diff options
Diffstat (limited to 'testing/tests')
562 files changed, 7898 insertions, 355 deletions
diff --git a/testing/tests/ike/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/ike/rw-cert/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ike/rw-cert/hosts/dave/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ike/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ike/rw-cert/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ike/rw-cert/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ike/rw_v1-net_v2/hosts/moon/etc/strongswan.conf b/testing/tests/ike/rw_v1-net_v2/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ike/rw_v1-net_v2/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ike/rw_v1-net_v2/hosts/sun/etc/strongswan.conf b/testing/tests/ike/rw_v1-net_v2/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ike/rw_v1-net_v2/hosts/sun/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev1/alg-blowfish/evaltest.dat b/testing/tests/ikev1/alg-blowfish/evaltest.dat index a9c9b803a..a2ae3ff6b 100644 --- a/testing/tests/ikev1/alg-blowfish/evaltest.dat +++ b/testing/tests/ikev1/alg-blowfish/evaltest.dat @@ -1,9 +1,10 @@ - carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES -moon::ipsec statusall::IKE algorithm newest: BLOWFISH_CBC_256-SHA2_512-MODP4096::YES carol::ipsec statusall::IKE algorithm newest: BLOWFISH_CBC_256-SHA2_512-MODP4096::YES -moon::ipsec statusall::ESP algorithm newest: BLOWFISH_256-HMAC_SHA2_256::YES +moon::ipsec statusall::IKE algorithm newest: BLOWFISH_CBC_256-SHA2_512-MODP4096::YES carol::ipsec statusall::ESP algorithm newest: BLOWFISH_256-HMAC_SHA2_256::YES +moon::ipsec statusall::ESP algorithm newest: BLOWFISH_256-HMAC_SHA2_256::YES +carol::ip xfrm state::enc cbc(blowfish)::YES +moon::ip xfrm state::enc cbc(blowfish)::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES diff --git a/testing/tests/ikev1/alg-serpent/evaltest.dat b/testing/tests/ikev1/alg-serpent/evaltest.dat index 6b792538b..ffca0e7a0 100644 --- a/testing/tests/ikev1/alg-serpent/evaltest.dat +++ b/testing/tests/ikev1/alg-serpent/evaltest.dat @@ -1,9 +1,10 @@ - carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES -moon::ipsec statusall::IKE algorithm newest: SERPENT_CBC_256-SHA2_512-MODP4096::YES carol::ipsec statusall::IKE algorithm newest: SERPENT_CBC_256-SHA2_512-MODP4096::YES -moon::ipsec statusall::ESP algorithm newest: SERPENT_256-HMAC_SHA2_256::YES +moon::ipsec statusall::IKE algorithm newest: SERPENT_CBC_256-SHA2_512-MODP4096::YES carol::ipsec statusall::ESP algorithm newest: SERPENT_256-HMAC_SHA2_256::YES +moon::ipsec statusall::ESP algorithm newest: SERPENT_256-HMAC_SHA2_256::YES +carol::ip xfrm state::enc cbc(serpent)::YES +moon::ip xfrm state::enc cbc(serpent)::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES diff --git a/testing/tests/ikev1/alg-sha2_256/evaltest.dat b/testing/tests/ikev1/alg-sha2_256/evaltest.dat index 9b4caa278..42d0099eb 100644 --- a/testing/tests/ikev1/alg-sha2_256/evaltest.dat +++ b/testing/tests/ikev1/alg-sha2_256/evaltest.dat @@ -1,9 +1,11 @@ carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES -moon::ipsec statusall::IKE algorithm newest: AES_CBC_128-SHA2_256-MODP1536::YES carol::ipsec statusall::IKE algorithm newest: AES_CBC_128-SHA2_256-MODP1536::YES -moon::ipsec statusall::ESP algorithm newest: AES_128-HMAC_SHA2_256::YES +moon::ipsec statusall::IKE algorithm newest: AES_CBC_128-SHA2_256-MODP1536::YES carol::ipsec statusall::ESP algorithm newest: AES_128-HMAC_SHA2_256::YES +moon::ipsec statusall::ESP algorithm newest: AES_128-HMAC_SHA2_256::YES +carol::ip xfrm state::auth hmac(sha256)::YES +moon::ip xfrm state::auth hmac(sha256)::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES diff --git a/testing/tests/ikev1/alg-twofish/evaltest.dat b/testing/tests/ikev1/alg-twofish/evaltest.dat index 0568eec6e..69e9267c3 100644 --- a/testing/tests/ikev1/alg-twofish/evaltest.dat +++ b/testing/tests/ikev1/alg-twofish/evaltest.dat @@ -1,8 +1,10 @@ carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES -moon::ipsec statusall::IKE algorithm newest: TWOFISH_CBC_256-SHA2_512-MODP4096::YES carol::ipsec statusall::IKE algorithm newest: TWOFISH_CBC_256-SHA2_512-MODP4096::YES -moon::ipsec statusall::ESP algorithm newest: TWOFISH_256-HMAC_SHA2_256::YES +moon::ipsec statusall::IKE algorithm newest: TWOFISH_CBC_256-SHA2_512-MODP4096::YES carol::ipsec statusall::ESP algorithm newest: TWOFISH_256-HMAC_SHA2_256::YES +moon::ipsec statusall::ESP algorithm newest: TWOFISH_256-HMAC_SHA2_256::YES +carol::ip xfrm state::enc cbc(twofish)::YES +moon::ip xfrm state::enc cbc(twofish)::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES diff --git a/testing/tests/ikev2/esp-alg-aesxcbc/description.txt b/testing/tests/ikev1/esp-alg-aesxcbc/description.txt index 0ea28a716..fef0ac2dd 100644 --- a/testing/tests/ikev2/esp-alg-aesxcbc/description.txt +++ b/testing/tests/ikev1/esp-alg-aesxcbc/description.txt @@ -1,4 +1,4 @@ Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite -<b>AES_CBC-256/AES_XCBC_96</b> by defining <b>esp=aes256-aesxcbc-modp2048</b> +<b>AES_256/AES_XCBC_MAC</b> by defining <b>esp=aes256-aesxcbc-modp2048</b> in ipsec.conf. A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel. diff --git a/testing/tests/ikev1/esp-alg-aesxcbc/evaltest.dat b/testing/tests/ikev1/esp-alg-aesxcbc/evaltest.dat new file mode 100644 index 000000000..f464bda65 --- /dev/null +++ b/testing/tests/ikev1/esp-alg-aesxcbc/evaltest.dat @@ -0,0 +1,9 @@ + +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +carol::ipsec statusall::ESP algorithm newest: AES_256-AES_XCBC_MAC::YES +moon::ipsec statusall::ESP algorithm newest: AES_256-AES_XCBC_MAC::YES +carol::ip xfrm state::auth xcbc(aes)::YES +moon::ip xfrm state::auth xcbc(aes)::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES + diff --git a/testing/tests/ikev1/esp-alg-aesxcbc/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aesxcbc/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..ed905d05f --- /dev/null +++ b/testing/tests/ikev1/esp-alg-aesxcbc/hosts/carol/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + ike=aes256-sha2_256-modp2048! + esp=aes256-aesxcbc! + +conn home + left=PH_IP_CAROL + leftcert=carolCert.pem + leftid=carol@strongswan.org + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ikev1/esp-alg-aesxcbc/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aesxcbc/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..f1b7ff56d --- /dev/null +++ b/testing/tests/ikev1/esp-alg-aesxcbc/hosts/moon/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + ike=aes256-sha2_256-modp2048! + esp=aes256-aesxcbc! + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + right=%any + rightid=carol@strongswan.org + auto=add diff --git a/testing/tests/ikev1/esp-alg-aesxcbc/posttest.dat b/testing/tests/ikev1/esp-alg-aesxcbc/posttest.dat new file mode 100644 index 000000000..c6d6235f9 --- /dev/null +++ b/testing/tests/ikev1/esp-alg-aesxcbc/posttest.dat @@ -0,0 +1,2 @@ +moon::ipsec stop +carol::ipsec stop diff --git a/testing/tests/ikev1/esp-alg-aesxcbc/pretest.dat b/testing/tests/ikev1/esp-alg-aesxcbc/pretest.dat new file mode 100644 index 000000000..7d077c126 --- /dev/null +++ b/testing/tests/ikev1/esp-alg-aesxcbc/pretest.dat @@ -0,0 +1,5 @@ +moon::echo 1 > /proc/sys/net/ipv4/ip_forward +carol::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/ikev1/esp-alg-aesxcbc/test.conf b/testing/tests/ikev1/esp-alg-aesxcbc/test.conf new file mode 100644 index 000000000..a6c8f026c --- /dev/null +++ b/testing/tests/ikev1/esp-alg-aesxcbc/test.conf @@ -0,0 +1,22 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" + diff --git a/testing/tests/ikev1/esp-alg-camellia/description.txt b/testing/tests/ikev1/esp-alg-camellia/description.txt new file mode 100644 index 000000000..ead39f580 --- /dev/null +++ b/testing/tests/ikev1/esp-alg-camellia/description.txt @@ -0,0 +1,4 @@ +Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite +<b>CAMELLIA_192/HMAC_SHA2_256</b> by defining <b>esp=camellia192-sha2_256-modp2048</b> +in ipsec.conf. A ping from <b>carol</b> to <b>alice</b> successfully checks +the established tunnel. diff --git a/testing/tests/ikev1/esp-alg-camellia/evaltest.dat b/testing/tests/ikev1/esp-alg-camellia/evaltest.dat new file mode 100644 index 000000000..b2871dabd --- /dev/null +++ b/testing/tests/ikev1/esp-alg-camellia/evaltest.dat @@ -0,0 +1,8 @@ +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +carol::ipsec statusall::ESP algorithm newest: CAMELLIA_192-HMAC_SHA2_256::YES +moon::ipsec statusall::ESP algorithm newest: CAMELLIA_192-HMAC_SHA2_256::YES +carol::ip xfrm state::enc cbc(camellia)::YES +moon::ip xfrm state::enc cbc(camellia)::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES + diff --git a/testing/tests/ikev1/esp-alg-camellia/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-camellia/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..fe74cc285 --- /dev/null +++ b/testing/tests/ikev1/esp-alg-camellia/hosts/carol/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + ike=aes192-sha2_256-modp2048! + esp=camellia192-sha2_256! + +conn home + left=PH_IP_CAROL + leftcert=carolCert.pem + leftid=carol@strongswan.org + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ikev1/esp-alg-camellia/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-camellia/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..33871d484 --- /dev/null +++ b/testing/tests/ikev1/esp-alg-camellia/hosts/moon/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + charonstart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + ike=aes192-sha2_256-modp2048! + esp=camellia192-sha2_256! + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + right=%any + rightid=carol@strongswan.org + auto=add diff --git a/testing/tests/ikev1/esp-alg-camellia/posttest.dat b/testing/tests/ikev1/esp-alg-camellia/posttest.dat new file mode 100644 index 000000000..c6d6235f9 --- /dev/null +++ b/testing/tests/ikev1/esp-alg-camellia/posttest.dat @@ -0,0 +1,2 @@ +moon::ipsec stop +carol::ipsec stop diff --git a/testing/tests/ikev1/esp-alg-camellia/pretest.dat b/testing/tests/ikev1/esp-alg-camellia/pretest.dat new file mode 100644 index 000000000..7d077c126 --- /dev/null +++ b/testing/tests/ikev1/esp-alg-camellia/pretest.dat @@ -0,0 +1,5 @@ +moon::echo 1 > /proc/sys/net/ipv4/ip_forward +carol::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/ikev1/esp-alg-camellia/test.conf b/testing/tests/ikev1/esp-alg-camellia/test.conf new file mode 100644 index 000000000..a6c8f026c --- /dev/null +++ b/testing/tests/ikev1/esp-alg-camellia/test.conf @@ -0,0 +1,22 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" + diff --git a/testing/tests/ikev1/req-pkcs10/pretest.dat b/testing/tests/ikev1/req-pkcs10/pretest.dat index 18b8b16e6..cb4355efa 100644 --- a/testing/tests/ikev1/req-pkcs10/pretest.dat +++ b/testing/tests/ikev1/req-pkcs10/pretest.dat @@ -16,6 +16,7 @@ winnetou::scp moon:/etc/ipsec.d/reqs/moonReq.der /etc/openssl/ winnetou::openssl req -inform der -in /etc/openssl/moonReq.der -out /etc/openssl/moonReq.pem winnetou::cd /etc/openssl; COMMON_NAME="moon.strongswan.org" openssl ca -in moonReq.pem -out moonCert.pem -notext -config openssl.cnf -extensions host_ext < yy.txt winnetou::scp /etc/openssl/moonCert.pem moon:/etc/ipsec.d/certs/ +carol::sleep 2 carol::ipsec start moon::ipsec start carol::sleep 2 diff --git a/testing/tests/ikev1/xauth-rsa-fail/pretest.dat b/testing/tests/ikev1/xauth-rsa-fail/pretest.dat index 1b8fc3b79..4ac57ab16 100644 --- a/testing/tests/ikev1/xauth-rsa-fail/pretest.dat +++ b/testing/tests/ikev1/xauth-rsa-fail/pretest.dat @@ -2,3 +2,4 @@ carol::ipsec start moon::ipsec start carol::sleep 2 carol::ipsec up home +carol::sleep 1 diff --git a/testing/tests/ikev2/alg-aes-xcbc/description.txt b/testing/tests/ikev2/alg-aes-xcbc/description.txt new file mode 100644 index 000000000..24a4afe57 --- /dev/null +++ b/testing/tests/ikev2/alg-aes-xcbc/description.txt @@ -0,0 +1,4 @@ +Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite +<b>AES_CBC-256/AES_XCBC_96</b> by defining <b>esp=aes256-aesxcbc-modp2048</b> +in ipsec.conf. The same cipher suite is used for IKE: <b>ike=aes256-aesxcbc-modp2048</b>. +A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel. diff --git a/testing/tests/ikev2/alg-aes-xcbc/evaltest.dat b/testing/tests/ikev2/alg-aes-xcbc/evaltest.dat new file mode 100644 index 000000000..853746cd4 --- /dev/null +++ b/testing/tests/ikev2/alg-aes-xcbc/evaltest.dat @@ -0,0 +1,9 @@ +moon::ipsec statusall::rw.*INSTALLED::YES +carol::ipsec statusall::home.*INSTALLED::YES +moon::ipsec statusall::rw.*IKE proposal.*AES_CBC-256/AES_XCBC_96/PRF_AES128_CBC/MODP_2048_BIT::YES +carol::ipsec statusall::home.*IKE proposal.*AES_CBC-256/AES_XCBC_96/PRF_AES128_CBC/MODP_2048_BIT::YES +moon::ipsec statusall::rw.*AES_CBC-256/AES_XCBC_96,::YES +carol::ipsec statusall::home.*AES_CBC-256/AES_XCBC_96,::YES +moon::ip xfrm state::auth xcbc(aes)::YES +carol::ip xfrm state::auth xcbc(aes)::YES +carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES diff --git a/testing/tests/ikev2/esp-alg-aesxcbc/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/ipsec.conf index 25f8ce8b2..edd0aaaf8 100755 --- a/testing/tests/ikev2/esp-alg-aesxcbc/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/ipsec.conf @@ -11,7 +11,7 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev2 - ike=aes256-sha256-modp2048! + ike=aes256-aesxcbc-modp2048! esp=aes256-aesxcbc-modp2048! conn home diff --git a/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/esp-alg-aesxcbc/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/ipsec.conf index 303a49152..18618929f 100755 --- a/testing/tests/ikev2/esp-alg-aesxcbc/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/ipsec.conf @@ -11,7 +11,7 @@ conn %default rekeymargin=3m keyingtries=1 keyexchange=ikev2 - ike=aes256-sha256-modp2048! + ike=aes256-aesxcbc-modp2048! esp=aes256-aesxcbc-modp2048! conn rw diff --git a/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/esp-alg-aesxcbc/posttest.dat b/testing/tests/ikev2/alg-aes-xcbc/posttest.dat index 94a400606..94a400606 100644 --- a/testing/tests/ikev2/esp-alg-aesxcbc/posttest.dat +++ b/testing/tests/ikev2/alg-aes-xcbc/posttest.dat diff --git a/testing/tests/ikev2/esp-alg-aesxcbc/pretest.dat b/testing/tests/ikev2/alg-aes-xcbc/pretest.dat index f360351e1..f360351e1 100644 --- a/testing/tests/ikev2/esp-alg-aesxcbc/pretest.dat +++ b/testing/tests/ikev2/alg-aes-xcbc/pretest.dat diff --git a/testing/tests/ikev2/esp-alg-aesxcbc/test.conf b/testing/tests/ikev2/alg-aes-xcbc/test.conf index 2b240d895..2b240d895 100644 --- a/testing/tests/ikev2/esp-alg-aesxcbc/test.conf +++ b/testing/tests/ikev2/alg-aes-xcbc/test.conf diff --git a/testing/tests/ikev2/compress/description.txt b/testing/tests/ikev2/compress/description.txt new file mode 100644 index 000000000..47829839d --- /dev/null +++ b/testing/tests/ikev2/compress/description.txt @@ -0,0 +1,3 @@ +This scenario enables IPCOMP compression between roadwarrior <b>carol</b> and +gateway <b>moon</b>. Two pings from <b>carol</b> to <b>alice</b> checks +the established tunnel with compression. diff --git a/testing/tests/ikev2/compress/evaltest.dat b/testing/tests/ikev2/compress/evaltest.dat new file mode 100644 index 000000000..279033f2b --- /dev/null +++ b/testing/tests/ikev2/compress/evaltest.dat @@ -0,0 +1,10 @@ +moon::cat /var/log/daemon.log::IKE_AUTH request.*N(IPCOMP_SUPP)::YES +moon::cat /var/log/daemon.log::IKE_AUTH response.*N(IPCOMP_SUPP)::YES +carol::ipsec status::home.*INSTALLED::YES +moon::ipsec status::rw.*INSTALLED::YES +moon::ip xfrm state::proto comp spi::YES +carol::ip xfrm state::proto comp spi::YES +carol::ping -n -c 2 -s 8184 -p deadbeef PH_IP_ALICE::8192 bytes from PH_IP_ALICE::YES +moon::tcpdump::carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::moon.strongswan.org > carol.strongswan.org: ESP::YES + diff --git a/testing/tests/ikev2/nat-pf/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/compress/hosts/carol/etc/ipsec.conf index 52345af7c..670a50c00 100644..100755 --- a/testing/tests/ikev2/nat-pf/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/compress/hosts/carol/etc/ipsec.conf @@ -1,17 +1,23 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file -version 2.0 # conforms to second version of ipsec.conf specification - config setup + crlcheckinterval=180 + strictcrlpolicy=no plutostart=no +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + compress=yes + conn home left=PH_IP_CAROL leftcert=carolCert.pem leftid=carol@strongswan.org right=PH_IP_MOON - rightcert=aliceCert.pem - rightid=alice@strongswan.org - rightsubnet=10.1.0.0/24 - keyexchange=ikev2 + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org auto=add diff --git a/testing/tests/ikev2/compress/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/compress/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/compress/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/compress/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/compress/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..91abfd4da --- /dev/null +++ b/testing/tests/ikev2/compress/hosts/moon/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + compress=yes + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + right=%any + rightid=carol@strongswan.org + auto=add diff --git a/testing/tests/ikev2/compress/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/compress/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/compress/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/compress/posttest.dat b/testing/tests/ikev2/compress/posttest.dat new file mode 100644 index 000000000..c6d6235f9 --- /dev/null +++ b/testing/tests/ikev2/compress/posttest.dat @@ -0,0 +1,2 @@ +moon::ipsec stop +carol::ipsec stop diff --git a/testing/tests/ikev2/compress/pretest.dat b/testing/tests/ikev2/compress/pretest.dat new file mode 100644 index 000000000..7d077c126 --- /dev/null +++ b/testing/tests/ikev2/compress/pretest.dat @@ -0,0 +1,5 @@ +moon::echo 1 > /proc/sys/net/ipv4/ip_forward +carol::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/ikev2/nat-pf/test.conf b/testing/tests/ikev2/compress/test.conf index 21bece8e6..fd33cfb57 100644 --- a/testing/tests/ikev2/nat-pf/test.conf +++ b/testing/tests/ikev2/compress/test.conf @@ -5,11 +5,11 @@ # All UML instances that are required for this test # -UMLHOSTS="alice moon carol winnetou" +UMLHOSTS="moon carol winnetou" # Corresponding block diagram # -DIAGRAM="a-m-c-w.png" +DIAGRAM="m-c-w.png" # UML instances on which tcpdump is to be started # @@ -18,4 +18,5 @@ TCPDUMPHOSTS="moon" # UML instances on which IPsec is started # Used for IPsec logging purposes # -IPSECHOSTS="alice carol" +IPSECHOSTS="moon carol" + diff --git a/testing/tests/ikev2/config-payload-swapped/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/config-payload-swapped/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/config-payload-swapped/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/config-payload-swapped/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/config-payload-swapped/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/config-payload-swapped/hosts/dave/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/ipsec.conf index 8458724c6..222673704 100755 --- a/testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/ipsec.conf @@ -13,7 +13,6 @@ conn %default keyexchange=ikev2 right=PH_IP_MOON rightsubnet=10.1.0.0/16 - rightsourceip=PH_IP_MOON1 rightcert=moonCert.pem rightid=@moon.strongswan.org rightfirewall=yes diff --git a/testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/config-payload/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/config-payload/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/config-payload/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/config-payload/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/config-payload/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/config-payload/hosts/dave/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/config-payload/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/config-payload/hosts/moon/etc/ipsec.conf index bafd1b155..bb558fe25 100755 --- a/testing/tests/ikev2/config-payload/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/config-payload/hosts/moon/etc/ipsec.conf @@ -13,7 +13,6 @@ conn %default keyexchange=ikev2 left=PH_IP_MOON leftsubnet=10.1.0.0/16 - leftsourceip=PH_IP_MOON1 leftcert=moonCert.pem leftid=@moon.strongswan.org leftfirewall=yes diff --git a/testing/tests/ikev2/config-payload/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/config-payload/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/config-payload/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/crl-from-cache/evaltest.dat b/testing/tests/ikev2/crl-from-cache/evaltest.dat index 9aa53fb64..f15196024 100644 --- a/testing/tests/ikev2/crl-from-cache/evaltest.dat +++ b/testing/tests/ikev2/crl-from-cache/evaltest.dat @@ -1,8 +1,10 @@ -moon::cat /var/log/daemon.log::loading crl file::YES -carol::cat /var/log/daemon.log::loading crl file::YES -moon::ipsec status::rw.*ESTABLISHED::YES -carol::ipsec status::home.*ESTABLISHED::YES -moon::cat /var/log/auth.log::written crl file::NO -carol::cat /var/log/auth.log::written crl file::NO +moon::cat /var/log/daemon.log::loaded crl file::YES +moon::cat /var/log/daemon.log::crl is valid::YES +moon::cat /var/log/daemon.log::certificate status is good::YES moon::ipsec listcrls:: ok::YES +carol::cat /var/log/daemon.log::loaded crl file::YES +carol::cat /var/log/daemon.log::crl is valid::YES +carol::cat /var/log/daemon.log::certificate status is good::YES carol::ipsec listcrls:: ok::YES +moon::ipsec status::rw.*ESTABLISHED::YES +carol::ipsec status::home.*ESTABLISHED::YES diff --git a/testing/tests/ikev2/crl-from-cache/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/crl-from-cache/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/crl-from-cache/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/crl-ldap/evaltest.dat b/testing/tests/ikev2/crl-ldap/evaltest.dat index 05e818e21..d98df8c7c 100644 --- a/testing/tests/ikev2/crl-ldap/evaltest.dat +++ b/testing/tests/ikev2/crl-ldap/evaltest.dat @@ -1,12 +1,12 @@ -moon::cat /var/log/daemon.log::loading crl file::YES -carol::cat /var/log/daemon.log::loading crl file::YES +moon::cat /var/log/daemon.log::loaded crl file::YES moon::cat /var/log/daemon.log::crl is stale::YES +moon::cat /var/log/daemon.log::fetching crl from.*ldap::YES +moon::cat /var/log/daemon.log::crl is valid::YES +moon::cat /var/log/daemon.log::certificate status is good::YES +carol::cat /var/log/daemon.log::loaded crl file::YES carol::cat /var/log/daemon.log::crl is stale::YES -moon::cat /var/log/daemon.log::sending ldap request::YES -carol::cat /var/log/daemon.log::sending ldap request::YES +carol::cat /var/log/daemon.log::fetching crl from.*ldap::YES +carol::cat /var/log/daemon.log::crl is valid::YES +carol::cat /var/log/daemon.log::certificate status is good::YES moon::ipsec status::rw.*ESTABLISHED::YES carol::ipsec status::home.*ESTABLISHED::YES -moon::cat /var/log/daemon.log::written crl file::YES -carol::cat /var/log/daemon.log::written crl file::YES -moon::ipsec listcrls:: ok::YES -carol::ipsec listcrls:: ok::YES diff --git a/testing/tests/ikev2/crl-ldap/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/crl-ldap/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..1949d3abc --- /dev/null +++ b/testing/tests/ikev2/crl-ldap/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = ldap aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/crl-ldap/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/crl-ldap/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..1949d3abc --- /dev/null +++ b/testing/tests/ikev2/crl-ldap/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = ldap aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/crl-revoked/evaltest.dat b/testing/tests/ikev2/crl-revoked/evaltest.dat index 3d6cf72bb..2242746db 100644 --- a/testing/tests/ikev2/crl-revoked/evaltest.dat +++ b/testing/tests/ikev2/crl-revoked/evaltest.dat @@ -1,6 +1,5 @@ moon::cat /var/log/daemon.log::certificate was revoked::YES -moon::cat /var/log/daemon.log::end entity certificate is not trusted::YES -carol::cat /var/log/daemon.log::AUTHENTICATION_FAILED::YES -moon::ipsec listcrls:: ok::YES +moon::cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*failed::YES +carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES moon::ipsec status::rw.*ESTABLISHED::NO carol::ipsec status::home.*ESTABLISHED::NO diff --git a/testing/tests/ikev2/crl-revoked/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/crl-revoked/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/crl-revoked/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/crl-revoked/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/crl-revoked/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/crl-revoked/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/crl-to-cache/evaltest.dat b/testing/tests/ikev2/crl-to-cache/evaltest.dat index 14edd946f..00489436e 100644 --- a/testing/tests/ikev2/crl-to-cache/evaltest.dat +++ b/testing/tests/ikev2/crl-to-cache/evaltest.dat @@ -1,4 +1,4 @@ moon::ipsec status::rw.*ESTABLISHED::YES carol::ipsec status::home.*ESTABLISHED::YES -moon::cat /var/log/daemon.log::written crl file.*/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl::YES -carol::cat /var/log/daemon.log::written crl file.*/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl::YES +moon::cat /var/log/daemon.log::written crl to.*/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl::YES +carol::cat /var/log/daemon.log::written crl to.*/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl::YES diff --git a/testing/tests/ikev2/crl-to-cache/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/crl-to-cache/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/crl-to-cache/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/default-keys/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/default-keys/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/default-keys/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/default-keys/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/default-keys/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/default-keys/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/default-keys/pretest.dat b/testing/tests/ikev2/default-keys/pretest.dat index fe68be4b5..88f9a2ca9 100644 --- a/testing/tests/ikev2/default-keys/pretest.dat +++ b/testing/tests/ikev2/default-keys/pretest.dat @@ -10,7 +10,7 @@ moon::rm /etc/ipsec.d/private/* moon::rm /etc/ipsec.d/certs/* moon::rm /etc/ipsec.d/cacerts/* moon::ipsec start -moon::sleep 3 +moon::sleep 5 moon::scp /etc/ipsec.d/certs/selfCert.der carol:/etc/ipsec.d/certs/peerCert.der moon::scp carol:/etc/ipsec.d/certs/selfCert.der /etc/ipsec.d/certs/peerCert.der moon::ipsec reload diff --git a/testing/tests/ikev2/double-nat-net/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/double-nat-net/hosts/alice/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/double-nat-net/hosts/alice/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/double-nat-net/hosts/bob/etc/strongswan.conf b/testing/tests/ikev2/double-nat-net/hosts/bob/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/double-nat-net/hosts/bob/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/double-nat/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/double-nat/hosts/alice/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/double-nat/hosts/alice/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/double-nat/hosts/bob/etc/strongswan.conf b/testing/tests/ikev2/double-nat/hosts/bob/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/double-nat/hosts/bob/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/dpd-clear/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/dpd-clear/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/dpd-clear/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/dpd-clear/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/dpd-clear/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/dpd-clear/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/dpd-hold/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/dpd-hold/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/dpd-hold/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/dpd-hold/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/dpd-hold/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/dpd-hold/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/dpd-restart/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/dpd-restart/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/dpd-restart/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/dpd-restart/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/dpd-restart/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/dpd-restart/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/esp-alg-aes-ccm/description.txt b/testing/tests/ikev2/esp-alg-aes-ccm/description.txt new file mode 100644 index 000000000..cb08a9312 --- /dev/null +++ b/testing/tests/ikev2/esp-alg-aes-ccm/description.txt @@ -0,0 +1,4 @@ +Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite +<b>AES_CCM_12-128</b> by defining <b>esp=aes128gcm12-modp2048</b> or alternatively +<b>esp=aes128gcm96-modp2048</b> in ipsec.conf. +A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel. diff --git a/testing/tests/ikev2/esp-alg-aesxcbc/evaltest.dat b/testing/tests/ikev2/esp-alg-aes-ccm/evaltest.dat index 19b0b4378..dc5032133 100644 --- a/testing/tests/ikev2/esp-alg-aesxcbc/evaltest.dat +++ b/testing/tests/ikev2/esp-alg-aes-ccm/evaltest.dat @@ -1,5 +1,5 @@ moon::ipsec statusall::rw.*INSTALLED::YES carol::ipsec statusall::home.*INSTALLED::YES -moon::ipsec statusall::AES_CBC-256/AES_XCBC_96::YES -carol::ipsec statusall::AES_CBC-256/AES_XCBC_96::YES +moon::ipsec statusall::AES_CCM_12-128::YES +carol::ipsec statusall::AES_CCM_12-128::YES carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES diff --git a/testing/tests/ikev2/esp-alg-aes-ccm/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-aes-ccm/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..85c825002 --- /dev/null +++ b/testing/tests/ikev2/esp-alg-aes-ccm/hosts/carol/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=yes + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + ike=aes128-aesxcbc-modp2048! + esp=aes128ccm96-modp2048! + +conn home + left=PH_IP_CAROL + leftfirewall=yes + leftcert=carolCert.pem + leftid=carol@strongswan.org + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ikev2/esp-alg-aes-ccm/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-aes-ccm/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/esp-alg-aes-ccm/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/esp-alg-aes-ccm/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-aes-ccm/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..8f8404516 --- /dev/null +++ b/testing/tests/ikev2/esp-alg-aes-ccm/hosts/moon/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=yes + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + ike=aes128-aesxcbc-modp2048! + esp=aes128ccm12-modp2048! + +conn rw + left=PH_IP_MOON + leftfirewall=yes + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + right=%any + auto=add diff --git a/testing/tests/ikev2/esp-alg-aes-ccm/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-aes-ccm/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/esp-alg-aes-ccm/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/esp-alg-aes-ccm/posttest.dat b/testing/tests/ikev2/esp-alg-aes-ccm/posttest.dat new file mode 100644 index 000000000..94a400606 --- /dev/null +++ b/testing/tests/ikev2/esp-alg-aes-ccm/posttest.dat @@ -0,0 +1,4 @@ +moon::ipsec stop +carol::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev2/esp-alg-aes-ccm/pretest.dat b/testing/tests/ikev2/esp-alg-aes-ccm/pretest.dat new file mode 100644 index 000000000..f360351e1 --- /dev/null +++ b/testing/tests/ikev2/esp-alg-aes-ccm/pretest.dat @@ -0,0 +1,6 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +carol::ipsec start +carol::sleep 1 +carol::ipsec up home diff --git a/testing/tests/ikev2/esp-alg-aes-ccm/test.conf b/testing/tests/ikev2/esp-alg-aes-ccm/test.conf new file mode 100644 index 000000000..2b240d895 --- /dev/null +++ b/testing/tests/ikev2/esp-alg-aes-ccm/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev2/esp-alg-aes-gcm/description.txt b/testing/tests/ikev2/esp-alg-aes-gcm/description.txt new file mode 100644 index 000000000..721f3c64b --- /dev/null +++ b/testing/tests/ikev2/esp-alg-aes-gcm/description.txt @@ -0,0 +1,4 @@ +Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite +<b>AES_GCM_16-256</b> by defining <b>esp=aes256gcm16-modp2048</b> or alternatively +<b>esp=aes256gcm128-modp2048</b> in ipsec.conf. +A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel. diff --git a/testing/tests/ikev2/esp-alg-aes-gcm/evaltest.dat b/testing/tests/ikev2/esp-alg-aes-gcm/evaltest.dat new file mode 100644 index 000000000..8f007b900 --- /dev/null +++ b/testing/tests/ikev2/esp-alg-aes-gcm/evaltest.dat @@ -0,0 +1,5 @@ +moon::ipsec statusall::rw.*INSTALLED::YES +carol::ipsec statusall::home.*INSTALLED::YES +moon::ipsec statusall::AES_GCM_16-256::YES +carol::ipsec statusall::AES_GCM_16-256::YES +carol::ping -c 1 -s 120 -p deadbeef 10.1.0.10::128 bytes from 10.1.0.10: icmp_seq=1::YES diff --git a/testing/tests/ikev2/esp-alg-aes-gcm/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-aes-gcm/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..df2b7437d --- /dev/null +++ b/testing/tests/ikev2/esp-alg-aes-gcm/hosts/carol/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=yes + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + ike=aes256-aesxcbc-modp2048! + esp=aes256gcm128-modp2048! + +conn home + left=PH_IP_CAROL + leftfirewall=yes + leftcert=carolCert.pem + leftid=carol@strongswan.org + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ikev2/esp-alg-aes-gcm/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-aes-gcm/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/esp-alg-aes-gcm/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/esp-alg-aes-gcm/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-aes-gcm/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..661681105 --- /dev/null +++ b/testing/tests/ikev2/esp-alg-aes-gcm/hosts/moon/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=yes + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + ike=aes256-aesxcbc-modp2048! + esp=aes256gcm16-modp2048! + +conn rw + left=PH_IP_MOON + leftfirewall=yes + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + right=%any + auto=add diff --git a/testing/tests/ikev2/esp-alg-aes-gcm/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-aes-gcm/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/esp-alg-aes-gcm/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/esp-alg-aes-gcm/posttest.dat b/testing/tests/ikev2/esp-alg-aes-gcm/posttest.dat new file mode 100644 index 000000000..94a400606 --- /dev/null +++ b/testing/tests/ikev2/esp-alg-aes-gcm/posttest.dat @@ -0,0 +1,4 @@ +moon::ipsec stop +carol::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev2/esp-alg-aes-gcm/pretest.dat b/testing/tests/ikev2/esp-alg-aes-gcm/pretest.dat new file mode 100644 index 000000000..f360351e1 --- /dev/null +++ b/testing/tests/ikev2/esp-alg-aes-gcm/pretest.dat @@ -0,0 +1,6 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +carol::ipsec start +carol::sleep 1 +carol::ipsec up home diff --git a/testing/tests/ikev2/esp-alg-aes-gcm/test.conf b/testing/tests/ikev2/esp-alg-aes-gcm/test.conf new file mode 100644 index 000000000..2b240d895 --- /dev/null +++ b/testing/tests/ikev2/esp-alg-aes-gcm/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev2/force-udp-encaps/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/force-udp-encaps/hosts/alice/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/force-udp-encaps/hosts/alice/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/host2host-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/host2host-cert/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/host2host-cert/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/host2host-cert/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/host2host-cert/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/host2host-cert/hosts/sun/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/host2host-swapped/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/host2host-swapped/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/host2host-swapped/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/host2host-swapped/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/host2host-swapped/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/host2host-swapped/hosts/sun/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/host2host-transport/evaltest.dat b/testing/tests/ikev2/host2host-transport/evaltest.dat index 2dd58c9d7..b3cade48c 100644 --- a/testing/tests/ikev2/host2host-transport/evaltest.dat +++ b/testing/tests/ikev2/host2host-transport/evaltest.dat @@ -1,4 +1,4 @@ -moon::cat /var/log/daemon.log::received USE_TRANSPORT_MODE notify::YES +moon::cat /var/log/daemon.log::parsed IKE_AUTH response.*N(USE_TRANSP)::YES moon::ipsec status::host-host.*INSTALLED.*TRANSPORT::YES sun::ipsec status::host-host.*INSTALLED.*TRANSPORT::YES moon::ip xfrm state::mode transport::YES diff --git a/testing/tests/ikev2/host2host-transport/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/host2host-transport/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/host2host-transport/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/host2host-transport/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/host2host-transport/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/host2host-transport/hosts/sun/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/ip-pool-db/description.txt b/testing/tests/ikev2/ip-pool-db/description.txt new file mode 100644 index 000000000..5cc500c98 --- /dev/null +++ b/testing/tests/ikev2/ip-pool-db/description.txt @@ -0,0 +1,10 @@ +The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>. +Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKEv2 configuration payload +by using the <b>leftsourceip=%config</b> parameter. The gateway <b>moon</b> assigns virtual IP +addresses from a pool named <b>bigpool</b> that was created in an SQL database by the command +<b>ipsec pool --name bigpool --start 10.3.0.1 --end 10.3.255.254 --timeout 0</b>. +<p> +<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass the +tunneled traffic. In order to test the tunnels, <b>carol</b> and <b>dave</b> then ping the client +<b>alice</b> behind the gateway <b>moon</b>. The source IP addresses of the two pings will be the +virtual IPs <b>carol1</b> and <b>dave1</b>, respectively. diff --git a/testing/tests/ikev2/ip-pool-db/evaltest.dat b/testing/tests/ikev2/ip-pool-db/evaltest.dat new file mode 100644 index 000000000..07d17b338 --- /dev/null +++ b/testing/tests/ikev2/ip-pool-db/evaltest.dat @@ -0,0 +1,26 @@ +carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES +carol::ip addr list dev eth0::PH_IP_CAROL1::YES +carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES +carol::ipsec status::home.*INSTALLED::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +dave::cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES +dave::ip addr list dev eth0::PH_IP_DAVE1::YES +dave::ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES +dave::ipsec status::home.*INSTALLED::YES +dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon::cat /var/log/daemon.log::peer requested virtual IP %any::YES +moon::cat /var/log/daemon.log::assigning lease with new address from pool.*bigpool::YES +moon::cat /var/log/daemon.log::assigning virtual IP::YES +moon::ipsec pool --status::bigpool.*10.3.0.1.*10.3.255.254.*static.*2::YES +moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.1,id=carol@strongswan.org::online::YES +moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.2,id=dave@strongswan.org::online::YES +moon::ipsec status::rw.*ESTABLISHED.*carol@strongswan.org::YES +moon::ipsec status::rw.*ESTABLISHED.*dave@strongswan.org::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES +alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES +alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES +alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES +alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES diff --git a/testing/tests/ikev2/ip-pool-db/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ip-pool-db/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..a19f6cfae --- /dev/null +++ b/testing/tests/ikev2/ip-pool-db/hosts/carol/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_CAROL + leftsourceip=%config + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ikev2/ip-pool-db/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-pool-db/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/ip-pool-db/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/ip-pool-db/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/ip-pool-db/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..1a89f4e5d --- /dev/null +++ b/testing/tests/ikev2/ip-pool-db/hosts/dave/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_DAVE + leftsourceip=%config + leftcert=daveCert.pem + leftid=dave@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ikev2/ip-pool-db/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ip-pool-db/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/ip-pool-db/hosts/dave/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..b3413830f --- /dev/null +++ b/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn rw + left=PH_IP_MOON + leftsubnet=10.1.0.0/16 + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftfirewall=yes + right=%any + rightsourceip=%bigpool + auto=add diff --git a/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..5a35561ba --- /dev/null +++ b/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/strongswan.conf @@ -0,0 +1,10 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + plugins { + sql { + database = sqlite:///etc/ipsec.d/ipsec.db + } + } + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke sqlite sql +} diff --git a/testing/tests/ikev2/ip-pool-db/posttest.dat b/testing/tests/ikev2/ip-pool-db/posttest.dat new file mode 100644 index 000000000..5d26cbbbc --- /dev/null +++ b/testing/tests/ikev2/ip-pool-db/posttest.dat @@ -0,0 +1,8 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +dave::/etc/init.d/iptables stop 2> /dev/null +moon::ipsec pool --del bigpool +moon::rm /etc/ipsec.d/ipsec.* diff --git a/testing/tests/ikev2/ip-pool-db/pretest.dat b/testing/tests/ikev2/ip-pool-db/pretest.dat new file mode 100644 index 000000000..78ba3f581 --- /dev/null +++ b/testing/tests/ikev2/ip-pool-db/pretest.dat @@ -0,0 +1,13 @@ +moon::cat /etc/ipsec.d/tables.sql > /etc/ipsec.d/ipsec.sql +moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db +moon::ipsec pool --add bigpool --start 10.3.0.1 --end 10.3.255.254 --timeout 0 +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +dave::/etc/init.d/iptables start 2> /dev/null +carol::ipsec start +dave::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home +dave::ipsec up home +carol::sleep 1 diff --git a/testing/tests/ikev2/ip-pool-db/test.conf b/testing/tests/ikev2/ip-pool-db/test.conf new file mode 100644 index 000000000..1a8f2a4e0 --- /dev/null +++ b/testing/tests/ikev2/ip-pool-db/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon alice" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev2/ip-pool-wish/description.txt b/testing/tests/ikev2/ip-pool-wish/description.txt new file mode 100644 index 000000000..a5487169a --- /dev/null +++ b/testing/tests/ikev2/ip-pool-wish/description.txt @@ -0,0 +1,11 @@ +The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>. +Both <b>carol</b> and <b>dave</b> request the same <b>virtual IP</b> via the IKEv2 +configuration payload by using the <b>leftsourceip=PH_IP_DAVE1</b> parameter. On a first-come, +first-served basis, <b>dave</b> gets <b>PH_IP_DAVE1</b> from the simple address pool managed +by gateway <b>moon</b> and <b>carol</b> gets the first free address <b>PH_IP_CAROL1</b> +from the pool. +<p> +<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass +the tunneled traffic. In order to test the tunnels, <b>carol</b> and <b>dave</b> then ping +the client <b>alice</b> behind the gateway <b>moon</b>. The source IP addresses of the two +pings will be the virtual IPs <b>carol1</b> and <b>dave1</b>, respectively. diff --git a/testing/tests/ikev2/ip-pool-wish/evaltest.dat b/testing/tests/ikev2/ip-pool-wish/evaltest.dat new file mode 100644 index 000000000..19e6783af --- /dev/null +++ b/testing/tests/ikev2/ip-pool-wish/evaltest.dat @@ -0,0 +1,23 @@ +carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES +carol::ip addr list dev eth0::PH_IP_CAROL1::YES +carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES +carol::ipsec status::home.*INSTALLED::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +dave::cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES +dave::ip addr list dev eth0::PH_IP_DAVE1::YES +dave::ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES +dave::ipsec status::home.*INSTALLED::YES +dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon::cat /var/log/daemon.log::adding virtual IP address pool::YES +moon::cat /var/log/daemon.log::peer requested virtual IP PH_IP_DAVE1::YES +moon::cat /var/log/daemon.log::assigning virtual IP::YES +moon::ipsec status::rw.*ESTABLISHED.*carol@strongswan.org::YES +moon::ipsec status::rw.*ESTABLISHED.