Diffstat (limited to 'testing/tests/net2net-psk-fail')
9 files changed, 102 insertions, 0 deletions
diff --git a/testing/tests/net2net-psk-fail/description.txt b/testing/tests/net2net-psk-fail/description.txt
new file mode 100644
index 000000000..5a794bd17
--- /dev/null
+++ b/testing/tests/net2net-psk-fail/description.txt
@@ -0,0 +1,7 @@
+An IPsec tunnel connecting the subnets behind the gateways <b>moon</b> and
+<b>sun</b> is set up. The authentication is based on <b>Preshared Keys</b>
+(PSK). Unfortunately the secret keys of <b>moon</b> and <b>sun</b> do not
+match, so that the responder cannot decrypt ISAKMP message MI3. The resulting
+encrypted notification message cannot in turn be read by the initiator
+<b>moon</b>. In order to avoid a <b>notify-war</b>, any further generation of
+PAYLOAD_MALFORMED messages is suppressed.
diff --git a/testing/tests/net2net-psk-fail/evaltest.dat b/testing/tests/net2net-psk-fail/evaltest.dat
new file mode 100644
index 000000000..7f7cb9726
--- /dev/null
+++ b/testing/tests/net2net-psk-fail/evaltest.dat
@@ -0,0 +1,6 @@
+moon::cat /var/log/auth.log::malformed payload in packet::YES
+sun::cat /var/log/auth.log::probable authentication failure.*mismatch of preshared secrets.*malformed payload in packet::YES
+sun::cat /var/log/auth.log::sending encrypted notification PAYLOAD_MALFORMED::YES
+moon::ipsec status::net-net.*STATE_MAIN_I4.*ISAKMP SA established::NO
+sun::ipsec status::net-net.*STATE_MAIN_R3.*ISAKMP SA established::NO
+
diff --git a/testing/tests/net2net-psk-fail/hosts/moon/etc/ipsec.conf b/testing/tests/net2net-psk-fail/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..87396e455
--- /dev/null
+++ b/testing/tests/net2net-psk-fail/hosts/moon/etc/ipsec.conf
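Review bot: The evaltest.dat hunk never checks the property the description.txt hunk says this test exists for — that after the first PAYLOAD_MALFORMED notification no further ones are generated (the "notify-war" suppression). The five lines assert that a malformed-payload message was logged on both sides and that no ISAKMP SA came up, but a regression that re-sent the notification on every retry would still pass. If the harness greps the command's output as it appears to, a count-based line such as `sun::grep -c "sending encrypted notification PAYLOAD_MALFORMED" /var/log/auth.log::^1$::YES` would pin the suppression; please confirm the framework's pattern semantics before relying on it. The trailing empty `+` line at the end of the file can be dropped.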
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version 2.0 # conforms to second version of ipsec.conf specification
+
+config setup
+ plutodebug=control
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ authby=secret
+ leftnexthop=%direct
+
+conn net-net
+ left=PH_IP_MOON
+ leftsubnet=10.1.0.0/16
+ leftid=@moon.strongswan.org
+ right=PH_IP_SUN
+ rightsubnet=10.2.0.0/16
+ rightid=@sun.strongswan.org
+ auto=add
diff --git a/testing/tests/net2net-psk-fail/hosts/moon/etc/ipsec.secrets b/testing/tests/net2net-psk-fail/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..be95c4d99
--- /dev/null
+++ b/testing/tests/net2net-psk-fail/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,7 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+@moon.strongswan.org @sun.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+
+
+
+
diff --git a/testing/tests/net2net-psk-fail/hosts/sun/etc/ipsec.conf b/testing/tests/net2net-psk-fail/hosts/sun/etc/ipsec.conf
new file mode 100755
index 000000000..7e102b25c
--- /dev/null
+++ b/testing/tests/net2net-psk-fail/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+version 2.0 # conforms to second version of ipsec.conf specification
+
+config setup
+ plutodebug=control
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ authby=secret
+ leftnexthop=%direct
+
+conn net-net
+ left=PH_IP_SUN
+ leftsubnet=10.2.0.0/16
+ leftid=@sun.strongswan.org
+ right=PH_IP_MOON
+ rightsubnet=10.1.0.0/16
+ rightid=@moon.strongswan.org
+ auto=add
diff --git a/testing/tests/net2net-psk-fail/hosts/sun/etc/ipsec.secrets b/testing/tests/net2net-psk-fail/hosts/sun/etc/ipsec.secrets
new file mode 100644
index 000000000..b53577e1d
--- /dev/null
+++ b/testing/tests/net2net-psk-fail/hosts/sun/etc/ipsec.secrets
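Review bot: The moon ipsec.secrets hunk gives no hint that its PSK is meant to differ from the one sun is given, so the mismatch that the whole test depends on looks like an accidental copy-paste error to anyone reading the fixture in isolation; the same applies to the sun ipsec.secrets hunk that starts at the end of this line and continues on the next. A one-line comment above the PSK entry, e.g. `# NOTE: intentionally different from sun's PSK - this test expects the authentication to fail`, would stop a well-meaning maintainer from "fixing" it and silently turning a negative test into a passing positive one. The mismatch is also worth a cross-reference from the sun file so both sides carry the warning. The four trailing blank lines at the end of each secrets file serve no purpose and can go.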
@@ -0,0 +1,7 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+@moon.strongswan.org @sun.strongswan.org : PSK 0sZNbttZkdViYmLWprfhiZBtDjJbNAMHil
+
+
+
+
diff --git a/testing/tests/net2net-psk-fail/posttest.dat b/testing/tests/net2net-psk-fail/posttest.dat
new file mode 100644
index 000000000..dff181797
--- /dev/null
+++ b/testing/tests/net2net-psk-fail/posttest.dat
@@ -0,0 +1,2 @@
+moon::ipsec stop
+sun::ipsec stop
diff --git a/testing/tests/net2net-psk-fail/pretest.dat b/testing/tests/net2net-psk-fail/pretest.dat
new file mode 100644
index 000000000..aa8e332e0
--- /dev/null
+++ b/testing/tests/net2net-psk-fail/pretest.dat
@@ -0,0 +1,6 @@
+moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+sun::echo 1 > /proc/sys/net/ipv4/ip_forward
+moon::ipsec start
+sun::ipsec start
+moon::sleep 2
+moon::ipsec up net-net
diff --git a/testing/tests/net2net-psk-fail/test.conf b/testing/tests/net2net-psk-fail/test.conf
new file mode 100644
index 000000000..f6e064e7d
--- /dev/null
+++ b/testing/tests/net2net-psk-fail/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="moon winnetou sun"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-w-s.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"