filter -P INPUT ACCEPT - /sbin/iptables -t filter -P FORWARD ACCEPT - /sbin/iptables -t filter -P OUTPUT ACCEPT - fi - done - eend $? -} - -reload() { - ebegin "Flushing firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - done; - eend $? - start -} - diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/ipsec.conf index 825994278..a246bd172 100755..100644 --- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/ipsec.conf @@ -1,8 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m @@ -13,13 +11,14 @@ conn %default conn rw-eap authby=rsasig - eap=radius left=PH_IP_MOON leftsubnet=10.1.0.0/16 leftid=@moon.strongswan.org + leftauth=pubkey leftcert=moonCert.pem leftfirewall=yes rightid=*@strongswan.org + rightauth=eap-radius rightsendcert=never right=%any auto=add diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/iptables.rules new file mode 100644 index 000000000..1eb755354 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/iptables.rules @@ -0,0 +1,32 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow esp +-A INPUT -i eth0 -p 50 -j ACCEPT +-A OUTPUT -o eth0 -p 50 -j ACCEPT + +# allow IKE +-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow crl fetch from winnetou +-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT +-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + +# allow RADIUS protocol with alice +-A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT +-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT + +COMMIT diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/strongswan.conf index f21745bcd..f634316f8 100644 --- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius updown plugins { eap-radius { secret = gv6URkSs diff --git a/testing/tests/ikev2/rw-eap-sim-radius/posttest.dat b/testing/tests/ikev2/rw-eap-sim-radius/posttest.dat index dbe56013a..670d2e72f 100644 --- a/testing/tests/ikev2/rw-eap-sim-radius/posttest.dat +++ b/testing/tests/ikev2/rw-eap-sim-radius/posttest.dat @@ -1,7 +1,7 @@ moon::ipsec stop carol::ipsec stop dave::ipsec stop -alice::/etc/init.d/radiusd stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null -dave::/etc/init.d/iptables stop 2> /dev/null +alice::killall radiusd +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/rw-eap-sim-radius/pretest.dat b/testing/tests/ikev2/rw-eap-sim-radius/pretest.dat index b3fd4cbf1..c17bec0f7 100644 --- a/testing/tests/ikev2/rw-eap-sim-radius/pretest.dat +++ b/testing/tests/ikev2/rw-eap-sim-radius/pretest.dat @@ -1,11 +1,11 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null -dave::/etc/init.d/iptables start 2> /dev/null -alice::cat /etc/raddb/clients.conf -alice::cat /etc/raddb/eap.conf -alice::cat /etc/raddb/proxy.conf -alice::cat /etc/raddb/triplets.dat -alice::/etc/init.d/radiusd start +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules +alice::cat /etc/freeradius/clients.conf +alice::cat /etc/freeradius/eap.conf +alice::cat /etc/freeradius/proxy.conf +alice::cat /etc/freeradius/triplets.dat +alice::radiusd moon::ipsec start carol::ipsec start dave::ipsec start diff --git a/testing/tests/ikev2/rw-eap-sim-radius/test.conf b/testing/tests/ikev2/rw-eap-sim-radius/test.conf index 70416826e..f29298850 100644 --- a/testing/tests/ikev2/rw-eap-sim-radius/test.conf +++ b/testing/tests/ikev2/rw-eap-sim-radius/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon carol winnetou dave" +VIRTHOSTS="alice moon carol winnetou dave" # Corresponding block diagram # DIAGRAM="a-m-c-w-d.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-sim-rsa/evaltest.dat index 53c7e71ce..ab27b4510 100644 --- a/testing/tests/ikev2/rw-eap-sim-rsa/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-sim-rsa/evaltest.dat @@ -1,10 +1,10 @@ carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES -moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES -moon::ipsec statusall::rw-eap-sim.*ESTABLISHED::YES -carol::ipsec statusall::home.*ESTABLISHED::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES +moon:: ipsec status 2> /dev/null::rw-eap-sim.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw-eap-sim.*INSTALLED, TUNNEL::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +carol:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES - - diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/ipsec.conf index ba9294f6a..b4825fb82 100755..100644 --- a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/ipsec.conf @@ -1,7 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf index 0add0f360..8caa11c97 100644 --- a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown } libstrongswan { diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/ipsec.conf index ea62749be..ab49aa0f3 100755..100644 --- a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/ipsec.conf @@ -1,8 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf index 527cb2b37..6c8911e5a 100644 --- a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown } libstrongswan { diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/posttest.dat b/testing/tests/ikev2/rw-eap-sim-rsa/posttest.dat index 94a400606..046d4cfdc 100644 --- a/testing/tests/ikev2/rw-eap-sim-rsa/posttest.dat +++ b/testing/tests/ikev2/rw-eap-sim-rsa/posttest.dat @@ -1,4 +1,4 @@ moon::ipsec stop carol::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/pretest.dat b/testing/tests/ikev2/rw-eap-sim-rsa/pretest.dat index 23c7a62b2..ae464b51c 100644 --- a/testing/tests/ikev2/rw-eap-sim-rsa/pretest.dat +++ b/testing/tests/ikev2/rw-eap-sim-rsa/pretest.dat @@ -1,5 +1,5 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules moon::cat /etc/ipsec.d/triplets.dat carol::cat /etc/ipsec.d/triplets.dat moon::ipsec start diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/test.conf b/testing/tests/ikev2/rw-eap-sim-rsa/test.conf index 2bd21499b..e093d43d8 100644 --- a/testing/tests/ikev2/rw-eap-sim-rsa/test.conf +++ b/testing/tests/ikev2/rw-eap-sim-rsa/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice carol moon" +VIRTHOSTS="alice carol moon" # Corresponding block diagram # DIAGRAM="a-m-c.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/evaltest.dat b/testing/tests/ikev2/rw-eap-tls-fragments/evaltest.dat index f4d534051..314769b3e 100644 --- a/testing/tests/ikev2/rw-eap-tls-fragments/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-tls-fragments/evaltest.dat @@ -1,9 +1,9 @@ carol::cat /var/log/daemon.log::server requested EAP_TLS authentication::YES carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES carol::cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, CN=moon.d.strongswan.org' with EAP successful::YES -moon::cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, CN=carol@d.strongswan.org' with EAP successful::YES -moon::ipsec statusall::rw-eap.*ESTABLISHED::YES -carol::ipsec statusall::home.*ESTABLISHED::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=strongSwan Project, CN=carol@d.strongswan.org' with EAP successful::YES +moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.conf index 889a47d80..b7b27b720 100755..100644 --- a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/ipsec.conf @@ -1,7 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutostart=no charondebug="tls 2" conn %default @@ -18,6 +17,7 @@ conn home leftfirewall=yes right=PH_IP_MOON rightid="C=CH, O=strongSwan Project, CN=moon.d.strongswan.org" + rightauth=any rightsubnet=10.1.0.0/16 rightsendcert=never auto=add diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/strongswan.conf index dc0bcdff5..535b37210 100644 --- a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac stroke kernel-netlink socket-default eap-tls updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 hmac stroke kernel-netlink socket-default eap-tls updown multiple_authentication=no plugins { diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.conf index 9f979e17b..ee4bfd27d 100755..100644 --- a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/ipsec.conf @@ -1,8 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - strictcrlpolicy=no - plutostart=no charondebug="tls 2" conn %default diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/strongswan.conf index dc0bcdff5..535b37210 100644 --- a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac stroke kernel-netlink socket-default eap-tls updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 hmac stroke kernel-netlink socket-default eap-tls updown multiple_authentication=no plugins { diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/posttest.dat b/testing/tests/ikev2/rw-eap-tls-fragments/posttest.dat index 085b19509..e8156ea70 100644 --- a/testing/tests/ikev2/rw-eap-tls-fragments/posttest.dat +++ b/testing/tests/ikev2/rw-eap-tls-fragments/posttest.dat @@ -1,7 +1,7 @@ moon::ipsec stop carol::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush moon::rm /etc/ipsec.d/cacerts/* moon::rm /etc/ipsec.d/certs/* moon::rm /etc/ipsec.d/private/* diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/pretest.dat b/testing/tests/ikev2/rw-eap-tls-fragments/pretest.dat index 35d35dc86..3d680ab78 100644 --- a/testing/tests/ikev2/rw-eap-tls-fragments/pretest.dat +++ b/testing/tests/ikev2/rw-eap-tls-fragments/pretest.dat @@ -1,7 +1,7 @@ moon::rm /etc/ipsec.d/cacerts/strongswanCert.pem carol::rm /etc/ipsec.d/cacerts/strongswanCert.pem -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start carol::sleep 1 diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/test.conf b/testing/tests/ikev2/rw-eap-tls-fragments/test.conf index 2bd21499b..e093d43d8 100644 --- a/testing/tests/ikev2/rw-eap-tls-fragments/test.conf +++ b/testing/tests/ikev2/rw-eap-tls-fragments/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice carol moon" +VIRTHOSTS="alice carol moon" # Corresponding block diagram # DIAGRAM="a-m-c.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev2/rw-eap-tls-only/evaltest.dat b/testing/tests/ikev2/rw-eap-tls-only/evaltest.dat index 1e9bdb2af..a436131bf 100644 --- a/testing/tests/ikev2/rw-eap-tls-only/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-tls-only/evaltest.dat @@ -1,9 +1,9 @@ carol::cat /var/log/daemon.log::server requested EAP_TLS authentication::YES carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with EAP successful::YES -moon::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org' with EAP successful::YES -moon::ipsec statusall::rw-eap.*ESTABLISHED::YES -carol::ipsec statusall::home.*ESTABLISHED::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org' with EAP successful::YES +moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf index 3aeab002f..4272d98be 100755..100644 --- a/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf @@ -1,7 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutostart=no conn %default ikelifetime=60m @@ -17,6 +16,7 @@ conn home leftfirewall=yes right=PH_IP_MOON rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org" + rightauth=any rightsubnet=10.1.0.0/16 rightsendcert=never auto=add diff --git a/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf index 4e47e632c..2eb2adc78 100644 --- a/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf @@ -1,6 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-tls updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-tls updown multiple_authentication=no } diff --git a/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf index 430211020..b9a58e902 100755..100644 --- a/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf @@ -1,8 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf index 4e47e632c..2eb2adc78 100644 --- a/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf @@ -1,6 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-tls updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-tls updown multiple_authentication=no } diff --git a/testing/tests/ikev2/rw-eap-tls-only/posttest.dat b/testing/tests/ikev2/rw-eap-tls-only/posttest.dat index 94a400606..046d4cfdc 100644 --- a/testing/tests/ikev2/rw-eap-tls-only/posttest.dat +++ b/testing/tests/ikev2/rw-eap-tls-only/posttest.dat @@ -1,4 +1,4 @@ moon::ipsec stop carol::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/rw-eap-tls-only/pretest.dat b/testing/tests/ikev2/rw-eap-tls-only/pretest.dat index ed5498bfe..388339fb8 100644 --- a/testing/tests/ikev2/rw-eap-tls-only/pretest.dat +++ b/testing/tests/ikev2/rw-eap-tls-only/pretest.dat @@ -1,5 +1,5 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start carol::sleep 1 diff --git a/testing/tests/ikev2/rw-eap-tls-only/test.conf b/testing/tests/ikev2/rw-eap-tls-only/test.conf index 9cd583b16..4a5fc470f 100644 --- a/testing/tests/ikev2/rw-eap-tls-only/test.conf +++ b/testing/tests/ikev2/rw-eap-tls-only/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon carol winnetou" +VIRTHOSTS="alice moon carol winnetou" # Corresponding block diagram # DIAGRAM="a-m-c-w.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev2/rw-eap-tls-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-tls-radius/evaltest.dat index f0a674063..7584e14dc 100644 --- a/testing/tests/ikev2/rw-eap-tls-radius/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-tls-radius/evaltest.dat @@ -1,11 +1,9 @@ carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with RSA signature successful::YES carol::cat /var/log/daemon.log::server requested EAP_TLS authentication::YES carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with EAP successful::YES -moon::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org' with EAP successful::YES -moon::ipsec statusall::rw-eap.*ESTABLISHED::YES -carol::ipsec statusall::home.*ESTABLISHED::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org' with EAP successful::YES +moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES - - diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/eap.conf index 92f96ad66..92f96ad66 100644 --- a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/eap.conf +++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/eap.conf diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/proxy.conf index 23cba8d11..23cba8d11 100644 --- a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/proxy.conf +++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/proxy.conf diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/sites-available/default index 990184919..18ebf9e9d 100644 --- a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/sites-available/default +++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/sites-available/default @@ -39,4 +39,3 @@ pre-proxy { post-proxy { eap } - diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/users b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/users index 247b918e3..247b918e3 100644 --- a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/users +++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/freeradius/users diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/clients.conf deleted file mode 100644 index f4e179aa4..000000000 --- a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/clients.conf +++ /dev/null @@ -1,4 +0,0 @@ -client PH_IP_MOON1 { - secret = gv6URkSs - shortname = moon -} diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/radiusd.conf deleted file mode 100644 index 1143a0473..000000000 --- a/testing/tests/ikev2/rw-eap-tls-radius/hosts/alice/etc/raddb/radiusd.conf +++ /dev/null @@ -1,120 +0,0 @@ -# radiusd.conf -- FreeRADIUS server configuration file. - -prefix = /usr -exec_prefix = ${prefix} -sysconfdir = /etc -localstatedir = /var -sbindir = ${exec_prefix}/sbin -logdir = ${localstatedir}/log/radius -raddbdir = ${sysconfdir}/raddb -radacctdir = ${logdir}/radacct - -# name of the running server. See also the "-n" command-line option. -name = radiusd - -# Location of config and logfiles. -confdir = ${raddbdir} -run_dir = ${localstatedir}/run/radiusd - -# Should likely be ${localstatedir}/lib/radiusd -db_dir = ${raddbdir} - -# libdir: Where to find the rlm_* modules. -libdir = ${exec_prefix}/lib - -# pidfile: Where to place the PID of the RADIUS server. -pidfile = ${run_dir}/${name}.pid - -# max_request_time: The maximum time (in seconds) to handle a request. -max_request_time = 30 - -# cleanup_delay: The time to wait (in seconds) before cleaning up -cleanup_delay = 5 - -# max_requests: The maximum number of requests which the server keeps -max_requests = 1024 - -# listen: Make the server listen on a particular IP address, and send -listen { - type = auth - ipaddr = PH_IP_ALICE - port = 0 -} - -# This second "listen" section is for listening on the accounting -# port, too. -# -listen { - type = acct - ipaddr = PH_IP_ALICE - port = 0 -} - -# hostname_lookups: Log the names of clients or just their IP addresses -hostname_lookups = no - -# Core dumps are a bad thing. This should only be set to 'yes' -allow_core_dumps = no - -# Regular expressions -regular_expressions = yes -extended_expressions = yes - -# Logging section. The various "log_*" configuration items -log { - destination = files - file = ${logdir}/radius.log - syslog_facility = daemon - stripped_names = no - auth = yes - auth_badpass = yes - auth_goodpass = yes -} - -# The program to execute to do concurrency checks. -checkrad = ${sbindir}/checkrad - -# Security considerations -security { - max_attributes = 200 - reject_delay = 1 - status_server = yes -} - -# PROXY CONFIGURATION -proxy_requests = yes -$INCLUDE proxy.conf - -# CLIENTS CONFIGURATION -$INCLUDE clients.conf - -# THREAD POOL CONFIGURATION -thread pool { - start_servers = 5 - max_servers = 32 - min_spare_servers = 3 - max_spare_servers = 10 - max_requests_per_server = 0 -} - -# MODULE CONFIGURATION -modules { - $INCLUDE ${confdir}/modules/ - $INCLUDE eap.conf - $INCLUDE sql.conf - $INCLUDE sql/mysql/counter.conf -} - -# Instantiation -instantiate { - exec - expr - expiration - logintime -} - -# Policies -$INCLUDE policy.conf - -# Include all enabled virtual hosts -$INCLUDE sites-enabled/ diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/ipsec.conf index 4f4c8abcf..fc6f1e633 100755..100644 --- a/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/ipsec.conf @@ -1,7 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutostart=no charondebug="tls 2" conn %default diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf index 4e47e632c..2eb2adc78 100644 --- a/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf @@ -1,6 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-tls updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-tls updown multiple_authentication=no } diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/init.d/iptables deleted file mode 100755 index 56587b2e8..000000000 --- a/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/init.d/iptables +++ /dev/null @@ -1,84 +0,0 @@ -#!