*dave@strongswan.org::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES +alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES +alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES +alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES +alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES diff --git a/testing/tests/ikev2/ip-pool-wish/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ip-pool-wish/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..5f93b3987 --- /dev/null +++ b/testing/tests/ikev2/ip-pool-wish/hosts/carol/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_CAROL + leftsourceip=PH_IP_DAVE1 + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ikev2/ip-pool-wish/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-pool-wish/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/ip-pool-wish/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/ip-pool-wish/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/ip-pool-wish/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..b58ba5460 --- /dev/null +++ b/testing/tests/ikev2/ip-pool-wish/hosts/dave/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_DAVE + leftsourceip=PH_IP_DAVE1 + leftcert=daveCert.pem + leftid=dave@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ikev2/ip-pool-wish/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ip-pool-wish/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/ip-pool-wish/hosts/dave/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/ip-pool-wish/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ip-pool-wish/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..0b4cded6c --- /dev/null +++ b/testing/tests/ikev2/ip-pool-wish/hosts/moon/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn rw + left=PH_IP_MOON + leftsubnet=10.1.0.0/16 + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftfirewall=yes + right=%any + rightsourceip=10.3.0.0/28 + auto=add diff --git a/testing/tests/ikev2/ip-pool-wish/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-pool-wish/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/ip-pool-wish/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/ip-pool-wish/posttest.dat b/testing/tests/ikev2/ip-pool-wish/posttest.dat new file mode 100644 index 000000000..7cebd7f25 --- /dev/null +++ b/testing/tests/ikev2/ip-pool-wish/posttest.dat @@ -0,0 +1,6 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +dave::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev2/ip-pool-wish/pretest.dat b/testing/tests/ikev2/ip-pool-wish/pretest.dat new file mode 100644 index 000000000..519c81a31 --- /dev/null +++ b/testing/tests/ikev2/ip-pool-wish/pretest.dat @@ -0,0 +1,10 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +dave::/etc/init.d/iptables start 2> /dev/null +dave::ipsec start +carol::ipsec start +moon::ipsec start +dave::sleep 2 +dave::ipsec up home +carol::ipsec up home +dave::sleep 1 diff --git a/testing/tests/ikev2/ip-pool-wish/test.conf b/testing/tests/ikev2/ip-pool-wish/test.conf new file mode 100644 index 000000000..1a8f2a4e0 --- /dev/null +++ b/testing/tests/ikev2/ip-pool-wish/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon alice" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev2/ip-pool/description.txt b/testing/tests/ikev2/ip-pool/description.txt new file mode 100644 index 000000000..fc3f8c63a --- /dev/null +++ b/testing/tests/ikev2/ip-pool/description.txt @@ -0,0 +1,10 @@ +The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>. +Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKEv2 configuration payload +by using the <b>leftsourceip=%config</b> parameter. The gateway <b>moon</b> assigns virtual +IP addresses from a simple pool defined by <b>rightsourceip=10.3.0.0/28</b> in a monotonously +increasing order. +<p> +<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass +the tunneled traffic. In order to test the tunnels, <b>carol</b> and <b>dave</b> then ping +the client <b>alice</b> behind the gateway <b>moon</b>. The source IP addresses of the two +pings will be the virtual IPs <b>carol1</b> and <b>dave1</b>, respectively. diff --git a/testing/tests/ikev2/ip-pool/evaltest.dat b/testing/tests/ikev2/ip-pool/evaltest.dat new file mode 100644 index 000000000..15ca7426f --- /dev/null +++ b/testing/tests/ikev2/ip-pool/evaltest.dat @@ -0,0 +1,23 @@ +carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES +carol::ip addr list dev eth0::PH_IP_CAROL1::YES +carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES +carol::ipsec status::home.*INSTALLED::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +dave::cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES +dave::ip addr list dev eth0::PH_IP_DAVE1::YES +dave::ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES +dave::ipsec status::home.*INSTALLED::YES +dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon::cat /var/log/daemon.log::adding virtual IP address pool::YES +moon::cat /var/log/daemon.log::peer requested virtual IP %any::YES +moon::cat /var/log/daemon.log::assigning virtual IP::YES +moon::ipsec status::rw.*ESTABLISHED.*carol@strongswan.org::YES +moon::ipsec status::rw.*ESTABLISHED.*dave@strongswan.org::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES +alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES +alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES +alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES +alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES diff --git a/testing/tests/ikev2/ip-pool/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ip-pool/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..a19f6cfae --- /dev/null +++ b/testing/tests/ikev2/ip-pool/hosts/carol/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_CAROL + leftsourceip=%config + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ikev2/ip-pool/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-pool/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/ip-pool/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/ip-pool/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/ip-pool/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..1a89f4e5d --- /dev/null +++ b/testing/tests/ikev2/ip-pool/hosts/dave/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_DAVE + leftsourceip=%config + leftcert=daveCert.pem + leftid=dave@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ikev2/ip-pool/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ip-pool/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/ip-pool/hosts/dave/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/ip-pool/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ip-pool/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..0b4cded6c --- /dev/null +++ b/testing/tests/ikev2/ip-pool/hosts/moon/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn rw + left=PH_IP_MOON + leftsubnet=10.1.0.0/16 + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftfirewall=yes + right=%any + rightsourceip=10.3.0.0/28 + auto=add diff --git a/testing/tests/ikev2/ip-pool/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-pool/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/ip-pool/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/ip-pool/posttest.dat b/testing/tests/ikev2/ip-pool/posttest.dat new file mode 100644 index 000000000..7cebd7f25 --- /dev/null +++ b/testing/tests/ikev2/ip-pool/posttest.dat @@ -0,0 +1,6 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +dave::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev2/ip-pool/pretest.dat b/testing/tests/ikev2/ip-pool/pretest.dat new file mode 100644 index 000000000..014e80517 --- /dev/null +++ b/testing/tests/ikev2/ip-pool/pretest.dat @@ -0,0 +1,10 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +dave::/etc/init.d/iptables start 2> /dev/null +carol::ipsec start +dave::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home +dave::ipsec up home +carol::sleep 1 diff --git a/testing/tests/ikev2/ip-pool/test.conf b/testing/tests/ikev2/ip-pool/test.conf new file mode 100644 index 000000000..1a8f2a4e0 --- /dev/null +++ b/testing/tests/ikev2/ip-pool/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon alice" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev2/mobike-nat/evaltest.dat b/testing/tests/ikev2/mobike-nat/evaltest.dat index 541b218d0..f2758eb35 100644 --- a/testing/tests/ikev2/mobike-nat/evaltest.dat +++ b/testing/tests/ikev2/mobike-nat/evaltest.dat @@ -10,7 +10,9 @@ sun::ipsec statusall::ESTABLISHED.*PH_IP_SUN.*PH_IP_MOON::YES alice::ipsec statusall::10.3.0.3/32 === 10.2.0.0/16::YES sun::ipsec statusall::10.2.0.0/16 === 10.3.0.3/32::YES alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES -moon::tcpdump::moon.strongswan.org.*sun.strongswan.org.*: UDP-encap: ESP::YES -moon::tcpdump::sun.strongswan.org.*moon.strongswan.org.*: UDP-encap: ESP::YES +sun::tcpdump::alice1.strongswan.org.*sun.strongswan.org: ESP.*seq=0x1::YES +sun::tcpdump::sun.strongswan.org.*alice1.strongswan.org: ESP.*seq=0x1::YES +moon::tcpdump::moon.strongswan.org.*sun.strongswan.org.*: UDP-encap: ESP.*seq=0x2::YES +moon::tcpdump::sun.strongswan.org.*moon.strongswan.org.*: UDP-encap: ESP.*seq=0x2::YES bob::tcpdump::10.3.0.3.*bob.strongswan.org.*ICMP echo request::YES bob::tcpdump::bob.strongswan.org.*10.3.0.3.*ICMP echo reply::YES diff --git a/testing/tests/ikev2/mobike-nat/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/mobike-nat/hosts/alice/etc/ipsec.conf index e9abfdac8..5c93d1462 100755 --- a/testing/tests/ikev2/mobike-nat/hosts/alice/etc/ipsec.conf +++ b/testing/tests/ikev2/mobike-nat/hosts/alice/etc/ipsec.conf @@ -14,7 +14,7 @@ conn %default conn mobike left=PH_IP_ALICE1 - leftsourceip=10.3.0.3 + leftsourceip=%config leftcert=aliceCert.pem leftid=alice@strongswan.org leftfirewall=yes diff --git a/testing/tests/ikev2/mobike-nat/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/mobike-nat/hosts/alice/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/mobike-nat/hosts/alice/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/mobike-nat/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/mobike-nat/hosts/sun/etc/ipsec.conf index 6944749be..d6121511e 100755 --- a/testing/tests/ikev2/mobike-nat/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ikev2/mobike-nat/hosts/sun/etc/ipsec.conf @@ -19,6 +19,6 @@ conn mobike leftfirewall=yes leftsubnet=10.2.0.0/16 right=%any - rightsourceip=%config + rightsourceip=10.3.0.3 rightid=alice@strongswan.org auto=add diff --git a/testing/tests/ikev2/mobike-nat/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/mobike-nat/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/mobike-nat/hosts/sun/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/mobike-nat/test.conf b/testing/tests/ikev2/mobike-nat/test.conf index 6467631e5..24a0cf3a4 100644 --- a/testing/tests/ikev2/mobike-nat/test.conf +++ b/testing/tests/ikev2/mobike-nat/test.conf @@ -13,7 +13,7 @@ DIAGRAM="a-m-w-s-b.png" # UML instances on which tcpdump is to be started # -TCPDUMPHOSTS="bob moon" +TCPDUMPHOSTS="bob moon sun" # UML instances on which IPsec is started # Used for IPsec logging purposes diff --git a/testing/tests/ikev2/mobike-virtual-ip/evaltest.dat b/testing/tests/ikev2/mobike-virtual-ip/evaltest.dat index 5be507d2e..94dea0b14 100644 --- a/testing/tests/ikev2/mobike-virtual-ip/evaltest.dat +++ b/testing/tests/ikev2/mobike-virtual-ip/evaltest.dat @@ -10,7 +10,9 @@ sun::ipsec statusall::ESTABLISHED.*PH_IP_SUN.*PH_IP_ALICE::YES alice::ipsec statusall::10.3.0.3/32 === 10.2.0.0/16::YES sun::ipsec statusall::10.2.0.0/16 === 10.3.0.3/32::YES alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES -moon::tcpdump::alice.strongswan.org.*sun.strongswan.org.*: ESP::YES -moon::tcpdump::sun.strongswan.org.*alice.strongswan.org.*: ESP::YES +sun::tcpdump::alice1.strongswan.org.*sun.strongswan.org: ESP.*seq=0x1::YES +sun::tcpdump::sun.strongswan.org.*alice1.strongswan.org: ESP.*seq=0x1::YES +moon::tcpdump::alice.strongswan.org.*sun.strongswan.org.*: ESP.*seq=0x2::YES +moon::tcpdump::sun.strongswan.org.*alice.strongswan.org.*: ESP.*seq=0x2::YES bob::tcpdump::10.3.0.3.*bob.strongswan.org.*ICMP echo request::YES bob::tcpdump::bob.strongswan.org.*10.3.0.3.*ICMP echo reply::YES diff --git a/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/ipsec.conf index e9abfdac8..5c93d1462 100755 --- a/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/ipsec.conf +++ b/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/ipsec.conf @@ -14,7 +14,7 @@ conn %default conn mobike left=PH_IP_ALICE1 - leftsourceip=10.3.0.3 + leftsourceip=%config leftcert=aliceCert.pem leftid=alice@strongswan.org leftfirewall=yes diff --git a/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/ipsec.conf index 64a659f4f..18a67cde0 100755 --- a/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/ipsec.conf +++ b/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/ipsec.conf @@ -19,6 +19,6 @@ conn mobike leftfirewall=yes leftsubnet=10.2.0.0/16 right=PH_IP_ALICE1 - rightsourceip=%config + rightsourceip=10.3.0.3 rightid=alice@strongswan.org auto=add diff --git a/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/mobike-virtual-ip/test.conf b/testing/tests/ikev2/mobike-virtual-ip/test.conf index 6467631e5..24a0cf3a4 100644 --- a/testing/tests/ikev2/mobike-virtual-ip/test.conf +++ b/testing/tests/ikev2/mobike-virtual-ip/test.conf @@ -13,7 +13,7 @@ DIAGRAM="a-m-w-s-b.png" # UML instances on which tcpdump is to be started # -TCPDUMPHOSTS="bob moon" +TCPDUMPHOSTS="bob moon sun" # UML instances on which IPsec is started # Used for IPsec logging purposes diff --git a/testing/tests/ikev2/mobike/evaltest.dat b/testing/tests/ikev2/mobike/evaltest.dat index 10bb37e42..6c49c0425 100644 --- a/testing/tests/ikev2/mobike/evaltest.dat +++ b/testing/tests/ikev2/mobike/evaltest.dat @@ -10,8 +10,10 @@ sun::ipsec statusall::ESTABLISHED.*PH_IP_SUN.*PH_IP_ALICE::YES alice::ipsec statusall::PH_IP_ALICE/32 === 10.2.0.0/16::YES sun::ipsec statusall::10.2.0.0/16 === PH_IP_ALICE/32::YES alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES -moon::tcpdump::alice.strongswan.org.*sun.strongswan.org.*: ESP::YES -moon::tcpdump::sun.strongswan.org.*alice.strongswan.org.*: ESP::YES +sun::tcpdump::alice1.strongswan.org.*sun.strongswan.org: ESP.*seq=0x1::YES +sun::tcpdump::sun.strongswan.org.*alice1.strongswan.org: ESP.*seq=0x1::YES +moon::tcpdump::alice.strongswan.org.*sun.strongswan.org: ESP.*seq=0x2::YES +moon::tcpdump::sun.strongswan.org.*alice.strongswan.org: ESP.*seq=0x2::YES bob::tcpdump::alice1.strongswan.org.*bob.strongswan.org.*ICMP echo request::YES bob::tcpdump::bob.strongswan.org.*alice1.strongswan.org.*ICMP echo reply::YES bob::tcpdump::alice.strongswan.org.*bob.strongswan.org.*ICMP echo request::YES diff --git a/testing/tests/ikev2/mobike/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/mobike/hosts/alice/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/mobike/hosts/alice/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/mobike/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/mobike/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/mobike/hosts/sun/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/mobike/test.conf b/testing/tests/ikev2/mobike/test.conf index 6467631e5..24a0cf3a4 100644 --- a/testing/tests/ikev2/mobike/test.conf +++ b/testing/tests/ikev2/mobike/test.conf @@ -13,7 +13,7 @@ DIAGRAM="a-m-w-s-b.png" # UML instances on which tcpdump is to be started # -TCPDUMPHOSTS="bob moon" +TCPDUMPHOSTS="bob moon sun" # UML instances on which IPsec is started # Used for IPsec logging purposes diff --git a/testing/tests/ikev2/multi-level-ca-ldap/evaltest.dat b/testing/tests/ikev2/multi-level-ca-ldap/evaltest.dat index 00cafc130..ca0bdba44 100644 --- a/testing/tests/ikev2/multi-level-ca-ldap/evaltest.dat +++ b/testing/tests/ikev2/multi-level-ca-ldap/evaltest.dat @@ -1,11 +1,20 @@ -moon::cat /var/log/daemon.log::sending ldap request to::YES -moon::cat /var/log/daemon.log::received valid ldap response::YES +moon::cat /var/log/daemon.log::fetching crl from.*ldap.*Research CA::YES +moon::cat /var/log/daemon.log::crl correctly signed by.*Research CA::YES +moon::cat /var/log/daemon.log::fetching crl from.*ldap.*Sales CA::YES +moon::cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES +moon::cat /var/log/daemon.log::fetching crl from.*ldap.*strongSwan Root CA::YES +moon::cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES carol::ipsec status::alice.*INSTALLED::YES moon::ipsec status::alice.*ESTABLISHED.*carol@strongswan.org::YES +carol::cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES carol::ipsec status::venus.*INSTALLED::NO +moon::cat /var/log/daemon.log::constraint check failed: peer not authenticated by.*Sales CA::YES +moon::cat /var/log/daemon.log::traffic selectors PH_IP_VENUS/32 === PH_IP_CAROL/32.*inacceptable::YES moon::ipsec status::venus.*ESTABLISHED.*carol@strongswan.org::NO dave::ipsec status::venus.*INSTALLED::YES moon::ipsec status::venus.*ESTABLISHED.*dave@strongswan.org::YES +dave::cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES dave::ipsec status::alice.*INSTALLED::NO +moon::cat /var/log/daemon.log::constraint check failed: peer not authenticated by.*Research CA::YES +moon::cat /var/log/daemon.log::traffic selectors PH_IP_ALICE/32 === PH_IP_DAVE/32.*inacceptable::YES moon::ipsec status::alice.*ESTABLISHED.*dave@strongswan.org::NO - diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..1949d3abc --- /dev/null +++ b/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = ldap aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..1949d3abc --- /dev/null +++ b/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = ldap aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..1949d3abc --- /dev/null +++ b/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = ldap aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/multi-level-ca-revoked/evaltest.dat b/testing/tests/ikev2/multi-level-ca-revoked/evaltest.dat index 1e52d2273..3ac0adbb5 100644 --- a/testing/tests/ikev2/multi-level-ca-revoked/evaltest.dat +++ b/testing/tests/ikev2/multi-level-ca-revoked/evaltest.dat @@ -1,6 +1,4 @@ -moon::ipsec listcacerts --utc::status revoked on::YES moon::cat /var/log/daemon.log::certificate was revoked::YES -moon::cat /var/log/daemon.log::received end entity certificate is not trusted::YES moon::cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*failed::YES carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES moon::ipsec status::alice.*ESTABLISHED::NO diff --git a/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf index 9b331f0a9..ef1beae7e 100755 --- a/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf @@ -5,6 +5,11 @@ config setup strictcrlpolicy=yes plutostart=no +ca strongswan + cacert=strongswanCert.pem + crluri=http://crl.strongswan.org/strongswan.crl + auto=add + conn %default ikelifetime=60m keylife=20m diff --git a/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/multi-level-ca/evaltest.dat b/testing/tests/ikev2/multi-level-ca/evaltest.dat index 6cb0bd8ae..e4eafe966 100644 --- a/testing/tests/ikev2/multi-level-ca/evaltest.dat +++ b/testing/tests/ikev2/multi-level-ca/evaltest.dat @@ -1,12 +1,20 @@ +moon::cat /var/log/daemon.log::fetching crl from.*http.*research.crl::YES +moon::cat /var/log/daemon.log::crl correctly signed by.*Research CA::YES +moon::cat /var/log/daemon.log::fetching crl from.*http.*sales.crl::YES +moon::cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES +moon::cat /var/log/daemon.log::fetching crl from.*http.*strongswan.crl::YES +moon::cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES carol::ipsec status::alice.*INSTALLED::YES moon::ipsec status::alice.*ESTABLISHED.*carol@strongswan.org::YES carol::cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES carol::ipsec status::venus.*INSTALLED::NO +moon::cat /var/log/daemon.log::constraint check failed: peer not authenticated by.*Sales CA::YES moon::cat /var/log/daemon.log::traffic selectors PH_IP_VENUS/32 === PH_IP_CAROL/32.*inacceptable::YES moon::ipsec status::venus.*ESTABLISHED.*carol@strongswan.org::NO dave::ipsec status::venus.*INSTALLED::YES moon::ipsec status::venus.*ESTABLISHED.*dave@strongswan.org::YES dave::cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES dave::ipsec status::alice.*INSTALLED::NO +moon::cat /var/log/daemon.log::constraint check failed: peer not authenticated by.*Research CA::YES moon::cat /var/log/daemon.log::traffic selectors PH_IP_ALICE/32 === PH_IP_DAVE/32.*inacceptable::YES moon::ipsec status::alice.*ESTABLISHED.*dave@strongswan.org::NO diff --git a/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/ipsec.conf index e1ee6e8d6..d0240a333 100755 --- a/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/ipsec.conf @@ -1,7 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - charondebug="cfg 2" crlcheckinterval=180 strictcrlpolicy=no plutostart=no diff --git a/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/nat-double-snat/description.txt b/testing/tests/ikev2/nat-double-snat/description.txt deleted file mode 100644 index e0708898b..000000000 --- a/testing/tests/ikev2/nat-double-snat/description.txt +++ /dev/null @@ -1,6 +0,0 @@ -The roadwarrior <b>alice</b> sets up a connection to host <b>bob</b> using IKEv2. The hosts -sit behind NAT router <b>moon</b> (SNAT) and <b>sun</b> (SNAT) respectively. -UDP encapsulation is used to traverse the NAT router. -The authentication is based on locally loaded <b>X.509 certificates</b>. -In order to test the tunnel the NAT-ed host <b>alice</b> pings the host -<b>bob</b>. diff --git a/testing/tests/ikev2/nat-double-snat/evaltest.dat b/testing/tests/ikev2/nat-double-snat/evaltest.dat deleted file mode 100644 index 7a3dede42..000000000 --- a/testing/tests/ikev2/nat-double-snat/evaltest.dat +++ /dev/null @@ -1,5 +0,0 @@ -bob::ipsec statusall::rw-alice.*ESTABLISHED::YES -alice::ipsec statusall::home.*ESTABLISHED::YES -alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES -moon::tcpdumpcount::IP moon.strongswan.org.* > bob.strongswan.org.ipsec-nat-t: UDP::2 -moon::tcpdumpcount::IP bob.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP::2 diff --git a/testing/tests/ikev2/nat-double-snat/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/nat-double-snat/hosts/alice/etc/ipsec.conf deleted file mode 100644 index 30a067bc9..000000000 --- a/testing/tests/ikev2/nat-double-snat/hosts/alice/etc/ipsec.conf +++ /dev/null @@ -1,16 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -version 2.0 # conforms to second version of ipsec.conf specification - -config setup - plutostart=no - -conn home - left=PH_IP_ALICE - leftcert=aliceCert.pem - leftid=alice@strongswan.org - right=PH_IP_BOB - rightcert=bobCert.pem - rightid=bob@strongswan.org - keyexchange=ikev2 - auto=add diff --git a/testing/tests/ikev2/nat-double-snat/hosts/alice/etc/ipsec.d/certs/bobCert.pem b/testing/tests/ikev2/nat-double-snat/hosts/alice/etc/ipsec.d/certs/bobCert.pem deleted file mode 100644 index 199d3eee2..000000000 --- a/testing/tests/ikev2/nat-double-snat/hosts/alice/etc/ipsec.d/certs/bobCert.pem +++ /dev/null @@ -1,25 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEHjCCAwagAwIBAgIBBjANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ -MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS -b290IENBMB4XDTA0MDkxMDExMjUzNFoXDTA5MDkwOTExMjUzNFowWDELMAkGA1UE -BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh -cmNoMRswGQYDVQQDFBJib2JAc3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3DQEB -AQUAA4IBDwAwggEKAoIBAQDAJaejS3/lJfQHgw0nzvotgSQS8ey/6tvbx7s5RsWY -27x9K5xd44aPrvP2Qpyq34IXRY6uPlIqeUTQN7EKpLrWCxMOT36x5N0Co9J5UWRB -fJC141D+8+1RwJ9/baEIecpCvb0GfDOX0GXN5ltcJk82hZjE4y1yHC1FN7V3zdRg -xmloupPuon+X3bTmyMQ93NKkg48CQGtqtfwQ0MqPiOWu8MBhdztfOyu6aW3EgviF -ithLc02SeNzlpqB3M8GDfX+mr3OVDhhhC2OI+VRlZzz7KxJ13DUR2KkvLZR8Ak4E -5lRjkUnTYd/f3OQYxfjC8idUmj5ojR6Fb0x1tsV/glzXAgMBAAGjggEEMIIBADAJ -BgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQUaLN5EPOkOkVU3J1Ud0sl -+27OOHswbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJ -BgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJz -dHJvbmdTd2FuIFJvb3QgQ0GCAQAwHQYDVR0RBBYwFIESYm9iQHN0cm9uZ3N3YW4u -b3JnMDkGA1UdHwQyMDAwLqAsoCqGKGh0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcv -c3Ryb25nc3dhbi5jcmwwDQYJKoZIhvcNAQEEBQADggEBAIyQLLxdeO8clplzRW9z -TRR3J0zSedvi2XlIZ/XCsv0ZVfoBLLWcDp3QrxNiVZXvXXtzjPsDs+DAveZF9LGq -0tIw1uT3JorbgNNrmWvxBvJoQTtSw4LQBuV7vF27jrposx3Hi5qtUXUDS6wVnDUI -5iORqsrddnoDuMN+Jt7oRcvKfYSNwTV+m0ZAHdB5a/ARWO5UILOrxEA/N72NcDYN -NdAd+bLaB38SbkSbh1xj/AGnrHxdJBF4h4mx4btc9gtBSh+dwBHOsn4TheqJ6bbw -7FlXBowQDCJIswKNhWfnIepQlM1KEzmq5YX43uZO2b7amRaIKqy2vNE7+UNFYBpE -Mto= ------END CERTIFICATE----- diff --git a/testing/tests/ikev2/nat-double-snat/hosts/bob/etc/ipsec.conf b/testing/tests/ikev2/nat-double-snat/hosts/bob/etc/ipsec.conf deleted file mode 100644 index eaec3d642..000000000 --- a/testing/tests/ikev2/nat-double-snat/hosts/bob/etc/ipsec.conf +++ /dev/null @@ -1,20 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -version 2.0 # conforms to second version of ipsec.conf specification - -config setup - plutostart=no - -conn %default - left=PH_IP_BOB - leftcert=bobCert.pem - leftid=bob@strongswan.org - leftsubnet=10.2.0.10/32 - keyexchange=ikev2 - -conn rw-alice - right=%any - rightcert=aliceCert.pem - rightid=alice@strongswan.org - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/ikev2/nat-double-snat/hosts/bob/etc/ipsec.d/certs/aliceCert.pem b/testing/tests/ikev2/nat-double-snat/hosts/bob/etc/ipsec.d/certs/aliceCert.pem deleted file mode 100644 index e99ae8ec7..000000000 --- a/testing/tests/ikev2/nat-double-snat/hosts/bob/etc/ipsec.d/certs/aliceCert.pem +++ /dev/null @@ -1,25 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEHzCCAwegAwIBAgIBBTANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ -MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS -b290IENBMB4XDTA0MDkxMDExMjQzOVoXDTA5MDkwOTExMjQzOVowVzELMAkGA1UE -BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsTBVNhbGVz -MR0wGwYDVQQDFBRhbGljZUBzdHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcNAQEB -BQADggEPADCCAQoCggEBAK7FyvkE18/oujCaTd8GXBNOH+Cvoy0ibJ8j2sNsBrer -GS1lgxRs8zaVfK9fosadu0UZeWIHsOKkew5469sPvkKK2SGGH+pu+x+xO/vuaEG4 -FlkAu8iGFWLQycLt6BJfcqw7FT8rwNuD18XXBXmP7hRavi/TEElbVYHbO7lm8T5W -6hTr/sYddiSB7X9/ba7JBy6lxmBcUAx5bjiiHLaW/llefkqyhc6dw5nvPZ2DchvH -v/HWvLF9bsvxbBkHU0/z/CEsRuMBI7EPEL4rx3UqmuCUAqiMJTS3IrDaIlfJOLWc -KlbsnE6hHpwmt9oDB9iWBY9WeZUSAtJGFw4b7FCZvQ0CAwEAAaOCAQYwggECMAkG -A1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBRZmh0JtiNTjBsQsfD7ECNa -60iG2jBtBgNVHSMEZjBkgBRdp91wBlEyfue2bbO15eBg6i5N76FJpEcwRTELMAkG -A1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0 -cm9uZ1N3YW4gUm9vdCBDQYIBADAfBgNVHREEGDAWgRRhbGljZUBzdHJvbmdzd2Fu -Lm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3Jn -L3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBBAUAA4IBAQADdQIlJkFtmHEjtuyo -2aIcrsUx98FtvVgB7RpQB8JZlly7UEjvX0CIIvW/7Al5/8h9s1rhrRffX7nXQKAQ -AmPnvD2Pp47obDnHqm/L109S1fcL5BiPN1AlgsseUBwzdqBpyRncPXZoAuBh/BU5 -D/1Dip0hXgB/X6+QymSzRJoSKfpeXVICj1kYH1nIkn0YXthYF3BTrCheCzBlKn0S -CixbCUYsUjtSqld0nG76jyGb/gnWntNettH+RXWe1gm6qREJwfEFdeYviTqx2Uxi -6sBKG/XjNAcMArXb7V6w0YAwCyjwCl49B+mLZaFH+9izzBJ7NyVqhH8ToB1gt0re -JGhV ------END CERTIFICATE----- diff --git a/testing/tests/ikev2/nat-double-snat/posttest.dat b/testing/tests/ikev2/nat-double-snat/posttest.dat deleted file mode 100644 index 8ad7df96c..000000000 --- a/testing/tests/ikev2/nat-double-snat/posttest.dat +++ /dev/null @@ -1,8 +0,0 @@ -alice::ipsec stop -bob::ipsec stop -alice::rm /etc/ipsec.d/certs/* -bob::rm /etc/ipsec.d/certs/* -moon::route del -net 10.2.0.0/16 -sun::route del -net 10.1.0.0/16 -moon::iptables -t nat -F -sun::iptables -t nat -F diff --git a/testing/tests/ikev2/nat-double-snat/pretest.dat b/testing/tests/ikev2/nat-double-snat/pretest.dat deleted file mode 100644 index da1d43c4e..000000000 --- a/testing/tests/ikev2/nat-double-snat/pretest.dat +++ /dev/null @@ -1,11 +0,0 @@ -sun::echo 1 > /proc/sys/net/ipv4/ip_forward -sun::route add -net 10.1.0.0/16 gw PH_IP_MOON -sun::iptables -t nat -A POSTROUTING -o eth1 -s 192.168.0.0/24 -p udp -j SNAT --to-source PH_IP_SUN1:4024-4100 -moon::echo 1 > /proc/sys/net/ipv4/ip_forward -moon::route add -net 10.2.0.0/16 gw PH_IP_SUN -moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100 -bob::ipsec start -alice::ipsec start -alice::sleep 1 -alice::ipsec up home -alice::sleep 1 diff --git a/testing/tests/ikev2/nat-one-rw/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/nat-one-rw/hosts/alice/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/nat-one-rw/hosts/alice/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/nat-one-rw/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/nat-one-rw/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/nat-one-rw/hosts/sun/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/nat-pf/description.txt b/testing/tests/ikev2/nat-pf/description.txt deleted file mode 100644 index bb38af458..000000000 --- a/testing/tests/ikev2/nat-pf/description.txt +++ /dev/null @@ -1,4 +0,0 @@ -The roadwarrior <b>carol</b> sets up a connection to host <b>alice</b> sitting behind the NAT router <b>moon</b> -using IKEv2. Port Forwarding is used to publish host <b>alice</b>. UDP encapsulation is used to traverse the NAT router. -The authentication is based on locally loaded <b>X.509 certificates</b>. -In order to test the tunnel the roadwarrior <b>carol</b> pings the host <b>alice</b>. diff --git a/testing/tests/ikev2/nat-pf/evaltest.dat b/testing/tests/ikev2/nat-pf/evaltest.dat deleted file mode 100644 index 4d2950521..000000000 --- a/testing/tests/ikev2/nat-pf/evaltest.dat +++ /dev/null @@ -1,5 +0,0 @@ -alice::ipsec statusall::rw-carol.*ESTABLISHED::YES -carol::ipsec statusall::home.*ESTABLISHED::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES -moon::tcpdumpcount::IP carol.strongswan.org.* > moon.strongswan.org.ipsec-nat-t: UDP::2 -moon::tcpdumpcount::IP moon.strongswan.org.ipsec-nat-t > carol.strongswan.org.*: UDP::2 diff --git a/testing/tests/ikev2/nat-pf/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/nat-pf/hosts/alice/etc/ipsec.conf deleted file mode 100644 index 836379494..000000000 --- a/testing/tests/ikev2/nat-pf/hosts/alice/etc/ipsec.conf +++ /dev/null @@ -1,19 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -version 2.0 # conforms to second version of ipsec.conf specification - -config setup - plutostart=no - -conn %default - left=PH_IP_ALICE - leftcert=aliceCert.pem - leftid=alice@strongswan.org - leftsubnet=10.1.0.10/32 - keyexchange=ikev2 - -conn rw-carol - right=%any - rightcert=carolCert.pem - rightid=carol@strongswan.org - auto=add diff --git a/testing/tests/ikev2/nat-pf/hosts/alice/etc/ipsec.d/certs/carolCert.pem b/testing/tests/ikev2/nat-pf/hosts/alice/etc/ipsec.d/certs/carolCert.pem deleted file mode 100644 index 8492fbd45..000000000 --- a/testing/tests/ikev2/nat-pf/hosts/alice/etc/ipsec.d/certs/carolCert.pem +++ /dev/null @@ -1,25 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEIjCCAwqgAwIBAgIBCjANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ -MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS -b290IENBMB4XDTA1MDEwMTIxNDMxOFoXDTA5MTIzMTIxNDMxOFowWjELMAkGA1UE -BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh -cmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcN -AQEBBQADggEPADCCAQoCggEBALgbhJIECOCGyNJ4060un/wBuJ6MQjthK5CAEPgX -T/lvZynoSxhfuW5geDCCxQes6dZPeb6wJS4F5fH3qJoLM+Z4n13rZlCEyyMBkcFl -vK0aNFY+ARs0m7arUX8B7Pfi9N6WHTYgO4XpeBHLJrZQz9AU0V3S0rce/WVuVjii -S/cJhrgSi7rl87Qo1jYOA9P06BZQLj0dFNcWWrGpKp/hXvBF1OSP9b15jsgMlCCW -LJqXmLVKDtKgDPLJZR19mILhgcHvaxxD7craL9GR4QmWLb0m84oAIIwaw+0npZJM -YDMMeYeOtcepCWCmRy+XmsqcWu4rtNCu05W1RsXjYZEKBjcCAwEAAaOCAQYwggEC -MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBRVNeym66J5uu+IfxhD -j9InsWdG0TBtBgNVHSMEZjBkgBRdp91wBlEyfue2bbO15eBg6i5N76FJpEcwRTEL -MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT -EnN0cm9uZ1N3YW4gUm9vdCBDQYIBADAfBgNVHREEGDAWgRRjYXJvbEBzdHJvbmdz -d2FuLm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4u -b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBBAUAA4IBAQCxMEp+Zdclc0aI -U+jO3TmL81gcwea0BUucjZfDyvCSkDXcXidOez+l/vUueGC7Bqq1ukDF8cpVgGtM -2HPxM97ZSLPInMgWIeLq3uX8iTtIo05EYqRasJxBIAkY9o6ja6v6z0CZqjSbi2WE -HrHkFrkOTrRi7deGzbAAhWVjOnAfzSxBaujkdUxb6jGBc2F5qpAeVSbE+sAxzmSd -hRyF3tUUwl4yabBzmoedJzlQ4anqg0G14QScBxgXkq032gKuzNVVxWRp6OFannKG -C1INvsBWYtN62wjXlXXhM/M4sBFhmPpftVb+Amgr1jSspTX2dQsNqhI/WtNvLmfK -omBYfxqp ------END CERTIFICATE----- diff --git a/testing/tests/ikev2/nat-pf/hosts/carol/etc/ipsec.d/certs/aliceCert.pem b/testing/tests/ikev2/nat-pf/hosts/carol/etc/ipsec.d/certs/aliceCert.pem deleted file mode 100644 index e99ae8ec7..000000000 --- a/testing/tests/ikev2/nat-pf/hosts/carol/etc/ipsec.d/certs/aliceCert.pem +++ /dev/null @@ -1,25 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEHzCCAwegAwIBAgIBBTANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ -MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS -b290IENBMB4XDTA0MDkxMDExMjQzOVoXDTA5MDkwOTExMjQzOVowVzELMAkGA1UE -BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsTBVNhbGVz -MR0wGwYDVQQDFBRhbGljZUBzdHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcNAQEB -BQADggEPADCCAQoCggEBAK7FyvkE18/oujCaTd8GXBNOH+Cvoy0ibJ8j2sNsBrer -GS1lgxRs8zaVfK9fosadu0UZeWIHsOKkew5469sPvkKK2SGGH+pu+x+xO/vuaEG4 -FlkAu8iGFWLQycLt6BJfcqw7FT8rwNuD18XXBXmP7hRavi/TEElbVYHbO7lm8T5W -6hTr/sYddiSB7X9/ba7JBy6lxmBcUAx5bjiiHLaW/llefkqyhc6dw5nvPZ2DchvH -v/HWvLF9bsvxbBkHU0/z/CEsRuMBI7EPEL4rx3UqmuCUAqiMJTS3IrDaIlfJOLWc -KlbsnE6hHpwmt9oDB9iWBY9WeZUSAtJGFw4b7FCZvQ0CAwEAAaOCAQYwggECMAkG -A1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBRZmh0JtiNTjBsQsfD7ECNa -60iG2jBtBgNVHSMEZjBkgBRdp91wBlEyfue2bbO15eBg6i5N76FJpEcwRTELMAkG -A1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0 -cm9uZ1N3YW4gUm9vdCBDQYIBADAfBgNVHREEGDAWgRRhbGljZUBzdHJvbmdzd2Fu -Lm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3Jn -L3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBBAUAA4IBAQADdQIlJkFtmHEjtuyo -2aIcrsUx98FtvVgB7RpQB8JZlly7UEjvX0CIIvW/7Al5/8h9s1rhrRffX7nXQKAQ -AmPnvD2Pp47obDnHqm/L109S1fcL5BiPN1AlgsseUBwzdqBpyRncPXZoAuBh/BU5 -D/1Dip0hXgB/X6+QymSzRJoSKfpeXVICj1kYH1nIkn0YXthYF3BTrCheCzBlKn0S -CixbCUYsUjtSqld0nG76jyGb/gnWntNettH+RXWe1gm6qREJwfEFdeYviTqx2Uxi -6sBKG/XjNAcMArXb7V6w0YAwCyjwCl49B+mLZaFH+9izzBJ7NyVqhH8ToB1gt0re -JGhV ------END CERTIFICATE----- diff --git a/testing/tests/ikev2/nat-pf/posttest.dat b/testing/tests/ikev2/nat-pf/posttest.dat deleted file mode 100644 index bed4ae1b7..000000000 --- a/testing/tests/ikev2/nat-pf/posttest.dat +++ /dev/null @@ -1,5 +0,0 @@ -carol::ipsec stop -alice::ipsec stop -carol::rm /etc/ipsec.d/certs/* -alice::rm /etc/ipsec.d/certs/* -moon::iptables -t nat -F diff --git a/testing/tests/ikev2/nat-pf/pretest.dat b/testing/tests/ikev2/nat-pf/pretest.dat deleted file mode 100644 index fdb3de711..000000000 --- a/testing/tests/ikev2/nat-pf/pretest.dat +++ /dev/null @@ -1,7 +0,0 @@ -moon::echo 1 > /proc/sys/net/ipv4/ip_forward -moon::iptables -m multiport -t nat -A PREROUTING -i eth0 -p udp --dports 500,4500 -j DNAT --to 10.1.0.10 -alice::ipsec start -carol::ipsec start -carol::sleep 1 -carol::ipsec up home -carol::sleep 1 diff --git a/testing/tests/ikev2/nat-two-rw-psk/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/nat-two-rw-psk/hosts/alice/etc/strongswan.conf new file mode 100644 index 000000000..c252ebde6 --- /dev/null +++ b/testing/tests/ikev2/nat-two-rw-psk/hosts/alice/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke +} diff --git a/testing/tests/ikev2/nat-two-rw-psk/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/nat-two-rw-psk/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..c252ebde6 --- /dev/null +++ b/testing/tests/ikev2/nat-two-rw-psk/hosts/sun/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke +} diff --git a/testing/tests/ikev2/nat-two-rw-psk/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2/nat-two-rw-psk/hosts/venus/etc/strongswan.conf new file mode 100644 index 000000000..c252ebde6 --- /dev/null +++ b/testing/tests/ikev2/nat-two-rw-psk/hosts/venus/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke +} diff --git a/testing/tests/ikev2/nat-two-rw/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/nat-two-rw/hosts/alice/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/nat-two-rw/hosts/alice/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/nat-two-rw/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/nat-two-rw/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/nat-two-rw/hosts/sun/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/nat-two-rw/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2/nat-two-rw/hosts/venus/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/nat-two-rw/hosts/venus/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/net2net-psk/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-psk/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..c252ebde6 --- /dev/null +++ b/testing/tests/ikev2/net2net-psk/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke +} diff --git a/testing/tests/ikev2/net2net-psk/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-psk/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..c252ebde6 --- /dev/null +++ b/testing/tests/ikev2/net2net-psk/hosts/sun/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke +} diff --git a/testing/tests/ikev2/net2net-route/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-route/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/net2net-route/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/net2net-route/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-route/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/net2net-route/hosts/sun/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/net2net-start/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-start/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/net2net-start/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/net2net-start/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-start/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/net2net-start/hosts/sun/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/ocsp-local-cert/evaltest.dat b/testing/tests/ikev2/ocsp-local-cert/evaltest.dat index 6b849b811..c08a17943 100644 --- a/testing/tests/ikev2/ocsp-local-cert/evaltest.dat +++ b/testing/tests/ikev2/ocsp-local-cert/evaltest.dat @@ -1,8 +1,12 @@ -moon::cat /var/log/daemon.log::received valid http response::YES -carol::cat /var/log/daemon.log::received valid http response::YES moon::ipsec listocspcerts::altNames.*ocsp.strongswan.org::YES +moon::cat /var/log/daemon.log::requesting ocsp status from::YES +moon::cat /var/log/daemon.log::ocsp response correctly signed by::YES +moon::cat /var/log/daemon.log::ocsp response is valid::YES +moon::cat /var/log/daemon.log::certificate status is good::YES carol::ipsec listocspcerts::altNames.*ocsp.strongswan.org::YES -moon::cat /var/log/daemon.log::certificate is good::YES -carol::cat /var/log/daemon.log::certificate is good::YES +carol::cat /var/log/daemon.log::requesting ocsp status from::YES +carol::cat /var/log/daemon.log::ocsp response correctly signed by::YES +carol::cat /var/log/daemon.log::ocsp response is valid::YES +carol::cat /var/log/daemon.log::certificate status is good::YES moon::ipsec status::rw.*ESTABLISHED::YES carol::ipsec status::home.*ESTABLISHED::YES diff --git a/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/ocsp-multi-level/evaltest.dat b/testing/tests/ikev2/ocsp-multi-level/evaltest.dat index 93d152f6b..768de938b 100644 --- a/testing/tests/ikev2/ocsp-multi-level/evaltest.dat +++ b/testing/tests/ikev2/ocsp-multi-level/evaltest.dat @@ -1,9 +1,9 @@ moon::ipsec listocspcerts::altNames.*ocsp.*strongswan.org::YES carol::ipsec listocspcerts::altNames.*ocsp.strongswan.org::YES dave::ipsec listocspcerts::altNames.*ocsp.strongswan.org::YES -moon::cat /var/log/daemon.log::certificate is good::YES -carol::cat /var/log/daemon.log::certificate is good::YES -dave::cat /var/log/daemon.log::certificate is good::YES +moon::cat /var/log/daemon.log::certificate status is good::YES +carol::cat /var/log/daemon.log::certificate status is good::YES +dave::cat /var/log/daemon.log::certificate status is good::YES moon::ipsec status::ESTABLISHED.*carol::YES moon::ipsec status::ESTABLISHED.*dave::YES carol::ipsec status::ESTABLISHED::YES diff --git a/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat b/testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat index f185536a6..939817d58 100644 --- a/testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat +++ b/testing/tests/ikev2/ocsp-no-signer-cert/evaltest.dat @@ -1,5 +1,6 @@ -moon::cat /var/log/daemon.log::received valid http response::YES -moon::cat /var/log/daemon.log::received certificate is no ocsp signer - rejected::YES -moon::cat /var/log/daemon.log::certificate status unknown::YES +moon::cat /var/log/daemon.log::requesting ocsp status from::YES +moon::cat /var/log/daemon.log::ocsp response verification failed::YES +moon::cat /var/log/daemon.log::certificate status is not available::YES +moon::cat /var/log/daemon.log::constraint check failed.*VALIDATION_FAILED.*VALIDATION_GOOD::YES moon::ipsec status::rw.*ESTABLISHED::NO carol::ipsec status::home.*ESTABLISHED::NO diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/posttest.dat b/testing/tests/ikev2/ocsp-no-signer-cert/posttest.dat index c6d6235f9..1af117cf0 100644 --- a/testing/tests/ikev2/ocsp-no-signer-cert/posttest.dat +++ b/testing/tests/ikev2/ocsp-no-signer-cert/posttest.dat @@ -1,2 +1,3 @@ moon::ipsec stop carol::ipsec stop +moon::iptables -F diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/pretest.dat b/testing/tests/ikev2/ocsp-no-signer-cert/pretest.dat index d92333d86..afb64c3ed 100644 --- a/testing/tests/ikev2/ocsp-no-signer-cert/pretest.dat +++ b/testing/tests/ikev2/ocsp-no-signer-cert/pretest.dat @@ -1,3 +1,4 @@ +moon::iptables -I OUTPUT -d PH_IP_WINNETOU -p tcp --dport 80 -j DROP moon::ipsec start carol::ipsec start carol::sleep 2 diff --git a/testing/tests/ikev2/ocsp-revoked/evaltest.dat b/testing/tests/ikev2/ocsp-revoked/evaltest.dat index eacb70c40..2c3196103 100644 --- a/testing/tests/ikev2/ocsp-revoked/evaltest.dat +++ b/testing/tests/ikev2/ocsp-revoked/evaltest.dat @@ -1,6 +1,7 @@ -moon::cat /var/log/daemon.log::received valid http response::YES -moon::cat /var/log/daemon.log::received ocsp signer certificate is trusted::YES -moon::ipsec listocspcerts::altNames.*ocsp.strongswan.org::YES +moon::cat /var/log/daemon.log::requesting ocsp status from::YES +moon::cat /var/log/daemon.log::ocsp response correctly signed by::YES +moon::cat /var/log/daemon.log::certificate was revoked on::YES +moon::cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with RSA signature failed carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES moon::ipsec status::rw.*ESTABLISHED::NO carol::ipsec status::home.*ESTABLISHED::NO diff --git a/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/ocsp-root-cert/evaltest.dat b/testing/tests/ikev2/ocsp-root-cert/evaltest.dat index a3a1df194..5bb322acc 100644 --- a/testing/tests/ikev2/ocsp-root-cert/evaltest.dat +++ b/testing/tests/ikev2/ocsp-root-cert/evaltest.dat @@ -1,6 +1,10 @@ -moon::cat /var/log/daemon.log::received valid http response::YES -carol::cat /var/log/daemon.log::received valid http response::YES -moon::cat /var/log/daemon.log::certificate is good::YES -carol::cat /var/log/daemon.log::certificate is good::YES +moon::cat /var/log/daemon.log::requesting ocsp status::YES +moon::cat /var/log/daemon.log::ocsp response correctly signed by::YES +moon::cat /var/log/daemon.log::ocsp response is valid::YES +moon::cat /var/log/daemon.log::certificate status is good::YES +carol::cat /var/log/daemon.log::requesting ocsp status::YES +carol::cat /var/log/daemon.log::ocsp response correctly signed by::YES +carol::cat /var/log/daemon.log::ocsp response is valid::YES +carol::cat /var/log/daemon.log::certificate status is good::YES moon::ipsec status::rw.*ESTABLISHED::YES carol::ipsec status::home.*ESTABLISHED::YES diff --git a/testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/ocsp-signer-cert/description.txt b/testing/tests/ikev2/ocsp-signer-cert/description.txt index 492a9882b..7c7efb68e 100644 --- a/testing/tests/ikev2/ocsp-signer-cert/description.txt +++ b/testing/tests/ikev2/ocsp-signer-cert/description.txt @@ -4,7 +4,7 @@ is checked via the OCSP server <b>winnetou</b> which possesses an OCSP signer ce issued by the strongSwan CA. This certificate contains an <b>OCSPSigning</b> extended key usage flag. <b>carol</b>'s certificate includes an <b>OCSP URI</b> in an authority information access extension pointing to <b>winnetou</b>. -Therefore no special ca section information is needed in ipsec.conf. +Therefore no special ca section information is needed in moon's ipsec.conf. <p> <b>carol</b> can successfully initiate an IPsec connection to <b>moon</b> since the status of both certificates is <b>good</b>. diff --git a/testing/tests/ikev2/ocsp-signer-cert/evaltest.dat b/testing/tests/ikev2/ocsp-signer-cert/evaltest.dat index 4a8ffd412..f8bf0326a 100644 --- a/testing/tests/ikev2/ocsp-signer-cert/evaltest.dat +++ b/testing/tests/ikev2/ocsp-signer-cert/evaltest.dat @@ -1,13 +1,12 @@ -moon::ipsec listcainfos::ocspuris.*http://ocsp.strongswan.org::YES carol::ipsec listcainfos::ocspuris.*http://ocsp.strongswan.org::YES -moon::cat /var/log/daemon.log::received valid http response::YES -carol::cat /var/log/daemon.log::received valid http response::YES -moon::cat /var/log/daemon.log::received ocsp signer certificate is trusted::YES -carol::cat /var/log/daemon.log::received ocsp signer certificate is trusted::YES -moon::ipsec listocspcerts::altNames.*ocsp.strongswan.org::YES -carol::ipsec listocspcerts::altNames.*ocsp.strongswan.org::YES -moon::cat /var/log/daemon.log::certificate is good::YES -carol::cat /var/log/daemon.log::certificate is good::YES +moon::cat /var/log/daemon.log::requesting ocsp status::YES +moon::cat /var/log/daemon.log::ocsp response correctly signed by::YES +moon::cat /var/log/daemon.log::ocsp response is valid::YES +moon::cat /var/log/daemon.log::certificate status is good::YES +carol::cat /var/log/daemon.log::requesting ocsp status::YES +carol::cat /var/log/daemon.log::ocsp response correctly signed by::YES +carol::cat /var/log/daemon.log::ocsp response is valid::YES +carol::cat /var/log/daemon.log::certificate status is good::YES moon::ipsec status::rw.*ESTABLISHED::YES carol::ipsec status::home.