diff options
Diffstat (limited to 'testing/tests')
539 files changed, 8567 insertions, 0 deletions
diff --git a/testing/tests/alg-blowfish/description.txt b/testing/tests/alg-blowfish/description.txt new file mode 100644 index 000000000..cff0a1915 --- /dev/null +++ b/testing/tests/alg-blowfish/description.txt @@ -0,0 +1,4 @@ +Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the strong cipher suite +<b>BLOWFISH_CBC_256-SHA2_512-MODP4096</b> for the IKE protocol and +<b>BLOWFISH_256-HMAC_SHA2_256</b> for ESP packets. A ping from <b>carol</b> to +<b>alice</b> successfully checks the established tunnel. diff --git a/testing/tests/alg-blowfish/evaltest.dat b/testing/tests/alg-blowfish/evaltest.dat new file mode 100644 index 000000000..a9c9b803a --- /dev/null +++ b/testing/tests/alg-blowfish/evaltest.dat @@ -0,0 +1,9 @@ + +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +moon::ipsec statusall::IKE algorithm newest: BLOWFISH_CBC_256-SHA2_512-MODP4096::YES +carol::ipsec statusall::IKE algorithm newest: BLOWFISH_CBC_256-SHA2_512-MODP4096::YES +moon::ipsec statusall::ESP algorithm newest: BLOWFISH_256-HMAC_SHA2_256::YES +carol::ipsec statusall::ESP algorithm newest: BLOWFISH_256-HMAC_SHA2_256::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES + diff --git a/testing/tests/alg-blowfish/hosts/carol/etc/ipsec.conf b/testing/tests/alg-blowfish/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..fa68c9d3d --- /dev/null +++ b/testing/tests/alg-blowfish/hosts/carol/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug="control crypt" + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + ike=blowfish256-sha2_512-modp4096! + esp=blowfish256-sha2_256! +conn home + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolCert.pem + leftid=carol@strongswan.org + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/alg-blowfish/hosts/moon/etc/ipsec.conf b/testing/tests/alg-blowfish/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..39916a7ba --- /dev/null +++ b/testing/tests/alg-blowfish/hosts/moon/etc/ipsec.conf @@ -0,0 +1,26 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug="control crypt" + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + leftnexthop=%direct + ike=blowfish256-sha2_512-modp4096! + esp=blowfish256-sha2_256! + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + right=%any + rightid=carol@strongswan.org + auto=add diff --git a/testing/tests/alg-blowfish/posttest.dat b/testing/tests/alg-blowfish/posttest.dat new file mode 100644 index 000000000..c6d6235f9 --- /dev/null +++ b/testing/tests/alg-blowfish/posttest.dat @@ -0,0 +1,2 @@ +moon::ipsec stop +carol::ipsec stop diff --git a/testing/tests/alg-blowfish/pretest.dat b/testing/tests/alg-blowfish/pretest.dat new file mode 100644 index 000000000..6d2eeb5f9 --- /dev/null +++ b/testing/tests/alg-blowfish/pretest.dat @@ -0,0 +1,5 @@ +moon::echo 1 > /proc/sys/net/ipv4/ip_forward +carol::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/alg-blowfish/test.conf b/testing/tests/alg-blowfish/test.conf new file mode 100644 index 000000000..a6c8f026c --- /dev/null +++ b/testing/tests/alg-blowfish/test.conf @@ -0,0 +1,22 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" + diff --git a/testing/tests/alg-serpent/description.txt b/testing/tests/alg-serpent/description.txt new file mode 100644 index 000000000..f49c0a1c0 --- /dev/null +++ b/testing/tests/alg-serpent/description.txt @@ -0,0 +1,4 @@ +Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the strong cipher suite +<b>SERPENT_CBC_256-SHA2_512-MODP4096</b> for the IKE protocol and +<b>SERPENT_256-HMAC_SHA2_256</b> for ESP packets. A ping from <b>carol</b> to +<b>alice</b> successfully checks the established tunnel. diff --git a/testing/tests/alg-serpent/evaltest.dat b/testing/tests/alg-serpent/evaltest.dat new file mode 100644 index 000000000..6b792538b --- /dev/null +++ b/testing/tests/alg-serpent/evaltest.dat @@ -0,0 +1,9 @@ + +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +moon::ipsec statusall::IKE algorithm newest: SERPENT_CBC_256-SHA2_512-MODP4096::YES +carol::ipsec statusall::IKE algorithm newest: SERPENT_CBC_256-SHA2_512-MODP4096::YES +moon::ipsec statusall::ESP algorithm newest: SERPENT_256-HMAC_SHA2_256::YES +carol::ipsec statusall::ESP algorithm newest: SERPENT_256-HMAC_SHA2_256::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES + diff --git a/testing/tests/alg-serpent/hosts/carol/etc/ipsec.conf b/testing/tests/alg-serpent/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..5d2369924 --- /dev/null +++ b/testing/tests/alg-serpent/hosts/carol/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug="control crypt" + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + ike=serpent256-sha2_512-modp4096! + esp=serpent256-sha2_256! +conn home + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolCert.pem + leftid=carol@strongswan.org + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/alg-serpent/hosts/moon/etc/ipsec.conf b/testing/tests/alg-serpent/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..7bdddf008 --- /dev/null +++ b/testing/tests/alg-serpent/hosts/moon/etc/ipsec.conf @@ -0,0 +1,26 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug="control crypt" + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + leftnexthop=%direct + ike=serpent256-sha2_512-modp4096! + esp=serpent256-sha2_256! + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + right=%any + rightid=carol@strongswan.org + auto=add diff --git a/testing/tests/alg-serpent/posttest.dat b/testing/tests/alg-serpent/posttest.dat new file mode 100644 index 000000000..c6d6235f9 --- /dev/null +++ b/testing/tests/alg-serpent/posttest.dat @@ -0,0 +1,2 @@ +moon::ipsec stop +carol::ipsec stop diff --git a/testing/tests/alg-serpent/pretest.dat b/testing/tests/alg-serpent/pretest.dat new file mode 100644 index 000000000..6d2eeb5f9 --- /dev/null +++ b/testing/tests/alg-serpent/pretest.dat @@ -0,0 +1,5 @@ +moon::echo 1 > /proc/sys/net/ipv4/ip_forward +carol::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/alg-serpent/test.conf b/testing/tests/alg-serpent/test.conf new file mode 100644 index 000000000..a6c8f026c --- /dev/null +++ b/testing/tests/alg-serpent/test.conf @@ -0,0 +1,22 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" + diff --git a/testing/tests/alg-sha2_256/description.txt b/testing/tests/alg-sha2_256/description.txt new file mode 100644 index 000000000..900fcf017 --- /dev/null +++ b/testing/tests/alg-sha2_256/description.txt @@ -0,0 +1,4 @@ +Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the rather strong cipher suite +<b>AES_CBC_128-SHA2_256-MODP1536</b> for the IKE protocol and +<b>AES_128-HMAC_SHA2_256</b> for ESP packets. A ping from <b>carol</b> to +<b>alice</b> successfully checks the established tunnel. diff --git a/testing/tests/alg-sha2_256/evaltest.dat b/testing/tests/alg-sha2_256/evaltest.dat new file mode 100644 index 000000000..9b4caa278 --- /dev/null +++ b/testing/tests/alg-sha2_256/evaltest.dat @@ -0,0 +1,9 @@ + +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +moon::ipsec statusall::IKE algorithm newest: AES_CBC_128-SHA2_256-MODP1536::YES +carol::ipsec statusall::IKE algorithm newest: AES_CBC_128-SHA2_256-MODP1536::YES +moon::ipsec statusall::ESP algorithm newest: AES_128-HMAC_SHA2_256::YES +carol::ipsec statusall::ESP algorithm newest: AES_128-HMAC_SHA2_256::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES + diff --git a/testing/tests/alg-sha2_256/hosts/carol/etc/ipsec.conf b/testing/tests/alg-sha2_256/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..c55ae8ab1 --- /dev/null +++ b/testing/tests/alg-sha2_256/hosts/carol/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug="control crypt" + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + ike=aes128-sha2_256-modp1536! + esp=aes128-sha2_256! +conn home + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolCert.pem + leftid=carol@strongswan.org + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/alg-sha2_256/hosts/moon/etc/ipsec.conf b/testing/tests/alg-sha2_256/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..748b1b85c --- /dev/null +++ b/testing/tests/alg-sha2_256/hosts/moon/etc/ipsec.conf @@ -0,0 +1,26 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug="control crypt" + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + leftnexthop=%direct + ike=aes128-sha2_256-modp1536! + esp=aes128-sha2_256! + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + right=%any + rightid=carol@strongswan.org + auto=add diff --git a/testing/tests/alg-sha2_256/posttest.dat b/testing/tests/alg-sha2_256/posttest.dat new file mode 100644 index 000000000..c6d6235f9 --- /dev/null +++ b/testing/tests/alg-sha2_256/posttest.dat @@ -0,0 +1,2 @@ +moon::ipsec stop +carol::ipsec stop diff --git a/testing/tests/alg-sha2_256/pretest.dat b/testing/tests/alg-sha2_256/pretest.dat new file mode 100644 index 000000000..7d077c126 --- /dev/null +++ b/testing/tests/alg-sha2_256/pretest.dat @@ -0,0 +1,5 @@ +moon::echo 1 > /proc/sys/net/ipv4/ip_forward +carol::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/alg-sha2_256/test.conf b/testing/tests/alg-sha2_256/test.conf new file mode 100644 index 000000000..a6c8f026c --- /dev/null +++ b/testing/tests/alg-sha2_256/test.conf @@ -0,0 +1,22 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" + diff --git a/testing/tests/alg-twofish/description.txt b/testing/tests/alg-twofish/description.txt new file mode 100644 index 000000000..0015561ee --- /dev/null +++ b/testing/tests/alg-twofish/description.txt @@ -0,0 +1,4 @@ +Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the strong cipher suite +<b>TWOFISH_CBC_256-SHA2_512-MODP4096</b> for the IKE protocol and +<b>TWOFISH_256-HMAC_SHA2_256</b> for ESP packets. A ping from <b>carol</b> to +<b>alice</b> successfully checks the established tunnel. diff --git a/testing/tests/alg-twofish/evaltest.dat b/testing/tests/alg-twofish/evaltest.dat new file mode 100644 index 000000000..0568eec6e --- /dev/null +++ b/testing/tests/alg-twofish/evaltest.dat @@ -0,0 +1,8 @@ +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +moon::ipsec statusall::IKE algorithm newest: TWOFISH_CBC_256-SHA2_512-MODP4096::YES +carol::ipsec statusall::IKE algorithm newest: TWOFISH_CBC_256-SHA2_512-MODP4096::YES +moon::ipsec statusall::ESP algorithm newest: TWOFISH_256-HMAC_SHA2_256::YES +carol::ipsec statusall::ESP algorithm newest: TWOFISH_256-HMAC_SHA2_256::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES + diff --git a/testing/tests/alg-twofish/hosts/carol/etc/ipsec.conf b/testing/tests/alg-twofish/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..8e3037a3b --- /dev/null +++ b/testing/tests/alg-twofish/hosts/carol/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug="control crypt" + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + ike=twofish256-sha2_512-modp4096! + esp=twofish256-sha2_256! +conn home + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolCert.pem + leftid=carol@strongswan.org + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/alg-twofish/hosts/moon/etc/ipsec.conf b/testing/tests/alg-twofish/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..01004e94e --- /dev/null +++ b/testing/tests/alg-twofish/hosts/moon/etc/ipsec.conf @@ -0,0 +1,26 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug="control crypt" + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + leftnexthop=%direct + ike=twofish256-sha2_512-modp4096! + esp=twofish256-sha2_256! + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + right=%any + rightid=carol@strongswan.org + auto=add diff --git a/testing/tests/alg-twofish/posttest.dat b/testing/tests/alg-twofish/posttest.dat new file mode 100644 index 000000000..c6d6235f9 --- /dev/null +++ b/testing/tests/alg-twofish/posttest.dat @@ -0,0 +1,2 @@ +moon::ipsec stop +carol::ipsec stop diff --git a/testing/tests/alg-twofish/pretest.dat b/testing/tests/alg-twofish/pretest.dat new file mode 100644 index 000000000..7d077c126 --- /dev/null +++ b/testing/tests/alg-twofish/pretest.dat @@ -0,0 +1,5 @@ +moon::echo 1 > /proc/sys/net/ipv4/ip_forward +carol::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/alg-twofish/test.conf b/testing/tests/alg-twofish/test.conf new file mode 100644 index 000000000..a6c8f026c --- /dev/null +++ b/testing/tests/alg-twofish/test.conf @@ -0,0 +1,22 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" + diff --git a/testing/tests/attr-cert/description.txt b/testing/tests/attr-cert/description.txt new file mode 100644 index 000000000..b7f809c36 --- /dev/null +++ b/testing/tests/attr-cert/description.txt @@ -0,0 +1,7 @@ +The VPN gateway <b>moon</b> controls the access to the hosts <b>alice</b> and +<b>venus</b> by means of <b>X.509 Attribute Certificates</b>. Access to <b>alice</b> +is granted to members of the group 'Research' whereas <b>venus</b> can only +be reached by members of the groups 'Accounting' and 'Sales'. The roadwarriors +<b>carol</b> and <b>dave</b> belong to the groups 'Research' and 'Accounting', +respectively. Therefore <b>carol</b> can access <b>alice</b> and <b>dave</b> +can reach <b>venus</b>.
\ No newline at end of file diff --git a/testing/tests/attr-cert/evaltest.dat b/testing/tests/attr-cert/evaltest.dat new file mode 100644 index 000000000..59f6eb76a --- /dev/null +++ b/testing/tests/attr-cert/evaltest.dat @@ -0,0 +1,12 @@ +carol::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::YES +moon::cat /var/log/auth.log::alice.*peer matches group 'Research'::YES +moon::ipsec status::alice.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::YES +carol::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::NO +moon::cat /var/log/auth.log::venus.*peer doesn't match any group::YES +moon::ipsec status::venus.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::NO +dave::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::YES +moon::cat /var/log/auth.log::venus.*peer matches group 'Accounting'::YES +moon::ipsec status::venus.*PH_IP_DAVE.*STATE_QUICK_R2.*IPsec SA established::YES +dave::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::NO +moon::cat /var/log/auth.log::alice.*peer doesn't match any group::YES +moon::ipsec status::alice.*PH_IP_DAVE.*STATE_QUICK_R2.*IPsec SA established::NO diff --git a/testing/tests/attr-cert/hosts/carol/etc/ipsec.conf b/testing/tests/attr-cert/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..62fc49868 --- /dev/null +++ b/testing/tests/attr-cert/hosts/carol/etc/ipsec.conf @@ -0,0 +1,33 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolCert.pem + leftid=carol@strongswan.org + right=PH_IP_MOON + rightid=@moon.strongswan.org + +conn alice + rightsubnet=PH_IP_ALICE/32 + auto=add + +conn venus + rightsubnet=PH_IP_VENUS/32 + auto=add + + + + + diff --git a/testing/tests/attr-cert/hosts/dave/etc/ipsec.conf b/testing/tests/attr-cert/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..9d932dc54 --- /dev/null +++ b/testing/tests/attr-cert/hosts/dave/etc/ipsec.conf @@ -0,0 +1,33 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_DAVE + leftnexthop=%direct + leftcert=daveCert.pem + leftid=dave@strongswan.org + right=PH_IP_MOON + rightid=@moon.strongswan.org + +conn alice + rightsubnet=PH_IP_ALICE/32 + auto=add + +conn venus + rightsubnet=PH_IP_VENUS/32 + auto=add + + + + + diff --git a/testing/tests/attr-cert/hosts/moon/etc/ipsec.conf b/testing/tests/attr-cert/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..bd72715ff --- /dev/null +++ b/testing/tests/attr-cert/hosts/moon/etc/ipsec.conf @@ -0,0 +1,31 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_MOON + leftnexthop=%direct + leftcert=moonCert.pem + leftid=@moon.strongswan.org + +conn alice + leftsubnet=PH_IP_ALICE/32 + right=%any + rightgroups=Research + auto=add + +conn venus + leftsubnet=PH_IP_VENUS/32 + right=%any + rightgroups="Accounting, Sales" + auto=add + diff --git a/testing/tests/attr-cert/hosts/moon/etc/ipsec.d/aacerts/aaCert.pem b/testing/tests/attr-cert/hosts/moon/etc/ipsec.d/aacerts/aaCert.pem new file mode 100644 index 000000000..3c5c5d91d --- /dev/null +++ b/testing/tests/attr-cert/hosts/moon/etc/ipsec.d/aacerts/aaCert.pem @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEKjCCAxKgAwIBAgIBCzANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA1MDIxNzA4NDQzMFoXDTEwMDIxNjA4NDQzMFowZjELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xIDAeBgNVBAsTF0F1dGhv +cml6YXRpb24gQXV0aG9yaXR5MRowGAYDVQQDFBFhYUBzdHJvbmdzd2FuLm9yZzCC +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL2Czo4Mds6Jz15DWop6ExWI +wWt9zU8Xu//ow1F0Kf9a4DLjo8qO+km3gybByNQQv1LrZ1eq+82Gy4RYXU1FnhC6 +dc8aobDmUQkY/8uYXtUmevKF5QcbYciDLp01W1q0DONAlc/9wmvJWhvjs9itWOBC +fAUcH3eUNvMgkc7hlQTqreZTH4zyJ6M54JibkTsyfVg/1yOT41zUU3b+vI/r9kNB +CYcp2DrdhdxX6mEiSTyDA/OMlgvCa7kPinUL4FJtQOFBozCsGcD28ONLc8Abkggf +NABXCclPVAXOTawJF3dRWcMhIlNLWxWMVRvEt5OkAEdy/mXGBvtVArmGnmA+8zcC +AwEAAaOCAQIwgf8wCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFA+6 +5KwThPKc9Vxn0048uRThft1tMG0GA1UdIwRmMGSAFF2n3XAGUTJ+57Zts7Xl4GDq +Lk3voUmkRzBFMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dh +bjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBSb290IENBggEAMBwGA1UdEQQVMBOBEWFh +QHN0cm9uZ3N3YW4ub3JnMDkGA1UdHwQyMDAwLqAsoCqGKGh0dHA6Ly9jcmwuc3Ry +b25nc3dhbi5vcmcvc3Ryb25nc3dhbi5jcmwwDQYJKoZIhvcNAQEEBQADggEBAIeg +CjgR2yIGSuyrFolvEM/qoT3j+LpQREDZbx9BKr3kGmbqF75clwfpysJ4FlXZZ2CR +aH2GoPOZGXwsYc3poqGeeWSxo+fpt4XIGUc1eREXm1rKVMd+qb0u0PXuhq2+u1aY +ZJDY0yqUU2/7AInXjzG7lI120W+K6tuTM/5UVI5EPpAFwUVlCxnMh4Sl4VkgZ2Hw +YnO3/8SEHmHR03/GhOd5d8hD8a0AGHtdOPpZnUOR9PH5FszpQ/alUdn+NTdQ7O2v +Q8jqPCeQSAAkJbBBRvGA4bD6KXt1k74fXXUofiKWpQUozlO1Cc978Kfl5/do5bov +wTLSA/z7c8nVCVoZI9Y= +-----END CERTIFICATE----- diff --git a/testing/tests/attr-cert/hosts/moon/etc/openac/aaKey.pem b/testing/tests/attr-cert/hosts/moon/etc/openac/aaKey.pem new file mode 100644 index 000000000..209b48f3a --- /dev/null +++ b/testing/tests/attr-cert/hosts/moon/etc/openac/aaKey.