diff options
Diffstat (limited to 'testing/tests/swanctl/rw-eap-ttls-radius')
22 files changed, 464 insertions, 0 deletions
diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/description.txt b/testing/tests/swanctl/rw-eap-ttls-radius/description.txt new file mode 100644 index 000000000..479350c2f --- /dev/null +++ b/testing/tests/swanctl/rw-eap-ttls-radius/description.txt @@ -0,0 +1,9 @@ +The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>. +At the outset the gateway authenticates itself to the client by sending +an IKEv2 <b>digital signature</b> accompanied by an X.509 certificate. +<p/> +Next <b>carol</b> and <b>dave</b> et up an <b>EAP-TTLS</b> tunnel each via +gateway <b>moon</b> to the RADIUS server <b>alice</b> authenticated by an X.509 +AAA certificate. The strong EAP-TTLS tunnel protects the ensuing weak client +authentication based on <b>EAP-MD5</b>. <b>carol</b> presents the correct MD5 password +and succeeds whereas <b>dave</b> chooses the wrong password and fails. diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/evaltest.dat b/testing/tests/swanctl/rw-eap-ttls-radius/evaltest.dat new file mode 100644 index 000000000..df4f0d550 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-ttls-radius/evaltest.dat @@ -0,0 +1,17 @@ +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES +carol::cat /var/log/daemon.log::server requested EAP_TTLS authentication::YES +carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES +carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES +dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES +dave:: cat /var/log/daemon.log::server requested EAP_TTLS authentication::YES +dave:: cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES +dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES +moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES +moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES +moon:: cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap new file mode 100644 index 000000000..7450c71c4 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/mods-available/eap @@ -0,0 +1,21 @@ +eap { + md5 { + } + default_eap_type = ttls + + tls-config tls-common { + private_key_file = ${certdir}/aaaKey.pem + certificate_file = ${certdir}/aaaCert.pem + ca_file = ${cadir}/strongswanCert.pem + cipher_list = "DEFAULT" + dh_file = ${certdir}/dh + random_file = ${certdir}/random + } + + ttls { + tls = tls-common + default_eap_type = md5 + use_tunneled_reply = yes + virtual_server = "inner-tunnel" + } +} diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/proxy.conf b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/proxy.conf new file mode 100644 index 000000000..23cba8d11 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/proxy.conf @@ -0,0 +1,5 @@ +realm strongswan.org { + type = radius + authhost = LOCAL + accthost = LOCAL +} diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default new file mode 100644 index 000000000..2bbe1d730 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/default @@ -0,0 +1,59 @@ +server default { + +listen { + type = auth + ipaddr = 10.1.0.10 + port = 0 +} + +authorize { + preprocess + suffix + eap { + ok = return + } + files + expiration + logintime +} + +authenticate { + eap +} + +preacct { + preprocess + acct_unique + suffix + files +} + +accounting { + detail + unix + radutmp + exec + attr_filter.accounting_response +} + +session { + radutmp +} + +post-auth { + exec + Post-Auth-Type REJECT { + attr_filter.access_reject + eap + remove_reply_message_if_eap + } +} + +pre-proxy { +} + +post-proxy { + eap +} + +} diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel new file mode 100644 index 000000000..6ce9d6391 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/sites-available/inner-tunnel @@ -0,0 +1,38 @@ +server inner-tunnel { + +authorize { + filter_username + suffix + eap { + ok = return + } + files + expiration + logintime +} + +authenticate { + eap +} + +session { + radutmp +} + +post-auth { + Post-Auth-Type REJECT { + attr_filter.access_reject + update outer.session-state { + &Module-Failure-Message := &request:Module-Failure-Message + } + } +} + +pre-proxy { +} + +post-proxy { + eap +} + +} # inner-tunnel server block diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/users b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/users new file mode 100644 index 000000000..50ccf3e76 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/3.0/users @@ -0,0 +1,2 @@ +carol Cleartext-Password := "Ar3etTnp" +dave Cleartext-Password := "W7R0g3do" diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/eap.conf new file mode 100644 index 000000000..c91cd40fb --- /dev/null +++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/eap.conf @@ -0,0 +1,18 @@ +eap { + md5 { + } + default_eap_type = ttls + tls { + private_key_file = /etc/raddb/certs/aaaKey.pem + certificate_file = /etc/raddb/certs/aaaCert.pem + CA_file = /etc/raddb/certs/strongswanCert.pem + cipher_list = "DEFAULT" + dh_file = /etc/raddb/certs/dh + random_file = /etc/raddb/certs/random + } + ttls { + default_eap_type = md5 + use_tunneled_reply = yes + virtual_server = "inner-tunnel" + } +} diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/proxy.conf new file mode 100644 index 000000000..23cba8d11 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/proxy.conf @@ -0,0 +1,5 @@ +realm strongswan.org { + type = radius + authhost = LOCAL + accthost = LOCAL +} diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/sites-available/default new file mode 100644 index 000000000..dd0825858 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/sites-available/default @@ -0,0 +1,43 @@ +authorize { + suffix + eap { + ok = return + } + files +} + +authenticate { + eap +} + +preacct { + preprocess + acct_unique + suffix + files +} + +accounting { + detail + unix + radutmp + attr_filter.accounting_response +} + +session { + radutmp +} + +post-auth { + exec + Post-Auth-Type REJECT { + attr_filter.access_reject + } +} + +pre-proxy { +} + +post-proxy { + eap +} diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel new file mode 100644 index 000000000..e088fae14 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/sites-available/inner-tunnel @@ -0,0 +1,32 @@ +server inner-tunnel { + +authorize { + suffix + eap { + ok = return + } + files +} + +authenticate { + eap +} + +session { + radutmp +} + +post-auth { + Post-Auth-Type REJECT { + attr_filter.access_reject + } +} + +pre-proxy { +} + +post-proxy { + eap +} + +} # inner-tunnel server block diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/users b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/users new file mode 100644 index 000000000..50ccf3e76 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/alice/etc/freeradius/users @@ -0,0 +1,2 @@ +carol Cleartext-Password := "Ar3etTnp" +dave Cleartext-Password := "W7R0g3do" diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..85d90ccc1 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/carol/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown +} diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..7ffdd1f4c --- /dev/null +++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,35 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = eap + id = carol@strongswan.org + aaa_id = "C=CH, O=Linux strongSwan, CN=aaa.strongswan.org" + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} + +secrets { + + eap-carol { + id = carol@strongswan.org + secret = Ar3etTnp + } +} diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..85d90ccc1 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown +} diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/dave/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..97c0b7057 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1,35 @@ +connections { + + home { + local_addrs = 192.168.0.200 + remote_addrs = 192.168.0.1 + + local { + auth = eap + id = dave@strongswan.org + aaa_id = "C=CH, O=Linux strongSwan, CN=aaa.strongswan.org" + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} + +secrets { + + eap-dave { + id = dave@strongswan.org + secret = UgaM65Va + } +} diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/moon/etc/iptables.rules b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/moon/etc/iptables.rules new file mode 100644 index 000000000..1eb755354 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/moon/etc/iptables.rules @@ -0,0 +1,32 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow esp +-A INPUT -i eth0 -p 50 -j ACCEPT +-A OUTPUT -o eth0 -p 50 -j ACCEPT + +# allow IKE +-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow crl fetch from winnetou +-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT +-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + +# allow RADIUS protocol with alice +-A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT +-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT + +COMMIT diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..bf614014d --- /dev/null +++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/moon/etc/strongswan.conf @@ -0,0 +1,16 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-radius updown + + plugins { + eap-radius { + secret = gv6URkSs + server = PH_IP_ALICE + } + } +} diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..ad6d62896 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-ttls-radius/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,27 @@ +connections { + + rw-eap { + local_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = eap-radius + id = *@strongswan.org + } + children { + net { + local_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/posttest.dat b/testing/tests/swanctl/rw-eap-ttls-radius/posttest.dat new file mode 100644 index 000000000..96b011090 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-ttls-radius/posttest.dat @@ -0,0 +1,7 @@ +carol::systemctl stop strongswan-swanctl +dave::systemctl stop strongswan-swanctl +moon::systemctl stop strongswan-swanctl +alice::killall freeradius +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/pretest.dat b/testing/tests/swanctl/rw-eap-ttls-radius/pretest.dat new file mode 100644 index 000000000..ff5f6e164 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-ttls-radius/pretest.dat @@ -0,0 +1,14 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +carol::cd /etc/swanctl; rm rsa/* x509/* +dave::cd /etc/swanctl; rm rsa/* x509/* +alice::freeradius +moon::systemctl start strongswan-swanctl +carol::systemctl start strongswan-swanctl +dave::systemctl start strongswan-swanctl +moon::expect-connection rw-eap +carol::expect-connection home +carol::swanctl --initiate --child home 2> /dev/null +dave::expect-connection home +dave::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/rw-eap-ttls-radius/test.conf b/testing/tests/swanctl/rw-eap-ttls-radius/test.conf new file mode 100644 index 000000000..0e5512b65 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-ttls-radius/test.conf @@ -0,0 +1,29 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice carol winnetou dave moon" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" + +# Guest instances on which FreeRadius is started +# +RADIUSHOSTS="alice" + +# charon controlled by swanctl +# +SWANCTL=1 |