*ESTABLISHED::YES diff --git a/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.conf index f8abd6b59..4011a6c17 100755 --- a/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.conf @@ -5,6 +5,11 @@ config setup strictcrlpolicy=yes plutostart=no +ca strongswan + cacert=strongswanCert.pem + ocspuri=http://ocsp.strongswan.org:8880 + auto=add + conn %default keyexchange=ikev2 ikelifetime=60m diff --git a/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/ocsp-signer-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-signer-cert/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/ocsp-signer-cert/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat b/testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat index 48f24aa8f..9f20ee81c 100644 --- a/testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat +++ b/testing/tests/ikev2/ocsp-strict-ifuri/evaltest.dat @@ -1,6 +1,7 @@ moon::cat /var/log/daemon.log::authentication of.*carol.*successful::YES -moon::cat /var/log/daemon.log::http post request using libcurl failed::YES -moon::cat /var/log/daemon.log::authentication of.*dave.*failed::YES +moon::cat /var/log/daemon.log::libcurl http request failed::YES +moon::cat /var/log/daemon.log::certificate status is not available::YES +moon::cat /var/log/daemon.log::constraint check failed.*VALIDATION_FAILED.*VALIDATION_SKIPPED::YES moon::ipsec status::ESTABLISHED.*carol::YES moon::ipsec status::ESTABLISHED.*dave::NO carol::ipsec status::ESTABLISHED::YES diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/ocsp-timeouts-good/evaltest.dat b/testing/tests/ikev2/ocsp-timeouts-good/evaltest.dat index 4c4059810..777c32699 100644 --- a/testing/tests/ikev2/ocsp-timeouts-good/evaltest.dat +++ b/testing/tests/ikev2/ocsp-timeouts-good/evaltest.dat @@ -1,9 +1,13 @@ -moon::cat /var/log/daemon.log::http post request using libcurl failed::YES -carol::cat /var/log/daemon.log::http post request using libcurl failed::YES -moon::cat /var/log/daemon.log::received valid http response::YES -carol::cat /var/log/daemon.log::received valid http response::YES -moon::cat /var/log/daemon.log::certificate is good::YES -carol::cat /var/log/daemon.log::certificate is good::YES +moon::cat /var/log/daemon.log::libcurl http request failed::YES +moon::cat /var/log/daemon.log::ocsp request to.*ocsp2.strongswan.org:8880.*failed::YES +moon::cat /var/log/daemon.log::requesting ocsp status from.*ocsp.strongswan.org:8880::YES +moon::cat /var/log/daemon.log::ocsp response is valid::YES +moon::cat /var/log/daemon.log::certificate status is good::YES +carol::cat /var/log/daemon.log::libcurl http request failed::YES +carol::cat /var/log/daemon.log::ocsp request to.*bob.strongswan.org:8800.*failed::YES +carol::cat /var/log/daemon.log::requesting ocsp status from.*ocsp.strongswan.org:8880::YES +carol::cat /var/log/daemon.log::ocsp response is valid::YES +carol::cat /var/log/daemon.log::certificate status is good::YES moon::ipsec status::rw.*ESTABLISHED::YES carol::ipsec status::home.*ESTABLISHED::YES diff --git a/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.conf index d95a322bd..ff312cc6b 100755 --- a/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.conf @@ -7,7 +7,8 @@ config setup ca strongswan-ca cacert=strongswanCert.pem - ocspuri2=http://bob.strongswan.org:8800 + ocspuri1=http://bob.strongswan.org:8800 + ocspuri2=http://ocsp.strongswan.org:8880 auto=add conn %default diff --git a/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/ocsp-timeouts-unknown/evaltest.dat b/testing/tests/ikev2/ocsp-timeouts-unknown/evaltest.dat index c9c09a72f..1b281507b 100644 --- a/testing/tests/ikev2/ocsp-timeouts-unknown/evaltest.dat +++ b/testing/tests/ikev2/ocsp-timeouts-unknown/evaltest.dat @@ -1,5 +1,6 @@ -moon::cat /var/log/daemon.log::http post request using libcurl failed::YES -moon::cat /var/log/daemon.log::certificate status unknown::YES +moon::cat /var/log/daemon.log::libcurl http request failed::YES +moon::cat /var/log/daemon.log::certificate status is not available::YES +moon::cat /var/log/daemon.log::constraint check failed::YES carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED::YES moon::ipsec status::rw.*ESTABLISHED::NO carol::ipsec status::home.*ESTABLISHED::NO diff --git a/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat b/testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat index a0b6d681f..b47403756 100644 --- a/testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat +++ b/testing/tests/ikev2/ocsp-untrusted-cert/evaltest.dat @@ -1,5 +1,7 @@ -moon::cat /var/log/daemon.log::received valid http response::YES -moon::cat /var/log/daemon.log::received ocsp signer certificate is not trusted - rejected::YES -moon::cat /var/log/daemon.log::certificate status unknown::YES +moon::cat /var/log/daemon.log::requesting ocsp status from::YES +moon::cat /var/log/daemon.log::self-signed certificate.*is not trusted::YES +moon::cat /var/log/daemon.log::ocsp response verification failed::YES +moon::cat /var/log/daemon.log::certificate status is not available::YES +moon::cat /var/log/daemon.log::constraint check failed.*VALIDATION_FAILED.*VALIDATION_GOOD::YES moon::ipsec status::rw.*ESTABLISHED::NO carol::ipsec status::home.*ESTABLISHED::NO diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/posttest.dat b/testing/tests/ikev2/ocsp-untrusted-cert/posttest.dat index c6d6235f9..1af117cf0 100644 --- a/testing/tests/ikev2/ocsp-untrusted-cert/posttest.dat +++ b/testing/tests/ikev2/ocsp-untrusted-cert/posttest.dat @@ -1,2 +1,3 @@ moon::ipsec stop carol::ipsec stop +moon::iptables -F diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/pretest.dat b/testing/tests/ikev2/ocsp-untrusted-cert/pretest.dat index d92333d86..afb64c3ed 100644 --- a/testing/tests/ikev2/ocsp-untrusted-cert/pretest.dat +++ b/testing/tests/ikev2/ocsp-untrusted-cert/pretest.dat @@ -1,3 +1,4 @@ +moon::iptables -I OUTPUT -d PH_IP_WINNETOU -p tcp --dport 80 -j DROP moon::ipsec start carol::ipsec start carol::sleep 2 diff --git a/testing/tests/ikev2/protoport-dual/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/protoport-dual/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/protoport-dual/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/protoport-dual/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/protoport-dual/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/protoport-dual/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/protoport-route/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/protoport-route/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/protoport-route/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/protoport-route/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/protoport-route/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/protoport-route/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/reauth-early/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/reauth-early/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/reauth-early/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/reauth-early/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/reauth-early/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/reauth-early/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/reauth-late/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/reauth-late/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/reauth-late/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/reauth-late/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/reauth-late/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/reauth-late/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/ipsec.conf index c2fe02639..2af93a313 100755 --- a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/ipsec.conf @@ -19,5 +19,4 @@ conn home right=PH_IP_MOON rightid=@moon.strongswan.org rightsubnet=10.1.0.0/16 - rightsendcert=never auto=add diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..f699d5e27 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke fips-prf eapaka +} diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/ipsec.conf index dbf38160f..140e88912 100755 --- a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/ipsec.conf @@ -20,5 +20,6 @@ conn rw-eapaka leftcert=moonCert.pem leftfirewall=yes rightid=*@strongswan.org + rightsendcert=never right=%any auto=add diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..f699d5e27 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke fips-prf eapaka +} diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/description.txt b/testing/tests/ikev2/rw-eap-md5-rsa/description.txt new file mode 100644 index 000000000..a2ac00d80 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-md5-rsa/description.txt @@ -0,0 +1,7 @@ +The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>. +<b>carol</b> uses the <i>Extensible Authentication Protocol</i> +in association with an <i>MD5</i> challenge and response protocol +(<b>EAP-MD5</b>) to authenticate against the gateway. The user password +is kept in <b>ipsec.secrets</b> on both gateway and client +Gateway <b>moon</b> additionaly uses an <b>RSA signature</b> to authenticate itself +against <b>carol</b>. diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-md5-rsa/evaltest.dat new file mode 100644 index 000000000..5de841c03 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-md5-rsa/evaltest.dat @@ -0,0 +1,10 @@ +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES +moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES +moon::ipsec statusall::rw-eapaka.*ESTABLISHED::YES +carol::ipsec statusall::home.*ESTABLISHED::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES + + diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..2af93a313 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/ipsec.conf @@ -0,0 +1,22 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + authby=eap + +conn home + left=PH_IP_CAROL + leftnexthop=%direct + leftid=carol@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..e03e89a0f --- /dev/null +++ b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +carol@strongswan.org : EAP "Ar3etTnp01qlpOgb" diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..3a359eff2 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke fips-prf eapmd5 +} diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..78bc23b4c --- /dev/null +++ b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn rw-eapaka + authby=rsasig + eap=md5 + left=PH_IP_MOON + leftsubnet=10.1.0.0/16 + leftid=@moon.strongswan.org + leftcert=moonCert.pem + leftfirewall=yes + rightid=*@strongswan.org + rightsendcert=never + right=%any + auto=add diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..aa3838385 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,5 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA moonKey.pem + +carol@strongswan.org : EAP "Ar3etTnp01qlpOgb" diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..3a359eff2 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke fips-prf eapmd5 +} diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/posttest.dat b/testing/tests/ikev2/rw-eap-md5-rsa/posttest.dat new file mode 100644 index 000000000..94a400606 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-md5-rsa/posttest.dat @@ -0,0 +1,4 @@ +moon::ipsec stop +carol::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/pretest.dat b/testing/tests/ikev2/rw-eap-md5-rsa/pretest.dat new file mode 100644 index 000000000..ed5498bfe --- /dev/null +++ b/testing/tests/ikev2/rw-eap-md5-rsa/pretest.dat @@ -0,0 +1,7 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +carol::ipsec start +carol::sleep 1 +carol::ipsec up home +carol::sleep 1 diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/test.conf b/testing/tests/ikev2/rw-eap-md5-rsa/test.conf new file mode 100644 index 000000000..2bd21499b --- /dev/null +++ b/testing/tests/ikev2/rw-eap-md5-rsa/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice carol moon" + +# Corresponding block diagram +# +DIAGRAM="a-m-c.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/ipsec.conf index c2fe02639..2af93a313 100755 --- a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/ipsec.conf @@ -19,5 +19,4 @@ conn home right=PH_IP_MOON rightid=@moon.strongswan.org rightsubnet=10.1.0.0/16 - rightsendcert=never auto=add diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..8812814d6 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke fips-prf eapsim +} diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/ipsec.conf index 3f88b2ade..509deb945 100755 --- a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/ipsec.conf @@ -21,4 +21,5 @@ conn rw-eapsim leftfirewall=yes rightid=*@strongswan.org right=%any + rightsendcert=never auto=add diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..8812814d6 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke fips-prf eapsim +} diff --git a/testing/tests/ikev2/rw-hash-and-url/description.txt b/testing/tests/ikev2/rw-hash-and-url/description.txt new file mode 100644 index 000000000..5e748d75e --- /dev/null +++ b/testing/tests/ikev2/rw-hash-and-url/description.txt @@ -0,0 +1,10 @@ +The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each +to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>. +Instead of the certificates themselves, "Hash and URL" certificate payloads +are transferred and the certificates are fetched via http from web server <b>winnetou</b>. +<p> +Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b> +automatically inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping +the client <b>alice</b> behind the gateway <b>moon</b>. +</p> diff --git a/testing/tests/ikev2/rw-hash-and-url/evaltest.dat b/testing/tests/ikev2/rw-hash-and-url/evaltest.dat new file mode 100644 index 000000000..fe2a8d063 --- /dev/null +++ b/testing/tests/ikev2/rw-hash-and-url/evaltest.dat @@ -0,0 +1,14 @@ +moon::cat /var/log/daemon.log::fetched certificate.*carol@strongswan.org::YES +moon::cat /var/log/daemon.log::fetched certificate.*dave@strongswan.org::YES +carol::cat /var/log/daemon.log::fetched certificate.*moon.strongswan.org::YES +dave::cat /var/log/daemon.log::fetched certificate.*moon.strongswan.org::YES +moon::ipsec statusall::rw.*ESTABLISHED::YES +carol::ipsec statusall::home.*ESTABLISHED::YES +dave::ipsec statusall::home.*ESTABLISHED::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES + diff --git a/testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..77046eb7d --- /dev/null +++ b/testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/ipsec.conf @@ -0,0 +1,28 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +ca strongswan + cacert=strongswanCert.pem + certuribase=http://winnetou.strongswan.org/certs/ + auto=add + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn home + left=PH_IP_CAROL + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + keyexchange=ikev2 + auto=add diff --git a/testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..af0f9953b --- /dev/null +++ b/testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + hash_and_url = yes + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..febaf9be2 --- /dev/null +++ b/testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/ipsec.conf @@ -0,0 +1,28 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +ca strongswan + cacert=strongswanCert.pem + certuribase=http://winnetou.strongswan.org/certs/ + auto=add + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn home + left=PH_IP_DAVE + leftcert=daveCert.pem + leftid=dave@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + keyexchange=ikev2 + auto=add diff --git a/testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..af0f9953b --- /dev/null +++ b/testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + hash_and_url = yes + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..cbc60000a --- /dev/null +++ b/testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/ipsec.conf @@ -0,0 +1,27 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +ca strongswan + cacert=strongswanCert.pem + certuribase=http://winnetou.strongswan.org/certs/ + auto=add + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + leftfirewall=yes + right=%any + keyexchange=ikev2 + auto=add diff --git a/testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..af0f9953b --- /dev/null +++ b/testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + hash_and_url = yes + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/rw-hash-and-url/posttest.dat b/testing/tests/ikev2/rw-hash-and-url/posttest.dat new file mode 100644 index 000000000..7cebd7f25 --- /dev/null +++ b/testing/tests/ikev2/rw-hash-and-url/posttest.dat @@ -0,0 +1,6 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +dave::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev2/rw-hash-and-url/pretest.dat b/testing/tests/ikev2/rw-hash-and-url/pretest.dat new file mode 100644 index 000000000..42e9d7c24 --- /dev/null +++ b/testing/tests/ikev2/rw-hash-and-url/pretest.dat @@ -0,0 +1,9 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +dave::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +carol::ipsec start +dave::ipsec start +carol::sleep 1 +carol::ipsec up home +dave::ipsec up home diff --git a/testing/tests/ikev2/rw-hash-and-url/test.conf b/testing/tests/ikev2/rw-hash-and-url/test.conf new file mode 100644 index 000000000..70416826e --- /dev/null +++ b/testing/tests/ikev2/rw-hash-and-url/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev2/rw-psk-fqdn/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-fqdn/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..c252ebde6 --- /dev/null +++ b/testing/tests/ikev2/rw-psk-fqdn/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke +} diff --git a/testing/tests/ikev2/rw-psk-fqdn/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-fqdn/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..c252ebde6 --- /dev/null +++ b/testing/tests/ikev2/rw-psk-fqdn/hosts/dave/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke +} diff --git a/testing/tests/ikev2/rw-psk-fqdn/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-fqdn/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..c252ebde6 --- /dev/null +++ b/testing/tests/ikev2/rw-psk-fqdn/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke +} diff --git a/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..c252ebde6 --- /dev/null +++ b/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke +} diff --git a/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..c252ebde6 --- /dev/null +++ b/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke +} diff --git a/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..c252ebde6 --- /dev/null +++ b/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke +} diff --git a/testing/tests/ikev2/rw-psk-no-idr/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-no-idr/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..c252ebde6 --- /dev/null +++ b/testing/tests/ikev2/rw-psk-no-idr/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke +} diff --git a/testing/tests/ikev2/rw-psk-no-idr/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-no-idr/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..c252ebde6 --- /dev/null +++ b/testing/tests/ikev2/rw-psk-no-idr/hosts/dave/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke +} diff --git a/testing/tests/ikev2/rw-psk-no-idr/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-no-idr/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..c252ebde6 --- /dev/null +++ b/testing/tests/ikev2/rw-psk-no-idr/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke +} diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/evaltest.dat b/testing/tests/ikev2/rw-psk-rsa-mixed/evaltest.dat index 1ce38fc6a..236684c57 100644 --- a/testing/tests/ikev2/rw-psk-rsa-mixed/evaltest.dat +++ b/testing/tests/ikev2/rw-psk-rsa-mixed/evaltest.dat @@ -3,7 +3,7 @@ moon::cat /var/log/daemon.log::authentication of 'PH_IP_MOON' (myself) with pre- moon::ipsec statusall::rw-psk.*INSTALLED::YES carol::ipsec statusall::home.*ESTABLISHED::YES moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with RSA signature successful::YES -moon::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' (myself) with RSA signature::YES +moon::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' (myself) with RSA signature successful::YES moon::ipsec statusall::rw-rsasig.*INSTALLED::YES dave::ipsec statusall::home.*ESTABLISHED::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/rw-psk-rsa-split/evaltest.dat b/testing/tests/ikev2/rw-psk-rsa-split/evaltest.dat index 8c7d2e9ea..0e5bd03db 100644 --- a/testing/tests/ikev2/rw-psk-rsa-split/evaltest.dat +++ b/testing/tests/ikev2/rw-psk-rsa-split/evaltest.dat @@ -1,6 +1,6 @@ moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with pre-shared key successful::YES moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with pre-shared key successful::YES -moon::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' (myself) with RSA signature::YES +moon::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' (myself) with RSA signature successful::YES moon::ipsec statusall::rw.*INSTALLED::YES carol::ipsec statusall::home.*ESTABLISHED::YES dave::ipsec statusall::home.*ESTABLISHED::YES diff --git a/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/ipsec.conf index dc6f82923..da59dfdae 100755 --- a/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/ipsec.conf @@ -15,6 +15,7 @@ conn %default conn home left=PH_IP_CAROL + leftsourceip=%config leftid=carol@strongswan.org leftfirewall=yes right=PH_IP_MOON diff --git a/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/ipsec.conf index b09427d4c..f09d46c5b 100755 --- a/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/ipsec.conf @@ -15,6 +15,7 @@ conn %default conn home left=PH_IP_DAVE + leftsourceip=%config leftid=dave@strongswan.org leftfirewall=yes right=PH_IP_MOON diff --git a/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/ipsec.conf index a3bf042d4..fb4b9ed3a 100755 --- a/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/ipsec.conf @@ -17,5 +17,6 @@ conn rw leftsubnet=10.1.0.0/16 leftfirewall=yes right=%any + rightsourceip=10.3.0.0/28 rightsendcert=never auto=add diff --git a/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/two-certs/evaltest.dat b/testing/tests/ikev2/two-certs/evaltest.dat index 3421c6e0f..0598e1fb2 100644 --- a/testing/tests/ikev2/two-certs/evaltest.dat +++ b/testing/tests/ikev2/two-certs/evaltest.dat @@ -1,6 +1,7 @@ -moon::cat /var/log/daemon.log::candidate peer certificate was not successfully verified::YES -moon::cat /var/log/daemon.log::candidate peer certificate has a non-matching RSA public key::YES -moon::cat /var/log/daemon.log::candidate peer certificate has a matching RSA public key::YES +moon::cat /var/log/daemon.log::certificate was revoked::YES +moon::cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with RSA signature successful::YES +moon::cat /var/log/daemon.log::signature validation failed, looking for another key::YES +moon::cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with RSA signature successful::YES moon::ipsec statusall::carol.*ESTABLISHED::YES moon::ipsec statusall::dave.*ESTABLISHED::YES carol::ipsec statusall::home.*ESTABLISHED::YES diff --git a/testing/tests/ikev2/two-certs/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/two-certs/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/two-certs/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/two-certs/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/two-certs/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/two-certs/hosts/dave/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.conf index eb6feb6e2..8800c7ad5 100755 --- a/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/two-certs/hosts/moon/etc/ipsec.conf @@ -1,7 +1,6 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - charondebug="cfg 2" crlcheckinterval=180 strictcrlpolicy=yes plutostart=no diff --git a/testing/tests/ikev2/two-certs/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/two-certs/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/two-certs/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/virtual-ip-override/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/virtual-ip-override/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/virtual-ip-override/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/virtual-ip-override/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/virtual-ip-override/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/virtual-ip-override/hosts/dave/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/virtual-ip-override/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/virtual-ip-override/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/virtual-ip-override/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/virtual-ip/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/virtual-ip/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/virtual-ip/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/virtual-ip/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/virtual-ip/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/virtual-ip/hosts/dave/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/virtual-ip/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/virtual-ip/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/virtual-ip/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/wildcards/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/wildcards/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/wildcards/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/wildcards/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/wildcards/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/wildcards/hosts/dave/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ikev2/wildcards/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/wildcards/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ikev2/wildcards/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ipv6/net2net-ipv4-ikev2/description.txt b/testing/tests/ipv6/net2net-ipv4-ikev2/description.txt new file mode 100644 index 000000000..62fff0b30 --- /dev/null +++ b/testing/tests/ipv6/net2net-ipv4-ikev2/description.txt @@ -0,0 +1,4 @@ +An IPv6 ESP tunnel connection between the gateways <b>moon</b> and <b>sun</b> is successfully set up. +It connects the two IPv4 subnets hiding behind their respective gateways. The authentication is based on +X.509 certificates. In order to test the IPv4-over-IPv6 ESP tunnel, client <b>alice</b> behind <b>moon</b> +sends an IPv4 ICMP request to client <b>bob</b> behind <b>sun</b> using the ping command. diff --git a/testing/tests/ipv6/net2net-ipv4-ikev2/evaltest.dat b/testing/tests/ipv6/net2net-ipv4-ikev2/evaltest.dat new file mode 100644 index 000000000..76c138e63 --- /dev/null +++ b/testing/tests/ipv6/net2net-ipv4-ikev2/evaltest.dat @@ -0,0 +1,5 @@ +moon::ipsec status::net-net.*INSTALLED::YES +sun::ipsec status::net.net.*INSTALLED::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES +sun::tcpdump::IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP::YES +sun::tcpdump::IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP::YES diff --git a/testing/tests/ipv6/net2net-ipv4-ikev2/hosts/moon/etc/init.d/iptables b/testing/tests/ipv6/net2net-ipv4-ikev2/hosts/moon/etc/init.d/iptables new file mode 100755 index 000000000..25074a0f1 --- /dev/null +++ b/testing/tests/ipv6/net2net-ipv4-ikev2/hosts/moon/etc/init.d/iptables @@ -0,0 +1,107 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +opts="start stop reload" + +depend() { + before net + need logger +} + +start() { + ebegin "Starting firewall" + + # enable IP forwarding + echo 1 > /proc/sys/net/ipv6/conf/all/forwarding + echo 1 > /proc/sys/net/ipv4/ip_forward + + # default policy is DROP + /sbin/iptables -P INPUT DROP + /sbin/iptables -P OUTPUT DROP + /sbin/iptables -P FORWARD DROP + + /sbin/ip6tables -P INPUT DROP + /sbin/ip6tables -P OUTPUT DROP + /sbin/ip6tables -P FORWARD DROP + + # allow esp + ip6tables -A INPUT -i eth0 -p 50 -j ACCEPT + ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT + + # allow IKE + ip6tables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT + ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + + # allow MobIKE + ip6tables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT + ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + + # allow last UDP fragment + ip6tables -A INPUT -i eth0 -p udp -m frag --fraglast -j ACCEPT + + # allow ICMPv6 neighbor-solicitations + ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT + ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT + + # allow ICMPv6 neighbor-advertisements + ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT + ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT + + # allow crl fetch from winnetou + iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT + iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + + # allow ssh + iptables -A INPUT -p tcp --dport 22 -j ACCEPT + iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT + + # log dropped packets + ip6tables -A INPUT -j LOG --log-prefix " IN: " + ip6tables -A OUTPUT -j LOG --log-prefix " OUT: " + + eend $? +} + +stop() { + ebegin "Stopping firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/ip6tables -F -t $a + /sbin/ip6tables -X -t $a + + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + + if [ $a == nat ]; then + /sbin/iptables -t nat -P PREROUTING ACCEPT + /sbin/iptables -t nat -P POSTROUTING ACCEPT + /sbin/iptables -t nat -P OUTPUT ACCEPT + elif [ $a == mangle ]; then + /sbin/iptables -t mangle -P PREROUTING ACCEPT + /sbin/iptables -t mangle -P INPUT ACCEPT + /sbin/iptables -t mangle -P FORWARD ACCEPT + /sbin/iptables -t mangle -P OUTPUT ACCEPT + /sbin/iptables -t mangle -P POSTROUTING ACCEPT + elif [ $a == filter ]; then + /sbin/ip6tables -t filter -P INPUT ACCEPT + /sbin/ip6tables -t filter -P FORWARD ACCEPT + /sbin/ip6tables -t filter -P OUTPUT ACCEPT + + /sbin/iptables -t filter -P INPUT ACCEPT + /sbin/iptables -t filter -P FORWARD ACCEPT + /sbin/iptables -t filter -P OUTPUT ACCEPT + fi + done + eend $? +} + +reload() { + ebegin "Flushing firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/ip6tables -F -t $a + /sbin/ip6tables -X -t $a + done; + eend $? + start +} + diff --git a/testing/tests/ipv6/net2net-ipv4-ikev2/hosts/moon/etc/ipsec.conf b/testing/tests/ipv6/net2net-ipv4-ikev2/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..ddc965c01 --- /dev/null +++ b/testing/tests/ipv6/net2net-ipv4-ikev2/hosts/moon/etc/ipsec.conf @@ -0,0 +1,27 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + strictcrlpolicy=no + crlcheckinterval=180 + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + mobike=no + +conn net-net + also=host-host + leftsubnet=10.1.0.0/16 + rightsubnet=10.2.0.0/16 + +conn host-host + left=PH_IP6_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + right=PH_IP6_SUN + rightid=@sun.strongswan.org + auto=add diff --git a/testing/tests/ipv6/net2net-ipv4-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/net2net-ipv4-ikev2/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ipv6/net2net-ipv4-ikev2/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ipv6/net2net-ipv4-ikev2/hosts/sun/etc/init.d/iptables b/testing/tests/ipv6/net2net-ipv4-ikev2/hosts/sun/etc/init.d/iptables new file mode 100755 index 000000000..25074a0f1 --- /dev/null +++ b/testing/tests/ipv6/net2net-ipv4-ikev2/hosts/sun/etc/init.d/iptables @@ -0,0 +1,107 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +opts="start stop reload" + +depend() { + before net + need logger +} + +start() { + ebegin "Starting firewall" + + # enable IP forwarding + echo 1 > /proc/sys/net/ipv6/conf/all/forwarding + echo 1 > /proc/sys/net/ipv4/ip_forward + + # default policy is DROP + /sbin/iptables -P INPUT DROP + /sbin/iptables -P OUTPUT DROP + /sbin/iptables -P FORWARD DROP + + /sbin/ip6tables -P INPUT DROP + /sbin/ip6tables -P OUTPUT DROP + /sbin/ip6tables -P FORWARD DROP + + # allow esp + ip6tables -A INPUT -i eth0 -p 50 -j ACCEPT + ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT + + # allow IKE + ip6tables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT + ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + + # allow MobIKE + ip6tables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT + ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + + # allow last UDP fragment + ip6tables -A INPUT -i eth0 -p udp -m frag --fraglast -j ACCEPT + + # allow ICMPv6 neighbor-solicitations + ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT + ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT + + # allow ICMPv6 neighbor-advertisements + ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT + ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT + + # allow crl fetch from winnetou + iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT + iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + + # allow ssh + iptables -A INPUT -p tcp --dport 22 -j ACCEPT + iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT + + # log dropped packets + ip6tables -A INPUT -j LOG --log-prefix " IN: " + ip6tables -A OUTPUT -j LOG --log-prefix " OUT: " + + eend $? +} + +stop() { + ebegin "Stopping firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/ip6tables -F -t $a + /sbin/ip6tables -X -t $a + + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + + if [ $a == nat ]; then + /sbin/iptables -t nat -P PREROUTING ACCEPT + /sbin/iptables -t nat -P POSTROUTING ACCEPT + /sbin/iptables -t nat -P OUTPUT ACCEPT + elif [ $a == mangle ]; then + /sbin/iptables -t mangle -P PREROUTING ACCEPT + /sbin/iptables -t mangle -P INPUT ACCEPT + /sbin/iptables -t mangle -P FORWARD ACCEPT + /sbin/iptables -t mangle -P OUTPUT ACCEPT + /sbin/iptables -t mangle -P POSTROUTING ACCEPT + elif [ $a == filter ]; then + /sbin/ip6tables -t filter -P INPUT ACCEPT + /sbin/ip6tables -t filter -P FORWARD ACCEPT + /sbin/ip6tables -t filter -P OUTPUT ACCEPT + + /sbin/iptables -t filter -P INPUT ACCEPT + /sbin/iptables -t filter -P FORWARD ACCEPT + /sbin/iptables -t filter -P OUTPUT ACCEPT + fi + done + eend $? +} + +reload() { + ebegin "Flushing firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/ip6tables -F -t $a + /sbin/ip6tables -X -t $a + done; + eend $? + start +} + diff --git a/testing/tests/ipv6/net2net-ipv4-ikev2/hosts/sun/etc/ipsec.conf b/testing/tests/ipv6/net2net-ipv4-ikev2/hosts/sun/etc/ipsec.conf new file mode 100755 index 000000000..b02136ffe --- /dev/null +++ b/testing/tests/ipv6/net2net-ipv4-ikev2/hosts/sun/etc/ipsec.conf @@ -0,0 +1,27 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + strictcrlpolicy=no + crlcheckinterval=180 + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + mobike=no + +conn net-net + also=host-host + leftsubnet=10.2.0.0/16 + rightsubnet=10.1.0.0/16 + +conn host-host + left=PH_IP6_SUN + leftcert=sunCert.pem + leftid=@sun.strongswan.org + right=PH_IP6_MOON + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ipv6/net2net-ipv4-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/net2net-ipv4-ikev2/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ipv6/net2net-ipv4-ikev2/hosts/sun/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ipv6/net2net-ipv4-ikev2/posttest.dat b/testing/tests/ipv6/net2net-ipv4-ikev2/posttest.dat new file mode 100644 index 000000000..dff181797 --- /dev/null +++ b/testing/tests/ipv6/net2net-ipv4-ikev2/posttest.dat @@ -0,0 +1,2 @@ +moon::ipsec stop +sun::ipsec stop diff --git a/testing/tests/ipv6/net2net-ipv4-ikev2/pretest.dat b/testing/tests/ipv6/net2net-ipv4-ikev2/pretest.dat new file mode 100644 index 000000000..071827b66 --- /dev/null +++ b/testing/tests/ipv6/net2net-ipv4-ikev2/pretest.dat @@ -0,0 +1,6 @@ +moon::echo 1 > /proc/sys/net/ipv4/ip_forward +sun::echo 1 > /proc/sys/net/ipv4/ip_forward +moon::ipsec start +sun::ipsec start +moon::sleep 2 +moon::ipsec up net-net diff --git a/testing/tests/ipv6/net2net-ipv4-ikev2/test.conf b/testing/tests/ipv6/net2net-ipv4-ikev2/test.conf new file mode 100644 index 000000000..991d884db --- /dev/null +++ b/testing/tests/ipv6/net2net-ipv4-ikev2/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b-ip6.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" diff --git a/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/strongswan.conf b/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/strongswan.conf b/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/strongswan.conf b/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..c252ebde6 --- /dev/null +++ b/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke +} diff --git a/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/strongswan.conf b/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..c252ebde6 --- /dev/null +++ b/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke +} diff --git a/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..c252ebde6 --- /dev/null +++ b/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke +} diff --git a/testing/tests/ipv6/transport-ikev2/evaltest.dat b/testing/tests/ipv6/transport-ikev2/evaltest.dat index 1ea5bcebe..f1e26e7ea 100644 --- a/testing/tests/ipv6/transport-ikev2/evaltest.dat +++ b/testing/tests/ipv6/transport-ikev2/evaltest.dat @@ -1,4 +1,4 @@ -moon::cat /var/log/daemon.log::received USE_TRANSPORT_MODE notify::YES +moon::cat /var/log/daemon.log::parsed IKE_AUTH response.*N(USE_TRANSP)::YES moon::ipsec status::host-host.*INSTALLED.*TRANSPORT::YES sun::ipsec status::host-host.*INSTALLED.*TRANSPORT::YES moon::ip xfrm state::mode transport::YES diff --git a/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/openssl/ecdsa-certs/description.txt b/testing/tests/openssl/ecdsa-certs/description.txt new file mode 100644 index 000000000..2c098d898 --- /dev/null +++ b/testing/tests/openssl/ecdsa-certs/description.txt @@ -0,0 +1,11 @@ +The hosts <b>carol</b>, <b>dave</b>, and <b>moon</b> use the <b>openssl</b> plugin +based on the <b>OpenSSL</b> library for all cryptographical functions. +<p> +The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each +to gateway <b>moon</b>. The authentication is based on <b>ECDSA signatures</b> +using <b>Elliptic Curve certificates</b>. +Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b> +automatically inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping +the client <b>alice</b> behind the gateway <b>moon</b>. + diff --git a/testing/tests/openssl/ecdsa-certs/evaltest.dat b/testing/tests/openssl/ecdsa-certs/evaltest.dat new file mode 100644 index 000000000..a7243ce70 --- /dev/null +++ b/testing/tests/openssl/ecdsa-certs/evaltest.dat @@ -0,0 +1,14 @@ +moon::cat /var/log/daemon.log::authentication of.*carol@strongswan.org.*with ECDSA-256 signature successful +moon::cat /var/log/daemon.log::authentication of.*dave@strongswan.org.*with ECDSA-384 signature successful +carol::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA-521 signature successful +dave::cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ECDSA-521 signature successful +moon::ipsec statusall::rw.*ESTABLISHED::YES +carol::ipsec statusall::home.*ESTABLISHED::YES +dave::ipsec statusall::home.*ESTABLISHED::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES + diff --git a/testing/tests/openssl/ecdsa-certs/hosts/carol/etc/ipsec.conf b/testing/tests/openssl/ecdsa-certs/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..4f6fdc567 --- /dev/null +++ b/testing/tests/openssl/ecdsa-certs/hosts/carol/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + authby=ecdsasig + +conn home + left=PH_IP_CAROL + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/openssl/ecdsa-certs/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl/ecdsa-certs/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem new file mode 100644 index 000000000..3480a434a --- /dev/null +++ b/testing/tests/openssl/ecdsa-certs/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICyDCCAiqgAwIBAgIJAPaidX4i76aJMAkGByqGSM49BAEwSDELMAkGA1UEBhMC +Q0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3 +YW4gRUMgUm9vdCBDQTAeFw0wODA2MjIxNDM2MDZaFw0xODA2MjAxNDM2MDZaMEgx +CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD +ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA +BAEUx1NvjNKzbDHaRPMsqIf/6SbUpzBa78N/WIyF6rYj8e5McAqfTfzUfFJZYoQn +/mbP3VfjOxRuMDjrlfvdgMxwkwFDigWQfHg3CJbS7eQjjO1MrxxIJUtfSTnF29tM +h6IYMdxaZKloCGCOrpmGCGdxD2/KwoX1SA3BlnjaNt7kSTonkqOBujCBtzAPBgNV +HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUul35cbYTtWrR3bo2 +t6rSwe6P2NIweAYDVR0jBHEwb4AUul35cbYTtWrR3bo2t6rSwe6P2NKhTKRKMEgx +CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD +ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2onV+Iu+miTAJBgcqhkjOPQQBA4GM +ADCBiAJCAL5pU3X6NYWjOYe0cxrah27UxtUDLUNkFG/Ojl+gOH4QB0CKY0HXNyrq +cgba73dXF/U0Cg3Ij/9g4Kd9GgYq0GlSAkIAqgqMKqXni8wbeGMJE2Mn2/8aHM3Q +3flpHSoeNWOe/VzpRviw+VRgA4vbhhKUXBtQSiea77/DXLwOp5w7rkBoEUg= +-----END CERTIFICATE----- diff --git a/testing/tests/openssl/ecdsa-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/openssl/ecdsa-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem new file mode 100644 index 000000000..29709926a --- /dev/null +++ b/testing/tests/openssl/ecdsa-certs/hosts/carol/etc/ipsec.d/certs/carolCert.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC7zCCAlGgAwIBAgIBBDAJBgcqhkjOPQQBMEgxCzAJBgNVBAYTAkNIMRkwFwYD +VQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJv +b3QgQ0EwHhcNMDgwNjIyMTYyOTE4WhcNMTMwNjIxMTYyOTE4WjBfMQswCQYDVQQG +EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEWMBQGA1UECxMNRUNEU0Eg +MjU2IGJpdDEdMBsGA1UEAxQUY2Fyb2xAc3Ryb25nc3dhbi5vcmcwWTATBgcqhkjO +PQIBBggqhkjOPQMBBwNCAAQgp/Z/GgzvVCDdVcIYqERml0KroZEaVqiF8uy8dlTS +4mxNs6snDdEWh/LzXTd3NVnCihT2XgHxOk8NrX4hBMMYo4IBFDCCARAwCQYDVR0T +BAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFLdhGhurno1dU2SMx7UGXpa/lgJ9 +MHgGA1UdIwRxMG+AFLpd+XG2E7Vq0d26Nreq0sHuj9jSoUykSjBIMQswCQYDVQQG +EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEeMBwGA1UEAxMVc3Ryb25n +U3dhbiBFQyBSb290IENBggkA9qJ1fiLvpokwHwYDVR0RBBgwFoEUY2Fyb2xAc3Ry +b25nc3dhbi5vcmcwPAYDVR0fBDUwMzAxoC+gLYYraHR0cDovL2NybC5zdHJvbmdz +d2FuLm9yZy9zdHJvbmdzd2FuX2VjLmNybDAJBgcqhkjOPQQBA4GMADCBiAJCATa+ +sBFW3vCx/JgLyxU85F2QuLO0/zdNBhIU0kN7kr1cYBBr8mpbhuNKm6iFe2DsFJZx +ii3DQjwvG46is2Njzi4vAkIA72lPodCDtAFpD/2PUxjzo6xTAFazUejobkdDTUXn +s0f8qIzzeQuTwLbp6pDmR/JGzhAeRvQT82njCo0PJ8Hbz1c= +-----END CERTIFICATE----- diff --git a/testing/tests/openssl/ecdsa-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/openssl/ecdsa-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem new file mode 100644 index 000000000..5f21c1012 --- /dev/null +++ b/testing/tests/openssl/ecdsa-certs/hosts/carol/etc/ipsec.d/private/carolKey.pem @@ -0,0 +1,8 @@ +-----BEGIN EC PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: AES-128-CBC,F36088B0517117B50C1A436E5C84526E + +Zulq4O8x8i4P2I8+Ewe2pPJT8K2kzX9JjGhquFKaZdEG1YmXqIdMz41DA1b9cQjt +KJstY10Gzc/C6Hv9v/ljfplcnumYBFdFsqvQ/Z0xh/G9u/J1gXjghhrQCUXbFble +RVSwozA9IcCC9yQdhYyazF+85DR+p8AyQ5w2unOvuOk= +-----END EC PRIVATE KEY----- diff --git a/testing/tests/openssl/ecdsa-certs/hosts/carol/etc/ipsec.secrets b/testing/tests/openssl/ecdsa-certs/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..4e53ef91a --- /dev/null +++ b/testing/tests/openssl/ecdsa-certs/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: ECDSA carolKey.pem "nH5ZQEWtku0RJEZ6" diff --git a/testing/tests/openssl/ecdsa-certs/hosts/carol/etc/strongswan.conf b/testing/tests/openssl/ecdsa-certs/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..8c610d28a --- /dev/null +++ b/testing/tests/openssl/ecdsa-certs/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl openssl random x509 pubkey hmac stroke +} diff --git a/testing/tests/openssl/ecdsa-certs/hosts/dave/etc/ipsec.conf b/testing/tests/openssl/ecdsa-certs/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..3138458ed --- /dev/null +++ b/testing/tests/openssl/ecdsa-certs/hosts/dave/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + authby=ecdsasig + +conn home + left=PH_IP_DAVE + leftcert=daveCert.pem + leftid=dave@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/openssl/ecdsa-certs/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl/ecdsa-certs/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem new file mode 100644 index 000000000..3480a434a --- /dev/null +++ b/testing/tests/openssl/ecdsa-certs/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICyDCCAiqgAwIBAgIJAPaidX4i76aJMAkGByqGSM49BAEwSDELMAkGA1UEBhMC +Q0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3 +YW4gRUMgUm9vdCBDQTAeFw0wODA2MjIxNDM2MDZaFw0xODA2MjAxNDM2MDZaMEgx +CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD +ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA +BAEUx1NvjNKzbDHaRPMsqIf/6SbUpzBa78N/WIyF6rYj8e5McAqfTfzUfFJZYoQn +/mbP3VfjOxRuMDjrlfvdgMxwkwFDigWQfHg3CJbS7eQjjO1MrxxIJUtfSTnF29tM +h6IYMdxaZKloCGCOrpmGCGdxD2/KwoX1SA3BlnjaNt7kSTonkqOBujCBtzAPBgNV +HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUul35cbYTtWrR3bo2 +t6rSwe6P2NIweAYDVR0jBHEwb4AUul35cbYTtWrR3bo2t6rSwe6P2NKhTKRKMEgx +CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD +ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2onV+Iu+miTAJBgcqhkjOPQQBA4GM +ADCBiAJCAL5pU3X6NYWjOYe0cxrah27UxtUDLUNkFG/Ojl+gOH4QB0CKY0HXNyrq +cgba73dXF/U0Cg3Ij/9g4Kd9GgYq0GlSAkIAqgqMKqXni8wbeGMJE2Mn2/8aHM3Q +3flpHSoeNWOe/VzpRviw+VRgA4vbhhKUXBtQSiea77/DXLwOp5w7rkBoEUg= +-----END CERTIFICATE----- diff --git a/testing/tests/openssl/ecdsa-certs/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/openssl/ecdsa-certs/hosts/dave/etc/ipsec.d/certs/daveCert.pem new file mode 100644 index 000000000..075d8f1e5 --- /dev/null +++ b/testing/tests/openssl/ecdsa-certs/hosts/dave/etc/ipsec.d/certs/daveCert.