/sbin/runscript -# Copyright 1999-2004 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 - -opts="start stop reload" - -depend() { - before net - need logger -} - -start() { - ebegin "Starting firewall" - - # enable IP forwarding - echo 1 > /proc/sys/net/ipv4/ip_forward - - # default policy is DROP - /sbin/iptables -P INPUT DROP - /sbin/iptables -P OUTPUT DROP - /sbin/iptables -P FORWARD DROP - - # allow esp - iptables -A INPUT -i eth0 -p 50 -j ACCEPT - iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT - - # allow IKE - iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT - - # allow MobIKE - iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT - - # allow crl fetch from winnetou - iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT - iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT - - # allow RADIUS protocol with alice - iptables -A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT - iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT - - # allow ssh - iptables -A INPUT -p tcp --dport 22 -j ACCEPT - iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT - - eend $? -} - -stop() { - ebegin "Stopping firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - - if [ $a == nat ]; then - /sbin/iptables -t nat -P PREROUTING ACCEPT - /sbin/iptables -t nat -P POSTROUTING ACCEPT - /sbin/iptables -t nat -P OUTPUT ACCEPT - elif [ $a == mangle ]; then - /sbin/iptables -t mangle -P PREROUTING ACCEPT - /sbin/iptables -t mangle -P INPUT ACCEPT - /sbin/iptables -t mangle -P FORWARD ACCEPT - /sbin/iptables -t mangle -P OUTPUT ACCEPT - /sbin/iptables -t mangle -P POSTROUTING ACCEPT - elif [ $a == filter ]; then - /sbin/iptables -t filter -P INPUT ACCEPT - /sbin/iptables -t filter -P FORWARD ACCEPT - /sbin/iptables -t filter -P OUTPUT ACCEPT - fi - done - eend $? -} - -reload() { - ebegin "Flushing firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - done; - eend $? - start -} - diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/ipsec.conf index be907f839..deadcff6d 100755..100644 --- a/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/ipsec.conf @@ -1,8 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/iptables.rules new file mode 100644 index 000000000..1eb755354 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/iptables.rules @@ -0,0 +1,32 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow esp +-A INPUT -i eth0 -p 50 -j ACCEPT +-A OUTPUT -o eth0 -p 50 -j ACCEPT + +# allow IKE +-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow crl fetch from winnetou +-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT +-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + +# allow RADIUS protocol with alice +-A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT +-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT + +COMMIT diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/strongswan.conf index ab71e5908..5bf9dc03b 100644 --- a/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-radius updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-radius updown multiple_authentication=no plugins { eap-radius { diff --git a/testing/tests/ikev2/rw-eap-tls-radius/posttest.dat b/testing/tests/ikev2/rw-eap-tls-radius/posttest.dat index 920d6a20d..181949fb5 100644 --- a/testing/tests/ikev2/rw-eap-tls-radius/posttest.dat +++ b/testing/tests/ikev2/rw-eap-tls-radius/posttest.dat @@ -1,5 +1,5 @@ moon::ipsec stop carol::ipsec stop -alice::/etc/init.d/radiusd stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null +alice::killall radiusd +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/rw-eap-tls-radius/pretest.dat b/testing/tests/ikev2/rw-eap-tls-radius/pretest.dat index 280d62e3c..9adc43d3e 100644 --- a/testing/tests/ikev2/rw-eap-tls-radius/pretest.dat +++ b/testing/tests/ikev2/rw-eap-tls-radius/pretest.dat @@ -1,6 +1,6 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null -alice::/etc/init.d/radiusd start +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +alice::radiusd moon::ipsec start carol::ipsec start carol::sleep 1 diff --git a/testing/tests/ikev2/rw-eap-tls-radius/test.conf b/testing/tests/ikev2/rw-eap-tls-radius/test.conf index e0d77b583..eb1e15dd2 100644 --- a/testing/tests/ikev2/rw-eap-tls-radius/test.conf +++ b/testing/tests/ikev2/rw-eap-tls-radius/test.conf @@ -1,26 +1,26 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice carol moon" +VIRTHOSTS="alice carol moon" # Corresponding block diagram # DIAGRAM="a-m-c.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol" -# UML instances on which FreeRadius is started +# Guest instances on which FreeRadius is started # RADIUSHOSTS="alice" diff --git a/testing/tests/ikev2/rw-eap-ttls-only/evaltest.dat b/testing/tests/ikev2/rw-eap-ttls-only/evaltest.dat index 9586fe558..d22dd18db 100644 --- a/testing/tests/ikev2/rw-eap-ttls-only/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-ttls-only/evaltest.dat @@ -3,17 +3,17 @@ carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with EAP successful::YES -dave::cat /var/log/daemon.log::server requested EAP_TTLS authentication::YES -dave::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES -dave::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES -dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES -moon::cat /var/log/daemon.log::EAP_TTLS phase2 authentication of 'carol@strongswan.org' with EAP_MD5 successful::YES -moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES -moon::cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES -moon::ipsec statusall::rw-eap.*ESTABLISHED.*carol@strongswan.org::YES -moon::ipsec statusall::rw-eap.*ESTABLISHED.*dave@stronswan.org::NO -carol::ipsec statusall::home.*ESTABLISHED::YES -dave::ipsec statusall::home.*ESTABLISHED::NO -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +dave:: cat /var/log/daemon.log::server requested EAP_TTLS authentication::YES +dave:: cat /var/log/daemon.log::allow mutual EAP-only authentication::YES +dave:: cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES +dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES +moon:: cat /var/log/daemon.log::EAP_TTLS phase2 authentication of 'carol@strongswan.org' with EAP_MD5 successful::YES +moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES +moon:: cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*carol@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*dave@stronswan.org::NO +carol::ipsec status 2> /dev/null::home.*ESTABLISHED::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED::NO +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/ipsec.conf index 967598643..8ff3c2ab6 100755..100644 --- a/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/ipsec.conf @@ -1,7 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutostart=no charondebug="tls 2" conn %default @@ -18,6 +17,7 @@ conn home leftfirewall=yes right=PH_IP_MOON rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org" + rightauth=any rightsubnet=10.1.0.0/16 rightsendcert=never auto=add diff --git a/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/strongswan.conf index 96620d0c2..32b4d2eb1 100644 --- a/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/strongswan.conf @@ -1,6 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown multiple_authentication=no } diff --git a/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/ipsec.conf index ad1255212..367c0b527 100755..100644 --- a/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/ipsec.conf @@ -1,7 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutostart=no charondebug="tls 2" conn %default @@ -18,6 +17,7 @@ conn home leftfirewall=yes right=PH_IP_MOON rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org" + rightauth=any rightsubnet=10.1.0.0/16 rightsendcert=never auto=add diff --git a/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/strongswan.conf index 96620d0c2..32b4d2eb1 100644 --- a/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/strongswan.conf @@ -1,6 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown multiple_authentication=no } diff --git a/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/ipsec.conf index d37848bac..cd93a48e7 100755..100644 --- a/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/ipsec.conf @@ -1,8 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - strictcrlpolicy=no - plutostart=no charondebug="tls 2" conn %default diff --git a/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/strongswan.conf index a68a74712..9401ffb00 100644 --- a/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown multiple_authentication=no plugins { eap-ttls { diff --git a/testing/tests/ikev2/rw-eap-ttls-only/posttest.dat b/testing/tests/ikev2/rw-eap-ttls-only/posttest.dat index 7cebd7f25..1865a1c60 100644 --- a/testing/tests/ikev2/rw-eap-ttls-only/posttest.dat +++ b/testing/tests/ikev2/rw-eap-ttls-only/posttest.dat @@ -1,6 +1,6 @@ moon::ipsec stop carol::ipsec stop dave::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null -dave::/etc/init.d/iptables stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/rw-eap-ttls-only/pretest.dat b/testing/tests/ikev2/rw-eap-ttls-only/pretest.dat index 369596177..589d478e7 100644 --- a/testing/tests/ikev2/rw-eap-ttls-only/pretest.dat +++ b/testing/tests/ikev2/rw-eap-ttls-only/pretest.dat @@ -1,10 +1,10 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null -dave::/etc/init.d/iptables start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start dave::ipsec start -carol::sleep 1 +carol::sleep 2 carol::ipsec up home dave::ipsec up home -dave::sleep 1 +dave::sleep 2 diff --git a/testing/tests/ikev2/rw-eap-ttls-only/test.conf b/testing/tests/ikev2/rw-eap-ttls-only/test.conf index 70416826e..f29298850 100644 --- a/testing/tests/ikev2/rw-eap-ttls-only/test.conf +++ b/testing/tests/ikev2/rw-eap-ttls-only/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon carol winnetou dave" +VIRTHOSTS="alice moon carol winnetou dave" # Corresponding block diagram # DIAGRAM="a-m-c-w-d.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/evaltest.dat b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/evaltest.dat index 9586fe558..d22dd18db 100644 --- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/evaltest.dat @@ -3,17 +3,17 @@ carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with EAP successful::YES -dave::cat /var/log/daemon.log::server requested EAP_TTLS authentication::YES -dave::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES -dave::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES -dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES -moon::cat /var/log/daemon.log::EAP_TTLS phase2 authentication of 'carol@strongswan.org' with EAP_MD5 successful::YES -moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES -moon::cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES -moon::ipsec statusall::rw-eap.*ESTABLISHED.*carol@strongswan.org::YES -moon::ipsec statusall::rw-eap.*ESTABLISHED.*dave@stronswan.org::NO -carol::ipsec statusall::home.*ESTABLISHED::YES -dave::ipsec statusall::home.*ESTABLISHED::NO -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +dave:: cat /var/log/daemon.log::server requested EAP_TTLS authentication::YES +dave:: cat /var/log/daemon.log::allow mutual EAP-only authentication::YES +dave:: cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES +dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES +moon:: cat /var/log/daemon.log::EAP_TTLS phase2 authentication of 'carol@strongswan.org' with EAP_MD5 successful::YES +moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES +moon:: cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*carol@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*dave@stronswan.org::NO +carol::ipsec status 2> /dev/null::home.*ESTABLISHED::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED::NO +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/ipsec.conf index 967598643..8ff3c2ab6 100755..100644 --- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/ipsec.conf @@ -1,7 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutostart=no charondebug="tls 2" conn %default @@ -18,6 +17,7 @@ conn home leftfirewall=yes right=PH_IP_MOON rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org" + rightauth=any rightsubnet=10.1.0.0/16 rightsendcert=never auto=add diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/strongswan.conf index 378bdc540..8de5ec68f 100644 --- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/strongswan.conf @@ -1,6 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown multiple_authentication=no } diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/ipsec.conf index ad1255212..367c0b527 100755..100644 --- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/ipsec.conf @@ -1,7 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutostart=no charondebug="tls 2" conn %default @@ -18,6 +17,7 @@ conn home leftfirewall=yes right=PH_IP_MOON rightid="C=CH, O=Linux strongSwan, CN=moon.strongswan.org" + rightauth=any rightsubnet=10.1.0.0/16 rightsendcert=never auto=add diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/strongswan.conf index 378bdc540..8de5ec68f 100644 --- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/strongswan.conf @@ -1,6 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown multiple_authentication=no } diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/ipsec.conf index d37848bac..cd93a48e7 100755..100644 --- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/ipsec.conf @@ -1,8 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - strictcrlpolicy=no - plutostart=no charondebug="tls 2" conn %default diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/strongswan.conf index b065251ea..c730346a6 100644 --- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown multiple_authentication=no plugins { eap-ttls { diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/posttest.dat b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/posttest.dat index 7cebd7f25..1865a1c60 100644 --- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/posttest.dat +++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/posttest.dat @@ -1,6 +1,6 @@ moon::ipsec stop carol::ipsec stop dave::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null -dave::/etc/init.d/iptables stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/pretest.dat b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/pretest.dat index 369596177..17f1b5f2b 100644 --- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/pretest.dat +++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/pretest.dat @@ -1,6 +1,6 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null -dave::/etc/init.d/iptables start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start dave::ipsec start diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/test.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/test.conf index 70416826e..f29298850 100644 --- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/test.conf +++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon carol winnetou dave" +VIRTHOSTS="alice moon carol winnetou dave" # Corresponding block diagram # DIAGRAM="a-m-c-w-d.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-ttls-radius/evaltest.dat index 2c0f65159..a471a2cfa 100644 --- a/testing/tests/ikev2/rw-eap-ttls-radius/evaltest.dat +++ b/testing/tests/ikev2/rw-eap-ttls-radius/evaltest.dat @@ -3,18 +3,18 @@ carol::cat /var/log/daemon.log::server requested EAP_TTLS authentication::YES carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES -dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES -dave::cat /var/log/daemon.log::server requested EAP_TTLS authentication::YES -dave::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES -dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES -moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES -moon::cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES -moon::cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES -moon::ipsec statusall::rw-eap.*ESTABLISHED.*carol@strongswan.org::YES -moon::ipsec statusall::rw-eap.*ESTABLISHED.*dave@strongswan.org::NO -carol::ipsec statusall::home.