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEAvYLOjgx2zonPXkNainoTFYjBa33NTxe7/+jDUXQp/1rgMuOj +yo76SbeDJsHI1BC/UutnV6r7zYbLhFhdTUWeELp1zxqhsOZRCRj/y5he1SZ68oXl +BxthyIMunTVbWrQM40CVz/3Ca8laG+Oz2K1Y4EJ8BRwfd5Q28yCRzuGVBOqt5lMf +jPInozngmJuROzJ9WD/XI5PjXNRTdv68j+v2Q0EJhynYOt2F3FfqYSJJPIMD84yW +C8JruQ+KdQvgUm1A4UGjMKwZwPbw40tzwBuSCB80AFcJyU9UBc5NrAkXd1FZwyEi +U0tbFYxVG8S3k6QAR3L+ZcYG+1UCuYaeYD7zNwIDAQABAoIBAQCCGgsz+dqWcIWs +cRD3gFcZsYkYAoWwhtrKFUIB6X3rkLfaN+16Yi3x7cpcES2OaPDwPCv2Q6warS+K +7B8hrWmWkmvOgrn+eB+p3z+8xh5UttYxKTrSZjn7LhQSWU8eNf2jBfPTlqKi3Ni/ +zNLrLhaV3w7Fc0knDtmqj/GJ1dQ4SrUpME3sREpWbGSzjJ2UsR7iqQiDsYwWHzK2 +nWWwzrSmpObhDR3jiyOwBy/DEjXRC7h0fUL8eBghJvLWgFgifI5Z36FXa0FasxQr +zKZnQdwuJHqQz7+sVjAmKtNd7x7RE5Ii0oQYiWDFr0OAwKD5UfMNydpcOVC/bV2n +SKWmguoBAoGBAO73MTPP9ne4cfC7t4k2+F9hkb7mAjAbk9GbTyZyEKSDKH2bL02W +G4kXdlkvZVgKhIDg8PCouRSQKv2IxubDrarFURb5KMJlyfBV1Q8JSxpVtxK69clq +yIu/AtiiBE/n11MdmdoJLr6l2nNStJummj2jw5OyN8sdJarf83rCy+ITAoGBAMsF +IfivZ+Tueavy0tGRb1qqKalIhwzLBRmWCna39bB9rK4eTNio5Oes95mC7t8mslmO +18enKUTO87svWLzo8NVYIKSqg5B+kIN44hROErlV6HHPVd5vJzZFjH7SSfy5y8Ka +wmsA1xiG6NEgEndc6F6uQ2YdaZAHWFO6CiTNpq7NAoGADXglb9QzAkCFO5p5F+Tf +TxEC1A3G5ctII7JrXbFkOsGh0KKkoezqFGocI57GSZYeLd1/9zCrbftKUQwamftB +mLSSg4b7wylVnpRX9AcEErHuJcIgBIBeWXIkyO0o7RAWVPsAJwgJeHmEvKdWwsc7 +PmoypeqPtoUoEF+bK7o7H70CgYAYlYaHlrX+AuK4766XsgTJ9dEVrrKr2enEL2cU ++THHLXC7pO+pTMprQ4a4ECLc4tK2BZYblyJoMqdRA2q7dXm0W/eX+Q31cV4OjZTS +4KFj0ANVxMWhKdSVvdZFhTFwaQ9DgXoJexCQ58VJjZiu25FH5dJDi0w9JKaNfPm9 +eym0AQKBgHhfqD9EXxazoP27NyZAFUSA3r4u06qFjbAEjbuJVAJNSuEu6Sht2uIg +lCHpTPssDLHVSY0faQwY4vPqJZVg0k/rAu2VlvbJxYrdzXr8eTfPRJrhv/s/Tbro +n1rmisBKov1P2Cu2e03a8+GDO3lpSZr9YNG/e7wggSbfAvqCoUDF +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/attr-cert/hosts/moon/etc/openac/carolCert.pem b/testing/tests/attr-cert/hosts/moon/etc/openac/carolCert.pem new file mode 100644 index 000000000..8492fbd45 --- /dev/null +++ b/testing/tests/attr-cert/hosts/moon/etc/openac/carolCert.pem @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEIjCCAwqgAwIBAgIBCjANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA1MDEwMTIxNDMxOFoXDTA5MTIzMTIxNDMxOFowWjELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh +cmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBALgbhJIECOCGyNJ4060un/wBuJ6MQjthK5CAEPgX +T/lvZynoSxhfuW5geDCCxQes6dZPeb6wJS4F5fH3qJoLM+Z4n13rZlCEyyMBkcFl +vK0aNFY+ARs0m7arUX8B7Pfi9N6WHTYgO4XpeBHLJrZQz9AU0V3S0rce/WVuVjii +S/cJhrgSi7rl87Qo1jYOA9P06BZQLj0dFNcWWrGpKp/hXvBF1OSP9b15jsgMlCCW +LJqXmLVKDtKgDPLJZR19mILhgcHvaxxD7craL9GR4QmWLb0m84oAIIwaw+0npZJM +YDMMeYeOtcepCWCmRy+XmsqcWu4rtNCu05W1RsXjYZEKBjcCAwEAAaOCAQYwggEC +MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBRVNeym66J5uu+IfxhD +j9InsWdG0TBtBgNVHSMEZjBkgBRdp91wBlEyfue2bbO15eBg6i5N76FJpEcwRTEL +MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT +EnN0cm9uZ1N3YW4gUm9vdCBDQYIBADAfBgNVHREEGDAWgRRjYXJvbEBzdHJvbmdz +d2FuLm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4u +b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBBAUAA4IBAQCxMEp+Zdclc0aI +U+jO3TmL81gcwea0BUucjZfDyvCSkDXcXidOez+l/vUueGC7Bqq1ukDF8cpVgGtM +2HPxM97ZSLPInMgWIeLq3uX8iTtIo05EYqRasJxBIAkY9o6ja6v6z0CZqjSbi2WE +HrHkFrkOTrRi7deGzbAAhWVjOnAfzSxBaujkdUxb6jGBc2F5qpAeVSbE+sAxzmSd +hRyF3tUUwl4yabBzmoedJzlQ4anqg0G14QScBxgXkq032gKuzNVVxWRp6OFannKG +C1INvsBWYtN62wjXlXXhM/M4sBFhmPpftVb+Amgr1jSspTX2dQsNqhI/WtNvLmfK +omBYfxqp +-----END CERTIFICATE----- diff --git a/testing/tests/attr-cert/hosts/moon/etc/openac/daveCert.pem b/testing/tests/attr-cert/hosts/moon/etc/openac/daveCert.pem new file mode 100644 index 000000000..abd1554e5 --- /dev/null +++ b/testing/tests/attr-cert/hosts/moon/etc/openac/daveCert.pem @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEIjCCAwqgAwIBAgIBCDANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA0MDkxMDExMjY1MVoXDTA5MDkwOTExMjY1MVowWzELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xEzARBgNVBAsTCkFjY291 +bnRpbmcxHDAaBgNVBAMUE2RhdmVAc3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3 +DQEBAQUAA4IBDwAwggEKAoIBAQDGbCmUY6inir71/6RWebegcLUTmDSxRqpRONDx +2IRUEuES5EKc7qsjRz45XoqjiywCQRjYW33fUEEY6r7fnHk70CyUnWeZyr7v4D/2 +LjBN3smDE6/ZZrzxPx+xphlUigYOF/vt4gUiW1dOZ5rcnxG9+eNrSL6gWNNg1iuE +RflSTbmHV6TVmGU2PGddKGZ6XfqWfdA+6iOi2+oyqw6aH4u4hfXhJyMROEOhLdAF +UvzU9UizEXSqsmEOSodS9vypVJRYTbZcx70e9Q7g2MghHvtQY6mVgBzAwakDBCt/ +98lAlKDeXXOQqPcqAZSc2VjG8gEmkr1dum8wsJw8C2liKGRFAgMBAAGjggEFMIIB +ATAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQU3pC10RxsZDx0UNNq ++Ihsoxk4+3IwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUx +CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQD +ExJzdHJvbmdTd2FuIFJvb3QgQ0GCAQAwHgYDVR0RBBcwFYETZGF2ZUBzdHJvbmdz +d2FuLm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4u +b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBBAUAA4IBAQAnotcnOE0tJDLy +8Vh1+naT2zrxx9UxfMIeFljwhDqRiHXSLDAbCOnAWoqj8C9riuZwW7UImIIQ9JT9 +Gdktt4bbIcG25rGMC3uqP71CfaAz/SwIZZ2vm8Jt2ZzzSMHsE5qbjDIRAZnq6giR +P2s6PVsMPSpvH34sRbE0UoWJSdtBZJP5bb+T4hc9gfmbyTewwMnjh09KkGJqVxKV +UC/1z1U9zb3X1Gc9y+zI67/D46wM6KdRINaqPdK26aYRFM+/DLoTfFk07dsyz7lt +0C+/ityQOvpfjVlZ/OepT92eWno4FuNRJuUP5/gYiHvSsjZbazqG02qGhJ6VgtGT +5qILUTmI +-----END CERTIFICATE----- diff --git a/testing/tests/attr-cert/hosts/moon/etc/openac/default.conf b/testing/tests/attr-cert/hosts/moon/etc/openac/default.conf new file mode 100644 index 000000000..134218eec --- /dev/null +++ b/testing/tests/attr-cert/hosts/moon/etc/openac/default.conf @@ -0,0 +1,4 @@ +--cert /etc/ipsec.d/aacerts/aaCert.pem +--key /etc/openac/aaKey.pem +--quiet +--hours 8 diff --git a/testing/tests/attr-cert/posttest.dat b/testing/tests/attr-cert/posttest.dat new file mode 100644 index 000000000..a59c3ff63 --- /dev/null +++ b/testing/tests/attr-cert/posttest.dat @@ -0,0 +1,6 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::rm /etc/openac/* +moon::rm /etc/ipsec.d/aacerts/aaCert.pem +moon::rm /etc/ipsec.d/acerts/* diff --git a/testing/tests/attr-cert/pretest.dat b/testing/tests/attr-cert/pretest.dat new file mode 100644 index 000000000..b3fecaf3c --- /dev/null +++ b/testing/tests/attr-cert/pretest.dat @@ -0,0 +1,12 @@ +moon::echo 1 > /proc/sys/net/ipv4/ip_forward +moon::cat /etc/openac/default.conf +moon::ipsec openac --optionsfrom default.conf --usercert /etc/openac/carolCert.pem --groups Research --out /etc/ipsec.d/acerts/carolAC.pem +moon::ipsec openac --optionsfrom default.conf --usercert /etc/openac/daveCert.pem --groups Accounting --out /etc/ipsec.d/acerts/daveAC.pem +carol::ipsec start +dave::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up alice +carol::ipsec up venus +dave::ipsec up venus +dave::ipsec up alice diff --git a/testing/tests/attr-cert/test.conf b/testing/tests/attr-cert/test.conf new file mode 100644 index 000000000..08e5cc145 --- /dev/null +++ b/testing/tests/attr-cert/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice venus moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-v-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/compress/description.txt b/testing/tests/compress/description.txt new file mode 100644 index 000000000..47829839d --- /dev/null +++ b/testing/tests/compress/description.txt @@ -0,0 +1,3 @@ +This scenario enables IPCOMP compression between roadwarrior <b>carol</b> and +gateway <b>moon</b>. Two pings from <b>carol</b> to <b>alice</b> checks +the established tunnel with compression. diff --git a/testing/tests/compress/evaltest.dat b/testing/tests/compress/evaltest.dat new file mode 100644 index 000000000..ff72e1762 --- /dev/null +++ b/testing/tests/compress/evaltest.dat @@ -0,0 +1,10 @@ +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +moon::ipsec statusall::policy.