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIDCTCCAmygAwIBAgIBAzAJBgcqhkjOPQQBMEgxCzAJBgNVBAYTAkNIMRkwFwYD +VQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJv +b3QgQ0EwHhcNMDgwNjIyMTYxMzU5WhcNMTMwNjIxMTYxMzU5WjBeMQswCQYDVQQG +EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEWMBQGA1UECxMNRUNEU0Eg +Mzg0IGJpdDEcMBoGA1UEAxQTZGF2ZUBzdHJvbmdzd2FuLm9yZzB2MBAGByqGSM49 +AgEGBSuBBAAiA2IABPxEg8AaVNAwCXqg0p21Zc7YzPLA3voAWf233CZJpsjb1w3y +IeTUeIeGU7aLWAyuXgeBsx+lKzWy00LzPELOgK+3ulTHzBZg7s8kMGhwPWfV4JLA +zrso5+i64+Y4wvRCBaOCARMwggEPMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0G +A1UdDgQWBBQxJAy8gaP3RNBt1WTD27/IMzANmTB4BgNVHSMEcTBvgBS6XflxthO1 +atHduja3qtLB7o/Y0qFMpEowSDELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4 +IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3YW4gRUMgUm9vdCBDQYIJAPai +dX4i76aJMB4GA1UdEQQXMBWBE2RhdmVAc3Ryb25nc3dhbi5vcmcwPAYDVR0fBDUw +MzAxoC+gLYYraHR0cDovL2NybC5zdHJvbmdzd2FuLm9yZy9zdHJvbmdzd2FuX2Vj +LmNybDAJBgcqhkjOPQQBA4GLADCBhwJCAZaqaroyGwqd7nb5dVVWjTK8glVzDFJH +ru4F6R+7fDCGEOaFlxf4GRkSrvQQA8vfgo6Md9XjBwq0r+9s3xt5xJjJAkElSo1/ +wyn8KQ3XN07UIaMvPctipq2OgpfteQK/F81CtZ+YCLEQt3xT7NQpriaKwGQxJAQv +g+Z+grJzTppAqpwRpg== +-----END CERTIFICATE----- diff --git a/testing/tests/openssl/ecdsa-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/openssl/ecdsa-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem new file mode 100644 index 000000000..f628f88e5 --- /dev/null +++ b/testing/tests/openssl/ecdsa-certs/hosts/dave/etc/ipsec.d/private/daveKey.pem @@ -0,0 +1,6 @@ +-----BEGIN EC PRIVATE KEY----- +MIGkAgEBBDCF8kl4ftfgcvWH2myFxhc22CUT63uPy28fqUMibnpRS/wf/pfxIrVX ++BhxpUhWS2agBwYFK4EEACKhZANiAAT8RIPAGlTQMAl6oNKdtWXO2MzywN76AFn9 +t9wmSabI29cN8iHk1HiHhlO2i1gMrl4HgbMfpSs1stNC8zxCzoCvt7pUx8wWYO7P +JDBocD1n1eCSwM67KOfouuPmOML0QgU= +-----END EC PRIVATE KEY----- diff --git a/testing/tests/openssl/ecdsa-certs/hosts/dave/etc/ipsec.secrets b/testing/tests/openssl/ecdsa-certs/hosts/dave/etc/ipsec.secrets new file mode 100644 index 000000000..ebd3a2839 --- /dev/null +++ b/testing/tests/openssl/ecdsa-certs/hosts/dave/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: ECDSA daveKey.pem diff --git a/testing/tests/openssl/ecdsa-certs/hosts/dave/etc/strongswan.conf b/testing/tests/openssl/ecdsa-certs/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..8c610d28a --- /dev/null +++ b/testing/tests/openssl/ecdsa-certs/hosts/dave/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl openssl random x509 pubkey hmac stroke +} diff --git a/testing/tests/openssl/ecdsa-certs/hosts/moon/etc/ipsec.conf b/testing/tests/openssl/ecdsa-certs/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..892e0c39b --- /dev/null +++ b/testing/tests/openssl/ecdsa-certs/hosts/moon/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + authby=ecdsasig + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + leftfirewall=yes + right=%any + auto=add diff --git a/testing/tests/openssl/ecdsa-certs/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/openssl/ecdsa-certs/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem new file mode 100644 index 000000000..3480a434a --- /dev/null +++ b/testing/tests/openssl/ecdsa-certs/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICyDCCAiqgAwIBAgIJAPaidX4i76aJMAkGByqGSM49BAEwSDELMAkGA1UEBhMC +Q0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHjAcBgNVBAMTFXN0cm9uZ1N3 +YW4gRUMgUm9vdCBDQTAeFw0wODA2MjIxNDM2MDZaFw0xODA2MjAxNDM2MDZaMEgx +CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD +ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0EwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYA +BAEUx1NvjNKzbDHaRPMsqIf/6SbUpzBa78N/WIyF6rYj8e5McAqfTfzUfFJZYoQn +/mbP3VfjOxRuMDjrlfvdgMxwkwFDigWQfHg3CJbS7eQjjO1MrxxIJUtfSTnF29tM +h6IYMdxaZKloCGCOrpmGCGdxD2/KwoX1SA3BlnjaNt7kSTonkqOBujCBtzAPBgNV +HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUul35cbYTtWrR3bo2 +t6rSwe6P2NIweAYDVR0jBHEwb4AUul35cbYTtWrR3bo2t6rSwe6P2NKhTKRKMEgx +CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQD +ExVzdHJvbmdTd2FuIEVDIFJvb3QgQ0GCCQD2onV+Iu+miTAJBgcqhkjOPQQBA4GM +ADCBiAJCAL5pU3X6NYWjOYe0cxrah27UxtUDLUNkFG/Ojl+gOH4QB0CKY0HXNyrq +cgba73dXF/U0Cg3Ij/9g4Kd9GgYq0GlSAkIAqgqMKqXni8wbeGMJE2Mn2/8aHM3Q +3flpHSoeNWOe/VzpRviw+VRgA4vbhhKUXBtQSiea77/DXLwOp5w7rkBoEUg= +-----END CERTIFICATE----- diff --git a/testing/tests/openssl/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/openssl/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem new file mode 100644 index 000000000..5178c7f38 --- /dev/null +++ b/testing/tests/openssl/ecdsa-certs/hosts/moon/etc/ipsec.d/certs/moonCert.pem @@ -0,0 +1,20 @@ +-----BEGIN CERTIFICATE----- +MIIDMDCCApKgAwIBAgIBATAJBgcqhkjOPQQBMEgxCzAJBgNVBAYTAkNIMRkwFwYD +VQQKExBMaW51eCBzdHJvbmdTd2FuMR4wHAYDVQQDExVzdHJvbmdTd2FuIEVDIFJv +b3QgQ0EwHhcNMDgwNjIyMTQ0MzA3WhcNMTMwNjIxMTQ0MzA3WjBeMQswCQYDVQQG +EwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEWMBQGA1UECxMNRUNEU0Eg +NTIxIGJpdDEcMBoGA1UEAxMTbW9vbi5zdHJvbmdzd2FuLm9yZzCBmzAQBgcqhkjO +PQIBBgUrgQQAIwOBhgAEALmnl/PUy9v7Qsc914kdzY+TQ6VY2192oRoa9SkpxXrs +5GnWSJoz3yinpPHdchH0UknKt/C2Ik2k7izDH/Zau5gNAD1PqBrYWtcP+sLnH1G9 +BTibraniAUSpSaDhiWrfTteRNWqkzZI37a6YfKcBZozQcvYMW1co15EwZTptqykX +Eepuo4IBEzCCAQ8wCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFDVU +Hzs47lOG0dHsezm6aFqdwJwfMHgGA1UdIwRxMG+AFLpd+XG2E7Vq0d26Nreq0sHu +j9jSoUykSjBIMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dh +bjEeMBwGA1UEAxMVc3Ryb25nU3dhbiBFQyBSb290IENBggkA9qJ1fiLvpokwHgYD +VR0RBBcwFYITbW9vbi5zdHJvbmdzd2FuLm9yZzA8BgNVHR8ENTAzMDGgL6Athito +dHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW5fZWMuY3JsMAkGByqG +SM49BAEDgYwAMIGIAkIBDgZs1pXvm8SwT9S1m6nIHwuZsJDsDri/PWM6NXdMUXEt +l0p8cfq8PbJlK/0+eLz8Ec1zpWuF5vasFHkVhauHdnECQgEVuYTrlry9gAx7G4kH +mne2yDxTclEDziWxPG4UkZbkGttf9eZlsXmNoX/Z/fojXxMYZaPqM3eOT2h6ezMD +CI9WpQ== +-----END CERTIFICATE----- diff --git a/testing/tests/openssl/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/openssl/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem new file mode 100644 index 000000000..beab0485f --- /dev/null +++ b/testing/tests/openssl/ecdsa-certs/hosts/moon/etc/ipsec.d/private/moonKey.pem @@ -0,0 +1,7 @@ +-----BEGIN EC PRIVATE KEY----- +MIHcAgEBBEIBrBxHEGICJRNkhm0HWfARp+dIzm6Lw7eCbQXNM6jSGL4DVNDVCV42 +yOKQqifWEcNWxO+wWtBaz91IF5hz/m4TbOGgBwYFK4EEACOhgYkDgYYABAC5p5fz +1Mvb+0LHPdeJHc2Pk0OlWNtfdqEaGvUpKcV67ORp1kiaM98op6Tx3XIR9FJJyrfw +tiJNpO4swx/2WruYDQA9T6ga2FrXD/rC5x9RvQU4m62p4gFEqUmg4Ylq307XkTVq +pM2SN+2umHynAWaM0HL2DFtXKNeRMGU6baspFxHqbg== +-----END EC PRIVATE KEY----- diff --git a/testing/tests/openssl/ecdsa-certs/hosts/moon/etc/ipsec.secrets b/testing/tests/openssl/ecdsa-certs/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..1ef3eccb5 --- /dev/null +++ b/testing/tests/openssl/ecdsa-certs/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: ECDSA moonKey.pem diff --git a/testing/tests/openssl/ecdsa-certs/hosts/moon/etc/strongswan.conf b/testing/tests/openssl/ecdsa-certs/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..8c610d28a --- /dev/null +++ b/testing/tests/openssl/ecdsa-certs/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl openssl random x509 pubkey hmac stroke +} diff --git a/testing/tests/openssl/ecdsa-certs/posttest.dat b/testing/tests/openssl/ecdsa-certs/posttest.dat new file mode 100644 index 000000000..7cebd7f25 --- /dev/null +++ b/testing/tests/openssl/ecdsa-certs/posttest.dat @@ -0,0 +1,6 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +dave::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/openssl/ecdsa-certs/pretest.dat b/testing/tests/openssl/ecdsa-certs/pretest.dat new file mode 100644 index 000000000..42e9d7c24 --- /dev/null +++ b/testing/tests/openssl/ecdsa-certs/pretest.dat @@ -0,0 +1,9 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +dave::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +carol::ipsec start +dave::ipsec start +carol::sleep 1 +carol::ipsec up home +dave::ipsec up home diff --git a/testing/tests/openssl/ecdsa-certs/test.conf b/testing/tests/openssl/ecdsa-certs/test.conf new file mode 100644 index 000000000..70416826e --- /dev/null +++ b/testing/tests/openssl/ecdsa-certs/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/openssl/ike-alg-ecp-high/description.txt b/testing/tests/openssl/ike-alg-ecp-high/description.txt new file mode 100644 index 000000000..38606ca0b --- /dev/null +++ b/testing/tests/openssl/ike-alg-ecp-high/description.txt @@ -0,0 +1,17 @@ +The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>openssl</b> +plugin based on the <b>OpenSSL</b> library for all cryptographical functions +whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b> cryptographical +plugins <b>aes des sha1 sha2 md5 gmp</b> plus the <b>openssl</b> plugin for +the Elliptic Curve Diffie-Hellman groups only. +<p> +The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each +to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>. +<b>carol</b> proposes the DH groups ECP_256 and ECP_384 whereas <b>dave</b> proposes +ECP_256 and ECP_521. Since <b>moon</b> does not support ECP_521 the roadwarriors +fall back to ECP_384 and ECP_521, respectively. +<p> +Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b> +automatically inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping +the client <b>alice</b> behind the gateway <b>moon</b>. + diff --git a/testing/tests/openssl/ike-alg-ecp-high/evaltest.dat b/testing/tests/openssl/ike-alg-ecp-high/evaltest.dat new file mode 100644 index 000000000..c9055f89c --- /dev/null +++ b/testing/tests/openssl/ike-alg-ecp-high/evaltest.dat @@ -0,0 +1,14 @@ +carol::cat /var/log/daemon.log::ECP_256_BIT.*ECP_384_BIT::YES +dave::cat /var/log/daemon.log::ECP_256_BIT.*ECP_521_BIT::YES +moon::ipsec statusall::rw.*ESTABLISHED::YES +carol::ipsec statusall::home.*ESTABLISHED::YES +carol::ipsec statusall::home.*AES_CBC-192/AUTH_HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384_BIT::YES +dave::ipsec statusall::home.*ESTABLISHED::YES +dave::ipsec statusall::home.*AES_CBC-256/AUTH_HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_521_BIT::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES + diff --git a/testing/tests/openssl/ike-alg-ecp-high/hosts/carol/etc/ipsec.conf b/testing/tests/openssl/ike-alg-ecp-high/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..0550a09b4 --- /dev/null +++ b/testing/tests/openssl/ike-alg-ecp-high/hosts/carol/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + ike=aes192-sha384-ecp256,aes192-sha384-ecp384! + +conn home + left=PH_IP_CAROL + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/openssl/ike-alg-ecp-high/hosts/carol/etc/strongswan.conf b/testing/tests/openssl/ike-alg-ecp-high/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..8c610d28a --- /dev/null +++ b/testing/tests/openssl/ike-alg-ecp-high/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl openssl random x509 pubkey hmac stroke +} diff --git a/testing/tests/openssl/ike-alg-ecp-high/hosts/dave/etc/ipsec.conf b/testing/tests/openssl/ike-alg-ecp-high/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..22026fc36 --- /dev/null +++ b/testing/tests/openssl/ike-alg-ecp-high/hosts/dave/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + ike=aes256-sha512-ecp256,aes256-sha512-ecp521! + +conn home + left=PH_IP_DAVE + leftcert=daveCert.pem + leftid=dave@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/openssl/ike-alg-ecp-high/hosts/dave/etc/strongswan.conf b/testing/tests/openssl/ike-alg-ecp-high/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..d9a94e19c --- /dev/null +++ b/testing/tests/openssl/ike-alg-ecp-high/hosts/dave/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp openssl random x509 pubkey hmac stroke +} diff --git a/testing/tests/openssl/ike-alg-ecp-high/hosts/moon/etc/ipsec.conf b/testing/tests/openssl/ike-alg-ecp-high/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..ffe13d259 --- /dev/null +++ b/testing/tests/openssl/ike-alg-ecp-high/hosts/moon/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + ike=aes192-sha384-ecp384,aes256-sha512-ecp521! + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + leftfirewall=yes + right=%any + auto=add diff --git a/testing/tests/openssl/ike-alg-ecp-high/hosts/moon/etc/strongswan.conf b/testing/tests/openssl/ike-alg-ecp-high/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..8c610d28a --- /dev/null +++ b/testing/tests/openssl/ike-alg-ecp-high/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl openssl random x509 pubkey hmac stroke +} diff --git a/testing/tests/openssl/ike-alg-ecp-high/posttest.dat b/testing/tests/openssl/ike-alg-ecp-high/posttest.dat new file mode 100644 index 000000000..7cebd7f25 --- /dev/null +++ b/testing/tests/openssl/ike-alg-ecp-high/posttest.dat @@ -0,0 +1,6 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +dave::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/openssl/ike-alg-ecp-high/pretest.dat b/testing/tests/openssl/ike-alg-ecp-high/pretest.dat new file mode 100644 index 000000000..42e9d7c24 --- /dev/null +++ b/testing/tests/openssl/ike-alg-ecp-high/pretest.dat @@ -0,0 +1,9 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +dave::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +carol::ipsec start +dave::ipsec start +carol::sleep 1 +carol::ipsec up home +dave::ipsec up home diff --git a/testing/tests/openssl/ike-alg-ecp-high/test.conf b/testing/tests/openssl/ike-alg-ecp-high/test.conf new file mode 100644 index 000000000..70416826e --- /dev/null +++ b/testing/tests/openssl/ike-alg-ecp-high/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/openssl/ike-alg-ecp-low/description.txt b/testing/tests/openssl/ike-alg-ecp-low/description.txt new file mode 100644 index 000000000..4f043e7d9 --- /dev/null +++ b/testing/tests/openssl/ike-alg-ecp-low/description.txt @@ -0,0 +1,17 @@ +The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>openssl</b> +plugin based on the <b>OpenSSL</b> library for all cryptographical functions +whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b> cryptographical +plugins <b>aes des sha1 sha2 md5 gmp</b> plus the <b>openssl</b> plugin for +the Elliptic Curve Diffie-Hellman groups only. +<p> +The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each +to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>. +<b>carol</b> proposes the DH groups ECP_192 and ECP_224 whereas <b>dave</b> proposes +ECP_192 and ECP_256. Since <b>moon</b> does not support ECP_192 the roadwarriors +fall back to ECP_224 and ECP_256, respectively. +<p> +Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b> +automatically inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping +the client <b>alice</b> behind the gateway <b>moon</b>. + diff --git a/testing/tests/openssl/ike-alg-ecp-low/evaltest.dat b/testing/tests/openssl/ike-alg-ecp-low/evaltest.dat new file mode 100644 index 000000000..dc417c21f --- /dev/null +++ b/testing/tests/openssl/ike-alg-ecp-low/evaltest.dat @@ -0,0 +1,14 @@ +carol::cat /var/log/daemon.log::ECP_192_BIT.*ECP_224_BIT::YES +dave::cat /var/log/daemon.log::ECP_192_BIT.*ECP_256_BIT::YES +moon::ipsec statusall::rw.*ESTABLISHED::YES +carol::ipsec statusall::home.*ESTABLISHED::YES +carol::ipsec statusall::home.*AES_CBC-128/AUTH_HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_224_BIT::YES +dave::ipsec statusall::home.*ESTABLISHED::YES +dave::ipsec statusall::home.*AES_CBC-128/AUTH_HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256_BIT::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES + diff --git a/testing/tests/openssl/ike-alg-ecp-low/hosts/carol/etc/ipsec.conf b/testing/tests/openssl/ike-alg-ecp-low/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..6a15b3f54 --- /dev/null +++ b/testing/tests/openssl/ike-alg-ecp-low/hosts/carol/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + ike=aes128-sha256-ecp192,aes128-sha256-ecp224! + +conn home + left=PH_IP_CAROL + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/openssl/ike-alg-ecp-low/hosts/carol/etc/strongswan.conf b/testing/tests/openssl/ike-alg-ecp-low/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..8c610d28a --- /dev/null +++ b/testing/tests/openssl/ike-alg-ecp-low/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl openssl random x509 pubkey hmac stroke +} diff --git a/testing/tests/openssl/ike-alg-ecp-low/hosts/dave/etc/ipsec.conf b/testing/tests/openssl/ike-alg-ecp-low/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..b4bdf456f --- /dev/null +++ b/testing/tests/openssl/ike-alg-ecp-low/hosts/dave/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + ike=aes128-sha256-ecp192,aes128-sha256-ecp256! + +conn home + left=PH_IP_DAVE + leftcert=daveCert.pem + leftid=dave@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/openssl/ike-alg-ecp-low/hosts/dave/etc/strongswan.conf b/testing/tests/openssl/ike-alg-ecp-low/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..d9a94e19c --- /dev/null +++ b/testing/tests/openssl/ike-alg-ecp-low/hosts/dave/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp openssl random x509 pubkey hmac stroke +} diff --git a/testing/tests/openssl/ike-alg-ecp-low/hosts/moon/etc/ipsec.conf b/testing/tests/openssl/ike-alg-ecp-low/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..64ec0f12c --- /dev/null +++ b/testing/tests/openssl/ike-alg-ecp-low/hosts/moon/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + ike=aes128-sha256-ecp224,aes128-sha256-ecp256! + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + leftfirewall=yes + right=%any + auto=add diff --git a/testing/tests/openssl/ike-alg-ecp-low/hosts/moon/etc/strongswan.conf b/testing/tests/openssl/ike-alg-ecp-low/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..8c610d28a --- /dev/null +++ b/testing/tests/openssl/ike-alg-ecp-low/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl openssl random x509 pubkey hmac stroke +} diff --git a/testing/tests/openssl/ike-alg-ecp-low/posttest.dat b/testing/tests/openssl/ike-alg-ecp-low/posttest.dat new file mode 100644 index 000000000..7cebd7f25 --- /dev/null +++ b/testing/tests/openssl/ike-alg-ecp-low/posttest.dat @@ -0,0 +1,6 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +dave::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/openssl/ike-alg-ecp-low/pretest.dat b/testing/tests/openssl/ike-alg-ecp-low/pretest.dat new file mode 100644 index 000000000..42e9d7c24 --- /dev/null +++ b/testing/tests/openssl/ike-alg-ecp-low/pretest.dat @@ -0,0 +1,9 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +dave::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +carol::ipsec start +dave::ipsec start +carol::sleep 1 +carol::ipsec up home +dave::ipsec up home diff --git a/testing/tests/openssl/ike-alg-ecp-low/test.conf b/testing/tests/openssl/ike-alg-ecp-low/test.conf new file mode 100644 index 000000000..70416826e --- /dev/null +++ b/testing/tests/openssl/ike-alg-ecp-low/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/openssl/rw-cert/description.txt b/testing/tests/openssl/rw-cert/description.txt new file mode 100644 index 000000000..0f721c52b --- /dev/null +++ b/testing/tests/openssl/rw-cert/description.txt @@ -0,0 +1,12 @@ +The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>openssl</b> +plugin based on the <b>OpenSSL</b> library for all cryptographical functions +whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b> cryptographical +plugins <b>aes des sha1 sha2 md5 gmp</b>. +<p> +The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each +to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>. +Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b> +automatically inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping +the client <b>alice</b> behind the gateway <b>moon</b>. + diff --git a/testing/tests/openssl/rw-cert/evaltest.dat b/testing/tests/openssl/rw-cert/evaltest.dat new file mode 100644 index 000000000..06a0f8cda --- /dev/null +++ b/testing/tests/openssl/rw-cert/evaltest.dat @@ -0,0 +1,10 @@ +moon::ipsec statusall::rw.*ESTABLISHED::YES +carol::ipsec statusall::home.*ESTABLISHED::YES +dave::ipsec statusall::home.*ESTABLISHED::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES + diff --git a/testing/tests/openssl/rw-cert/hosts/carol/etc/ipsec.conf b/testing/tests/openssl/rw-cert/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..4a8baa3ae --- /dev/null +++ b/testing/tests/openssl/rw-cert/hosts/carol/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + ike=3des-sha1-modp1536! + +conn home + left=PH_IP_CAROL + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/openssl/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/openssl/rw-cert/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..8c610d28a --- /dev/null +++ b/testing/tests/openssl/rw-cert/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl openssl random x509 pubkey hmac stroke +} diff --git a/testing/tests/openssl/rw-cert/hosts/dave/etc/ipsec.conf b/testing/tests/openssl/rw-cert/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..42f03aab3 --- /dev/null +++ b/testing/tests/openssl/rw-cert/hosts/dave/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + ike=aes256-sha256-modp2048! + +conn home + left=PH_IP_DAVE + leftcert=daveCert.pem + leftid=dave@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/openssl/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/openssl/rw-cert/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..d67f07a1a --- /dev/null +++ b/testing/tests/openssl/rw-cert/hosts/dave/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac stroke +} diff --git a/testing/tests/openssl/rw-cert/hosts/moon/etc/ipsec.conf b/testing/tests/openssl/rw-cert/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..2e84f2e6a --- /dev/null +++ b/testing/tests/openssl/rw-cert/hosts/moon/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + ike=aes256-sha256-modp2048,3des-sha1-modp1536! + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + leftfirewall=yes + right=%any + auto=add diff --git a/testing/tests/openssl/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/openssl/rw-cert/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..8c610d28a --- /dev/null +++ b/testing/tests/openssl/rw-cert/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl openssl random x509 pubkey hmac stroke +} diff --git a/testing/tests/openssl/rw-cert/posttest.dat b/testing/tests/openssl/rw-cert/posttest.dat new file mode 100644 index 000000000..7cebd7f25 --- /dev/null +++ b/testing/tests/openssl/rw-cert/posttest.dat @@ -0,0 +1,6 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +dave::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/openssl/rw-cert/pretest.dat b/testing/tests/openssl/rw-cert/pretest.dat new file mode 100644 index 000000000..42e9d7c24 --- /dev/null +++ b/testing/tests/openssl/rw-cert/pretest.dat @@ -0,0 +1,9 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +dave::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +carol::ipsec start +dave::ipsec start +carol::sleep 1 +carol::ipsec up home +dave::ipsec up home diff --git a/testing/tests/openssl/rw-cert/test.conf b/testing/tests/openssl/rw-cert/test.conf new file mode 100644 index 000000000..70416826e --- /dev/null +++ b/testing/tests/openssl/rw-cert/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/p2pnat/behind-same-nat/evaltest.dat b/testing/tests/p2pnat/behind-same-nat/evaltest.dat index 0036e073f..e59334db9 100644 --- a/testing/tests/p2pnat/behind-same-nat/evaltest.dat +++ b/testing/tests/p2pnat/behind-same-nat/evaltest.dat @@ -2,10 +2,10 @@ alice::ipsec statusall::medsrv.*ESTABLISHED::YES venus::ipsec statusall::medsrv.*ESTABLISHED::YES carol::ipsec statusall::medsrv.*ESTABLISHED.*PH_IP_MOON.*6cu1UTVw@medsrv.org::YES carol::ipsec statusall::medsrv.*ESTABLISHED.*PH_IP_MOON.*F1ubAio8@medsrv.org::YES -alice::cat /var/log/daemon.log::received P2P_CALLBACK::YES -alice::ipsec statusall::p2p.*ESTABLISHED::YES -venus::ipsec statusall::p2p.*ESTABLISHED::YES -alice::ipsec statusall::p2p.*INSTALLED::YES -venus::ipsec statusall::p2p.*INSTALLED::YES +alice::cat /var/log/daemon.log::received ME_CALLBACK::YES +alice::ipsec statusall::peer.*ESTABLISHED::YES +venus::ipsec statusall::peer.*ESTABLISHED::YES +alice::ipsec statusall::peer.*INSTALLED::YES +venus::ipsec statusall::peer.*INSTALLED::YES alice::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES venus::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES diff --git a/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/init.d/iptables b/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/init.d/iptables index 937486984..1eb88c15c 100755 --- a/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/init.d/iptables +++ b/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/init.d/iptables @@ -25,7 +25,7 @@ start() { iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT - # allow NAT-T including P2P + # allow NAT-T iptables -A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT iptables -A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT diff --git a/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/ipsec.conf b/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/ipsec.conf index e481996f7..b47f157f6 100755 --- a/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/ipsec.conf +++ b/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/ipsec.conf @@ -21,16 +21,16 @@ conn medsrv leftid=6cu1UTVw@medsrv.org right=PH_IP_CAROL rightid=carol@strongswan.org - p2p_mediation=yes + mediation=yes authby=psk auto=add -conn p2p +conn peer leftcert=aliceCert.pem leftid=alice@strongswan.org right=%any rightid=@venus.strongswan.org rightsubnet=PH_IP_VENUS/32 - p2p_mediated_by=medsrv - p2p_peerid=F1ubAio8@medsrv.org + mediated_by=medsrv + me_peerid=F1ubAio8@medsrv.org auto=start diff --git a/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/strongswan.conf b/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/p2pnat/behind-same-nat/hosts/carol/etc/ipsec.conf b/testing/tests/p2pnat/behind-same-nat/hosts/carol/etc/ipsec.conf index 712d888b1..e38922cf4 100755 --- a/testing/tests/p2pnat/behind-same-nat/hosts/carol/etc/ipsec.conf +++ b/testing/tests/p2pnat/behind-same-nat/hosts/carol/etc/ipsec.conf @@ -21,5 +21,5 @@ conn medsrv leftid=carol@strongswan.org leftfirewall=yes right=%any - p2p_mediation=yes + mediation=yes auto=add diff --git a/testing/tests/p2pnat/behind-same-nat/hosts/carol/etc/strongswan.conf b/testing/tests/p2pnat/behind-same-nat/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/p2pnat/behind-same-nat/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/init.d/iptables b/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/init.d/iptables index 06d0ebca8..6fca87b4a 100755 --- a/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/init.d/iptables +++ b/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/init.d/iptables @@ -25,7 +25,7 @@ start() { iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT - # allow NAT-T including P2P + # allow NAT-T iptables -A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT iptables -A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT diff --git a/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/ipsec.conf b/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/ipsec.conf index d21009353..3943c361e 100755 --- a/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/ipsec.conf +++ b/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/ipsec.conf @@ -22,15 +22,15 @@ conn medsrv right=PH_IP_CAROL rightid=carol@strongswan.org authby=psk - p2p_mediation=yes + mediation=yes auto=start -conn p2p +conn peer leftcert=venusCert.pem leftid=@venus.strongswan.org right=%any rightid=alice@strongswan.org rightsubnet=PH_IP_ALICE/32 - p2p_mediated_by=medsrv - p2p_peerid=6cu1UTVw@medsrv.org + mediated_by=medsrv + me_peerid=6cu1UTVw@medsrv.org auto=add diff --git a/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/strongswan.conf b/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/p2pnat/medsrv-psk/evaltest.dat b/testing/tests/p2pnat/medsrv-psk/evaltest.dat index b8280c325..ba14bb858 100644 --- a/testing/tests/p2pnat/medsrv-psk/evaltest.dat +++ b/testing/tests/p2pnat/medsrv-psk/evaltest.dat @@ -2,10 +2,10 @@ alice::ipsec statusall::medsrv.*ESTABLISHED::YES bob::ipsec statusall::medsrv.*ESTABLISHED::YES carol::ipsec statusall::medsrv.*ESTABLISHED.*PH_IP_MOON.*6cu1UTVw@medsrv.org::YES carol::ipsec statusall::medsrv.*ESTABLISHED.*PH_IP_SUN.*v9oEPMz@medsrv.org::YES -alice::ipsec statusall::p2p.*ESTABLISHED::YES -bob::ipsec statusall::p2p.*ESTABLISHED::YES -alice::ipsec statusall::p2p.*INSTALLED::YES -bob::ipsec statusall::p2p.*INSTALLED::YES +alice::ipsec statusall::peer.*ESTABLISHED::YES +bob::ipsec statusall::peer.*ESTABLISHED::YES +alice::ipsec statusall::peer.*INSTALLED::YES +bob::ipsec statusall::peer.*INSTALLED::YES alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES bob::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.*: UDP::YES diff --git a/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/init.d/iptables b/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/init.d/iptables index 09b4cabfa..c6371c745 100755 --- a/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/init.d/iptables +++ b/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/init.d/iptables @@ -21,7 +21,7 @@ start() { iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT - # allow NAT-T including P2P + # allow NAT-T iptables -A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT iptables -A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT diff --git a/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/ipsec.conf b/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/ipsec.conf index 370934ce7..99a50d5d8 100755 --- a/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/ipsec.conf +++ b/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/ipsec.conf @@ -21,16 +21,16 @@ conn medsrv leftid=6cu1UTVw@medsrv.org right=PH_IP_CAROL rightid=carol@strongswan.org - p2p_mediation=yes + mediation=yes authby=psk auto=add -conn p2p +conn peer leftcert=aliceCert.pem leftid=alice@strongswan.org right=%any rightid=bob@strongswan.org rightsubnet=PH_IP_BOB/32 - p2p_mediated_by=medsrv - p2p_peerid=av9oEPMz@medsrv.org + mediated_by=medsrv + me_peerid=av9oEPMz@medsrv.org auto=start diff --git a/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/strongswan.conf b/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/p2pnat/medsrv-psk/hosts/bob/etc/ipsec.conf b/testing/tests/p2pnat/medsrv-psk/hosts/bob/etc/ipsec.conf index 8d8d9391f..39dee8521 100755 --- a/testing/tests/p2pnat/medsrv-psk/hosts/bob/etc/ipsec.conf +++ b/testing/tests/p2pnat/medsrv-psk/hosts/bob/etc/ipsec.conf @@ -22,15 +22,15 @@ conn medsrv right=PH_IP_CAROL rightid=carol@strongswan.org authby=psk - p2p_mediation=yes + mediation=yes auto=start -conn p2p +conn peer leftcert=bobCert.pem leftid=bob@strongswan.org right=%any rightid=alice@strongswan.org rightsubnet=PH_IP_ALICE/32 - p2p_mediated_by=medsrv - p2p_peerid=6cu1UTVw@medsrv.org + mediated_by=medsrv + me_peerid=6cu1UTVw@medsrv.org auto=add diff --git a/testing/tests/p2pnat/medsrv-psk/hosts/bob/etc/strongswan.conf b/testing/tests/p2pnat/medsrv-psk/hosts/bob/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/p2pnat/medsrv-psk/hosts/bob/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/p2pnat/medsrv-psk/hosts/carol/etc/ipsec.conf b/testing/tests/p2pnat/medsrv-psk/hosts/carol/etc/ipsec.conf index 712d888b1..e38922cf4 100755 --- a/testing/tests/p2pnat/medsrv-psk/hosts/carol/etc/ipsec.conf +++ b/testing/tests/p2pnat/medsrv-psk/hosts/carol/etc/ipsec.conf @@ -21,5 +21,5 @@ conn medsrv leftid=carol@strongswan.org leftfirewall=yes right=%any - p2p_mediation=yes + mediation=yes auto=add diff --git a/testing/tests/p2pnat/medsrv-psk/hosts/carol/etc/strongswan.conf b/testing/tests/p2pnat/medsrv-psk/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..ca22de61f --- /dev/null +++ b/testing/tests/p2pnat/medsrv-psk/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke +} diff --git a/testing/tests/sql/ip-pool-db-expired/description.txt b/testing/tests/sql/ip-pool-db-expired/description.txt new file mode 100644 index 000000000..754c19d83 --- /dev/null +++ b/testing/tests/sql/ip-pool-db-expired/description.txt @@ -0,0 +1,10 @@ +The roadwarriors <b>carol</b> and <b>dave</b> start a connection each +to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>. +Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKEv2 configuration +payload. The gateway moon assigns expired virtual IP addresses from a pool named <b>bigpool</b> +predefined in the SQL database. +<p> +Upon the successful establishment of the IPsec tunnels, automatically inserted +iptables-based firewall rules let pass the tunneled traffic. +In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping +the client <b>alice</b> behind the gateway <b>moon</b>. diff --git a/testing/tests/sql/ip-pool-db-expired/evaltest.dat b/testing/tests/sql/ip-pool-db-expired/evaltest.dat new file mode 100644 index 000000000..5d9d9441a --- /dev/null +++ b/testing/tests/sql/ip-pool-db-expired/evaltest.dat @@ -0,0 +1,26 @@ +carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES +carol::ip addr list dev eth0::PH_IP_CAROL1::YES +carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES +carol::ipsec status::home.*INSTALLED::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +dave::cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES +dave::ip addr list dev eth0::PH_IP_DAVE1::YES +dave::ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES +dave::ipsec status::home.*INSTALLED::YES +dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon::cat /var/log/daemon.log::peer requested virtual IP %any::YES +moon::cat /var/log/daemon.log::reassigning address from expired lease from pool.*bigpool::YES +moon::cat /var/log/daemon.log::assigning virtual IP::YES +moon::ipsec pool --status::bigpool.*10.3.0.1.*10.3.255.254.*1h.*2::YES +moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.1,id=carol@strongswan.org::online::YES +moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.2,id=dave@strongswan.org::online::YES +moon::ipsec status::rw.*ESTABLISHED.*carol@strongswan.org::YES +moon::ipsec status::rw.*ESTABLISHED.*dave@strongswan.org::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES +alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES +alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES +alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES +alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/ipsec.conf b/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..3bc29625f --- /dev/null +++ b/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/ipsec.conf @@ -0,0 +1,8 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +# configuration is read from SQLite database diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/ipsec.d/data.sql new file mode 100644 index 000000000..ca813d44f --- /dev/null +++ b/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/ipsec.d/data.sql @@ -0,0 +1,140 @@ +/* Identities */ + +INSERT INTO identities ( + type, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 202, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* carol@strongswan.org */ + 3, X'6361726f6c407374726f6e677377616e2e6f7267' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=carol@strongswan.org' */ + 202, X'985c23660cd9b9a7554da6a4aa31ea02230fd482' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* moon.strongswan.org */ + 2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267' + ); + +/* Certificates */ + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 1, 1, X'308203b53082029da003020102020100300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131303134355a170d3134303930383131303134355a3045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100bff25f62ea3d566e58b3c87a49caf3ac61cfa96377734d842db3f8fd6ea023f7b0132e66265012317386729c6d7c427a8d9f167be138e8ebae2b12b95933baef36a315c3ddf224cee4bb9bd578135d0467382629621ff96b8d45f6e002e5083662dce181805c140b3f2ce93f83aee3c861cff610a39f0189cb3a3c7cb9bf7e2a09544e2170efaa18fdd4ff20fa94be176d7fecff821f68d17152041d9b46f0cfcfc1e4cf43de5d3f3a587763afe9267f53b11699b3264fc55c5189f5682871166cb98307950569641fa30ffb50de134fed2f973cef1a392827862bc4ddaa97bbb01442e293c41070d07224d4be47ae2753eb2bed4bc1da91c68ec780c4620f0f0203010001a381af3081ac300f0603551d130101ff040530030101ff300b0603551d0f040403020106301d0603551d0e041604145da7dd700651327ee7b66db3b5e5e060ea2e4def306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100300d06092a864886f70d010104050003820101009ad74e3e60592dfb9b21c78628bd76b63090c1720c74bf94753cad6fddadc9c776eb39d3bfaa52136bf528840078386308fcf79503bd3d1ad6c15ac38e10c846bff7888a03cfe7fa0e644b522b2af5aedf0bbc508dc48330a180757772771095059b2be148f58dc0c753b59e9d6bfb02e9b685a928a284531b187313fd2b835bc9ea27d0020739a8d485e88bdede9a45cde6d28ed553b0e8e92dabf877bed59abf9d151f15e4f2d00b5e6e49fcb665293d2296697926c2954dae367542ef6e98053e76d2728732f6ce69f284f0b856aa6c2823a9ee29b280a66f50828f9b5cf27f84feca3c31c24897db156c7a833768ab306f51286457a51f09dd53bbb4190f' +); + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=carol@strongswan.org */ + 1, 1, X'308204223082030aa00302010202010a300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3035303130313231343331385a170d3039313233313231343331385a305a310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e3111300f060355040b13085265736561726368311d301b060355040314146361726f6c407374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100b81b84920408e086c8d278d3ad2e9ffc01b89e8c423b612b908010f8174ff96f6729e84b185fb96e60783082c507ace9d64f79beb0252e05e5f1f7a89a0b33e6789f5deb665084cb230191c165bcad1a34563e011b349bb6ab517f01ecf7e2f4de961d36203b85e97811cb26b650cfd014d15dd2d2b71efd656e5638a24bf70986b8128bbae5f3b428d6360e03d3f4e816502e3d1d14d7165ab1a92a9fe15ef045d4e48ff5bd798ec80c9420962c9a9798b54a0ed2a00cf2c9651d7d9882e181c1ef6b1c43edcada2fd191e109962dbd26f38a00208c1ac3ed27a5924c60330c79878eb5c7a90960a6472f979aca9c5aee2bb4d0aed395b546c5e361910a06370203010001a38201063082010230090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e041604145535eca6eba279baef887f18438fd227b16746d1306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100301f0603551d110418301681146361726f6c407374726f6e677377616e2e6f726730390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f7374726f6e677377616e2e63726c300d06092a864886f70d01010405000382010100b1304a7e65d72573468853e8cedd398bf3581cc1e6b4054b9c8d97c3caf0929035dc5e274e7b3fa5fef52e7860bb06aab5ba40c5f1ca55806b4cd873f133ded948b3c89cc81621e2eadee5fc893b48a34e4462a45ab09c41200918f68ea36babfacf4099aa349b8b65841eb1e416b90e4eb462edd786cdb0008565633a701fcd2c416ae8e4754c5bea3181736179aa901e5526c4fac031ce649d851c85ded514c25e3269b0739a879d273950e1a9ea8341b5e1049c07181792ad37da02aeccd555c56469e8e15a9e72860b520dbec05662d37adb08d79575e133f338b0116198fa5fb556fe02682bd634aca535f6750b0daa123f5ad36f2e67caa260587f1aa9' +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 1 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 2 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 3 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 4 +); + +/* Private Keys */ + +INSERT INTO private_keys ( + type, data +) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=carol@strongswan.org' */ + 1, X'308204a30201000282010100b81b84920408e086c8d278d3ad2e9ffc01b89e8c423b612b908010f8174ff96f6729e84b185fb96e60783082c507ace9d64f79beb0252e05e5f1f7a89a0b33e6789f5deb665084cb230191c165bcad1a34563e011b349bb6ab517f01ecf7e2f4de961d36203b85e97811cb26b650cfd014d15dd2d2b71efd656e5638a24bf70986b8128bbae5f3b428d6360e03d3f4e816502e3d1d14d7165ab1a92a9fe15ef045d4e48ff5bd798ec80c9420962c9a9798b54a0ed2a00cf2c9651d7d9882e181c1ef6b1c43edcada2fd191e109962dbd26f38a00208c1ac3ed27a5924c60330c79878eb5c7a90960a6472f979aca9c5aee2bb4d0aed395b546c5e361910a063702030100010282010100a7870abc1f85c061858dd7baae24f61947abaa41f0e6bd85f9c83f28b175e980d0bc168f76cf6c199f18def3afbc4b40c0edb2d7accb3834cfc7bd57234d3c5de4b707ac737ea3478144255079761581f9cbdc41ff72809ad90ba069ad2ae7cf7057e29ee4f7a4e40c890c75de826c8768da16e9072af0bd1db6282902ade34cb1b9c3fdd00a8f0330328e18d477009ac5a43952fe05b7257b8b4e7f8f5288e858ef56ea3a031980d38b879e6327d949a8f3c19bf379c1297b3defc0a374a6ea6f1c0e8124247c33392ae446081f486f58bb41cbcba25915d37eefe0828408f7f679841588424ef59b6dee30805b926fa80e7ff57cb4817167ca72bf51c8cf9102818100da567b0cbbc426e4455ffdd1b8013644d9f47785b05b163a0155c81d57c0cd84fe73aa75125caf116de50b7adc369707ed91127db7d4422bb08cff5ddf91f4a0e5fb264e098fe6fe62f8a2ab933eeac41893f365d8165f79143855b5a5b7dc31c9b34a9d453ee7c8d7b24f89e3ed51bfeadc2e1102308a967b241dfb44c8ad6902818100d7dd78437c533a15fd1dd6b0634334e79c31d215017f5a8869e42cbada3fb09167585e087e72f91575441f7cca9a64246df57f0e45f1ae86a289a4307586aa1cc3cd069c65057cc3b0baac3634064e53179bde9af2531a5af2770a1d7ccbdc263f18299ad2ec0d224b718002633a546af74c7cac72ccdf253ab4370137bf829f02818063b2f5c15cc43716296fa9d167fa75b37eeb18e0dd24dac365f4abca6a55ca031ec5e6624b1e337afbf9890273282253267206458df9c8b5768b0bd8ebcc142e9c95d069f607d5ecf7789d9f473f85a841a8dd8df5dc518052715f01f14841ae22725271fa3abd5082de135fddca7277f660d05047f5ae73048bfb7ccf6deb7102818028b2b4ade48ebc70d0dc03521624e1a0992e3b71826ac462dbb40d4add430cc31d3ce7ddaa197b24b48b37748bae381b363006d8660f7edc1b60dff7d2f0a4b9efa0841290694c7088ad69327ef48167e1179e0c908b6278ab260e5e28dd36906f6cdacb39e10f48dbf8762dfd0f4e432c84db2c98285019f0cb7163656351f902818042a7d7d7f9416b3f3b50cf5815dfbc249cd3572e494c76d1ae99dc1e8bc63fbb32e5c18d5c4f90681e9046999cdcf0826f904350b9d67227f606382d9c7b3b1332d22744b2cefa691ab82dbec8e976a406b0902d0f4889392f80d39e2581ac42feed9085964650485e34811b04fa1f34c47cde5cbdd1d20f30111851a3c187ca' +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 3 +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 4 +); + +/* Configurations */ + +INSERT INTO ike_configs ( + local, remote +) VALUES ( + 'PH_IP_CAROL', 'PH_IP_MOON' +); + +INSERT INTO peer_configs ( + name, ike_cfg, local_id, remote_id, virtual +) VALUES ( + 'home', 1, 3, 5, '0.0.0.0' +); + +INSERT INTO child_configs ( + name, updown +) VALUES ( + 'home', 'ipsec _updown iptables' +); + +INSERT INTO peer_config_child_config ( + peer_cfg, child_cfg +) VALUES ( + 1, 1 +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( /* 10.1.0.0/16 */ + 7, X'0a010000', X'0a01ffff' +); + +INSERT INTO traffic_selectors ( + type +) VALUES ( /* dynamic/32 */ + 7 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 1, 1 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 2, 2 +); + diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/ipsec.secrets b/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..76bb21bea --- /dev/null +++ b/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +# secrets are read from SQLite database diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..5a35561ba --- /dev/null +++ b/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/strongswan.conf @@ -0,0 +1,10 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + plugins { + sql { + database = sqlite:///etc/ipsec.d/ipsec.db + } + } + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke sqlite sql +} diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/ipsec.conf b/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..3bc29625f --- /dev/null +++ b/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/ipsec.conf @@ -0,0 +1,8 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +# configuration is read from SQLite database diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/ipsec.d/data.sql b/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/ipsec.d/data.sql new file mode 100644 index 000000000..5233806c7 --- /dev/null +++ b/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/ipsec.d/data.sql @@ -0,0 +1,140 @@ +/* Identities */ + +INSERT INTO identities ( + type, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 202, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* dave@strongswan.org */ + 3, X'64617665407374726f6e677377616e2e6f7267' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=dave@strongswan.org' */ + 202, X'f651b7ea33148cc5a76a622f1c1eb16c6bbdea25' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* moon.strongswan.org */ + 2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267' + ); + +/* Certificates */ + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 1, 1, X'308203b53082029da003020102020100300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131303134355a170d3134303930383131303134355a3045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100bff25f62ea3d566e58b3c87a49caf3ac61cfa96377734d842db3f8fd6ea023f7b0132e66265012317386729c6d7c427a8d9f167be138e8ebae2b12b95933baef36a315c3ddf224cee4bb9bd578135d0467382629621ff96b8d45f6e002e5083662dce181805c140b3f2ce93f83aee3c861cff610a39f0189cb3a3c7cb9bf7e2a09544e2170efaa18fdd4ff20fa94be176d7fecff821f68d17152041d9b46f0cfcfc1e4cf43de5d3f3a587763afe9267f53b11699b3264fc55c5189f5682871166cb98307950569641fa30ffb50de134fed2f973cef1a392827862bc4ddaa97bbb01442e293c41070d07224d4be47ae2753eb2bed4bc1da91c68ec780c4620f0f0203010001a381af3081ac300f0603551d130101ff040530030101ff300b0603551d0f040403020106301d0603551d0e041604145da7dd700651327ee7b66db3b5e5e060ea2e4def306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100300d06092a864886f70d010104050003820101009ad74e3e60592dfb9b21c78628bd76b63090c1720c74bf94753cad6fddadc9c776eb39d3bfaa52136bf528840078386308fcf79503bd3d1ad6c15ac38e10c846bff7888a03cfe7fa0e644b522b2af5aedf0bbc508dc48330a180757772771095059b2be148f58dc0c753b59e9d6bfb02e9b685a928a284531b187313fd2b835bc9ea27d0020739a8d485e88bdede9a45cde6d28ed553b0e8e92dabf877bed59abf9d151f15e4f2d00b5e6e49fcb665293d2296697926c2954dae367542ef6e98053e76d2728732f6ce69f284f0b856aa6c2823a9ee29b280a66f50828f9b5cf27f84feca3c31c24897db156c7a833768ab306f51286457a51f09dd53bbb4190f' +); + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=dave@strongswan.org */ + 1, 1, X'308204223082030aa003020102020108300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131323635315a170d3039303930393131323635315a305b310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e31133011060355040b130a4163636f756e74696e67311c301a0603550403141364617665407374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100c66c299463a8a78abef5ffa45679b7a070b5139834b146aa5138d0f1d8845412e112e4429ceeab23473e395e8aa38b2c024118d85b7ddf504118eabedf9c793bd02c949d6799cabeefe03ff62e304ddec98313afd966bcf13f1fb1a619548a060e17fbede205225b574e679adc9f11bdf9e36b48bea058d360d62b8445f9524db98757a4d59865363c675d28667a5dfa967dd03eea23a2dbea32ab0e9a1f8bb885f5e12723113843a12dd00552fcd4f548b31174aab2610e4a8752f6fca95494584db65cc7bd1ef50ee0d8c8211efb5063a995801cc0c1a903042b7ff7c94094a0de5d7390a8f72a01949cd958c6f2012692bd5dba6f30b09c3c0b69622864450203010001a38201053082010130090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e04160414de90b5d11c6c643c7450d36af8886ca31938fb72306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100301e0603551d1104173015811364617665407374726f6e677377616e2e6f726730390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f7374726f6e677377616e2e63726c300d06092a864886f70d0101040500038201010027a2d727384d2d2432f2f15875fa7693db3af1c7d5317cc21e1658f0843a918875d22c301b08e9c05a8aa3f02f6b8ae6705bb508988210f494fd19d92db786db21c1b6e6b18c0b7baa3fbd427da033fd2c08659daf9bc26dd99cf348c1ec139a9b8c32110199eaea08913f6b3a3d5b0c3d2a6f1f7e2c45b13452858949db416493f96dbf93e2173d81f99bc937b0c0c9e3874f4a90626a571295502ff5cf553dcdbdd7d4673dcbecc8ebbfc3e3ac0ce8a75120d6aa3dd2b6e9a61114cfbf0cba137c5934eddb32cfb96dd02fbf8adc903afa5f8d5959fce7a94fdd9e5a7a3816e35126e50fe7f818887bd2b2365b6b3a86d36a86849e9582d193e6a20b513988' +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 