diff options
Diffstat (limited to 'testing/tests/tnc/tnccs-11-radius')
30 files changed, 616 insertions, 0 deletions
diff --git a/testing/tests/tnc/tnccs-11-radius/description.txt b/testing/tests/tnc/tnccs-11-radius/description.txt new file mode 100644 index 000000000..83e5b96f3 --- /dev/null +++ b/testing/tests/tnc/tnccs-11-radius/description.txt @@ -0,0 +1,13 @@ +The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>. +At the outset the gateway authenticates itself to the clients by sending an IKEv2 +<b>RSA signature</b> accompanied by a certificate. +<b>carol</b> and <b>dave</b> then set up an <b>EAP-TTLS</b> tunnel each via <b>moon</b> to the +<a href="http://trust.inform.fh-hannover.de/joomla/index.php/projects/tncfhh" target="popup"> +<b>TNC@FHH</b></a>-enhanced FreeRADIUS server <b>alice</b> authenticated by an X.509 AAA certificate. +The strong EAP-TTLS tunnel protects the ensuing weak client authentication based on <b>EAP-MD5</b>. +In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the +health of <b>carol</b> and <b>dave</b> via the <b>IF-TNCCS 1.1</b> client-server interface. +The communication between IMCs and IMVs is based on the <b>IF-M</b> protocol defined by <b>RFC 5792 PA-TNC</b>. +<p> +<b>carol</b> passes the health test and <b>dave</b> fails. Based on these measurements the clients +are connected by gateway <b>moon</b> to the "rw-allow" and "rw-isolate" subnets, respectively. diff --git a/testing/tests/tnc/tnccs-11-radius/evaltest.dat b/testing/tests/tnc/tnccs-11-radius/evaltest.dat new file mode 100644 index 000000000..d0ea22ba9 --- /dev/null +++ b/testing/tests/tnc/tnccs-11-radius/evaltest.dat @@ -0,0 +1,19 @@ +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES +carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES +carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES +carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES +dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES +dave::cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES +dave::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES +dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES +moon::cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'allow'::YES +moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES +moon::cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'isolate'::YES +moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES +moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES +moon::ipsec statusall::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO +dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES +dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO + diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/clients.conf b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/clients.conf new file mode 100644 index 000000000..f4e179aa4 --- /dev/null +++ b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/clients.conf @@ -0,0 +1,4 @@ +client PH_IP_MOON1 { + secret = gv6URkSs + shortname = moon +} diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/dictionary b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/dictionary new file mode 100644 index 000000000..1a27a02fc --- /dev/null +++ b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/dictionary @@ -0,0 +1,2 @@ +$INCLUDE /usr/share/freeradius/dictionary +$INCLUDE /etc/raddb/dictionary.tnc diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/dictionary.tnc b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/dictionary.tnc new file mode 100644 index 000000000..f295467a9 --- /dev/null +++ b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/dictionary.tnc @@ -0,0 +1,5 @@ +ATTRIBUTE TNC-Status 3001 integer + +VALUE TNC-Status Access 0 +VALUE TNC-Status Isolate 1 +VALUE TNC-Status None 2 diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/eap.conf b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/eap.conf new file mode 100644 index 000000000..31556361e --- /dev/null +++ b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/eap.conf @@ -0,0 +1,25 @@ +eap { + md5 { + } + default_eap_type = ttls + tls { + private_key_file = /etc/raddb/certs/aaaKey.pem + certificate_file = /etc/raddb/certs/aaaCert.pem + CA_file = /etc/raddb/certs/strongswanCert.pem + cipher_list = "DEFAULT" + dh_file = /etc/raddb/certs/dh + random_file = /etc/raddb/certs/random + } + ttls { + default_eap_type = md5 + use_tunneled_reply = yes + virtual_server = "inner-tunnel" + tnc_virtual_server = "inner-tunnel-second" + } +} + +eap eap_tnc { + default_eap_type = tnc + tnc { + } +} diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/proxy.conf b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/proxy.conf new file mode 100644 index 000000000..23cba8d11 --- /dev/null +++ b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/proxy.conf @@ -0,0 +1,5 @@ +realm strongswan.org { + type = radius + authhost = LOCAL + accthost = LOCAL +} diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/radiusd.conf new file mode 100644 index 000000000..1143a0473 --- /dev/null +++ b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/radiusd.conf @@ -0,0 +1,120 @@ +# radiusd.conf -- FreeRADIUS server configuration file. + +prefix = /usr +exec_prefix = ${prefix} +sysconfdir = /etc +localstatedir = /var +sbindir = ${exec_prefix}/sbin +logdir = ${localstatedir}/log/radius +raddbdir = ${sysconfdir}/raddb +radacctdir = ${logdir}/radacct + +# name of the running server. See also the "-n" command-line option. +name = radiusd + +# Location of config and logfiles. +confdir = ${raddbdir} +run_dir = ${localstatedir}/run/radiusd + +# Should likely be ${localstatedir}/lib/radiusd +db_dir = ${raddbdir} + +# libdir: Where to find the rlm_* modules. +libdir = ${exec_prefix}/lib + +# pidfile: Where to place the PID of the RADIUS server. +pidfile = ${run_dir}/${name}.pid + +# max_request_time: The maximum time (in seconds) to handle a request. +max_request_time = 30 + +# cleanup_delay: The time to wait (in seconds) before cleaning up +cleanup_delay = 5 + +# max_requests: The maximum number of requests which the server keeps +max_requests = 1024 + +# listen: Make the server listen on a particular IP address, and send +listen { + type = auth + ipaddr = PH_IP_ALICE + port = 0 +} + +# This second "listen" section is for listening on the accounting +# port, too. +# +listen { + type = acct + ipaddr = PH_IP_ALICE + port = 0 +} + +# hostname_lookups: Log the names of clients or just their IP addresses +hostname_lookups = no + +# Core dumps are a bad thing. This should only be set to 'yes' +allow_core_dumps = no + +# Regular expressions +regular_expressions = yes +extended_expressions = yes + +# Logging section. The various "log_*" configuration items +log { + destination = files + file = ${logdir}/radius.log + syslog_facility = daemon + stripped_names = no + auth = yes + auth_badpass = yes + auth_goodpass = yes +} + +# The program to execute to do concurrency checks. +checkrad = ${sbindir}/checkrad + +# Security considerations +security { + max_attributes = 200 + reject_delay = 1 + status_server = yes +} + +# PROXY CONFIGURATION +proxy_requests = yes +$INCLUDE proxy.conf + +# CLIENTS CONFIGURATION +$INCLUDE clients.conf + +# THREAD POOL CONFIGURATION +thread pool { + start_servers = 5 + max_servers = 32 + min_spare_servers = 3 + max_spare_servers = 10 + max_requests_per_server = 0 +} + +# MODULE CONFIGURATION +modules { + $INCLUDE ${confdir}/modules/ + $INCLUDE eap.conf + $INCLUDE sql.conf + $INCLUDE sql/mysql/counter.conf +} + +# Instantiation +instantiate { + exec + expr + expiration + logintime +} + +# Policies +$INCLUDE policy.conf + +# Include all enabled virtual hosts +$INCLUDE sites-enabled/ diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/sites-available/default b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/sites-available/default new file mode 100644 index 000000000..802fcfd8d --- /dev/null +++ b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/sites-available/default @@ -0,0 +1,44 @@ +authorize { + suffix + eap { + ok = return + } + files +} + +authenticate { + eap +} + +preacct { + preprocess + acct_unique + suffix + files +} + +accounting { + detail + unix + radutmp + attr_filter.accounting_response +} + +session { + radutmp +} + +post-auth { + exec + Post-Auth-Type REJECT { + attr_filter.access_reject + } +} + +pre-proxy { +} + +post-proxy { + eap +} + diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel new file mode 100644 index 000000000..e088fae14 --- /dev/null +++ b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel @@ -0,0 +1,32 @@ +server inner-tunnel { + +authorize { + suffix + eap { + ok = return + } + files +} + +authenticate { + eap +} + +session { + radutmp +} + +post-auth { + Post-Auth-Type REJECT { + attr_filter.access_reject + } +} + +pre-proxy { +} + +post-proxy { + eap +} + +} # inner-tunnel server block diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel-second b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel-second new file mode 100644 index 000000000..f91bccc72 --- /dev/null +++ b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel-second @@ -0,0 +1,36 @@ +server inner-tunnel-second { + +authorize { + eap_tnc { + ok = return + } +} + +authenticate { + eap_tnc +} + +session { + radutmp +} + +post-auth { + if (control:TNC-Status == "Access") { + update reply { + Tunnel-Type := ESP + Filter-Id := "allow" + } + } + elsif (control:TNC-Status == "Isolate") { + update reply { + Tunnel-Type := ESP + Filter-Id := "isolate" + } + } + + Post-Auth-Type REJECT { + attr_filter.access_reject + } +} + +} # inner-tunnel-second block diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/users b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/users new file mode 100644 index 000000000..50ccf3e76 --- /dev/null +++ b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/raddb/users @@ -0,0 +1,2 @@ +carol Cleartext-Password := "Ar3etTnp" +dave Cleartext-Password := "W7R0g3do" diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/strongswan.conf new file mode 100644 index 000000000..5d586066b --- /dev/null +++ b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/strongswan.conf @@ -0,0 +1,15 @@ +# /etc/strongswan.conf - strongSwan configuration file + +libimcv { + debug_level = 3 + plugins { + imv-test { + rounds = 1 + } + imv-scanner { + closed_port_policy = yes + tcp_ports = 22 + udp_ports = 500 4500 + } + } +} diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/tnc/log4cxx.properties b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/tnc/log4cxx.properties new file mode 100644 index 000000000..2bdc6e4de --- /dev/null +++ b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/tnc/log4cxx.properties @@ -0,0 +1,15 @@ +# Set root logger level to DEBUG and its appenders to A1 and A2. +log4j.rootLogger=DEBUG, A1, A2 + +# A1 is set to be a ConsoleAppender. +log4j.appender.A1=org.apache.log4j.ConsoleAppender +log4j.appender.A1.layout=org.apache.log4j.PatternLayout +log4j.appender.A1.layout.ConversionPattern=[FHH] %m%n + +# A2 is set to be a SyslogAppender +log4j.appender.A2=org.apache.log4j.net.SyslogAppender +log4j.appender.A2.Facility=DAEMON +log4j.appender.A2.SyslogHost=localhost +log4j.appender.A2.Threshold=DEBUG +log4j.appender.A2.layout=org.apache.log4j.PatternLayout +log4j.appender.A2.layout.ConversionPattern=[FHH] %m%n diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/tnc_config b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/tnc_config new file mode 100644 index 000000000..da732f68b --- /dev/null +++ b/testing/tests/tnc/tnccs-11-radius/hosts/alice/etc/tnc_config @@ -0,0 +1,4 @@ +#IMV configuration file for strongSwan client + +IMV "Test" /usr/local/lib/ipsec/imcvs/imv-test.so +IMV "Scanner" /usr/local/lib/ipsec/imcvs/imv-scanner.so diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..a639b0426 --- /dev/null +++ b/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutostart=no + charondebug="tnc 3, imc 3" + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_CAROL + leftid=carol@strongswan.org + leftauth=eap + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + rightauth=pubkey + aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org" + auto=add diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..74942afda --- /dev/null +++ b/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +carol@strongswan.org : EAP "Ar3etTnp" diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..7bff51d6b --- /dev/null +++ b/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/strongswan.conf @@ -0,0 +1,14 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown + multiple_authentication=no +} + +libimcv { + plugins { + imc-test { + command = allow + } + } +} diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/tnc_config new file mode 100644 index 000000000..6166552f5 --- /dev/null +++ b/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/tnc_config @@ -0,0 +1,4 @@ +#IMC configuration file for strongSwan client + +IMC "Test" /usr/local/lib/ipsec/imcvs/imc-test.so +IMC "Scanner" /usr/local/lib/ipsec/imcvs/imc-scanner.so diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..5da78b4ab --- /dev/null +++ b/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutostart=no + charondebug="tnc 3, imc 3" + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_DAVE + leftid=dave@strongswan.org + leftauth=eap + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + rightauth=pubkey + aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org" + auto=add diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/ipsec.secrets new file mode 100644 index 000000000..5496df7ad --- /dev/null +++ b/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +dave@strongswan.org : EAP "W7R0g3do" diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..a599122bc --- /dev/null +++ b/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/strongswan.conf @@ -0,0 +1,14 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown + multiple_authentication=no +} + +libimcv { + plugins { + imc-test { + command = isolate + } + } +} diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/tnc_config b/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/tnc_config new file mode 100644 index 000000000..6166552f5 --- /dev/null +++ b/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/tnc_config @@ -0,0 +1,4 @@ +#IMC configuration file for strongSwan client + +IMC "Test" /usr/local/lib/ipsec/imcvs/imc-test.so +IMC "Scanner" /usr/local/lib/ipsec/imcvs/imc-scanner.so diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/init.d/iptables b/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/init.d/iptables new file mode 100755 index 000000000..56587b2e8 --- /dev/null +++ b/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/init.d/iptables @@ -0,0 +1,84 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +opts="start stop reload" + +depend() { + before net + need logger +} + +start() { + ebegin "Starting firewall" + + # enable IP forwarding + echo 1 > /proc/sys/net/ipv4/ip_forward + + # default policy is DROP + /sbin/iptables -P INPUT DROP + /sbin/iptables -P OUTPUT DROP + /sbin/iptables -P FORWARD DROP + + # allow esp + iptables -A INPUT -i eth0 -p 50 -j ACCEPT + iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT + + # allow IKE + iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT + iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + + # allow MobIKE + iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT + iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + + # allow crl fetch from winnetou + iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT + iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + + # allow RADIUS protocol with alice + iptables -A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT + iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT + + # allow ssh + iptables -A INPUT -p tcp --dport 22 -j ACCEPT + iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT + + eend $? +} + +stop() { + ebegin "Stopping firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + + if [ $a == nat ]; then + /sbin/iptables -t nat -P PREROUTING ACCEPT + /sbin/iptables -t nat -P POSTROUTING ACCEPT + /sbin/iptables -t nat -P OUTPUT ACCEPT + elif [ $a == mangle ]; then + /sbin/iptables -t mangle -P PREROUTING ACCEPT + /sbin/iptables -t mangle -P INPUT ACCEPT + /sbin/iptables -t mangle -P FORWARD ACCEPT + /sbin/iptables -t mangle -P OUTPUT ACCEPT + /sbin/iptables -t mangle -P POSTROUTING ACCEPT + elif [ $a == filter ]; then + /sbin/iptables -t filter -P INPUT ACCEPT + /sbin/iptables -t filter -P FORWARD ACCEPT + /sbin/iptables -t filter -P OUTPUT ACCEPT + fi + done + eend $? +} + +reload() { + ebegin "Flushing firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + done; + eend $? + start +} + diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..33dcdcfb0 --- /dev/null +++ b/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/ipsec.conf @@ -0,0 +1,35 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn rw-allow + rightgroups=allow + leftsubnet=10.1.0.0/28 + also=rw-eap + auto=add + +conn rw-isolate + rightgroups=isolate + leftsubnet=10.1.0.16/28 + also=rw-eap + auto=add + +conn rw-eap + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftauth=pubkey + leftfirewall=yes + rightauth=eap-radius + rightid=*@strongswan.org + rightsendcert=never + right=%any diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..e86d6aa5c --- /dev/null +++ b/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA moonKey.pem diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..40be81b48 --- /dev/null +++ b/testing/tests/tnc/tnccs-11-radius/hosts/moon/etc/strongswan.conf @@ -0,0 +1,13 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default eap-radius updown + multiple_authentication=no + plugins { + eap-radius { + secret = gv6URkSs + server = PH_IP_ALICE + filter_id = yes + } + } +} diff --git a/testing/tests/tnc/tnccs-11-radius/posttest.dat b/testing/tests/tnc/tnccs-11-radius/posttest.dat new file mode 100644 index 000000000..86bd89dea --- /dev/null +++ b/testing/tests/tnc/tnccs-11-radius/posttest.dat @@ -0,0 +1,8 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +alice::killall radiusd +alice::rm /etc/raddb/sites-enabled/inner-tunnel-second +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +dave::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/tnc/tnccs-11-radius/pretest.dat b/testing/tests/tnc/tnccs-11-radius/pretest.dat new file mode 100644 index 000000000..b5d284278 --- /dev/null +++ b/testing/tests/tnc/tnccs-11-radius/pretest.dat @@ -0,0 +1,16 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +dave::/etc/init.d/iptables start 2> /dev/null +alice::ln -s /etc/raddb/sites-available/inner-tunnel-second /etc/raddb/sites-enabled/inner-tunnel-second +alice::cat /etc/raddb/sites-enabled/inner-tunnel-second +alice::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties radiusd +alice::cat /etc/tnc_config +carol::cat /etc/tnc_config +dave::cat /etc/tnc_config +moon::ipsec start +carol::LEAK_DETECTIVE_DISABLE=1 ipsec start +dave::LEAK_DETECTIVE_DISABLE=1 ipsec start +carol::sleep 1 +carol::ipsec up home +dave::ipsec up home +dave::sleep 1 diff --git a/testing/tests/tnc/tnccs-11-radius/test.conf b/testing/tests/tnc/tnccs-11-radius/test.conf new file mode 100644 index 000000000..2a52df203 --- /dev/null +++ b/testing/tests/tnc/tnccs-11-radius/test.conf @@ -0,0 +1,26 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice venus moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-v-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" + +# UML instances on which FreeRadius is started +# +RADIUSHOSTS="alice" + |