summaryrefslogtreecommitdiff
path: root/testing/tests/libipsec
diff options
context:
space:
mode:
Diffstat (limited to 'testing/tests/libipsec')
-rw-r--r--testing/tests/libipsec/net2net-cert/description.txt8
-rw-r--r--testing/tests/libipsec/net2net-cert/evaltest.dat7
-rw-r--r--testing/tests/libipsec/net2net-cert/hosts/moon/etc/ipsec.conf22
-rw-r--r--testing/tests/libipsec/net2net-cert/hosts/moon/etc/strongswan.conf6
-rwxr-xr-xtesting/tests/libipsec/net2net-cert/hosts/moon/etc/updown705
-rw-r--r--testing/tests/libipsec/net2net-cert/hosts/sun/etc/ipsec.conf22
-rw-r--r--testing/tests/libipsec/net2net-cert/hosts/sun/etc/strongswan.conf6
-rwxr-xr-xtesting/tests/libipsec/net2net-cert/hosts/sun/etc/updown705
-rw-r--r--testing/tests/libipsec/net2net-cert/posttest.dat4
-rw-r--r--testing/tests/libipsec/net2net-cert/pretest.dat6
-rw-r--r--testing/tests/libipsec/net2net-cert/test.conf21
-rw-r--r--testing/tests/libipsec/rw-suite-b/description.txt10
-rw-r--r--testing/tests/libipsec/rw-suite-b/evaltest.dat19
-rw-r--r--testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.conf23
-rw-r--r--testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem17
-rw-r--r--testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/certs/carolCert.pem15
-rw-r--r--testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/private/carolKey.pem5
-rw-r--r--testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.secrets3
-rw-r--r--testing/tests/libipsec/rw-suite-b/hosts/carol/etc/strongswan.conf15
-rwxr-xr-xtesting/tests/libipsec/rw-suite-b/hosts/carol/etc/updown746
-rw-r--r--testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.conf23
-rw-r--r--testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem17
-rw-r--r--testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/certs/daveCert.pem15
-rw-r--r--testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/private/daveKey.pem5
-rw-r--r--testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.secrets3
-rw-r--r--testing/tests/libipsec/rw-suite-b/hosts/dave/etc/iptables.flush21
-rw-r--r--testing/tests/libipsec/rw-suite-b/hosts/dave/etc/iptables.rules32
-rw-r--r--testing/tests/libipsec/rw-suite-b/hosts/dave/etc/strongswan.conf15
-rwxr-xr-xtesting/tests/libipsec/rw-suite-b/hosts/dave/etc/updown746
-rw-r--r--testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.conf22
-rw-r--r--testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem17
-rw-r--r--testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/certs/moonCert.pem15
-rw-r--r--testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/private/moonKey.pem5
-rw-r--r--testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.secrets3
-rw-r--r--testing/tests/libipsec/rw-suite-b/hosts/moon/etc/strongswan.conf13
-rwxr-xr-xtesting/tests/libipsec/rw-suite-b/hosts/moon/etc/updown746
-rw-r--r--testing/tests/libipsec/rw-suite-b/posttest.dat6
-rw-r--r--testing/tests/libipsec/rw-suite-b/pretest.dat9
-rw-r--r--testing/tests/libipsec/rw-suite-b/test.conf21
39 files changed, 4099 insertions, 0 deletions
diff --git a/testing/tests/libipsec/net2net-cert/description.txt b/testing/tests/libipsec/net2net-cert/description.txt
new file mode 100644
index 000000000..433d97574
--- /dev/null
+++ b/testing/tests/libipsec/net2net-cert/description.txt
@@ -0,0 +1,8 @@
+A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
+The authentication is based on <b>X.509 certificates</b> and the <b>kernel-libipsec</b>
+plugin is used for userland IPsec ESP encryption.
+<p/>
+Upon the successful establishment of the IPsec tunnel, an updown script automatically
+inserts iptables-based firewall rules that let pass the traffic tunneled via the
+<b>ipsec0</b> tun interface. In order to test both tunnel and firewall, client <b>alice</b>
+behind gateway <b>moon</b> pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/libipsec/net2net-cert/evaltest.dat b/testing/tests/libipsec/net2net-cert/evaltest.dat
new file mode 100644
index 000000000..f702ceadf
--- /dev/null
+++ b/testing/tests/libipsec/net2net-cert/evaltest.dat
@@ -0,0 +1,7 @@
+moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+sun::tcpdump::IP moon.strongswan.org.4500 > sun.strongswan.org.4500: UDP-encap: ESP::YES
+sun::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.4500: UDP-encap: ESP::YES
diff --git a/testing/tests/libipsec/net2net-cert/hosts/moon/etc/ipsec.conf b/testing/tests/libipsec/net2net-cert/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..631adfcd3
--- /dev/null
+++ b/testing/tests/libipsec/net2net-cert/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ mobike=no
+
+conn net-net
+ left=PH_IP_MOON
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftsubnet=10.1.0.0/16
+ leftupdown=/etc/updown
+ right=PH_IP_SUN
+ rightid=@sun.strongswan.org
+ rightsubnet=10.2.0.0/16
+ auto=add
diff --git a/testing/tests/libipsec/net2net-cert/hosts/moon/etc/strongswan.conf b/testing/tests/libipsec/net2net-cert/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..97bb34aed
--- /dev/null
+++ b/testing/tests/libipsec/net2net-cert/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-libipsec kernel-netlink socket-default updown
+ multiple_authentication = no
+}
diff --git a/testing/tests/libipsec/net2net-cert/hosts/moon/etc/updown b/testing/tests/libipsec/net2net-cert/hosts/moon/etc/updown
new file mode 100755
index 000000000..1a68ada0e
--- /dev/null
+++ b/testing/tests/libipsec/net2net-cert/hosts/moon/etc/updown
@@ -0,0 +1,705 @@
+#! /bin/sh
+# iproute2 version, default updown script
+#
+# Copyright (C) 2003-2004 Nigel Meteringham
+# Copyright (C) 2003-2004 Tuomo Soini
+# Copyright (C) 2002-2004 Michael Richardson
+# Copyright (C) 2005-2007 Andreas Steffen <andreas.steffen@strongswan.org>
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# for more details.
+
+# CAUTION: Installing a new version of strongSwan will install a new
+# copy of this script, wiping out any custom changes you make. If
+# you need changes, make a copy of this under another name, and customize
+# that, and use the (left/right)updown parameters in ipsec.conf to make
+# strongSwan use yours instead of this default one.
+
+# things that this script gets (from ipsec_pluto(8) man page)
+#
+# PLUTO_VERSION
+# indicates what version of this interface is being
+# used. This document describes version 1.1. This
+# is upwardly compatible with version 1.0.
+#
+# PLUTO_VERB
+# specifies the name of the operation to be performed
+# (prepare-host, prepare-client, up-host, up-client,
+# down-host, or down-client). If the address family
+# for security gateway to security gateway communica-
+# tions is IPv6, then a suffix of -v6 is added to the
+# verb.
+#
+# PLUTO_CONNECTION
+# is the name of the connection for which we are
+# routing.
+#
+# PLUTO_NEXT_HOP
+# is the next hop to which packets bound for the peer
+# must be sent.
+#
+# PLUTO_INTERFACE
+# is the name of the ipsec interface to be used.
+#
+# PLUTO_REQID
+# is the requid of the ESP policy
+#
+# PLUTO_UNIQUEID
+# is the unique identifier of the associated IKE_SA
+#
+# PLUTO_ME
+# is the IP address of our host.
+#
+# PLUTO_MY_ID
+# is the ID of our host.
+#
+# PLUTO_MY_CLIENT
+# is the IP address / count of our client subnet. If
+# the client is just the host, this will be the
+# host's own IP address / max (where max is 32 for
+# IPv4 and 128 for IPv6).
+#
+# PLUTO_MY_CLIENT_NET
+# is the IP address of our client net. If the client
+# is just the host, this will be the host's own IP
+# address.
+#
+# PLUTO_MY_CLIENT_MASK
+# is the mask for our client net. If the client is
+# just the host, this will be 255.255.255.255.
+#
+# PLUTO_MY_SOURCEIP
+# PLUTO_MY_SOURCEIP4_$i
+# PLUTO_MY_SOURCEIP6_$i
+# contains IPv4/IPv6 virtual IP received from a responder,
+# $i enumerates from 1 to the number of IP per address family.
+# PLUTO_MY_SOURCEIP is a legacy variable and equals to the first
+# virtual IP, IPv4 or IPv6.
+#
+# PLUTO_MY_PROTOCOL
+# is the IP protocol that will be transported.
+#
+# PLUTO_MY_PORT
+# is the UDP/TCP port to which the IPsec SA is
+# restricted on our side.
+#
+# PLUTO_PEER
+# is the IP address of our peer.
+#
+# PLUTO_PEER_ID
+# is the ID of our peer.
+#
+# PLUTO_PEER_CA
+# is the CA which issued the cert of our peer.
+#
+# PLUTO_PEER_CLIENT
+# is the IP address / count of the peer's client sub-
+# net. If the client is just the peer, this will be
+# the peer's own IP address / max (where max is 32
+# for IPv4 and 128 for IPv6).
+#
+# PLUTO_PEER_CLIENT_NET
+# is the IP address of the peer's client net. If the
+# client is just the peer, this will be the peer's
+# own IP address.
+#
+# PLUTO_PEER_CLIENT_MASK
+# is the mask for the peer's client net. If the
+# client is just the peer, this will be
+# 255.255.255.255.
+#
+# PLUTO_PEER_PROTOCOL
+# is the IP protocol that will be transported.
+#
+# PLUTO_PEER_PORT
+# is the UDP/TCP port to which the IPsec SA is
+# restricted on the peer side.
+#
+# PLUTO_XAUTH_ID
+# is an optional user ID employed by the XAUTH protocol
+#
+# PLUTO_MARK_IN
+# is an optional XFRM mark set on the inbound IPsec SA
+#
+# PLUTO_MARK_OUT
+# is an optional XFRM mark set on the outbound IPsec SA
+#
+# PLUTO_UDP_ENC
+# contains the remote UDP port in the case of ESP_IN_UDP
+# encapsulation
+#
+# PLUTO_DNS4_$i
+# PLUTO_DNS6_$i
+# contains IPv4/IPv6 DNS server attribute received from a
+# responder, $i enumerates from 1 to the number of servers per
+# address family.
+#
+
+# define a minimum PATH environment in case it is not set
+PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
+export PATH
+
+# uncomment to log VPN connections
+VPN_LOGGING=1
+#
+# tag put in front of each log entry:
+TAG=vpn
+#
+# syslog facility and priority used:
+FAC_PRIO=local0.notice
+#
+# to create a special vpn logging file, put the following line into
+# the syslog configuration file /etc/syslog.conf:
+#
+# local0.notice -/var/log/vpn
+
+# in order to use source IP routing the Linux kernel options
+# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES
+# must be enabled
+#
+# special routing table for sourceip routes
+SOURCEIP_ROUTING_TABLE=220
+#
+# priority of the sourceip routing table
+SOURCEIP_ROUTING_TABLE_PRIO=220
+
+# check interface version
+case "$PLUTO_VERSION" in
+1.[0|1]) # Older Pluto?!? Play it safe, script may be using new features.
+ echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
+ echo "$0: called by obsolete Pluto?" >&2
+ exit 2
+ ;;
+1.*) ;;
+*) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
+ exit 2
+ ;;
+esac
+
+# check parameter(s)
+case "$1:$*" in
+':') # no parameters
+ ;;
+iptables:iptables) # due to (left/right)firewall; for default script only
+ ;;
+custom:*) # custom parameters (see above CAUTION comment)
+ ;;
+*) echo "$0: unknown parameters \`$*'" >&2
+ exit 2
+ ;;
+esac
+
+# utility functions for route manipulation
+# Meddling with this stuff should not be necessary and requires great care.
+uproute() {
+ doroute add
+ ip route flush cache
+}
+downroute() {
+ doroute delete
+ ip route flush cache
+}
+
+addsource() {
+ st=0
+ if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
+ then
+ it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
+ oops="`eval $it 2>&1`"
+ st=$?
+ if test " $oops" = " " -a " $st" != " 0"
+ then
+ oops="silent error, exit status $st"
+ fi
+ if test " $oops" != " " -o " $st" != " 0"
+ then
+ echo "$0: addsource \`$it' failed ($oops)" >&2
+ fi
+ fi
+ return $st
+}
+
+doroute() {
+ st=0
+
+ if [ -z "$PLUTO_MY_SOURCEIP" ]
+ then
+ for dir in /etc/sysconfig /etc/conf.d; do
+ if [ -f "$dir/defaultsource" ]
+ then
+ . "$dir/defaultsource"
+ fi
+ done
+
+ if [ -n "$DEFAULTSOURCE" ]
+ then
+ PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
+ fi
+ fi
+
+ if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
+ then
+ # leave because no route entry is required
+ return $st
+ fi
+
+ parms1="$PLUTO_PEER_CLIENT"
+
+ if [ -n "$PLUTO_NEXT_HOP" ]
+ then
+ parms2="via $PLUTO_NEXT_HOP"
+ else
+ parms2="via $PLUTO_PEER"
+ fi
+ parms2="$parms2 dev $PLUTO_INTERFACE"
+
+ parms3=
+ if [ -n "$PLUTO_MY_SOURCEIP" ]
+ then
+ if test "$1" = "add"
+ then
+ addsource
+ if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE"
+ then
+ ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE
+ fi
+ fi
+ parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE"
+ fi
+
+ case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+ "0.0.0.0/0.0.0.0")
+ # opportunistic encryption work around
+ # need to provide route that eclipses default, without
+ # replacing it.
+ it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
+ ip route $1 128.0.0.0/1 $parms2 $parms3"
+ ;;
+ *) it="ip route $1 $parms1 $parms2 $parms3"
+ ;;
+ esac
+ oops="`eval $it 2>&1`"
+ st=$?
+ if test " $oops" = " " -a " $st" != " 0"
+ then
+ oops="silent error, exit status $st"
+ fi
+ if test " $oops" != " " -o " $st" != " 0"
+ then
+ echo "$0: doroute \`$it' failed ($oops)" >&2
+ fi
+ return $st
+}
+
+# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
+if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
+then
+ KLIPS=1
+ IPSEC_POLICY_IN=""
+ IPSEC_POLICY_OUT=""
+else
+ KLIPS=
+ IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
+ IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
+ IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
+fi
+
+# are there port numbers?
