diff options
Diffstat (limited to 'testing/tests/swanctl')
22 files changed, 347 insertions, 0 deletions
diff --git a/testing/tests/swanctl/rw-eap-aka-sql-rsa/description.txt b/testing/tests/swanctl/rw-eap-aka-sql-rsa/description.txt new file mode 100644 index 000000000..a7410c1b6 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-aka-sql-rsa/description.txt @@ -0,0 +1,9 @@ +At the outset the gateway authenticates itself to the client by sending an +IKEv2 <b>RSA signature</b> accompanied by a certificate. +The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>. +<b>carol</b> uses the <i>Extensible Authentication Protocol</i> +in association with the <i>Authentication and Key Agreement</i> protocol +(<b>EAP-AKA</b>) to authenticate against the gateway. In this scenario, +quintuplets from the SQL database /etc/ipsec.d/ipsec.db are used instead +of a physical USIM card on the client <b>carol</b>. The USIM provider on +gateway <b>moon</b> also stores the quintuplets in an SQL database. diff --git a/testing/tests/swanctl/rw-eap-aka-sql-rsa/evaltest.dat b/testing/tests/swanctl/rw-eap-aka-sql-rsa/evaltest.dat new file mode 100644 index 000000000..b529b4bce --- /dev/null +++ b/testing/tests/swanctl/rw-eap-aka-sql-rsa/evaltest.dat @@ -0,0 +1,10 @@ +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES +carol::cat /var/log/daemon.log::server requested EAP_AKA authentication::YES +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES +moon:: cat /var/log/daemon.log::EAP method EAP_AKA succeeded, MSK established +moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/swanctl/rw-eap-aka-sql-rsa/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/swanctl/rw-eap-aka-sql-rsa/hosts/carol/etc/ipsec.d/data.sql new file mode 100644 index 000000000..038c454aa --- /dev/null +++ b/testing/tests/swanctl/rw-eap-aka-sql-rsa/hosts/carol/etc/ipsec.d/data.sql @@ -0,0 +1,9 @@ +INSERT INTO quintuplets + (id, used, rand, autn, ck, ik, res) VALUES + ('carol@strongswan.org', 0, + X'00112233445566778899AABBCCDDEEFF', + X'112233445566778899AABBCCDDEEFF00', + X'2233445566778899AABBCCDDEEFF0011', + X'33445566778899AABBCCDDEEFF001122', + X'00112233445566778899' + ); diff --git a/testing/tests/swanctl/rw-eap-aka-sql-rsa/hosts/carol/etc/ipsec.d/tables.sql b/testing/tests/swanctl/rw-eap-aka-sql-rsa/hosts/carol/etc/ipsec.d/tables.sql new file mode 100644 index 000000000..301f2bfd6 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-aka-sql-rsa/hosts/carol/etc/ipsec.d/tables.sql @@ -0,0 +1,10 @@ +DROP TABLE IF EXISTS quintuplets; +CREATE TABLE quintuplets ( + id TEXT NOT NULL, + used INTEGER NOT NULL, + rand BLOB NOT NULL, + autn BLOB NOT NULL, + ck BLOB NOT NULL, + ik BLOB NOT NULL, + res BLOB NOT NULL +); diff --git a/testing/tests/swanctl/rw-eap-aka-sql-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-aka-sql-rsa/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..dd99cdbf9 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-aka-sql-rsa/hosts/carol/etc/strongswan.conf @@ -0,0 +1,19 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default sqlite fips-prf eap-aka eap-simaka-sql updown + + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } + plugins { + eap-simaka-sql { + database = sqlite:///etc/ipsec.d/ipsec.db + } + } +} diff --git a/testing/tests/swanctl/rw-eap-aka-sql-rsa/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-aka-sql-rsa/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..0466032a0 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-aka-sql-rsa/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,26 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = eap + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/swanctl/rw-eap-aka-sql-rsa/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/swanctl/rw-eap-aka-sql-rsa/hosts/moon/etc/ipsec.d/data.sql new file mode 100644 index 000000000..038c454aa --- /dev/null +++ b/testing/tests/swanctl/rw-eap-aka-sql-rsa/hosts/moon/etc/ipsec.d/data.sql @@ -0,0 +1,9 @@ +INSERT INTO quintuplets + (id, used, rand, autn, ck, ik, res) VALUES + ('carol@strongswan.org', 0, + X'00112233445566778899AABBCCDDEEFF', + X'112233445566778899AABBCCDDEEFF00', + X'2233445566778899AABBCCDDEEFF0011', + X'33445566778899AABBCCDDEEFF001122', + X'00112233445566778899' + ); diff --git a/testing/tests/swanctl/rw-eap-aka-sql-rsa/hosts/moon/etc/ipsec.d/tables.sql b/testing/tests/swanctl/rw-eap-aka-sql-rsa/hosts/moon/etc/ipsec.d/tables.sql new file mode 100644 index 000000000..301f2bfd6 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-aka-sql-rsa/hosts/moon/etc/ipsec.d/tables.sql @@ -0,0 +1,10 @@ +DROP TABLE IF EXISTS quintuplets; +CREATE TABLE quintuplets ( + id TEXT NOT NULL, + used INTEGER NOT NULL, + rand BLOB NOT NULL, + autn BLOB NOT NULL, + ck BLOB NOT NULL, + ik BLOB NOT NULL, + res BLOB NOT NULL +); diff --git a/testing/tests/swanctl/rw-eap-aka-sql-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-aka-sql-rsa/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..dd99cdbf9 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-aka-sql-rsa/hosts/moon/etc/strongswan.conf @@ -0,0 +1,19 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default sqlite fips-prf eap-aka eap-simaka-sql updown + + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } + plugins { + eap-simaka-sql { + database = sqlite:///etc/ipsec.d/ipsec.db + } + } +} diff --git a/testing/tests/swanctl/rw-eap-aka-sql-rsa/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-aka-sql-rsa/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..53efd8db0 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-aka-sql-rsa/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,26 @@ +connections { + + rw-eap { + local_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = eap-aka + } + children { + net { + local_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/swanctl/rw-eap-aka-sql-rsa/posttest.dat b/testing/tests/swanctl/rw-eap-aka-sql-rsa/posttest.dat new file mode 100644 index 000000000..2fc2bbb75 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-aka-sql-rsa/posttest.dat @@ -0,0 +1,5 @@ +carol::swanctl --terminate --ike home +carol::service charon stop 2> /dev/null +moon::service charon stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/rw-eap-aka-sql-rsa/pretest.dat b/testing/tests/swanctl/rw-eap-aka-sql-rsa/pretest.dat new file mode 100644 index 000000000..3842250e6 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-aka-sql-rsa/pretest.dat @@ -0,0 +1,10 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +carol::cd /etc/ipsec.d; cat tables.sql data.sql > ipsec.sql; cat ipsec.sql | sqlite3 ipsec.db +moon::cd /etc/ipsec.d; cat tables.sql data.sql > ipsec.sql; cat ipsec.sql | sqlite3 ipsec.db +carol::cd /etc/swanctl; rm rsa/* x509/* +moon::service charon start 2> /dev/null +carol::service charon start 2> /dev/null +moon::expect-connection rw-eap +carol::expect-connection home +carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/rw-eap-aka-sql-rsa/test.conf b/testing/tests/swanctl/rw-eap-aka-sql-rsa/test.conf new file mode 100644 index 000000000..97b89cb61 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-aka-sql-rsa/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice carol moon" + +# Corresponding block diagram +# +DIAGRAM="a-m-c.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/swanctl/rw-eap-md5-id-rsa/description.txt b/testing/tests/swanctl/rw-eap-md5-id-rsa/description.txt new file mode 100644 index 000000000..cf399bc05 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-md5-id-rsa/description.txt @@ -0,0 +1,9 @@ +The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>. +At the outset the gateway authenticates itself to the client by sending +an IKEv2 <b>RSA signature</b> accompanied by a certificate. +<b>carol</b> then uses the <i>Extensible Authentication Protocol</i> +in association with an <i>MD5</i> challenge and response protocol +(<b>EAP-MD5</b>) to authenticate against the gateway <b>moon</b>. +In addition to her IKEv2 identity which defaults to her IP address, +roadwarrior <b>carol</b> uses the EAP identity <b>carol</b>. + diff --git a/testing/tests/swanctl/rw-eap-md5-id-rsa/evaltest.dat b/testing/tests/swanctl/rw-eap-md5-id-rsa/evaltest.dat new file mode 100644 index 000000000..4558813e6 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-md5-id-rsa/evaltest.dat @@ -0,0 +1,11 @@ +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES +carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES +moon:: cat /var/log/daemon.log::received EAP identity.