*ESTABLISHED::YES -dave::ipsec statusall::home.*ESTABLISHED::NO -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES +dave:: cat /var/log/daemon.log::server requested EAP_TTLS authentication::YES +dave:: cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES +dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES +moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES +moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES +moon:: cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*carol@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*dave@strongswan.org::NO +carol::ipsec status 2> /dev/null::home.*ESTABLISHED::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED::NO +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/eap.conf index c91cd40fb..c91cd40fb 100644 --- a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/eap.conf +++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/eap.conf diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/proxy.conf index 23cba8d11..23cba8d11 100644 --- a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/proxy.conf +++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/proxy.conf diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/sites-available/default index 802fcfd8d..dd0825858 100644 --- a/testing/tests/ikev2/rw-eap-peap-radius/hosts/alice/etc/raddb/sites-available/default +++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/sites-available/default @@ -41,4 +41,3 @@ pre-proxy { post-proxy { eap } - diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel index e088fae14..e088fae14 100644 --- a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel +++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/users b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/users index 50ccf3e76..50ccf3e76 100644 --- a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/users +++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/freeradius/users diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/clients.conf deleted file mode 100644 index f4e179aa4..000000000 --- a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/clients.conf +++ /dev/null @@ -1,4 +0,0 @@ -client PH_IP_MOON1 { - secret = gv6URkSs - shortname = moon -} diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/radiusd.conf deleted file mode 100644 index 1143a0473..000000000 --- a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/alice/etc/raddb/radiusd.conf +++ /dev/null @@ -1,120 +0,0 @@ -# radiusd.conf -- FreeRADIUS server configuration file. - -prefix = /usr -exec_prefix = ${prefix} -sysconfdir = /etc -localstatedir = /var -sbindir = ${exec_prefix}/sbin -logdir = ${localstatedir}/log/radius -raddbdir = ${sysconfdir}/raddb -radacctdir = ${logdir}/radacct - -# name of the running server. See also the "-n" command-line option. -name = radiusd - -# Location of config and logfiles. -confdir = ${raddbdir} -run_dir = ${localstatedir}/run/radiusd - -# Should likely be ${localstatedir}/lib/radiusd -db_dir = ${raddbdir} - -# libdir: Where to find the rlm_* modules. -libdir = ${exec_prefix}/lib - -# pidfile: Where to place the PID of the RADIUS server. -pidfile = ${run_dir}/${name}.pid - -# max_request_time: The maximum time (in seconds) to handle a request. -max_request_time = 30 - -# cleanup_delay: The time to wait (in seconds) before cleaning up -cleanup_delay = 5 - -# max_requests: The maximum number of requests which the server keeps -max_requests = 1024 - -# listen: Make the server listen on a particular IP address, and send -listen { - type = auth - ipaddr = PH_IP_ALICE - port = 0 -} - -# This second "listen" section is for listening on the accounting -# port, too. -# -listen { - type = acct - ipaddr = PH_IP_ALICE - port = 0 -} - -# hostname_lookups: Log the names of clients or just their IP addresses -hostname_lookups = no - -# Core dumps are a bad thing. This should only be set to 'yes' -allow_core_dumps = no - -# Regular expressions -regular_expressions = yes -extended_expressions = yes - -# Logging section. The various "log_*" configuration items -log { - destination = files - file = ${logdir}/radius.log - syslog_facility = daemon - stripped_names = no - auth = yes - auth_badpass = yes - auth_goodpass = yes -} - -# The program to execute to do concurrency checks. -checkrad = ${sbindir}/checkrad - -# Security considerations -security { - max_attributes = 200 - reject_delay = 1 - status_server = yes -} - -# PROXY CONFIGURATION -proxy_requests = yes -$INCLUDE proxy.conf - -# CLIENTS CONFIGURATION -$INCLUDE clients.conf - -# THREAD POOL CONFIGURATION -thread pool { - start_servers = 5 - max_servers = 32 - min_spare_servers = 3 - max_spare_servers = 10 - max_requests_per_server = 0 -} - -# MODULE CONFIGURATION -modules { - $INCLUDE ${confdir}/modules/ - $INCLUDE eap.conf - $INCLUDE sql.conf - $INCLUDE sql/mysql/counter.conf -} - -# Instantiation -instantiate { - exec - expr - expiration - logintime -} - -# Policies -$INCLUDE policy.conf - -# Include all enabled virtual hosts -$INCLUDE sites-enabled/ diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/ipsec.conf index 97a2e02c9..5b1ac90a3 100755..100644 --- a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/ipsec.conf @@ -1,7 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutostart=no charondebug="tls 2" conn %default diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/strongswan.conf index 96620d0c2..32b4d2eb1 100644 --- a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/strongswan.conf @@ -1,6 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown multiple_authentication=no } diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/ipsec.conf index d388060be..8aa168745 100755..100644 --- a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/ipsec.conf @@ -1,7 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutostart=no charondebug="tls 2" conn %default diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf index 96620d0c2..32b4d2eb1 100644 --- a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf @@ -1,6 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown multiple_authentication=no } diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/init.d/iptables deleted file mode 100755 index 56587b2e8..000000000 --- a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/init.d/iptables +++ /dev/null @@ -1,84 +0,0 @@ -#!/sbin/runscript -# Copyright 1999-2004 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 - -opts="start stop reload" - -depend() { - before net - need logger -} - -start() { - ebegin "Starting firewall" - - # enable IP forwarding - echo 1 > /proc/sys/net/ipv4/ip_forward - - # default policy is DROP - /sbin/iptables -P INPUT DROP - /sbin/iptables -P OUTPUT DROP - /sbin/iptables -P FORWARD DROP - - # allow esp - iptables -A INPUT -i eth0 -p 50 -j ACCEPT - iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT - - # allow IKE - iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT - - # allow MobIKE - iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT - - # allow crl fetch from winnetou - iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT - iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT - - # allow RADIUS protocol with alice - iptables -A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT - iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT - - # allow ssh - iptables -A INPUT -p tcp --dport 22 -j ACCEPT - iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT - - eend $? -} - -stop() { - ebegin "Stopping firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - - if [ $a == nat ]; then - /sbin/iptables -t nat -P PREROUTING ACCEPT - /sbin/iptables -t nat -P POSTROUTING ACCEPT - /sbin/iptables -t nat -P OUTPUT ACCEPT - elif [ $a == mangle ]; then - /sbin/iptables -t mangle -P PREROUTING ACCEPT - /sbin/iptables -t mangle -P INPUT ACCEPT - /sbin/iptables -t mangle -P FORWARD ACCEPT - /sbin/iptables -t mangle -P OUTPUT ACCEPT - /sbin/iptables -t mangle -P POSTROUTING ACCEPT - elif [ $a == filter ]; then - /sbin/iptables -t filter -P INPUT ACCEPT - /sbin/iptables -t filter -P FORWARD ACCEPT - /sbin/iptables -t filter -P OUTPUT ACCEPT - fi - done - eend $? -} - -reload() { - ebegin "Flushing firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - done; - eend $? - start -} - diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/ipsec.conf index fc8f84638..98e2525ba 100755..100644 --- a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/ipsec.conf @@ -1,8 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/iptables.rules new file mode 100644 index 000000000..1eb755354 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/iptables.rules @@ -0,0 +1,32 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow esp +-A INPUT -i eth0 -p 50 -j ACCEPT +-A OUTPUT -o eth0 -p 50 -j ACCEPT + +# allow IKE +-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow crl fetch from winnetou +-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT +-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + +# allow RADIUS protocol with alice +-A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT +-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT + +COMMIT diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/strongswan.conf index ab71e5908..5bf9dc03b 100644 --- a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-radius updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-radius updown multiple_authentication=no plugins { eap-radius { diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/posttest.dat b/testing/tests/ikev2/rw-eap-ttls-radius/posttest.dat index dbe56013a..670d2e72f 100644 --- a/testing/tests/ikev2/rw-eap-ttls-radius/posttest.dat +++ b/testing/tests/ikev2/rw-eap-ttls-radius/posttest.dat @@ -1,7 +1,7 @@ moon::ipsec stop carol::ipsec stop dave::ipsec stop -alice::/etc/init.d/radiusd stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null -dave::/etc/init.d/iptables stop 2> /dev/null +alice::killall radiusd +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/pretest.dat b/testing/tests/ikev2/rw-eap-ttls-radius/pretest.dat index cbe1ae229..3e7fc0bb1 100644 --- a/testing/tests/ikev2/rw-eap-ttls-radius/pretest.dat +++ b/testing/tests/ikev2/rw-eap-ttls-radius/pretest.dat @@ -1,7 +1,7 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null -dave::/etc/init.d/iptables start 2> /dev/null -alice::/etc/init.d/radiusd start +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules +alice::radiusd moon::ipsec start carol::ipsec start dave::ipsec start diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/test.conf b/testing/tests/ikev2/rw-eap-ttls-radius/test.conf index e6a786a94..20d586309 100644 --- a/testing/tests/ikev2/rw-eap-ttls-radius/test.conf +++ b/testing/tests/ikev2/rw-eap-ttls-radius/test.conf @@ -1,26 +1,26 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice carol winnetou dave moon" +VIRTHOSTS="alice carol winnetou dave moon" # Corresponding block diagram # DIAGRAM="a-m-c-w-d.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" -# UML instances on which FreeRadius is started +# Guest instances on which FreeRadius is started # RADIUSHOSTS="alice" diff --git a/testing/tests/ikev2/rw-hash-and-url/evaltest.dat b/testing/tests/ikev2/rw-hash-and-url/evaltest.dat index fe2a8d063..7a9a70939 100644 --- a/testing/tests/ikev2/rw-hash-and-url/evaltest.dat +++ b/testing/tests/ikev2/rw-hash-and-url/evaltest.dat @@ -1,14 +1,18 @@ -moon::cat /var/log/daemon.log::fetched certificate.*carol@strongswan.org::YES -moon::cat /var/log/daemon.log::fetched certificate.*dave@strongswan.org::YES carol::cat /var/log/daemon.log::fetched certificate.*moon.strongswan.org::YES -dave::cat /var/log/daemon.log::fetched certificate.*moon.strongswan.org::YES -moon::ipsec statusall::rw.*ESTABLISHED::YES -carol::ipsec statusall::home.*ESTABLISHED::YES -dave::ipsec statusall::home.*ESTABLISHED::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +dave:: cat /var/log/daemon.log::fetched certificate.*moon.strongswan.org::YES +moon:: cat /var/log/daemon.log::fetched certificate.*carol@strongswan.org::YES +moon:: cat /var/log/daemon.log::fetched certificate.*dave@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES - diff --git a/testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/ipsec.conf index 77046eb7d..acf5789d8 100755..100644 --- a/testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no ca strongswan cacert=strongswanCert.pem diff --git a/testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/strongswan.conf index d9349846c..b294b7c22 100644 --- a/testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/strongswan.conf @@ -2,5 +2,5 @@ charon { hash_and_url = yes - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/ipsec.conf index febaf9be2..1e1439560 100755..100644 --- a/testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no ca strongswan cacert=strongswanCert.pem diff --git a/testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/strongswan.conf index d9349846c..b294b7c22 100644 --- a/testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/strongswan.conf @@ -2,5 +2,5 @@ charon { hash_and_url = yes - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/ipsec.conf index cbc60000a..cd626a720 100755..100644 --- a/testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no ca strongswan cacert=strongswanCert.pem diff --git a/testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/strongswan.conf index d9349846c..b294b7c22 100644 --- a/testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/strongswan.conf @@ -2,5 +2,5 @@ charon { hash_and_url = yes - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/rw-hash-and-url/posttest.dat b/testing/tests/ikev2/rw-hash-and-url/posttest.dat index 7cebd7f25..1865a1c60 100644 --- a/testing/tests/ikev2/rw-hash-and-url/posttest.dat +++ b/testing/tests/ikev2/rw-hash-and-url/posttest.dat @@ -1,6 +1,6 @@ moon::ipsec stop carol::ipsec stop dave::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null -dave::/etc/init.d/iptables stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/rw-hash-and-url/pretest.dat b/testing/tests/ikev2/rw-hash-and-url/pretest.dat index 42e9d7c24..8bbea1412 100644 --- a/testing/tests/ikev2/rw-hash-and-url/pretest.dat +++ b/testing/tests/ikev2/rw-hash-and-url/pretest.dat @@ -1,6 +1,6 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null -dave::/etc/init.d/iptables start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start dave::ipsec start diff --git a/testing/tests/ikev2/rw-hash-and-url/test.conf b/testing/tests/ikev2/rw-hash-and-url/test.conf index 70416826e..f29298850 100644 --- a/testing/tests/ikev2/rw-hash-and-url/test.conf +++ b/testing/tests/ikev2/rw-hash-and-url/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon carol winnetou dave" +VIRTHOSTS="alice moon carol winnetou dave" # Corresponding block diagram # DIAGRAM="a-m-c-w-d.