+if [ "$PLUTO_MY_PORT" != 0 ]
+then
+ S_MY_PORT="--sport $PLUTO_MY_PORT"
+ D_MY_PORT="--dport $PLUTO_MY_PORT"
+fi
+if [ "$PLUTO_PEER_PORT" != 0 ]
+then
+ S_PEER_PORT="--sport $PLUTO_PEER_PORT"
+ D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+fi
+
+# resolve octal escape sequences
+PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
+PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
+
+# the big choice
+case "$PLUTO_VERB:$1" in
+prepare-host:*|prepare-client:*)
+ if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
+ then
+ # exit because no route will be added,
+ # so that existing routes can stay
+ exit 0
+ fi
+
+ # delete possibly-existing route (preliminary to adding a route)
+ case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+ "0.0.0.0/0.0.0.0")
+ # need to provide route that eclipses default, without
+ # replacing it.
+ parms1="0.0.0.0/1"
+ parms2="128.0.0.0/1"
+ it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
+ oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
+ ;;
+ *)
+ parms="$PLUTO_PEER_CLIENT"
+ it="ip route delete $parms 2>&1"
+ oops="`ip route delete $parms 2>&1`"
+ ;;
+ esac
+ status="$?"
+ if test " $oops" = " " -a " $status" != " 0"
+ then
+ oops="silent error, exit status $status"
+ fi
+ case "$oops" in
+ *'RTNETLINK answers: No such process'*)
+ # This is what route (currently -- not documented!) gives
+ # for "could not find such a route".
+ oops=
+ status=0
+ ;;
+ esac
+ if test " $oops" != " " -o " $status" != " 0"
+ then
+ echo "$0: \`$it' failed ($oops)" >&2
+ fi
+ exit $status
+ ;;
+route-host:*|route-client:*)
+ # connection to me or my client subnet being routed
+ uproute
+ ;;
+unroute-host:*|unroute-client:*)
+ # connection to me or my client subnet being unrouted
+ downroute
+ ;;
+up-host:)
+ # connection to me coming up
+ # If you are doing a custom version, firewall commands go here.
+ ;;
+down-host:)
+ # connection to me going down
+ # If you are doing a custom version, firewall commands go here.
+ ;;
+up-client:)
+ # connection to my client subnet coming up
+ # If you are doing a custom version, firewall commands go here.
+ PLUTO_INTERFACE=ipsec0
+ iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+ ;;
+down-client:)
+ # connection to my client subnet going down
+ # If you are doing a custom version, firewall commands go here.
+ PLUTO_INTERFACE=ipsec0
+ iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+ ;;
+up-host:iptables)
+ # connection to me, with (left/right)firewall=yes, coming up
+ # This is used only by the default updown script, not by your custom
+ # ones, so do not mess with it; see CAUTION comment up at top.
+ iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+ iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ #
+ # log IPsec host connection setup
+ if [ $VPN_LOGGING ]
+ then
+ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+ then
+ logger -t $TAG -p $FAC_PRIO \
+ "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+ else
+ logger -t $TAG -p $FAC_PRIO \
+ "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+ fi
+ fi
+ ;;
+down-host:iptables)
+ # connection to me, with (left/right)firewall=yes, going down
+ # This is used only by the default updown script, not by your custom
+ # ones, so do not mess with it; see CAUTION comment up at top.
+ iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+ iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ #
+ # log IPsec host connection teardown
+ if [ $VPN_LOGGING ]
+ then
+ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+ then
+ logger -t $TAG -p $FAC_PRIO -- \
+ "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+ else
+ logger -t $TAG -p $FAC_PRIO -- \
+ "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+ fi
+ fi
+ ;;
+up-client:iptables)
+ # connection to client subnet, with (left/right)firewall=yes, coming up
+ # This is used only by the default updown script, not by your custom
+ # ones, so do not mess with it; see CAUTION comment up at top.
+ if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+ then
+ iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+ iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
+ # a virtual IP requires an INPUT and OUTPUT rule on the host
+ # or sometimes host access via the internal IP is needed
+ if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+ then
+ iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+ iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+ fi
+ #
+ # log IPsec client connection setup
+ if [ $VPN_LOGGING ]
+ then
+ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+ then
+ logger -t $TAG -p $FAC_PRIO \
+ "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ else
+ logger -t $TAG -p $FAC_PRIO \
+ "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ fi
+ fi
+ ;;
+down-client:iptables)
+ # connection to client subnet, with (left/right)firewall=yes, going down
+ # This is used only by the default updown script, not by your custom
+ # ones, so do not mess with it; see CAUTION comment up at top.
+ if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+ then
+ iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+ $IPSEC_POLICY_OUT -j ACCEPT
+ iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT \
+ $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
+ # a virtual IP requires an INPUT and OUTPUT rule on the host
+ # or sometimes host access via the internal IP is needed
+ if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+ then
+ iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT \
+ $IPSEC_POLICY_IN -j ACCEPT
+ iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+ $IPSEC_POLICY_OUT -j ACCEPT
+ fi
+ #
+ # log IPsec client connection teardown
+ if [ $VPN_LOGGING ]
+ then
+ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+ then
+ logger -t $TAG -p $FAC_PRIO -- \
+ "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ else
+ logger -t $TAG -p $FAC_PRIO -- \
+ "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ fi
+ fi
+ ;;
+#
+# IPv6
+#
+prepare-host-v6:*|prepare-client-v6:*)
+ ;;
+route-host-v6:*|route-client-v6:*)
+ # connection to me or my client subnet being routed
+ #uproute_v6
+ ;;
+unroute-host-v6:*|unroute-client-v6:*)
+ # connection to me or my client subnet being unrouted
+ #downroute_v6
+ ;;
+up-host-v6:)
+ # connection to me coming up
+ # If you are doing a custom version, firewall commands go here.
+ ;;
+down-host-v6:)
+ # connection to me going down
+ # If you are doing a custom version, firewall commands go here.
+ ;;
+up-client-v6:)
+ # connection to my client subnet coming up
+ # If you are doing a custom version, firewall commands go here.
+ ;;
+down-client-v6:)
+ # connection to my client subnet going down
+ # If you are doing a custom version, firewall commands go here.
+ ;;
+up-host-v6:iptables)
+ # connection to me, with (left/right)firewall=yes, coming up
+ # This is used only by the default updown script, not by your custom
+ # ones, so do not mess with it; see CAUTION comment up at top.
+ ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+ ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ #
+ # log IPsec host connection setup
+ if [ $VPN_LOGGING ]
+ then
+ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+ then
+ logger -t $TAG -p $FAC_PRIO \
+ "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+ else
+ logger -t $TAG -p $FAC_PRIO \
+ "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+ fi
+ fi
+ ;;
+down-host-v6:iptables)
+ # connection to me, with (left/right)firewall=yes, going down
+ # This is used only by the default updown script, not by your custom
+ # ones, so do not mess with it; see CAUTION comment up at top.
+ ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+ ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ #
+ # log IPsec host connection teardown
+ if [ $VPN_LOGGING ]
+ then
+ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+ then
+ logger -t $TAG -p $FAC_PRIO -- \
+ "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+ else
+ logger -t $TAG -p $FAC_PRIO -- \
+ "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+ fi
+ fi
+ ;;
+up-client-v6:iptables)
+ # connection to client subnet, with (left/right)firewall=yes, coming up
+ # This is used only by the default updown script, not by your custom
+ # ones, so do not mess with it; see CAUTION comment up at top.
+ if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
+ then
+ ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+ ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
+ # a virtual IP requires an INPUT and OUTPUT rule on the host
+ # or sometimes host access via the internal IP is needed
+ if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+ then
+ ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+ ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+ fi
+ #
+ # log IPsec client connection setup
+ if [ $VPN_LOGGING ]
+ then
+ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+ then
+ logger -t $TAG -p $FAC_PRIO \
+ "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ else
+ logger -t $TAG -p $FAC_PRIO \
+ "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ fi
+ fi
+ ;;
+down-client-v6:iptables)
+ # connection to client subnet, with (left/right)firewall=yes, going down
+ # This is used only by the default updown script, not by your custom
+ # ones, so do not mess with it; see CAUTION comment up at top.
+ if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
+ then
+ ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+ $IPSEC_POLICY_OUT -j ACCEPT
+ ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT \
+ $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
+ # a virtual IP requires an INPUT and OUTPUT rule on the host
+ # or sometimes host access via the internal IP is needed
+ if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+ then
+ ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT \
+ $IPSEC_POLICY_IN -j ACCEPT
+ ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+ $IPSEC_POLICY_OUT -j ACCEPT
+ fi
+ #
+ # log IPsec client connection teardown
+ if [ $VPN_LOGGING ]
+ then
+ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+ then
+ logger -t $TAG -p $FAC_PRIO -- \
+ "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ else
+ logger -t $TAG -p $FAC_PRIO -- \
+ "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ fi
+ fi
+ ;;
+*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
+ exit 1
+ ;;
+esac
diff --git a/testing/tests/libipsec/net2net-cert/hosts/sun/etc/ipsec.conf b/testing/tests/libipsec/net2net-cert/hosts/sun/etc/ipsec.conf
new file mode 100644
index 000000000..b16440aa1
--- /dev/null
+++ b/testing/tests/libipsec/net2net-cert/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ mobike=no
+
+conn net-net
+ left=PH_IP_SUN
+ leftcert=sunCert.pem
+ leftid=@sun.strongswan.org
+ leftsubnet=10.2.0.0/16
+ leftupdown=/etc/updown
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsubnet=10.1.0.0/16
+ auto=add
diff --git a/testing/tests/libipsec/net2net-cert/hosts/sun/etc/strongswan.conf b/testing/tests/libipsec/net2net-cert/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..97bb34aed
--- /dev/null
+++ b/testing/tests/libipsec/net2net-cert/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-libipsec kernel-netlink socket-default updown
+ multiple_authentication = no
+}
diff --git a/testing/tests/libipsec/net2net-cert/hosts/sun/etc/updown b/testing/tests/libipsec/net2net-cert/hosts/sun/etc/updown
new file mode 100755
index 000000000..1a68ada0e
--- /dev/null
+++ b/testing/tests/libipsec/net2net-cert/hosts/sun/etc/updown
@@ -0,0 +1,705 @@
+#! /bin/sh
+# iproute2 version, default updown script
+#
+# Copyright (C) 2003-2004 Nigel Meteringham
+# Copyright (C) 2003-2004 Tuomo Soini
+# Copyright (C) 2002-2004 Michael Richardson
+# Copyright (C) 2005-2007 Andreas Steffen <andreas.steffen@strongswan.org>
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# for more details.
+
+# CAUTION: Installing a new version of strongSwan will install a new
+# copy of this script, wiping out any custom changes you make. If
+# you need changes, make a copy of this under another name, and customize
+# that, and use the (left/right)updown parameters in ipsec.conf to make
+# strongSwan use yours instead of this default one.
+
+# things that this script gets (from ipsec_pluto(8) man page)
+#
+# PLUTO_VERSION
+# indicates what version of this interface is being
+# used. This document describes version 1.1. This
+# is upwardly compatible with version 1.0.
+#
+# PLUTO_VERB
+# specifies the name of the operation to be performed
+# (prepare-host, prepare-client, up-host, up-client,
+# down-host, or down-client). If the address family
+# for security gateway to security gateway communica-
+# tions is IPv6, then a suffix of -v6 is added to the
+# verb.
+#
+# PLUTO_CONNECTION
+# is the name of the connection for which we are
+# routing.
+#
+# PLUTO_NEXT_HOP
+# is the next hop to which packets bound for the peer
+# must be sent.
+#
+# PLUTO_INTERFACE
+# is the name of the ipsec interface to be used.
+#
+# PLUTO_REQID
+# is the requid of the ESP policy
+#
+# PLUTO_UNIQUEID
+# is the unique identifier of the associated IKE_SA
+#
+# PLUTO_ME
+# is the IP address of our host.
+#
+# PLUTO_MY_ID
+# is the ID of our host.
+#
+# PLUTO_MY_CLIENT
+# is the IP address / count of our client subnet. If
+# the client is just the host, this will be the
+# host's own IP address / max (where max is 32 for
+# IPv4 and 128 for IPv6).
+#
+# PLUTO_MY_CLIENT_NET
+# is the IP address of our client net. If the client
+# is just the host, this will be the host's own IP
+# address.
+#
+# PLUTO_MY_CLIENT_MASK
+# is the mask for our client net. If the client is
+# just the host, this will be 255.255.255.255.
+#
+# PLUTO_MY_SOURCEIP
+# PLUTO_MY_SOURCEIP4_$i
+# PLUTO_MY_SOURCEIP6_$i
+# contains IPv4/IPv6 virtual IP received from a responder,
+# $i enumerates from 1 to the number of IP per address family.
+# PLUTO_MY_SOURCEIP is a legacy variable and equals to the first
+# virtual IP, IPv4 or IPv6.
+#
+# PLUTO_MY_PROTOCOL
+# is the IP protocol that will be transported.
+#
+# PLUTO_MY_PORT
+# is the UDP/TCP port to which the IPsec SA is
+# restricted on our side.
+#
+# PLUTO_PEER
+# is the IP address of our peer.
+#
+# PLUTO_PEER_ID
+# is the ID of our peer.
+#
+# PLUTO_PEER_CA
+# is the CA which issued the cert of our peer.
+#
+# PLUTO_PEER_CLIENT
+# is the IP address / count of the peer's client sub-
+# net. If the client is just the peer, this will be
+# the peer's own IP address / max (where max is 32
+# for IPv4 and 128 for IPv6).
+#
+# PLUTO_PEER_CLIENT_NET
+# is the IP address of the peer's client net. If the
+# client is just the peer, this will be the peer's
+# own IP address.
+#
+# PLUTO_PEER_CLIENT_MASK
+# is the mask for the peer's client net. If the
+# client is just the peer, this will be
+# 255.255.255.255.
+#
+# PLUTO_PEER_PROTOCOL
+# is the IP protocol that will be transported.
+#
+# PLUTO_PEER_PORT
+# is the UDP/TCP port to which the IPsec SA is
+# restricted on the peer side.
+#
+# PLUTO_XAUTH_ID
+# is an optional user ID employed by the XAUTH protocol
+#
+# PLUTO_MARK_IN
+# is an optional XFRM mark set on the inbound IPsec SA
+#
+# PLUTO_MARK_OUT
+# is an optional XFRM mark set on the outbound IPsec SA
+#
+# PLUTO_UDP_ENC
+# contains the remote UDP port in the case of ESP_IN_UDP
+# encapsulation
+#
+# PLUTO_DNS4_$i
+# PLUTO_DNS6_$i
+# contains IPv4/IPv6 DNS server attribute received from a
+# responder, $i enumerates from 1 to the number of servers per
+# address family.