1 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 2 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 3 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 4 +); + +/* Private Keys */ + +INSERT INTO private_keys ( + type, data +) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=dave@strongswan.org' */ + 1, X'308204a40201000282010100c66c299463a8a78abef5ffa45679b7a070b5139834b146aa5138d0f1d8845412e112e4429ceeab23473e395e8aa38b2c024118d85b7ddf504118eabedf9c793bd02c949d6799cabeefe03ff62e304ddec98313afd966bcf13f1fb1a619548a060e17fbede205225b574e679adc9f11bdf9e36b48bea058d360d62b8445f9524db98757a4d59865363c675d28667a5dfa967dd03eea23a2dbea32ab0e9a1f8bb885f5e12723113843a12dd00552fcd4f548b31174aab2610e4a8752f6fca95494584db65cc7bd1ef50ee0d8c8211efb5063a995801cc0c1a903042b7ff7c94094a0de5d7390a8f72a01949cd958c6f2012692bd5dba6f30b09c3c0b696228644502030100010282010100903fb9caa2d8cd5454974a0e12bfd1fad5750e95ac58e462954194c4fcfed690130844e1186d7a04df9a20e2d62f26d20ba17f8a6a990b6bb0a788a0d2b7527b654fc38adaf2372eaffc7b036178c4639e63a84042f02993c8ac25ddf6b43ad34413b396b0a5c2e05c8c274db1ee025bf5fa9ad7fb9d5e75ed044606974835c7fbc39ae84b80acaae9e9624e6fe8ac0ca318ad8a7d1c6ed3a79261464e6ebdb9c02ef20cb1c206c58718d542ed9cb1428c5c3cebbd58dc25598bbdd9924c75fdfeac881949e5f10a7dd4dc25800bdb4bd479ca0bfb706f25847361b2d2565a412813273691b4a3a5a814dce52cdbe25d626e6c9e000ecd6a75cac275187e265102818100e596d3ee25cd98563b12bf718c0ce7e7a823ae8c84f1021552b6b0bf220b7e012861510ab49d612fe7ba05a202edf4927201af0f33f4137481811f884fc46723f94db8ed69b283376f3141ad7e6f0f52afee60e537111c5bd94642564981a822e54edb6797521fb5870c772993ff517ea9c24adcd9dc502f1364d26a3f05ec4f02818100dd3f81e8a4f463488db2b048f2ef208c1c98ee136636b6449cbd3424c93ab25916908823a1ef3a23b4798c77f92a3e29b9469f8014c6b862e23ab5fe6000f9552de01f72c0a1fcc731b0867a3bf1d27596fc9da6ecd74931ce120b1687d2a67b4e4fb32b7fb750b46645aa38ab011a4d5fedd53d20e5ae3a4a5551b6cc5f5d2b02818100ba744b9954ca2bb59c341596398f21a7593de13bed9b6d7db3b6fac3befa6652ba608e588b6664cf6afa00291b07f5601986948d5c3c14b0c19c03e7c82051433dec890b06941b4ca1d8f6e5d7908a7934b7fba92b9791d86614513b9266e20db4fcdde2bb59ceb6b5fec1a7dab1b7958e786424082a8c542f03ea7eaec038b1028180055e2312b7ddce02d69d3d35a7df3154f4e4a8f2038ad44539e0454197383b5779faabb2e19ce236378cb361bdc3ce9a488a74183168d8d45d54bb519e96a775ef94fe6e544a19cde360bb02802dcfc356946e66bc5c44c456918d7f507045e5bbf2a710291b13742cff07b03445e49377fe572c127e4009ddffcfe9b56fa2dd02818040d41f525d885c951dca35924f46e4e7f4e43f4ea2e670230deb674884f5b8599a368b1647dd87523c4fdb62661f6543edecc9ce48d4a7b8b2a29de21fd438a9cf4823b92c85180b390c4f8dfbc196628d349fed1edd32cba5c063e2739d2153d3677d4815e55b8b4e9d0989b32cf0060de2ded4cd59edf6a4364cb55aff9276' +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 3 +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 4 +); + +/* Configurations */ + +INSERT INTO ike_configs ( + local, remote +) VALUES ( + 'PH_IP_DAVE', 'PH_IP_MOON' +); + +INSERT INTO peer_configs ( + name, ike_cfg, local_id, remote_id, virtual +) VALUES ( + 'home', 1, 3, 5, '0.0.0.0' +); + +INSERT INTO child_configs ( + name, updown +) VALUES ( + 'home', 'ipsec _updown iptables' +); + +INSERT INTO peer_config_child_config ( + peer_cfg, child_cfg +) VALUES ( + 1, 1 +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( /* 10.1.0.0/16 */ + 7, X'0a010000', X'0a01ffff' +); + +INSERT INTO traffic_selectors ( + type +) VALUES ( /* dynamic/32 */ + 7 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 1, 1 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 2, 2 +); + diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/ipsec.secrets b/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/ipsec.secrets new file mode 100644 index 000000000..76bb21bea --- /dev/null +++ b/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +# secrets are read from SQLite database diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..5a35561ba --- /dev/null +++ b/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/strongswan.conf @@ -0,0 +1,10 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + plugins { + sql { + database = sqlite:///etc/ipsec.d/ipsec.db + } + } + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke sqlite sql +} diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/ipsec.conf b/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..3bc29625f --- /dev/null +++ b/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/ipsec.conf @@ -0,0 +1,8 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +# configuration is read from SQLite database diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/ipsec.d/data.sql new file mode 100644 index 000000000..8671f3070 --- /dev/null +++ b/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/ipsec.d/data.sql @@ -0,0 +1,171 @@ +/* Identities */ + +INSERT INTO identities ( + type, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 202, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* moon.strongswan.org */ + 2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */ + 202, X'd70dbd46d5133519064f12f100525ead0802ca95' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* %any */ + 0, '%any' +); + +INSERT INTO identities ( + type, data +) VALUES ( /* carol@strongswan.org */ + 3, X'6361726f6c407374726f6e677377616e2e6f7267' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* dave@strongswan.org */ + 3, X'64617665407374726f6e677377616e2e6f7267' + ); + +/* Certificates */ + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 1, 1, X'308203b53082029da003020102020100300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131303134355a170d3134303930383131303134355a3045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100bff25f62ea3d566e58b3c87a49caf3ac61cfa96377734d842db3f8fd6ea023f7b0132e66265012317386729c6d7c427a8d9f167be138e8ebae2b12b95933baef36a315c3ddf224cee4bb9bd578135d0467382629621ff96b8d45f6e002e5083662dce181805c140b3f2ce93f83aee3c861cff610a39f0189cb3a3c7cb9bf7e2a09544e2170efaa18fdd4ff20fa94be176d7fecff821f68d17152041d9b46f0cfcfc1e4cf43de5d3f3a587763afe9267f53b11699b3264fc55c5189f5682871166cb98307950569641fa30ffb50de134fed2f973cef1a392827862bc4ddaa97bbb01442e293c41070d07224d4be47ae2753eb2bed4bc1da91c68ec780c4620f0f0203010001a381af3081ac300f0603551d130101ff040530030101ff300b0603551d0f040403020106301d0603551d0e041604145da7dd700651327ee7b66db3b5e5e060ea2e4def306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100300d06092a864886f70d010104050003820101009ad74e3e60592dfb9b21c78628bd76b63090c1720c74bf94753cad6fddadc9c776eb39d3bfaa52136bf528840078386308fcf79503bd3d1ad6c15ac38e10c846bff7888a03cfe7fa0e644b522b2af5aedf0bbc508dc48330a180757772771095059b2be148f58dc0c753b59e9d6bfb02e9b685a928a284531b187313fd2b835bc9ea27d0020739a8d485e88bdede9a45cde6d28ed553b0e8e92dabf877bed59abf9d151f15e4f2d00b5e6e49fcb665293d2296697926c2954dae367542ef6e98053e76d2728732f6ce69f284f0b856aa6c2823a9ee29b280a66f50828f9b5cf27f84feca3c31c24897db156c7a833768ab306f51286457a51f09dd53bbb4190f' +); + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=moon.strongswan.org */ + 1, 1, X'3082040d308202f5a003020102020103300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131313732355a170d3039303930393131313732355a3046310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311c301a060355040313136d6f6f6e2e7374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100afae2e109ac0a71b437b6f1a9e5194d085c999fe2c8de11b261f016c88e734eb1a6767b15bc7d8338bf3acc14e8a18bf857fd3dfbce637e9b0d3654f15d9068bdf4450517cf72651be8d4c8ff738ea961b2f5584bf7089afaa0a37b94910d18083bf649a7d395a41f04e68f14494d10ffc7d984a2c81e97f3421c1ec38c629b2456a3d8f3bf3915e86317ea71bb24422bef475e677e8967670b4f6ee2a80a45adcbd086a6537ab5fc12bf69f9072b620020de1880cec6cdea47543d1fec4c5ff547ac2447a1e210d9c128dc3337726eb63d5c1c731aa2c63ce175dbc8ebfb9c1e5198815be473781c3f82c2b59d23deb9739dda53c98d31a3fba57760aeaa89b0203010001a38201053082010130090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e04160414e5e410876c2ac4bead854942a6de7658303a9fc1306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100301e0603551d110417301582136d6f6f6e2e7374726f6e677377616e2e6f726730390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f7374726f6e677377616e2e63726c300d06092a864886f70d010104050003820101002f2f2921667aa576bb0c71b601dfa5b358a93e84e8a1af9754ddfbfc67879cb6c6b7833c5749e7c30b11a87b3549e105dda5d371c459f7d40fabd60c4ac8623924be84c96cfa638eb6ce9f6513b9d61080b895d270c405eacc310c709a613b6f61029c94f535ac5836b890be402ad2c52f01f7fd4bff8c0cc0cbea9720ef21c0bb41fb0726852a3c38563d917fdcca186dede6fbc83febd9edf0541382464ee378f7b8c9684df0d2402b07eb11dd4a886ab5e7299d99ea2686994746c2d9c00d95b02b2950d67f7978c6db5b379c4a3170239c414cf743bab866005366809690073a150e73c6866b9b335616acdbd3a8e651596dedb686b5d8d3eeb12df9d729' +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 1 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 2 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 3 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 4 +); + +/* Private Keys */ + +INSERT INTO private_keys ( + type, data +) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */ + 1, X'308204a30201000282010100afae2e109ac0a71b437b6f1a9e5194d085c999fe2c8de11b261f016c88e734eb1a6767b15bc7d8338bf3acc14e8a18bf857fd3dfbce637e9b0d3654f15d9068bdf4450517cf72651be8d4c8ff738ea961b2f5584bf7089afaa0a37b94910d18083bf649a7d395a41f04e68f14494d10ffc7d984a2c81e97f3421c1ec38c629b2456a3d8f3bf3915e86317ea71bb24422bef475e677e8967670b4f6ee2a80a45adcbd086a6537ab5fc12bf69f9072b620020de1880cec6cdea47543d1fec4c5ff547ac2447a1e210d9c128dc3337726eb63d5c1c731aa2c63ce175dbc8ebfb9c1e5198815be473781c3f82c2b59d23deb9739dda53c98d31a3fba57760aeaa89b0203010001028201004080550d67a42036945a377ab072078f5fef9b0885573a34fb941ab3bcb816e7d2f3f050600049d2f3296e5e32f5e50c3c79a852d74a377127a915e329845b30f3b26342e7fcde26d92d8bd4b7d23fdf08f02217f129e2838a8ce1d4b78ce33eaa2095515b74b93cc87c216fa3dc77bdc4d86017ababaf0d3318c9d86f27e29aa3301f6d7990f6f7f71db9de23ac66800ba0db4f42bbe82932ca56e08ba730c63febaf2779198cee387ee0934b32a2610ab990a4b908951bb1db2345cf1905f11aeaa6d1b368b7f82b1345ad14544e11d47d6981fc4be083326050cb950363dad1b28dbc16db42ec0fa973312c7306063bc9f308a6b0bcc965e5cb7e0b323ca102818100e71fffd9c9a528bdcb6e9ad1a5f4b354e3ea337392784aac790b4fba7f46b3b58d55965573f6493b686375cf6a0c68da9379434b055b625f01d64a9f1934cb075b25db5ef568325039674d577590b5ec54284842e04c27c97103a151805c9b620a3df84181e3a0c10752a7da6cac9629471a2bc85b32c3a160f3a8adf2d783d302818100c2968f5baf0d246bb9671b1dcfadab3a23cd6f9f1cba8c4b0d9b09d6c30a24eec174f22a4d9d2818d760b79a61c9cdd1381487723a99773a629b58171a6e28706bf083700f35037a0cb0649c9359987ccf77b44b4b3d94c614c74537c7025b503dc9967095411ecaec4b4427bc39dd5dfccbb8bab5d92e9465ab11e5e05d7319028181008b306e388e837461b89dc786f256c7991c18f31b6ade1eba77bb242cc071a7d0726954bbe9b62cac26559fa165d04b6536e3146f9dae4733c83b717d1705003051e81e90b56226cac18740c0a7009b4ed3efde74c7f7950e6f8d2c1d951c30477ebb8b428822b9b105e3f54a49a0365e6d7f895683f5b273019c3bbd663dfc190281807f5def6e12b1a682407405a2c8ba2356c5f2853a7fa2778bf4d6e364c87b4e5b5d138023427438b7b1da63b35088b808570dd0ee6afee2b4bbb074c382905235ebe11d176f4cc2fed3696e21b2ad358b947d04ed37cd9220e99ed966be0383e38cddf373b3ae514a7fca704d15fe46306bf4a8f0c570e7f5486ae6273269d89902818031055903f23c7db8da8951aad134c83a7ca951c48c9a7b994f36d9815bc82c80527b6da8e4beff9fee67b1fde5064719a40448bd6d70d9da8910122402835a328e74cfd34e8b568c29fae6ff831ef824fc825e609547a06052a4113ec09f00649bb7b7d195a773f11711c88f152b10a1b4ae58bb6d8bfc176e39f96c7c0de5c8' +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 3 +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 4 +); + +/* Configurations */ + +INSERT INTO ike_configs ( + local, remote +) VALUES ( + 'PH_IP_MOON', '0.0.0.0' +); + +INSERT INTO peer_configs ( + name, ike_cfg, local_id, remote_id, pool +) VALUES ( + 'rw', 1, 3, 5, 'bigpool' +); + +INSERT INTO child_configs ( + name, updown +) VALUES ( + 'rw', 'ipsec _updown iptables' +); + +INSERT INTO peer_config_child_config ( + peer_cfg, child_cfg +) VALUES ( + 1, 1 +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( /* 10.1.0.0/16 */ + 7, X'0a010000', X'0a01ffff' +); + +INSERT INTO traffic_selectors ( + type +) VALUES ( /* dynamic/32 */ + 7 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 1, 0 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 2, 3 +); + +/* Pools */ + +INSERT INTO pools ( + name, start, end, next, timeout +) VALUES ( + 'bigpool', X'0a030001', X'0a03fffe', X'0a030003', 3600 +); + +INSERT INTO leases ( + pool, address, identity, acquired, released +) VALUES ( + 1, X'0a030001', 7, 1211299013 , 1211299205 +); + +INSERT INTO leases ( + pool, address, identity, acquired, released +) VALUES ( + 1, X'0a030002', 6, 1211299031, 1211299187 +); diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/ipsec.secrets b/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..76bb21bea --- /dev/null +++ b/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +# secrets are read from SQLite database diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..5a35561ba --- /dev/null +++ b/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/strongswan.conf @@ -0,0 +1,10 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + plugins { + sql { + database = sqlite:///etc/ipsec.d/ipsec.db + } + } + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke sqlite sql +} diff --git a/testing/tests/sql/ip-pool-db-expired/posttest.dat b/testing/tests/sql/ip-pool-db-expired/posttest.dat new file mode 100644 index 000000000..d4d57ad83 --- /dev/null +++ b/testing/tests/sql/ip-pool-db-expired/posttest.dat @@ -0,0 +1,10 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +dave::/etc/init.d/iptables stop 2> /dev/null +moon::rm /etc/ipsec.d/ipsec.* +carol::rm /etc/ipsec.d/ipsec.* +dave::rm /etc/ipsec.d/ipsec.* +~ diff --git a/testing/tests/sql/ip-pool-db-expired/pretest.dat b/testing/tests/sql/ip-pool-db-expired/pretest.dat new file mode 100644 index 000000000..c83449eaf --- /dev/null +++ b/testing/tests/sql/ip-pool-db-expired/pretest.dat @@ -0,0 +1,19 @@ +moon::rm /etc/ipsec.d/cacerts/* +carol::rm /etc/ipsec.d/cacerts/* +dave::rm /etc/ipsec.d/cacerts/* +moon::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql +carol::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql +dave::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql +moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db +carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db +dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db +moon::ipsec pool --leases +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +dave::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +carol::ipsec start +dave::ipsec start +carol::sleep 1 +carol::ipsec up home +dave::ipsec up home diff --git a/testing/tests/sql/ip-pool-db-expired/test.conf b/testing/tests/sql/ip-pool-db-expired/test.conf new file mode 100644 index 000000000..75510b295 --- /dev/null +++ b/testing/tests/sql/ip-pool-db-expired/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="alice moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/sql/ip-pool-db-restart/description.txt b/testing/tests/sql/ip-pool-db-restart/description.txt new file mode 100644 index 000000000..83e48ae57 --- /dev/null +++ b/testing/tests/sql/ip-pool-db-restart/description.txt @@ -0,0 +1,10 @@ +The roadwarriors <b>carol</b> and <b>dave</b> restart a connection each +to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>. +Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKEv2 configuration +payload. The gateway moon reassigns the static and reserved virtual IP addresses +from a pool named <b>bigpool</b> predefined in the SQL database. +<p> +Upon the successful establishment of the IPsec tunnels, automatically inserted +iptables-based firewall rules let pass the tunneled traffic. +In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping +the client <b>alice</b> behind the gateway <b>moon</b>. diff --git a/testing/tests/sql/ip-pool-db-restart/evaltest.dat b/testing/tests/sql/ip-pool-db-restart/evaltest.dat new file mode 100644 index 000000000..5db30da40 --- /dev/null +++ b/testing/tests/sql/ip-pool-db-restart/evaltest.dat @@ -0,0 +1,26 @@ +carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES +carol::ip addr list dev eth0::PH_IP_CAROL1::YES +carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES +carol::ipsec status::home.*INSTALLED::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +dave::cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES +dave::ip addr list dev eth0::PH_IP_DAVE1::YES +dave::ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES +dave::ipsec status::home.*INSTALLED::YES +dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon::cat /var/log/daemon.log::peer requested virtual IP %any::YES +moon::cat /var/log/daemon.log::reassigning address from valid lease from pool.*bigpool::YES +moon::cat /var/log/daemon.log::assigning virtual IP::YES +moon::ipsec pool --status::bigpool.*10.3.0.1.*10.3.255.254.*static.*2::YES +moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.1,id=carol@strongswan.org::online::YES +moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.2,id=dave@strongswan.org::online::YES +moon::ipsec status::rw.*ESTABLISHED.*carol@strongswan.org::YES +moon::ipsec status::rw.*ESTABLISHED.*dave@strongswan.org::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES +alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES +alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES +alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES +alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/ipsec.conf b/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..3bc29625f --- /dev/null +++ b/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/ipsec.conf @@ -0,0 +1,8 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +# configuration is read from SQLite database diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/ipsec.d/data.sql new file mode 100644 index 000000000..ca813d44f --- /dev/null +++ b/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/ipsec.d/data.sql @@ -0,0 +1,140 @@ +/* Identities */ + +INSERT INTO identities ( + type, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 202, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* carol@strongswan.org */ + 3, X'6361726f6c407374726f6e677377616e2e6f7267' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=carol@strongswan.org' */ + 202, X'985c23660cd9b9a7554da6a4aa31ea02230fd482' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* moon.strongswan.org */ + 2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267' + ); + +/* Certificates */ + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 1, 1, X'308203b53082029da003020102020100300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131303134355a170d3134303930383131303134355a3045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100bff25f62ea3d566e58b3c87a49caf3ac61cfa96377734d842db3f8fd6ea023f7b0132e66265012317386729c6d7c427a8d9f167be138e8ebae2b12b95933baef36a315c3ddf224cee4bb9bd578135d0467382629621ff96b8d45f6e002e5083662dce181805c140b3f2ce93f83aee3c861cff610a39f0189cb3a3c7cb9bf7e2a09544e2170efaa18fdd4ff20fa94be176d7fecff821f68d17152041d9b46f0cfcfc1e4cf43de5d3f3a587763afe9267f53b11699b3264fc55c5189f5682871166cb98307950569641fa30ffb50de134fed2f973cef1a392827862bc4ddaa97bbb01442e293c41070d07224d4be47ae2753eb2bed4bc1da91c68ec780c4620f0f0203010001a381af3081ac300f0603551d130101ff040530030101ff300b0603551d0f040403020106301d0603551d0e041604145da7dd700651327ee7b66db3b5e5e060ea2e4def306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100300d06092a864886f70d010104050003820101009ad74e3e60592dfb9b21c78628bd76b63090c1720c74bf94753cad6fddadc9c776eb39d3bfaa52136bf528840078386308fcf79503bd3d1ad6c15ac38e10c846bff7888a03cfe7fa0e644b522b2af5aedf0bbc508dc48330a180757772771095059b2be148f58dc0c753b59e9d6bfb02e9b685a928a284531b187313fd2b835bc9ea27d0020739a8d485e88bdede9a45cde6d28ed553b0e8e92dabf877bed59abf9d151f15e4f2d00b5e6e49fcb665293d2296697926c2954dae367542ef6e98053e76d2728732f6ce69f284f0b856aa6c2823a9ee29b280a66f50828f9b5cf27f84feca3c31c24897db156c7a833768ab306f51286457a51f09dd53bbb4190f' +); + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=carol@strongswan.org */ + 1, 1, X'308204223082030aa00302010202010a300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3035303130313231343331385a170d3039313233313231343331385a305a310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e3111300f060355040b13085265736561726368311d301b060355040314146361726f6c407374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100b81b84920408e086c8d278d3ad2e9ffc01b89e8c423b612b908010f8174ff96f6729e84b185fb96e60783082c507ace9d64f79beb0252e05e5f1f7a89a0b33e6789f5deb665084cb230191c165bcad1a34563e011b349bb6ab517f01ecf7e2f4de961d36203b85e97811cb26b650cfd014d15dd2d2b71efd656e5638a24bf70986b8128bbae5f3b428d6360e03d3f4e816502e3d1d14d7165ab1a92a9fe15ef045d4e48ff5bd798ec80c9420962c9a9798b54a0ed2a00cf2c9651d7d9882e181c1ef6b1c43edcada2fd191e109962dbd26f38a00208c1ac3ed27a5924c60330c79878eb5c7a90960a6472f979aca9c5aee2bb4d0aed395b546c5e361910a06370203010001a38201063082010230090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e041604145535eca6eba279baef887f18438fd227b16746d1306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100301f0603551d110418301681146361726f6c407374726f6e677377616e2e6f726730390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f7374726f6e677377616e2e63726c300d06092a864886f70d01010405000382010100b1304a7e65d72573468853e8cedd398bf3581cc1e6b4054b9c8d97c3caf0929035dc5e274e7b3fa5fef52e7860bb06aab5ba40c5f1ca55806b4cd873f133ded948b3c89cc81621e2eadee5fc893b48a34e4462a45ab09c41200918f68ea36babfacf4099aa349b8b65841eb1e416b90e4eb462edd786cdb0008565633a701fcd2c416ae8e4754c5bea3181736179aa901e5526c4fac031ce649d851c85ded514c25e3269b0739a879d273950e1a9ea8341b5e1049c07181792ad37da02aeccd555c56469e8e15a9e72860b520dbec05662d37adb08d79575e133f338b0116198fa5fb556fe02682bd634aca535f6750b0daa123f5ad36f2e67caa260587f1aa9' +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 1 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 2 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 3 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 4 +); + +/* Private Keys */ + +INSERT INTO private_keys ( + type, data +) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=carol@strongswan.org' */ + 1, X'308204a30201000282010100b81b84920408e086c8d278d3ad2e9ffc01b89e8c423b612b908010f8174ff96f6729e84b185fb96e60783082c507ace9d64f79beb0252e05e5f1f7a89a0b33e6789f5deb665084cb230191c165bcad1a34563e011b349bb6ab517f01ecf7e2f4de961d36203b85e97811cb26b650cfd014d15dd2d2b71efd656e5638a24bf70986b8128bbae5f3b428d6360e03d3f4e816502e3d1d14d7165ab1a92a9fe15ef045d4e48ff5bd798ec80c9420962c9a9798b54a0ed2a00cf2c9651d7d9882e181c1ef6b1c43edcada2fd191e109962dbd26f38a00208c1ac3ed27a5924c60330c79878eb5c7a90960a6472f979aca9c5aee2bb4d0aed395b546c5e361910a063702030100010282010100a7870abc1f85c061858dd7baae24f61947abaa41f0e6bd85f9c83f28b175e980d0bc168f76cf6c199f18def3afbc4b40c0edb2d7accb3834cfc7bd57234d3c5de4b707ac737ea3478144255079761581f9cbdc41ff72809ad90ba069ad2ae7cf7057e29ee4f7a4e40c890c75de826c8768da16e9072af0bd1db6282902ade34cb1b9c3fdd00a8f0330328e18d477009ac5a43952fe05b7257b8b4e7f8f5288e858ef56ea3a031980d38b879e6327d949a8f3c19bf379c1297b3defc0a374a6ea6f1c0e8124247c33392ae446081f486f58bb41cbcba25915d37eefe0828408f7f679841588424ef59b6dee30805b926fa80e7ff57cb4817167ca72bf51c8cf9102818100da567b0cbbc426e4455ffdd1b8013644d9f47785b05b163a0155c81d57c0cd84fe73aa75125caf116de50b7adc369707ed91127db7d4422bb08cff5ddf91f4a0e5fb264e098fe6fe62f8a2ab933eeac41893f365d8165f79143855b5a5b7dc31c9b34a9d453ee7c8d7b24f89e3ed51bfeadc2e1102308a967b241dfb44c8ad6902818100d7dd78437c533a15fd1dd6b0634334e79c31d215017f5a8869e42cbada3fb09167585e087e72f91575441f7cca9a64246df57f0e45f1ae86a289a4307586aa1cc3cd069c65057cc3b0baac3634064e53179bde9af2531a5af2770a1d7ccbdc263f18299ad2ec0d224b718002633a546af74c7cac72ccdf253ab4370137bf829f02818063b2f5c15cc43716296fa9d167fa75b37eeb18e0dd24dac365f4abca6a55ca031ec5e6624b1e337afbf9890273282253267206458df9c8b5768b0bd8ebcc142e9c95d069f607d5ecf7789d9f473f85a841a8dd8df5dc518052715f01f14841ae22725271fa3abd5082de135fddca7277f660d05047f5ae73048bfb7ccf6deb7102818028b2b4ade48ebc70d0dc03521624e1a0992e3b71826ac462dbb40d4add430cc31d3ce7ddaa197b24b48b37748bae381b363006d8660f7edc1b60dff7d2f0a4b9efa0841290694c7088ad69327ef48167e1179e0c908b6278ab260e5e28dd36906f6cdacb39e10f48dbf8762dfd0f4e432c84db2c98285019f0cb7163656351f902818042a7d7d7f9416b3f3b50cf5815dfbc249cd3572e494c76d1ae99dc1e8bc63fbb32e5c18d5c4f90681e9046999cdcf0826f904350b9d67227f606382d9c7b3b1332d22744b2cefa691ab82dbec8e976a406b0902d0f4889392f80d39e2581ac42feed9085964650485e34811b04fa1f34c47cde5cbdd1d20f30111851a3c187ca' +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 3 +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 4 +); + +/* Configurations */ + +INSERT INTO ike_configs ( + local, remote +) VALUES ( + 'PH_IP_CAROL', 'PH_IP_MOON' +); + +INSERT INTO peer_configs ( + name, ike_cfg, local_id, remote_id, virtual +) VALUES ( + 'home', 1, 3, 5, '0.0.0.0' +); + +INSERT INTO child_configs ( + name, updown +) VALUES ( + 'home', 'ipsec _updown iptables' +); + +INSERT INTO peer_config_child_config ( + peer_cfg, child_cfg +) VALUES ( + 1, 1 +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( /* 10.1.0.0/16 */ + 7, X'0a010000', X'0a01ffff' +); + +INSERT INTO traffic_selectors ( + type +) VALUES ( /* dynamic/32 */ + 7 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 1, 1 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 2, 2 +); + diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/ipsec.secrets b/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..76bb21bea --- /dev/null +++ b/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +# secrets are read from SQLite database diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..5a35561ba --- /dev/null +++ b/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/strongswan.conf @@ -0,0 +1,10 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + plugins { + sql { + database = sqlite:///etc/ipsec.d/ipsec.db + } + } + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke sqlite sql +} diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/ipsec.conf b/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..3bc29625f --- /dev/null +++ b/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/ipsec.conf @@ -0,0 +1,8 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +# configuration is read from SQLite database diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/ipsec.d/data.sql b/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/ipsec.d/data.sql new file mode 100644 index 000000000..5233806c7 --- /dev/null +++ b/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/ipsec.d/data.sql @@ -0,0 +1,140 @@ +/* Identities */ + +INSERT INTO identities ( + type, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 202, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* dave@strongswan.org */ + 3, X'64617665407374726f6e677377616e2e6f7267' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=dave@strongswan.org' */ + 202, X'f651b7ea33148cc5a76a622f1c1eb16c6bbdea25' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* moon.strongswan.org */ + 2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267' + ); + +/* Certificates */ + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 1, 1, X'308203b53082029da003020102020100300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131303134355a170d3134303930383131303134355a3045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100bff25f62ea3d566e58b3c87a49caf3ac61cfa96377734d842db3f8fd6ea023f7b0132e66265012317386729c6d7c427a8d9f167be138e8ebae2b12b95933baef36a315c3ddf224cee4bb9bd578135d0467382629621ff96b8d45f6e002e5083662dce181805c140b3f2ce93f83aee3c861cff610a39f0189cb3a3c7cb9bf7e2a09544e2170efaa18fdd4ff20fa94be176d7fecff821f68d17152041d9b46f0cfcfc1e4cf43de5d3f3a587763afe9267f53b11699b3264fc55c5189f5682871166cb98307950569641fa30ffb50de134fed2f973cef1a392827862bc4ddaa97bbb01442e293c41070d07224d4be47ae2753eb2bed4bc1da91c68ec780c4620f0f0203010001a381af3081ac300f0603551d130101ff040530030101ff300b0603551d0f040403020106301d0603551d0e041604145da7dd700651327ee7b66db3b5e5e060ea2e4def306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100300d06092a864886f70d010104050003820101009ad74e3e60592dfb9b21c78628bd76b63090c1720c74bf94753cad6fddadc9c776eb39d3bfaa52136bf528840078386308fcf79503bd3d1ad6c15ac38e10c846bff7888a03cfe7fa0e644b522b2af5aedf0bbc508dc48330a180757772771095059b2be148f58dc0c753b59e9d6bfb02e9b685a928a284531b187313fd2b835bc9ea27d0020739a8d485e88bdede9a45cde6d28ed553b0e8e92dabf877bed59abf9d151f15e4f2d00b5e6e49fcb665293d2296697926c2954dae367542ef6e98053e76d2728732f6ce69f284f0b856aa6c2823a9ee29b280a66f50828f9b5cf27f84feca3c31c24897db156c7a833768ab306f51286457a51f09dd53bbb4190f' +); + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=dave@strongswan.org */ + 1, 1, X'308204223082030aa003020102020108300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131323635315a170d3039303930393131323635315a305b310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e31133011060355040b130a4163636f756e74696e67311c301a0603550403141364617665407374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100c66c299463a8a78abef5ffa45679b7a070b5139834b146aa5138d0f1d8845412e112e4429ceeab23473e395e8aa38b2c024118d85b7ddf504118eabedf9c793bd02c949d6799cabeefe03ff62e304ddec98313afd966bcf13f1fb1a619548a060e17fbede205225b574e679adc9f11bdf9e36b48bea058d360d62b8445f9524db98757a4d59865363c675d28667a5dfa967dd03eea23a2dbea32ab0e9a1f8bb885f5e12723113843a12dd00552fcd4f548b31174aab2610e4a8752f6fca95494584db65cc7bd1ef50ee0d8c8211efb5063a995801cc0c1a903042b7ff7c94094a0de5d7390a8f72a01949cd958c6f2012692bd5dba6f30b09c3c0b69622864450203010001a38201053082010130090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e04160414de90b5d11c6c643c7450d36af8886ca31938fb72306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100301e0603551d1104173015811364617665407374726f6e677377616e2e6f726730390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f7374726f6e677377616e2e63726c300d06092a864886f70d0101040500038201010027a2d727384d2d2432f2f15875fa7693db3af1c7d5317cc21e1658f0843a918875d22c301b08e9c05a8aa3f02f6b8ae6705bb508988210f494fd19d92db786db21c1b6e6b18c0b7baa3fbd427da033fd2c08659daf9bc26dd99cf348c1ec139a9b8c32110199eaea08913f6b3a3d5b0c3d2a6f1f7e2c45b13452858949db416493f96dbf93e2173d81f99bc937b0c0c9e3874f4a90626a571295502ff5cf553dcdbdd7d4673dcbecc8ebbfc3e3ac0ce8a75120d6aa3dd2b6e9a61114cfbf0cba137c5934eddb32cfb96dd02fbf8adc903afa5f8d5959fce7a94fdd9e5a7a3816e35126e50fe7f818887bd2b2365b6b3a86d36a86849e9582d193e6a20b513988' +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 1 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 2 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 3 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 4 +); + +/* Private Keys */ + +INSERT INTO private_keys ( + type, data +) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=dave@strongswan.org' */ + 1, X'308204a40201000282010100c66c299463a8a78abef5ffa45679b7a070b5139834b146aa5138d0f1d8845412e112e4429ceeab23473e395e8aa38b2c024118d85b7ddf504118eabedf9c793bd02c949d6799cabeefe03ff62e304ddec98313afd966bcf13f1fb1a619548a060e17fbede205225b574e679adc9f11bdf9e36b48bea058d360d62b8445f9524db98757a4d59865363c675d28667a5dfa967dd03eea23a2dbea32ab0e9a1f8bb885f5e12723113843a12dd00552fcd4f548b31174aab2610e4a8752f6fca95494584db65cc7bd1ef50ee0d8c8211efb5063a995801cc0c1a903042b7ff7c94094a0de5d7390a8f72a01949cd958c6f2012692bd5dba6f30b09c3c0b696228644502030100010282010100903fb9caa2d8cd5454974a0e12bfd1fad5750e95ac58e462954194c4fcfed690130844e1186d7a04df9a20e2d62f26d20ba17f8a6a990b6bb0a788a0d2b7527b654fc38adaf2372eaffc7b036178c4639e63a84042f02993c8ac25ddf6b43ad34413b396b0a5c2e05c8c274db1ee025bf5fa9ad7fb9d5e75ed044606974835c7fbc39ae84b80acaae9e9624e6fe8ac0ca318ad8a7d1c6ed3a79261464e6ebdb9c02ef20cb1c206c58718d542ed9cb1428c5c3cebbd58dc25598bbdd9924c75fdfeac881949e5f10a7dd4dc25800bdb4bd479ca0bfb706f25847361b2d2565a412813273691b4a3a5a814dce52cdbe25d626e6c9e000ecd6a75cac275187e265102818100e596d3ee25cd98563b12bf718c0ce7e7a823ae8c84f1021552b6b0bf220b7e012861510ab49d612fe7ba05a202edf4927201af0f33f4137481811f884fc46723f94db8ed69b283376f3141ad7e6f0f52afee60e537111c5bd94642564981a822e54edb6797521fb5870c772993ff517ea9c24adcd9dc502f1364d26a3f05ec4f02818100dd3f81e8a4f463488db2b048f2ef208c1c98ee136636b6449cbd3424c93ab25916908823a1ef3a23b4798c77f92a3e29b9469f8014c6b862e23ab5fe6000f9552de01f72c0a1fcc731b0867a3bf1d27596fc9da6ecd74931ce120b1687d2a67b4e4fb32b7fb750b46645aa38ab011a4d5fedd53d20e5ae3a4a5551b6cc5f5d2b02818100ba744b9954ca2bb59c341596398f21a7593de13bed9b6d7db3b6fac3befa6652ba608e588b6664cf6afa00291b07f5601986948d5c3c14b0c19c03e7c82051433dec890b06941b4ca1d8f6e5d7908a7934b7fba92b9791d86614513b9266e20db4fcdde2bb59ceb6b5fec1a7dab1b7958e786424082a8c542f03ea7eaec038b1028180055e2312b7ddce02d69d3d35a7df3154f4e4a8f2038ad44539e0454197383b5779faabb2e19ce236378cb361bdc3ce9a488a74183168d8d45d54bb519e96a775ef94fe6e544a19cde360bb02802dcfc356946e66bc5c44c456918d7f507045e5bbf2a710291b13742cff07b03445e49377fe572c127e4009ddffcfe9b56fa2dd02818040d41f525d885c951dca35924f46e4e7f4e43f4ea2e670230deb674884f5b8599a368b1647dd87523c4fdb62661f6543edecc9ce48d4a7b8b2a29de21fd438a9cf4823b92c85180b390c4f8dfbc196628d349fed1edd32cba5c063e2739d2153d3677d4815e55b8b4e9d0989b32cf0060de2ded4cd59edf6a4364cb55aff9276' +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 3 +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 4 +); + +/* Configurations */ + +INSERT INTO ike_configs ( + local, remote +) VALUES ( + 'PH_IP_DAVE', 'PH_IP_MOON' +); + +INSERT INTO peer_configs ( + name, ike_cfg, local_id, remote_id, virtual +) VALUES ( + 'home', 1, 3, 5, '0.0.0.0' +); + +INSERT INTO child_configs ( + name, updown +) VALUES ( + 'home', 'ipsec _updown iptables' +); + +INSERT INTO peer_config_child_config ( + peer_cfg, child_cfg +) VALUES ( + 1, 1 +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( /* 10.1.0.0/16 */ + 7, X'0a010000', X'0a01ffff' +); + +INSERT INTO traffic_selectors ( + type +) VALUES ( /* dynamic/32 */ + 7 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 1, 1 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 2, 2 +); + diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/ipsec.secrets b/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/ipsec.secrets new file mode 100644 index 000000000..76bb21bea --- /dev/null +++ b/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +# secrets are read from SQLite database diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..5a35561ba --- /dev/null +++ b/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/strongswan.conf @@ -0,0 +1,10 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + plugins { + sql { + database = sqlite:///etc/ipsec.d/ipsec.db + } + } + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke sqlite sql +} diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/ipsec.conf b/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..3bc29625f --- /dev/null +++ b/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/ipsec.conf @@ -0,0 +1,8 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +# configuration is read from SQLite database diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/ipsec.d/data.sql new file mode 100644 index 000000000..d250628e7 --- /dev/null +++ b/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/ipsec.d/data.sql @@ -0,0 +1,171 @@ +/* Identities */ + +INSERT INTO identities ( + type, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 202, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* moon.strongswan.org */ + 2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */ + 202, X'd70dbd46d5133519064f12f100525ead0802ca95' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* %any */ + 0, '%any' +); + +INSERT INTO identities ( + type, data +) VALUES ( /* carol@strongswan.org */ + 3, X'6361726f6c407374726f6e677377616e2e6f7267' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* dave@strongswan.org */ + 3, X'64617665407374726f6e677377616e2e6f7267' + ); + +/* Certificates */ + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 1, 1, X'308203b53082029da003020102020100300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131303134355a170d3134303930383131303134355a3045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100bff25f62ea3d566e58b3c87a49caf3ac61cfa96377734d842db3f8fd6ea023f7b0132e66265012317386729c6d7c427a8d9f167be138e8ebae2b12b95933baef36a315c3ddf224cee4bb9bd578135d0467382629621ff96b8d45f6e002e5083662dce181805c140b3f2ce93f83aee3c861cff610a39f0189cb3a3c7cb9bf7e2a09544e2170efaa18fdd4ff20fa94be176d7fecff821f68d17152041d9b46f0cfcfc1e4cf43de5d3f3a587763afe9267f53b11699b3264fc55c5189f5682871166cb98307950569641fa30ffb50de134fed2f973cef1a392827862bc4ddaa97bbb01442e293c41070d07224d4be47ae2753eb2bed4bc1da91c68ec780c4620f0f0203010001a381af3081ac300f0603551d130101ff040530030101ff300b0603551d0f040403020106301d0603551d0e041604145da7dd700651327ee7b66db3b5e5e060ea2e4def306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100300d06092a864886f70d010104050003820101009ad74e3e60592dfb9b21c78628bd76b63090c1720c74bf94753cad6fddadc9c776eb39d3bfaa52136bf528840078386308fcf79503bd3d1ad6c15ac38e10c846bff7888a03cfe7fa0e644b522b2af5aedf0bbc508dc48330a180757772771095059b2be148f58dc0c753b59e9d6bfb02e9b685a928a284531b187313fd2b835bc9ea27d0020739a8d485e88bdede9a45cde6d28ed553b0e8e92dabf877bed59abf9d151f15e4f2d00b5e6e49fcb665293d2296697926c2954dae367542ef6e98053e76d2728732f6ce69f284f0b856aa6c2823a9ee29b280a66f50828f9b5cf27f84feca3c31c24897db156c7a833768ab306f51286457a51f09dd53bbb4190f' +); + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=moon.strongswan.org */ + 1, 1, X'3082040d308202f5a003020102020103300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131313732355a170d3039303930393131313732355a3046310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311c301a060355040313136d6f6f6e2e7374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100afae2e109ac0a71b437b6f1a9e5194d085c999fe2c8de11b261f016c88e734eb1a6767b15bc7d8338bf3acc14e8a18bf857fd3dfbce637e9b0d3654f15d9068bdf4450517cf72651be8d4c8ff738ea961b2f5584bf7089afaa0a37b94910d18083bf649a7d395a41f04e68f14494d10ffc7d984a2c81e97f3421c1ec38c629b2456a3d8f3bf3915e86317ea71bb24422bef475e677e8967670b4f6ee2a80a45adcbd086a6537ab5fc12bf69f9072b620020de1880cec6cdea47543d1fec4c5ff547ac2447a1e210d9c128dc3337726eb63d5c1c731aa2c63ce175dbc8ebfb9c1e5198815be473781c3f82c2b59d23deb9739dda53c98d31a3fba57760aeaa89b0203010001a38201053082010130090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e04160414e5e410876c2ac4bead854942a6de7658303a9fc1306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100301e0603551d110417301582136d6f6f6e2e7374726f6e677377616e2e6f726730390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f7374726f6e677377616e2e63726c300d06092a864886f70d010104050003820101002f2f2921667aa576bb0c71b601dfa5b358a93e84e8a1af9754ddfbfc67879cb6c6b7833c5749e7c30b11a87b3549e105dda5d371c459f7d40fabd60c4ac8623924be84c96cfa638eb6ce9f6513b9d61080b895d270c405eacc310c709a613b6f61029c94f535ac5836b890be402ad2c52f01f7fd4bff8c0cc0cbea9720ef21c0bb41fb0726852a3c38563d917fdcca186dede6fbc83febd9edf0541382464ee378f7b8c9684df0d2402b07eb11dd4a886ab5e7299d99ea2686994746c2d9c00d95b02b2950d67f7978c6db5b379c4a3170239c414cf743bab866005366809690073a150e73c6866b9b335616acdbd3a8e651596dedb686b5d8d3eeb12df9d729' +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 1 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 2 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 3 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 4 +); + +/* Private Keys */ + +INSERT INTO private_keys ( + type, data +) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */ + 1, X'308204a30201000282010100afae2e109ac0a71b437b6f1a9e5194d085c999fe2c8de11b261f016c88e734eb1a6767b15bc7d8338bf3acc14e8a18bf857fd3dfbce637e9b0d3654f15d9068bdf4450517cf72651be8d4c8ff738ea961b2f5584bf7089afaa0a37b94910d18083bf649a7d395a41f04e68f14494d10ffc7d984a2c81e97f3421c1ec38c629b2456a3d8f3bf3915e86317ea71bb24422bef475e677e8967670b4f6ee2a80a45adcbd086a6537ab5fc12bf69f9072b620020de1880cec6cdea47543d1fec4c5ff547ac2447a1e210d9c128dc3337726eb63d5c1c731aa2c63ce175dbc8ebfb9c1e5198815be473781c3f82c2b59d23deb9739dda53c98d31a3fba57760aeaa89b0203010001028201004080550d67a42036945a377ab072078f5fef9b0885573a34fb941ab3bcb816e7d2f3f050600049d2f3296e5e32f5e50c3c79a852d74a377127a915e329845b30f3b26342e7fcde26d92d8bd4b7d23fdf08f02217f129e2838a8ce1d4b78ce33eaa2095515b74b93cc87c216fa3dc77bdc4d86017ababaf0d3318c9d86f27e29aa3301f6d7990f6f7f71db9de23ac66800ba0db4f42bbe82932ca56e08ba730c63febaf2779198cee387ee0934b32a2610ab990a4b908951bb1db2345cf1905f11aeaa6d1b368b7f82b1345ad14544e11d47d6981fc4be083326050cb950363dad1b28dbc16db42ec0fa973312c7306063bc9f308a6b0bcc965e5cb7e0b323ca102818100e71fffd9c9a528bdcb6e9ad1a5f4b354e3ea337392784aac790b4fba7f46b3b58d55965573f6493b686375cf6a0c68da9379434b055b625f01d64a9f1934cb075b25db5ef568325039674d577590b5ec54284842e04c27c97103a151805c9b620a3df84181e3a0c10752a7da6cac9629471a2bc85b32c3a160f3a8adf2d783d302818100c2968f5baf0d246bb9671b1dcfadab3a23cd6f9f1cba8c4b0d9b09d6c30a24eec174f22a4d9d2818d760b79a61c9cdd1381487723a99773a629b58171a6e28706bf083700f35037a0cb0649c9359987ccf77b44b4b3d94c614c74537c7025b503dc9967095411ecaec4b4427bc39dd5dfccbb8bab5d92e9465ab11e5e05d7319028181008b306e388e837461b89dc786f256c7991c18f31b6ade1eba77bb242cc071a7d0726954bbe9b62cac26559fa165d04b6536e3146f9dae4733c83b717d1705003051e81e90b56226cac18740c0a7009b4ed3efde74c7f7950e6f8d2c1d951c30477ebb8b428822b9b105e3f54a49a0365e6d7f895683f5b273019c3bbd663dfc190281807f5def6e12b1a682407405a2c8ba2356c5f2853a7fa2778bf4d6e364c87b4e5b5d138023427438b7b1da63b35088b808570dd0ee6afee2b4bbb074c382905235ebe11d176f4cc2fed3696e21b2ad358b947d04ed37cd9220e99ed966be0383e38cddf373b3ae514a7fca704d15fe46306bf4a8f0c570e7f5486ae6273269d89902818031055903f23c7db8da8951aad134c83a7ca951c48c9a7b994f36d9815bc82c80527b6da8e4beff9fee67b1fde5064719a40448bd6d70d9da8910122402835a328e74cfd34e8b568c29fae6ff831ef824fc825e609547a06052a4113ec09f00649bb7b7d195a773f11711c88f152b10a1b4ae58bb6d8bfc176e39f96c7c0de5c8' +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 3 +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 4 +); + +/* Configurations */ + +INSERT INTO ike_configs ( + local, remote +) VALUES ( + 'PH_IP_MOON', '0.0.0.0' +); + +INSERT INTO peer_configs ( + name, ike_cfg, local_id, remote_id, pool +) VALUES ( + 'rw', 1, 3, 5, 'bigpool' +); + +INSERT INTO child_configs ( + name, updown +) VALUES ( + 'rw', 'ipsec _updown iptables' +); + +INSERT INTO peer_config_child_config ( + peer_cfg, child_cfg +) VALUES ( + 1, 1 +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( /* 10.1.0.0/16 */ + 7, X'0a010000', X'0a01ffff' +); + +INSERT INTO traffic_selectors ( + type +) VALUES ( /* dynamic/32 */ + 7 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 1, 0 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 2, 3 +); + +/* Pools */ + +INSERT INTO pools ( + name, start, end, next, timeout +) VALUES ( + 'bigpool', X'0a030001', X'0a03fffe', X'0a030003', 0 +); + +INSERT INTO leases ( + pool, address, identity, acquired, released +) VALUES ( + 1, X'0a030001', 6, 1211299013 , 1211299205 +); + +INSERT INTO leases ( + pool, address, identity, acquired, released +) VALUES ( + 1, X'0a030002', 7, 1211299031, 1211299187 +); diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/ipsec.secrets b/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..76bb21bea --- /dev/null +++ b/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +# secrets are read from SQLite database diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..5a35561ba --- /dev/null +++ b/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/strongswan.conf @@ -0,0 +1,10 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + plugins { + sql { + database = sqlite:///etc/ipsec.d/ipsec.db + } + } + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke sqlite sql +} diff --git a/testing/tests/sql/ip-pool-db-restart/posttest.dat b/testing/tests/sql/ip-pool-db-restart/posttest.dat new file mode 100644 index 000000000..d4d57ad83 --- /dev/null +++ b/testing/tests/sql/ip-pool-db-restart/posttest.dat @@ -0,0 +1,10 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +dave::/etc/init.d/iptables stop 2> /dev/null +moon::rm /etc/ipsec.d/ipsec.* +carol::rm /etc/ipsec.d/ipsec.* +dave::rm /etc/ipsec.d/ipsec.* +~ diff --git a/testing/tests/sql/ip-pool-db-restart/pretest.dat b/testing/tests/sql/ip-pool-db-restart/pretest.dat new file mode 100644 index 000000000..4ecf6347a --- /dev/null +++ b/testing/tests/sql/ip-pool-db-restart/pretest.dat @@ -0,0 +1,19 @@ +moon::rm /etc/ipsec.d/cacerts/* +carol::rm /etc/ipsec.d/cacerts/* +dave::rm /etc/ipsec.d/cacerts/* +moon::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql +carol::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql +dave::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql +moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db +carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db +dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db +moon::ipsec pool --leases +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +dave::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +carol::ipsec start +dave::ipsec start +carol::sleep 1 +dave::ipsec up home +carol::ipsec up home diff --git a/testing/tests/sql/ip-pool-db-restart/test.conf b/testing/tests/sql/ip-pool-db-restart/test.conf new file mode 100644 index 000000000..75510b295 --- /dev/null +++ b/testing/tests/sql/ip-pool-db-restart/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="alice moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/sql/ip-pool-db/description.txt b/testing/tests/sql/ip-pool-db/description.txt new file mode 100644 index 000000000..92fca6ebd --- /dev/null +++ b/testing/tests/sql/ip-pool-db/description.txt @@ -0,0 +1,10 @@ +The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each +to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>. +Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKEv2 configuration +payload. The gateway moon assigns virtual IP addresses from a pool named <b>bigpool</b> +predefined in the SQL database. +<p> +Upon the successful establishment of the IPsec tunnels, automatically inserted +iptables-based firewall rules let pass the tunneled traffic. +In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping +the client <b>alice</b> behind the gateway <b>moon</b>. diff --git a/testing/tests/sql/ip-pool-db/evaltest.dat b/testing/tests/sql/ip-pool-db/evaltest.dat new file mode 100644 index 000000000..07d17b338 --- /dev/null +++ b/testing/tests/sql/ip-pool-db/evaltest.dat @@ -0,0 +1,26 @@ +carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES +carol::ip addr list dev eth0::PH_IP_CAROL1::YES +carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES +carol::ipsec status::home.