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev2/rw-initiator-only/description.txt b/testing/tests/ikev2/rw-initiator-only/description.txt new file mode 100644 index 000000000..478004162 --- /dev/null +++ b/testing/tests/ikev2/rw-initiator-only/description.txt @@ -0,0 +1,10 @@ +The roadwarrior <b>dave</b> tries to set up a connection to roadwarrior <b>carol</b> +but because <b>carol</b> has set the strongswan.conf option <b>initiator_only = yes</b> +she ignores the repeated IKE requests sent by <b>dave</b>. +<p/> +After the failed connection attempt by <b>dave</b>, roadwarrior <b>carol</b> sets up a +connection to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>. +Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b> +automatically inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, <b>carol</b> pings the client <b>alice</b> behind +the gateway <b>moon</b>. diff --git a/testing/tests/ikev2/rw-initiator-only/evaltest.dat b/testing/tests/ikev2/rw-initiator-only/evaltest.dat new file mode 100644 index 000000000..80fd7c5be --- /dev/null +++ b/testing/tests/ikev2/rw-initiator-only/evaltest.dat @@ -0,0 +1,8 @@ +dave::cat /var/log/daemon.log::establishing IKE_SA failed, peer not responding::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/rw-initiator-only/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-initiator-only/hosts/carol/etc/ipsec.conf new file mode 100644 index 000000000..dd2ceea60 --- /dev/null +++ b/testing/tests/ikev2/rw-initiator-only/hosts/carol/etc/ipsec.conf @@ -0,0 +1,20 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_CAROL + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/ikev2/rw-initiator-only/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-initiator-only/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..dc900c4f2 --- /dev/null +++ b/testing/tests/ikev2/rw-initiator-only/hosts/carol/etc/strongswan.conf @@ -0,0 +1,7 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown + + initiator_only = yes +} diff --git a/testing/tests/ikev2/rw-initiator-only/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-initiator-only/hosts/dave/etc/ipsec.conf new file mode 100644 index 000000000..b417977c9 --- /dev/null +++ b/testing/tests/ikev2/rw-initiator-only/hosts/dave/etc/ipsec.conf @@ -0,0 +1,19 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn peer + left=PH_IP_DAVE + leftcert=daveCert.pem + leftid=dave@strongswan.org + leftfirewall=yes + right=PH_IP_CAROL + rightid=carol@strongswan.org + auto=add diff --git a/testing/tests/ikev2/rw-initiator-only/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-initiator-only/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..9251921ff --- /dev/null +++ b/testing/tests/ikev2/rw-initiator-only/hosts/dave/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown + + retransmit_timeout = 2 + retransmit_base = 1.5 + retransmit_tries = 3 +} diff --git a/testing/tests/ikev2/rw-initiator-only/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-initiator-only/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..acc2ef758 --- /dev/null +++ b/testing/tests/ikev2/rw-initiator-only/hosts/moon/etc/ipsec.conf @@ -0,0 +1,19 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekey=no + reauth=no + keyexchange=ikev2 + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + leftfirewall=yes + right=%any + auto=add diff --git a/testing/tests/ikev2/rw-initiator-only/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-initiator-only/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..7f31b170b --- /dev/null +++ b/testing/tests/ikev2/rw-initiator-only/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/ikev2/rw-initiator-only/posttest.dat b/testing/tests/ikev2/rw-initiator-only/posttest.dat new file mode 100644 index 000000000..1865a1c60 --- /dev/null +++ b/testing/tests/ikev2/rw-initiator-only/posttest.dat @@ -0,0 +1,6 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/rw-initiator-only/pretest.dat b/testing/tests/ikev2/rw-initiator-only/pretest.dat new file mode 100644 index 000000000..fc7173430 --- /dev/null +++ b/testing/tests/ikev2/rw-initiator-only/pretest.dat @@ -0,0 +1,9 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules +moon::ipsec start +carol::ipsec start +dave::ipsec start +carol::sleep 1 +dave::ipsec up peer +carol::ipsec up home diff --git a/testing/tests/ikev2/rw-initiator-only/test.conf b/testing/tests/ikev2/rw-initiator-only/test.conf new file mode 100644 index 000000000..f29298850 --- /dev/null +++ b/testing/tests/ikev2/rw-initiator-only/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev2/rw-mark-in-out/description.txt b/testing/tests/ikev2/rw-mark-in-out/description.txt index 4c35081b1..3012fc656 100644 --- a/testing/tests/ikev2/rw-mark-in-out/description.txt +++ b/testing/tests/ikev2/rw-mark-in-out/description.txt @@ -1,7 +1,7 @@ The roadwarriors <b>alice</b> and <b>venus</b> sitting behind the router <b>moon</b> set up tunnels to gateway <b>sun</b>. Since both roadwarriors possess the same 10.1.0.0/25 subnet, -gateway <b>sun</b> uses Source NAT after ESP decryption to map these subnets to 10.3.0.10 -and 10.3.0.20, respectively. +gateway <b>sun</b> uses Source NAT after ESP decryption to map these subnets to PH_IP_CAROL10 +and PH_IP_DAVE10, respectively. <p/> In order to differentiate between the tunnels to <b>alice</b> and <b>venus</b>, respectively, <b>XFRM marks</b> are defined for both the inbound and outbound IPsec SAs and policies using diff --git a/testing/tests/ikev2/rw-mark-in-out/evaltest.dat b/testing/tests/ikev2/rw-mark-in-out/evaltest.dat index c248a508a..26b26204c 100644 --- a/testing/tests/ikev2/rw-mark-in-out/evaltest.dat +++ b/testing/tests/ikev2/rw-mark-in-out/evaltest.dat @@ -1,11 +1,11 @@ -alice::ipsec statusall::home.*INSTALLED::YES -venus::ipsec statusall::home.*INSTALLED::YES -sun::ipsec statusall::alice.*ESTABLISHED.*alice@strongswan.org::YES -sun::ipsec statusall::venus.*ESTABLISHED.*venus.strongswan.org::YES -sun::ipsec statusall::alice.*10.2.0.0/16 === 10.1.0.0/25::YES -sun::ipsec statusall::venus.*10.2.0.0/16 === 10.1.0.0/25::YES -alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES -venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES +alice::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +venus::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +sun:: ipsec status 2> /dev/null::alice.*ESTABLISHED.*sun.strongswan.org.*alice@strongswan.org::YES +sun:: ipsec status 2> /dev/null::venus.*ESTABLISHED.*sun.strongswan.org.*venus.strongswan.org::YES +sun:: ipsec statusall 2> /dev/null::alice.*10.2.0.0/16 === 10.1.0.0/25::YES +sun:: ipsec statusall 2> /dev/null::venus.*10.2.0.0/16 === 10.1.0.0/25::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES +venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES moon::tcpdump::IP alice.strongswan.org > sun.strongswan.org: ESP::YES moon::tcpdump::IP venus.strongswan.org > sun.strongswan.org: ESP::YES moon::tcpdump::IP sun.strongswan.org > alice.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/alice/etc/init.d/iptables b/testing/tests/ikev2/rw-mark-in-out/hosts/alice/etc/init.d/iptables deleted file mode 100755 index 5594bbf52..000000000 --- a/testing/tests/ikev2/rw-mark-in-out/hosts/alice/etc/init.d/iptables +++ /dev/null @@ -1,77 +0,0 @@ -#!/sbin/runscript -# Copyright 1999-2004 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 - -opts="start stop reload" - -depend() { - before net - need logger -} - -start() { - ebegin "Starting firewall" - - # default policy is DROP - /sbin/iptables -P INPUT DROP - /sbin/iptables -P OUTPUT DROP - /sbin/iptables -P FORWARD DROP - - # allow ESP - iptables -A INPUT -i eth0 -p 50 -j ACCEPT - iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT - - # allow IKE - iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT - - # allow MOBIKE - iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT - - # allow crl fetch from winnetou - iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT - iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT - - # allow ssh - iptables -A INPUT -p tcp --dport 22 -j ACCEPT - iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT - - eend $? -} - -stop() { - ebegin "Stopping firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - - if [ $a == nat ]; then - /sbin/iptables -t nat -P PREROUTING ACCEPT - /sbin/iptables -t nat -P POSTROUTING ACCEPT - /sbin/iptables -t nat -P OUTPUT ACCEPT - elif [ $a == mangle ]; then - /sbin/iptables -t mangle -P PREROUTING ACCEPT - /sbin/iptables -t mangle -P INPUT ACCEPT - /sbin/iptables -t mangle -P FORWARD ACCEPT - /sbin/iptables -t mangle -P OUTPUT ACCEPT - /sbin/iptables -t mangle -P POSTROUTING ACCEPT - elif [ $a == filter ]; then - /sbin/iptables -t filter -P INPUT ACCEPT - /sbin/iptables -t filter -P FORWARD ACCEPT - /sbin/iptables -t filter -P OUTPUT ACCEPT - fi - done - eend $? -} - -reload() { - ebegin "Flushing firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - done; - eend $? - start -} - diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/rw-mark-in-out/hosts/alice/etc/ipsec.conf index dd0240b07..726aa616b 100755..100644 --- a/testing/tests/ikev2/rw-mark-in-out/hosts/alice/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-mark-in-out/hosts/alice/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/rw-mark-in-out/hosts/alice/etc/strongswan.conf index 339b56987..dc937641c 100644 --- a/testing/tests/ikev2/rw-mark-in-out/hosts/alice/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-mark-in-out/hosts/alice/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/ipsec.conf index 5fa211c2a..4b549cbd5 100755..100644 --- a/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no charondebug="knl 2" conn %default diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/mark_updown b/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/mark_updown index 0d22e684d..421335ffb 100755 --- a/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/mark_updown +++ b/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/mark_updown @@ -73,8 +73,12 @@ # just the host, this will be 255.255.255.255. # # PLUTO_MY_SOURCEIP -# if non-empty, then the source address for the route will be -# set to this IP address. +# PLUTO_MY_SOURCEIP4_$i +# PLUTO_MY_SOURCEIP6_$i +# contains IPv4/IPv6 virtual IP received from a responder, +# $i enumerates from 1 to the number of IP per address family. +# PLUTO_MY_SOURCEIP is a legacy variable and equals to the first +# virtual IP, IPv4 or IPv6. # # PLUTO_MY_PROTOCOL # is the IP protocol that will be transported. @@ -128,9 +132,15 @@ # contains the remote UDP port in the case of ESP_IN_UDP # encapsulation # +# PLUTO_DNS4_$i +# PLUTO_DNS6_$i +# contains IPv4/IPv6 DNS server attribute received from a +# responder, $i enumerates from 1 to the number of servers per +# address family. +# # define a minimum PATH environment in case it is not set -PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin" +PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin:/usr/local/sbin" export PATH # uncomment to log VPN connections diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/strongswan.conf index 339b56987..dc937641c 100644 --- a/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/venus/etc/init.d/iptables b/testing/tests/ikev2/rw-mark-in-out/hosts/venus/etc/init.d/iptables deleted file mode 100755 index 5594bbf52..000000000 --- a/testing/tests/ikev2/rw-mark-in-out/hosts/venus/etc/init.d/iptables +++ /dev/null @@ -1,77 +0,0 @@ -#!/sbin/runscript -# Copyright 1999-2004 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 - -opts="start stop reload" - -depend() { - before net - need logger -} - -start() { - ebegin "Starting firewall" - - # default policy is DROP - /sbin/iptables -P INPUT DROP - /sbin/iptables -P OUTPUT DROP - /sbin/iptables -P FORWARD DROP - - # allow ESP - iptables -A INPUT -i eth0 -p 50 -j ACCEPT - iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT - - # allow IKE - iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT - - # allow MOBIKE - iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT - - # allow crl fetch from winnetou - iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT - iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT - - # allow ssh - iptables -A INPUT -p tcp --dport 22 -j ACCEPT - iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT - - eend $? -} - -stop() { - ebegin "Stopping firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - - if [ $a == nat ]; then - /sbin/iptables -t nat -P PREROUTING ACCEPT - /sbin/iptables -t nat -P POSTROUTING ACCEPT - /sbin/iptables -t nat -P OUTPUT ACCEPT - elif [ $a == mangle ]; then - /sbin/iptables -t mangle -P PREROUTING ACCEPT - /sbin/iptables -t mangle -P INPUT ACCEPT - /sbin/iptables -t mangle -P FORWARD ACCEPT - /sbin/iptables -t mangle -P OUTPUT ACCEPT - /sbin/iptables -t mangle -P POSTROUTING ACCEPT - elif [ $a == filter ]; then - /sbin/iptables -t filter -P INPUT ACCEPT - /sbin/iptables -t filter -P FORWARD ACCEPT - /sbin/iptables -t filter -P OUTPUT ACCEPT - fi - done - eend $? -} - -reload() { - ebegin "Flushing firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - done; - eend $? - start -} - diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/venus/etc/ipsec.conf b/testing/tests/ikev2/rw-mark-in-out/hosts/venus/etc/ipsec.conf index 4af93df8d..cb9b27ed7 100755..100644 --- a/testing/tests/ikev2/rw-mark-in-out/hosts/venus/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-mark-in-out/hosts/venus/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2/rw-mark-in-out/hosts/venus/etc/strongswan.conf index 339b56987..dc937641c 100644 --- a/testing/tests/ikev2/rw-mark-in-out/hosts/venus/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-mark-in-out/hosts/venus/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/rw-mark-in-out/posttest.dat b/testing/tests/ikev2/rw-mark-in-out/posttest.dat index fae79271b..283099acb 100644 --- a/testing/tests/ikev2/rw-mark-in-out/posttest.dat +++ b/testing/tests/ikev2/rw-mark-in-out/posttest.dat @@ -2,9 +2,9 @@ sun::iptables -t mangle -v -n -L PREROUTING sun::ipsec stop alice::ipsec stop venus::ipsec stop -alice::/etc/init.d/iptables stop 2> /dev/null -venus::/etc/init.d/iptables stop 2> /dev/null -sun::/etc/init.d/iptables stop 2> /dev/null +alice::iptables-restore < /etc/iptables.flush +venus::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush sun::ip route del 10.1.0.0/16 via PH_IP_MOON sun::conntrack -F sun::rm /etc/mark_updown diff --git a/testing/tests/ikev2/rw-mark-in-out/pretest.dat b/testing/tests/ikev2/rw-mark-in-out/pretest.dat index 3d9a5f340..8e9dd2f51 100644 --- a/testing/tests/ikev2/rw-mark-in-out/pretest.dat +++ b/testing/tests/ikev2/rw-mark-in-out/pretest.dat @@ -1,13 +1,12 @@ -alice::/etc/init.d/iptables start 2> /dev/null -venus::/etc/init.d/iptables start 2> /dev/null -sun::/etc/init.d/iptables start 2> /dev/null -moon::echo 1 > /proc/sys/net/ipv4/ip_forward +alice::iptables-restore < /etc/iptables.rules +venus::iptables-restore < /etc/iptables.rules +sun::iptables-restore < /etc/iptables.rules moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to PH_IP_MOON sun::ip route add 10.1.0.0/16 via PH_IP_MOON -sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 10 -j SNAT --to 10.3.0.10 -sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 20 -j SNAT --to 10.3.0.20 -sun::iptables -t mangle -A PREROUTING -d 10.3.0.10 -j MARK --set-mark 11 -sun::iptables -t mangle -A PREROUTING -d 10.3.0.20 -j MARK --set-mark 21 +sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 10 -j SNAT --to PH_IP_CAROL10 +sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 20 -j SNAT --to PH_IP_DAVE10 +sun::iptables -t mangle -A PREROUTING -d PH_IP_CAROL10 -j MARK --set-mark 11 +sun::iptables -t mangle -A PREROUTING -d PH_IP_DAVE10 -j MARK --set-mark 21 alice::ipsec start venus::ipsec start sun::ipsec start diff --git a/testing/tests/ikev2/rw-mark-in-out/test.conf b/testing/tests/ikev2/rw-mark-in-out/test.conf index ae3c190b8..105472cbe 100644 --- a/testing/tests/ikev2/rw-mark-in-out/test.conf +++ b/testing/tests/ikev2/rw-mark-in-out/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice venus moon winnetou sun bob" +VIRTHOSTS="alice venus moon winnetou sun bob" # Corresponding block diagram # DIAGRAM="a-v-m-w-s-b.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon bob" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="alice venus sun" diff --git a/testing/tests/ikev2/rw-pkcs8/evaltest.dat b/testing/tests/ikev2/rw-pkcs8/evaltest.dat index 06a0f8cda..2342d024b 100644 --- a/testing/tests/ikev2/rw-pkcs8/evaltest.dat +++ b/testing/tests/ikev2/rw-pkcs8/evaltest.dat @@ -1,10 +1,14 @@ -moon::ipsec statusall::rw.*ESTABLISHED::YES -carol::ipsec statusall::home.*ESTABLISHED::YES -dave::ipsec statusall::home.*ESTABLISHED::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES - diff --git a/testing/tests/ikev2/rw-pkcs8/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-pkcs8/hosts/carol/etc/ipsec.conf index bcdb8641b..e72f78742 100755..100644 --- a/testing/tests/ikev2/rw-pkcs8/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-pkcs8/hosts/carol/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/rw-pkcs8/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-pkcs8/hosts/carol/etc/strongswan.conf index 3c22edc23..9802ea724 100644 --- a/testing/tests/ikev2/rw-pkcs8/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-pkcs8/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/rw-pkcs8/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-pkcs8/hosts/dave/etc/ipsec.conf index ea8bc92a7..65c9819bb 100755..100644 --- a/testing/tests/ikev2/rw-pkcs8/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-pkcs8/hosts/dave/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/rw-pkcs8/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-pkcs8/hosts/dave/etc/strongswan.conf index 3c22edc23..9802ea724 100644 --- a/testing/tests/ikev2/rw-pkcs8/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-pkcs8/hosts/dave/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/rw-pkcs8/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-pkcs8/hosts/moon/etc/ipsec.conf index 274521386..1ee751360 100755..100644 --- a/testing/tests/ikev2/rw-pkcs8/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-pkcs8/hosts/moon/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/rw-pkcs8/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-pkcs8/hosts/moon/etc/strongswan.conf index 9333bcdf4..597aebf61 100644 --- a/testing/tests/ikev2/rw-pkcs8/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-pkcs8/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown + load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/rw-pkcs8/posttest.dat b/testing/tests/ikev2/rw-pkcs8/posttest.dat index 7cebd7f25..1865a1c60 100644 --- a/testing/tests/ikev2/rw-pkcs8/posttest.dat +++ b/testing/tests/ikev2/rw-pkcs8/posttest.dat @@ -1,6 +1,6 @@ moon::ipsec stop carol::ipsec stop dave::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null -dave::/etc/init.d/iptables stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/rw-pkcs8/pretest.dat b/testing/tests/ikev2/rw-pkcs8/pretest.dat index 42e9d7c24..8bbea1412 100644 --- a/testing/tests/ikev2/rw-pkcs8/pretest.dat +++ b/testing/tests/ikev2/rw-pkcs8/pretest.dat @@ -1,6 +1,6 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null -dave::/etc/init.d/iptables start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start dave::ipsec start diff --git a/testing/tests/ikev2/rw-pkcs8/test.conf b/testing/tests/ikev2/rw-pkcs8/test.conf index 70416826e..f29298850 100644 --- a/testing/tests/ikev2/rw-pkcs8/test.conf +++ b/testing/tests/ikev2/rw-pkcs8/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon carol winnetou dave" +VIRTHOSTS="alice moon carol winnetou dave" # Corresponding block diagram # DIAGRAM="a-m-c-w-d.