+#
+
+# define a minimum PATH environment in case it is not set
+PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
+export PATH
+
+# uncomment to log VPN connections
+VPN_LOGGING=1
+#
+# tag put in front of each log entry:
+TAG=vpn
+#
+# syslog facility and priority used:
+FAC_PRIO=local0.notice
+#
+# to create a special vpn logging file, put the following line into
+# the syslog configuration file /etc/syslog.conf:
+#
+# local0.notice -/var/log/vpn
+
+# in order to use source IP routing the Linux kernel options
+# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES
+# must be enabled
+#
+# special routing table for sourceip routes
+SOURCEIP_ROUTING_TABLE=220
+#
+# priority of the sourceip routing table
+SOURCEIP_ROUTING_TABLE_PRIO=220
+
+# check interface version
+case "$PLUTO_VERSION" in
+1.[0|1]) # Older Pluto?!? Play it safe, script may be using new features.
+ echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
+ echo "$0: called by obsolete Pluto?" >&2
+ exit 2
+ ;;
+1.*) ;;
+*) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
+ exit 2
+ ;;
+esac
+
+# check parameter(s)
+case "$1:$*" in
+':') # no parameters
+ ;;
+iptables:iptables) # due to (left/right)firewall; for default script only
+ ;;
+custom:*) # custom parameters (see above CAUTION comment)
+ ;;
+*) echo "$0: unknown parameters \`$*'" >&2
+ exit 2
+ ;;
+esac
+
+# utility functions for route manipulation
+# Meddling with this stuff should not be necessary and requires great care.
+uproute() {
+ doroute add
+ ip route flush cache
+}
+downroute() {
+ doroute delete
+ ip route flush cache
+}
+
+addsource() {
+ st=0
+ if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
+ then
+ it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
+ oops="`eval $it 2>&1`"
+ st=$?
+ if test " $oops" = " " -a " $st" != " 0"
+ then
+ oops="silent error, exit status $st"
+ fi
+ if test " $oops" != " " -o " $st" != " 0"
+ then
+ echo "$0: addsource \`$it' failed ($oops)" >&2
+ fi
+ fi
+ return $st
+}
+
+doroute() {
+ st=0
+
+ if [ -z "$PLUTO_MY_SOURCEIP" ]
+ then
+ for dir in /etc/sysconfig /etc/conf.d; do
+ if [ -f "$dir/defaultsource" ]
+ then
+ . "$dir/defaultsource"
+ fi
+ done
+
+ if [ -n "$DEFAULTSOURCE" ]
+ then
+ PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
+ fi
+ fi
+
+ if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
+ then
+ # leave because no route entry is required
+ return $st
+ fi
+
+ parms1="$PLUTO_PEER_CLIENT"
+
+ if [ -n "$PLUTO_NEXT_HOP" ]
+ then
+ parms2="via $PLUTO_NEXT_HOP"
+ else
+ parms2="via $PLUTO_PEER"
+ fi
+ parms2="$parms2 dev $PLUTO_INTERFACE"
+
+ parms3=
+ if [ -n "$PLUTO_MY_SOURCEIP" ]
+ then
+ if test "$1" = "add"
+ then
+ addsource
+ if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE"
+ then
+ ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE
+ fi
+ fi
+ parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE"
+ fi
+
+ case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+ "0.0.0.0/0.0.0.0")
+ # opportunistic encryption work around
+ # need to provide route that eclipses default, without
+ # replacing it.
+ it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
+ ip route $1 128.0.0.0/1 $parms2 $parms3"
+ ;;
+ *) it="ip route $1 $parms1 $parms2 $parms3"
+ ;;
+ esac
+ oops="`eval $it 2>&1`"
+ st=$?
+ if test " $oops" = " " -a " $st" != " 0"
+ then
+ oops="silent error, exit status $st"
+ fi
+ if test " $oops" != " " -o " $st" != " 0"
+ then
+ echo "$0: doroute \`$it' failed ($oops)" >&2
+ fi
+ return $st
+}
+
+# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
+if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
+then
+ KLIPS=1
+ IPSEC_POLICY_IN=""
+ IPSEC_POLICY_OUT=""
+else
+ KLIPS=
+ IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
+ IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
+ IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
+fi
+
+# are there port numbers?
+if [ "$PLUTO_MY_PORT" != 0 ]
+then
+ S_MY_PORT="--sport $PLUTO_MY_PORT"
+ D_MY_PORT="--dport $PLUTO_MY_PORT"
+fi
+if [ "$PLUTO_PEER_PORT" != 0 ]
+then
+ S_PEER_PORT="--sport $PLUTO_PEER_PORT"
+ D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+fi
+
+# resolve octal escape sequences
+PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
+PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
+
+# the big choice
+case "$PLUTO_VERB:$1" in
+prepare-host:*|prepare-client:*)
+ if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
+ then
+ # exit because no route will be added,
+ # so that existing routes can stay
+ exit 0
+ fi
+
+ # delete possibly-existing route (preliminary to adding a route)
+ case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+ "0.0.0.0/0.0.0.0")
+ # need to provide route that eclipses default, without
+ # replacing it.
+ parms1="0.0.0.0/1"
+ parms2="128.0.0.0/1"
+ it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
+ oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
+ ;;
+ *)
+ parms="$PLUTO_PEER_CLIENT"
+ it="ip route delete $parms 2>&1"
+ oops="`ip route delete $parms 2>&1`"
+ ;;
+ esac
+ status="$?"
+ if test " $oops" = " " -a " $status" != " 0"
+ then
+ oops="silent error, exit status $status"
+ fi
+ case "$oops" in
+ *'RTNETLINK answers: No such process'*)
+ # This is what route (currently -- not documented!) gives
+ # for "could not find such a route".
+ oops=
+ status=0
+ ;;
+ esac
+ if test " $oops" != " " -o " $status" != " 0"
+ then
+ echo "$0: \`$it' failed ($oops)" >&2
+ fi
+ exit $status
+ ;;
+route-host:*|route-client:*)
+ # connection to me or my client subnet being routed
+ uproute
+ ;;
+unroute-host:*|unroute-client:*)
+ # connection to me or my client subnet being unrouted
+ downroute
+ ;;
+up-host:)
+ # connection to me coming up
+ # If you are doing a custom version, firewall commands go here.
+ ;;
+down-host:)
+ # connection to me going down
+ # If you are doing a custom version, firewall commands go here.
+ ;;
+up-client:)
+ # connection to my client subnet coming up
+ # If you are doing a custom version, firewall commands go here.
+ PLUTO_INTERFACE=ipsec0
+ iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+ ;;
+down-client:)
+ # connection to my client subnet going down
+ # If you are doing a custom version, firewall commands go here.
+ PLUTO_INTERFACE=ipsec0
+ iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+ ;;
+up-host:iptables)
+ # connection to me, with (left/right)firewall=yes, coming up
+ # This is used only by the default updown script, not by your custom
+ # ones, so do not mess with it; see CAUTION comment up at top.
+ iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+ iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ #
+ # log IPsec host connection setup
+ if [ $VPN_LOGGING ]
+ then
+ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+ then
+ logger -t $TAG -p $FAC_PRIO \
+ "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+ else
+ logger -t $TAG -p $FAC_PRIO \
+ "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+ fi
+ fi
+ ;;
+down-host:iptables)
+ # connection to me, with (left/right)firewall=yes, going down
+ # This is used only by the default updown script, not by your custom
+ # ones, so do not mess with it; see CAUTION comment up at top.
+ iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+ iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ #
+ # log IPsec host connection teardown
+ if [ $VPN_LOGGING ]
+ then
+ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+ then
+ logger -t $TAG -p $FAC_PRIO -- \
+ "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+ else
+ logger -t $TAG -p $FAC_PRIO -- \
+ "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+ fi
+ fi
+ ;;
+up-client:iptables)
+ # connection to client subnet, with (left/right)firewall=yes, coming up
+ # This is used only by the default updown script, not by your custom
+ # ones, so do not mess with it; see CAUTION comment up at top.
+ if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+ then
+ iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+ iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
+ # a virtual IP requires an INPUT and OUTPUT rule on the host
+ # or sometimes host access via the internal IP is needed
+ if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+ then
+ iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+ iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+ fi
+ #
+ # log IPsec client connection setup
+ if [ $VPN_LOGGING ]
+ then
+ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+ then
+ logger -t $TAG -p $FAC_PRIO \
+ "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ else
+ logger -t $TAG -p $FAC_PRIO \
+ "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ fi
+ fi
+ ;;
+down-client:iptables)
+ # connection to client subnet, with (left/right)firewall=yes, going down
+ # This is used only by the default updown script, not by your custom
+ # ones, so do not mess with it; see CAUTION comment up at top.
+ if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+ then
+ iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+ $IPSEC_POLICY_OUT -j ACCEPT
+ iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT \
+ $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
+ # a virtual IP requires an INPUT and OUTPUT rule on the host
+ # or sometimes host access via the internal IP is needed
+ if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+ then
+ iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT \
+ $IPSEC_POLICY_IN -j ACCEPT
+ iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+ $IPSEC_POLICY_OUT -j ACCEPT
+ fi
+ #
+ # log IPsec client connection teardown
+ if [ $VPN_LOGGING ]
+ then
+ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+ then
+ logger -t $TAG -p $FAC_PRIO -- \
+ "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ else
+ logger -t $TAG -p $FAC_PRIO -- \
+ "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ fi
+ fi
+ ;;
+#
+# IPv6
+#
+prepare-host-v6:*|prepare-client-v6:*)
+ ;;
+route-host-v6:*|route-client-v6:*)
+ # connection to me or my client subnet being routed
+ #uproute_v6
+ ;;
+unroute-host-v6:*|unroute-client-v6:*)
+ # connection to me or my client subnet being unrouted
+ #downroute_v6
+ ;;
+up-host-v6:)
+ # connection to me coming up
+ # If you are doing a custom version, firewall commands go here.
+ ;;
+down-host-v6:)
+ # connection to me going down
+ # If you are doing a custom version, firewall commands go here.
+ ;;
+up-client-v6:)
+ # connection to my client subnet coming up
+ # If you are doing a custom version, firewall commands go here.
+ ;;
+down-client-v6:)
+ # connection to my client subnet going down
+ # If you are doing a custom version, firewall commands go here.
+ ;;
+up-host-v6:iptables)
+ # connection to me, with (left/right)firewall=yes, coming up
+ # This is used only by the default updown script, not by your custom
+ # ones, so do not mess with it; see CAUTION comment up at top.
+ ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+ ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ #
+ # log IPsec host connection setup
+ if [ $VPN_LOGGING ]
+ then
+ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+ then
+ logger -t $TAG -p $FAC_PRIO \
+ "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+ else
+ logger -t $TAG -p $FAC_PRIO \
+ "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+ fi
+ fi
+ ;;
+down-host-v6:iptables)
+ # connection to me, with (left/right)firewall=yes, going down
+ # This is used only by the default updown script, not by your custom
+ # ones, so do not mess with it; see CAUTION comment up at top.
+ ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+ ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ #
+ # log IPsec host connection teardown
+ if [ $VPN_LOGGING ]
+ then
+ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+ then
+ logger -t $TAG -p $FAC_PRIO -- \
+ "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+ else
+ logger -t $TAG -p $FAC_PRIO -- \
+ "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+ fi
+ fi
+ ;;
+up-client-v6:iptables)
+ # connection to client subnet, with (left/right)firewall=yes, coming up
+ # This is used only by the default updown script, not by your custom
+ # ones, so do not mess with it; see CAUTION comment up at top.
+ if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
+ then
+ ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+ ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
+ # a virtual IP requires an INPUT and OUTPUT rule on the host
+ # or sometimes host access via the internal IP is needed
+ if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+ then
+ ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+ ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+ fi
+ #
+ # log IPsec client connection setup
+ if [ $VPN_LOGGING ]
+ then
+ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+ then
+ logger -t $TAG -p $FAC_PRIO \
+ "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ else
+ logger -t $TAG -p $FAC_PRIO \
+ "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ fi
+ fi
+ ;;
+down-client-v6:iptables)
+ # connection to client subnet, with (left/right)firewall=yes, going down
+ # This is used only by the default updown script, not by your custom
+ # ones, so do not mess with it; see CAUTION comment up at top.
+ if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
+ then
+ ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+ $IPSEC_POLICY_OUT -j ACCEPT
+ ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT \
+ $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
+ # a virtual IP requires an INPUT and OUTPUT rule on the host
+ # or sometimes host access via the internal IP is needed
+ if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+ then
+ ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT \
+ $IPSEC_POLICY_IN -j ACCEPT
+ ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+ $IPSEC_POLICY_OUT -j ACCEPT
+ fi
+ #
+ # log IPsec client connection teardown
+ if [ $VPN_LOGGING ]
+ then
+ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+ then
+ logger -t $TAG -p $FAC_PRIO -- \
+ "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ else
+ logger -t $TAG -p $FAC_PRIO -- \
+ "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ fi
+ fi
+ ;;
+*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
+ exit 1
+ ;;
+esac
diff --git a/testing/tests/libipsec/net2net-cert/posttest.dat b/testing/tests/libipsec/net2net-cert/posttest.dat
new file mode 100644
index 000000000..1f7aa73a1
--- /dev/null
+++ b/testing/tests/libipsec/net2net-cert/posttest.dat
@@ -0,0 +1,4 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/libipsec/net2net-cert/pretest.dat b/testing/tests/libipsec/net2net-cert/pretest.dat
new file mode 100644
index 000000000..c724e5df8
--- /dev/null
+++ b/testing/tests/libipsec/net2net-cert/pretest.dat
@@ -0,0 +1,6 @@
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+sun::ipsec start
+moon::sleep 1
+moon::ipsec up net-net
diff --git a/testing/tests/libipsec/net2net-cert/test.conf b/testing/tests/libipsec/net2net-cert/test.conf
new file mode 100644
index 000000000..646b8b3e6
--- /dev/null
+++ b/testing/tests/libipsec/net2net-cert/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/libipsec/rw-suite-b/description.txt b/testing/tests/libipsec/rw-suite-b/description.txt
new file mode 100644
index 000000000..a1b09405a
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/description.txt
@@ -0,0 +1,10 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection to gateway <b>moon</b>.