*COMPRESS::YES +carol::ipsec statusall::policy.*COMPRESS::YES +moon::ipsec statusall::comp.::YES +carol::ipsec statusall::comp.::YES +carol::ping -n -c 2 -s 8184 -p deadbeef PH_IP_ALICE::8192 bytes from PH_IP_ALICE::YES +moon::tcpdump::carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::moon.strongswan.org > carol.strongswan.org: ESP::YES + diff --git a/testing/tests/compress/hosts/carol/etc/ipsec.conf b/testing/tests/compress/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..9462ba5e6 --- /dev/null +++ b/testing/tests/compress/hosts/carol/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug="control crypt" + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + compress=yes + +conn home + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolCert.pem + leftid=carol@strongswan.org + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/compress/hosts/moon/etc/ipsec.conf b/testing/tests/compress/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..b8dfae646 --- /dev/null +++ b/testing/tests/compress/hosts/moon/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug="control crypt" + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + leftnexthop=%direct + compress=yes + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + right=%any + rightid=carol@strongswan.org + auto=add diff --git a/testing/tests/compress/posttest.dat b/testing/tests/compress/posttest.dat new file mode 100644 index 000000000..c6d6235f9 --- /dev/null +++ b/testing/tests/compress/posttest.dat @@ -0,0 +1,2 @@ +moon::ipsec stop +carol::ipsec stop diff --git a/testing/tests/compress/pretest.dat b/testing/tests/compress/pretest.dat new file mode 100644 index 000000000..7d077c126 --- /dev/null +++ b/testing/tests/compress/pretest.dat @@ -0,0 +1,5 @@ +moon::echo 1 > /proc/sys/net/ipv4/ip_forward +carol::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/compress/test.conf b/testing/tests/compress/test.conf new file mode 100644 index 000000000..fd33cfb57 --- /dev/null +++ b/testing/tests/compress/test.conf @@ -0,0 +1,22 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" + diff --git a/testing/tests/crl-from-cache/description.txt b/testing/tests/crl-from-cache/description.txt new file mode 100644 index 000000000..17866f572 --- /dev/null +++ b/testing/tests/crl-from-cache/description.txt @@ -0,0 +1,5 @@ +By setting <b>strictcrlpolicy=yes</b> a <b>strict CRL policy</b> is enforced on +both roadwarrior <b>carol</b> and gateway <b>moon</b>. When <b>carol</b> initiates +an IPsec connection to <b>moon</b>, both VPN endpoints find a cached CRL in +their <b>/etc/ipsec.d/crls/</b> directories which allows them to immediately verify +the certificate received from their peer. diff --git a/testing/tests/crl-from-cache/evaltest.dat b/testing/tests/crl-from-cache/evaltest.dat new file mode 100644 index 000000000..dd200c8ef --- /dev/null +++ b/testing/tests/crl-from-cache/evaltest.dat @@ -0,0 +1,10 @@ +moon::cat /var/log/auth.log::loaded crl file::YES +carol::cat /var/log/auth.log::loaded crl file::YES +moon::cat /var/log/auth.log::X.509 certificate rejected::NO +carol::cat /var/log/auth.log::X.509 certificate rejected::NO +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::cat /var/log/auth.log::written crl file::NO +carol::cat /var/log/auth.log::written crl file::NO +moon::ipsec listcrls:: ok::YES +carol::ipsec listcrls:: ok::YES diff --git a/testing/tests/crl-from-cache/hosts/carol/etc/ipsec.conf b/testing/tests/crl-from-cache/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..93c4d7956 --- /dev/null +++ b/testing/tests/crl-from-cache/hosts/carol/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=yes + cachecrls=yes + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolCert.pem + leftid=carol@strongswan.org + +conn home + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/crl-from-cache/hosts/moon/etc/ipsec.conf b/testing/tests/crl-from-cache/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..ef9237518 --- /dev/null +++ b/testing/tests/crl-from-cache/hosts/moon/etc/ipsec.conf @@ -0,0 +1,36 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=yes + cachecrls=yes + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_MOON + leftnexthop=%direct + leftcert=moonCert.pem + leftid=@moon.strongswan.org + +conn net-net + leftsubnet=10.1.0.0/16 + right=PH_IP_SUN + rightsubnet=10.2.0.0/16 + rightid=@sun.strongswan.org + auto=add + +conn host-host + right=PH_IP_SUN + rightid=@sun.strongswan.org + auto=add + +conn rw + leftsubnet=10.1.0.0/16 + right=%any + auto=add diff --git a/testing/tests/crl-from-cache/posttest.dat b/testing/tests/crl-from-cache/posttest.dat new file mode 100644 index 000000000..be17847c1 --- /dev/null +++ b/testing/tests/crl-from-cache/posttest.dat @@ -0,0 +1,4 @@ +moon::ipsec stop +carol::ipsec stop +moon::rm /etc/ipsec.d/crls/* +carol::rm /etc/ipsec.d/crls/* diff --git a/testing/tests/crl-from-cache/pretest.dat b/testing/tests/crl-from-cache/pretest.dat new file mode 100644 index 000000000..acdb265ed --- /dev/null +++ b/testing/tests/crl-from-cache/pretest.dat @@ -0,0 +1,8 @@ +moon::wget -q http://crl.strongswan.org/strongswan.crl +moon::mv strongswan.crl /etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl +carol::wget -q http://crl.strongswan.org/strongswan.crl +carol::mv strongswan.crl /etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl +moon::ipsec start +carol::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/crl-from-cache/test.conf b/testing/tests/crl-from-cache/test.conf new file mode 100644 index 000000000..2b240d895 --- /dev/null +++ b/testing/tests/crl-from-cache/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/crl-ldap/description.txt b/testing/tests/crl-ldap/description.txt new file mode 100644 index 000000000..02dc0cbbe --- /dev/null +++ b/testing/tests/crl-ldap/description.txt @@ -0,0 +1,9 @@ +By setting <b>strictcrlpolicy=yes</b> a <b>strict CRL policy</b> is enforced on +both roadwarrior <b>carol</b> and gateway <b>moon</b>. Thus when <b>carol</b> initiates +the connection and only an expired CRL cache file in <b>/etc/ipsec.d/crls</b> is +available, the Main Mode negotiation fails. A http fetch for an updated CRL fails +because the web server is currently not reachable. Thus the second Main Mode negotiation +fails, too. Finally an ldap fetch to get the CRL from the LDAP server <b>winnetou</b> +is triggered. When the third Main Mode trial comes around, the fetched CRL has become +available and the IKE negotiation completes. The new CRL is again cached locally as a +file in <b>/etc/ipsec.d/crls</b> due to the <b>cachecrls=yes</b> option. diff --git a/testing/tests/crl-ldap/evaltest.dat b/testing/tests/crl-ldap/evaltest.dat new file mode 100644 index 000000000..2b98e086a --- /dev/null +++ b/testing/tests/crl-ldap/evaltest.dat @@ -0,0 +1,16 @@ +moon::cat /var/log/auth.log::loaded crl file::YES +carol::cat /var/log/auth.log::loaded crl file::YES +moon::cat /var/log/auth.log::crl update is overdue::YES +carol::cat /var/log/auth.log::crl update is overdue::YES +moon::cat /var/log/auth.log::X.509 certificate rejected::YES +carol::cat /var/log/auth.log::X.509 certificate rejected::YES +moon::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES +carol::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES +moon::cat /var/log/auth.log::Trying LDAP URL::YES +carol::cat /var/log/auth.log::Trying LDAP URL::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::cat /var/log/auth.log::written crl file::YES +carol::cat /var/log/auth.log::written crl file::YES +moon::ipsec listcrls:: ok::YES +carol::ipsec listcrls:: ok::YES diff --git a/testing/tests/crl-ldap/hosts/carol/etc/init.d/iptables b/testing/tests/crl-ldap/hosts/carol/etc/init.d/iptables new file mode 100755 index 000000000..571459bae --- /dev/null +++ b/testing/tests/crl-ldap/hosts/carol/etc/init.d/iptables @@ -0,0 +1,73 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +opts="start stop reload" + +depend() { + before net + need logger +} + +start() { + ebegin "Starting firewall" + + # default policy is DROP + /sbin/iptables -P INPUT DROP + /sbin/iptables -P OUTPUT DROP + /sbin/iptables -P FORWARD DROP + + # allow esp + iptables -A INPUT -i eth0 -p 50 -j ACCEPT + iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT + + # allow IKE + iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT + iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + + # allow ldap crl fetch from winnetou + iptables -A INPUT -i eth0 -p tcp --sport 389 -s PH_IP_WINNETOU -j ACCEPT + iptables -A OUTPUT -o eth0 -p tcp --dport 389 -d PH_IP_WINNETOU -j ACCEPT + + # allow ssh + iptables -A INPUT -p tcp --dport 22 -j ACCEPT + iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT + + eend $? +} + +stop() { + ebegin "Stopping firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + + if [ $a == nat ]; then + /sbin/iptables -t nat -P PREROUTING ACCEPT + /sbin/iptables -t nat -P POSTROUTING ACCEPT + /sbin/iptables -t nat -P OUTPUT ACCEPT + elif [ $a == mangle ]; then + /sbin/iptables -t mangle -P PREROUTING ACCEPT + /sbin/iptables -t mangle -P INPUT ACCEPT + /sbin/iptables -t mangle -P FORWARD ACCEPT + /sbin/iptables -t mangle -P OUTPUT ACCEPT + /sbin/iptables -t mangle -P POSTROUTING ACCEPT + elif [ $a == filter ]; then + /sbin/iptables -t filter -P INPUT ACCEPT + /sbin/iptables -t filter -P FORWARD ACCEPT + /sbin/iptables -t filter -P OUTPUT ACCEPT + fi + done + eend $? +} + +reload() { + ebegin "Flushing firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + done; + eend $? + start +} + diff --git a/testing/tests/crl-ldap/hosts/carol/etc/ipsec.conf b/testing/tests/crl-ldap/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..669a47d06 --- /dev/null +++ b/testing/tests/crl-ldap/hosts/carol/etc/ipsec.conf @@ -0,0 +1,31 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=yes + cachecrls=yes + +ca strongswan + cacert=strongswanCert.pem + crluri="ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=Linux strongSwan, c=CH?certificateRevocationList" + auto=add + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=2 + +conn home + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/crl-ldap/hosts/carol/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl b/testing/tests/crl-ldap/hosts/carol/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl Binary files differnew file mode 100644 index 000000000..75e8b0959 --- /dev/null +++ b/testing/tests/crl-ldap/hosts/carol/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl diff --git a/testing/tests/crl-ldap/hosts/moon/etc/init.d/iptables b/testing/tests/crl-ldap/hosts/moon/etc/init.d/iptables new file mode 100755 index 000000000..8de514a2e --- /dev/null +++ b/testing/tests/crl-ldap/hosts/moon/etc/init.d/iptables @@ -0,0 +1,76 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +opts="start stop reload" + +depend() { + before net + need logger +} + +start() { + ebegin "Starting firewall" + + # enable IP forwarding + echo 1 > /proc/sys/net/ipv4/ip_forward + + # default policy is DROP + /sbin/iptables -P INPUT DROP + /sbin/iptables -P OUTPUT DROP + /sbin/iptables -P FORWARD DROP + + # allow esp + iptables -A INPUT -i eth0 -p 50 -j ACCEPT + iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT + + # allow IKE + iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT + iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + + # allow ldap crl fetch from winnetou + iptables -A INPUT -i eth0 -p tcp --sport 389 -s PH_IP_WINNETOU -j ACCEPT + iptables -A OUTPUT -o eth0 -p tcp --dport 389 -d PH_IP_WINNETOU -j ACCEPT + + # allow ssh + iptables -A INPUT -p tcp --dport 22 -j ACCEPT + iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT + + eend $? +} + +stop() { + ebegin "Stopping firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + + if [ $a == nat ]; then + /sbin/iptables -t nat -P PREROUTING ACCEPT + /sbin/iptables -t nat -P POSTROUTING ACCEPT + /sbin/iptables -t nat -P OUTPUT ACCEPT + elif [ $a == mangle ]; then + /sbin/iptables -t mangle -P PREROUTING ACCEPT + /sbin/iptables -t mangle -P INPUT ACCEPT + /sbin/iptables -t mangle -P FORWARD ACCEPT + /sbin/iptables -t mangle -P OUTPUT ACCEPT + /sbin/iptables -t mangle -P POSTROUTING ACCEPT + elif [ $a == filter ]; then + /sbin/iptables -t filter -P INPUT ACCEPT + /sbin/iptables -t filter -P FORWARD ACCEPT + /sbin/iptables -t filter -P OUTPUT ACCEPT + fi + done + eend $? +} + +reload() { + ebegin "Flushing firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + done; + eend $? + start +} + diff --git a/testing/tests/crl-ldap/hosts/moon/etc/ipsec.conf b/testing/tests/crl-ldap/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..d5c0dd163 --- /dev/null +++ b/testing/tests/crl-ldap/hosts/moon/etc/ipsec.conf @@ -0,0 +1,42 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=yes + cachecrls=yes + +ca strongswan + cacert=strongswanCert.pem + crluri="ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=Linux strongSwan, c=CH?certificateRevocationList" + auto=add + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=2 + left=PH_IP_MOON + leftnexthop=%direct + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftfirewall=yes + +conn net-net + leftsubnet=10.1.0.0/16 + right=PH_IP_SUN + rightsubnet=10.2.0.0/16 + rightid=@sun.strongswan.org + auto=add + +conn host-host + right=PH_IP_SUN + rightid=@sun.strongswan.org + auto=add + +conn rw + leftsubnet=10.1.0.0/16 + right=%any + auto=add diff --git a/testing/tests/crl-ldap/hosts/moon/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl b/testing/tests/crl-ldap/hosts/moon/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl Binary files differnew file mode 100644 index 000000000..75e8b0959 --- /dev/null +++ b/testing/tests/crl-ldap/hosts/moon/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl diff --git a/testing/tests/crl-ldap/posttest.dat b/testing/tests/crl-ldap/posttest.dat new file mode 100644 index 000000000..04f762331 --- /dev/null +++ b/testing/tests/crl-ldap/posttest.dat @@ -0,0 +1,9 @@ +moon::iptables -v -n -L +carol::iptables -v -n -L +moon::ipsec stop +carol::ipsec stop +winnetou::/etc/init.d/slapd stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +moon::rm /etc/ipsec.d/crls/* +carol::rm /etc/ipsec.d/crls/* diff --git a/testing/tests/crl-ldap/pretest.dat b/testing/tests/crl-ldap/pretest.dat new file mode 100644 index 000000000..64fae2a16 --- /dev/null +++ b/testing/tests/crl-ldap/pretest.dat @@ -0,0 +1,7 @@ +winnetou::/etc/init.d/slapd start +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +carol::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/crl-ldap/test.conf b/testing/tests/crl-ldap/test.conf new file mode 100644 index 000000000..2b240d895 --- /dev/null +++ b/testing/tests/crl-ldap/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/crl-revoked/description.txt b/testing/tests/crl-revoked/description.txt new file mode 100644 index 000000000..780068ce6 --- /dev/null +++ b/testing/tests/crl-revoked/description.txt @@ -0,0 +1,7 @@ +By setting <b>strictcrlpolicy=yes</b> a <b>strict CRL policy</b> is enforced on +both roadwarrior <b>carol</b> and gateway <b>moon</b>. Thus when <b>carol</b> initiates +the connection and no current CRL is available, the Main Mode negotiation fails +and a http fetch to get the CRL from the web server <b>winnetou</b> is triggered. +When the second Main Mode trial comes around the fetched CRL will be available +but because the certificate presented by carol has been revoked, +the IKE negotatiation will fail. diff --git a/testing/tests/crl-revoked/evaltest.dat b/testing/tests/crl-revoked/evaltest.dat new file mode 100644 index 000000000..0fd1cae8c --- /dev/null +++ b/testing/tests/crl-revoked/evaltest.dat @@ -0,0 +1,6 @@ +moon::cat /var/log/auth.log::X.509 certificate rejected::YES +moon::cat /var/log/auth.log::certificate was revoked::YES +carol::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES +moon::ipsec listcrls:: ok::YES +moon::ipsec status::rw.*STATE_MAIN_R3.*ISAKMP SA established::NO +carol::ipsec status::home.*STATE_MAIN_I4.