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev2/rw-psk-fqdn/description.txt b/testing/tests/ikev2/rw-psk-fqdn/description.txt index d4a7c3878..47f6968ae 100644 --- a/testing/tests/ikev2/rw-psk-fqdn/description.txt +++ b/testing/tests/ikev2/rw-psk-fqdn/description.txt @@ -1,6 +1,6 @@ The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>. The authentication is based on distinct <b>pre-shared keys</b> -and fully qualified domain names. Upon the successful establishment of the IPsec tunnels, +and <b>Fully Qualified Domain Names</b>. Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass the tunneled traffic. In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping the client <b>alice</b> behind the gateway <b>moon</b>. diff --git a/testing/tests/ikev2/rw-psk-fqdn/evaltest.dat b/testing/tests/ikev2/rw-psk-fqdn/evaltest.dat index 06a0f8cda..2fbcc474f 100644 --- a/testing/tests/ikev2/rw-psk-fqdn/evaltest.dat +++ b/testing/tests/ikev2/rw-psk-fqdn/evaltest.dat @@ -1,8 +1,14 @@ -moon::ipsec statusall::rw.*ESTABLISHED::YES -carol::ipsec statusall::home.*ESTABLISHED::YES -dave::ipsec statusall::home.*ESTABLISHED::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/rw-psk-fqdn/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-fqdn/hosts/carol/etc/ipsec.conf index 6c821010a..594affa28 100755..100644 --- a/testing/tests/ikev2/rw-psk-fqdn/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-psk-fqdn/hosts/carol/etc/ipsec.conf @@ -1,7 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/rw-psk-fqdn/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-fqdn/hosts/carol/etc/strongswan.conf index 882ea04a5..d84cba2b0 100644 --- a/testing/tests/ikev2/rw-psk-fqdn/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-psk-fqdn/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink socket-default updown + load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/rw-psk-fqdn/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-fqdn/hosts/dave/etc/ipsec.conf index 1af9be7f7..57f7303be 100755..100644 --- a/testing/tests/ikev2/rw-psk-fqdn/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-psk-fqdn/hosts/dave/etc/ipsec.conf @@ -1,8 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/rw-psk-fqdn/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-fqdn/hosts/dave/etc/strongswan.conf index 882ea04a5..d84cba2b0 100644 --- a/testing/tests/ikev2/rw-psk-fqdn/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-psk-fqdn/hosts/dave/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink socket-default updown + load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/rw-psk-fqdn/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-fqdn/hosts/moon/etc/ipsec.conf index 97edc9047..8dc61b0b3 100755..100644 --- a/testing/tests/ikev2/rw-psk-fqdn/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-psk-fqdn/hosts/moon/etc/ipsec.conf @@ -1,7 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/rw-psk-fqdn/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-fqdn/hosts/moon/etc/strongswan.conf index 882ea04a5..d84cba2b0 100644 --- a/testing/tests/ikev2/rw-psk-fqdn/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-psk-fqdn/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink socket-default updown + load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/rw-psk-fqdn/posttest.dat b/testing/tests/ikev2/rw-psk-fqdn/posttest.dat index 7cebd7f25..1865a1c60 100644 --- a/testing/tests/ikev2/rw-psk-fqdn/posttest.dat +++ b/testing/tests/ikev2/rw-psk-fqdn/posttest.dat @@ -1,6 +1,6 @@ moon::ipsec stop carol::ipsec stop dave::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null -dave::/etc/init.d/iptables stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/rw-psk-fqdn/pretest.dat b/testing/tests/ikev2/rw-psk-fqdn/pretest.dat index 282b2aec0..64ce593fb 100644 --- a/testing/tests/ikev2/rw-psk-fqdn/pretest.dat +++ b/testing/tests/ikev2/rw-psk-fqdn/pretest.dat @@ -1,6 +1,6 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null -dave::/etc/init.d/iptables start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules moon::rm /etc/ipsec.d/cacerts/* carol::rm /etc/ipsec.d/cacerts/* dave::rm /etc/ipsec.d/cacerts/* diff --git a/testing/tests/ikev2/rw-psk-fqdn/test.conf b/testing/tests/ikev2/rw-psk-fqdn/test.conf index 70416826e..f29298850 100644 --- a/testing/tests/ikev2/rw-psk-fqdn/test.conf +++ b/testing/tests/ikev2/rw-psk-fqdn/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon carol winnetou dave" +VIRTHOSTS="alice moon carol winnetou dave" # Corresponding block diagram # DIAGRAM="a-m-c-w-d.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev2/rw-psk-ipv4/description.txt b/testing/tests/ikev2/rw-psk-ipv4/description.txt index 4eb66c540..b4aaa6a6a 100644 --- a/testing/tests/ikev2/rw-psk-ipv4/description.txt +++ b/testing/tests/ikev2/rw-psk-ipv4/description.txt @@ -1,6 +1,6 @@ The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>. The authentication is based on distinct <b>pre-shared keys</b> -and IPv4 addresses. Upon the successful establishment of the IPsec tunnels, +and <b>IPv4</b> addresses. Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass the tunneled traffic. In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping the client <b>alice</b> behind the gateway <b>moon</b>. diff --git a/testing/tests/ikev2/rw-psk-ipv4/evaltest.dat b/testing/tests/ikev2/rw-psk-ipv4/evaltest.dat index 06a0f8cda..2bd97b76c 100644 --- a/testing/tests/ikev2/rw-psk-ipv4/evaltest.dat +++ b/testing/tests/ikev2/rw-psk-ipv4/evaltest.dat @@ -1,8 +1,13 @@ -moon::ipsec statusall::rw.*ESTABLISHED::YES -carol::ipsec statusall::home.*ESTABLISHED::YES -dave::ipsec statusall::home.*ESTABLISHED::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*\[PH_IP_CAROL].*\[PH_IP_MOON]::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*\[PH_IP_DAVE].*\[PH_IP_MOON]::YES +moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*\[PH_IP_MOON].*\[PH_IP_CAROL]::YES +moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*\[PH_IP_MOON].*\[PH_IP_DAVE]::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/ipsec.conf index 5990f6875..13b737a91 100755..100644 --- a/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/ipsec.conf @@ -1,7 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/ipsec.secrets index 18a074472..57ce85d61 100644 --- a/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/ipsec.secrets +++ b/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/ipsec.secrets @@ -1,3 +1,3 @@ # /etc/ipsec.secrets - strongSwan IPsec secrets file -192.168.0.100 : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx +PH_IP_CAROL : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx diff --git a/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/strongswan.conf index 882ea04a5..d84cba2b0 100644 --- a/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink socket-default updown + load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/ipsec.conf index bdd50899a..27c70c125 100755..100644 --- a/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/ipsec.conf @@ -1,8 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/ipsec.secrets index e989540e9..111de272b 100644 --- a/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/ipsec.secrets +++ b/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/ipsec.secrets @@ -1,3 +1,3 @@ # /etc/ipsec.secrets - strongSwan IPsec secrets file -192.168.0.200 : PSK 0sjVzONCF02ncsgiSlmIXeqhGN +PH_IP_DAVE : PSK 0sjVzONCF02ncsgiSlmIXeqhGN diff --git a/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/strongswan.conf index 882ea04a5..d84cba2b0 100644 --- a/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink socket-default updown + load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/ipsec.conf index b99f43ef4..335977da6 100755..100644 --- a/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/ipsec.conf @@ -1,7 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/ipsec.secrets index ab3fb129b..6706534eb 100644 --- a/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/ipsec.secrets +++ b/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/ipsec.secrets @@ -1,5 +1,5 @@ # /etc/ipsec.secrets - strongSwan IPsec secrets file -192.168.0.100 : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx +PH_IP_CAROL : PSK 0sFpZAZqEN6Ti9sqt4ZP5EWcqx -192.168.0.200 : PSK 0sjVzONCF02ncsgiSlmIXeqhGN +PH_IP_DAVE : PSK 0sjVzONCF02ncsgiSlmIXeqhGN diff --git a/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/strongswan.conf index 882ea04a5..d84cba2b0 100644 --- a/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink socket-default updown + load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/rw-psk-ipv4/posttest.dat b/testing/tests/ikev2/rw-psk-ipv4/posttest.dat index 7cebd7f25..1865a1c60 100644 --- a/testing/tests/ikev2/rw-psk-ipv4/posttest.dat +++ b/testing/tests/ikev2/rw-psk-ipv4/posttest.dat @@ -1,6 +1,6 @@ moon::ipsec stop carol::ipsec stop dave::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null -dave::/etc/init.d/iptables stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/rw-psk-ipv4/pretest.dat b/testing/tests/ikev2/rw-psk-ipv4/pretest.dat index 282b2aec0..64ce593fb 100644 --- a/testing/tests/ikev2/rw-psk-ipv4/pretest.dat +++ b/testing/tests/ikev2/rw-psk-ipv4/pretest.dat @@ -1,6 +1,6 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null -dave::/etc/init.d/iptables start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules moon::rm /etc/ipsec.d/cacerts/* carol::rm /etc/ipsec.d/cacerts/* dave::rm /etc/ipsec.d/cacerts/* diff --git a/testing/tests/ikev2/rw-psk-ipv4/test.conf b/testing/tests/ikev2/rw-psk-ipv4/test.conf index 70416826e..f29298850 100644 --- a/testing/tests/ikev2/rw-psk-ipv4/test.conf +++ b/testing/tests/ikev2/rw-psk-ipv4/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon carol winnetou dave" +VIRTHOSTS="alice moon carol winnetou dave" # Corresponding block diagram # DIAGRAM="a-m-c-w-d.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev2/rw-psk-no-idr/evaltest.dat b/testing/tests/ikev2/rw-psk-no-idr/evaltest.dat index 06a0f8cda..2342d024b 100644 --- a/testing/tests/ikev2/rw-psk-no-idr/evaltest.dat +++ b/testing/tests/ikev2/rw-psk-no-idr/evaltest.dat @@ -1,10 +1,14 @@ -moon::ipsec statusall::rw.*ESTABLISHED::YES -carol::ipsec statusall::home.*ESTABLISHED::YES -dave::ipsec statusall::home.*ESTABLISHED::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES - diff --git a/testing/tests/ikev2/rw-psk-no-idr/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-no-idr/hosts/carol/etc/ipsec.conf index 150687104..5bc8dbe3f 100755..100644 --- a/testing/tests/ikev2/rw-psk-no-idr/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-psk-no-idr/hosts/carol/etc/ipsec.conf @@ -1,7 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/rw-psk-no-idr/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-no-idr/hosts/carol/etc/strongswan.conf index 882ea04a5..924fd4757 100644 --- a/testing/tests/ikev2/rw-psk-no-idr/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-psk-no-idr/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink socket-default updown + load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/rw-psk-no-idr/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-no-idr/hosts/dave/etc/ipsec.conf index 2397d6d6d..315634745 100755..100644 --- a/testing/tests/ikev2/rw-psk-no-idr/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-psk-no-idr/hosts/dave/etc/ipsec.conf @@ -1,8 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/rw-psk-no-idr/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-no-idr/hosts/dave/etc/strongswan.conf index 882ea04a5..924fd4757 100644 --- a/testing/tests/ikev2/rw-psk-no-idr/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-psk-no-idr/hosts/dave/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink socket-default updown + load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/rw-psk-no-idr/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-no-idr/hosts/moon/etc/ipsec.conf index 97edc9047..8dc61b0b3 100755..100644 --- a/testing/tests/ikev2/rw-psk-no-idr/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-psk-no-idr/hosts/moon/etc/ipsec.conf @@ -1,7 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/rw-psk-no-idr/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-no-idr/hosts/moon/etc/strongswan.conf index 882ea04a5..924fd4757 100644 --- a/testing/tests/ikev2/rw-psk-no-idr/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-psk-no-idr/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = aes des sha1 sha2 md5 pem pkcs1 gmp random hmac xcbc stroke kernel-netlink socket-default updown + load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/rw-psk-no-idr/posttest.dat b/testing/tests/ikev2/rw-psk-no-idr/posttest.dat index 7cebd7f25..1865a1c60 100644 --- a/testing/tests/ikev2/rw-psk-no-idr/posttest.dat +++ b/testing/tests/ikev2/rw-psk-no-idr/posttest.dat @@ -1,6 +1,6 @@ moon::ipsec stop carol::ipsec stop dave::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null -dave::/etc/init.d/iptables stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/rw-psk-no-idr/pretest.dat b/testing/tests/ikev2/rw-psk-no-idr/pretest.dat index 282b2aec0..64ce593fb 100644 --- a/testing/tests/ikev2/rw-psk-no-idr/pretest.dat +++ b/testing/tests/ikev2/rw-psk-no-idr/pretest.dat @@ -1,6 +1,6 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null -dave::/etc/init.d/iptables start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules moon::rm /etc/ipsec.d/cacerts/* carol::rm /etc/ipsec.d/cacerts/* dave::rm /etc/ipsec.d/cacerts/* diff --git a/testing/tests/ikev2/rw-psk-no-idr/test.conf b/testing/tests/ikev2/rw-psk-no-idr/test.conf index 70416826e..f29298850 100644 --- a/testing/tests/ikev2/rw-psk-no-idr/test.conf +++ b/testing/tests/ikev2/rw-psk-no-idr/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon carol winnetou dave" +VIRTHOSTS="alice moon carol winnetou dave" # Corresponding block diagram # DIAGRAM="a-m-c-w-d.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/evaltest.dat b/testing/tests/ikev2/rw-psk-rsa-mixed/evaltest.dat index 236684c57..ab398a3bb 100644 --- a/testing/tests/ikev2/rw-psk-rsa-mixed/evaltest.dat +++ b/testing/tests/ikev2/rw-psk-rsa-mixed/evaltest.dat @@ -1,15 +1,14 @@ -moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with pre-shared key successful::YES -moon::cat /var/log/daemon.log::authentication of 'PH_IP_MOON' (myself) with pre-shared key::YES -moon::ipsec statusall::rw-psk.*INSTALLED::YES -carol::ipsec statusall::home.*ESTABLISHED::YES -moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with RSA signature successful::YES -moon::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' (myself) with RSA signature successful::YES -moon::ipsec statusall::rw-rsasig.*INSTALLED::YES -dave::ipsec statusall::home.*ESTABLISHED::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with pre-shared key successful::YES +moon:: cat /var/log/daemon.log::authentication of 'PH_IP_MOON' (myself) with pre-shared key::YES +moon:: ipsec status 2> /dev/null::rw-psk.*INSTALLED, TUNNEL::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*\[PH_IP_MOON]::YES +moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with RSA signature successful::YES +moon:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' (myself) with RSA signature successful::YES +moon:: ipsec status 2> /dev/null::rw-rsasig.*INSTALLED, TUNNEL::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES - diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.conf index 78c33df12..ee62325b7 100755..100644 --- a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.conf @@ -1,7 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/strongswan.conf index 339b56987..dc937641c 100644 --- a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/ipsec.conf index e533b4b4e..65c9819bb 100755..100644 --- a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - strictcrlpolicy=no - crlcheckinterval=180 - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/strongswan.conf index 339b56987..dc937641c 100644 --- a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.conf index 004993d94..c86e82b64 100755..100644 --- a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/strongswan.conf index 339b56987..dc937641c 100644 --- a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/posttest.dat b/testing/tests/ikev2/rw-psk-rsa-mixed/posttest.dat index 7cebd7f25..1865a1c60 100644 --- a/testing/tests/ikev2/rw-psk-rsa-mixed/posttest.dat +++ b/testing/tests/ikev2/rw-psk-rsa-mixed/posttest.dat @@ -1,6 +1,6 @@ moon::ipsec stop carol::ipsec stop dave::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null -dave::/etc/init.d/iptables stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/pretest.dat b/testing/tests/ikev2/rw-psk-rsa-mixed/pretest.dat index e48d11e42..446f81426 100644 --- a/testing/tests/ikev2/rw-psk-rsa-mixed/pretest.dat +++ b/testing/tests/ikev2/rw-psk-rsa-mixed/pretest.dat @@ -1,6 +1,6 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null -dave::/etc/init.d/iptables start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules carol::rm /etc/ipsec.d/cacerts/* moon::ipsec start carol::ipsec start diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/test.conf b/testing/tests/ikev2/rw-psk-rsa-mixed/test.conf index 70416826e..f29298850 100644 --- a/testing/tests/ikev2/rw-psk-rsa-mixed/test.conf +++ b/testing/tests/ikev2/rw-psk-rsa-mixed/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon carol winnetou dave" +VIRTHOSTS="alice moon carol winnetou dave" # Corresponding block diagram # DIAGRAM="a-m-c-w-d.