+The authentication is based on Suite B with <b>128 bit</b> security based on <b>X.509 ECDSA</b>
+certificates, <b>ECP Diffie-Hellman</b> groups and <b>AES-GCM</b> authenticated encryption.
+The <b>kernel-libipsec</b> plugin is used for userland IPsec AES-GCM authenticated ESP
+encryption.
+<p/>
+Upon the successful establishment of the IPsec tunnel, an updown script automatically
+inserts iptables-based firewall rules that let pass the traffic tunneled via the <b>ipsec0</b>
+tun interface. In order to test both tunnel and firewall, <b>carol</b> and <b>dave</b> ping
+the client <b>alice</b> behind the gateway <b>moon</b>.
diff --git a/testing/tests/libipsec/rw-suite-b/evaltest.dat b/testing/tests/libipsec/rw-suite-b/evaltest.dat
new file mode 100644
index 000000000..d59ea3c34
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/evaltest.dat
@@ -0,0 +1,19 @@
+carol::cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES
+dave:: cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES
+moon:: cat /var/log/daemon.log::openssl FIPS mode(2) - enabled::YES
+moon:: cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA-256 signature successful::YES
+moon:: cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with ECDSA-256 signature successful::YES
+carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
+dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
+moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
+carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
+moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+moon::tcpdump::IP carol.strongswan.org.4500 > moon.strongswan.org.4500: UDP-encap: ESP::YES
+moon::tcpdump::IP moon.strongswan.org.4500 > carol.strongswan.org.4500: UDP-encap: ESP::YES
+moon::tcpdump::IP dave.strongswan.org.4500 > moon.strongswan.org.4500: UDP-encap: ESP::YES
+moon::tcpdump::IP moon.strongswan.org.4500 > dave.strongswan.org.4500: UDP-encap: ESP::YES
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.conf b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..8106e28d2
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ ike=aes128gcm128-prfsha256-ecp256!
+ esp=aes128gcm128-ecp256!
+
+conn home
+ left=PH_IP_CAROL
+ leftcert=carolCert.pem
+ leftid=carol@strongswan.org
+ leftsourceip=%config
+ leftupdown=/etc/updown
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsubnet=10.1.0.0/16
+ auto=add
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
new file mode 100644
index 000000000..3480a434a
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyDCCAiqgAwIBAgIJAPaidX4i76aJMAkGByqGSM49BAEwSDELMAkGA1UEBhMC
+Q0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3
+YW4gRUMgUm9vdCBDQTAeFw0wODA2MjIxNDM2MDZaFw0xODA2MjAxNDM2MDZaMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA
+BAEUx1NvjNKzbDHaRPMsqIf/6SbUpzBa78N/WIyF6rYj8e5McAqfTfzUfFJZYoQn
+/mbP3VfjOxRuMDjrlfvdgMxwkwFDigWQfHg3CJbS7eQjjO1MrxxIJUtfSTnF29tM
+h6IYMdxaZKloCGCOrpmGCGdxD2/KwoX1SA3BlnjaNt7kSTonkqOBujCBtzAPBgNV
+HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUul35cbYTtWrR3bo2
+t6rSwe6P2NIweAYDVR0jBHEwb4AUul35cbYTtWrR3bo2t6rSwe6P2NKhTKRKMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2onV+Iu+miTAJBgcqhkjOPQQBA4GM
+ADCBiAJCAL5pU3X6NYWjOYe0cxrah27UxtUDLUNkFG/Ojl+gOH4QB0CKY0HXNyrq
+cgba73dXF/U0Cg3Ij/9g4Kd9GgYq0GlSAkIAqgqMKqXni8wbeGMJE2Mn2/8aHM3Q
+3flpHSoeNWOe/VzpRviw+VRgA4vbhhKUXBtQSiea77/DXLwOp5w7rkBoEUg=
+-----END CERTIFICATE-----
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/certs/carolCert.pem
new file mode 100644
index 000000000..a85635faf
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/certs/carolCert.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICXzCCAcCgAwIBAgIBCTAKBggqhkjOPQQDBDBIMQswCQYDVQQGEwJDSDEZMBcG
+A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
+b290IENBMB4XDTEzMDYyODA3MjczOFoXDTE4MDYwMjA3MjczOFowXzELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
+IDI1NiBiaXQxHTAbBgNVBAMUFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMFkwEwYHKoZI
+zj0CAQYIKoZIzj0DAQcDQgAEwYQaBELkyAVAzNzWJr9LqoK8gdKDv+Ns6D+ZQSAj
+BuX3bs5ZIn7BrRxYd+mbnpZ2in7FjXPWkcLkIK/cgay2n6OBgzCBgDAfBgNVHSME
+GDAWgBS6XflxthO1atHduja3qtLB7o/Y0jAfBgNVHREEGDAWgRRjYXJvbEBzdHJv
+bmdzd2FuLm9yZzA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLnN0cm9uZ3N3
+YW4ub3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAoGCCqGSM49BAMEA4GMADCBiAJCAIU5
+nZLSfuiHElf7SFHl/sXCTSQ5FhEjSdhpMUvsgwq0vnEJRRdsdEOmmtVT5yQFHDUR
+Z9YVl4/zP5EFyUepvCH5AkIB2WFJ5WZ3Ds76Tq9AxAPaFbsQapGgOmrRZ6lGkj49
+hzLfARkvr+fTbOrttOC4yTIfnYVygA2G1cQYzceY/JiSk00=
+-----END CERTIFICATE-----
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/private/carolKey.pem
new file mode 100644
index 000000000..d29ddb9ee
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.d/private/carolKey.pem
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIMDstKxdv/vNBPfM8iHvn5g5/8T5aRSnlh27HHt6iTfGoAoGCCqGSM49
+AwEHoUQDQgAEwYQaBELkyAVAzNzWJr9LqoK8gdKDv+Ns6D+ZQSAjBuX3bs5ZIn7B
+rRxYd+mbnpZ2in7FjXPWkcLkIK/cgay2nw==
+-----END EC PRIVATE KEY-----
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.secrets b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..3d6725162
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: ECDSA carolKey.pem
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/strongswan.conf b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..06bcaa1e5
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,15 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = soup pem pkcs1 pkcs8 random nonce x509 revocation openssl stroke kernel-libipsec kernel-netlink socket-default updown
+
+ initiator_only = yes
+}
+
+libstrongswan {
+ plugins {
+ openssl {
+ fips_mode = 2
+ }
+ }
+}
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/updown b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/updown
new file mode 100755
index 000000000..15c239466
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/updown
@@ -0,0 +1,746 @@
+#! /bin/sh
+# iproute2 version, default updown script
+#
+# Copyright (C) 2003-2004 Nigel Meteringham
+# Copyright (C) 2003-2004 Tuomo Soini
+# Copyright (C) 2002-2004 Michael Richardson
+# Copyright (C) 2005-2007 Andreas Steffen <andreas.steffen@strongswan.org>
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# for more details.
+
+# CAUTION: Installing a new version of strongSwan will install a new
+# copy of this script, wiping out any custom changes you make. If
+# you need changes, make a copy of this under another name, and customize
+# that, and use the (left/right)updown parameters in ipsec.conf to make
+# strongSwan use yours instead of this default one.
+
+# things that this script gets (from ipsec_pluto(8) man page)
+#
+# PLUTO_VERSION
+# indicates what version of this interface is being
+# used. This document describes version 1.1. This
+# is upwardly compatible with version 1.0.
+#
+# PLUTO_VERB
+# specifies the name of the operation to be performed
+# (prepare-host, prepare-client, up-host, up-client,
+# down-host, or down-client). If the address family
+# for security gateway to security gateway communica-
+# tions is IPv6, then a suffix of -v6 is added to the
+# verb.
+#
+# PLUTO_CONNECTION
+# is the name of the connection for which we are
+# routing.
+#
+# PLUTO_NEXT_HOP
+# is the next hop to which packets bound for the peer
+# must be sent.
+#
+# PLUTO_INTERFACE
+# is the name of the ipsec interface to be used.
+#
+# PLUTO_REQID
+# is the requid of the ESP policy
+#
+# PLUTO_UNIQUEID
+# is the unique identifier of the associated IKE_SA
+#
+# PLUTO_ME
+# is the IP address of our host.
+#
+# PLUTO_MY_ID
+# is the ID of our host.
+#
+# PLUTO_MY_CLIENT
+# is the IP address / count of our client subnet. If
+# the client is just the host, this will be the
+# host's own IP address / max (where max is 32 for
+# IPv4 and 128 for IPv6).
+#
+# PLUTO_MY_CLIENT_NET
+# is the IP address of our client net. If the client
+# is just the host, this will be the host's own IP
+# address.
+#
+# PLUTO_MY_CLIENT_MASK
+# is the mask for our client net. If the client is
+# just the host, this will be 255.255.255.255.
+#
+# PLUTO_MY_SOURCEIP
+# PLUTO_MY_SOURCEIP4_$i
+# PLUTO_MY_SOURCEIP6_$i
+# contains IPv4/IPv6 virtual IP received from a responder,
+# $i enumerates from 1 to the number of IP per address family.
+# PLUTO_MY_SOURCEIP is a legacy variable and equals to the first
+# virtual IP, IPv4 or IPv6.
+#
+# PLUTO_MY_PROTOCOL
+# is the IP protocol that will be transported.
+#
+# PLUTO_MY_PORT
+# is the UDP/TCP port to which the IPsec SA is
+# restricted on our side.
+#
+# PLUTO_PEER
+# is the IP address of our peer.
+#
+# PLUTO_PEER_ID
+# is the ID of our peer.
+#
+# PLUTO_PEER_CA
+# is the CA which issued the cert of our peer.
+#
+# PLUTO_PEER_CLIENT
+# is the IP address / count of the peer's client sub-
+# net. If the client is just the peer, this will be
+# the peer's own IP address / max (where max is 32
+# for IPv4 and 128 for IPv6).
+#
+# PLUTO_PEER_CLIENT_NET
+# is the IP address of the peer's client net. If the
+# client is just the peer, this will be the peer's
+# own IP address.
+#
+# PLUTO_PEER_CLIENT_MASK
+# is the mask for the peer's client net. If the
+# client is just the peer, this will be
+# 255.255.255.255.
+#
+# PLUTO_PEER_PROTOCOL
+# is the IP protocol that will be transported.
+#
+# PLUTO_PEER_PORT
+# is the UDP/TCP port to which the IPsec SA is
+# restricted on the peer side.
+#
+# PLUTO_XAUTH_ID
+# is an optional user ID employed by the XAUTH protocol
+#
+# PLUTO_MARK_IN
+# is an optional XFRM mark set on the inbound IPsec SA
+#
+# PLUTO_MARK_OUT
+# is an optional XFRM mark set on the outbound IPsec SA
+#
+# PLUTO_UDP_ENC
+# contains the remote UDP port in the case of ESP_IN_UDP
+# encapsulation
+#
+# PLUTO_DNS4_$i
+# PLUTO_DNS6_$i
+# contains IPv4/IPv6 DNS server attribute received from a
+# responder, $i enumerates from 1 to the number of servers per
+# address family.
+#
+
+# define a minimum PATH environment in case it is not set
+PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
+export PATH
+
+# uncomment to log VPN connections
+VPN_LOGGING=1
+#
+# tag put in front of each log entry:
+TAG=vpn
+#
+# syslog facility and priority used:
+FAC_PRIO=local0.notice
+#
+# to create a special vpn logging file, put the following line into
+# the syslog configuration file /etc/syslog.conf:
+#
+# local0.notice -/var/log/vpn
+
+# in order to use source IP routing the Linux kernel options
+# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES
+# must be enabled
+#
+# special routing table for sourceip routes
+SOURCEIP_ROUTING_TABLE=220
+#
+# priority of the sourceip routing table
+SOURCEIP_ROUTING_TABLE_PRIO=220
+
+# check interface version
+case "$PLUTO_VERSION" in
+1.[0|1]) # Older Pluto?!? Play it safe, script may be using new features.
+ echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
+ echo "$0: called by obsolete Pluto?" >&2
+ exit 2
+ ;;
+1.*) ;;
+*) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
+ exit 2
+ ;;
+esac
+
+# check parameter(s)
+case "$1:$*" in
+':') # no parameters
+ ;;
+iptables:iptables) # due to (left/right)firewall; for default script only
+ ;;
+custom:*) # custom parameters (see above CAUTION comment)
+ ;;
+*) echo "$0: unknown parameters \`$*'" >&2
+ exit 2
+ ;;
+esac
+
+# utility functions for route manipulation
+# Meddling with this stuff should not be necessary and requires great care.
+uproute() {
+ doroute add
+ ip route flush cache
+}
+downroute() {
+ doroute delete
+ ip route flush cache
+}
+
+addsource() {
+ st=0
+ if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
+ then
+ it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
+ oops="`eval $it 2>&1`"
+ st=$?
+ if test " $oops" = " " -a " $st" != " 0"
+ then
+ oops="silent error, exit status $st"
+ fi
+ if test " $oops" != " " -o " $st" != " 0"
+ then
+ echo "$0: addsource \`$it' failed ($oops)" >&2
+ fi
+ fi
+ return $st
+}
+
+doroute() {
+ st=0
+
+ if [ -z "$PLUTO_MY_SOURCEIP" ]
+ then
+ for dir in /etc/sysconfig /etc/conf.d; do
+ if [ -f "$dir/defaultsource" ]
+ then
+ . "$dir/defaultsource"
+ fi
+ done
+
+ if [ -n "$DEFAULTSOURCE" ]
+ then
+ PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
+ fi
+ fi
+
+ if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
+ then
+ # leave because no route entry is required
+ return $st
+ fi
+
+ parms1="$PLUTO_PEER_CLIENT"
+
+ if [ -n "$PLUTO_NEXT_HOP" ]
+ then
+ parms2="via $PLUTO_NEXT_HOP"
+ else
+ parms2="via $PLUTO_PEER"
+ fi
+ parms2="$parms2 dev $PLUTO_INTERFACE"
+
+ parms3=
+ if [ -n "$PLUTO_MY_SOURCEIP" ]
+ then
+ if test "$1" = "add"
+ then
+ addsource
+ if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE"
+ then
+ ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE
+ fi
+ fi
+ parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE"
+ fi
+
+ case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+ "0.0.0.0/0.0.0.0")
+ # opportunistic encryption work around
+ # need to provide route that eclipses default, without
+ # replacing it.