*INSTALLED::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +dave::cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES +dave::ip addr list dev eth0::PH_IP_DAVE1::YES +dave::ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES +dave::ipsec status::home.*INSTALLED::YES +dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon::cat /var/log/daemon.log::peer requested virtual IP %any::YES +moon::cat /var/log/daemon.log::assigning lease with new address from pool.*bigpool::YES +moon::cat /var/log/daemon.log::assigning virtual IP::YES +moon::ipsec pool --status::bigpool.*10.3.0.1.*10.3.255.254.*static.*2::YES +moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.1,id=carol@strongswan.org::online::YES +moon::ipsec pool --leases --filter pool=bigpool,addr=10.3.0.2,id=dave@strongswan.org::online::YES +moon::ipsec status::rw.*ESTABLISHED.*carol@strongswan.org::YES +moon::ipsec status::rw.*ESTABLISHED.*dave@strongswan.org::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES +alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES +alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES +alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES +alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES diff --git a/testing/tests/sql/ip-pool-db/hosts/carol/etc/ipsec.conf b/testing/tests/sql/ip-pool-db/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..3bc29625f --- /dev/null +++ b/testing/tests/sql/ip-pool-db/hosts/carol/etc/ipsec.conf @@ -0,0 +1,8 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +# configuration is read from SQLite database diff --git a/testing/tests/sql/ip-pool-db/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/ip-pool-db/hosts/carol/etc/ipsec.d/data.sql new file mode 100644 index 000000000..ca813d44f --- /dev/null +++ b/testing/tests/sql/ip-pool-db/hosts/carol/etc/ipsec.d/data.sql @@ -0,0 +1,140 @@ +/* Identities */ + +INSERT INTO identities ( + type, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 202, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* carol@strongswan.org */ + 3, X'6361726f6c407374726f6e677377616e2e6f7267' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=carol@strongswan.org' */ + 202, X'985c23660cd9b9a7554da6a4aa31ea02230fd482' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* moon.strongswan.org */ + 2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267' + ); + +/* Certificates */ + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 1, 1, X'308203b53082029da003020102020100300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131303134355a170d3134303930383131303134355a3045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100bff25f62ea3d566e58b3c87a49caf3ac61cfa96377734d842db3f8fd6ea023f7b0132e66265012317386729c6d7c427a8d9f167be138e8ebae2b12b95933baef36a315c3ddf224cee4bb9bd578135d0467382629621ff96b8d45f6e002e5083662dce181805c140b3f2ce93f83aee3c861cff610a39f0189cb3a3c7cb9bf7e2a09544e2170efaa18fdd4ff20fa94be176d7fecff821f68d17152041d9b46f0cfcfc1e4cf43de5d3f3a587763afe9267f53b11699b3264fc55c5189f5682871166cb98307950569641fa30ffb50de134fed2f973cef1a392827862bc4ddaa97bbb01442e293c41070d07224d4be47ae2753eb2bed4bc1da91c68ec780c4620f0f0203010001a381af3081ac300f0603551d130101ff040530030101ff300b0603551d0f040403020106301d0603551d0e041604145da7dd700651327ee7b66db3b5e5e060ea2e4def306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100300d06092a864886f70d010104050003820101009ad74e3e60592dfb9b21c78628bd76b63090c1720c74bf94753cad6fddadc9c776eb39d3bfaa52136bf528840078386308fcf79503bd3d1ad6c15ac38e10c846bff7888a03cfe7fa0e644b522b2af5aedf0bbc508dc48330a180757772771095059b2be148f58dc0c753b59e9d6bfb02e9b685a928a284531b187313fd2b835bc9ea27d0020739a8d485e88bdede9a45cde6d28ed553b0e8e92dabf877bed59abf9d151f15e4f2d00b5e6e49fcb665293d2296697926c2954dae367542ef6e98053e76d2728732f6ce69f284f0b856aa6c2823a9ee29b280a66f50828f9b5cf27f84feca3c31c24897db156c7a833768ab306f51286457a51f09dd53bbb4190f' +); + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=carol@strongswan.org */ + 1, 1, X'308204223082030aa00302010202010a300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3035303130313231343331385a170d3039313233313231343331385a305a310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e3111300f060355040b13085265736561726368311d301b060355040314146361726f6c407374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100b81b84920408e086c8d278d3ad2e9ffc01b89e8c423b612b908010f8174ff96f6729e84b185fb96e60783082c507ace9d64f79beb0252e05e5f1f7a89a0b33e6789f5deb665084cb230191c165bcad1a34563e011b349bb6ab517f01ecf7e2f4de961d36203b85e97811cb26b650cfd014d15dd2d2b71efd656e5638a24bf70986b8128bbae5f3b428d6360e03d3f4e816502e3d1d14d7165ab1a92a9fe15ef045d4e48ff5bd798ec80c9420962c9a9798b54a0ed2a00cf2c9651d7d9882e181c1ef6b1c43edcada2fd191e109962dbd26f38a00208c1ac3ed27a5924c60330c79878eb5c7a90960a6472f979aca9c5aee2bb4d0aed395b546c5e361910a06370203010001a38201063082010230090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e041604145535eca6eba279baef887f18438fd227b16746d1306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100301f0603551d110418301681146361726f6c407374726f6e677377616e2e6f726730390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f7374726f6e677377616e2e63726c300d06092a864886f70d01010405000382010100b1304a7e65d72573468853e8cedd398bf3581cc1e6b4054b9c8d97c3caf0929035dc5e274e7b3fa5fef52e7860bb06aab5ba40c5f1ca55806b4cd873f133ded948b3c89cc81621e2eadee5fc893b48a34e4462a45ab09c41200918f68ea36babfacf4099aa349b8b65841eb1e416b90e4eb462edd786cdb0008565633a701fcd2c416ae8e4754c5bea3181736179aa901e5526c4fac031ce649d851c85ded514c25e3269b0739a879d273950e1a9ea8341b5e1049c07181792ad37da02aeccd555c56469e8e15a9e72860b520dbec05662d37adb08d79575e133f338b0116198fa5fb556fe02682bd634aca535f6750b0daa123f5ad36f2e67caa260587f1aa9' +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 1 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 2 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 3 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 4 +); + +/* Private Keys */ + +INSERT INTO private_keys ( + type, data +) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=carol@strongswan.org' */ + 1, X'308204a30201000282010100b81b84920408e086c8d278d3ad2e9ffc01b89e8c423b612b908010f8174ff96f6729e84b185fb96e60783082c507ace9d64f79beb0252e05e5f1f7a89a0b33e6789f5deb665084cb230191c165bcad1a34563e011b349bb6ab517f01ecf7e2f4de961d36203b85e97811cb26b650cfd014d15dd2d2b71efd656e5638a24bf70986b8128bbae5f3b428d6360e03d3f4e816502e3d1d14d7165ab1a92a9fe15ef045d4e48ff5bd798ec80c9420962c9a9798b54a0ed2a00cf2c9651d7d9882e181c1ef6b1c43edcada2fd191e109962dbd26f38a00208c1ac3ed27a5924c60330c79878eb5c7a90960a6472f979aca9c5aee2bb4d0aed395b546c5e361910a063702030100010282010100a7870abc1f85c061858dd7baae24f61947abaa41f0e6bd85f9c83f28b175e980d0bc168f76cf6c199f18def3afbc4b40c0edb2d7accb3834cfc7bd57234d3c5de4b707ac737ea3478144255079761581f9cbdc41ff72809ad90ba069ad2ae7cf7057e29ee4f7a4e40c890c75de826c8768da16e9072af0bd1db6282902ade34cb1b9c3fdd00a8f0330328e18d477009ac5a43952fe05b7257b8b4e7f8f5288e858ef56ea3a031980d38b879e6327d949a8f3c19bf379c1297b3defc0a374a6ea6f1c0e8124247c33392ae446081f486f58bb41cbcba25915d37eefe0828408f7f679841588424ef59b6dee30805b926fa80e7ff57cb4817167ca72bf51c8cf9102818100da567b0cbbc426e4455ffdd1b8013644d9f47785b05b163a0155c81d57c0cd84fe73aa75125caf116de50b7adc369707ed91127db7d4422bb08cff5ddf91f4a0e5fb264e098fe6fe62f8a2ab933eeac41893f365d8165f79143855b5a5b7dc31c9b34a9d453ee7c8d7b24f89e3ed51bfeadc2e1102308a967b241dfb44c8ad6902818100d7dd78437c533a15fd1dd6b0634334e79c31d215017f5a8869e42cbada3fb09167585e087e72f91575441f7cca9a64246df57f0e45f1ae86a289a4307586aa1cc3cd069c65057cc3b0baac3634064e53179bde9af2531a5af2770a1d7ccbdc263f18299ad2ec0d224b718002633a546af74c7cac72ccdf253ab4370137bf829f02818063b2f5c15cc43716296fa9d167fa75b37eeb18e0dd24dac365f4abca6a55ca031ec5e6624b1e337afbf9890273282253267206458df9c8b5768b0bd8ebcc142e9c95d069f607d5ecf7789d9f473f85a841a8dd8df5dc518052715f01f14841ae22725271fa3abd5082de135fddca7277f660d05047f5ae73048bfb7ccf6deb7102818028b2b4ade48ebc70d0dc03521624e1a0992e3b71826ac462dbb40d4add430cc31d3ce7ddaa197b24b48b37748bae381b363006d8660f7edc1b60dff7d2f0a4b9efa0841290694c7088ad69327ef48167e1179e0c908b6278ab260e5e28dd36906f6cdacb39e10f48dbf8762dfd0f4e432c84db2c98285019f0cb7163656351f902818042a7d7d7f9416b3f3b50cf5815dfbc249cd3572e494c76d1ae99dc1e8bc63fbb32e5c18d5c4f90681e9046999cdcf0826f904350b9d67227f606382d9c7b3b1332d22744b2cefa691ab82dbec8e976a406b0902d0f4889392f80d39e2581ac42feed9085964650485e34811b04fa1f34c47cde5cbdd1d20f30111851a3c187ca' +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 3 +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 4 +); + +/* Configurations */ + +INSERT INTO ike_configs ( + local, remote +) VALUES ( + 'PH_IP_CAROL', 'PH_IP_MOON' +); + +INSERT INTO peer_configs ( + name, ike_cfg, local_id, remote_id, virtual +) VALUES ( + 'home', 1, 3, 5, '0.0.0.0' +); + +INSERT INTO child_configs ( + name, updown +) VALUES ( + 'home', 'ipsec _updown iptables' +); + +INSERT INTO peer_config_child_config ( + peer_cfg, child_cfg +) VALUES ( + 1, 1 +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( /* 10.1.0.0/16 */ + 7, X'0a010000', X'0a01ffff' +); + +INSERT INTO traffic_selectors ( + type +) VALUES ( /* dynamic/32 */ + 7 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 1, 1 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 2, 2 +); + diff --git a/testing/tests/sql/ip-pool-db/hosts/carol/etc/ipsec.secrets b/testing/tests/sql/ip-pool-db/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..76bb21bea --- /dev/null +++ b/testing/tests/sql/ip-pool-db/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +# secrets are read from SQLite database diff --git a/testing/tests/sql/ip-pool-db/hosts/carol/etc/strongswan.conf b/testing/tests/sql/ip-pool-db/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..5a35561ba --- /dev/null +++ b/testing/tests/sql/ip-pool-db/hosts/carol/etc/strongswan.conf @@ -0,0 +1,10 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + plugins { + sql { + database = sqlite:///etc/ipsec.d/ipsec.db + } + } + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke sqlite sql +} diff --git a/testing/tests/sql/ip-pool-db/hosts/dave/etc/ipsec.conf b/testing/tests/sql/ip-pool-db/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..3bc29625f --- /dev/null +++ b/testing/tests/sql/ip-pool-db/hosts/dave/etc/ipsec.conf @@ -0,0 +1,8 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +# configuration is read from SQLite database diff --git a/testing/tests/sql/ip-pool-db/hosts/dave/etc/ipsec.d/data.sql b/testing/tests/sql/ip-pool-db/hosts/dave/etc/ipsec.d/data.sql new file mode 100644 index 000000000..5233806c7 --- /dev/null +++ b/testing/tests/sql/ip-pool-db/hosts/dave/etc/ipsec.d/data.sql @@ -0,0 +1,140 @@ +/* Identities */ + +INSERT INTO identities ( + type, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 202, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* dave@strongswan.org */ + 3, X'64617665407374726f6e677377616e2e6f7267' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=dave@strongswan.org' */ + 202, X'f651b7ea33148cc5a76a622f1c1eb16c6bbdea25' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* moon.strongswan.org */ + 2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267' + ); + +/* Certificates */ + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 1, 1, X'308203b53082029da003020102020100300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131303134355a170d3134303930383131303134355a3045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100bff25f62ea3d566e58b3c87a49caf3ac61cfa96377734d842db3f8fd6ea023f7b0132e66265012317386729c6d7c427a8d9f167be138e8ebae2b12b95933baef36a315c3ddf224cee4bb9bd578135d0467382629621ff96b8d45f6e002e5083662dce181805c140b3f2ce93f83aee3c861cff610a39f0189cb3a3c7cb9bf7e2a09544e2170efaa18fdd4ff20fa94be176d7fecff821f68d17152041d9b46f0cfcfc1e4cf43de5d3f3a587763afe9267f53b11699b3264fc55c5189f5682871166cb98307950569641fa30ffb50de134fed2f973cef1a392827862bc4ddaa97bbb01442e293c41070d07224d4be47ae2753eb2bed4bc1da91c68ec780c4620f0f0203010001a381af3081ac300f0603551d130101ff040530030101ff300b0603551d0f040403020106301d0603551d0e041604145da7dd700651327ee7b66db3b5e5e060ea2e4def306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100300d06092a864886f70d010104050003820101009ad74e3e60592dfb9b21c78628bd76b63090c1720c74bf94753cad6fddadc9c776eb39d3bfaa52136bf528840078386308fcf79503bd3d1ad6c15ac38e10c846bff7888a03cfe7fa0e644b522b2af5aedf0bbc508dc48330a180757772771095059b2be148f58dc0c753b59e9d6bfb02e9b685a928a284531b187313fd2b835bc9ea27d0020739a8d485e88bdede9a45cde6d28ed553b0e8e92dabf877bed59abf9d151f15e4f2d00b5e6e49fcb665293d2296697926c2954dae367542ef6e98053e76d2728732f6ce69f284f0b856aa6c2823a9ee29b280a66f50828f9b5cf27f84feca3c31c24897db156c7a833768ab306f51286457a51f09dd53bbb4190f' +); + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=dave@strongswan.org */ + 1, 1, X'308204223082030aa003020102020108300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131323635315a170d3039303930393131323635315a305b310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e31133011060355040b130a4163636f756e74696e67311c301a0603550403141364617665407374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100c66c299463a8a78abef5ffa45679b7a070b5139834b146aa5138d0f1d8845412e112e4429ceeab23473e395e8aa38b2c024118d85b7ddf504118eabedf9c793bd02c949d6799cabeefe03ff62e304ddec98313afd966bcf13f1fb1a619548a060e17fbede205225b574e679adc9f11bdf9e36b48bea058d360d62b8445f9524db98757a4d59865363c675d28667a5dfa967dd03eea23a2dbea32ab0e9a1f8bb885f5e12723113843a12dd00552fcd4f548b31174aab2610e4a8752f6fca95494584db65cc7bd1ef50ee0d8c8211efb5063a995801cc0c1a903042b7ff7c94094a0de5d7390a8f72a01949cd958c6f2012692bd5dba6f30b09c3c0b69622864450203010001a38201053082010130090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e04160414de90b5d11c6c643c7450d36af8886ca31938fb72306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100301e0603551d1104173015811364617665407374726f6e677377616e2e6f726730390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f7374726f6e677377616e2e63726c300d06092a864886f70d0101040500038201010027a2d727384d2d2432f2f15875fa7693db3af1c7d5317cc21e1658f0843a918875d22c301b08e9c05a8aa3f02f6b8ae6705bb508988210f494fd19d92db786db21c1b6e6b18c0b7baa3fbd427da033fd2c08659daf9bc26dd99cf348c1ec139a9b8c32110199eaea08913f6b3a3d5b0c3d2a6f1f7e2c45b13452858949db416493f96dbf93e2173d81f99bc937b0c0c9e3874f4a90626a571295502ff5cf553dcdbdd7d4673dcbecc8ebbfc3e3ac0ce8a75120d6aa3dd2b6e9a61114cfbf0cba137c5934eddb32cfb96dd02fbf8adc903afa5f8d5959fce7a94fdd9e5a7a3816e35126e50fe7f818887bd2b2365b6b3a86d36a86849e9582d193e6a20b513988' +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 1 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 2 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 3 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 4 +); + +/* Private Keys */ + +INSERT INTO private_keys ( + type, data +) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=dave@strongswan.org' */ + 1, X'308204a40201000282010100c66c299463a8a78abef5ffa45679b7a070b5139834b146aa5138d0f1d8845412e112e4429ceeab23473e395e8aa38b2c024118d85b7ddf504118eabedf9c793bd02c949d6799cabeefe03ff62e304ddec98313afd966bcf13f1fb1a619548a060e17fbede205225b574e679adc9f11bdf9e36b48bea058d360d62b8445f9524db98757a4d59865363c675d28667a5dfa967dd03eea23a2dbea32ab0e9a1f8bb885f5e12723113843a12dd00552fcd4f548b31174aab2610e4a8752f6fca95494584db65cc7bd1ef50ee0d8c8211efb5063a995801cc0c1a903042b7ff7c94094a0de5d7390a8f72a01949cd958c6f2012692bd5dba6f30b09c3c0b696228644502030100010282010100903fb9caa2d8cd5454974a0e12bfd1fad5750e95ac58e462954194c4fcfed690130844e1186d7a04df9a20e2d62f26d20ba17f8a6a990b6bb0a788a0d2b7527b654fc38adaf2372eaffc7b036178c4639e63a84042f02993c8ac25ddf6b43ad34413b396b0a5c2e05c8c274db1ee025bf5fa9ad7fb9d5e75ed044606974835c7fbc39ae84b80acaae9e9624e6fe8ac0ca318ad8a7d1c6ed3a79261464e6ebdb9c02ef20cb1c206c58718d542ed9cb1428c5c3cebbd58dc25598bbdd9924c75fdfeac881949e5f10a7dd4dc25800bdb4bd479ca0bfb706f25847361b2d2565a412813273691b4a3a5a814dce52cdbe25d626e6c9e000ecd6a75cac275187e265102818100e596d3ee25cd98563b12bf718c0ce7e7a823ae8c84f1021552b6b0bf220b7e012861510ab49d612fe7ba05a202edf4927201af0f33f4137481811f884fc46723f94db8ed69b283376f3141ad7e6f0f52afee60e537111c5bd94642564981a822e54edb6797521fb5870c772993ff517ea9c24adcd9dc502f1364d26a3f05ec4f02818100dd3f81e8a4f463488db2b048f2ef208c1c98ee136636b6449cbd3424c93ab25916908823a1ef3a23b4798c77f92a3e29b9469f8014c6b862e23ab5fe6000f9552de01f72c0a1fcc731b0867a3bf1d27596fc9da6ecd74931ce120b1687d2a67b4e4fb32b7fb750b46645aa38ab011a4d5fedd53d20e5ae3a4a5551b6cc5f5d2b02818100ba744b9954ca2bb59c341596398f21a7593de13bed9b6d7db3b6fac3befa6652ba608e588b6664cf6afa00291b07f5601986948d5c3c14b0c19c03e7c82051433dec890b06941b4ca1d8f6e5d7908a7934b7fba92b9791d86614513b9266e20db4fcdde2bb59ceb6b5fec1a7dab1b7958e786424082a8c542f03ea7eaec038b1028180055e2312b7ddce02d69d3d35a7df3154f4e4a8f2038ad44539e0454197383b5779faabb2e19ce236378cb361bdc3ce9a488a74183168d8d45d54bb519e96a775ef94fe6e544a19cde360bb02802dcfc356946e66bc5c44c456918d7f507045e5bbf2a710291b13742cff07b03445e49377fe572c127e4009ddffcfe9b56fa2dd02818040d41f525d885c951dca35924f46e4e7f4e43f4ea2e670230deb674884f5b8599a368b1647dd87523c4fdb62661f6543edecc9ce48d4a7b8b2a29de21fd438a9cf4823b92c85180b390c4f8dfbc196628d349fed1edd32cba5c063e2739d2153d3677d4815e55b8b4e9d0989b32cf0060de2ded4cd59edf6a4364cb55aff9276' +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 3 +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 4 +); + +/* Configurations */ + +INSERT INTO ike_configs ( + local, remote +) VALUES ( + 'PH_IP_DAVE', 'PH_IP_MOON' +); + +INSERT INTO peer_configs ( + name, ike_cfg, local_id, remote_id, virtual +) VALUES ( + 'home', 1, 3, 5, '0.0.0.0' +); + +INSERT INTO child_configs ( + name, updown +) VALUES ( + 'home', 'ipsec _updown iptables' +); + +INSERT INTO peer_config_child_config ( + peer_cfg, child_cfg +) VALUES ( + 1, 1 +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( /* 10.1.0.0/16 */ + 7, X'0a010000', X'0a01ffff' +); + +INSERT INTO traffic_selectors ( + type +) VALUES ( /* dynamic/32 */ + 7 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 1, 1 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 2, 2 +); + diff --git a/testing/tests/sql/ip-pool-db/hosts/dave/etc/ipsec.secrets b/testing/tests/sql/ip-pool-db/hosts/dave/etc/ipsec.secrets new file mode 100644 index 000000000..76bb21bea --- /dev/null +++ b/testing/tests/sql/ip-pool-db/hosts/dave/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +# secrets are read from SQLite database diff --git a/testing/tests/sql/ip-pool-db/hosts/dave/etc/strongswan.conf b/testing/tests/sql/ip-pool-db/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..5a35561ba --- /dev/null +++ b/testing/tests/sql/ip-pool-db/hosts/dave/etc/strongswan.conf @@ -0,0 +1,10 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + plugins { + sql { + database = sqlite:///etc/ipsec.d/ipsec.db + } + } + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke sqlite sql +} diff --git a/testing/tests/sql/ip-pool-db/hosts/moon/etc/ipsec.conf b/testing/tests/sql/ip-pool-db/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..3bc29625f --- /dev/null +++ b/testing/tests/sql/ip-pool-db/hosts/moon/etc/ipsec.conf @@ -0,0 +1,8 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +# configuration is read from SQLite database diff --git a/testing/tests/sql/ip-pool-db/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/ip-pool-db/hosts/moon/etc/ipsec.d/data.sql new file mode 100644 index 000000000..b7585f56b --- /dev/null +++ b/testing/tests/sql/ip-pool-db/hosts/moon/etc/ipsec.d/data.sql @@ -0,0 +1,147 @@ +/* Identities */ + +INSERT INTO identities ( + type, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 202, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* moon.strongswan.org */ + 2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */ + 202, X'd70dbd46d5133519064f12f100525ead0802ca95' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* %any */ + 0, '%any' +); + +/* Certificates */ + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 1, 1, X'308203b53082029da003020102020100300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131303134355a170d3134303930383131303134355a3045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100bff25f62ea3d566e58b3c87a49caf3ac61cfa96377734d842db3f8fd6ea023f7b0132e66265012317386729c6d7c427a8d9f167be138e8ebae2b12b95933baef36a315c3ddf224cee4bb9bd578135d0467382629621ff96b8d45f6e002e5083662dce181805c140b3f2ce93f83aee3c861cff610a39f0189cb3a3c7cb9bf7e2a09544e2170efaa18fdd4ff20fa94be176d7fecff821f68d17152041d9b46f0cfcfc1e4cf43de5d3f3a587763afe9267f53b11699b3264fc55c5189f5682871166cb98307950569641fa30ffb50de134fed2f973cef1a392827862bc4ddaa97bbb01442e293c41070d07224d4be47ae2753eb2bed4bc1da91c68ec780c4620f0f0203010001a381af3081ac300f0603551d130101ff040530030101ff300b0603551d0f040403020106301d0603551d0e041604145da7dd700651327ee7b66db3b5e5e060ea2e4def306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100300d06092a864886f70d010104050003820101009ad74e3e60592dfb9b21c78628bd76b63090c1720c74bf94753cad6fddadc9c776eb39d3bfaa52136bf528840078386308fcf79503bd3d1ad6c15ac38e10c846bff7888a03cfe7fa0e644b522b2af5aedf0bbc508dc48330a180757772771095059b2be148f58dc0c753b59e9d6bfb02e9b685a928a284531b187313fd2b835bc9ea27d0020739a8d485e88bdede9a45cde6d28ed553b0e8e92dabf877bed59abf9d151f15e4f2d00b5e6e49fcb665293d2296697926c2954dae367542ef6e98053e76d2728732f6ce69f284f0b856aa6c2823a9ee29b280a66f50828f9b5cf27f84feca3c31c24897db156c7a833768ab306f51286457a51f09dd53bbb4190f' +); + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=moon.strongswan.org */ + 1, 1, X'3082040d308202f5a003020102020103300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131313732355a170d3039303930393131313732355a3046310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311c301a060355040313136d6f6f6e2e7374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100afae2e109ac0a71b437b6f1a9e5194d085c999fe2c8de11b261f016c88e734eb1a6767b15bc7d8338bf3acc14e8a18bf857fd3dfbce637e9b0d3654f15d9068bdf4450517cf72651be8d4c8ff738ea961b2f5584bf7089afaa0a37b94910d18083bf649a7d395a41f04e68f14494d10ffc7d984a2c81e97f3421c1ec38c629b2456a3d8f3bf3915e86317ea71bb24422bef475e677e8967670b4f6ee2a80a45adcbd086a6537ab5fc12bf69f9072b620020de1880cec6cdea47543d1fec4c5ff547ac2447a1e210d9c128dc3337726eb63d5c1c731aa2c63ce175dbc8ebfb9c1e5198815be473781c3f82c2b59d23deb9739dda53c98d31a3fba57760aeaa89b0203010001a38201053082010130090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e04160414e5e410876c2ac4bead854942a6de7658303a9fc1306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100301e0603551d110417301582136d6f6f6e2e7374726f6e677377616e2e6f726730390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f7374726f6e677377616e2e63726c300d06092a864886f70d010104050003820101002f2f2921667aa576bb0c71b601dfa5b358a93e84e8a1af9754ddfbfc67879cb6c6b7833c5749e7c30b11a87b3549e105dda5d371c459f7d40fabd60c4ac8623924be84c96cfa638eb6ce9f6513b9d61080b895d270c405eacc310c709a613b6f61029c94f535ac5836b890be402ad2c52f01f7fd4bff8c0cc0cbea9720ef21c0bb41fb0726852a3c38563d917fdcca186dede6fbc83febd9edf0541382464ee378f7b8c9684df0d2402b07eb11dd4a886ab5e7299d99ea2686994746c2d9c00d95b02b2950d67f7978c6db5b379c4a3170239c414cf743bab866005366809690073a150e73c6866b9b335616acdbd3a8e651596dedb686b5d8d3eeb12df9d729' +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 1 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 2 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 3 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 4 +); + +/* Private Keys */ + +INSERT INTO private_keys ( + type, data +) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */ + 1, X'308204a30201000282010100afae2e109ac0a71b437b6f1a9e5194d085c999fe2c8de11b261f016c88e734eb1a6767b15bc7d8338bf3acc14e8a18bf857fd3dfbce637e9b0d3654f15d9068bdf4450517cf72651be8d4c8ff738ea961b2f5584bf7089afaa0a37b94910d18083bf649a7d395a41f04e68f14494d10ffc7d984a2c81e97f3421c1ec38c629b2456a3d8f3bf3915e86317ea71bb24422bef475e677e8967670b4f6ee2a80a45adcbd086a6537ab5fc12bf69f9072b620020de1880cec6cdea47543d1fec4c5ff547ac2447a1e210d9c128dc3337726eb63d5c1c731aa2c63ce175dbc8ebfb9c1e5198815be473781c3f82c2b59d23deb9739dda53c98d31a3fba57760aeaa89b0203010001028201004080550d67a42036945a377ab072078f5fef9b0885573a34fb941ab3bcb816e7d2f3f050600049d2f3296e5e32f5e50c3c79a852d74a377127a915e329845b30f3b26342e7fcde26d92d8bd4b7d23fdf08f02217f129e2838a8ce1d4b78ce33eaa2095515b74b93cc87c216fa3dc77bdc4d86017ababaf0d3318c9d86f27e29aa3301f6d7990f6f7f71db9de23ac66800ba0db4f42bbe82932ca56e08ba730c63febaf2779198cee387ee0934b32a2610ab990a4b908951bb1db2345cf1905f11aeaa6d1b368b7f82b1345ad14544e11d47d6981fc4be083326050cb950363dad1b28dbc16db42ec0fa973312c7306063bc9f308a6b0bcc965e5cb7e0b323ca102818100e71fffd9c9a528bdcb6e9ad1a5f4b354e3ea337392784aac790b4fba7f46b3b58d55965573f6493b686375cf6a0c68da9379434b055b625f01d64a9f1934cb075b25db5ef568325039674d577590b5ec54284842e04c27c97103a151805c9b620a3df84181e3a0c10752a7da6cac9629471a2bc85b32c3a160f3a8adf2d783d302818100c2968f5baf0d246bb9671b1dcfadab3a23cd6f9f1cba8c4b0d9b09d6c30a24eec174f22a4d9d2818d760b79a61c9cdd1381487723a99773a629b58171a6e28706bf083700f35037a0cb0649c9359987ccf77b44b4b3d94c614c74537c7025b503dc9967095411ecaec4b4427bc39dd5dfccbb8bab5d92e9465ab11e5e05d7319028181008b306e388e837461b89dc786f256c7991c18f31b6ade1eba77bb242cc071a7d0726954bbe9b62cac26559fa165d04b6536e3146f9dae4733c83b717d1705003051e81e90b56226cac18740c0a7009b4ed3efde74c7f7950e6f8d2c1d951c30477ebb8b428822b9b105e3f54a49a0365e6d7f895683f5b273019c3bbd663dfc190281807f5def6e12b1a682407405a2c8ba2356c5f2853a7fa2778bf4d6e364c87b4e5b5d138023427438b7b1da63b35088b808570dd0ee6afee2b4bbb074c382905235ebe11d176f4cc2fed3696e21b2ad358b947d04ed37cd9220e99ed966be0383e38cddf373b3ae514a7fca704d15fe46306bf4a8f0c570e7f5486ae6273269d89902818031055903f23c7db8da8951aad134c83a7ca951c48c9a7b994f36d9815bc82c80527b6da8e4beff9fee67b1fde5064719a40448bd6d70d9da8910122402835a328e74cfd34e8b568c29fae6ff831ef824fc825e609547a06052a4113ec09f00649bb7b7d195a773f11711c88f152b10a1b4ae58bb6d8bfc176e39f96c7c0de5c8' +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 3 +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 4 +); + +/* Configurations */ + +INSERT INTO ike_configs ( + local, remote +) VALUES ( + 'PH_IP_MOON', '0.0.0.0' +); + +INSERT INTO peer_configs ( + name, ike_cfg, local_id, remote_id, pool +) VALUES ( + 'rw', 1, 3, 5, 'bigpool' +); + +INSERT INTO child_configs ( + name, updown +) VALUES ( + 'rw', 'ipsec _updown iptables' +); + +INSERT INTO peer_config_child_config ( + peer_cfg, child_cfg +) VALUES ( + 1, 1 +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( /* 10.1.0.0/16 */ + 7, X'0a010000', X'0a01ffff' +); + +INSERT INTO traffic_selectors ( + type +) VALUES ( /* dynamic/32 */ + 7 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 1, 0 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 2, 3 +); + +/* Pools */ + +INSERT INTO pools ( + name, start, end, next, timeout +) VALUES ( + 'bigpool', X'0a030001', X'0a03fffe', X'0a030001', 0 +); diff --git a/testing/tests/sql/ip-pool-db/hosts/moon/etc/ipsec.secrets b/testing/tests/sql/ip-pool-db/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..76bb21bea --- /dev/null +++ b/testing/tests/sql/ip-pool-db/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +# secrets are read from SQLite database diff --git a/testing/tests/sql/ip-pool-db/hosts/moon/etc/strongswan.conf b/testing/tests/sql/ip-pool-db/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..5a35561ba --- /dev/null +++ b/testing/tests/sql/ip-pool-db/hosts/moon/etc/strongswan.conf @@ -0,0 +1,10 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + plugins { + sql { + database = sqlite:///etc/ipsec.d/ipsec.db + } + } + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke sqlite sql +} diff --git a/testing/tests/sql/ip-pool-db/posttest.dat b/testing/tests/sql/ip-pool-db/posttest.dat new file mode 100644 index 000000000..d4d57ad83 --- /dev/null +++ b/testing/tests/sql/ip-pool-db/posttest.dat @@ -0,0 +1,10 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +dave::/etc/init.d/iptables stop 2> /dev/null +moon::rm /etc/ipsec.d/ipsec.* +carol::rm /etc/ipsec.d/ipsec.* +dave::rm /etc/ipsec.d/ipsec.* +~ diff --git a/testing/tests/sql/ip-pool-db/pretest.dat b/testing/tests/sql/ip-pool-db/pretest.dat new file mode 100644 index 000000000..76316f33d --- /dev/null +++ b/testing/tests/sql/ip-pool-db/pretest.dat @@ -0,0 +1,18 @@ +moon::rm /etc/ipsec.d/cacerts/* +carol::rm /etc/ipsec.d/cacerts/* +dave::rm /etc/ipsec.d/cacerts/* +moon::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql +carol::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql +dave::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql +moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db +carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db +dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +dave::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +carol::ipsec start +dave::ipsec start +carol::sleep 1 +carol::ipsec up home +dave::ipsec up home diff --git a/testing/tests/sql/ip-pool-db/test.conf b/testing/tests/sql/ip-pool-db/test.conf new file mode 100644 index 000000000..75510b295 --- /dev/null +++ b/testing/tests/sql/ip-pool-db/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="alice moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/sql/net2net-cert/description.txt b/testing/tests/sql/net2net-cert/description.txt new file mode 100644 index 000000000..eca79f0bf --- /dev/null +++ b/testing/tests/sql/net2net-cert/description.txt @@ -0,0 +1,5 @@ +A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up. +The authentication is based on <b>X.509 certificates</b>. Upon the successful +establishment of the IPsec tunnel, automatically inserted iptables-based firewall rules +let pass the tunneled traffic. In order to test both tunnel and firewall, client <b>alice</b> +behind gateway <b>moon</b> pings client <b>bob</b> located behind gateway <b>sun</b>. diff --git a/testing/tests/sql/net2net-cert/evaltest.dat b/testing/tests/sql/net2net-cert/evaltest.dat new file mode 100644 index 000000000..e67c39a08 --- /dev/null +++ b/testing/tests/sql/net2net-cert/evaltest.dat @@ -0,0 +1,5 @@ +moon::ipsec statusall::net-net.*ESTABLISHED::YES +sun::ipsec statusall::net-net.*ESTABLISHED::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/sql/net2net-cert/hosts/moon/etc/ipsec.conf b/testing/tests/sql/net2net-cert/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..3bc29625f --- /dev/null +++ b/testing/tests/sql/net2net-cert/hosts/moon/etc/ipsec.conf @@ -0,0 +1,8 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +# configuration is read from SQLite database diff --git a/testing/tests/sql/net2net-cert/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/net2net-cert/hosts/moon/etc/ipsec.d/data.sql new file mode 100644 index 000000000..a5e0afcd7 --- /dev/null +++ b/testing/tests/sql/net2net-cert/hosts/moon/etc/ipsec.d/data.sql @@ -0,0 +1,140 @@ +/* Identities */ + +INSERT INTO identities ( + type, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 202, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* moon.strongswan.org */ + 2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* sun.strongswan.org */ + 2, X'73756e2e7374726f6e677377616e2e6f7267' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */ + 202, X'd70dbd46d5133519064f12f100525ead0802ca95' + ); + +/* Certificates */ + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 1, 1, X'308203b53082029da003020102020100300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131303134355a170d3134303930383131303134355a3045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100bff25f62ea3d566e58b3c87a49caf3ac61cfa96377734d842db3f8fd6ea023f7b0132e66265012317386729c6d7c427a8d9f167be138e8ebae2b12b95933baef36a315c3ddf224cee4bb9bd578135d0467382629621ff96b8d45f6e002e5083662dce181805c140b3f2ce93f83aee3c861cff610a39f0189cb3a3c7cb9bf7e2a09544e2170efaa18fdd4ff20fa94be176d7fecff821f68d17152041d9b46f0cfcfc1e4cf43de5d3f3a587763afe9267f53b11699b3264fc55c5189f5682871166cb98307950569641fa30ffb50de134fed2f973cef1a392827862bc4ddaa97bbb01442e293c41070d07224d4be47ae2753eb2bed4bc1da91c68ec780c4620f0f0203010001a381af3081ac300f0603551d130101ff040530030101ff300b0603551d0f040403020106301d0603551d0e041604145da7dd700651327ee7b66db3b5e5e060ea2e4def306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100300d06092a864886f70d010104050003820101009ad74e3e60592dfb9b21c78628bd76b63090c1720c74bf94753cad6fddadc9c776eb39d3bfaa52136bf528840078386308fcf79503bd3d1ad6c15ac38e10c846bff7888a03cfe7fa0e644b522b2af5aedf0bbc508dc48330a180757772771095059b2be148f58dc0c753b59e9d6bfb02e9b685a928a284531b187313fd2b835bc9ea27d0020739a8d485e88bdede9a45cde6d28ed553b0e8e92dabf877bed59abf9d151f15e4f2d00b5e6e49fcb665293d2296697926c2954dae367542ef6e98053e76d2728732f6ce69f284f0b856aa6c2823a9ee29b280a66f50828f9b5cf27f84feca3c31c24897db156c7a833768ab306f51286457a51f09dd53bbb4190f' +); + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=moon.strongswan.org */ + 1, 1, X'3082040d308202f5a003020102020103300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131313732355a170d3039303930393131313732355a3046310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311c301a060355040313136d6f6f6e2e7374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100afae2e109ac0a71b437b6f1a9e5194d085c999fe2c8de11b261f016c88e734eb1a6767b15bc7d8338bf3acc14e8a18bf857fd3dfbce637e9b0d3654f15d9068bdf4450517cf72651be8d4c8ff738ea961b2f5584bf7089afaa0a37b94910d18083bf649a7d395a41f04e68f14494d10ffc7d984a2c81e97f3421c1ec38c629b2456a3d8f3bf3915e86317ea71bb24422bef475e677e8967670b4f6ee2a80a45adcbd086a6537ab5fc12bf69f9072b620020de1880cec6cdea47543d1fec4c5ff547ac2447a1e210d9c128dc3337726eb63d5c1c731aa2c63ce175dbc8ebfb9c1e5198815be473781c3f82c2b59d23deb9739dda53c98d31a3fba57760aeaa89b0203010001a38201053082010130090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e04160414e5e410876c2ac4bead854942a6de7658303a9fc1306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100301e0603551d110417301582136d6f6f6e2e7374726f6e677377616e2e6f726730390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f7374726f6e677377616e2e63726c300d06092a864886f70d010104050003820101002f2f2921667aa576bb0c71b601dfa5b358a93e84e8a1af9754ddfbfc67879cb6c6b7833c5749e7c30b11a87b3549e105dda5d371c459f7d40fabd60c4ac8623924be84c96cfa638eb6ce9f6513b9d61080b895d270c405eacc310c709a613b6f61029c94f535ac5836b890be402ad2c52f01f7fd4bff8c0cc0cbea9720ef21c0bb41fb0726852a3c38563d917fdcca186dede6fbc83febd9edf0541382464ee378f7b8c9684df0d2402b07eb11dd4a886ab5e7299d99ea2686994746c2d9c00d95b02b2950d67f7978c6db5b379c4a3170239c414cf743bab866005366809690073a150e73c6866b9b335616acdbd3a8e651596dedb686b5d8d3eeb12df9d729' +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 1 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 2 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 3 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 5 +); + +/* Private Keys */ + +INSERT INTO private_keys ( + type, data +) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */ + 1, X'308204a30201000282010100afae2e109ac0a71b437b6f1a9e5194d085c999fe2c8de11b261f016c88e734eb1a6767b15bc7d8338bf3acc14e8a18bf857fd3dfbce637e9b0d3654f15d9068bdf4450517cf72651be8d4c8ff738ea961b2f5584bf7089afaa0a37b94910d18083bf649a7d395a41f04e68f14494d10ffc7d984a2c81e97f3421c1ec38c629b2456a3d8f3bf3915e86317ea71bb24422bef475e677e8967670b4f6ee2a80a45adcbd086a6537ab5fc12bf69f9072b620020de1880cec6cdea47543d1fec4c5ff547ac2447a1e210d9c128dc3337726eb63d5c1c731aa2c63ce175dbc8ebfb9c1e5198815be473781c3f82c2b59d23deb9739dda53c98d31a3fba57760aeaa89b0203010001028201004080550d67a42036945a377ab072078f5fef9b0885573a34fb941ab3bcb816e7d2f3f050600049d2f3296e5e32f5e50c3c79a852d74a377127a915e329845b30f3b26342e7fcde26d92d8bd4b7d23fdf08f02217f129e2838a8ce1d4b78ce33eaa2095515b74b93cc87c216fa3dc77bdc4d86017ababaf0d3318c9d86f27e29aa3301f6d7990f6f7f71db9de23ac66800ba0db4f42bbe82932ca56e08ba730c63febaf2779198cee387ee0934b32a2610ab990a4b908951bb1db2345cf1905f11aeaa6d1b368b7f82b1345ad14544e11d47d6981fc4be083326050cb950363dad1b28dbc16db42ec0fa973312c7306063bc9f308a6b0bcc965e5cb7e0b323ca102818100e71fffd9c9a528bdcb6e9ad1a5f4b354e3ea337392784aac790b4fba7f46b3b58d55965573f6493b686375cf6a0c68da9379434b055b625f01d64a9f1934cb075b25db5ef568325039674d577590b5ec54284842e04c27c97103a151805c9b620a3df84181e3a0c10752a7da6cac9629471a2bc85b32c3a160f3a8adf2d783d302818100c2968f5baf0d246bb9671b1dcfadab3a23cd6f9f1cba8c4b0d9b09d6c30a24eec174f22a4d9d2818d760b79a61c9cdd1381487723a99773a629b58171a6e28706bf083700f35037a0cb0649c9359987ccf77b44b4b3d94c614c74537c7025b503dc9967095411ecaec4b4427bc39dd5dfccbb8bab5d92e9465ab11e5e05d7319028181008b306e388e837461b89dc786f256c7991c18f31b6ade1eba77bb242cc071a7d0726954bbe9b62cac26559fa165d04b6536e3146f9dae4733c83b717d1705003051e81e90b56226cac18740c0a7009b4ed3efde74c7f7950e6f8d2c1d951c30477ebb8b428822b9b105e3f54a49a0365e6d7f895683f5b273019c3bbd663dfc190281807f5def6e12b1a682407405a2c8ba2356c5f2853a7fa2778bf4d6e364c87b4e5b5d138023427438b7b1da63b35088b808570dd0ee6afee2b4bbb074c382905235ebe11d176f4cc2fed3696e21b2ad358b947d04ed37cd9220e99ed966be0383e38cddf373b3ae514a7fca704d15fe46306bf4a8f0c570e7f5486ae6273269d89902818031055903f23c7db8da8951aad134c83a7ca951c48c9a7b994f36d9815bc82c80527b6da8e4beff9fee67b1fde5064719a40448bd6d70d9da8910122402835a328e74cfd34e8b568c29fae6ff831ef824fc825e609547a06052a4113ec09f00649bb7b7d195a773f11711c88f152b10a1b4ae58bb6d8bfc176e39f96c7c0de5c8' +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 3 +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 5 +); + +/* Configurations */ + +INSERT INTO ike_configs ( + local, remote +) VALUES ( + 'PH_IP_MOON', 'PH_IP_SUN' +); + +INSERT INTO peer_configs ( + name, ike_cfg, local_id, remote_id, mobike +) VALUES ( + 'net-net', 1, 3, 4, 0 +); + +INSERT INTO child_configs ( + name, updown +) VALUES ( + 'net-net', 'ipsec _updown iptables' +); + +INSERT INTO peer_config_child_config ( + peer_cfg, child_cfg +) VALUES ( + 1, 1 +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( + 7, X'0a010000', X'0a01ffff' +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( + 7, X'0a020000', X'0a02ffff' +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 1, 0 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 2, 1 +); + diff --git a/testing/tests/sql/net2net-cert/hosts/moon/etc/ipsec.secrets b/testing/tests/sql/net2net-cert/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..76bb21bea --- /dev/null +++ b/testing/tests/sql/net2net-cert/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +# secrets are read from SQLite database diff --git a/testing/tests/sql/net2net-cert/hosts/moon/etc/strongswan.conf b/testing/tests/sql/net2net-cert/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..5a35561ba --- /dev/null +++ b/testing/tests/sql/net2net-cert/hosts/moon/etc/strongswan.conf @@ -0,0 +1,10 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + plugins { + sql { + database = sqlite:///etc/ipsec.d/ipsec.db + } + } + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke sqlite sql +} diff --git a/testing/tests/sql/net2net-cert/hosts/sun/etc/ipsec.conf b/testing/tests/sql/net2net-cert/hosts/sun/etc/ipsec.conf new file mode 100755 index 000000000..3bc29625f --- /dev/null +++ b/testing/tests/sql/net2net-cert/hosts/sun/etc/ipsec.conf @@ -0,0 +1,8 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +# configuration is read from SQLite database diff --git a/testing/tests/sql/net2net-cert/hosts/sun/etc/ipsec.d/data.sql b/testing/tests/sql/net2net-cert/hosts/sun/etc/ipsec.d/data.sql new file mode 100644 index 000000000..0d772ef10 --- /dev/null +++ b/testing/tests/sql/net2net-cert/hosts/sun/etc/ipsec.d/data.sql @@ -0,0 +1,138 @@ +/* Identities */ + +INSERT INTO identities ( + type, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 202, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* moon.strongswan.org */ + 2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* sun.strongswan.org */ + 2, X'73756e2e7374726f6e677377616e2e6f7267' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=sun.strongswan.org' */ + 202, X'da9c6fa72dc33363ac09b99af29085bedd48dc27' + ); + +/* Certificates */ + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 1, 1, X'308203b53082029da003020102020100300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131303134355a170d3134303930383131303134355a3045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100bff25f62ea3d566e58b3c87a49caf3ac61cfa96377734d842db3f8fd6ea023f7b0132e66265012317386729c6d7c427a8d9f167be138e8ebae2b12b95933baef36a315c3ddf224cee4bb9bd578135d0467382629621ff96b8d45f6e002e5083662dce181805c140b3f2ce93f83aee3c861cff610a39f0189cb3a3c7cb9bf7e2a09544e2170efaa18fdd4ff20fa94be176d7fecff821f68d17152041d9b46f0cfcfc1e4cf43de5d3f3a587763afe9267f53b11699b3264fc55c5189f5682871166cb98307950569641fa30ffb50de134fed2f973cef1a392827862bc4ddaa97bbb01442e293c41070d07224d4be47ae2753eb2bed4bc1da91c68ec780c4620f0f0203010001a381af3081ac300f0603551d130101ff040530030101ff300b0603551d0f040403020106301d0603551d0e041604145da7dd700651327ee7b66db3b5e5e060ea2e4def306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100300d06092a864886f70d010104050003820101009ad74e3e60592dfb9b21c78628bd76b63090c1720c74bf94753cad6fddadc9c776eb39d3bfaa52136bf528840078386308fcf79503bd3d1ad6c15ac38e10c846bff7888a03cfe7fa0e644b522b2af5aedf0bbc508dc48330a180757772771095059b2be148f58dc0c753b59e9d6bfb02e9b685a928a284531b187313fd2b835bc9ea27d0020739a8d485e88bdede9a45cde6d28ed553b0e8e92dabf877bed59abf9d151f15e4f2d00b5e6e49fcb665293d2296697926c2954dae367542ef6e98053e76d2728732f6ce69f284f0b856aa6c2823a9ee29b280a66f50828f9b5cf27f84feca3c31c24897db156c7a833768ab306f51286457a51f09dd53bbb4190f' +); + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=sun.strongswan.org */ + 1, 1, X'3082040b308202f3a003020102020102300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131313535335a170d3039303930393131313535335a3045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b30190603550403131273756e2e7374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100e43c7e807d879059f76800e499104c936ea05e85033a2af751a1ed3a36eff83be29d35f92527b126817cf98d7c6a786af752130cb6756300ffbba3d036def0c10ab2c373b69d0942e6e9dacee7f26aeb40b1aca81e98012d3d97be570e34b7caa4c202d1f5903e33025fe3fc0c9e401b8b4780b2244982feba83dff6bea6be3609a963b85060051a424d4a54e2696c95949eceff70bbad4fc131716fc5439411d477f9709174e12a0537b848564712da8694a57441a68934e6c77d24fd76ce305da71ce6c41ede4463db9644619b8fcd5945688d93474db5ba677941effcdbdd58b739f7533c70418441d596d974d56cbd8637aeeaf217731a022f6fb4093cc70203010001a38201043082010030090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e041604143dc4b9320816f242645eb74bef575160eb3e6ad8306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100301d0603551d1104163014821273756e2e7374726f6e677377616e2e6f726730390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f7374726f6e677377616e2e63726c300d06092a864886f70d0101040500038201010019042ba2201ad12c30849a6b19dece33eadf0490066ec6b70cfcc509f1d7d51ee26720ecf5aa61d432be22051adfbec4bf553ba01d0495da663a8249ba00a3b4d2dfa56dedd515c11112ff41fa4edbe54f5addd27d9d0eab8f238aa0753152cc6513c22026444234f8b09dc762ce59bae72ebe8c5e331deb4381f152d1ed303dd2e4934cc05162397023c88cab4e56fb62e4494d3e6113e466b3c1944395e7b7bcca67bc9fa122c5cf2d3f70b14f750bc4240ef0f1cace0c26690e010a547572516bb2b753b8e8ddf27547c3727289a10f475879b7c426c37b1e4c1d39ef9b59644adc7bd4218ced313a54fcb4dbc525ad2c3426a130095c2cb5e8b670ccf080'); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 1 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 2 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 4 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 5 +); + +/* Private Keys */ + +INSERT INTO private_keys ( + type, data +) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=sun.strongswan.org' */ + 1, X'308204a30201000282010100e43c7e807d879059f76800e499104c936ea05e85033a2af751a1ed3a36eff83be29d35f92527b126817cf98d7c6a786af752130cb6756300ffbba3d036def0c10ab2c373b69d0942e6e9dacee7f26aeb40b1aca81e98012d3d97be570e34b7caa4c202d1f5903e33025fe3fc0c9e401b8b4780b2244982feba83dff6bea6be3609a963b85060051a424d4a54e2696c95949eceff70bbad4fc131716fc5439411d477f9709174e12a0537b848564712da8694a57441a68934e6c77d24fd76ce305da71ce6c41ede4463db9644619b8fcd5945688d93474db5ba677941effcdbdd58b739f7533c70418441d596d974d56cbd8637aeeaf217731a022f6fb4093cc702030100010282010023a787a38ef8a486496e07e5ae3bab9ac4876cfc9e7a71c7dd0accc2715e9f8acb65ffce820d67513a9d4966deeecb0cfac1e993ecd4fdb8643aede6530c14d43355a5cee7d234662d288f340f6c0163eae156b594c1ee3d2108198604041c4a1ddee90ddfacbeeabd0e39d1602f40988cf388994bade836def0470686d609949ff93a8f7e32e2a5240f915fcc684591e9330d2e786d11b08e14c0ed70543c072c74da083dc8a1a2480b5f071d03c97a2c11ac938f0737b3be09839d878c5bea84389ac80f103de90c8328411a6da9c3d0eb2d6a25a88cfc3f12bdd5f6653166fdb8768e51af726e6c586f157520d1aaaf6bd180a2e0a950cc0d60380cab31e102818100f5d01511e82f46b166e15ea10bd080c324ba7e23aac7f974c5ddf9e17bf857abd1ea7eab2b00c592ff7a038b0c1fe99d35fe8cc3314508d5bdcd957b9e8108bc0c8f01cee333bb7f1e6b79338d438837b4449a562847509448f6a9df05a9c6386150c41ff4dd721c08be8587943dacca45bb7a8b1e098e66604a103780a2c23f02818100edb1efa9d6b3d92a06f65ca3f0ccfb5ed8636192de6b12aeedca6a3f96eacee45291516f89bd162a825fc2c7b0ccee610879dff32303dd6a78029d856283765df57f8d0c87be5a4c964c6ff9b537f7f1cba2c761cca6ce26caeef646c109a0111c05626afdcedc97d5dbf1be73047a9cf08d8dc4ec21caad12950eee439f53790281800a60d9b2e2d9b42363539a9a34147e8b3eaebd0aa67840f9042da6123618bb22deff06901585b7d1c8058fc6bc2150ccb96de0e590dbf84e85effb22b8037ca9ebe1d1d2b95702d090293b79c8ba14333de2339df59f65308d901485fd0838fd426695913fd665adf7548bf0b87a8e241023a53de06bc8de5bac64d8e30e7c2302818100b4ba4445d88faaa0ffe6360e18bb62ad7cce23946e34ef61be3fd7853e148ef69fa90a484a6c50fc4560d652cb252662f4f4e5c892690fe332189af89e2ce2c51232c7662d9818447f4ae320f41ef8110b0a5b9b0ae6117d0173ac21a408d381eed251409476c2d757ae02231284e74d88c1b877702b49554af9b6fe86c00fd10281807709b9327a76fefb7af5b730564f463147db9a6291ee343d69922e00ade4f576e4344bd941b4a4ebadbb26cdf5b8902b9bf7efbff7183ede38bf9a7311ce0e35a699f784156d18949d6851bfcff0d96ab129c7bd4a08a9adb82664d74bf5f38e0c501457f3a34735ff524b746eabe422d35b11ead44848389b28c1396b0b35ff'); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 4 +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 5 +); + +/* Configurations */ + +INSERT INTO ike_configs ( + local, remote +) VALUES ( + 'PH_IP_SUN', 'PH_IP_MOON' +); + +INSERT INTO peer_configs ( + name, ike_cfg, local_id, remote_id, mobike +) VALUES ( + 'net-net', 1, 4, 3, 0 +); + +INSERT INTO child_configs ( + name, updown +) VALUES ( + 'net-net', 'ipsec _updown iptables' +); + +INSERT INTO peer_config_child_config ( + peer_cfg, child_cfg +) VALUES ( + 1, 1 +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( + 7, X'0a010000', X'0a01ffff' +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( + 7, X'0a020000', X'0a02ffff' +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 2, 0 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 1, 1 +); + diff --git a/testing/tests/sql/net2net-cert/hosts/sun/etc/ipsec.secrets b/testing/tests/sql/net2net-cert/hosts/sun/etc/ipsec.secrets new file mode 100644 index 000000000..76bb21bea --- /dev/null +++ b/testing/tests/sql/net2net-cert/hosts/sun/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +# secrets are read from SQLite database diff --git a/testing/tests/sql/net2net-cert/hosts/sun/etc/strongswan.conf b/testing/tests/sql/net2net-cert/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..5a35561ba --- /dev/null +++ b/testing/tests/sql/net2net-cert/hosts/sun/etc/strongswan.conf @@ -0,0 +1,10 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + plugins { + sql { + database = sqlite:///etc/ipsec.d/ipsec.db + } + } + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke sqlite sql +} diff --git a/testing/tests/sql/net2net-cert/posttest.dat b/testing/tests/sql/net2net-cert/posttest.dat new file mode 100644 index 000000000..13f7ede0a --- /dev/null +++ b/testing/tests/sql/net2net-cert/posttest.dat @@ -0,0 +1,6 @@ +moon::ipsec stop +sun::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +sun::/etc/init.d/iptables stop 2> /dev/null +moon::rm /etc/ipsec.d/ipsec.