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev2/rw-psk-rsa-split/evaltest.dat b/testing/tests/ikev2/rw-psk-rsa-split/evaltest.dat index 0e5bd03db..1648c9557 100644 --- a/testing/tests/ikev2/rw-psk-rsa-split/evaltest.dat +++ b/testing/tests/ikev2/rw-psk-rsa-split/evaltest.dat @@ -1,11 +1,16 @@ -moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with pre-shared key successful::YES -moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with pre-shared key successful::YES -moon::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' (myself) with RSA signature successful::YES -moon::ipsec statusall::rw.*INSTALLED::YES -carol::ipsec statusall::home.*ESTABLISHED::YES -dave::ipsec statusall::home.*ESTABLISHED::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with pre-shared key successful::YES +moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with pre-shared key successful::YES +moon:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' (myself) with RSA signature successful::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/ipsec.conf index da59dfdae..72e2f7d4a 100755..100644 --- a/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m @@ -11,14 +8,15 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev2 - authby=secret conn home left=PH_IP_CAROL leftsourceip=%config leftid=carol@strongswan.org + leftauth=psk leftfirewall=yes right=PH_IP_MOON rightid=@moon.strongswan.org + rightauth=pubkey rightsubnet=10.1.0.0/16 auto=add diff --git a/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf index 339b56987..dc937641c 100644 --- a/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/ipsec.conf index f09d46c5b..cd7c7ae7f 100755..100644 --- a/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m @@ -11,14 +8,15 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev2 - authby=secret conn home left=PH_IP_DAVE leftsourceip=%config leftid=dave@strongswan.org + leftauth=psk leftfirewall=yes right=PH_IP_MOON rightid=@moon.strongswan.org + rightauth=pubkey rightsubnet=10.1.0.0/16 auto=add diff --git a/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf index 339b56987..dc937641c 100644 --- a/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/ipsec.conf index fb4b9ed3a..5e743101a 100755..100644 --- a/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/ipsec.conf @@ -1,7 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutostart=no conn %default ikelifetime=60m @@ -14,9 +13,11 @@ conn rw left=PH_IP_MOON leftcert=moonCert.pem leftid=@moon.strongswan.org + leftauth=pubkey leftsubnet=10.1.0.0/16 leftfirewall=yes right=%any + rightauth=psk rightsourceip=10.3.0.0/28 rightsendcert=never auto=add diff --git a/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf index 339b56987..dc937641c 100644 --- a/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/rw-psk-rsa-split/posttest.dat b/testing/tests/ikev2/rw-psk-rsa-split/posttest.dat index 7cebd7f25..1865a1c60 100644 --- a/testing/tests/ikev2/rw-psk-rsa-split/posttest.dat +++ b/testing/tests/ikev2/rw-psk-rsa-split/posttest.dat @@ -1,6 +1,6 @@ moon::ipsec stop carol::ipsec stop dave::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null -dave::/etc/init.d/iptables stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/rw-psk-rsa-split/pretest.dat b/testing/tests/ikev2/rw-psk-rsa-split/pretest.dat index 42e9d7c24..8bbea1412 100644 --- a/testing/tests/ikev2/rw-psk-rsa-split/pretest.dat +++ b/testing/tests/ikev2/rw-psk-rsa-split/pretest.dat @@ -1,6 +1,6 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null -dave::/etc/init.d/iptables start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start dave::ipsec start diff --git a/testing/tests/ikev2/rw-psk-rsa-split/test.conf b/testing/tests/ikev2/rw-psk-rsa-split/test.conf index 70416826e..f29298850 100644 --- a/testing/tests/ikev2/rw-psk-rsa-split/test.conf +++ b/testing/tests/ikev2/rw-psk-rsa-split/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon carol winnetou dave" +VIRTHOSTS="alice moon carol winnetou dave" # Corresponding block diagram # DIAGRAM="a-m-c-w-d.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev2/rw-radius-accounting/evaltest.dat b/testing/tests/ikev2/rw-radius-accounting/evaltest.dat index d23d6360b..ccbc769e2 100644 --- a/testing/tests/ikev2/rw-radius-accounting/evaltest.dat +++ b/testing/tests/ikev2/rw-radius-accounting/evaltest.dat @@ -1,15 +1,14 @@ carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES -moon::cat /var/log/daemon.log::received EAP identity .*carol::YES +moon:: cat /var/log/daemon.log::received EAP identity .*carol::YES carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES -moon::cat /var/log/daemon.log::authentication of .*carol@strongswan.org.* with EAP successful::YES -moon::ipsec statusall::rw-eap.*ESTABLISHED::YES -carol::ipsec statusall::home.*ESTABLISHED::YES +moon:: cat /var/log/daemon.log::authentication of .*carol@strongswan.org.* with EAP successful::YES +moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES carol::ping -c 5 -s 1392 PH_IP_ALICE::1400 bytes from PH_IP_ALICE::YES -carol::ipsec down home::no output expected::NO +carol::ipsec down home 2> /dev/null::no output expected::NO moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES -alice::cat /var/log/radius/radacct/10.1.0.1/*::User-Name =.*carol::YES -alice::cat /var/log/radius/radacct/10.1.0.1/*::Acct-Output-Octets = 7100::YES -alice::cat /var/log/radius/radacct/10.1.0.1/*::Acct-Input-Octets = 7100::YES - +alice::cat /var/log/freeradius/radacct/PH_IP_MOON1/*::User-Name =.*carol::YES +alice::cat /var/log/freeradius/radacct/PH_IP_MOON1/*::Acct-Output-Octets = 7100::YES +alice::cat /var/log/freeradius/radacct/PH_IP_MOON1/*::Acct-Input-Octets = 7100::YES diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/eap.conf b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/eap.conf new file mode 100644 index 000000000..623f42904 --- /dev/null +++ b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/eap.conf @@ -0,0 +1,5 @@ +eap { + default_eap_type = md5 + md5 { + } +} diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/proxy.conf new file mode 100644 index 000000000..783587b55 --- /dev/null +++ b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/proxy.conf @@ -0,0 +1,5 @@ +realm LOCAL { + type = radius + authhost = LOCAL + accthost = LOCAL +} diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/sites-available/default new file mode 100644 index 000000000..a67a5dcb4 --- /dev/null +++ b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/sites-available/default @@ -0,0 +1,42 @@ +authorize { + eap { + ok = return + } + files +} + +authenticate { + eap +} + +preacct { + preprocess + acct_unique + suffix + files +} + +accounting { + detail + unix + radutmp + attr_filter.accounting_response +} + +session { + radutmp +} + +post-auth { + exec + Post-Auth-Type REJECT { + attr_filter.access_reject + } +} + +pre-proxy { +} + +post-proxy { + eap +} diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/users b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/users index 247b918e3..247b918e3 100644 --- a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/users +++ b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/freeradius/users diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/clients.conf deleted file mode 100644 index f4e179aa4..000000000 --- a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/clients.conf +++ /dev/null @@ -1,4 +0,0 @@ -client PH_IP_MOON1 { - secret = gv6URkSs - shortname = moon -} diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/radiusd.conf deleted file mode 100644 index 1143a0473..000000000 --- a/testing/tests/ikev2/rw-radius-accounting/hosts/alice/etc/raddb/radiusd.conf +++ /dev/null @@ -1,120 +0,0 @@ -# radiusd.conf -- FreeRADIUS server configuration file. - -prefix = /usr -exec_prefix = ${prefix} -sysconfdir = /etc -localstatedir = /var -sbindir = ${exec_prefix}/sbin -logdir = ${localstatedir}/log/radius -raddbdir = ${sysconfdir}/raddb -radacctdir = ${logdir}/radacct - -# name of the running server. See also the "-n" command-line option. -name = radiusd - -# Location of config and logfiles. -confdir = ${raddbdir} -run_dir = ${localstatedir}/run/radiusd - -# Should likely be ${localstatedir}/lib/radiusd -db_dir = ${raddbdir} - -# libdir: Where to find the rlm_* modules. -libdir = ${exec_prefix}/lib - -# pidfile: Where to place the PID of the RADIUS server. -pidfile = ${run_dir}/${name}.pid - -# max_request_time: The maximum time (in seconds) to handle a request. -max_request_time = 30 - -# cleanup_delay: The time to wait (in seconds) before cleaning up -cleanup_delay = 5 - -# max_requests: The maximum number of requests which the server keeps -max_requests = 1024 - -# listen: Make the server listen on a particular IP address, and send -listen { - type = auth - ipaddr = PH_IP_ALICE - port = 0 -} - -# This second "listen" section is for listening on the accounting -# port, too. -# -listen { - type = acct - ipaddr = PH_IP_ALICE - port = 0 -} - -# hostname_lookups: Log the names of clients or just their IP addresses -hostname_lookups = no - -# Core dumps are a bad thing. This should only be set to 'yes' -allow_core_dumps = no - -# Regular expressions -regular_expressions = yes -extended_expressions = yes - -# Logging section. The various "log_*" configuration items -log { - destination = files - file = ${logdir}/radius.log - syslog_facility = daemon - stripped_names = no - auth = yes - auth_badpass = yes - auth_goodpass = yes -} - -# The program to execute to do concurrency checks. -checkrad = ${sbindir}/checkrad - -# Security considerations -security { - max_attributes = 200 - reject_delay = 1 - status_server = yes -} - -# PROXY CONFIGURATION -proxy_requests = yes -$INCLUDE proxy.conf - -# CLIENTS CONFIGURATION -$INCLUDE clients.conf - -# THREAD POOL CONFIGURATION -thread pool { - start_servers = 5 - max_servers = 32 - min_spare_servers = 3 - max_spare_servers = 10 - max_requests_per_server = 0 -} - -# MODULE CONFIGURATION -modules { - $INCLUDE ${confdir}/modules/ - $INCLUDE eap.conf - $INCLUDE sql.conf - $INCLUDE sql/mysql/counter.conf -} - -# Instantiation -instantiate { - exec - expr - expiration - logintime -} - -# Policies -$INCLUDE policy.conf - -# Include all enabled virtual hosts -$INCLUDE sites-enabled/ diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-radius-accounting/hosts/carol/etc/ipsec.conf index 5f779d1af..438e1c14c 100755..100644 --- a/testing/tests/ikev2/rw-radius-accounting/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-radius-accounting/hosts/carol/etc/ipsec.conf @@ -1,7 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutostart=no conn %default ikelifetime=60m @@ -16,6 +15,7 @@ conn home leftid=carol@strongswan.org leftauth=eap leftfirewall=yes + leftsourceip=%config,%config6 eap_identity=carol right=PH_IP_MOON rightid=@moon.strongswan.org diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-radius-accounting/hosts/carol/etc/strongswan.conf index fe067d344..b1b418060 100644 --- a/testing/tests/ikev2/rw-radius-accounting/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-radius-accounting/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 eap-identity updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 eap-identity updown } diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/init.d/iptables deleted file mode 100755 index 962a418d9..000000000 --- a/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/init.d/iptables +++ /dev/null @@ -1,88 +0,0 @@ -#!/sbin/runscript -# Copyright 1999-2004 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 - -opts="start stop reload" - -depend() { - before net - need logger -} - -start() { - ebegin "Starting firewall" - - # enable IP forwarding - echo 1 > /proc/sys/net/ipv4/ip_forward - - # default policy is DROP - /sbin/iptables -P INPUT DROP - /sbin/iptables -P OUTPUT DROP - /sbin/iptables -P FORWARD DROP - - # allow esp - iptables -A INPUT -i eth0 -p 50 -j ACCEPT - iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT - - # allow IKE - iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT - - # allow MobIKE - iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT - - # allow crl fetch from winnetou - iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT - iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT - - # allow RADIUS protocol with alice - iptables -A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT - iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT - - # allow RADIUS accounting protocol with alice - iptables -A INPUT -i eth1 -p udp --sport 1813 -s PH_IP_ALICE -j ACCEPT - iptables -A OUTPUT -o eth1 -p udp --dport 1813 -d PH_IP_ALICE -j ACCEPT - - # allow ssh - iptables -A INPUT -p tcp --dport 22 -j ACCEPT - iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT - - eend $? -} - -stop() { - ebegin "Stopping firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - - if [ $a == nat ]; then - /sbin/iptables -t nat -P PREROUTING ACCEPT - /sbin/iptables -t nat -P POSTROUTING ACCEPT - /sbin/iptables -t nat -P OUTPUT ACCEPT - elif [ $a == mangle ]; then - /sbin/iptables -t mangle -P PREROUTING ACCEPT - /sbin/iptables -t mangle -P INPUT ACCEPT - /sbin/iptables -t mangle -P FORWARD ACCEPT - /sbin/iptables -t mangle -P OUTPUT ACCEPT - /sbin/iptables -t mangle -P POSTROUTING ACCEPT - elif [ $a == filter ]; then - /sbin/iptables -t filter -P INPUT ACCEPT - /sbin/iptables -t filter -P FORWARD ACCEPT - /sbin/iptables -t filter -P OUTPUT ACCEPT - fi - done - eend $? -} - -reload() { - ebegin "Flushing firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - done; - eend $? - start -} - diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/ipsec.conf index 11ff84400..7d4f94f48 100755..100644 --- a/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/ipsec.conf @@ -1,8 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m @@ -21,6 +19,7 @@ conn rw-eap rightid=*@strongswan.org rightsendcert=never rightauth=eap-radius + rightsourceip=10.3.0.0/24,fec3::0/120 eap_identity=%any right=%any auto=add diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/iptables.rules new file mode 100644 index 000000000..b9560a38e --- /dev/null +++ b/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/iptables.rules @@ -0,0 +1,36 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow esp +-A INPUT -i eth0 -p 50 -j ACCEPT +-A OUTPUT -o eth0 -p 50 -j ACCEPT + +# allow IKE +-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow crl fetch from winnetou +-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT +-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + +# allow RADIUS protocol with alice +-A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT +-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT + +# allow RADIUS accounting protocol with alice +-A INPUT -i eth1 -p udp --sport 1813 -s PH_IP_ALICE -j ACCEPT +-A OUTPUT -o eth1 -p udp --dport 1813 -d PH_IP_ALICE -j ACCEPT + +COMMIT diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/strongswan.conf index 52927c1fd..3bf573f5d 100644 --- a/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius eap-identity updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius eap-identity updown plugins { eap-radius { secret = gv6URkSs diff --git a/testing/tests/ikev2/rw-radius-accounting/posttest.dat b/testing/tests/ikev2/rw-radius-accounting/posttest.dat index b1f971402..98f7a6954 100644 --- a/testing/tests/ikev2/rw-radius-accounting/posttest.dat +++ b/testing/tests/ikev2/rw-radius-accounting/posttest.dat @@ -1,7 +1,6 @@ carol::ipsec stop moon::ipsec stop -alice::/etc/init.d/radiusd stop -alice::cat /var/log/radius/radacct/10.1.0.1/* -carol::/etc/init.d/iptables stop 2> /dev/null -moon::/etc/init.d/iptables stop 2> /dev/null - +alice::killall radiusd +alice::cat /var/log/freeradius/radacct/PH_IP_MOON1/* +carol::iptables-restore < /etc/iptables.flush +moon::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/rw-radius-accounting/pretest.dat b/testing/tests/ikev2/rw-radius-accounting/pretest.dat index 30c8bd573..9f437fe85 100644 --- a/testing/tests/ikev2/rw-radius-accounting/pretest.dat +++ b/testing/tests/ikev2/rw-radius-accounting/pretest.dat @@ -1,7 +1,7 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null -alice::rm /var/log/radius/radacct/10.1.0.1/* -alice::/etc/init.d/radiusd start +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +alice::rm /var/log/freeradius/radacct/PH_IP_MOON1/* +alice::radiusd moon::ipsec start carol::ipsec start carol::sleep 1 diff --git a/testing/tests/ikev2/rw-radius-accounting/test.conf b/testing/tests/ikev2/rw-radius-accounting/test.conf index e0d77b583..6dbb1c7fd 100644 --- a/testing/tests/ikev2/rw-radius-accounting/test.conf +++ b/testing/tests/ikev2/rw-radius-accounting/test.conf @@ -1,26 +1,25 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice carol moon" +VIRTHOSTS="alice moon carol winnetou" # Corresponding block diagram # -DIAGRAM="a-m-c.png" +DIAGRAM="a-m-c-w.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol" -# UML instances on which FreeRadius is started +# Guest instances on which FreeRadius is started # RADIUSHOSTS="alice" - diff --git a/testing/tests/ikev2/rw-whitelist/evaltest.dat b/testing/tests/ikev2/rw-whitelist/evaltest.dat index 733cfd844..9418d6ee1 100644 --- a/testing/tests/ikev2/rw-whitelist/evaltest.dat +++ b/testing/tests/ikev2/rw-whitelist/evaltest.dat @@ -1,14 +1,14 @@ -moon::cat /var/log/daemon.log::whitelist functionality was already enabled::YES -moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with RSA signature successful::YES -moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with RSA signature successful::YES -moon::cat /var/log/daemon.log::peer identity 'dave@strongswan.org' not whitelisted::YES -carol::ipsec status::home.