+ it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
+ ip route $1 128.0.0.0/1 $parms2 $parms3"
+ ;;
+ *) it="ip route $1 $parms1 $parms2 $parms3"
+ ;;
+ esac
+ oops="`eval $it 2>&1`"
+ st=$?
+ if test " $oops" = " " -a " $st" != " 0"
+ then
+ oops="silent error, exit status $st"
+ fi
+ if test " $oops" != " " -o " $st" != " 0"
+ then
+ echo "$0: doroute \`$it' failed ($oops)" >&2
+ fi
+ return $st
+}
+
+# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
+if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
+then
+ KLIPS=1
+ IPSEC_POLICY_IN=""
+ IPSEC_POLICY_OUT=""
+else
+ KLIPS=
+ IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
+ IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
+ IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
+fi
+
+# are there port numbers?
+if [ "$PLUTO_MY_PORT" != 0 ]
+then
+ S_MY_PORT="--sport $PLUTO_MY_PORT"
+ D_MY_PORT="--dport $PLUTO_MY_PORT"
+fi
+if [ "$PLUTO_PEER_PORT" != 0 ]
+then
+ S_PEER_PORT="--sport $PLUTO_PEER_PORT"
+ D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+fi
+
+# resolve octal escape sequences
+PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
+PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
+
+# the big choice
+case "$PLUTO_VERB:$1" in
+prepare-host:*|prepare-client:*)
+ if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
+ then
+ # exit because no route will be added,
+ # so that existing routes can stay
+ exit 0
+ fi
+
+ # delete possibly-existing route (preliminary to adding a route)
+ case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+ "0.0.0.0/0.0.0.0")
+ # need to provide route that eclipses default, without
+ # replacing it.
+ parms1="0.0.0.0/1"
+ parms2="128.0.0.0/1"
+ it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
+ oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
+ ;;
+ *)
+ parms="$PLUTO_PEER_CLIENT"
+ it="ip route delete $parms 2>&1"
+ oops="`ip route delete $parms 2>&1`"
+ ;;
+ esac
+ status="$?"
+ if test " $oops" = " " -a " $status" != " 0"
+ then
+ oops="silent error, exit status $status"
+ fi
+ case "$oops" in
+ *'RTNETLINK answers: No such process'*)
+ # This is what route (currently -- not documented!) gives
+ # for "could not find such a route".
+ oops=
+ status=0
+ ;;
+ esac
+ if test " $oops" != " " -o " $status" != " 0"
+ then
+ echo "$0: \`$it' failed ($oops)" >&2
+ fi
+ exit $status
+ ;;
+route-host:*|route-client:*)
+ # connection to me or my client subnet being routed
+ uproute
+ ;;
+unroute-host:*|unroute-client:*)
+ # connection to me or my client subnet being unrouted
+ downroute
+ ;;
+up-host:)
+ # connection to me coming up
+ # If you are doing a custom version, firewall commands go here.
+ PLUTO_INTERFACE=ipsec0
+ iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+ iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_ME $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ ;;
+down-host:)
+ # connection to me going down
+ # If you are doing a custom version, firewall commands go here.
+ PLUTO_INTERFACE=ipsec0
+ iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+ iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_ME $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ ;;
+up-client:)
+ # connection to my client subnet coming up
+ # If you are doing a custom version, firewall commands go here.
+ PLUTO_INTERFACE=ipsec0
+ if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+ then
+ iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+ fi
+ #
+ # a virtual IP requires an INPUT and OUTPUT rule on the host
+ # or sometimes host access via the internal IP is needed
+ if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+ then
+ iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+ iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ fi
+ ;;
+down-client:)
+ # connection to my client subnet going down
+ # If you are doing a custom version, firewall commands go here.
+ PLUTO_INTERFACE=ipsec0
+ iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+ #
+ # a virtual IP requires an INPUT and OUTPUT rule on the host
+ # or sometimes host access via the internal IP is needed
+ if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+ then
+ iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+ iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ fi
+ ;;
+up-host:iptables)
+ # connection to me, with (left/right)firewall=yes, coming up
+ # This is used only by the default updown script, not by your custom
+ # ones, so do not mess with it; see CAUTION comment up at top.
+ iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+ iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ #
+ # log IPsec host connection setup
+ if [ $VPN_LOGGING ]
+ then
+ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+ then
+ logger -t $TAG -p $FAC_PRIO \
+ "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+ else
+ logger -t $TAG -p $FAC_PRIO \
+ "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+ fi
+ fi
+ ;;
+down-host:iptables)
+ # connection to me, with (left/right)firewall=yes, going down
+ # This is used only by the default updown script, not by your custom
+ # ones, so do not mess with it; see CAUTION comment up at top.
+ iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+ iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ #
+ # log IPsec host connection teardown
+ if [ $VPN_LOGGING ]
+ then
+ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+ then
+ logger -t $TAG -p $FAC_PRIO -- \
+ "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+ else
+ logger -t $TAG -p $FAC_PRIO -- \
+ "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+ fi
+ fi
+ ;;
+up-client:iptables)
+ # connection to client subnet, with (left/right)firewall=yes, coming up
+ # This is used only by the default updown script, not by your custom
+ # ones, so do not mess with it; see CAUTION comment up at top.
+ if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+ then
+ iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+ iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
+ # a virtual IP requires an INPUT and OUTPUT rule on the host
+ # or sometimes host access via the internal IP is needed
+ if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+ then
+ iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+ iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+ fi
+ #
+ # log IPsec client connection setup
+ if [ $VPN_LOGGING ]
+ then
+ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+ then
+ logger -t $TAG -p $FAC_PRIO \
+ "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ else
+ logger -t $TAG -p $FAC_PRIO \
+ "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ fi
+ fi
+ ;;
+down-client:iptables)
+ # connection to client subnet, with (left/right)firewall=yes, going down
+ # This is used only by the default updown script, not by your custom
+ # ones, so do not mess with it; see CAUTION comment up at top.
+ if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+ then
+ iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+ $IPSEC_POLICY_OUT -j ACCEPT
+ iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT \
+ $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
+ # a virtual IP requires an INPUT and OUTPUT rule on the host
+ # or sometimes host access via the internal IP is needed
+ if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+ then
+ iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT \
+ $IPSEC_POLICY_IN -j ACCEPT
+ iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+ $IPSEC_POLICY_OUT -j ACCEPT
+ fi
+ #
+ # log IPsec client connection teardown
+ if [ $VPN_LOGGING ]
+ then
+ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+ then
+ logger -t $TAG -p $FAC_PRIO -- \
+ "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ else
+ logger -t $TAG -p $FAC_PRIO -- \
+ "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ fi
+ fi
+ ;;
+#
+# IPv6
+#
+prepare-host-v6:*|prepare-client-v6:*)
+ ;;
+route-host-v6:*|route-client-v6:*)
+ # connection to me or my client subnet being routed
+ #uproute_v6
+ ;;
+unroute-host-v6:*|unroute-client-v6:*)
+ # connection to me or my client subnet being unrouted
+ #downroute_v6
+ ;;
+up-host-v6:)
+ # connection to me coming up
+ # If you are doing a custom version, firewall commands go here.
+ ;;
+down-host-v6:)
+ # connection to me going down
+ # If you are doing a custom version, firewall commands go here.
+ ;;
+up-client-v6:)
+ # connection to my client subnet coming up
+ # If you are doing a custom version, firewall commands go here.
+ ;;
+down-client-v6:)
+ # connection to my client subnet going down
+ # If you are doing a custom version, firewall commands go here.
+ ;;
+up-host-v6:iptables)
+ # connection to me, with (left/right)firewall=yes, coming up
+ # This is used only by the default updown script, not by your custom
+ # ones, so do not mess with it; see CAUTION comment up at top.
+ ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+ ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ #
+ # log IPsec host connection setup
+ if [ $VPN_LOGGING ]
+ then
+ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+ then
+ logger -t $TAG -p $FAC_PRIO \
+ "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+ else
+ logger -t $TAG -p $FAC_PRIO \
+ "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+ fi
+ fi
+ ;;
+down-host-v6:iptables)
+ # connection to me, with (left/right)firewall=yes, going down
+ # This is used only by the default updown script, not by your custom
+ # ones, so do not mess with it; see CAUTION comment up at top.
+ ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+ ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ #
+ # log IPsec host connection teardown
+ if [ $VPN_LOGGING ]
+ then
+ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+ then
+ logger -t $TAG -p $FAC_PRIO -- \
+ "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+ else
+ logger -t $TAG -p $FAC_PRIO -- \
+ "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+ fi
+ fi
+ ;;
+up-client-v6:iptables)
+ # connection to client subnet, with (left/right)firewall=yes, coming up
+ # This is used only by the default updown script, not by your custom
+ # ones, so do not mess with it; see CAUTION comment up at top.
+ if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
+ then
+ ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+ ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
+ # a virtual IP requires an INPUT and OUTPUT rule on the host
+ # or sometimes host access via the internal IP is needed
+ if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+ then
+ ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+ ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+ fi
+ #
+ # log IPsec client connection setup
+ if [ $VPN_LOGGING ]
+ then
+ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+ then
+ logger -t $TAG -p $FAC_PRIO \
+ "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ else
+ logger -t $TAG -p $FAC_PRIO \
+ "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ fi
+ fi
+ ;;
+down-client-v6:iptables)
+ # connection to client subnet, with (left/right)firewall=yes, going down
+ # This is used only by the default updown script, not by your custom
+ # ones, so do not mess with it; see CAUTION comment up at top.
+ if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
+ then
+ ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+ $IPSEC_POLICY_OUT -j ACCEPT
+ ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT \
+ $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
+ # a virtual IP requires an INPUT and OUTPUT rule on the host
+ # or sometimes host access via the internal IP is needed
+ if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+ then
+ ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT \
+ $IPSEC_POLICY_IN -j ACCEPT
+ ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+ $IPSEC_POLICY_OUT -j ACCEPT
+ fi
+ #
+ # log IPsec client connection teardown
+ if [ $VPN_LOGGING ]
+ then
+ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+ then
+ logger -t $TAG -p $FAC_PRIO -- \
+ "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ else
+ logger -t $TAG -p $FAC_PRIO -- \
+ "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ fi
+ fi
+ ;;
+*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
+ exit 1
+ ;;
+esac
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.conf b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..9b6ca682a
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ ike=aes128gcm128-prfsha256-ecp256!
+ esp=aes128gcm128-ecp256!
+
+conn home
+ left=PH_IP_DAVE
+ leftcert=daveCert.pem
+ leftid=dave@strongswan.org
+ leftsourceip=%config
+ leftupdown=/etc/updown
+ right=PH_IP_MOON
+ rightid=moon.strongswan.org
+ rightsubnet=10.1.0.0/16
+ auto=add
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem
new file mode 100644
index 000000000..3480a434a
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyDCCAiqgAwIBAgIJAPaidX4i76aJMAkGByqGSM49BAEwSDELMAkGA1UEBhMC
+Q0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3
+YW4gRUMgUm9vdCBDQTAeFw0wODA2MjIxNDM2MDZaFw0xODA2MjAxNDM2MDZaMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA
+BAEUx1NvjNKzbDHaRPMsqIf/6SbUpzBa78N/WIyF6rYj8e5McAqfTfzUfFJZYoQn
+/mbP3VfjOxRuMDjrlfvdgMxwkwFDigWQfHg3CJbS7eQjjO1MrxxIJUtfSTnF29tM
+h6IYMdxaZKloCGCOrpmGCGdxD2/KwoX1SA3BlnjaNt7kSTonkqOBujCBtzAPBgNV
+HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUul35cbYTtWrR3bo2
+t6rSwe6P2NIweAYDVR0jBHEwb4AUul35cbYTtWrR3bo2t6rSwe6P2NKhTKRKMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2onV+Iu+miTAJBgcqhkjOPQQBA4GM
+ADCBiAJCAL5pU3X6NYWjOYe0cxrah27UxtUDLUNkFG/Ojl+gOH4QB0CKY0HXNyrq
+cgba73dXF/U0Cg3Ij/9g4Kd9GgYq0GlSAkIAqgqMKqXni8wbeGMJE2Mn2/8aHM3Q
+3flpHSoeNWOe/VzpRviw+VRgA4vbhhKUXBtQSiea77/DXLwOp5w7rkBoEUg=
+-----END CERTIFICATE-----
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/certs/daveCert.pem
new file mode 100644
index 000000000..c83be145d
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/certs/daveCert.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICXDCCAb2gAwIBAgIBCzAKBggqhkjOPQQDBDBIMQswCQYDVQQGEwJDSDEZMBcG
+A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
+b290IENBMB4XDTEzMDYyODA3MzMyOFoXDTE4MDYwMjA3MzMyOFowXjELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
+IDI1NiBiaXQxHDAaBgNVBAMUE2RhdmVAc3Ryb25nc3dhbi5vcmcwWTATBgcqhkjO
+PQIBBggqhkjOPQMBBwNCAAQ0aUuue3BcBvF6aEISID4c+mVBJyvSm2fPVRRkAQqh
+RktTHMYDWY6B8e/iGr4GDeF5bjr46vMB5eEtVx3chWbQo4GBMH8wHwYDVR0jBBgw
+FoAUul35cbYTtWrR3bo2t6rSwe6P2NIwHgYDVR0RBBcwFYETZGF2ZUBzdHJvbmdz
+d2FuLm9yZzA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLnN0cm9uZ3N3YW4u
+b3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAoGCCqGSM49BAMEA4GMADCBiAJCAd5ols9c
+CP6HPtfMXbPlSpUDKSRyB3c5Ix2Yn3z5ogMM1QSoS88FW8D7KKsb0qTY5TnlAls3
+45PmauVwEbI2cV6qAkIBphvsmhYWMnt/QMOij7DinihEL9Ib1vxOS2boUos6sHWi
+gj3wfHyfgHM3Pgt0YYoZxELDIxcLVJeoa1TmNey7IaI=
+-----END CERTIFICATE-----
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/private/daveKey.pem
new file mode 100644
index 000000000..17e94022e
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.d/private/daveKey.pem
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEICwxFtCsSqIAzwZDyxHclTRdz/tGzAY7fP/vPoxqr8vuoAoGCCqGSM49
+AwEHoUQDQgAENGlLrntwXAbxemhCEiA+HPplQScr0ptnz1UUZAEKoUZLUxzGA1mO
+gfHv4hq+Bg3heW46+OrzAeXhLVcd3IVm0A==
+-----END EC PRIVATE KEY-----
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.secrets b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..ebd3a2839
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: ECDSA daveKey.pem
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/iptables.flush b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/iptables.flush
new file mode 100644
index 000000000..b3ab63c51
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/iptables.flush
@@ -0,0 +1,21 @@
+*filter
+
+-F
+
+-P INPUT ACCEPT
+-P OUTPUT ACCEPT
+-P FORWARD ACCEPT
+
+COMMIT
+
+*nat
+
+-F
+
+COMMIT
+
+*mangle
+
+-F
+
+COMMIT
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/iptables.rules b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/iptables.rules
new file mode 100644
index 000000000..3d99c0197
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/iptables.rules
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT
+
+# allow traffic tunnelled via IPsec
+-A INPUT -i eth0 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
+-A OUTPUT -o eth0 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/strongswan.conf b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..06bcaa1e5
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,15 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = soup pem pkcs1 pkcs8 random nonce x509 revocation openssl stroke kernel-libipsec kernel-netlink socket-default updown
+
+ initiator_only = yes
+}
+
+libstrongswan {
+ plugins {
+ openssl {
+ fips_mode = 2
+ }
+ }
+}
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/updown b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/updown
new file mode 100755
index 000000000..15c239466
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/updown
@@ -0,0 +1,746 @@
+#! /bin/sh
+# iproute2 version, default updown script
+#
+# Copyright (C) 2003-2004 Nigel Meteringham
+# Copyright (C) 2003-2004 Tuomo Soini
+# Copyright (C) 2002-2004 Michael Richardson
+# Copyright (C) 2005-2007 Andreas Steffen <andreas.steffen@strongswan.org>
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# for more details.