*ISAKMP SA established::NO diff --git a/testing/tests/crl-revoked/hosts/carol/etc/ipsec.conf b/testing/tests/crl-revoked/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..5a1d246a6 --- /dev/null +++ b/testing/tests/crl-revoked/hosts/carol/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=yes + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolRevokedCert.pem + leftid=carol@strongswan.org + +conn home + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/crl-revoked/hosts/carol/etc/ipsec.d/certs/carolRevokedCert.pem b/testing/tests/crl-revoked/hosts/carol/etc/ipsec.d/certs/carolRevokedCert.pem new file mode 100644 index 000000000..5b742fc9e --- /dev/null +++ b/testing/tests/crl-revoked/hosts/carol/etc/ipsec.d/certs/carolRevokedCert.pem @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEIjCCAwqgAwIBAgIBBzANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA0MDkxMDExMjU0OFoXDTA5MDkwOTExMjU0OFowWjELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh +cmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBAM5413q1B2EF3spcYD1u0ce9AtIHdxmU3+1E0hqV +mLqpIQtyp4SLbrRunxpoVUuEpHWXgLb3C/ljjlKCMWWmhw4wja1rBTjMNJLPj6Bo +5Qn4Oeuqm7/kLHPGbveQGtcSsJCk6iLqFTbq0wsji5Ogq7kmjWgQv0nM2jpofHLv +VOAtWVSj+x2b3OHdl/WpgTgTw1HHjYo7/NOkARdTcZ2/wxxM3z1Abp9iylc45GLN +IL/OzHkT8b5pdokdMvVijz8IslkkewJYXrVQaCNMZg/ydlXOOAEKz0YqnvXQaYs5 +K+s8XvQ2RFCr5oO0fRT2VbiI9TgHnbcnfUi25iHl6txsXg0CAwEAAaOCAQYwggEC +MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBTbA2TH3ca8tgCGkYy9 +OV/MqUTHAzBtBgNVHSMEZjBkgBRdp91wBlEyfue2bbO15eBg6i5N76FJpEcwRTEL +MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT +EnN0cm9uZ1N3YW4gUm9vdCBDQYIBADAfBgNVHREEGDAWgRRjYXJvbEBzdHJvbmdz +d2FuLm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4u +b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBBAUAA4IBAQC9acuCUPEBOrWB +56vS8N9bksQwv/XcYIFYqV73kFBAzOPLX2a9igFGvBPdCxFu/t8JCswzE6to4LFM +2+6Z2QJf442CLPcJKxITahrjJXSxGbzMlmaDvZ5wFCJAlyin+yuInpTwl8rMZe/Q +O5JeJjzGDgWJtnGdkLUk/l2r6sZ/Cmk5rZpuO0hcUHVztMLQYPzqTpuMvC5p4JzL +LWGWhKRhJs53NmxXXodck/ZgaqiTWuQFYlbamJRvzVBfX7c1SWHRJvxSSOPKGIg3 +wphkO2naj/SQD+BNuWTRmZ9YCiLOQ64ybLpJzRZISETdqtLBPKsIqosUZwkxlR1N +9IcgYi5x +-----END CERTIFICATE----- diff --git a/testing/tests/crl-revoked/hosts/carol/etc/ipsec.d/private/carolRevokedKey.pem b/testing/tests/crl-revoked/hosts/carol/etc/ipsec.d/private/carolRevokedKey.pem new file mode 100644 index 000000000..8aefcc5a6 --- /dev/null +++ b/testing/tests/crl-revoked/hosts/carol/etc/ipsec.d/private/carolRevokedKey.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAznjXerUHYQXeylxgPW7Rx70C0gd3GZTf7UTSGpWYuqkhC3Kn +hItutG6fGmhVS4SkdZeAtvcL+WOOUoIxZaaHDjCNrWsFOMw0ks+PoGjlCfg566qb +v+Qsc8Zu95Aa1xKwkKTqIuoVNurTCyOLk6CruSaNaBC/SczaOmh8cu9U4C1ZVKP7 +HZvc4d2X9amBOBPDUceNijv806QBF1Nxnb/DHEzfPUBun2LKVzjkYs0gv87MeRPx +vml2iR0y9WKPPwiyWSR7AlhetVBoI0xmD/J2Vc44AQrPRiqe9dBpizkr6zxe9DZE +UKvmg7R9FPZVuIj1OAedtyd9SLbmIeXq3GxeDQIDAQABAoIBAAUdyXko8z3cP2EU +WO4syNYCQQejV7gykDn48pvmCRrXBhKajLwkGGIwO5ET9MkiSFEBqBbgmFNdvDEf +OMokDkSzv08Ez+RQax0YN57p+oL8u7KzT5i5tsBHsog/8epSdD2hWIv08QGjYAdu +og7OdHLqGabyg0r44I+B91OBysCjU51rDdkhz59AmURdEIJV5xhuGojFM68jaNm2 +MUxDfDuCsRIydjAP0VTUTAUxD4/S5I+jt/GK9aRsEeRH9Q3011iTGMR9viAUBhq/ +khkWNltg9lkOqO7LpnNku4sSv3v4CWge7/T+4RR2vZgv1oSs4ox2UKYoqIqiYIfx +uUcnqQECgYEA+LPiRMoXvlssQWlaFc2k4xga0efs+mWeLglDdc3R3fBEibP/AU07 +a576AgvUJtkI50/WNGKT73O+VtxcXn/N646m/8OtqNXuVKKjsxxNOZEKdO8aOdbt +7lM5WepNiQeaKAFudUxpUiZQx8LCKSsNDiJZKWBu6xAG2O5X32VMZvUCgYEA1Ie+ +rNa490PSC1ym7WbmdAjvGmSOn2GOBfO7BECsPZstccU7D5pZl/89fTfn1TDKP49Y +ScVOuFz7f/u6UJpb/WzI71RXEQOdojLWmF2HDx5osRi3hXEJa20fbPq6DQXCJ8pf +IF37AEqAY4UNSNic0Cw+rGHdWPQhDNXhFWpdu7kCgYEAmv4oNmyoDXbuhrlsbggi +CXE9TbG3a3mm8dPOGf2yHBmf7R2i/6GtNW33Kw1KIwfBV77WpQEGZwWACsv8ONx3 +baUSiHTfpkfk5xQQ5w/tRMISfTuB4agD0jJFnLa7qXl2ZhY2S53aSVsdntDOhi+R +TEy1umah2Za8Xbd0RgHwcn0CgYEAl9Hgg9dfikMIaNVm6W/4cCtxoojy2Sf3LIlP +r1oDsH6JmBwsdJjuJ4ZNhoXJNqID2COuDgTEly7U+jf4gFvEGuT7JPw6tgy/Ln7i +jTVCpaozX08oykpVUEhDirYQ8fyLFaGbEqQQCcUusej59G/IlW0F2F6QoFrEwUaH +46R4EQECgYBEZ7edMkj3dmJH1wxQjp5GJNbrJkS8IKvzza0mDTJdz33CgEX9Oyva +o2iEkDVpvj2SEy28ewt22IRptWKH/3bQfxSCcRV6JFNt3+LongMshRYqq1leqrKa +9fnQVtfTIbIVXwjTZap6BL8R66OeFtexsSFRfDF/8P4n2oF4zmn4qA== +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/crl-revoked/hosts/carol/etc/ipsec.secrets b/testing/tests/crl-revoked/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..8e31be4cb --- /dev/null +++ b/testing/tests/crl-revoked/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA carolRevokedKey.pem diff --git a/testing/tests/crl-revoked/hosts/moon/etc/ipsec.conf b/testing/tests/crl-revoked/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..a8953f557 --- /dev/null +++ b/testing/tests/crl-revoked/hosts/moon/etc/ipsec.conf @@ -0,0 +1,35 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=yes + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_MOON + leftnexthop=%direct + leftcert=moonCert.pem + leftid=@moon.strongswan.org + +conn net-net + leftsubnet=10.1.0.0/16 + right=PH_IP_SUN + rightsubnet=10.2.0.0/16 + rightid=@sun.strongswan.org + auto=add + +conn host-host + right=PH_IP_SUN + rightid=@sun.strongswan.org + auto=add + +conn rw + leftsubnet=10.1.0.0/16 + right=%any + auto=add diff --git a/testing/tests/crl-revoked/posttest.dat b/testing/tests/crl-revoked/posttest.dat new file mode 100644 index 000000000..d742e8410 --- /dev/null +++ b/testing/tests/crl-revoked/posttest.dat @@ -0,0 +1,4 @@ +moon::ipsec stop +carol::ipsec stop +carol::rm /etc/ipsec.d/private/* +carol::rm /etc/ipsec.d/certs/* diff --git a/testing/tests/crl-revoked/pretest.dat b/testing/tests/crl-revoked/pretest.dat new file mode 100644 index 000000000..d92333d86 --- /dev/null +++ b/testing/tests/crl-revoked/pretest.dat @@ -0,0 +1,4 @@ +moon::ipsec start +carol::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/crl-revoked/test.conf b/testing/tests/crl-revoked/test.conf new file mode 100644 index 000000000..2b240d895 --- /dev/null +++ b/testing/tests/crl-revoked/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/crl-strict/description.txt b/testing/tests/crl-strict/description.txt new file mode 100644 index 000000000..97011482e --- /dev/null +++ b/testing/tests/crl-strict/description.txt @@ -0,0 +1,6 @@ +By setting <b>strictcrlpolicy=yes</b> a <b>strict CRL policy</b> is enforced on +both roadwarrior <b>carol</b> and gateway <b>moon</b>. Thus when <b>carol</b> initiates +the connection and no current CRL is available, the Main Mode negotiation fails +but a http fetch to get the CRL from the web server <b>winnetou</b> is triggered. +When the second Main Mode trial comes around, the fetched CRL will be available +and the IKE negotiation completes. diff --git a/testing/tests/crl-strict/evaltest.dat b/testing/tests/crl-strict/evaltest.dat new file mode 100644 index 000000000..1d7adb05e --- /dev/null +++ b/testing/tests/crl-strict/evaltest.dat @@ -0,0 +1,8 @@ +moon::cat /var/log/auth.log::X.509 certificate rejected::YES +carol::cat /var/log/auth.log::X.509 certificate rejected::YES +moon::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES +carol::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec listcrls:: ok::YES +carol::ipsec listcrls:: ok::YES diff --git a/testing/tests/crl-strict/hosts/carol/etc/ipsec.conf b/testing/tests/crl-strict/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..6d0aee86a --- /dev/null +++ b/testing/tests/crl-strict/hosts/carol/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=yes + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolCert.pem + leftid=carol@strongswan.org + +conn home + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/crl-strict/hosts/moon/etc/ipsec.conf b/testing/tests/crl-strict/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..a8953f557 --- /dev/null +++ b/testing/tests/crl-strict/hosts/moon/etc/ipsec.conf @@ -0,0 +1,35 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=yes + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_MOON + leftnexthop=%direct + leftcert=moonCert.pem + leftid=@moon.strongswan.org + +conn net-net + leftsubnet=10.1.0.0/16 + right=PH_IP_SUN + rightsubnet=10.2.0.0/16 + rightid=@sun.strongswan.org + auto=add + +conn host-host + right=PH_IP_SUN + rightid=@sun.strongswan.org + auto=add + +conn rw + leftsubnet=10.1.0.0/16 + right=%any + auto=add diff --git a/testing/tests/crl-strict/posttest.dat b/testing/tests/crl-strict/posttest.dat new file mode 100644 index 000000000..c6d6235f9 --- /dev/null +++ b/testing/tests/crl-strict/posttest.dat @@ -0,0 +1,2 @@ +moon::ipsec stop +carol::ipsec stop diff --git a/testing/tests/crl-strict/pretest.dat b/testing/tests/crl-strict/pretest.dat new file mode 100644 index 000000000..d92333d86 --- /dev/null +++ b/testing/tests/crl-strict/pretest.dat @@ -0,0 +1,4 @@ +moon::ipsec start +carol::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/crl-strict/test.conf b/testing/tests/crl-strict/test.conf new file mode 100644 index 000000000..2b240d895 --- /dev/null +++ b/testing/tests/crl-strict/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/crl-to-cache/description.txt b/testing/tests/crl-to-cache/description.txt new file mode 100644 index 000000000..9f542e73d --- /dev/null +++ b/testing/tests/crl-to-cache/description.txt @@ -0,0 +1,6 @@ +By setting <b>cachecrls=yes</b> in ipsec.conf, a copy of the CRL fetched +via http from the web server <b>winnetou</b> is saved locally in the +directory <b>/etc/ipsec.d/crls</b> on both the roadwarrior <b>carol</b> +and the gateway <b>moon</b> when the IPsec connection is set up. The +<b>subjectKeyIdentifier</b> of the issuing CA plus the suffix <b>.crl</b> +is used as a unique filename for the cached CRL. diff --git a/testing/tests/crl-to-cache/evaltest.dat b/testing/tests/crl-to-cache/evaltest.dat new file mode 100644 index 000000000..be7737185 --- /dev/null +++ b/testing/tests/crl-to-cache/evaltest.dat @@ -0,0 +1,4 @@ +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::cat /var/log/auth.log::written crl file.