*carol +moon:: cat /var/log/daemon.log::EAP method EAP_MD5 succeeded, no MSK established +moon:: cat /var/log/daemon.log::authentication of '192.168.0.100' with EAP successful::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=192.168.0.100 remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-eap.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=192.168.0.100.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/swanctl/rw-eap-md5-id-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-md5-id-rsa/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..4b8e68e6d --- /dev/null +++ b/testing/tests/swanctl/rw-eap-md5-id-rsa/hosts/carol/etc/strongswan.conf @@ -0,0 +1,14 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon { + load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-md5 updown + + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } +} diff --git a/testing/tests/swanctl/rw-eap-md5-id-rsa/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-md5-id-rsa/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..1b5c5d99f --- /dev/null +++ b/testing/tests/swanctl/rw-eap-md5-id-rsa/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,34 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = eap + eap_id = carol + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} + +secrets { + + eap-carol { + id = carol + secret = Ar3etTnp + } +} diff --git a/testing/tests/swanctl/rw-eap-md5-id-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-md5-id-rsa/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..4b8e68e6d --- /dev/null +++ b/testing/tests/swanctl/rw-eap-md5-id-rsa/hosts/moon/etc/strongswan.conf @@ -0,0 +1,14 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon { + load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default eap-identity eap-md5 updown + + start-scripts { + creds = /usr/local/sbin/swanctl --load-creds + conns = /usr/local/sbin/swanctl --load-conns + } +} diff --git a/testing/tests/swanctl/rw-eap-md5-id-rsa/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-md5-id-rsa/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 000000000..827b43b8d --- /dev/null +++ b/testing/tests/swanctl/rw-eap-md5-id-rsa/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,40 @@ +connections { + + rw-eap { + local_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = eap-md5 + eap_id = %any + } + children { + net { + local_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + send_certreq = no + proposals = aes128-sha256-x25519 + } +} + +secrets { + + eap-carol { + id = carol + secret = Ar3etTnp + } + eap-dave { + id = dave + secret = W7R0g3do + } +} + diff --git a/testing/tests/swanctl/rw-eap-md5-id-rsa/posttest.dat b/testing/tests/swanctl/rw-eap-md5-id-rsa/posttest.dat new file mode 100644 index 000000000..2fc2bbb75 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-md5-id-rsa/posttest.dat @@ -0,0 +1,5 @@ +carol::swanctl --terminate --ike home +carol::service charon stop 2> /dev/null +moon::service charon stop 2> /dev/null +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/swanctl/rw-eap-md5-id-rsa/pretest.dat b/testing/tests/swanctl/rw-eap-md5-id-rsa/pretest.dat new file mode 100644 index 000000000..96c1ed114 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-md5-id-rsa/pretest.dat @@ -0,0 +1,8 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +carol::cd /etc/swanctl; rm rsa/* x509/* +moon::service charon start 2> /dev/null +carol::service charon start 2> /dev/null +moon::expect-connection rw-eap +carol::expect-connection home +carol::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/swanctl/rw-eap-md5-id-rsa/test.conf b/testing/tests/swanctl/rw-eap-md5-id-rsa/test.conf new file mode 100644 index 000000000..97b89cb61 --- /dev/null +++ b/testing/tests/swanctl/rw-eap-md5-id-rsa/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice carol moon" + +# Corresponding block diagram +# +DIAGRAM="a-m-c.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" + +# charon controlled by swanctl +# +SWANCTL=1 |