*INSTALLED::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -dave::cat /var/log/daemon.log:: received AUTHENTICATION_FAILED notify error::YES -dave::ipsec status::home.*INSTALLED::NO -dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::NO -moon::ipsec status::rw.*ESTABLISHED.*carol@strongswan.org::YES -moon::ipsec status::rw.*ESTABLISHED.*dave@strongswan.org::NO +moon:: cat /var/log/daemon.log::whitelist functionality was already enabled::YES +moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with RSA signature successful::YES +moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with RSA signature successful::YES +moon:: cat /var/log/daemon.log::peer identity 'dave@strongswan.org' not whitelisted::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +dave:: cat /var/log/daemon.log:: received AUTHENTICATION_FAILED notify error::YES +dave:: ipsec status 2> /dev/null::home.*INSTALLED::NO +dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO +moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::NO moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::NO diff --git a/testing/tests/ikev2/rw-whitelist/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-whitelist/hosts/carol/etc/ipsec.conf index a19f6cfae..8c6c28bd6 100755..100644 --- a/testing/tests/ikev2/rw-whitelist/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-whitelist/hosts/carol/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/rw-whitelist/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-whitelist/hosts/carol/etc/strongswan.conf index 339b56987..dc937641c 100644 --- a/testing/tests/ikev2/rw-whitelist/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-whitelist/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/rw-whitelist/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-whitelist/hosts/dave/etc/ipsec.conf index 1a89f4e5d..72b8a59c0 100755..100644 --- a/testing/tests/ikev2/rw-whitelist/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-whitelist/hosts/dave/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/rw-whitelist/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-whitelist/hosts/dave/etc/strongswan.conf index 339b56987..dc937641c 100644 --- a/testing/tests/ikev2/rw-whitelist/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-whitelist/hosts/dave/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/rw-whitelist/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-whitelist/hosts/moon/etc/ipsec.conf index 0b4cded6c..85c48a7bb 100755..100644 --- a/testing/tests/ikev2/rw-whitelist/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-whitelist/hosts/moon/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/rw-whitelist/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-whitelist/hosts/moon/etc/strongswan.conf index 938b45518..984985a1a 100644 --- a/testing/tests/ikev2/rw-whitelist/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-whitelist/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc whitelist stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc whitelist stroke kernel-netlink socket-default updown plugins { whitelist { enable = yes diff --git a/testing/tests/ikev2/rw-whitelist/posttest.dat b/testing/tests/ikev2/rw-whitelist/posttest.dat index 1777f439f..b757d8b15 100644 --- a/testing/tests/ikev2/rw-whitelist/posttest.dat +++ b/testing/tests/ikev2/rw-whitelist/posttest.dat @@ -1,6 +1,6 @@ carol::ipsec stop dave::ipsec stop moon::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null -dave::/etc/init.d/iptables stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/rw-whitelist/pretest.dat b/testing/tests/ikev2/rw-whitelist/pretest.dat index c4ac77d77..87760775a 100644 --- a/testing/tests/ikev2/rw-whitelist/pretest.dat +++ b/testing/tests/ikev2/rw-whitelist/pretest.dat @@ -1,6 +1,6 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null -dave::/etc/init.d/iptables start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules carol::ipsec start dave::ipsec start moon::ipsec start diff --git a/testing/tests/ikev2/rw-whitelist/test.conf b/testing/tests/ikev2/rw-whitelist/test.conf index 1a8f2a4e0..164b07ff9 100644 --- a/testing/tests/ikev2/rw-whitelist/test.conf +++ b/testing/tests/ikev2/rw-whitelist/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon carol winnetou dave" +VIRTHOSTS="alice moon carol winnetou dave" # Corresponding block diagram # DIAGRAM="a-m-c-w-d.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon alice" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev2/shunt-policies/evaltest.dat b/testing/tests/ikev2/shunt-policies/evaltest.dat index 2f6e1a91f..a6e40a817 100644 --- a/testing/tests/ikev2/shunt-policies/evaltest.dat +++ b/testing/tests/ikev2/shunt-policies/evaltest.dat @@ -1,16 +1,16 @@ -moon::ipsec statusall::net-net.*ESTABLISHED::YES -sun::ipsec statusall::net-net.*ESTABLISHED::YES -alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES -alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES -venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::NO -venus::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES -moon::ping -c 1 -I PH_IP_MOON1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES -moon::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -moon::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES -bob::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -bob::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES -bob::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::NO +moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES +sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES +alice::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES +venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::NO +venus::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES +moon:: ping -c 1 -I PH_IP_MOON1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES +moon:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +moon:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES +bob:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +bob:: ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES +bob:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES venus::ssh PH_IP_BOB hostname::bob::YES -bob::ssh PH_IP_VENUS hostname::venus::YES +bob:: ssh PH_IP_VENUS hostname::venus::YES diff --git a/testing/tests/ikev2/shunt-policies/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/shunt-policies/hosts/moon/etc/init.d/iptables deleted file mode 100755 index 2b90a14c7..000000000 --- a/testing/tests/ikev2/shunt-policies/hosts/moon/etc/init.d/iptables +++ /dev/null @@ -1,84 +0,0 @@ -#!/sbin/runscript -# Copyright 1999-2004 Gentoo Foundation -# Distributed under the terms of the GNU General Public License v2 - -opts="start stop reload" - -depend() { - before net - need logger -} - -start() { - ebegin "Starting firewall" - - # enable IP forwarding - echo 1 > /proc/sys/net/ipv4/ip_forward - - # default policy is DROP - /sbin/iptables -P INPUT DROP - /sbin/iptables -P OUTPUT DROP - /sbin/iptables -P FORWARD DROP - - # allow esp - iptables -A INPUT -i eth0 -p 50 -j ACCEPT - iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT - - # allow IKE - iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT - - # allow MobIKE - iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT - iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT - - # allow crl fetch from winnetou - iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT - iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT - - # allow ssh - iptables -A INPUT -p tcp --dport 22 -j ACCEPT - iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT - - # allow icmp in local net - iptables -A INPUT -i eth1 -p icmp -j ACCEPT - iptables -A OUTPUT -o eth1 -p icmp -j ACCEPT - - eend $? -} - -stop() { - ebegin "Stopping firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - - if [ $a == nat ]; then - /sbin/iptables -t nat -P PREROUTING ACCEPT - /sbin/iptables -t nat -P POSTROUTING ACCEPT - /sbin/iptables -t nat -P OUTPUT ACCEPT - elif [ $a == mangle ]; then - /sbin/iptables -t mangle -P PREROUTING ACCEPT - /sbin/iptables -t mangle -P INPUT ACCEPT - /sbin/iptables -t mangle -P FORWARD ACCEPT - /sbin/iptables -t mangle -P OUTPUT ACCEPT - /sbin/iptables -t mangle -P POSTROUTING ACCEPT - elif [ $a == filter ]; then - /sbin/iptables -t filter -P INPUT ACCEPT - /sbin/iptables -t filter -P FORWARD ACCEPT - /sbin/iptables -t filter -P OUTPUT ACCEPT - fi - done - eend $? -} - -reload() { - ebegin "Flushing firewall" - for a in `cat /proc/net/ip_tables_names`; do - /sbin/iptables -F -t $a - /sbin/iptables -X -t $a - done; - eend $? - start -} - diff --git a/testing/tests/ikev2/shunt-policies/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/shunt-policies/hosts/moon/etc/ipsec.conf index a4958f295..46ca4cdc3 100755..100644 --- a/testing/tests/ikev2/shunt-policies/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/shunt-policies/hosts/moon/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m @@ -21,7 +18,7 @@ conn local-net auto=route conn venus-icmp - leftsubnet=10.1.0.20/32 + leftsubnet=PH_IP_VENUS/32 rightsubnet=0.0.0.0/0 leftprotoport=icmp rightprotoport=icmp diff --git a/testing/tests/ikev2/shunt-policies/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/shunt-policies/hosts/moon/etc/iptables.rules new file mode 100644 index 000000000..af0f25209 --- /dev/null +++ b/testing/tests/ikev2/shunt-policies/hosts/moon/etc/iptables.rules @@ -0,0 +1,32 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow esp +-A INPUT -i eth0 -p 50 -j ACCEPT +-A OUTPUT -o eth0 -p 50 -j ACCEPT + +# allow IKE +-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow crl fetch from winnetou +-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT +-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + +# allow icmp in local net +-A INPUT -i eth1 -p icmp -j ACCEPT +-A OUTPUT -o eth1 -p icmp -j ACCEPT + +COMMIT diff --git a/testing/tests/ikev2/shunt-policies/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/shunt-policies/hosts/moon/etc/strongswan.conf index a2e9134c0..a5cd14b30 100644 --- a/testing/tests/ikev2/shunt-policies/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/shunt-policies/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown multiple_authentication = no install_routes = no } diff --git a/testing/tests/ikev2/shunt-policies/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/shunt-policies/hosts/sun/etc/ipsec.conf index c3b36fb7c..cd8ea23c3 100755..100644 --- a/testing/tests/ikev2/shunt-policies/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ikev2/shunt-policies/hosts/sun/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/shunt-policies/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/shunt-policies/hosts/sun/etc/strongswan.conf index cb17a9e07..8e685c862 100644 --- a/testing/tests/ikev2/shunt-policies/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/shunt-policies/hosts/sun/etc/strongswan.conf @@ -1,6 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown multiple_authentication = no } diff --git a/testing/tests/ikev2/shunt-policies/posttest.dat b/testing/tests/ikev2/shunt-policies/posttest.dat index a4c96e10f..837738fc6 100644 --- a/testing/tests/ikev2/shunt-policies/posttest.dat +++ b/testing/tests/ikev2/shunt-policies/posttest.dat @@ -1,5 +1,5 @@ moon::ipsec stop sun::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -sun::/etc/init.d/iptables stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/shunt-policies/pretest.dat b/testing/tests/ikev2/shunt-policies/pretest.dat index 2d7a78acb..c724e5df8 100644 --- a/testing/tests/ikev2/shunt-policies/pretest.dat +++ b/testing/tests/ikev2/shunt-policies/pretest.dat @@ -1,5 +1,5 @@ -moon::/etc/init.d/iptables start 2> /dev/null -sun::/etc/init.d/iptables start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +sun::iptables-restore < /etc/iptables.rules moon::ipsec start sun::ipsec start moon::sleep 1 diff --git a/testing/tests/ikev2/shunt-policies/test.conf b/testing/tests/ikev2/shunt-policies/test.conf index cf2ef7424..6b7432ca6 100644 --- a/testing/tests/ikev2/shunt-policies/test.conf +++ b/testing/tests/ikev2/shunt-policies/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon winnetou sun bob" +VIRTHOSTS="alice moon winnetou sun bob" # Corresponding block diagram # DIAGRAM="a-v-m-w-s-b.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="sun" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon sun" diff --git a/testing/tests/ikev2/strong-keys-certs/evaltest.dat b/testing/tests/ikev2/strong-keys-certs/evaltest.dat index 06a0f8cda..2342d024b 100644 --- a/testing/tests/ikev2/strong-keys-certs/evaltest.dat +++ b/testing/tests/ikev2/strong-keys-certs/evaltest.dat @@ -1,10 +1,14 @@ -moon::ipsec statusall::rw.*ESTABLISHED::YES -carol::ipsec statusall::home.*ESTABLISHED::YES -dave::ipsec statusall::home.*ESTABLISHED::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES - diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/ipsec.conf index a7b55db24..732966f20 100755..100644 --- a/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/strongswan.conf index 339b56987..dc937641c 100644 --- a/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/ipsec.conf index 080073cd3..13636bc1e 100755..100644 --- a/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/strongswan.conf index 339b56987..dc937641c 100644 --- a/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/ipsec.conf index f33f26797..f36555445 100755..100644 --- a/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/strongswan.conf index 339b56987..dc937641c 100644 --- a/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/strong-keys-certs/posttest.dat b/testing/tests/ikev2/strong-keys-certs/posttest.dat index 9ccbaa1c2..3fd6a690e 100644 --- a/testing/tests/ikev2/strong-keys-certs/posttest.dat +++ b/testing/tests/ikev2/strong-keys-certs/posttest.dat @@ -1,9 +1,9 @@ moon::ipsec stop carol::ipsec stop dave::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null -dave::/etc/init.d/iptables stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush moon::rm /etc/ipsec.d/private/* carol::rm /etc/ipsec.d/private/* dave::rm /etc/ipsec.d/private/* diff --git a/testing/tests/ikev2/strong-keys-certs/pretest.dat b/testing/tests/ikev2/strong-keys-certs/pretest.dat index de51ccdfa..dea5fc162 100644 --- a/testing/tests/ikev2/strong-keys-certs/pretest.dat +++ b/testing/tests/ikev2/strong-keys-certs/pretest.dat @@ -1,6 +1,6 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null -dave::/etc/init.d/iptables start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start dave::ipsec start diff --git a/testing/tests/ikev2/strong-keys-certs/test.conf b/testing/tests/ikev2/strong-keys-certs/test.conf index 70416826e..f29298850 100644 --- a/testing/tests/ikev2/strong-keys-certs/test.conf +++ b/testing/tests/ikev2/strong-keys-certs/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon carol winnetou dave" +VIRTHOSTS="alice moon carol winnetou dave" # Corresponding block diagram # DIAGRAM="a-m-c-w-d.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev2/two-certs/evaltest.dat b/testing/tests/ikev2/two-certs/evaltest.dat index d32e32660..2b4476afa 100644 --- a/testing/tests/ikev2/two-certs/evaltest.dat +++ b/testing/tests/ikev2/two-certs/evaltest.dat @@ -1,12 +1,11 @@ -moon::cat /var/log/daemon.log::using certificate.*OU=Research, CN=carol@strongswan.org::YES -moon::ipsec statusall::alice.*INSTALLED::YES -carol::ipsec statusall::alice.*ESTABLISHED::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -moon::cat /var/log/daemon.log::signature validation failed, looking for another key::YES -moon::cat /var/log/daemon.log::using certificate.*OU=Research, SN=002, CN=carol@strongswan.org::YES -moon::ipsec statusall::venus.*INSTALLED::YES -carol::ipsec statusall::venus.*ESTABLISHED::YES -carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES +moon:: cat /var/log/daemon.log::using certificate.*OU=Research, CN=carol@strongswan.org::YES +moon:: ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::YES +carol::ipsec status 2> /dev/null::alice.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +moon:: cat /var/log/daemon.log::signature validation failed, looking for another key::YES +moon:: cat /var/log/daemon.log::using certificate.*OU=Research, SN=002, CN=carol@strongswan.org::YES +moon:: ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::YES +carol::ipsec status 2> /dev/null::venus.