*/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl::YES +carol::cat /var/log/auth.log::written crl file.*/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl::YES diff --git a/testing/tests/crl-to-cache/hosts/carol/etc/ipsec.conf b/testing/tests/crl-to-cache/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..955f08b1f --- /dev/null +++ b/testing/tests/crl-to-cache/hosts/carol/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + cachecrls=yes + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolCert.pem + leftid=carol@strongswan.org + +conn home + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/crl-to-cache/hosts/moon/etc/ipsec.conf b/testing/tests/crl-to-cache/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..885354ab5 --- /dev/null +++ b/testing/tests/crl-to-cache/hosts/moon/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + cachecrls=yes + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_MOON + leftnexthop=%direct + leftcert=moonCert.pem + leftid=@moon.strongswan.org + +conn rw + leftsubnet=10.1.0.0/16 + right=%any + auto=add diff --git a/testing/tests/crl-to-cache/posttest.dat b/testing/tests/crl-to-cache/posttest.dat new file mode 100644 index 000000000..be17847c1 --- /dev/null +++ b/testing/tests/crl-to-cache/posttest.dat @@ -0,0 +1,4 @@ +moon::ipsec stop +carol::ipsec stop +moon::rm /etc/ipsec.d/crls/* +carol::rm /etc/ipsec.d/crls/* diff --git a/testing/tests/crl-to-cache/pretest.dat b/testing/tests/crl-to-cache/pretest.dat new file mode 100644 index 000000000..d92333d86 --- /dev/null +++ b/testing/tests/crl-to-cache/pretest.dat @@ -0,0 +1,4 @@ +moon::ipsec start +carol::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/crl-to-cache/test.conf b/testing/tests/crl-to-cache/test.conf new file mode 100644 index 000000000..2b240d895 --- /dev/null +++ b/testing/tests/crl-to-cache/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/default-keys/description.txt b/testing/tests/default-keys/description.txt new file mode 100644 index 000000000..639e909da --- /dev/null +++ b/testing/tests/default-keys/description.txt @@ -0,0 +1,8 @@ +Because of the missing <b>/etc/ipsec.secrets</b> file, roadwarrior <b>carol</b> +and gateway <b>moon</b> each automatically generate a PKCS#1 RSA private key +and a self-signed X.509 certificate. Because the UML testing environment does +not offer enough entropy, the non-blocking /dev/urandom device is used in place +of /dev/random for generating the random primes. +<p> +The self-signed certificates are then distributed to the peers via scp +and are used to set up a road warrior connection initiated by <b>carol</b> diff --git a/testing/tests/default-keys/evaltest.dat b/testing/tests/default-keys/evaltest.dat new file mode 100644 index 000000000..f190d7066 --- /dev/null +++ b/testing/tests/default-keys/evaltest.dat @@ -0,0 +1,7 @@ +carol::cat /var/log/auth.log::we have a cert but are not sending it::YES +moon::cat /var/log/auth.log::we have a cert but are not sending it::YES +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::carol.*STATE_QUICK_R2.*IPsec SA established::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/default-keys/hosts/carol/etc/ipsec.conf b/testing/tests/default-keys/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..c4bb10a65 --- /dev/null +++ b/testing/tests/default-keys/hosts/carol/etc/ipsec.conf @@ -0,0 +1,26 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=0 + strictcrlpolicy=no + nocrsend=yes + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn home + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=selfCert.der + leftsendcert=never + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightcert=peerCert.der + auto=add diff --git a/testing/tests/default-keys/hosts/moon/etc/init.d/iptables b/testing/tests/default-keys/hosts/moon/etc/init.d/iptables new file mode 100755 index 000000000..13ad3063f --- /dev/null +++ b/testing/tests/default-keys/hosts/moon/etc/init.d/iptables @@ -0,0 +1,78 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +opts="start stop reload" + +depend() { + before net + need logger +} + +start() { + ebegin "Starting firewall" + + # enable IP forwarding + echo 1 > /proc/sys/net/ipv4/ip_forward + + # default policy is DROP + /sbin/iptables -P INPUT DROP + /sbin/iptables -P OUTPUT DROP + /sbin/iptables -P FORWARD DROP + + # allow esp + iptables -A INPUT -i eth0 -p 50 -j ACCEPT + iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT + + # allow IKE + iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT + iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + + # allow crl fetch from winnetou + iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT + iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + + # allow ssh + iptables -A INPUT -p tcp --dport 22 -j ACCEPT + iptables -A INPUT -p tcp --sport 22 -j ACCEPT + iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT + iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT + + eend $? +} + +stop() { + ebegin "Stopping firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + + if [ $a == nat ]; then + /sbin/iptables -t nat -P PREROUTING ACCEPT + /sbin/iptables -t nat -P POSTROUTING ACCEPT + /sbin/iptables -t nat -P OUTPUT ACCEPT + elif [ $a == mangle ]; then + /sbin/iptables -t mangle -P PREROUTING ACCEPT + /sbin/iptables -t mangle -P INPUT ACCEPT + /sbin/iptables -t mangle -P FORWARD ACCEPT + /sbin/iptables -t mangle -P OUTPUT ACCEPT + /sbin/iptables -t mangle -P POSTROUTING ACCEPT + elif [ $a == filter ]; then + /sbin/iptables -t filter -P INPUT ACCEPT + /sbin/iptables -t filter -P FORWARD ACCEPT + /sbin/iptables -t filter -P OUTPUT ACCEPT + fi + done + eend $? +} + +reload() { + ebegin "Flushing firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + done; + eend $? + start +} + diff --git a/testing/tests/default-keys/hosts/moon/etc/ipsec.conf b/testing/tests/default-keys/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..eeeec645b --- /dev/null +++ b/testing/tests/default-keys/hosts/moon/etc/ipsec.conf @@ -0,0 +1,27 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=0 + strictcrlpolicy=no + nocrsend=yes + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn carol + left=192.168.0.1 + leftnexthop=%direct + leftcert=selfCert.der + leftsendcert=never + leftfirewall=yes + leftsubnet=10.1.0.0/16 + right=%any + rightcert=peerCert.der + auto=add + diff --git a/testing/tests/default-keys/posttest.dat b/testing/tests/default-keys/posttest.dat new file mode 100644 index 000000000..52b48b9ef --- /dev/null +++ b/testing/tests/default-keys/posttest.dat @@ -0,0 +1,10 @@ +moon::iptables -v -n -L +carol::iptables -v -n -L +moon::ipsec stop +carol::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +carol::rm /etc/ipsec.d/private/* +carol::rm /etc/ipsec.d/certs/* +moon::rm /etc/ipsec.d/private/* +moon::rm /etc/ipsec.d/certs/* diff --git a/testing/tests/default-keys/pretest.dat b/testing/tests/default-keys/pretest.dat new file mode 100644 index 000000000..54f70cbe9 --- /dev/null +++ b/testing/tests/default-keys/pretest.dat @@ -0,0 +1,18 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +carol::rm /etc/ipsec.secrets +carol::rm /etc/ipsec.d/private/* +carol::rm /etc/ipsec.d/certs/* +carol::rm /etc/ipsec.d/cacerts/* +carol::ipsec start +moon::rm /etc/ipsec.secrets +moon::rm /etc/ipsec.d/private/* +moon::rm /etc/ipsec.d/certs/* +moon::rm /etc/ipsec.d/cacerts/* +moon::ipsec start +moon::sleep 4 +moon::scp /etc/ipsec.d/certs/selfCert.der carol:/etc/ipsec.d/certs/peerCert.der +moon::scp carol:/etc/ipsec.d/certs/selfCert.der /etc/ipsec.d/certs/peerCert.der +moon::ipsec reload +carol::ipsec reload +carol::ipsec up home diff --git a/testing/tests/default-keys/test.conf b/testing/tests/default-keys/test.conf new file mode 100644 index 000000000..0baa48d90 --- /dev/null +++ b/testing/tests/default-keys/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol" + +# Corresponding block diagram +# +DIAGRAM="a-m-c.