* +sun::rm /etc/ipsec.d/ipsec.* diff --git a/testing/tests/sql/net2net-cert/pretest.dat b/testing/tests/sql/net2net-cert/pretest.dat new file mode 100644 index 000000000..2ab18542f --- /dev/null +++ b/testing/tests/sql/net2net-cert/pretest.dat @@ -0,0 +1,12 @@ +moon::rm /etc/ipsec.d/cacerts/* +sun::rm /etc/ipsec.d/cacerts/* +moon::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql +sun::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql +moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db +sun::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db +moon::/etc/init.d/iptables start 2> /dev/null +sun::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +sun::ipsec start +moon::sleep 1 +moon::ipsec up net-net diff --git a/testing/tests/ikev2/nat-double-snat/test.conf b/testing/tests/sql/net2net-cert/test.conf index 1ca2ffe5a..d9a61590f 100644 --- a/testing/tests/ikev2/nat-double-snat/test.conf +++ b/testing/tests/sql/net2net-cert/test.conf @@ -10,12 +10,12 @@ UMLHOSTS="alice moon winnetou sun bob" # Corresponding block diagram # DIAGRAM="a-m-w-s-b.png" - + # UML instances on which tcpdump is to be started # -TCPDUMPHOSTS="moon" +TCPDUMPHOSTS="sun" # UML instances on which IPsec is started # Used for IPsec logging purposes # -IPSECHOSTS="alice bob" +IPSECHOSTS="moon sun" diff --git a/testing/tests/sql/net2net-psk/description.txt b/testing/tests/sql/net2net-psk/description.txt new file mode 100644 index 000000000..7c645b94f --- /dev/null +++ b/testing/tests/sql/net2net-psk/description.txt @@ -0,0 +1,5 @@ +A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up. +The authentication is based on <b>Preshared Keys</b> (PSK). Upon the successful +establishment of the IPsec tunnel, automatically inserted iptables-based firewall rules +let pass the tunneled traffic. In order to test both tunnel and firewall, client <b>alice</b> +behind gateway <b>moon</b> pings client <b>bob</b> located behind gateway <b>sun</b>. diff --git a/testing/tests/sql/net2net-psk/evaltest.dat b/testing/tests/sql/net2net-psk/evaltest.dat new file mode 100644 index 000000000..e67c39a08 --- /dev/null +++ b/testing/tests/sql/net2net-psk/evaltest.dat @@ -0,0 +1,5 @@ +moon::ipsec statusall::net-net.*ESTABLISHED::YES +sun::ipsec statusall::net-net.*ESTABLISHED::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/sql/net2net-psk/hosts/moon/etc/ipsec.conf b/testing/tests/sql/net2net-psk/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..3bc29625f --- /dev/null +++ b/testing/tests/sql/net2net-psk/hosts/moon/etc/ipsec.conf @@ -0,0 +1,8 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +# configuration is read from SQLite database diff --git a/testing/tests/sql/net2net-psk/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/net2net-psk/hosts/moon/etc/ipsec.d/data.sql new file mode 100644 index 000000000..aa6e84c48 --- /dev/null +++ b/testing/tests/sql/net2net-psk/hosts/moon/etc/ipsec.d/data.sql @@ -0,0 +1,90 @@ +/* Identities */ + +INSERT INTO identities ( + type, data +) VALUES ( /* moon.strongswan.org */ + 2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* sun.strongswan.org */ + 2, X'73756e2e7374726f6e677377616e2e6f7267' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* %any */ + 0, '%any' + ); + +/* Shared Secrets */ + +INSERT INTO shared_secrets ( + type, data +) VALUES ( + 1, X'bfe364c58f4b2d9bf08f8a820b6a3f806ad60c5d9ddb58cb' +); + +INSERT INTO shared_secret_identity ( + shared_secret, identity +) VALUES ( + 1, 1 +); + +INSERT INTO shared_secret_identity ( + shared_secret, identity +) VALUES ( + 1, 2 +); + +/* Configurations */ + +INSERT INTO ike_configs ( + local, remote +) VALUES ( + 'PH_IP_MOON', 'PH_IP_SUN' +); + +INSERT INTO peer_configs ( + name, ike_cfg, local_id, remote_id, auth_method, mobike +) VALUES ( + 'net-net', 1, 1, 2, 2, 0 +); + +INSERT INTO child_configs ( + name, updown +) VALUES ( + 'net-net', 'ipsec _updown iptables' +); + +INSERT INTO peer_config_child_config ( + peer_cfg, child_cfg +) VALUES ( + 1, 1 +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( + 7, X'0a010000', X'0a01ffff' +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( + 7, X'0a020000', X'0a02ffff' +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 1, 0 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 2, 1 +); + diff --git a/testing/tests/sql/net2net-psk/hosts/moon/etc/ipsec.secrets b/testing/tests/sql/net2net-psk/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..76bb21bea --- /dev/null +++ b/testing/tests/sql/net2net-psk/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +# secrets are read from SQLite database diff --git a/testing/tests/sql/net2net-psk/hosts/moon/etc/strongswan.conf b/testing/tests/sql/net2net-psk/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..1a4ac234e --- /dev/null +++ b/testing/tests/sql/net2net-psk/hosts/moon/etc/strongswan.conf @@ -0,0 +1,10 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + plugins { + sql { + database = sqlite:///etc/ipsec.d/ipsec.db + } + } + load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke sqlite sql +} diff --git a/testing/tests/sql/net2net-psk/hosts/sun/etc/ipsec.conf b/testing/tests/sql/net2net-psk/hosts/sun/etc/ipsec.conf new file mode 100755 index 000000000..3bc29625f --- /dev/null +++ b/testing/tests/sql/net2net-psk/hosts/sun/etc/ipsec.conf @@ -0,0 +1,8 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +# configuration is read from SQLite database diff --git a/testing/tests/sql/net2net-psk/hosts/sun/etc/ipsec.d/data.sql b/testing/tests/sql/net2net-psk/hosts/sun/etc/ipsec.d/data.sql new file mode 100644 index 000000000..7c2865fd8 --- /dev/null +++ b/testing/tests/sql/net2net-psk/hosts/sun/etc/ipsec.d/data.sql @@ -0,0 +1,84 @@ +/* Identities */ + +INSERT INTO identities ( + type, data +) VALUES ( /* moon.strongswan.org */ + 2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* sun.strongswan.org */ + 2, X'73756e2e7374726f6e677377616e2e6f7267' + ); + +/* Shared Secrets */ + +INSERT INTO shared_secrets ( + type, data +) VALUES ( + 1, X'bfe364c58f4b2d9bf08f8a820b6a3f806ad60c5d9ddb58cb' +); + +INSERT INTO shared_secret_identity ( + shared_secret, identity +) VALUES ( + 1, 1 +); + +INSERT INTO shared_secret_identity ( + shared_secret, identity +) VALUES ( + 1, 2 +); + +/* Configurations */ + +INSERT INTO ike_configs ( + local, remote +) VALUES ( + 'PH_IP_SUN', 'PH_IP_MOON' +); + +INSERT INTO peer_configs ( + name, ike_cfg, local_id, remote_id, auth_method, mobike +) VALUES ( + 'net-net', 1, 2, 1, 2, 0 +); + +INSERT INTO child_configs ( + name, updown +) VALUES ( + 'net-net', 'ipsec _updown iptables' +); + +INSERT INTO peer_config_child_config ( + peer_cfg, child_cfg +) VALUES ( + 1, 1 +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( + 7, X'0a010000', X'0a01ffff' +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( + 7, X'0a020000', X'0a02ffff' +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 2, 0 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 1, 1 +); + diff --git a/testing/tests/sql/net2net-psk/hosts/sun/etc/ipsec.secrets b/testing/tests/sql/net2net-psk/hosts/sun/etc/ipsec.secrets new file mode 100644 index 000000000..76bb21bea --- /dev/null +++ b/testing/tests/sql/net2net-psk/hosts/sun/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +# secrets are read from SQLite database diff --git a/testing/tests/sql/net2net-psk/hosts/sun/etc/strongswan.conf b/testing/tests/sql/net2net-psk/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..1a4ac234e --- /dev/null +++ b/testing/tests/sql/net2net-psk/hosts/sun/etc/strongswan.conf @@ -0,0 +1,10 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + plugins { + sql { + database = sqlite:///etc/ipsec.d/ipsec.db + } + } + load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke sqlite sql +} diff --git a/testing/tests/sql/net2net-psk/posttest.dat b/testing/tests/sql/net2net-psk/posttest.dat new file mode 100644 index 000000000..13f7ede0a --- /dev/null +++ b/testing/tests/sql/net2net-psk/posttest.dat @@ -0,0 +1,6 @@ +moon::ipsec stop +sun::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +sun::/etc/init.d/iptables stop 2> /dev/null +moon::rm /etc/ipsec.d/ipsec.* +sun::rm /etc/ipsec.d/ipsec.* diff --git a/testing/tests/sql/net2net-psk/pretest.dat b/testing/tests/sql/net2net-psk/pretest.dat new file mode 100644 index 000000000..2ab18542f --- /dev/null +++ b/testing/tests/sql/net2net-psk/pretest.dat @@ -0,0 +1,12 @@ +moon::rm /etc/ipsec.d/cacerts/* +sun::rm /etc/ipsec.d/cacerts/* +moon::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql +sun::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql +moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db +sun::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db +moon::/etc/init.d/iptables start 2> /dev/null +sun::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +sun::ipsec start +moon::sleep 1 +moon::ipsec up net-net diff --git a/testing/tests/sql/net2net-psk/test.conf b/testing/tests/sql/net2net-psk/test.conf new file mode 100644 index 000000000..d9a61590f --- /dev/null +++ b/testing/tests/sql/net2net-psk/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" diff --git a/testing/tests/sql/rw-cert/description.txt b/testing/tests/sql/rw-cert/description.txt new file mode 100644 index 000000000..ee706e053 --- /dev/null +++ b/testing/tests/sql/rw-cert/description.txt @@ -0,0 +1,6 @@ +The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each +to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>. +Upon the successful establishment of the IPsec tunnels, automatically inserted +iptables-based firewall rules let pass the tunneled traffic. +In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping +the client <b>alice</b> behind the gateway <b>moon</b>. diff --git a/testing/tests/sql/rw-cert/evaltest.dat b/testing/tests/sql/rw-cert/evaltest.dat new file mode 100644 index 000000000..06a0f8cda --- /dev/null +++ b/testing/tests/sql/rw-cert/evaltest.dat @@ -0,0 +1,10 @@ +moon::ipsec statusall::rw.*ESTABLISHED::YES +carol::ipsec statusall::home.*ESTABLISHED::YES +dave::ipsec statusall::home.*ESTABLISHED::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES + diff --git a/testing/tests/sql/rw-cert/hosts/carol/etc/ipsec.conf b/testing/tests/sql/rw-cert/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..3bc29625f --- /dev/null +++ b/testing/tests/sql/rw-cert/hosts/carol/etc/ipsec.conf @@ -0,0 +1,8 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +# configuration is read from SQLite database diff --git a/testing/tests/sql/rw-cert/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/rw-cert/hosts/carol/etc/ipsec.d/data.sql new file mode 100644 index 000000000..ef9c228e1 --- /dev/null +++ b/testing/tests/sql/rw-cert/hosts/carol/etc/ipsec.d/data.sql @@ -0,0 +1,140 @@ +/* Identities */ + +INSERT INTO identities ( + type, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 202, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* carol@strongswan.org */ + 3, X'6361726f6c407374726f6e677377616e2e6f7267' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=carol@strongswan.org' */ + 202, X'985c23660cd9b9a7554da6a4aa31ea02230fd482' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* moon.strongswan.org */ + 2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267' + ); + +/* Certificates */ + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 1, 1, X'308203b53082029da003020102020100300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131303134355a170d3134303930383131303134355a3045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100bff25f62ea3d566e58b3c87a49caf3ac61cfa96377734d842db3f8fd6ea023f7b0132e66265012317386729c6d7c427a8d9f167be138e8ebae2b12b95933baef36a315c3ddf224cee4bb9bd578135d0467382629621ff96b8d45f6e002e5083662dce181805c140b3f2ce93f83aee3c861cff610a39f0189cb3a3c7cb9bf7e2a09544e2170efaa18fdd4ff20fa94be176d7fecff821f68d17152041d9b46f0cfcfc1e4cf43de5d3f3a587763afe9267f53b11699b3264fc55c5189f5682871166cb98307950569641fa30ffb50de134fed2f973cef1a392827862bc4ddaa97bbb01442e293c41070d07224d4be47ae2753eb2bed4bc1da91c68ec780c4620f0f0203010001a381af3081ac300f0603551d130101ff040530030101ff300b0603551d0f040403020106301d0603551d0e041604145da7dd700651327ee7b66db3b5e5e060ea2e4def306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100300d06092a864886f70d010104050003820101009ad74e3e60592dfb9b21c78628bd76b63090c1720c74bf94753cad6fddadc9c776eb39d3bfaa52136bf528840078386308fcf79503bd3d1ad6c15ac38e10c846bff7888a03cfe7fa0e644b522b2af5aedf0bbc508dc48330a180757772771095059b2be148f58dc0c753b59e9d6bfb02e9b685a928a284531b187313fd2b835bc9ea27d0020739a8d485e88bdede9a45cde6d28ed553b0e8e92dabf877bed59abf9d151f15e4f2d00b5e6e49fcb665293d2296697926c2954dae367542ef6e98053e76d2728732f6ce69f284f0b856aa6c2823a9ee29b280a66f50828f9b5cf27f84feca3c31c24897db156c7a833768ab306f51286457a51f09dd53bbb4190f' +); + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=carol@strongswan.org */ + 1, 1, X'308204223082030aa00302010202010a300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3035303130313231343331385a170d3039313233313231343331385a305a310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e3111300f060355040b13085265736561726368311d301b060355040314146361726f6c407374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100b81b84920408e086c8d278d3ad2e9ffc01b89e8c423b612b908010f8174ff96f6729e84b185fb96e60783082c507ace9d64f79beb0252e05e5f1f7a89a0b33e6789f5deb665084cb230191c165bcad1a34563e011b349bb6ab517f01ecf7e2f4de961d36203b85e97811cb26b650cfd014d15dd2d2b71efd656e5638a24bf70986b8128bbae5f3b428d6360e03d3f4e816502e3d1d14d7165ab1a92a9fe15ef045d4e48ff5bd798ec80c9420962c9a9798b54a0ed2a00cf2c9651d7d9882e181c1ef6b1c43edcada2fd191e109962dbd26f38a00208c1ac3ed27a5924c60330c79878eb5c7a90960a6472f979aca9c5aee2bb4d0aed395b546c5e361910a06370203010001a38201063082010230090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e041604145535eca6eba279baef887f18438fd227b16746d1306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100301f0603551d110418301681146361726f6c407374726f6e677377616e2e6f726730390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f7374726f6e677377616e2e63726c300d06092a864886f70d01010405000382010100b1304a7e65d72573468853e8cedd398bf3581cc1e6b4054b9c8d97c3caf0929035dc5e274e7b3fa5fef52e7860bb06aab5ba40c5f1ca55806b4cd873f133ded948b3c89cc81621e2eadee5fc893b48a34e4462a45ab09c41200918f68ea36babfacf4099aa349b8b65841eb1e416b90e4eb462edd786cdb0008565633a701fcd2c416ae8e4754c5bea3181736179aa901e5526c4fac031ce649d851c85ded514c25e3269b0739a879d273950e1a9ea8341b5e1049c07181792ad37da02aeccd555c56469e8e15a9e72860b520dbec05662d37adb08d79575e133f338b0116198fa5fb556fe02682bd634aca535f6750b0daa123f5ad36f2e67caa260587f1aa9' +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 1 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 2 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 3 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 4 +); + +/* Private Keys */ + +INSERT INTO private_keys ( + type, data +) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=carol@strongswan.org' */ + 1, X'308204a30201000282010100b81b84920408e086c8d278d3ad2e9ffc01b89e8c423b612b908010f8174ff96f6729e84b185fb96e60783082c507ace9d64f79beb0252e05e5f1f7a89a0b33e6789f5deb665084cb230191c165bcad1a34563e011b349bb6ab517f01ecf7e2f4de961d36203b85e97811cb26b650cfd014d15dd2d2b71efd656e5638a24bf70986b8128bbae5f3b428d6360e03d3f4e816502e3d1d14d7165ab1a92a9fe15ef045d4e48ff5bd798ec80c9420962c9a9798b54a0ed2a00cf2c9651d7d9882e181c1ef6b1c43edcada2fd191e109962dbd26f38a00208c1ac3ed27a5924c60330c79878eb5c7a90960a6472f979aca9c5aee2bb4d0aed395b546c5e361910a063702030100010282010100a7870abc1f85c061858dd7baae24f61947abaa41f0e6bd85f9c83f28b175e980d0bc168f76cf6c199f18def3afbc4b40c0edb2d7accb3834cfc7bd57234d3c5de4b707ac737ea3478144255079761581f9cbdc41ff72809ad90ba069ad2ae7cf7057e29ee4f7a4e40c890c75de826c8768da16e9072af0bd1db6282902ade34cb1b9c3fdd00a8f0330328e18d477009ac5a43952fe05b7257b8b4e7f8f5288e858ef56ea3a031980d38b879e6327d949a8f3c19bf379c1297b3defc0a374a6ea6f1c0e8124247c33392ae446081f486f58bb41cbcba25915d37eefe0828408f7f679841588424ef59b6dee30805b926fa80e7ff57cb4817167ca72bf51c8cf9102818100da567b0cbbc426e4455ffdd1b8013644d9f47785b05b163a0155c81d57c0cd84fe73aa75125caf116de50b7adc369707ed91127db7d4422bb08cff5ddf91f4a0e5fb264e098fe6fe62f8a2ab933eeac41893f365d8165f79143855b5a5b7dc31c9b34a9d453ee7c8d7b24f89e3ed51bfeadc2e1102308a967b241dfb44c8ad6902818100d7dd78437c533a15fd1dd6b0634334e79c31d215017f5a8869e42cbada3fb09167585e087e72f91575441f7cca9a64246df57f0e45f1ae86a289a4307586aa1cc3cd069c65057cc3b0baac3634064e53179bde9af2531a5af2770a1d7ccbdc263f18299ad2ec0d224b718002633a546af74c7cac72ccdf253ab4370137bf829f02818063b2f5c15cc43716296fa9d167fa75b37eeb18e0dd24dac365f4abca6a55ca031ec5e6624b1e337afbf9890273282253267206458df9c8b5768b0bd8ebcc142e9c95d069f607d5ecf7789d9f473f85a841a8dd8df5dc518052715f01f14841ae22725271fa3abd5082de135fddca7277f660d05047f5ae73048bfb7ccf6deb7102818028b2b4ade48ebc70d0dc03521624e1a0992e3b71826ac462dbb40d4add430cc31d3ce7ddaa197b24b48b37748bae381b363006d8660f7edc1b60dff7d2f0a4b9efa0841290694c7088ad69327ef48167e1179e0c908b6278ab260e5e28dd36906f6cdacb39e10f48dbf8762dfd0f4e432c84db2c98285019f0cb7163656351f902818042a7d7d7f9416b3f3b50cf5815dfbc249cd3572e494c76d1ae99dc1e8bc63fbb32e5c18d5c4f90681e9046999cdcf0826f904350b9d67227f606382d9c7b3b1332d22744b2cefa691ab82dbec8e976a406b0902d0f4889392f80d39e2581ac42feed9085964650485e34811b04fa1f34c47cde5cbdd1d20f30111851a3c187ca' +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 3 +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 4 +); + +/* Configurations */ + +INSERT INTO ike_configs ( + local, remote +) VALUES ( + 'PH_IP_CAROL', 'PH_IP_MOON' +); + +INSERT INTO peer_configs ( + name, ike_cfg, local_id, remote_id +) VALUES ( + 'home', 1, 3, 5 +); + +INSERT INTO child_configs ( + name, updown +) VALUES ( + 'home', 'ipsec _updown iptables' +); + +INSERT INTO peer_config_child_config ( + peer_cfg, child_cfg +) VALUES ( + 1, 1 +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( /* 10.1.0.0/16 */ + 7, X'0a010000', X'0a01ffff' +); + +INSERT INTO traffic_selectors ( + type +) VALUES ( /* dynamic/32 */ + 7 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 1, 1 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 2, 2 +); + diff --git a/testing/tests/sql/rw-cert/hosts/carol/etc/ipsec.secrets b/testing/tests/sql/rw-cert/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..76bb21bea --- /dev/null +++ b/testing/tests/sql/rw-cert/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +# secrets are read from SQLite database diff --git a/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..5a35561ba --- /dev/null +++ b/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf @@ -0,0 +1,10 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + plugins { + sql { + database = sqlite:///etc/ipsec.d/ipsec.db + } + } + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke sqlite sql +} diff --git a/testing/tests/sql/rw-cert/hosts/dave/etc/ipsec.conf b/testing/tests/sql/rw-cert/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..3bc29625f --- /dev/null +++ b/testing/tests/sql/rw-cert/hosts/dave/etc/ipsec.conf @@ -0,0 +1,8 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +# configuration is read from SQLite database diff --git a/testing/tests/sql/rw-cert/hosts/dave/etc/ipsec.d/data.sql b/testing/tests/sql/rw-cert/hosts/dave/etc/ipsec.d/data.sql new file mode 100644 index 000000000..5a4bbd5c0 --- /dev/null +++ b/testing/tests/sql/rw-cert/hosts/dave/etc/ipsec.d/data.sql @@ -0,0 +1,140 @@ +/* Identities */ + +INSERT INTO identities ( + type, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 202, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* dave@strongswan.org */ + 3, X'64617665407374726f6e677377616e2e6f7267' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=dave@strongswan.org' */ + 202, X'f651b7ea33148cc5a76a622f1c1eb16c6bbdea25' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* moon.strongswan.org */ + 2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267' + ); + +/* Certificates */ + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 1, 1, X'308203b53082029da003020102020100300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131303134355a170d3134303930383131303134355a3045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100bff25f62ea3d566e58b3c87a49caf3ac61cfa96377734d842db3f8fd6ea023f7b0132e66265012317386729c6d7c427a8d9f167be138e8ebae2b12b95933baef36a315c3ddf224cee4bb9bd578135d0467382629621ff96b8d45f6e002e5083662dce181805c140b3f2ce93f83aee3c861cff610a39f0189cb3a3c7cb9bf7e2a09544e2170efaa18fdd4ff20fa94be176d7fecff821f68d17152041d9b46f0cfcfc1e4cf43de5d3f3a587763afe9267f53b11699b3264fc55c5189f5682871166cb98307950569641fa30ffb50de134fed2f973cef1a392827862bc4ddaa97bbb01442e293c41070d07224d4be47ae2753eb2bed4bc1da91c68ec780c4620f0f0203010001a381af3081ac300f0603551d130101ff040530030101ff300b0603551d0f040403020106301d0603551d0e041604145da7dd700651327ee7b66db3b5e5e060ea2e4def306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100300d06092a864886f70d010104050003820101009ad74e3e60592dfb9b21c78628bd76b63090c1720c74bf94753cad6fddadc9c776eb39d3bfaa52136bf528840078386308fcf79503bd3d1ad6c15ac38e10c846bff7888a03cfe7fa0e644b522b2af5aedf0bbc508dc48330a180757772771095059b2be148f58dc0c753b59e9d6bfb02e9b685a928a284531b187313fd2b835bc9ea27d0020739a8d485e88bdede9a45cde6d28ed553b0e8e92dabf877bed59abf9d151f15e4f2d00b5e6e49fcb665293d2296697926c2954dae367542ef6e98053e76d2728732f6ce69f284f0b856aa6c2823a9ee29b280a66f50828f9b5cf27f84feca3c31c24897db156c7a833768ab306f51286457a51f09dd53bbb4190f' +); + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=dave@strongswan.org */ + 1, 1, X'308204223082030aa003020102020108300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131323635315a170d3039303930393131323635315a305b310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e31133011060355040b130a4163636f756e74696e67311c301a0603550403141364617665407374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100c66c299463a8a78abef5ffa45679b7a070b5139834b146aa5138d0f1d8845412e112e4429ceeab23473e395e8aa38b2c024118d85b7ddf504118eabedf9c793bd02c949d6799cabeefe03ff62e304ddec98313afd966bcf13f1fb1a619548a060e17fbede205225b574e679adc9f11bdf9e36b48bea058d360d62b8445f9524db98757a4d59865363c675d28667a5dfa967dd03eea23a2dbea32ab0e9a1f8bb885f5e12723113843a12dd00552fcd4f548b31174aab2610e4a8752f6fca95494584db65cc7bd1ef50ee0d8c8211efb5063a995801cc0c1a903042b7ff7c94094a0de5d7390a8f72a01949cd958c6f2012692bd5dba6f30b09c3c0b69622864450203010001a38201053082010130090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e04160414de90b5d11c6c643c7450d36af8886ca31938fb72306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100301e0603551d1104173015811364617665407374726f6e677377616e2e6f726730390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f7374726f6e677377616e2e63726c300d06092a864886f70d0101040500038201010027a2d727384d2d2432f2f15875fa7693db3af1c7d5317cc21e1658f0843a918875d22c301b08e9c05a8aa3f02f6b8ae6705bb508988210f494fd19d92db786db21c1b6e6b18c0b7baa3fbd427da033fd2c08659daf9bc26dd99cf348c1ec139a9b8c32110199eaea08913f6b3a3d5b0c3d2a6f1f7e2c45b13452858949db416493f96dbf93e2173d81f99bc937b0c0c9e3874f4a90626a571295502ff5cf553dcdbdd7d4673dcbecc8ebbfc3e3ac0ce8a75120d6aa3dd2b6e9a61114cfbf0cba137c5934eddb32cfb96dd02fbf8adc903afa5f8d5959fce7a94fdd9e5a7a3816e35126e50fe7f818887bd2b2365b6b3a86d36a86849e9582d193e6a20b513988' +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 1 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 2 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 3 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 4 +); + +/* Private Keys */ + +INSERT INTO private_keys ( + type, data +) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=dave@strongswan.org' */ + 1, X'308204a40201000282010100c66c299463a8a78abef5ffa45679b7a070b5139834b146aa5138d0f1d8845412e112e4429ceeab23473e395e8aa38b2c024118d85b7ddf504118eabedf9c793bd02c949d6799cabeefe03ff62e304ddec98313afd966bcf13f1fb1a619548a060e17fbede205225b574e679adc9f11bdf9e36b48bea058d360d62b8445f9524db98757a4d59865363c675d28667a5dfa967dd03eea23a2dbea32ab0e9a1f8bb885f5e12723113843a12dd00552fcd4f548b31174aab2610e4a8752f6fca95494584db65cc7bd1ef50ee0d8c8211efb5063a995801cc0c1a903042b7ff7c94094a0de5d7390a8f72a01949cd958c6f2012692bd5dba6f30b09c3c0b696228644502030100010282010100903fb9caa2d8cd5454974a0e12bfd1fad5750e95ac58e462954194c4fcfed690130844e1186d7a04df9a20e2d62f26d20ba17f8a6a990b6bb0a788a0d2b7527b654fc38adaf2372eaffc7b036178c4639e63a84042f02993c8ac25ddf6b43ad34413b396b0a5c2e05c8c274db1ee025bf5fa9ad7fb9d5e75ed044606974835c7fbc39ae84b80acaae9e9624e6fe8ac0ca318ad8a7d1c6ed3a79261464e6ebdb9c02ef20cb1c206c58718d542ed9cb1428c5c3cebbd58dc25598bbdd9924c75fdfeac881949e5f10a7dd4dc25800bdb4bd479ca0bfb706f25847361b2d2565a412813273691b4a3a5a814dce52cdbe25d626e6c9e000ecd6a75cac275187e265102818100e596d3ee25cd98563b12bf718c0ce7e7a823ae8c84f1021552b6b0bf220b7e012861510ab49d612fe7ba05a202edf4927201af0f33f4137481811f884fc46723f94db8ed69b283376f3141ad7e6f0f52afee60e537111c5bd94642564981a822e54edb6797521fb5870c772993ff517ea9c24adcd9dc502f1364d26a3f05ec4f02818100dd3f81e8a4f463488db2b048f2ef208c1c98ee136636b6449cbd3424c93ab25916908823a1ef3a23b4798c77f92a3e29b9469f8014c6b862e23ab5fe6000f9552de01f72c0a1fcc731b0867a3bf1d27596fc9da6ecd74931ce120b1687d2a67b4e4fb32b7fb750b46645aa38ab011a4d5fedd53d20e5ae3a4a5551b6cc5f5d2b02818100ba744b9954ca2bb59c341596398f21a7593de13bed9b6d7db3b6fac3befa6652ba608e588b6664cf6afa00291b07f5601986948d5c3c14b0c19c03e7c82051433dec890b06941b4ca1d8f6e5d7908a7934b7fba92b9791d86614513b9266e20db4fcdde2bb59ceb6b5fec1a7dab1b7958e786424082a8c542f03ea7eaec038b1028180055e2312b7ddce02d69d3d35a7df3154f4e4a8f2038ad44539e0454197383b5779faabb2e19ce236378cb361bdc3ce9a488a74183168d8d45d54bb519e96a775ef94fe6e544a19cde360bb02802dcfc356946e66bc5c44c456918d7f507045e5bbf2a710291b13742cff07b03445e49377fe572c127e4009ddffcfe9b56fa2dd02818040d41f525d885c951dca35924f46e4e7f4e43f4ea2e670230deb674884f5b8599a368b1647dd87523c4fdb62661f6543edecc9ce48d4a7b8b2a29de21fd438a9cf4823b92c85180b390c4f8dfbc196628d349fed1edd32cba5c063e2739d2153d3677d4815e55b8b4e9d0989b32cf0060de2ded4cd59edf6a4364cb55aff9276' +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 3 +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 4 +); + +/* Configurations */ + +INSERT INTO ike_configs ( + local, remote +) VALUES ( + 'PH_IP_DAVE', 'PH_IP_MOON' +); + +INSERT INTO peer_configs ( + name, ike_cfg, local_id, remote_id +) VALUES ( + 'home', 1, 3, 5 +); + +INSERT INTO child_configs ( + name, updown +) VALUES ( + 'home', 'ipsec _updown iptables' +); + +INSERT INTO peer_config_child_config ( + peer_cfg, child_cfg +) VALUES ( + 1, 1 +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( /* 10.1.0.0/16 */ + 7, X'0a010000', X'0a01ffff' +); + +INSERT INTO traffic_selectors ( + type +) VALUES ( /* dynamic/32 */ + 7 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 1, 1 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 2, 2 +); + diff --git a/testing/tests/sql/rw-cert/hosts/dave/etc/ipsec.secrets b/testing/tests/sql/rw-cert/hosts/dave/etc/ipsec.secrets new file mode 100644 index 000000000..76bb21bea --- /dev/null +++ b/testing/tests/sql/rw-cert/hosts/dave/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +# secrets are read from SQLite database diff --git a/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..5a35561ba --- /dev/null +++ b/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf @@ -0,0 +1,10 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + plugins { + sql { + database = sqlite:///etc/ipsec.d/ipsec.db + } + } + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke sqlite sql +} diff --git a/testing/tests/sql/rw-cert/hosts/moon/etc/ipsec.conf b/testing/tests/sql/rw-cert/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..3bc29625f --- /dev/null +++ b/testing/tests/sql/rw-cert/hosts/moon/etc/ipsec.conf @@ -0,0 +1,8 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +# configuration is read from SQLite database diff --git a/testing/tests/sql/rw-cert/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/rw-cert/hosts/moon/etc/ipsec.d/data.sql new file mode 100644 index 000000000..67570add2 --- /dev/null +++ b/testing/tests/sql/rw-cert/hosts/moon/etc/ipsec.d/data.sql @@ -0,0 +1,140 @@ +/* Identities */ + +INSERT INTO identities ( + type, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 202, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* moon.strongswan.org */ + 2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */ + 202, X'd70dbd46d5133519064f12f100525ead0802ca95' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* %any */ + 0, '%any' +); + +/* Certificates */ + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 1, 1, X'308203b53082029da003020102020100300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131303134355a170d3134303930383131303134355a3045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100bff25f62ea3d566e58b3c87a49caf3ac61cfa96377734d842db3f8fd6ea023f7b0132e66265012317386729c6d7c427a8d9f167be138e8ebae2b12b95933baef36a315c3ddf224cee4bb9bd578135d0467382629621ff96b8d45f6e002e5083662dce181805c140b3f2ce93f83aee3c861cff610a39f0189cb3a3c7cb9bf7e2a09544e2170efaa18fdd4ff20fa94be176d7fecff821f68d17152041d9b46f0cfcfc1e4cf43de5d3f3a587763afe9267f53b11699b3264fc55c5189f5682871166cb98307950569641fa30ffb50de134fed2f973cef1a392827862bc4ddaa97bbb01442e293c41070d07224d4be47ae2753eb2bed4bc1da91c68ec780c4620f0f0203010001a381af3081ac300f0603551d130101ff040530030101ff300b0603551d0f040403020106301d0603551d0e041604145da7dd700651327ee7b66db3b5e5e060ea2e4def306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100300d06092a864886f70d010104050003820101009ad74e3e60592dfb9b21c78628bd76b63090c1720c74bf94753cad6fddadc9c776eb39d3bfaa52136bf528840078386308fcf79503bd3d1ad6c15ac38e10c846bff7888a03cfe7fa0e644b522b2af5aedf0bbc508dc48330a180757772771095059b2be148f58dc0c753b59e9d6bfb02e9b685a928a284531b187313fd2b835bc9ea27d0020739a8d485e88bdede9a45cde6d28ed553b0e8e92dabf877bed59abf9d151f15e4f2d00b5e6e49fcb665293d2296697926c2954dae367542ef6e98053e76d2728732f6ce69f284f0b856aa6c2823a9ee29b280a66f50828f9b5cf27f84feca3c31c24897db156c7a833768ab306f51286457a51f09dd53bbb4190f' +); + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=moon.strongswan.org */ + 1, 1, X'3082040d308202f5a003020102020103300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131313732355a170d3039303930393131313732355a3046310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311c301a060355040313136d6f6f6e2e7374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100afae2e109ac0a71b437b6f1a9e5194d085c999fe2c8de11b261f016c88e734eb1a6767b15bc7d8338bf3acc14e8a18bf857fd3dfbce637e9b0d3654f15d9068bdf4450517cf72651be8d4c8ff738ea961b2f5584bf7089afaa0a37b94910d18083bf649a7d395a41f04e68f14494d10ffc7d984a2c81e97f3421c1ec38c629b2456a3d8f3bf3915e86317ea71bb24422bef475e677e8967670b4f6ee2a80a45adcbd086a6537ab5fc12bf69f9072b620020de1880cec6cdea47543d1fec4c5ff547ac2447a1e210d9c128dc3337726eb63d5c1c731aa2c63ce175dbc8ebfb9c1e5198815be473781c3f82c2b59d23deb9739dda53c98d31a3fba57760aeaa89b0203010001a38201053082010130090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e04160414e5e410876c2ac4bead854942a6de7658303a9fc1306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100301e0603551d110417301582136d6f6f6e2e7374726f6e677377616e2e6f726730390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f7374726f6e677377616e2e63726c300d06092a864886f70d010104050003820101002f2f2921667aa576bb0c71b601dfa5b358a93e84e8a1af9754ddfbfc67879cb6c6b7833c5749e7c30b11a87b3549e105dda5d371c459f7d40fabd60c4ac8623924be84c96cfa638eb6ce9f6513b9d61080b895d270c405eacc310c709a613b6f61029c94f535ac5836b890be402ad2c52f01f7fd4bff8c0cc0cbea9720ef21c0bb41fb0726852a3c38563d917fdcca186dede6fbc83febd9edf0541382464ee378f7b8c9684df0d2402b07eb11dd4a886ab5e7299d99ea2686994746c2d9c00d95b02b2950d67f7978c6db5b379c4a3170239c414cf743bab866005366809690073a150e73c6866b9b335616acdbd3a8e651596dedb686b5d8d3eeb12df9d729' +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 1 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 2 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 3 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 4 +); + +/* Private Keys */ + +INSERT INTO private_keys ( + type, data +) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */ + 1, X'308204a30201000282010100afae2e109ac0a71b437b6f1a9e5194d085c999fe2c8de11b261f016c88e734eb1a6767b15bc7d8338bf3acc14e8a18bf857fd3dfbce637e9b0d3654f15d9068bdf4450517cf72651be8d4c8ff738ea961b2f5584bf7089afaa0a37b94910d18083bf649a7d395a41f04e68f14494d10ffc7d984a2c81e97f3421c1ec38c629b2456a3d8f3bf3915e86317ea71bb24422bef475e677e8967670b4f6ee2a80a45adcbd086a6537ab5fc12bf69f9072b620020de1880cec6cdea47543d1fec4c5ff547ac2447a1e210d9c128dc3337726eb63d5c1c731aa2c63ce175dbc8ebfb9c1e5198815be473781c3f82c2b59d23deb9739dda53c98d31a3fba57760aeaa89b0203010001028201004080550d67a42036945a377ab072078f5fef9b0885573a34fb941ab3bcb816e7d2f3f050600049d2f3296e5e32f5e50c3c79a852d74a377127a915e329845b30f3b26342e7fcde26d92d8bd4b7d23fdf08f02217f129e2838a8ce1d4b78ce33eaa2095515b74b93cc87c216fa3dc77bdc4d86017ababaf0d3318c9d86f27e29aa3301f6d7990f6f7f71db9de23ac66800ba0db4f42bbe82932ca56e08ba730c63febaf2779198cee387ee0934b32a2610ab990a4b908951bb1db2345cf1905f11aeaa6d1b368b7f82b1345ad14544e11d47d6981fc4be083326050cb950363dad1b28dbc16db42ec0fa973312c7306063bc9f308a6b0bcc965e5cb7e0b323ca102818100e71fffd9c9a528bdcb6e9ad1a5f4b354e3ea337392784aac790b4fba7f46b3b58d55965573f6493b686375cf6a0c68da9379434b055b625f01d64a9f1934cb075b25db5ef568325039674d577590b5ec54284842e04c27c97103a151805c9b620a3df84181e3a0c10752a7da6cac9629471a2bc85b32c3a160f3a8adf2d783d302818100c2968f5baf0d246bb9671b1dcfadab3a23cd6f9f1cba8c4b0d9b09d6c30a24eec174f22a4d9d2818d760b79a61c9cdd1381487723a99773a629b58171a6e28706bf083700f35037a0cb0649c9359987ccf77b44b4b3d94c614c74537c7025b503dc9967095411ecaec4b4427bc39dd5dfccbb8bab5d92e9465ab11e5e05d7319028181008b306e388e837461b89dc786f256c7991c18f31b6ade1eba77bb242cc071a7d0726954bbe9b62cac26559fa165d04b6536e3146f9dae4733c83b717d1705003051e81e90b56226cac18740c0a7009b4ed3efde74c7f7950e6f8d2c1d951c30477ebb8b428822b9b105e3f54a49a0365e6d7f895683f5b273019c3bbd663dfc190281807f5def6e12b1a682407405a2c8ba2356c5f2853a7fa2778bf4d6e364c87b4e5b5d138023427438b7b1da63b35088b808570dd0ee6afee2b4bbb074c382905235ebe11d176f4cc2fed3696e21b2ad358b947d04ed37cd9220e99ed966be0383e38cddf373b3ae514a7fca704d15fe46306bf4a8f0c570e7f5486ae6273269d89902818031055903f23c7db8da8951aad134c83a7ca951c48c9a7b994f36d9815bc82c80527b6da8e4beff9fee67b1fde5064719a40448bd6d70d9da8910122402835a328e74cfd34e8b568c29fae6ff831ef824fc825e609547a06052a4113ec09f00649bb7b7d195a773f11711c88f152b10a1b4ae58bb6d8bfc176e39f96c7c0de5c8' +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 3 +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 4 +); + +/* Configurations */ + +INSERT INTO ike_configs ( + local, remote +) VALUES ( + 'PH_IP_MOON', '0.0.0.0' +); + +INSERT INTO peer_configs ( + name, ike_cfg, local_id, remote_id +) VALUES ( + 'rw', 1, 3, 5 +); + +INSERT INTO child_configs ( + name, updown +) VALUES ( + 'rw', 'ipsec _updown iptables' +); + +INSERT INTO peer_config_child_config ( + peer_cfg, child_cfg +) VALUES ( + 1, 1 +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( /* 10.1.0.0/16 */ + 7, X'0a010000', X'0a01ffff' +); + +INSERT INTO traffic_selectors ( + type +) VALUES ( /* dynamic/32 */ + 7 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 1, 0 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 2, 3 +); + diff --git a/testing/tests/sql/rw-cert/hosts/moon/etc/ipsec.secrets b/testing/tests/sql/rw-cert/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..76bb21bea --- /dev/null +++ b/testing/tests/sql/rw-cert/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +# secrets are read from SQLite database diff --git a/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..5a35561ba --- /dev/null +++ b/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf @@ -0,0 +1,10 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + plugins { + sql { + database = sqlite:///etc/ipsec.d/ipsec.db + } + } + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke sqlite sql +} diff --git a/testing/tests/sql/rw-cert/posttest.dat b/testing/tests/sql/rw-cert/posttest.dat new file mode 100644 index 000000000..d4d57ad83 --- /dev/null +++ b/testing/tests/sql/rw-cert/posttest.dat @@ -0,0 +1,10 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +dave::/etc/init.d/iptables stop 2> /dev/null +moon::rm /etc/ipsec.d/ipsec.* +carol::rm /etc/ipsec.d/ipsec.* +dave::rm /etc/ipsec.d/ipsec.* +~ diff --git a/testing/tests/sql/rw-cert/pretest.dat b/testing/tests/sql/rw-cert/pretest.dat new file mode 100644 index 000000000..76316f33d --- /dev/null +++ b/testing/tests/sql/rw-cert/pretest.dat @@ -0,0 +1,18 @@ +moon::rm /etc/ipsec.d/cacerts/* +carol::rm /etc/ipsec.d/cacerts/* +dave::rm /etc/ipsec.d/cacerts/* +moon::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql +carol::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql +dave::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql +moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db +carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db +dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +dave::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +carol::ipsec start +dave::ipsec start +carol::sleep 1 +carol::ipsec up home +dave::ipsec up home diff --git a/testing/tests/sql/rw-cert/test.conf b/testing/tests/sql/rw-cert/test.conf new file mode 100644 index 000000000..70416826e --- /dev/null +++ b/testing/tests/sql/rw-cert/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/sql/rw-psk-ipv4/description.txt b/testing/tests/sql/rw-psk-ipv4/description.txt new file mode 100644 index 000000000..547008f74 --- /dev/null +++ b/testing/tests/sql/rw-psk-ipv4/description.txt @@ -0,0 +1,6 @@ +The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each +to gateway <b>moon</b>. The authentication is based on distinct <b>pre-shared keys</b> +and IPv4 addresses. Upon the successful establishment of the IPsec tunnels, +automatically inserted iptables-based firewall rules let pass the tunneled traffic. +In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping the +client <b>alice</b> behind the gateway <b>moon</b>. diff --git a/testing/tests/sql/rw-psk-ipv4/evaltest.dat b/testing/tests/sql/rw-psk-ipv4/evaltest.dat new file mode 100644 index 000000000..06a0f8cda --- /dev/null +++ b/testing/tests/sql/rw-psk-ipv4/evaltest.dat @@ -0,0 +1,10 @@ +moon::ipsec statusall::rw.*ESTABLISHED::YES +carol::ipsec statusall::home.*ESTABLISHED::YES +dave::ipsec statusall::home.*ESTABLISHED::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES + diff --git a/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/ipsec.conf b/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..3bc29625f --- /dev/null +++ b/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/ipsec.conf @@ -0,0 +1,8 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +# configuration is read from SQLite database diff --git a/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/ipsec.d/data.sql new file mode 100644 index 000000000..a5ff52d65 --- /dev/null +++ b/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/ipsec.d/data.sql @@ -0,0 +1,84 @@ +/* Identities */ + +INSERT INTO identities ( + type, data +) VALUES ( /* 192.168.0.1 */ + 1 , X'c0a80001' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* 192.168.0.100 */ + 1 , X'c0a80064' + ); + +/* Shared Secrets */ + +INSERT INTO shared_secrets ( + type, data +) VALUES ( + 1, X'16964066a10de938bdb2ab7864fe4459cab1' +); + +INSERT INTO shared_secret_identity ( + shared_secret, identity +) VALUES ( + 1, 1 +); + +INSERT INTO shared_secret_identity ( + shared_secret, identity +) VALUES ( + 1, 2 +); + +/* Configurations */ + +INSERT INTO ike_configs ( + local, remote +) VALUES ( + 'PH_IP_CAROL', 'PH_IP_MOON' +); + +INSERT INTO peer_configs ( + name, ike_cfg, local_id, remote_id, auth_method +) VALUES ( + 'home', 1, 2, 1, 2 +); + +INSERT INTO child_configs ( + name, updown +) VALUES ( + 'home', 'ipsec _updown iptables' +); + +INSERT INTO peer_config_child_config ( + peer_cfg, child_cfg +) VALUES ( + 1, 1 +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( /* 10.1.0.0/16 */ + 7, X'0a010000', X'0a01ffff' +); + +INSERT INTO traffic_selectors ( + type +) VALUES ( /* dynamic/32 */ + 7 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 1, 1 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 2, 2 +); + diff --git a/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/ipsec.secrets b/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..76bb21bea --- /dev/null +++ b/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +# secrets are read from SQLite database diff --git a/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..1a4ac234e --- /dev/null +++ b/testing/tests/sql/rw-psk-ipv4/hosts/carol/etc/strongswan.conf @@ -0,0 +1,10 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + plugins { + sql { + database = sqlite:///etc/ipsec.d/ipsec.db + } + } + load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke sqlite sql +} diff --git a/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/ipsec.conf b/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..3bc29625f --- /dev/null +++ b/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/ipsec.conf @@ -0,0 +1,8 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +# configuration is read from SQLite database diff --git a/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/ipsec.d/data.sql b/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/ipsec.d/data.sql new file mode 100644 index 000000000..ac39472f3 --- /dev/null +++ b/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/ipsec.d/data.sql @@ -0,0 +1,84 @@ +/* Identities */ + +INSERT INTO identities ( + type, data +) VALUES ( /* 192.168.0.1 */ + 1 , X'c0a80001' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* 192.168.0.200 */ + 1 , X'c0a800c8' + ); + +/* Shared Secrets */ + +INSERT INTO shared_secrets ( + type, data +) VALUES ( + 1, X'8d5cce342174da772c8224a59885deaa118d' +); + +INSERT INTO shared_secret_identity ( + shared_secret, identity +) VALUES ( + 1, 1 +); + +INSERT INTO shared_secret_identity ( + shared_secret, identity +) VALUES ( + 1, 2 +); + +/* Configurations */ + +INSERT INTO ike_configs ( + local, remote +) VALUES ( + 'PH_IP_DAVE', 'PH_IP_MOON' +); + +INSERT INTO peer_configs ( + name, ike_cfg, local_id, remote_id, auth_method +) VALUES ( + 'home', 1, 2, 1, 2 +); + +INSERT INTO child_configs ( + name, updown +) VALUES ( + 'home', 'ipsec _updown iptables' +); + +INSERT INTO peer_config_child_config ( + peer_cfg, child_cfg +) VALUES ( + 1, 1 +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( /* 10.1.0.0/16 */ + 7, X'0a010000', X'0a01ffff' +); + +INSERT INTO traffic_selectors ( + type +) VALUES ( /* dynamic/32 */ + 7 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 1, 1 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 2, 2 +); + diff --git a/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/ipsec.secrets b/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/ipsec.secrets new file mode 100644 index 000000000..76bb21bea --- /dev/null +++ b/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +# secrets are read from SQLite database diff --git a/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..1a4ac234e --- /dev/null +++ b/testing/tests/sql/rw-psk-ipv4/hosts/dave/etc/strongswan.conf @@ -0,0 +1,10 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + plugins { + sql { + database = sqlite:///etc/ipsec.d/ipsec.db + } + } + load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke sqlite sql +} diff --git a/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/ipsec.conf b/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..3bc29625f --- /dev/null +++ b/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/ipsec.conf @@ -0,0 +1,8 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +# configuration is read from SQLite database diff --git a/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/ipsec.d/data.sql new file mode 100644 index 000000000..231b84cb9 --- /dev/null +++ b/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/ipsec.d/data.sql @@ -0,0 +1,114 @@ +/* Identities */ + +INSERT INTO identities ( + type, data +) VALUES ( /* 192.168.0.1 */ + 1 , X'c0a80001' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* 192.168.0.100 */ + 1 , X'c0a80064' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* 192.168.0.200 */ + 1 , X'c0a800c8' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* %any */ + 0, '%any' +); + +/* Shared Secrets */ + +INSERT INTO shared_secrets ( + type, data +) VALUES ( + 1, X'16964066a10de938bdb2ab7864fe4459cab1' +); + +INSERT INTO shared_secrets ( + type, data +) VALUES ( + 1, X'8d5cce342174da772c8224a59885deaa118d' +); + +INSERT INTO shared_secret_identity ( + shared_secret, identity +) VALUES ( + 1, 1 +); + +INSERT INTO shared_secret_identity ( + shared_secret, identity +) VALUES ( + 1, 2 +); + +INSERT INTO shared_secret_identity ( + shared_secret, identity +) VALUES ( + 2, 1 +); + +INSERT INTO shared_secret_identity ( + shared_secret, identity +) VALUES ( + 2, 3 +); + +/* Configurations */ + +INSERT INTO ike_configs ( + local, remote +) VALUES ( + 'PH_IP_MOON', '0.0.0.0' +); + +INSERT INTO peer_configs ( + name, ike_cfg, local_id, remote_id, auth_method +) VALUES ( + 'rw', 1, 1, 4, 2 +); + +INSERT INTO child_configs ( + name, updown +) VALUES ( + 'rw', 'ipsec _updown iptables' +); + +INSERT INTO peer_config_child_config ( + peer_cfg, child_cfg +) VALUES ( + 1, 1 +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( /* 10.1.0.0/16 */ + 7, X'0a010000', X'0a01ffff' +); + +INSERT INTO traffic_selectors ( + type +) VALUES ( /* dynamic/32 */ + 7 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 1, 0 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 2, 3 +); + diff --git a/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/ipsec.secrets b/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..76bb21bea --- /dev/null +++ b/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +# secrets are read from SQLite database diff --git a/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..1a4ac234e --- /dev/null +++ b/testing/tests/sql/rw-psk-ipv4/hosts/moon/etc/strongswan.conf @@ -0,0 +1,10 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + plugins { + sql { + database = sqlite:///etc/ipsec.d/ipsec.db + } + } + load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke sqlite sql +} diff --git a/testing/tests/sql/rw-psk-ipv4/posttest.dat b/testing/tests/sql/rw-psk-ipv4/posttest.dat new file mode 100644 index 000000000..d4d57ad83 --- /dev/null +++ b/testing/tests/sql/rw-psk-ipv4/posttest.dat @@ -0,0 +1,10 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +dave::/etc/init.d/iptables stop 2> /dev/null +moon::rm /etc/ipsec.d/ipsec.