+
+# CAUTION: Installing a new version of strongSwan will install a new
+# copy of this script, wiping out any custom changes you make. If
+# you need changes, make a copy of this under another name, and customize
+# that, and use the (left/right)updown parameters in ipsec.conf to make
+# strongSwan use yours instead of this default one.
+
+# things that this script gets (from ipsec_pluto(8) man page)
+#
+# PLUTO_VERSION
+# indicates what version of this interface is being
+# used. This document describes version 1.1. This
+# is upwardly compatible with version 1.0.
+#
+# PLUTO_VERB
+# specifies the name of the operation to be performed
+# (prepare-host, prepare-client, up-host, up-client,
+# down-host, or down-client). If the address family
+# for security gateway to security gateway communica-
+# tions is IPv6, then a suffix of -v6 is added to the
+# verb.
+#
+# PLUTO_CONNECTION
+# is the name of the connection for which we are
+# routing.
+#
+# PLUTO_NEXT_HOP
+# is the next hop to which packets bound for the peer
+# must be sent.
+#
+# PLUTO_INTERFACE
+# is the name of the ipsec interface to be used.
+#
+# PLUTO_REQID
+# is the requid of the ESP policy
+#
+# PLUTO_UNIQUEID
+# is the unique identifier of the associated IKE_SA
+#
+# PLUTO_ME
+# is the IP address of our host.
+#
+# PLUTO_MY_ID
+# is the ID of our host.
+#
+# PLUTO_MY_CLIENT
+# is the IP address / count of our client subnet. If
+# the client is just the host, this will be the
+# host's own IP address / max (where max is 32 for
+# IPv4 and 128 for IPv6).
+#
+# PLUTO_MY_CLIENT_NET
+# is the IP address of our client net. If the client
+# is just the host, this will be the host's own IP
+# address.
+#
+# PLUTO_MY_CLIENT_MASK
+# is the mask for our client net. If the client is
+# just the host, this will be 255.255.255.255.
+#
+# PLUTO_MY_SOURCEIP
+# PLUTO_MY_SOURCEIP4_$i
+# PLUTO_MY_SOURCEIP6_$i
+# contains IPv4/IPv6 virtual IP received from a responder,
+# $i enumerates from 1 to the number of IP per address family.
+# PLUTO_MY_SOURCEIP is a legacy variable and equals to the first
+# virtual IP, IPv4 or IPv6.
+#
+# PLUTO_MY_PROTOCOL
+# is the IP protocol that will be transported.
+#
+# PLUTO_MY_PORT
+# is the UDP/TCP port to which the IPsec SA is
+# restricted on our side.
+#
+# PLUTO_PEER
+# is the IP address of our peer.
+#
+# PLUTO_PEER_ID
+# is the ID of our peer.
+#
+# PLUTO_PEER_CA
+# is the CA which issued the cert of our peer.
+#
+# PLUTO_PEER_CLIENT
+# is the IP address / count of the peer's client sub-
+# net. If the client is just the peer, this will be
+# the peer's own IP address / max (where max is 32
+# for IPv4 and 128 for IPv6).
+#
+# PLUTO_PEER_CLIENT_NET
+# is the IP address of the peer's client net. If the
+# client is just the peer, this will be the peer's
+# own IP address.
+#
+# PLUTO_PEER_CLIENT_MASK
+# is the mask for the peer's client net. If the
+# client is just the peer, this will be
+# 255.255.255.255.
+#
+# PLUTO_PEER_PROTOCOL
+# is the IP protocol that will be transported.
+#
+# PLUTO_PEER_PORT
+# is the UDP/TCP port to which the IPsec SA is
+# restricted on the peer side.
+#
+# PLUTO_XAUTH_ID
+# is an optional user ID employed by the XAUTH protocol
+#
+# PLUTO_MARK_IN
+# is an optional XFRM mark set on the inbound IPsec SA
+#
+# PLUTO_MARK_OUT
+# is an optional XFRM mark set on the outbound IPsec SA
+#
+# PLUTO_UDP_ENC
+# contains the remote UDP port in the case of ESP_IN_UDP
+# encapsulation
+#
+# PLUTO_DNS4_$i
+# PLUTO_DNS6_$i
+# contains IPv4/IPv6 DNS server attribute received from a
+# responder, $i enumerates from 1 to the number of servers per
+# address family.
+#
+
+# define a minimum PATH environment in case it is not set
+PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
+export PATH
+
+# uncomment to log VPN connections
+VPN_LOGGING=1
+#
+# tag put in front of each log entry:
+TAG=vpn
+#
+# syslog facility and priority used:
+FAC_PRIO=local0.notice
+#
+# to create a special vpn logging file, put the following line into
+# the syslog configuration file /etc/syslog.conf:
+#
+# local0.notice -/var/log/vpn
+
+# in order to use source IP routing the Linux kernel options
+# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES
+# must be enabled
+#
+# special routing table for sourceip routes
+SOURCEIP_ROUTING_TABLE=220
+#
+# priority of the sourceip routing table
+SOURCEIP_ROUTING_TABLE_PRIO=220
+
+# check interface version
+case "$PLUTO_VERSION" in
+1.[0|1]) # Older Pluto?!? Play it safe, script may be using new features.
+ echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
+ echo "$0: called by obsolete Pluto?" >&2
+ exit 2
+ ;;
+1.*) ;;
+*) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
+ exit 2
+ ;;
+esac
+
+# check parameter(s)
+case "$1:$*" in
+':') # no parameters
+ ;;
+iptables:iptables) # due to (left/right)firewall; for default script only
+ ;;
+custom:*) # custom parameters (see above CAUTION comment)
+ ;;
+*) echo "$0: unknown parameters \`$*'" >&2
+ exit 2
+ ;;
+esac
+
+# utility functions for route manipulation
+# Meddling with this stuff should not be necessary and requires great care.
+uproute() {
+ doroute add
+ ip route flush cache
+}
+downroute() {
+ doroute delete
+ ip route flush cache
+}
+
+addsource() {
+ st=0
+ if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
+ then
+ it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
+ oops="`eval $it 2>&1`"
+ st=$?
+ if test " $oops" = " " -a " $st" != " 0"
+ then
+ oops="silent error, exit status $st"
+ fi
+ if test " $oops" != " " -o " $st" != " 0"
+ then
+ echo "$0: addsource \`$it' failed ($oops)" >&2
+ fi
+ fi
+ return $st
+}
+
+doroute() {
+ st=0
+
+ if [ -z "$PLUTO_MY_SOURCEIP" ]
+ then
+ for dir in /etc/sysconfig /etc/conf.d; do
+ if [ -f "$dir/defaultsource" ]
+ then
+ . "$dir/defaultsource"
+ fi
+ done
+
+ if [ -n "$DEFAULTSOURCE" ]
+ then
+ PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
+ fi
+ fi
+
+ if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
+ then
+ # leave because no route entry is required
+ return $st
+ fi
+
+ parms1="$PLUTO_PEER_CLIENT"
+
+ if [ -n "$PLUTO_NEXT_HOP" ]
+ then
+ parms2="via $PLUTO_NEXT_HOP"
+ else
+ parms2="via $PLUTO_PEER"
+ fi
+ parms2="$parms2 dev $PLUTO_INTERFACE"
+
+ parms3=
+ if [ -n "$PLUTO_MY_SOURCEIP" ]
+ then
+ if test "$1" = "add"
+ then
+ addsource
+ if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE"
+ then
+ ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE
+ fi
+ fi
+ parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE"
+ fi
+
+ case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+ "0.0.0.0/0.0.0.0")
+ # opportunistic encryption work around
+ # need to provide route that eclipses default, without
+ # replacing it.
+ it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
+ ip route $1 128.0.0.0/1 $parms2 $parms3"
+ ;;
+ *) it="ip route $1 $parms1 $parms2 $parms3"
+ ;;
+ esac
+ oops="`eval $it 2>&1`"
+ st=$?
+ if test " $oops" = " " -a " $st" != " 0"
+ then
+ oops="silent error, exit status $st"
+ fi
+ if test " $oops" != " " -o " $st" != " 0"
+ then
+ echo "$0: doroute \`$it' failed ($oops)" >&2
+ fi
+ return $st
+}
+
+# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
+if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
+then
+ KLIPS=1
+ IPSEC_POLICY_IN=""
+ IPSEC_POLICY_OUT=""
+else
+ KLIPS=
+ IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
+ IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
+ IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
+fi
+
+# are there port numbers?
+if [ "$PLUTO_MY_PORT" != 0 ]
+then
+ S_MY_PORT="--sport $PLUTO_MY_PORT"
+ D_MY_PORT="--dport $PLUTO_MY_PORT"
+fi
+if [ "$PLUTO_PEER_PORT" != 0 ]
+then
+ S_PEER_PORT="--sport $PLUTO_PEER_PORT"
+ D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+fi
+
+# resolve octal escape sequences
+PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
+PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
+
+# the big choice
+case "$PLUTO_VERB:$1" in
+prepare-host:*|prepare-client:*)
+ if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
+ then
+ # exit because no route will be added,
+ # so that existing routes can stay
+ exit 0
+ fi
+
+ # delete possibly-existing route (preliminary to adding a route)
+ case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+ "0.0.0.0/0.0.0.0")
+ # need to provide route that eclipses default, without
+ # replacing it.
+ parms1="0.0.0.0/1"
+ parms2="128.0.0.0/1"
+ it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
+ oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
+ ;;
+ *)
+ parms="$PLUTO_PEER_CLIENT"
+ it="ip route delete $parms 2>&1"
+ oops="`ip route delete $parms 2>&1`"
+ ;;
+ esac
+ status="$?"
+ if test " $oops" = " " -a " $status" != " 0"
+ then
+ oops="silent error, exit status $status"
+ fi
+ case "$oops" in
+ *'RTNETLINK answers: No such process'*)
+ # This is what route (currently -- not documented!) gives
+ # for "could not find such a route".
+ oops=
+ status=0
+ ;;
+ esac
+ if test " $oops" != " " -o " $status" != " 0"
+ then
+ echo "$0: \`$it' failed ($oops)" >&2
+ fi
+ exit $status
+ ;;
+route-host:*|route-client:*)
+ # connection to me or my client subnet being routed
+ uproute
+ ;;
+unroute-host:*|unroute-client:*)
+ # connection to me or my client subnet being unrouted
+ downroute
+ ;;
+up-host:)
+ # connection to me coming up
+ # If you are doing a custom version, firewall commands go here.
+ PLUTO_INTERFACE=ipsec0
+ iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+ iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_ME $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ ;;
+down-host:)
+ # connection to me going down
+ # If you are doing a custom version, firewall commands go here.
+ PLUTO_INTERFACE=ipsec0
+ iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+ iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_ME $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ ;;
+up-client:)
+ # connection to my client subnet coming up
+ # If you are doing a custom version, firewall commands go here.
+ PLUTO_INTERFACE=ipsec0
+ if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+ then
+ iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+ fi
+ #
+ # a virtual IP requires an INPUT and OUTPUT rule on the host
+ # or sometimes host access via the internal IP is needed
+ if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+ then
+ iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+ iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ fi
+ ;;
+down-client:)
+ # connection to my client subnet going down
+ # If you are doing a custom version, firewall commands go here.
+ PLUTO_INTERFACE=ipsec0
+ iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+ #
+ # a virtual IP requires an INPUT and OUTPUT rule on the host
+ # or sometimes host access via the internal IP is needed
+ if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+ then
+ iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+ iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ fi
+ ;;
+up-host:iptables)
+ # connection to me, with (left/right)firewall=yes, coming up
+ # This is used only by the default updown script, not by your custom
+ # ones, so do not mess with it; see CAUTION comment up at top.
+ iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+ iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ #
+ # log IPsec host connection setup
+ if [ $VPN_LOGGING ]
+ then
+ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+ then
+ logger -t $TAG -p $FAC_PRIO \
+ "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+ else
+ logger -t $TAG -p $FAC_PRIO \
+ "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+ fi
+ fi
+ ;;
+down-host:iptables)
+ # connection to me, with (left/right)firewall=yes, going down
+ # This is used only by the default updown script, not by your custom
+ # ones, so do not mess with it; see CAUTION comment up at top.
+ iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+ iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ #
+ # log IPsec host connection teardown
+ if [ $VPN_LOGGING ]
+ then
+ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+ then
+ logger -t $TAG -p $FAC_PRIO -- \
+ "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+ else
+ logger -t $TAG -p $FAC_PRIO -- \
+ "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+ fi
+ fi
+ ;;
+up-client:iptables)
+ # connection to client subnet, with (left/right)firewall=yes, coming up
+ # This is used only by the default updown script, not by your custom
+ # ones, so do not mess with it; see CAUTION comment up at top.
+ if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+ then
+ iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+ iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
+ # a virtual IP requires an INPUT and OUTPUT rule on the host
+ # or sometimes host access via the internal IP is needed
+ if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+ then
+ iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+ iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+ fi
+ #
+ # log IPsec client connection setup
+ if [ $VPN_LOGGING ]
+ then
+ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+ then
+ logger -t $TAG -p $FAC_PRIO \
+ "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ else
+ logger -t $TAG -p $FAC_PRIO \
+ "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ fi
+ fi
+ ;;
+down-client:iptables)
+ # connection to client subnet, with (left/right)firewall=yes, going down
+ # This is used only by the default updown script, not by your custom
+ # ones, so do not mess with it; see CAUTION comment up at top.