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES - diff --git a/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.conf index 08b95659f..9ec202e3d 100755..100644 --- a/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.conf @@ -1,10 +1,8 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 uniqueids=no strictcrlpolicy=yes - plutostart=no conn %default ikelifetime=60m @@ -20,11 +18,11 @@ conn %default conn alice leftcert=carolCert.pem - rightsubnet=10.1.0.10/32 + rightsubnet=PH_IP_ALICE/32 auto=add conn venus leftcert=carolCert-002.pem - rightsubnet=10.1.0.20/32 + rightsubnet=PH_IP_VENUS/32 auto=add diff --git a/testing/tests/ikev2/two-certs/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/two-certs/hosts/carol/etc/strongswan.conf index 339b56987..dc937641c 100644 --- a/testing/tests/ikev2/two-certs/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/two-certs/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.conf index a93ccbc9a..d8f1443ac 100755..100644 --- a/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.conf @@ -1,10 +1,8 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=yes uniqueids=no - plutostart=no + strictcrlpolicy=yes ca strongswan cacert=strongswanCert.pem @@ -25,10 +23,10 @@ conn %default keyexchange=ikev2 conn alice - leftsubnet=10.1.0.10/32 + leftsubnet=PH_IP_ALICE/32 auto=add conn venus - leftsubnet=10.1.0.20/32 + leftsubnet=PH_IP_VENUS/32 auto=add diff --git a/testing/tests/ikev2/two-certs/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/two-certs/hosts/moon/etc/strongswan.conf index 339b56987..dc937641c 100644 --- a/testing/tests/ikev2/two-certs/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/two-certs/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/two-certs/posttest.dat b/testing/tests/ikev2/two-certs/posttest.dat index a1f067838..eae8c27d4 100644 --- a/testing/tests/ikev2/two-certs/posttest.dat +++ b/testing/tests/ikev2/two-certs/posttest.dat @@ -1,6 +1,6 @@ moon::ipsec stop carol::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush carol::rm /etc/ipsec.d/private/* carol::rm /etc/ipsec.d/certs/* diff --git a/testing/tests/ikev2/two-certs/pretest.dat b/testing/tests/ikev2/two-certs/pretest.dat index 716cf71e8..fe2aaec19 100644 --- a/testing/tests/ikev2/two-certs/pretest.dat +++ b/testing/tests/ikev2/two-certs/pretest.dat @@ -1,5 +1,5 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules moon::ipsec start carol::ipsec start carol::sleep 1 diff --git a/testing/tests/ikev2/two-certs/test.conf b/testing/tests/ikev2/two-certs/test.conf index d0306cd25..3f6afa02e 100644 --- a/testing/tests/ikev2/two-certs/test.conf +++ b/testing/tests/ikev2/two-certs/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice venus moon carol winnetou" +VIRTHOSTS="alice venus moon carol winnetou" # Corresponding block diagram # DIAGRAM="a-v-m-c-w-d.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev2/virtual-ip-override/evaltest.dat b/testing/tests/ikev2/virtual-ip-override/evaltest.dat index 34ccb76ca..cb023b1fc 100644 --- a/testing/tests/ikev2/virtual-ip-override/evaltest.dat +++ b/testing/tests/ikev2/virtual-ip-override/evaltest.dat @@ -1,13 +1,17 @@ -moon::ipsec statusall::rw.*ESTABLISHED.*carol@strongswan.org::YES -moon::ipsec statusall::rw.*ESTABLISHED.*dave@strongswan.org::YES -carol::ipsec statusall::home.*INSTALLED::YES -dave::ipsec statusall::home.*INSTALLED::YES -moon::cat /var/log/daemon.log::peer requested virtual IP PH_IP_CAROL1::YES -moon::cat /var/log/daemon.log::peer requested virtual IP PH_IP_DAVE1::NO -moon::cat /var/log/daemon.log::assigning virtual IP PH_IP_CAROL1 to peer::YES -moon::cat /var/log/daemon.log::assigning virtual IP PH_IP_DAVE1 to peer::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw-carol.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw-dave.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw-carol.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw-dave.*INSTALLED, TUNNEL::YES +moon:: cat /var/log/daemon.log::peer requested virtual IP PH_IP_CAROL1::YES +moon:: cat /var/log/daemon.log::peer requested virtual IP PH_IP_DAVE1::NO +moon:: cat /var/log/daemon.log::assigning virtual IP PH_IP_CAROL1 to peer::YES +moon:: cat /var/log/daemon.log::assigning virtual IP PH_IP_DAVE1 to peer::YES carol::ip addr list dev eth0::PH_IP_CAROL1::YES carol::ip route list table 220::src PH_IP_CAROL1::YES -dave::ip addr list dev eth0::PH_IP_DAVE1::YES -dave::ip route list table 220::src PH_IP_DAVE1::YES +dave:: ip addr list dev eth0::PH_IP_DAVE1::YES +dave:: ip route list table 220::src PH_IP_DAVE1::YES diff --git a/testing/tests/ikev2/virtual-ip-override/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/virtual-ip-override/hosts/carol/etc/ipsec.conf index c9867c7d4..62c30cf28 100755..100644 --- a/testing/tests/ikev2/virtual-ip-override/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/virtual-ip-override/hosts/carol/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/virtual-ip-override/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/virtual-ip-override/hosts/carol/etc/strongswan.conf index 339b56987..dc937641c 100644 --- a/testing/tests/ikev2/virtual-ip-override/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/virtual-ip-override/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/virtual-ip-override/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/virtual-ip-override/hosts/dave/etc/ipsec.conf index 98dd99271..fa99a4c86 100755..100644 --- a/testing/tests/ikev2/virtual-ip-override/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev2/virtual-ip-override/hosts/dave/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/virtual-ip-override/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/virtual-ip-override/hosts/dave/etc/strongswan.conf index 339b56987..dc937641c 100644 --- a/testing/tests/ikev2/virtual-ip-override/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/virtual-ip-override/hosts/dave/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/virtual-ip-override/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/virtual-ip-override/hosts/moon/etc/ipsec.conf index bafd1b155..a8cf08544 100755..100644 --- a/testing/tests/ikev2/virtual-ip-override/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/virtual-ip-override/hosts/moon/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m @@ -13,7 +10,6 @@ conn %default keyexchange=ikev2 left=PH_IP_MOON leftsubnet=10.1.0.0/16 - leftsourceip=PH_IP_MOON1 leftcert=moonCert.pem leftid=@moon.strongswan.org leftfirewall=yes diff --git a/testing/tests/ikev2/virtual-ip-override/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/virtual-ip-override/hosts/moon/etc/strongswan.conf index 339b56987..dc937641c 100644 --- a/testing/tests/ikev2/virtual-ip-override/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/virtual-ip-override/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/virtual-ip-override/posttest.dat b/testing/tests/ikev2/virtual-ip-override/posttest.dat index 7cebd7f25..1865a1c60 100644 --- a/testing/tests/ikev2/virtual-ip-override/posttest.dat +++ b/testing/tests/ikev2/virtual-ip-override/posttest.dat @@ -1,6 +1,6 @@ moon::ipsec stop carol::ipsec stop dave::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null -dave::/etc/init.d/iptables stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/virtual-ip-override/pretest.dat b/testing/tests/ikev2/virtual-ip-override/pretest.dat index 5ec37aae1..1765a83cd 100644 --- a/testing/tests/ikev2/virtual-ip-override/pretest.dat +++ b/testing/tests/ikev2/virtual-ip-override/pretest.dat @@ -1,6 +1,6 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null -dave::/etc/init.d/iptables start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules carol::ipsec start dave::ipsec start moon::ipsec start diff --git a/testing/tests/ikev2/virtual-ip-override/test.conf b/testing/tests/ikev2/virtual-ip-override/test.conf index 01c94f7fb..5139506ac 100644 --- a/testing/tests/ikev2/virtual-ip-override/test.conf +++ b/testing/tests/ikev2/virtual-ip-override/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon carol winnetou dave" +VIRTHOSTS="alice moon carol winnetou dave" # Corresponding block diagram # DIAGRAM="a-m-c-w-d.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev2/virtual-ip/evaltest.dat b/testing/tests/ikev2/virtual-ip/evaltest.dat index e3c3c7f3c..0f5df71d7 100644 --- a/testing/tests/ikev2/virtual-ip/evaltest.dat +++ b/testing/tests/ikev2/virtual-ip/evaltest.dat @@ -1,21 +1,25 @@ -moon::ipsec statusall::rw.*ESTABLISHED.*carol@strongswan.org::YES -moon::ipsec statusall::rw.*ESTABLISHED.*dave@strongswan.org::YES -carol::ipsec statusall::home.*INSTALLED::YES -dave::ipsec statusall::home.*INSTALLED::YES -moon::cat /var/log/daemon.log::peer requested virtual IP PH_IP_CAROL1::YES -moon::cat /var/log/daemon.log::peer requested virtual IP PH_IP_DAVE1::YES -moon::cat /var/log/daemon.log::assigning virtual IP PH_IP_CAROL1 to peer::YES -moon::cat /var/log/daemon.log::assigning virtual IP PH_IP_DAVE1 to peer::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES +moon:: cat /var/log/daemon.log::peer requested virtual IP PH_IP_CAROL1::YES +moon:: cat /var/log/daemon.log::peer requested virtual IP PH_IP_DAVE1::YES +moon:: cat /var/log/daemon.log::assigning virtual IP PH_IP_CAROL1 to peer::YES +moon:: cat /var/log/daemon.log::assigning virtual IP PH_IP_DAVE1 to peer::YES carol::ip addr list dev eth0::PH_IP_CAROL1::YES carol::ip route list table 220::src PH_IP_CAROL1::YES -dave::ip addr list dev eth0::PH_IP_DAVE1::YES -dave::ip route list table 220::src PH_IP_DAVE1::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES -dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -dave::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_seq=1::YES -moon::ping -c 1 PH_IP_CAROL1::64 bytes from PH_IP_CAROL1: icmp_seq=1::YES -moon::ping -c 1 PH_IP_DAVE1::64 bytes from PH_IP_DAVE1: icmp_seq=1::YES +dave:: ip addr list dev eth0::PH_IP_DAVE1::YES +dave:: ip route list table 220::src PH_IP_DAVE1::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES +dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +dave:: ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_req=1::YES +moon:: ping -c 1 PH_IP_CAROL1::64 bytes from PH_IP_CAROL1: icmp_req=1::YES +moon:: ping -c 1 PH_IP_DAVE1::64 bytes from PH_IP_DAVE1: icmp_req=1::YES moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/virtual-ip/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/virtual-ip/hosts/carol/etc/ipsec.conf index c9867c7d4..62c30cf28 100755..100644 --- a/testing/tests/ikev2/virtual-ip/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/virtual-ip/hosts/carol/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/virtual-ip/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/virtual-ip/hosts/carol/etc/strongswan.conf index 339b56987..dc937641c 100644 --- a/testing/tests/ikev2/virtual-ip/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/virtual-ip/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/virtual-ip/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/virtual-ip/hosts/dave/etc/ipsec.conf index b58ba5460..3ecb3b830 100755..100644 --- a/testing/tests/ikev2/virtual-ip/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev2/virtual-ip/hosts/dave/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/virtual-ip/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/virtual-ip/hosts/dave/etc/strongswan.conf index 339b56987..dc937641c 100644 --- a/testing/tests/ikev2/virtual-ip/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/virtual-ip/hosts/dave/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/virtual-ip/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/virtual-ip/hosts/moon/etc/ipsec.conf index fb7abe556..42e4ff453 100755..100644 --- a/testing/tests/ikev2/virtual-ip/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/virtual-ip/hosts/moon/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/virtual-ip/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/virtual-ip/hosts/moon/etc/strongswan.conf index 339b56987..dc937641c 100644 --- a/testing/tests/ikev2/virtual-ip/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/virtual-ip/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/virtual-ip/posttest.dat b/testing/tests/ikev2/virtual-ip/posttest.dat index 7cebd7f25..1865a1c60 100644 --- a/testing/tests/ikev2/virtual-ip/posttest.dat +++ b/testing/tests/ikev2/virtual-ip/posttest.dat @@ -1,6 +1,6 @@ moon::ipsec stop carol::ipsec stop dave::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null -dave::/etc/init.d/iptables stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/virtual-ip/pretest.dat b/testing/tests/ikev2/virtual-ip/pretest.dat index 5ec37aae1..1765a83cd 100644 --- a/testing/tests/ikev2/virtual-ip/pretest.dat +++ b/testing/tests/ikev2/virtual-ip/pretest.dat @@ -1,6 +1,6 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null -dave::/etc/init.d/iptables start 2> /dev/null +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules carol::ipsec start dave::ipsec start moon::ipsec start diff --git a/testing/tests/ikev2/virtual-ip/test.conf b/testing/tests/ikev2/virtual-ip/test.conf index 1a8f2a4e0..164b07ff9 100644 --- a/testing/tests/ikev2/virtual-ip/test.conf +++ b/testing/tests/ikev2/virtual-ip/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice moon carol winnetou dave" +VIRTHOSTS="alice moon carol winnetou dave" # Corresponding block diagram # DIAGRAM="a-m-c-w-d.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="moon alice" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev2/wildcards/evaltest.dat b/testing/tests/ikev2/wildcards/evaltest.dat index 2bc83eacd..4789640ec 100644 --- a/testing/tests/ikev2/wildcards/evaltest.dat +++ b/testing/tests/ikev2/wildcards/evaltest.dat @@ -1,8 +1,8 @@ -carol::ipsec status::alice.*PH_IP_CAROL.*PH_IP_ALICE::YES -moon::ipsec status::alice.*PH_IP_ALICE.*PH_IP_CAROL::YES -carol::ipsec status::venus.*PH_IP_CAROL.*PH_IP_VENUS::NO -moon::ipsec status::venus.*PH_IP_VENUS.*PH_IP_CAROL::NO -dave::ipsec status::venus.*PH_IP_DAVE.*PH_IP_VENUS::YES -moon::ipsec status::venus.*PH_IP_VENUS.*PH_IP_DAVE::YES -dave::ipsec status::alice.*PH_IP_DAVE.*PH_IP_ALICE::NO -moon::ipsec status::alice.*PH_IP_ALICE.*PH_IP_DAVE::NO +carol::ipsec status 2> /dev/null::alice..*PH_IP_CAROL.*PH_IP_ALICE::YES +moon:: ipsec status 2> /dev/null::alice.*PH_IP_ALICE.*PH_IP_CAROL::YES +carol::ipsec status 2> /dev/null::venus.*PH_IP_CAROL.*PH_IP_VENUS::NO +moon:: ipsec status 2> /dev/null::venus.*PH_IP_VENUS.*PH_IP_CAROL::NO +dave:: ipsec status 2> /dev/null::venus.*PH_IP_DAVE.*PH_IP_VENUS::YES +moon:: ipsec status 2> /dev/null::venus.*PH_IP_VENUS.*PH_IP_DAVE::YES +dave:: ipsec status 2> /dev/null::alice.*PH_IP_DAVE.*PH_IP_ALICE::NO +moon:: ipsec status 2> /dev/null::alice.*PH_IP_ALICE.*PH_IP_DAVE::NO diff --git a/testing/tests/ikev2/wildcards/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/wildcards/hosts/carol/etc/ipsec.conf index 043160a0f..2ff604dfa 100755..100644 --- a/testing/tests/ikev2/wildcards/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/wildcards/hosts/carol/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/wildcards/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/wildcards/hosts/carol/etc/strongswan.conf index 88f162098..85d8c191f 100644 --- a/testing/tests/ikev2/wildcards/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/wildcards/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/wildcards/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/wildcards/hosts/dave/etc/ipsec.conf index a01676be3..fbdc9c6a3 100755..100644 --- a/testing/tests/ikev2/wildcards/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev2/wildcards/hosts/dave/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/wildcards/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/wildcards/hosts/dave/etc/strongswan.conf index 88f162098..85d8c191f 100644 --- a/testing/tests/ikev2/wildcards/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/wildcards/hosts/dave/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/wildcards/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/wildcards/hosts/moon/etc/ipsec.conf index 0523d56dd..a8183f59e 100755..100644 --- a/testing/tests/ikev2/wildcards/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/wildcards/hosts/moon/etc/ipsec.conf @@ -1,9 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - crlcheckinterval=180 - strictcrlpolicy=no - plutostart=no conn %default ikelifetime=60m diff --git a/testing/tests/ikev2/wildcards/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/wildcards/hosts/moon/etc/strongswan.conf index 88f162098..85d8c191f 100644 --- a/testing/tests/ikev2/wildcards/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/wildcards/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/wildcards/pretest.dat b/testing/tests/ikev2/wildcards/pretest.dat index e3da87520..3c4832e5e 100644 --- a/testing/tests/ikev2/wildcards/pretest.dat +++ b/testing/tests/ikev2/wildcards/pretest.dat @@ -1,4 +1,3 @@ -moon::echo 1 > /proc/sys/net/ipv4/ip_forward carol::ipsec start dave::ipsec start moon::ipsec start diff --git a/testing/tests/ikev2/wildcards/test.conf b/testing/tests/ikev2/wildcards/test.conf index 08e5cc145..9bb88d79f 100644 --- a/testing/tests/ikev2/wildcards/test.conf +++ b/testing/tests/ikev2/wildcards/test.conf @@ -1,21 +1,21 @@ #!/bin/bash # # This configuration file provides information on the -# UML instances used for this test +# guest instances used for this test -# All UML instances that are required for this test +# All guest instances that are required for this test # -UMLHOSTS="alice venus moon carol winnetou dave" +VIRTHOSTS="alice venus moon carol winnetou dave" # Corresponding block diagram # DIAGRAM="a-v-m-c-w-d.png" -# UML instances on which tcpdump is to be started +# Guest instances on which tcpdump is to be started # TCPDUMPHOSTS="" -# UML instances on which IPsec is started +# Guest instances on which IPsec is started # Used for IPsec logging purposes # IPSECHOSTS="moon carol dave" |