* +carol::rm /etc/ipsec.d/ipsec.* +dave::rm /etc/ipsec.d/ipsec.* +~ diff --git a/testing/tests/sql/rw-psk-ipv4/pretest.dat b/testing/tests/sql/rw-psk-ipv4/pretest.dat new file mode 100644 index 000000000..76316f33d --- /dev/null +++ b/testing/tests/sql/rw-psk-ipv4/pretest.dat @@ -0,0 +1,18 @@ +moon::rm /etc/ipsec.d/cacerts/* +carol::rm /etc/ipsec.d/cacerts/* +dave::rm /etc/ipsec.d/cacerts/* +moon::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql +carol::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql +dave::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql +moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db +carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db +dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +dave::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +carol::ipsec start +dave::ipsec start +carol::sleep 1 +carol::ipsec up home +dave::ipsec up home diff --git a/testing/tests/sql/rw-psk-ipv4/test.conf b/testing/tests/sql/rw-psk-ipv4/test.conf new file mode 100644 index 000000000..70416826e --- /dev/null +++ b/testing/tests/sql/rw-psk-ipv4/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/sql/rw-psk-ipv6/description.txt b/testing/tests/sql/rw-psk-ipv6/description.txt new file mode 100644 index 000000000..d8f6805de --- /dev/null +++ b/testing/tests/sql/rw-psk-ipv6/description.txt @@ -0,0 +1,6 @@ +The roadwarriors <b>carol</b> and <b>dave</b> set up an IPv6 tunnel connection each +to gateway <b>moon</b>. The authentication is based on distinct <b>pre-shared keys</b> +and IPv6 addresses. Upon the successful establishment of the IPsec tunnels automatically +inserted ip6tables-based firewall rules let pass the tunneled traffic. In order to test +both tunnel and firewall, both <b>carol</b> and <b>dave</b> send an IPv6 ICMP request +to client <b>alice</b> behind the gateway <b>moon</b> using the ping6 command. diff --git a/testing/tests/sql/rw-psk-ipv6/evaltest.dat b/testing/tests/sql/rw-psk-ipv6/evaltest.dat new file mode 100644 index 000000000..cee1853c4 --- /dev/null +++ b/testing/tests/sql/rw-psk-ipv6/evaltest.dat @@ -0,0 +1,10 @@ +moon::ipsec statusall::rw.*ESTABLISHED::YES +carol::ipsec statusall::home.*ESTABLISHED::YES +dave::ipsec statusall::home.*ESTABLISHED::YES +carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES +dave::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES +moon::tcpdump::IP6 ip6-carol.strongswan.org > ip6-moon.strongswan.org: ESP::YES +moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-carol.strongswan.org: ESP::YES +moon::tcpdump::IP6 ip6-dave.strongswan.org > ip6-moon.strongswan.org: ESP::YES +moon::tcpdump::IP6 ip6-moon.strongswan.org > ip6-dave.strongswan.org: ESP::YES + diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/init.d/iptables b/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/init.d/iptables new file mode 100755 index 000000000..25074a0f1 --- /dev/null +++ b/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/init.d/iptables @@ -0,0 +1,107 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +opts="start stop reload" + +depend() { + before net + need logger +} + +start() { + ebegin "Starting firewall" + + # enable IP forwarding + echo 1 > /proc/sys/net/ipv6/conf/all/forwarding + echo 1 > /proc/sys/net/ipv4/ip_forward + + # default policy is DROP + /sbin/iptables -P INPUT DROP + /sbin/iptables -P OUTPUT DROP + /sbin/iptables -P FORWARD DROP + + /sbin/ip6tables -P INPUT DROP + /sbin/ip6tables -P OUTPUT DROP + /sbin/ip6tables -P FORWARD DROP + + # allow esp + ip6tables -A INPUT -i eth0 -p 50 -j ACCEPT + ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT + + # allow IKE + ip6tables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT + ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + + # allow MobIKE + ip6tables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT + ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + + # allow last UDP fragment + ip6tables -A INPUT -i eth0 -p udp -m frag --fraglast -j ACCEPT + + # allow ICMPv6 neighbor-solicitations + ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT + ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT + + # allow ICMPv6 neighbor-advertisements + ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT + ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT + + # allow crl fetch from winnetou + iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT + iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + + # allow ssh + iptables -A INPUT -p tcp --dport 22 -j ACCEPT + iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT + + # log dropped packets + ip6tables -A INPUT -j LOG --log-prefix " IN: " + ip6tables -A OUTPUT -j LOG --log-prefix " OUT: " + + eend $? +} + +stop() { + ebegin "Stopping firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/ip6tables -F -t $a + /sbin/ip6tables -X -t $a + + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + + if [ $a == nat ]; then + /sbin/iptables -t nat -P PREROUTING ACCEPT + /sbin/iptables -t nat -P POSTROUTING ACCEPT + /sbin/iptables -t nat -P OUTPUT ACCEPT + elif [ $a == mangle ]; then + /sbin/iptables -t mangle -P PREROUTING ACCEPT + /sbin/iptables -t mangle -P INPUT ACCEPT + /sbin/iptables -t mangle -P FORWARD ACCEPT + /sbin/iptables -t mangle -P OUTPUT ACCEPT + /sbin/iptables -t mangle -P POSTROUTING ACCEPT + elif [ $a == filter ]; then + /sbin/ip6tables -t filter -P INPUT ACCEPT + /sbin/ip6tables -t filter -P FORWARD ACCEPT + /sbin/ip6tables -t filter -P OUTPUT ACCEPT + + /sbin/iptables -t filter -P INPUT ACCEPT + /sbin/iptables -t filter -P FORWARD ACCEPT + /sbin/iptables -t filter -P OUTPUT ACCEPT + fi + done + eend $? +} + +reload() { + ebegin "Flushing firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/ip6tables -F -t $a + /sbin/ip6tables -X -t $a + done; + eend $? + start +} + diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/ipsec.conf b/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..3bc29625f --- /dev/null +++ b/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/ipsec.conf @@ -0,0 +1,8 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +# configuration is read from SQLite database diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/ipsec.d/data.sql new file mode 100644 index 000000000..8cbb82d71 --- /dev/null +++ b/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/ipsec.d/data.sql @@ -0,0 +1,84 @@ +/* Identities */ + +INSERT INTO identities ( + type, data +) VALUES ( /* fec0::1 */ + 5 , X'fec00000000000000000000000000001' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* fec0::10 */ + 5 , X'fec00000000000000000000000000010' + ); + +/* Shared Secrets */ + +INSERT INTO shared_secrets ( + type, data +) VALUES ( + 1, X'16964066a10de938bdb2ab7864fe4459cab1' +); + +INSERT INTO shared_secret_identity ( + shared_secret, identity +) VALUES ( + 1, 1 +); + +INSERT INTO shared_secret_identity ( + shared_secret, identity +) VALUES ( + 1, 2 +); + +/* Configurations */ + +INSERT INTO ike_configs ( + local, remote +) VALUES ( + 'PH_IP6_CAROL', 'PH_IP6_MOON' +); + +INSERT INTO peer_configs ( + name, ike_cfg, local_id, remote_id, auth_method +) VALUES ( + 'home', 1, 2, 1, 2 +); + +INSERT INTO child_configs ( + name, updown +) VALUES ( + 'home', 'ipsec _updown iptables' +); + +INSERT INTO peer_config_child_config ( + peer_cfg, child_cfg +) VALUES ( + 1, 1 +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( /* fec1::/16 */ + 8, X'fec10000000000000000000000000000', X'fec1ffffffffffffffffffffffffffff' +); + +INSERT INTO traffic_selectors ( + type +) VALUES ( /* dynamic/128 */ + 8 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 1, 1 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 2, 2 +); + diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/ipsec.secrets b/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..76bb21bea --- /dev/null +++ b/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +# secrets are read from SQLite database diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..1a4ac234e --- /dev/null +++ b/testing/tests/sql/rw-psk-ipv6/hosts/carol/etc/strongswan.conf @@ -0,0 +1,10 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + plugins { + sql { + database = sqlite:///etc/ipsec.d/ipsec.db + } + } + load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke sqlite sql +} diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/init.d/iptables b/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/init.d/iptables new file mode 100755 index 000000000..25074a0f1 --- /dev/null +++ b/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/init.d/iptables @@ -0,0 +1,107 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +opts="start stop reload" + +depend() { + before net + need logger +} + +start() { + ebegin "Starting firewall" + + # enable IP forwarding + echo 1 > /proc/sys/net/ipv6/conf/all/forwarding + echo 1 > /proc/sys/net/ipv4/ip_forward + + # default policy is DROP + /sbin/iptables -P INPUT DROP + /sbin/iptables -P OUTPUT DROP + /sbin/iptables -P FORWARD DROP + + /sbin/ip6tables -P INPUT DROP + /sbin/ip6tables -P OUTPUT DROP + /sbin/ip6tables -P FORWARD DROP + + # allow esp + ip6tables -A INPUT -i eth0 -p 50 -j ACCEPT + ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT + + # allow IKE + ip6tables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT + ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + + # allow MobIKE + ip6tables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT + ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + + # allow last UDP fragment + ip6tables -A INPUT -i eth0 -p udp -m frag --fraglast -j ACCEPT + + # allow ICMPv6 neighbor-solicitations + ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT + ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT + + # allow ICMPv6 neighbor-advertisements + ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT + ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT + + # allow crl fetch from winnetou + iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT + iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + + # allow ssh + iptables -A INPUT -p tcp --dport 22 -j ACCEPT + iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT + + # log dropped packets + ip6tables -A INPUT -j LOG --log-prefix " IN: " + ip6tables -A OUTPUT -j LOG --log-prefix " OUT: " + + eend $? +} + +stop() { + ebegin "Stopping firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/ip6tables -F -t $a + /sbin/ip6tables -X -t $a + + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + + if [ $a == nat ]; then + /sbin/iptables -t nat -P PREROUTING ACCEPT + /sbin/iptables -t nat -P POSTROUTING ACCEPT + /sbin/iptables -t nat -P OUTPUT ACCEPT + elif [ $a == mangle ]; then + /sbin/iptables -t mangle -P PREROUTING ACCEPT + /sbin/iptables -t mangle -P INPUT ACCEPT + /sbin/iptables -t mangle -P FORWARD ACCEPT + /sbin/iptables -t mangle -P OUTPUT ACCEPT + /sbin/iptables -t mangle -P POSTROUTING ACCEPT + elif [ $a == filter ]; then + /sbin/ip6tables -t filter -P INPUT ACCEPT + /sbin/ip6tables -t filter -P FORWARD ACCEPT + /sbin/ip6tables -t filter -P OUTPUT ACCEPT + + /sbin/iptables -t filter -P INPUT ACCEPT + /sbin/iptables -t filter -P FORWARD ACCEPT + /sbin/iptables -t filter -P OUTPUT ACCEPT + fi + done + eend $? +} + +reload() { + ebegin "Flushing firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/ip6tables -F -t $a + /sbin/ip6tables -X -t $a + done; + eend $? + start +} + diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/ipsec.conf b/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..3bc29625f --- /dev/null +++ b/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/ipsec.conf @@ -0,0 +1,8 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +# configuration is read from SQLite database diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/ipsec.d/data.sql b/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/ipsec.d/data.sql new file mode 100644 index 000000000..87055a216 --- /dev/null +++ b/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/ipsec.d/data.sql @@ -0,0 +1,84 @@ +/* Identities */ + +INSERT INTO identities ( + type, data +) VALUES ( /* fec0::1 */ + 5 , X'fec00000000000000000000000000001' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* fec0::20 */ + 5 , X'fec00000000000000000000000000020' + ); + +/* Shared Secrets */ + +INSERT INTO shared_secrets ( + type, data +) VALUES ( + 1, X'8d5cce342174da772c8224a59885deaa118d' +); + +INSERT INTO shared_secret_identity ( + shared_secret, identity +) VALUES ( + 1, 1 +); + +INSERT INTO shared_secret_identity ( + shared_secret, identity +) VALUES ( + 1, 2 +); + +/* Configurations */ + +INSERT INTO ike_configs ( + local, remote +) VALUES ( + 'PH_IP6_DAVE', 'PH_IP6_MOON' +); + +INSERT INTO peer_configs ( + name, ike_cfg, local_id, remote_id, auth_method +) VALUES ( + 'home', 1, 2, 1, 2 +); + +INSERT INTO child_configs ( + name, updown +) VALUES ( + 'home', 'ipsec _updown iptables' +); + +INSERT INTO peer_config_child_config ( + peer_cfg, child_cfg +) VALUES ( + 1, 1 +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( /* fec1::/16 */ + 8, X'fec10000000000000000000000000000', X'fec1ffffffffffffffffffffffffffff' +); + +INSERT INTO traffic_selectors ( + type +) VALUES ( /* dynamic/128 */ + 8 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 1, 1 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 2, 2 +); + diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/ipsec.secrets b/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/ipsec.secrets new file mode 100644 index 000000000..76bb21bea --- /dev/null +++ b/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +# secrets are read from SQLite database diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..1a4ac234e --- /dev/null +++ b/testing/tests/sql/rw-psk-ipv6/hosts/dave/etc/strongswan.conf @@ -0,0 +1,10 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + plugins { + sql { + database = sqlite:///etc/ipsec.d/ipsec.db + } + } + load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke sqlite sql +} diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/init.d/iptables b/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/init.d/iptables new file mode 100755 index 000000000..25074a0f1 --- /dev/null +++ b/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/init.d/iptables @@ -0,0 +1,107 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +opts="start stop reload" + +depend() { + before net + need logger +} + +start() { + ebegin "Starting firewall" + + # enable IP forwarding + echo 1 > /proc/sys/net/ipv6/conf/all/forwarding + echo 1 > /proc/sys/net/ipv4/ip_forward + + # default policy is DROP + /sbin/iptables -P INPUT DROP + /sbin/iptables -P OUTPUT DROP + /sbin/iptables -P FORWARD DROP + + /sbin/ip6tables -P INPUT DROP + /sbin/ip6tables -P OUTPUT DROP + /sbin/ip6tables -P FORWARD DROP + + # allow esp + ip6tables -A INPUT -i eth0 -p 50 -j ACCEPT + ip6tables -A OUTPUT -o eth0 -p 50 -j ACCEPT + + # allow IKE + ip6tables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT + ip6tables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + + # allow MobIKE + ip6tables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT + ip6tables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + + # allow last UDP fragment + ip6tables -A INPUT -i eth0 -p udp -m frag --fraglast -j ACCEPT + + # allow ICMPv6 neighbor-solicitations + ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT + ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT + + # allow ICMPv6 neighbor-advertisements + ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT + ip6tables -A OUTPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT + + # allow crl fetch from winnetou + iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT + iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + + # allow ssh + iptables -A INPUT -p tcp --dport 22 -j ACCEPT + iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT + + # log dropped packets + ip6tables -A INPUT -j LOG --log-prefix " IN: " + ip6tables -A OUTPUT -j LOG --log-prefix " OUT: " + + eend $? +} + +stop() { + ebegin "Stopping firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/ip6tables -F -t $a + /sbin/ip6tables -X -t $a + + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + + if [ $a == nat ]; then + /sbin/iptables -t nat -P PREROUTING ACCEPT + /sbin/iptables -t nat -P POSTROUTING ACCEPT + /sbin/iptables -t nat -P OUTPUT ACCEPT + elif [ $a == mangle ]; then + /sbin/iptables -t mangle -P PREROUTING ACCEPT + /sbin/iptables -t mangle -P INPUT ACCEPT + /sbin/iptables -t mangle -P FORWARD ACCEPT + /sbin/iptables -t mangle -P OUTPUT ACCEPT + /sbin/iptables -t mangle -P POSTROUTING ACCEPT + elif [ $a == filter ]; then + /sbin/ip6tables -t filter -P INPUT ACCEPT + /sbin/ip6tables -t filter -P FORWARD ACCEPT + /sbin/ip6tables -t filter -P OUTPUT ACCEPT + + /sbin/iptables -t filter -P INPUT ACCEPT + /sbin/iptables -t filter -P FORWARD ACCEPT + /sbin/iptables -t filter -P OUTPUT ACCEPT + fi + done + eend $? +} + +reload() { + ebegin "Flushing firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/ip6tables -F -t $a + /sbin/ip6tables -X -t $a + done; + eend $? + start +} + diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/ipsec.conf b/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..3bc29625f --- /dev/null +++ b/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/ipsec.conf @@ -0,0 +1,8 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +# configuration is read from SQLite database diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/ipsec.d/data.sql new file mode 100644 index 000000000..2479bea12 --- /dev/null +++ b/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/ipsec.d/data.sql @@ -0,0 +1,114 @@ +/* Identities */ + +INSERT INTO identities ( + type, data +) VALUES ( /* fec0::1 */ + 5 , X'fec00000000000000000000000000001' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* fec0::10 */ + 5 , X'fec00000000000000000000000000010' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* fec0::20 */ + 5 , X'fec00000000000000000000000000020' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* %any */ + 0, '%any' +); + +/* Shared Secrets */ + +INSERT INTO shared_secrets ( + type, data +) VALUES ( + 1, X'16964066a10de938bdb2ab7864fe4459cab1' +); + +INSERT INTO shared_secrets ( + type, data +) VALUES ( + 1, X'8d5cce342174da772c8224a59885deaa118d' +); + +INSERT INTO shared_secret_identity ( + shared_secret, identity +) VALUES ( + 1, 1 +); + +INSERT INTO shared_secret_identity ( + shared_secret, identity +) VALUES ( + 1, 2 +); + +INSERT INTO shared_secret_identity ( + shared_secret, identity +) VALUES ( + 2, 1 +); + +INSERT INTO shared_secret_identity ( + shared_secret, identity +) VALUES ( + 2, 3 +); + +/* Configurations */ + +INSERT INTO ike_configs ( + local, remote +) VALUES ( + 'PH_IP6_MOON', '0::0' +); + +INSERT INTO peer_configs ( + name, ike_cfg, local_id, remote_id, auth_method +) VALUES ( + 'rw', 1, 1, 4, 2 +); + +INSERT INTO child_configs ( + name, updown +) VALUES ( + 'rw', 'ipsec _updown iptables' +); + +INSERT INTO peer_config_child_config ( + peer_cfg, child_cfg +) VALUES ( + 1, 1 +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( /* fec1::/16 */ + 8, X'fec10000000000000000000000000000', X'fec1ffffffffffffffffffffffffffff' +); + +INSERT INTO traffic_selectors ( + type +) VALUES ( /* dynamic/128 */ + 8 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 1, 0 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 2, 3 +); + diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/ipsec.secrets b/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..76bb21bea --- /dev/null +++ b/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +# secrets are read from SQLite database diff --git a/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..1a4ac234e --- /dev/null +++ b/testing/tests/sql/rw-psk-ipv6/hosts/moon/etc/strongswan.conf @@ -0,0 +1,10 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + plugins { + sql { + database = sqlite:///etc/ipsec.d/ipsec.db + } + } + load = aes des sha1 sha2 md5 gmp random hmac xcbc stroke sqlite sql +} diff --git a/testing/tests/sql/rw-psk-ipv6/posttest.dat b/testing/tests/sql/rw-psk-ipv6/posttest.dat new file mode 100644 index 000000000..bdfd9ed00 --- /dev/null +++ b/testing/tests/sql/rw-psk-ipv6/posttest.dat @@ -0,0 +1,12 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +dave::/etc/init.d/iptables stop 2> /dev/null +alice::"ip route del fec0:\:/16 via fec1:\:1" +carol::"ip route del fec1:\:/16 via fec0:\:1" +dave::"ip route del fec1:\:/16 via fec0:\:1" +moon::rm /etc/ipsec.d/ipsec.* +carol::rm /etc/ipsec.d/ipsec.* +dave::rm /etc/ipsec.d/ipsec.* diff --git a/testing/tests/sql/rw-psk-ipv6/pretest.dat b/testing/tests/sql/rw-psk-ipv6/pretest.dat new file mode 100644 index 000000000..253438dbf --- /dev/null +++ b/testing/tests/sql/rw-psk-ipv6/pretest.dat @@ -0,0 +1,21 @@ +moon::rm /etc/ipsec.d/cacerts/* +carol::rm /etc/ipsec.d/cacerts/* +dave::rm /etc/ipsec.d/cacerts/* +moon::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql +carol::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql +dave::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql +moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db +carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db +dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +dave::/etc/init.d/iptables start 2> /dev/null +alice::"ip route add fec0:\:/16 via fec1:\:1" +carol::"ip route add fec1:\:/16 via fec0:\:1" +dave::"ip route add fec1:\:/16 via fec0:\:1" +moon::ipsec start +carol::ipsec start +dave::ipsec start +carol::sleep 1 +carol::ipsec up home +dave::ipsec up home diff --git a/testing/tests/sql/rw-psk-ipv6/test.conf b/testing/tests/sql/rw-psk-ipv6/test.conf new file mode 100644 index 000000000..80cf5e3a1 --- /dev/null +++ b/testing/tests/sql/rw-psk-ipv6/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d-ip6.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/sql/rw-psk-rsa-split/description.txt b/testing/tests/sql/rw-psk-rsa-split/description.txt new file mode 100644 index 000000000..23080964a --- /dev/null +++ b/testing/tests/sql/rw-psk-rsa-split/description.txt @@ -0,0 +1,8 @@ +The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each +to gateway <b>moon</b>. The roadwarriors' authentication is based on +<ib>Pre-Shared Keys</b> (PSK) whereas the gateway uses an <b>RSA signature</b> +(RSASIG) certified by an X.509 certificate. +Upon the successful establishment of the IPsec tunnels, automatically inserted +iptables-based firewall rules let pass the tunneled traffic. +In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping +the client <b>alice</b> behind the gateway <b>moon</b>. diff --git a/testing/tests/sql/rw-psk-rsa-split/evaltest.dat b/testing/tests/sql/rw-psk-rsa-split/evaltest.dat new file mode 100644 index 000000000..0e5bd03db --- /dev/null +++ b/testing/tests/sql/rw-psk-rsa-split/evaltest.dat @@ -0,0 +1,12 @@ +moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with pre-shared key successful::YES +moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with pre-shared key successful::YES +moon::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' (myself) with RSA signature successful::YES +moon::ipsec statusall::rw.*INSTALLED::YES +carol::ipsec statusall::home.*ESTABLISHED::YES +dave::ipsec statusall::home.*ESTABLISHED::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/ipsec.conf b/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..3bc29625f --- /dev/null +++ b/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/ipsec.conf @@ -0,0 +1,8 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +# configuration is read from SQLite database diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/ipsec.d/data.sql new file mode 100644 index 000000000..31c6bf81f --- /dev/null +++ b/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/ipsec.d/data.sql @@ -0,0 +1,116 @@ +/* Identities */ + +INSERT INTO identities ( + type, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 202, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* carol@strongswan.org */ + 3, X'6361726f6c407374726f6e677377616e2e6f7267' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* moon.strongswan.org */ + 2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267' + ); + +/* Certificates */ + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 1, 1, X'308203b53082029da003020102020100300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131303134355a170d3134303930383131303134355a3045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100bff25f62ea3d566e58b3c87a49caf3ac61cfa96377734d842db3f8fd6ea023f7b0132e66265012317386729c6d7c427a8d9f167be138e8ebae2b12b95933baef36a315c3ddf224cee4bb9bd578135d0467382629621ff96b8d45f6e002e5083662dce181805c140b3f2ce93f83aee3c861cff610a39f0189cb3a3c7cb9bf7e2a09544e2170efaa18fdd4ff20fa94be176d7fecff821f68d17152041d9b46f0cfcfc1e4cf43de5d3f3a587763afe9267f53b11699b3264fc55c5189f5682871166cb98307950569641fa30ffb50de134fed2f973cef1a392827862bc4ddaa97bbb01442e293c41070d07224d4be47ae2753eb2bed4bc1da91c68ec780c4620f0f0203010001a381af3081ac300f0603551d130101ff040530030101ff300b0603551d0f040403020106301d0603551d0e041604145da7dd700651327ee7b66db3b5e5e060ea2e4def306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100300d06092a864886f70d010104050003820101009ad74e3e60592dfb9b21c78628bd76b63090c1720c74bf94753cad6fddadc9c776eb39d3bfaa52136bf528840078386308fcf79503bd3d1ad6c15ac38e10c846bff7888a03cfe7fa0e644b522b2af5aedf0bbc508dc48330a180757772771095059b2be148f58dc0c753b59e9d6bfb02e9b685a928a284531b187313fd2b835bc9ea27d0020739a8d485e88bdede9a45cde6d28ed553b0e8e92dabf877bed59abf9d151f15e4f2d00b5e6e49fcb665293d2296697926c2954dae367542ef6e98053e76d2728732f6ce69f284f0b856aa6c2823a9ee29b280a66f50828f9b5cf27f84feca3c31c24897db156c7a833768ab306f51286457a51f09dd53bbb4190f' +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 1 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 2 +); + +/* Shared Secrets */ + +INSERT INTO shared_secrets ( + type, data +) VALUES ( + 1, X'16964066a10de938bdb2ab7864fe4459cab1' +); + +INSERT INTO shared_secret_identity ( + shared_secret, identity +) VALUES ( + 1, 3 +); + +INSERT INTO shared_secret_identity ( + shared_secret, identity +) VALUES ( + 1, 4 +); + +/* Configurations */ + +INSERT INTO ike_configs ( + local, remote +) VALUES ( + 'PH_IP_CAROL', 'PH_IP_MOON' +); + +INSERT INTO peer_configs ( + name, ike_cfg, local_id, remote_id, auth_method +) VALUES ( + 'home', 1, 3, 4, 2 +); + +INSERT INTO child_configs ( + name, updown +) VALUES ( + 'home', 'ipsec _updown iptables' +); + +INSERT INTO peer_config_child_config ( + peer_cfg, child_cfg +) VALUES ( + 1, 1 +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( /* 10.1.0.0/16 */ + 7, X'0a010000', X'0a01ffff' +); + +INSERT INTO traffic_selectors ( + type +) VALUES ( /* dynamic/32 */ + 7 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 1, 1 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 2, 2 +); + diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/ipsec.secrets b/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..76bb21bea --- /dev/null +++ b/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +# secrets are read from SQLite database diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..5a35561ba --- /dev/null +++ b/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf @@ -0,0 +1,10 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + plugins { + sql { + database = sqlite:///etc/ipsec.d/ipsec.db + } + } + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke sqlite sql +} diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/ipsec.conf b/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..3bc29625f --- /dev/null +++ b/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/ipsec.conf @@ -0,0 +1,8 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +# configuration is read from SQLite database diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/ipsec.d/data.sql b/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/ipsec.d/data.sql new file mode 100644 index 000000000..e12ca449d --- /dev/null +++ b/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/ipsec.d/data.sql @@ -0,0 +1,117 @@ +/* Identities */ + +INSERT INTO identities ( + type, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 202, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* dave@strongswan.org */ + 3, X'64617665407374726f6e677377616e2e6f7267' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* moon.strongswan.org */ + 2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267' + ); + +/* Certificates */ + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 1, 1, X'308203b53082029da003020102020100300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131303134355a170d3134303930383131303134355a3045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100bff25f62ea3d566e58b3c87a49caf3ac61cfa96377734d842db3f8fd6ea023f7b0132e66265012317386729c6d7c427a8d9f167be138e8ebae2b12b95933baef36a315c3ddf224cee4bb9bd578135d0467382629621ff96b8d45f6e002e5083662dce181805c140b3f2ce93f83aee3c861cff610a39f0189cb3a3c7cb9bf7e2a09544e2170efaa18fdd4ff20fa94be176d7fecff821f68d17152041d9b46f0cfcfc1e4cf43de5d3f3a587763afe9267f53b11699b3264fc55c5189f5682871166cb98307950569641fa30ffb50de134fed2f973cef1a392827862bc4ddaa97bbb01442e293c41070d07224d4be47ae2753eb2bed4bc1da91c68ec780c4620f0f0203010001a381af3081ac300f0603551d130101ff040530030101ff300b0603551d0f040403020106301d0603551d0e041604145da7dd700651327ee7b66db3b5e5e060ea2e4def306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100300d06092a864886f70d010104050003820101009ad74e3e60592dfb9b21c78628bd76b63090c1720c74bf94753cad6fddadc9c776eb39d3bfaa52136bf528840078386308fcf79503bd3d1ad6c15ac38e10c846bff7888a03cfe7fa0e644b522b2af5aedf0bbc508dc48330a180757772771095059b2be148f58dc0c753b59e9d6bfb02e9b685a928a284531b187313fd2b835bc9ea27d0020739a8d485e88bdede9a45cde6d28ed553b0e8e92dabf877bed59abf9d151f15e4f2d00b5e6e49fcb665293d2296697926c2954dae367542ef6e98053e76d2728732f6ce69f284f0b856aa6c2823a9ee29b280a66f50828f9b5cf27f84feca3c31c24897db156c7a833768ab306f51286457a51f09dd53bbb4190f' +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 1 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 2 +); + +/* Shared Secrets */ + +INSERT INTO shared_secrets ( + type, data +) VALUES ( + 1, X'8d5cce342174da772c8224a59885deaa118d' +); + +INSERT INTO shared_secret_identity ( + shared_secret, identity +) VALUES ( + 1, 3 +); + +INSERT INTO shared_secret_identity ( + shared_secret, identity +) VALUES ( + 1, 4 +); + + +/* Configurations */ + +INSERT INTO ike_configs ( + local, remote +) VALUES ( + 'PH_IP_DAVE', 'PH_IP_MOON' +); + +INSERT INTO peer_configs ( + name, ike_cfg, local_id, remote_id, auth_method +) VALUES ( + 'home', 1, 3, 4, 2 +); + +INSERT INTO child_configs ( + name, updown +) VALUES ( + 'home', 'ipsec _updown iptables' +); + +INSERT INTO peer_config_child_config ( + peer_cfg, child_cfg +) VALUES ( + 1, 1 +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( /* 10.1.0.0/16 */ + 7, X'0a010000', X'0a01ffff' +); + +INSERT INTO traffic_selectors ( + type +) VALUES ( /* dynamic/32 */ + 7 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 1, 1 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 2, 2 +); + diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/ipsec.secrets b/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/ipsec.secrets new file mode 100644 index 000000000..76bb21bea --- /dev/null +++ b/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +# secrets are read from SQLite database diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..5a35561ba --- /dev/null +++ b/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf @@ -0,0 +1,10 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + plugins { + sql { + database = sqlite:///etc/ipsec.d/ipsec.db + } + } + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke sqlite sql +} diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/ipsec.conf b/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..3bc29625f --- /dev/null +++ b/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/ipsec.conf @@ -0,0 +1,8 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +# configuration is read from SQLite database diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/ipsec.d/data.sql new file mode 100644 index 000000000..4f66841fa --- /dev/null +++ b/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/ipsec.d/data.sql @@ -0,0 +1,191 @@ +/* Identities */ + +INSERT INTO identities ( + type, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 202, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* moon.strongswan.org */ + 2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */ + 202, X'd70dbd46d5133519064f12f100525ead0802ca95' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* %any */ + 0, '%any' +); + +INSERT INTO identities ( + type, data +) VALUES ( /* carol@strongswan.org */ + 3, X'6361726f6c407374726f6e677377616e2e6f7267' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* dave@strongswan.org */ + 3, X'64617665407374726f6e677377616e2e6f7267' + ); + +/* Certificates */ + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 1, 1, X'308203b53082029da003020102020100300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131303134355a170d3134303930383131303134355a3045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100bff25f62ea3d566e58b3c87a49caf3ac61cfa96377734d842db3f8fd6ea023f7b0132e66265012317386729c6d7c427a8d9f167be138e8ebae2b12b95933baef36a315c3ddf224cee4bb9bd578135d0467382629621ff96b8d45f6e002e5083662dce181805c140b3f2ce93f83aee3c861cff610a39f0189cb3a3c7cb9bf7e2a09544e2170efaa18fdd4ff20fa94be176d7fecff821f68d17152041d9b46f0cfcfc1e4cf43de5d3f3a587763afe9267f53b11699b3264fc55c5189f5682871166cb98307950569641fa30ffb50de134fed2f973cef1a392827862bc4ddaa97bbb01442e293c41070d07224d4be47ae2753eb2bed4bc1da91c68ec780c4620f0f0203010001a381af3081ac300f0603551d130101ff040530030101ff300b0603551d0f040403020106301d0603551d0e041604145da7dd700651327ee7b66db3b5e5e060ea2e4def306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100300d06092a864886f70d010104050003820101009ad74e3e60592dfb9b21c78628bd76b63090c1720c74bf94753cad6fddadc9c776eb39d3bfaa52136bf528840078386308fcf79503bd3d1ad6c15ac38e10c846bff7888a03cfe7fa0e644b522b2af5aedf0bbc508dc48330a180757772771095059b2be148f58dc0c753b59e9d6bfb02e9b685a928a284531b187313fd2b835bc9ea27d0020739a8d485e88bdede9a45cde6d28ed553b0e8e92dabf877bed59abf9d151f15e4f2d00b5e6e49fcb665293d2296697926c2954dae367542ef6e98053e76d2728732f6ce69f284f0b856aa6c2823a9ee29b280a66f50828f9b5cf27f84feca3c31c24897db156c7a833768ab306f51286457a51f09dd53bbb4190f' +); + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=moon.strongswan.org */ + 1, 1, X'3082040d308202f5a003020102020103300d06092a864886f70d01010405003045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341301e170d3034303931303131313732355a170d3039303930393131313732355a3046310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311c301a060355040313136d6f6f6e2e7374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100afae2e109ac0a71b437b6f1a9e5194d085c999fe2c8de11b261f016c88e734eb1a6767b15bc7d8338bf3acc14e8a18bf857fd3dfbce637e9b0d3654f15d9068bdf4450517cf72651be8d4c8ff738ea961b2f5584bf7089afaa0a37b94910d18083bf649a7d395a41f04e68f14494d10ffc7d984a2c81e97f3421c1ec38c629b2456a3d8f3bf3915e86317ea71bb24422bef475e677e8967670b4f6ee2a80a45adcbd086a6537ab5fc12bf69f9072b620020de1880cec6cdea47543d1fec4c5ff547ac2447a1e210d9c128dc3337726eb63d5c1c731aa2c63ce175dbc8ebfb9c1e5198815be473781c3f82c2b59d23deb9739dda53c98d31a3fba57760aeaa89b0203010001a38201053082010130090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e04160414e5e410876c2ac4bead854942a6de7658303a9fc1306d0603551d230466306480145da7dd700651327ee7b66db3b5e5e060ea2e4defa149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820100301e0603551d110417301582136d6f6f6e2e7374726f6e677377616e2e6f726730390603551d1f04323030302ea02ca02a8628687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f7374726f6e677377616e2e63726c300d06092a864886f70d010104050003820101002f2f2921667aa576bb0c71b601dfa5b358a93e84e8a1af9754ddfbfc67879cb6c6b7833c5749e7c30b11a87b3549e105dda5d371c459f7d40fabd60c4ac8623924be84c96cfa638eb6ce9f6513b9d61080b895d270c405eacc310c709a613b6f61029c94f535ac5836b890be402ad2c52f01f7fd4bff8c0cc0cbea9720ef21c0bb41fb0726852a3c38563d917fdcca186dede6fbc83febd9edf0541382464ee378f7b8c9684df0d2402b07eb11dd4a886ab5e7299d99ea2686994746c2d9c00d95b02b2950d67f7978c6db5b379c4a3170239c414cf743bab866005366809690073a150e73c6866b9b335616acdbd3a8e651596dedb686b5d8d3eeb12df9d729' +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 1 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 2 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 3 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 4 +); + +/* Private Keys */ + +INSERT INTO private_keys ( + type, data +) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */ + 1, X'308204a30201000282010100afae2e109ac0a71b437b6f1a9e5194d085c999fe2c8de11b261f016c88e734eb1a6767b15bc7d8338bf3acc14e8a18bf857fd3dfbce637e9b0d3654f15d9068bdf4450517cf72651be8d4c8ff738ea961b2f5584bf7089afaa0a37b94910d18083bf649a7d395a41f04e68f14494d10ffc7d984a2c81e97f3421c1ec38c629b2456a3d8f3bf3915e86317ea71bb24422bef475e677e8967670b4f6ee2a80a45adcbd086a6537ab5fc12bf69f9072b620020de1880cec6cdea47543d1fec4c5ff547ac2447a1e210d9c128dc3337726eb63d5c1c731aa2c63ce175dbc8ebfb9c1e5198815be473781c3f82c2b59d23deb9739dda53c98d31a3fba57760aeaa89b0203010001028201004080550d67a42036945a377ab072078f5fef9b0885573a34fb941ab3bcb816e7d2f3f050600049d2f3296e5e32f5e50c3c79a852d74a377127a915e329845b30f3b26342e7fcde26d92d8bd4b7d23fdf08f02217f129e2838a8ce1d4b78ce33eaa2095515b74b93cc87c216fa3dc77bdc4d86017ababaf0d3318c9d86f27e29aa3301f6d7990f6f7f71db9de23ac66800ba0db4f42bbe82932ca56e08ba730c63febaf2779198cee387ee0934b32a2610ab990a4b908951bb1db2345cf1905f11aeaa6d1b368b7f82b1345ad14544e11d47d6981fc4be083326050cb950363dad1b28dbc16db42ec0fa973312c7306063bc9f308a6b0bcc965e5cb7e0b323ca102818100e71fffd9c9a528bdcb6e9ad1a5f4b354e3ea337392784aac790b4fba7f46b3b58d55965573f6493b686375cf6a0c68da9379434b055b625f01d64a9f1934cb075b25db5ef568325039674d577590b5ec54284842e04c27c97103a151805c9b620a3df84181e3a0c10752a7da6cac9629471a2bc85b32c3a160f3a8adf2d783d302818100c2968f5baf0d246bb9671b1dcfadab3a23cd6f9f1cba8c4b0d9b09d6c30a24eec174f22a4d9d2818d760b79a61c9cdd1381487723a99773a629b58171a6e28706bf083700f35037a0cb0649c9359987ccf77b44b4b3d94c614c74537c7025b503dc9967095411ecaec4b4427bc39dd5dfccbb8bab5d92e9465ab11e5e05d7319028181008b306e388e837461b89dc786f256c7991c18f31b6ade1eba77bb242cc071a7d0726954bbe9b62cac26559fa165d04b6536e3146f9dae4733c83b717d1705003051e81e90b56226cac18740c0a7009b4ed3efde74c7f7950e6f8d2c1d951c30477ebb8b428822b9b105e3f54a49a0365e6d7f895683f5b273019c3bbd663dfc190281807f5def6e12b1a682407405a2c8ba2356c5f2853a7fa2778bf4d6e364c87b4e5b5d138023427438b7b1da63b35088b808570dd0ee6afee2b4bbb074c382905235ebe11d176f4cc2fed3696e21b2ad358b947d04ed37cd9220e99ed966be0383e38cddf373b3ae514a7fca704d15fe46306bf4a8f0c570e7f5486ae6273269d89902818031055903f23c7db8da8951aad134c83a7ca951c48c9a7b994f36d9815bc82c80527b6da8e4beff9fee67b1fde5064719a40448bd6d70d9da8910122402835a328e74cfd34e8b568c29fae6ff831ef824fc825e609547a06052a4113ec09f00649bb7b7d195a773f11711c88f152b10a1b4ae58bb6d8bfc176e39f96c7c0de5c8' +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 3 +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 4 +); + +/* Shared Secrets */ + +INSERT INTO shared_secrets ( + type, data +) VALUES ( + 1, X'16964066a10de938bdb2ab7864fe4459cab1' +); + +INSERT INTO shared_secrets ( + type, data +) VALUES ( + 1, X'8d5cce342174da772c8224a59885deaa118d' +); + +INSERT INTO shared_secret_identity ( + shared_secret, identity +) VALUES ( + 1, 3 +); + +INSERT INTO shared_secret_identity ( + shared_secret, identity +) VALUES ( + 1, 6 +); + +INSERT INTO shared_secret_identity ( + shared_secret, identity +) VALUES ( + 2, 3 +); + +INSERT INTO shared_secret_identity ( + shared_secret, identity +) VALUES ( + 2, 7 +); + + +/* Configurations */ + +INSERT INTO ike_configs ( + local, remote, certreq +) VALUES ( + 'PH_IP_MOON', '0.0.0.0', 0 +); + +INSERT INTO peer_configs ( + name, ike_cfg, local_id, remote_id +) VALUES ( + 'rw', 1, 3, 5 +); + +INSERT INTO child_configs ( + name, updown +) VALUES ( + 'rw', 'ipsec _updown iptables' +); + +INSERT INTO peer_config_child_config ( + peer_cfg, child_cfg +) VALUES ( + 1, 1 +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( /* 10.1.0.0/16 */ + 7, X'0a010000', X'0a01ffff' +); + +INSERT INTO traffic_selectors ( + type +) VALUES ( /* dynamic/32 */ + 7 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 1, 0 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 2, 3 +); + diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/ipsec.secrets b/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..76bb21bea --- /dev/null +++ b/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +# secrets are read from SQLite database diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..5a35561ba --- /dev/null +++ b/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf @@ -0,0 +1,10 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + plugins { + sql { + database = sqlite:///etc/ipsec.d/ipsec.db + } + } + load = curl aes des sha1 sha2 md5 gmp random x509 pubkey hmac xcbc stroke sqlite sql +} diff --git a/testing/tests/sql/rw-psk-rsa-split/posttest.dat b/testing/tests/sql/rw-psk-rsa-split/posttest.dat new file mode 100644 index 000000000..d4d57ad83 --- /dev/null +++ b/testing/tests/sql/rw-psk-rsa-split/posttest.dat @@ -0,0 +1,10 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +dave::/etc/init.d/iptables stop 2> /dev/null +moon::rm /etc/ipsec.d/ipsec.* +carol::rm /etc/ipsec.d/ipsec.* +dave::rm /etc/ipsec.d/ipsec.* +~ diff --git a/testing/tests/sql/rw-psk-rsa-split/pretest.dat b/testing/tests/sql/rw-psk-rsa-split/pretest.dat new file mode 100644 index 000000000..76316f33d --- /dev/null +++ b/testing/tests/sql/rw-psk-rsa-split/pretest.dat @@ -0,0 +1,18 @@ +moon::rm /etc/ipsec.d/cacerts/* +carol::rm /etc/ipsec.d/cacerts/* +dave::rm /etc/ipsec.d/cacerts/* +moon::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql +carol::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql +dave::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql +moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db +carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db +dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +dave::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +carol::ipsec start +dave::ipsec start +carol::sleep 1 +carol::ipsec up home +dave::ipsec up home diff --git a/testing/tests/sql/rw-psk-rsa-split/test.conf b/testing/tests/sql/rw-psk-rsa-split/test.conf new file mode 100644 index 000000000..70416826e --- /dev/null +++ b/testing/tests/sql/rw-psk-rsa-split/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" |