+ if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+ then
+ iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+ $IPSEC_POLICY_OUT -j ACCEPT
+ iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT \
+ $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
+ # a virtual IP requires an INPUT and OUTPUT rule on the host
+ # or sometimes host access via the internal IP is needed
+ if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+ then
+ iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT \
+ $IPSEC_POLICY_IN -j ACCEPT
+ iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+ $IPSEC_POLICY_OUT -j ACCEPT
+ fi
+ #
+ # log IPsec client connection teardown
+ if [ $VPN_LOGGING ]
+ then
+ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+ then
+ logger -t $TAG -p $FAC_PRIO -- \
+ "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ else
+ logger -t $TAG -p $FAC_PRIO -- \
+ "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ fi
+ fi
+ ;;
+#
+# IPv6
+#
+prepare-host-v6:*|prepare-client-v6:*)
+ ;;
+route-host-v6:*|route-client-v6:*)
+ # connection to me or my client subnet being routed
+ #uproute_v6
+ ;;
+unroute-host-v6:*|unroute-client-v6:*)
+ # connection to me or my client subnet being unrouted
+ #downroute_v6
+ ;;
+up-host-v6:)
+ # connection to me coming up
+ # If you are doing a custom version, firewall commands go here.
+ ;;
+down-host-v6:)
+ # connection to me going down
+ # If you are doing a custom version, firewall commands go here.
+ ;;
+up-client-v6:)
+ # connection to my client subnet coming up
+ # If you are doing a custom version, firewall commands go here.
+ ;;
+down-client-v6:)
+ # connection to my client subnet going down
+ # If you are doing a custom version, firewall commands go here.
+ ;;
+up-host-v6:iptables)
+ # connection to me, with (left/right)firewall=yes, coming up
+ # This is used only by the default updown script, not by your custom
+ # ones, so do not mess with it; see CAUTION comment up at top.
+ ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+ ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ #
+ # log IPsec host connection setup
+ if [ $VPN_LOGGING ]
+ then
+ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+ then
+ logger -t $TAG -p $FAC_PRIO \
+ "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+ else
+ logger -t $TAG -p $FAC_PRIO \
+ "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+ fi
+ fi
+ ;;
+down-host-v6:iptables)
+ # connection to me, with (left/right)firewall=yes, going down
+ # This is used only by the default updown script, not by your custom
+ # ones, so do not mess with it; see CAUTION comment up at top.
+ ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+ ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ #
+ # log IPsec host connection teardown
+ if [ $VPN_LOGGING ]
+ then
+ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+ then
+ logger -t $TAG -p $FAC_PRIO -- \
+ "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+ else
+ logger -t $TAG -p $FAC_PRIO -- \
+ "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+ fi
+ fi
+ ;;
+up-client-v6:iptables)
+ # connection to client subnet, with (left/right)firewall=yes, coming up
+ # This is used only by the default updown script, not by your custom
+ # ones, so do not mess with it; see CAUTION comment up at top.
+ if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
+ then
+ ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+ ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
+ # a virtual IP requires an INPUT and OUTPUT rule on the host
+ # or sometimes host access via the internal IP is needed
+ if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+ then
+ ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+ ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+ fi
+ #
+ # log IPsec client connection setup
+ if [ $VPN_LOGGING ]
+ then
+ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+ then
+ logger -t $TAG -p $FAC_PRIO \
+ "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ else
+ logger -t $TAG -p $FAC_PRIO \
+ "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ fi
+ fi
+ ;;
+down-client-v6:iptables)
+ # connection to client subnet, with (left/right)firewall=yes, going down
+ # This is used only by the default updown script, not by your custom
+ # ones, so do not mess with it; see CAUTION comment up at top.
+ if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
+ then
+ ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+ $IPSEC_POLICY_OUT -j ACCEPT
+ ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT \
+ $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
+ # a virtual IP requires an INPUT and OUTPUT rule on the host
+ # or sometimes host access via the internal IP is needed
+ if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+ then
+ ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT \
+ $IPSEC_POLICY_IN -j ACCEPT
+ ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+ $IPSEC_POLICY_OUT -j ACCEPT
+ fi
+ #
+ # log IPsec client connection teardown
+ if [ $VPN_LOGGING ]
+ then
+ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+ then
+ logger -t $TAG -p $FAC_PRIO -- \
+ "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ else
+ logger -t $TAG -p $FAC_PRIO -- \
+ "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ fi
+ fi
+ ;;
+*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
+ exit 1
+ ;;
+esac
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.conf b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..733592087
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekey=no
+ reauth=no
+ keyexchange=ikev2
+ ike=aes128gcm128-prfsha256-ecp256!
+ esp=aes128gcm128-ecp256!
+
+conn rw
+ left=PH_IP_MOON
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftsubnet=10.1.0.0/16
+ leftupdown=/etc/updown
+ right=%any
+ rightsourceip=10.3.0.0/24
+ auto=add
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
new file mode 100644
index 000000000..3480a434a
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICyDCCAiqgAwIBAgIJAPaidX4i76aJMAkGByqGSM49BAEwSDELMAkGA1UEBhMC
+Q0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3
+YW4gRUMgUm9vdCBDQTAeFw0wODA2MjIxNDM2MDZaFw0xODA2MjAxNDM2MDZaMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA
+BAEUx1NvjNKzbDHaRPMsqIf/6SbUpzBa78N/WIyF6rYj8e5McAqfTfzUfFJZYoQn
+/mbP3VfjOxRuMDjrlfvdgMxwkwFDigWQfHg3CJbS7eQjjO1MrxxIJUtfSTnF29tM
+h6IYMdxaZKloCGCOrpmGCGdxD2/KwoX1SA3BlnjaNt7kSTonkqOBujCBtzAPBgNV
+HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUul35cbYTtWrR3bo2
+t6rSwe6P2NIweAYDVR0jBHEwb4AUul35cbYTtWrR3bo2t6rSwe6P2NKhTKRKMEgx
+CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD
+ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2onV+Iu+miTAJBgcqhkjOPQQBA4GM
+ADCBiAJCAL5pU3X6NYWjOYe0cxrah27UxtUDLUNkFG/Ojl+gOH4QB0CKY0HXNyrq
+cgba73dXF/U0Cg3Ij/9g4Kd9GgYq0GlSAkIAqgqMKqXni8wbeGMJE2Mn2/8aHM3Q
+3flpHSoeNWOe/VzpRviw+VRgA4vbhhKUXBtQSiea77/DXLwOp5w7rkBoEUg=
+-----END CERTIFICATE-----
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/certs/moonCert.pem
new file mode 100644
index 000000000..a3b043e82
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/certs/moonCert.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICXDCCAb2gAwIBAgIBBzAKBggqhkjOPQQDBDBIMQswCQYDVQQGEwJDSDEZMBcG
+A1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBS
+b290IENBMB4XDTEzMDYyODA3MTc0M1oXDTE4MDYwMjA3MTc0M1owXjELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xFjAUBgNVBAsTDUVDRFNB
+IDI1NiBiaXQxHDAaBgNVBAMTE21vb24uc3Ryb25nc3dhbi5vcmcwWTATBgcqhkjO
+PQIBBggqhkjOPQMBBwNCAATf97+pfDnyPIA9gf6bYTZiIjNBAbCjCIqxxWou/oMq
+/9V1O20vyI/dg2g3yzTdzESUa+X81fop+i2n9ymBqI1No4GBMH8wHwYDVR0jBBgw
+FoAUul35cbYTtWrR3bo2t6rSwe6P2NIwHgYDVR0RBBcwFYITbW9vbi5zdHJvbmdz
+d2FuLm9yZzA8BgNVHR8ENTAzMDGgL6AthitodHRwOi8vY3JsLnN0cm9uZ3N3YW4u
+b3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAoGCCqGSM49BAMEA4GMADCBiAJCALNndw3C
+DDWCb0f+6P6hxkqiYmUpv39XrioZrLbw+MjMD2WAchbj60KibBep1cVwIq3kWIJ6
+Jj0tYXG+f6yjmImqAkIBGOGRm+MQZxPFdYZoJZq5QXwIN0w2hJxmLIxBASW4PLdl
+RLIlvW/XTJObdb0VVYmClg0HTSvuuYOJrzwdyd8D1w0=
+-----END CERTIFICATE-----
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/private/moonKey.pem
new file mode 100644
index 000000000..5bd2778a9
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.d/private/moonKey.pem
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIHWBnv6tDi/CTTWOQi/0XME7r8Wd5GRPaXx3wNTElpSvoAoGCCqGSM49
+AwEHoUQDQgAE3/e/qXw58jyAPYH+m2E2YiIzQQGwowiKscVqLv6DKv/VdTttL8iP
+3YNoN8s03cxElGvl/NX6Kfotp/cpgaiNTQ==
+-----END EC PRIVATE KEY-----
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.secrets b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..1ef3eccb5
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: ECDSA moonKey.pem
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/strongswan.conf b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..efa0575e5
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,13 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = soup pem pkcs1 pkcs8 random nonce x509 revocation openssl stroke kernel-libipsec kernel-netlink socket-default updown
+}
+
+libstrongswan {
+ plugins {
+ openssl {
+ fips_mode = 2
+ }
+ }
+}
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/updown b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/updown
new file mode 100755
index 000000000..15c239466
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/updown
@@ -0,0 +1,746 @@
+#! /bin/sh
+# iproute2 version, default updown script
+#
+# Copyright (C) 2003-2004 Nigel Meteringham
+# Copyright (C) 2003-2004 Tuomo Soini
+# Copyright (C) 2002-2004 Michael Richardson
+# Copyright (C) 2005-2007 Andreas Steffen <andreas.steffen@strongswan.org>
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# for more details.
+
+# CAUTION: Installing a new version of strongSwan will install a new
+# copy of this script, wiping out any custom changes you make. If
+# you need changes, make a copy of this under another name, and customize
+# that, and use the (left/right)updown parameters in ipsec.conf to make
+# strongSwan use yours instead of this default one.
+
+# things that this script gets (from ipsec_pluto(8) man page)
+#
+# PLUTO_VERSION
+# indicates what version of this interface is being
+# used. This document describes version 1.1. This
+# is upwardly compatible with version 1.0.
+#
+# PLUTO_VERB
+# specifies the name of the operation to be performed
+# (prepare-host, prepare-client, up-host, up-client,
+# down-host, or down-client). If the address family
+# for security gateway to security gateway communica-
+# tions is IPv6, then a suffix of -v6 is added to the
+# verb.
+#
+# PLUTO_CONNECTION
+# is the name of the connection for which we are
+# routing.
+#
+# PLUTO_NEXT_HOP
+# is the next hop to which packets bound for the peer
+# must be sent.
+#
+# PLUTO_INTERFACE
+# is the name of the ipsec interface to be used.
+#
+# PLUTO_REQID
+# is the requid of the ESP policy
+#
+# PLUTO_UNIQUEID
+# is the unique identifier of the associated IKE_SA
+#
+# PLUTO_ME
+# is the IP address of our host.
+#
+# PLUTO_MY_ID
+# is the ID of our host.
+#
+# PLUTO_MY_CLIENT
+# is the IP address / count of our client subnet. If
+# the client is just the host, this will be the
+# host's own IP address / max (where max is 32 for
+# IPv4 and 128 for IPv6).
+#
+# PLUTO_MY_CLIENT_NET
+# is the IP address of our client net. If the client
+# is just the host, this will be the host's own IP
+# address.
+#
+# PLUTO_MY_CLIENT_MASK
+# is the mask for our client net. If the client is
+# just the host, this will be 255.255.255.255.
+#
+# PLUTO_MY_SOURCEIP
+# PLUTO_MY_SOURCEIP4_$i
+# PLUTO_MY_SOURCEIP6_$i
+# contains IPv4/IPv6 virtual IP received from a responder,
+# $i enumerates from 1 to the number of IP per address family.
+# PLUTO_MY_SOURCEIP is a legacy variable and equals to the first
+# virtual IP, IPv4 or IPv6.
+#
+# PLUTO_MY_PROTOCOL
+# is the IP protocol that will be transported.
+#
+# PLUTO_MY_PORT
+# is the UDP/TCP port to which the IPsec SA is
+# restricted on our side.
+#
+# PLUTO_PEER
+# is the IP address of our peer.
+#
+# PLUTO_PEER_ID
+# is the ID of our peer.
+#
+# PLUTO_PEER_CA
+# is the CA which issued the cert of our peer.
+#
+# PLUTO_PEER_CLIENT
+# is the IP address / count of the peer's client sub-
+# net. If the client is just the peer, this will be
+# the peer's own IP address / max (where max is 32
+# for IPv4 and 128 for IPv6).
+#
+# PLUTO_PEER_CLIENT_NET
+# is the IP address of the peer's client net. If the
+# client is just the peer, this will be the peer's
+# own IP address.
+#
+# PLUTO_PEER_CLIENT_MASK
+# is the mask for the peer's client net. If the
+# client is just the peer, this will be
+# 255.255.255.255.
+#
+# PLUTO_PEER_PROTOCOL
+# is the IP protocol that will be transported.
+#
+# PLUTO_PEER_PORT
+# is the UDP/TCP port to which the IPsec SA is
+# restricted on the peer side.
+#
+# PLUTO_XAUTH_ID
+# is an optional user ID employed by the XAUTH protocol
+#
+# PLUTO_MARK_IN
+# is an optional XFRM mark set on the inbound IPsec SA
+#
+# PLUTO_MARK_OUT
+# is an optional XFRM mark set on the outbound IPsec SA
+#
+# PLUTO_UDP_ENC
+# contains the remote UDP port in the case of ESP_IN_UDP
+# encapsulation
+#
+# PLUTO_DNS4_$i
+# PLUTO_DNS6_$i
+# contains IPv4/IPv6 DNS server attribute received from a
+# responder, $i enumerates from 1 to the number of servers per
+# address family.
+#
+
+# define a minimum PATH environment in case it is not set
+PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
+export PATH
+
+# uncomment to log VPN connections
+VPN_LOGGING=1
+#
+# tag put in front of each log entry:
+TAG=vpn
+#
+# syslog facility and priority used:
+FAC_PRIO=local0.notice
+#
+# to create a special vpn logging file, put the following line into
+# the syslog configuration file /etc/syslog.conf:
+#
+# local0.notice -/var/log/vpn
+
+# in order to use source IP routing the Linux kernel options
+# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES
+# must be enabled
+#
+# special routing table for sourceip routes
+SOURCEIP_ROUTING_TABLE=220
+#
+# priority of the sourceip routing table
+SOURCEIP_ROUTING_TABLE_PRIO=220
+
+# check interface version
+case "$PLUTO_VERSION" in
+1.[0|1]) # Older Pluto?!? Play it safe, script may be using new features.
+ echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2
+ echo "$0: called by obsolete Pluto?" >&2
+ exit 2
+ ;;
+1.*) ;;
+*) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2
+ exit 2
+ ;;
+esac
+
+# check parameter(s)
+case "$1:$*" in
+':') # no parameters
+ ;;
+iptables:iptables) # due to (left/right)firewall; for default script only
+ ;;
+custom:*) # custom parameters (see above CAUTION comment)
+ ;;
+*) echo "$0: unknown parameters \`$*'" >&2
+ exit 2
+ ;;
+esac
+
+# utility functions for route manipulation
+# Meddling with this stuff should not be necessary and requires great care.
+uproute() {
+ doroute add
+ ip route flush cache
+}
+downroute() {
+ doroute delete
+ ip route flush cache
+}
+
+addsource() {
+ st=0
+ if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local
+ then
+ it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE"
+ oops="`eval $it 2>&1`"
+ st=$?
+ if test " $oops" = " " -a " $st" != " 0"
+ then
+ oops="silent error, exit status $st"
+ fi
+ if test " $oops" != " " -o " $st" != " 0"
+ then
+ echo "$0: addsource \`$it' failed ($oops)" >&2
+ fi
+ fi
+ return $st
+}
+
+doroute() {
+ st=0
+
+ if [ -z "$PLUTO_MY_SOURCEIP" ]
+ then
+ for dir in /etc/sysconfig /etc/conf.d; do
+ if [ -f "$dir/defaultsource" ]
+ then
+ . "$dir/defaultsource"
+ fi
+ done
+
+ if [ -n "$DEFAULTSOURCE" ]
+ then
+ PLUTO_MY_SOURCEIP=$DEFAULTSOURCE
+ fi
+ fi
+
+ if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
+ then
+ # leave because no route entry is required
+ return $st
+ fi
+
+ parms1="$PLUTO_PEER_CLIENT"
+
+ if [ -n "$PLUTO_NEXT_HOP" ]
+ then
+ parms2="via $PLUTO_NEXT_HOP"
+ else
+ parms2="via $PLUTO_PEER"
+ fi
+ parms2="$parms2 dev $PLUTO_INTERFACE"
+
+ parms3=
+ if [ -n "$PLUTO_MY_SOURCEIP" ]
+ then
+ if test "$1" = "add"
+ then
+ addsource
+ if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE"
+ then
+ ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE
+ fi
+ fi
+ parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE"
+ fi
+
+ case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+ "0.0.0.0/0.0.0.0")
+ # opportunistic encryption work around
+ # need to provide route that eclipses default, without
+ # replacing it.
+ it="ip route $1 0.0.0.0/1 $parms2 $parms3 &&
+ ip route $1 128.0.0.0/1 $parms2 $parms3"
+ ;;
+ *) it="ip route $1 $parms1 $parms2 $parms3"
+ ;;
+ esac
+ oops="`eval $it 2>&1`"
+ st=$?
+ if test " $oops" = " " -a " $st" != " 0"
+ then
+ oops="silent error, exit status $st"
+ fi
+ if test " $oops" != " " -o " $st" != " 0"
+ then
+ echo "$0: doroute \`$it' failed ($oops)" >&2
+ fi
+ return $st
+}
+
+# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY
+if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
+then
+ KLIPS=1
+ IPSEC_POLICY_IN=""
+ IPSEC_POLICY_OUT=""
+else
+ KLIPS=
+ IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID"
+ IPSEC_POLICY_IN="$IPSEC_POLICY --dir in"
+ IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out"
+fi
+
+# are there port numbers?
+if [ "$PLUTO_MY_PORT" != 0 ]
+then
+ S_MY_PORT="--sport $PLUTO_MY_PORT"
+ D_MY_PORT="--dport $PLUTO_MY_PORT"
+fi
+if [ "$PLUTO_PEER_PORT" != 0 ]
+then
+ S_PEER_PORT="--sport $PLUTO_PEER_PORT"
+ D_PEER_PORT="--dport $PLUTO_PEER_PORT"
+fi
+
+# resolve octal escape sequences
+PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
+PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
+
+# the big choice
+case "$PLUTO_VERB:$1" in
+prepare-host:*|prepare-client:*)
+ if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ]
+ then
+ # exit because no route will be added,
+ # so that existing routes can stay
+ exit 0
+ fi
+
+ # delete possibly-existing route (preliminary to adding a route)
+ case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in
+ "0.0.0.0/0.0.0.0")
+ # need to provide route that eclipses default, without
+ # replacing it.
+ parms1="0.0.0.0/1"
+ parms2="128.0.0.0/1"
+ it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1"
+ oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`"
+ ;;
+ *)
+ parms="$PLUTO_PEER_CLIENT"
+ it="ip route delete $parms 2>&1"
+ oops="`ip route delete $parms 2>&1`"
+ ;;
+ esac
+ status="$?"
+ if test " $oops" = " " -a " $status" != " 0"
+ then
+ oops="silent error, exit status $status"
+ fi
+ case "$oops" in
+ *'RTNETLINK answers: No such process'*)
+ # This is what route (currently -- not documented!) gives
+ # for "could not find such a route".
+ oops=
+ status=0
+ ;;
+ esac
+ if test " $oops" != " " -o " $status" != " 0"
+ then
+ echo "$0: \`$it' failed ($oops)" >&2
+ fi
+ exit $status
+ ;;
+route-host:*|route-client:*)
+ # connection to me or my client subnet being routed
+ uproute
+ ;;
+unroute-host:*|unroute-client:*)
+ # connection to me or my client subnet being unrouted
+ downroute
+ ;;
+up-host:)
+ # connection to me coming up
+ # If you are doing a custom version, firewall commands go here.
+ PLUTO_INTERFACE=ipsec0
+ iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+ iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_ME $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ ;;
+down-host:)
+ # connection to me going down
+ # If you are doing a custom version, firewall commands go here.
+ PLUTO_INTERFACE=ipsec0
+ iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
+ iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_ME $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ ;;
+up-client:)
+ # connection to my client subnet coming up
+ # If you are doing a custom version, firewall commands go here.
+ PLUTO_INTERFACE=ipsec0
+ if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+ then
+ iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+ fi
+ #
+ # a virtual IP requires an INPUT and OUTPUT rule on the host
+ # or sometimes host access via the internal IP is needed
+ if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+ then
+ iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+ iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ fi
+ ;;
+down-client:)
+ # connection to my client subnet going down
+ # If you are doing a custom version, firewall commands go here.
+ PLUTO_INTERFACE=ipsec0
+ iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+ #
+ # a virtual IP requires an INPUT and OUTPUT rule on the host
+ # or sometimes host access via the internal IP is needed
+ if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+ then
+ iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT
+ iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ fi
+ ;;
+up-host:iptables)
+ # connection to me, with (left/right)firewall=yes, coming up
+ # This is used only by the default updown script, not by your custom
+ # ones, so do not mess with it; see CAUTION comment up at top.
+ iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+ iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ #
+ # log IPsec host connection setup
+ if [ $VPN_LOGGING ]
+ then
+ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+ then
+ logger -t $TAG -p $FAC_PRIO \
+ "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+ else
+ logger -t $TAG -p $FAC_PRIO \
+ "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+ fi
+ fi
+ ;;
+down-host:iptables)
+ # connection to me, with (left/right)firewall=yes, going down
+ # This is used only by the default updown script, not by your custom
+ # ones, so do not mess with it; see CAUTION comment up at top.
+ iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+ iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ #
+ # log IPsec host connection teardown
+ if [ $VPN_LOGGING ]
+ then
+ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+ then
+ logger -t $TAG -p $FAC_PRIO -- \
+ "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+ else
+ logger -t $TAG -p $FAC_PRIO -- \
+ "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+ fi
+ fi
+ ;;
+up-client:iptables)
+ # connection to client subnet, with (left/right)firewall=yes, coming up
+ # This is used only by the default updown script, not by your custom
+ # ones, so do not mess with it; see CAUTION comment up at top.
+ if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+ then
+ iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+ iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
+ # a virtual IP requires an INPUT and OUTPUT rule on the host
+ # or sometimes host access via the internal IP is needed
+ if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+ then
+ iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+ iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+ fi
+ #
+ # log IPsec client connection setup
+ if [ $VPN_LOGGING ]
+ then
+ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+ then
+ logger -t $TAG -p $FAC_PRIO \
+ "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ else
+ logger -t $TAG -p $FAC_PRIO \
+ "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ fi
+ fi
+ ;;
+down-client:iptables)
+ # connection to client subnet, with (left/right)firewall=yes, going down
+ # This is used only by the default updown script, not by your custom
+ # ones, so do not mess with it; see CAUTION comment up at top.
+ if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
+ then
+ iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+ $IPSEC_POLICY_OUT -j ACCEPT
+ iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT \
+ $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
+ # a virtual IP requires an INPUT and OUTPUT rule on the host
+ # or sometimes host access via the internal IP is needed
+ if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+ then
+ iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT \
+ $IPSEC_POLICY_IN -j ACCEPT
+ iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+ $IPSEC_POLICY_OUT -j ACCEPT
+ fi
+ #
+ # log IPsec client connection teardown
+ if [ $VPN_LOGGING ]
+ then
+ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
+ then
+ logger -t $TAG -p $FAC_PRIO -- \
+ "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ else
+ logger -t $TAG -p $FAC_PRIO -- \
+ "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ fi
+ fi
+ ;;
+#
+# IPv6
+#
+prepare-host-v6:*|prepare-client-v6:*)
+ ;;
+route-host-v6:*|route-client-v6:*)
+ # connection to me or my client subnet being routed
+ #uproute_v6
+ ;;
+unroute-host-v6:*|unroute-client-v6:*)
+ # connection to me or my client subnet being unrouted
+ #downroute_v6
+ ;;
+up-host-v6:)
+ # connection to me coming up
+ # If you are doing a custom version, firewall commands go here.
+ ;;
+down-host-v6:)
+ # connection to me going down
+ # If you are doing a custom version, firewall commands go here.
+ ;;
+up-client-v6:)
+ # connection to my client subnet coming up
+ # If you are doing a custom version, firewall commands go here.
+ ;;
+down-client-v6:)
+ # connection to my client subnet going down
+ # If you are doing a custom version, firewall commands go here.
+ ;;
+up-host-v6:iptables)
+ # connection to me, with (left/right)firewall=yes, coming up
+ # This is used only by the default updown script, not by your custom
+ # ones, so do not mess with it; see CAUTION comment up at top.
+ ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+ ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ #
+ # log IPsec host connection setup
+ if [ $VPN_LOGGING ]
+ then
+ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+ then
+ logger -t $TAG -p $FAC_PRIO \
+ "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+ else
+ logger -t $TAG -p $FAC_PRIO \
+ "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+ fi
+ fi
+ ;;
+down-host-v6:iptables)
+ # connection to me, with (left/right)firewall=yes, going down
+ # This is used only by the default updown script, not by your custom
+ # ones, so do not mess with it; see CAUTION comment up at top.
+ ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+ ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
+ #
+ # log IPsec host connection teardown
+ if [ $VPN_LOGGING ]
+ then
+ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+ then
+ logger -t $TAG -p $FAC_PRIO -- \
+ "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
+ else
+ logger -t $TAG -p $FAC_PRIO -- \
+ "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
+ fi
+ fi
+ ;;
+up-client-v6:iptables)
+ # connection to client subnet, with (left/right)firewall=yes, coming up
+ # This is used only by the default updown script, not by your custom
+ # ones, so do not mess with it; see CAUTION comment up at top.
+ if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
+ then
+ ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+ ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
+ # a virtual IP requires an INPUT and OUTPUT rule on the host
+ # or sometimes host access via the internal IP is needed
+ if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+ then
+ ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
+ ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
+ fi
+ #
+ # log IPsec client connection setup
+ if [ $VPN_LOGGING ]
+ then
+ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+ then
+ logger -t $TAG -p $FAC_PRIO \
+ "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ else
+ logger -t $TAG -p $FAC_PRIO \
+ "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ fi
+ fi
+ ;;
+down-client-v6:iptables)
+ # connection to client subnet, with (left/right)firewall=yes, going down
+ # This is used only by the default updown script, not by your custom
+ # ones, so do not mess with it; see CAUTION comment up at top.
+ if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
+ then
+ ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+ $IPSEC_POLICY_OUT -j ACCEPT
+ ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT \
+ $IPSEC_POLICY_IN -j ACCEPT
+ fi
+ #
+ # a virtual IP requires an INPUT and OUTPUT rule on the host
+ # or sometimes host access via the internal IP is needed
+ if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
+ then
+ ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
+ -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
+ -d $PLUTO_MY_CLIENT $D_MY_PORT \
+ $IPSEC_POLICY_IN -j ACCEPT
+ ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
+ -s $PLUTO_MY_CLIENT $S_MY_PORT \
+ -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
+ $IPSEC_POLICY_OUT -j ACCEPT
+ fi
+ #
+ # log IPsec client connection teardown
+ if [ $VPN_LOGGING ]
+ then
+ if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ]
+ then
+ logger -t $TAG -p $FAC_PRIO -- \
+ "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ else
+ logger -t $TAG -p $FAC_PRIO -- \
+ "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
+ fi
+ fi
+ ;;
+*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
+ exit 1
+ ;;
+esac
diff --git a/testing/tests/libipsec/rw-suite-b/posttest.dat b/testing/tests/libipsec/rw-suite-b/posttest.dat
new file mode 100644
index 000000000..1865a1c60
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/libipsec/rw-suite-b/pretest.dat b/testing/tests/libipsec/rw-suite-b/pretest.dat
new file mode 100644
index 000000000..8bbea1412
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/pretest.dat
@@ -0,0 +1,9 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/libipsec/rw-suite-b/test.conf b/testing/tests/libipsec/rw-suite-b/test.conf
new file mode 100644
index 000000000..f29298850
--- /dev/null
+++ b/testing/tests/libipsec/rw-suite-b/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"