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/double-nat-net/description.txt b/testing/tests/double-nat-net/description.txt new file mode 100644 index 000000000..ff09155f6 --- /dev/null +++ b/testing/tests/double-nat-net/description.txt @@ -0,0 +1,7 @@ +The roadwarrior <b>alice</b> sitting behind the NAT router <b>moon</b> sets up a +tunnel to the subnet hiding behind the NAT router <b>sun</b>. All IKE and ESP traffic +directed to the router <b>sun</b> is forwarded to the VPN gateway <b>bob</b> +using destination NAT. UDP encapsulation is used to traverse the NAT routers. +<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that +let pass the tunneled traffic. In order to test the double NAT-ed IPsec +tunnel <b>alice</b> pings the inner IP address of the router <b>sun</b>. diff --git a/testing/tests/double-nat-net/evaltest.dat b/testing/tests/double-nat-net/evaltest.dat new file mode 100644 index 000000000..41eba6501 --- /dev/null +++ b/testing/tests/double-nat-net/evaltest.dat @@ -0,0 +1,5 @@ +alice::ipsec status::nat-t.*STATE_QUICK_I2.*IPsec SA established::YES +bob::ipsec status::nat-t.*STATE_QUICK_R2.*IPsec SA established::YES +alice::ping -c 1 PH_IP1_SUN::64 bytes from PH_IP1_SUN: icmp_seq=1::YES +moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP::YES +moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP::YES diff --git a/testing/tests/double-nat-net/hosts/alice/etc/ipsec.conf b/testing/tests/double-nat-net/hosts/alice/etc/ipsec.conf new file mode 100755 index 000000000..395e62e7c --- /dev/null +++ b/testing/tests/double-nat-net/hosts/alice/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + nat_traversal=yes + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn nat-t + left=%defaultroute + leftcert=aliceCert.pem + leftid=alice@strongswan.org + leftfirewall=yes + right=PH_IP_SUN + rightid=bob@strongswan.org + rightsubnet=10.2.0.0/16 + auto=add diff --git a/testing/tests/double-nat-net/hosts/bob/etc/ipsec.conf b/testing/tests/double-nat-net/hosts/bob/etc/ipsec.conf new file mode 100755 index 000000000..6927a5ce4 --- /dev/null +++ b/testing/tests/double-nat-net/hosts/bob/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + nat_traversal=yes + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn nat-t + left=%defaultroute + leftsubnet=10.2.0.0/16 + leftcert=bobCert.pem + leftid=bob@strongswan.org + leftfirewall=yes + right=%any + rightsubnetwithin=10.1.0.0/16 + auto=add diff --git a/testing/tests/double-nat-net/posttest.dat b/testing/tests/double-nat-net/posttest.dat new file mode 100644 index 000000000..0eb2c0d6c --- /dev/null +++ b/testing/tests/double-nat-net/posttest.dat @@ -0,0 +1,9 @@ +alice::iptables -v -n -L +bob::iptables -v -n -L +bob::ipsec stop +alice::ipsec stop +alice::/etc/init.d/iptables stop 2> /dev/null +bob::/etc/init.d/iptables stop 2> /dev/null +moon::iptables -t nat -F +sun::iptables -t nat -F +sun::ip route del 10.1.0.0/16 via PH_IP_BOB diff --git a/testing/tests/double-nat-net/pretest.dat b/testing/tests/double-nat-net/pretest.dat new file mode 100644 index 000000000..84bc15092 --- /dev/null +++ b/testing/tests/double-nat-net/pretest.dat @@ -0,0 +1,15 @@ +alice::/etc/init.d/iptables start 2> /dev/null +bob::/etc/init.d/iptables start 2> /dev/null +bob::echo 1 > /proc/sys/net/ipv4/ip_forward +moon::echo 1 > /proc/sys/net/ipv4/ip_forward +sun::echo 1 > /proc/sys/net/ipv4/ip_forward +moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100 +moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100 +sun::iptables -t nat -A POSTROUTING -o eth0 -s 10.2.0.0/16 -p tcp -j SNAT --to-source PH_IP_SUN:2000-2100 +sun::iptables -t nat -A PREROUTING -i eth0 -s PH_IP_MOON -p udp -j DNAT --to-destination PH_IP_BOB +sun::ip route add 10.1.0.0/16 via PH_IP_BOB +alice::ipsec start +bob::ipsec start +alice::sleep 2 +alice::ipsec up nat-t + diff --git a/testing/tests/double-nat-net/test.conf b/testing/tests/double-nat-net/test.conf new file mode 100644 index 000000000..1ca2ffe5a --- /dev/null +++ b/testing/tests/double-nat-net/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="alice bob" diff --git a/testing/tests/double-nat/description.txt b/testing/tests/double-nat/description.txt new file mode 100644 index 000000000..ce7de0e56 --- /dev/null +++ b/testing/tests/double-nat/description.txt @@ -0,0 +1,5 @@ +The roadwarrior <b>alice</b> sitting behind the NAT router <b>moon</b> sets up a tunnel to +the peer <b>bob</b> hiding behind the NAT router <b>sun</b>. UDP encapsulation is used to +traverse the NAT routers. <b>leftfirewall=yes</b> automatically inserts iptables-based +firewall rules that let pass the tunneled traffic. In order to test the double NAT-ed IPsec +tunnel <b>alice</b> pings <b>bob</b>. diff --git a/testing/tests/double-nat/evaltest.dat b/testing/tests/double-nat/evaltest.dat new file mode 100644 index 000000000..05e751422 --- /dev/null +++ b/testing/tests/double-nat/evaltest.dat @@ -0,0 +1,5 @@ +alice::ipsec status::nat-t.*STATE_QUICK_I2.*IPsec SA established::YES +bob::ipsec status::nat-t.*STATE_QUICK_R2.*IPsec SA established::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES +moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP::YES +moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP::YES diff --git a/testing/tests/double-nat/hosts/alice/etc/ipsec.conf b/testing/tests/double-nat/hosts/alice/etc/ipsec.conf new file mode 100755 index 000000000..5b3cddb63 --- /dev/null +++ b/testing/tests/double-nat/hosts/alice/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + nat_traversal=yes + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn nat-t + left=%defaultroute + leftcert=aliceCert.pem + leftid=alice@strongswan.org + leftfirewall=yes + right=PH_IP_SUN + rightid=bob@strongswan.org + rightsubnet=PH_IP_BOB/32 + auto=add diff --git a/testing/tests/double-nat/posttest.dat b/testing/tests/double-nat/posttest.dat new file mode 100644 index 000000000..07f22d07d --- /dev/null +++ b/testing/tests/double-nat/posttest.dat @@ -0,0 +1,8 @@ +alice::iptables -v -n -L +bob::iptables -v -n -L +bob::ipsec stop +alice::ipsec stop +alice::/etc/init.d/iptables stop 2> /dev/null +bob::/etc/init.d/iptables stop 2> /dev/null +moon::iptables -t nat -F +sun::iptables -t nat -F diff --git a/testing/tests/double-nat/pretest.dat b/testing/tests/double-nat/pretest.dat new file mode 100644 index 000000000..cf495b778 --- /dev/null +++ b/testing/tests/double-nat/pretest.dat @@ -0,0 +1,13 @@ +alice::/etc/init.d/iptables start 2> /dev/null +bob::/etc/init.d/iptables start 2> /dev/null +moon::echo 1 > /proc/sys/net/ipv4/ip_forward +sun::echo 1 > /proc/sys/net/ipv4/ip_forward +moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100 +moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100 +sun::iptables -t nat -A POSTROUTING -o eth0 -s 10.2.0.0/16 -p tcp -j SNAT --to-source PH_IP_SUN:2000-2100 +sun::iptables -t nat -A PREROUTING -i eth0 -s PH_IP_MOON -p udp -j DNAT --to-destination PH_IP_BOB +alice::ipsec start +bob::ipsec start +alice::sleep 2 +alice::ipsec up nat-t + diff --git a/testing/tests/double-nat/test.conf b/testing/tests/double-nat/test.conf new file mode 100644 index 000000000..1ca2ffe5a --- /dev/null +++ b/testing/tests/double-nat/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="alice bob" diff --git a/testing/tests/dpd-clear/description.txt b/testing/tests/dpd-clear/description.txt new file mode 100644 index 000000000..f76b2d741 --- /dev/null +++ b/testing/tests/dpd-clear/description.txt @@ -0,0 +1,5 @@ +The roadwarrior <b>carol</b> sets up an IPsec tunnel connection to the gateway <b>moon</b> +which in turn activates <b>Dead Peer Detection</b> (DPD) with a polling interval of 10 s. +When the network connectivity between <b>carol</b> and <b>moon</b> is forcefully disrupted, +<b>moon</b> clears the connection after the configured timeout of 30 s. + diff --git a/testing/tests/dpd-clear/evaltest.dat b/testing/tests/dpd-clear/evaltest.dat new file mode 100644 index 000000000..98d5b146b --- /dev/null +++ b/testing/tests/dpd-clear/evaltest.dat @@ -0,0 +1,7 @@ +carol::ipsec status::STATE_MAIN_I4 (ISAKMP SA established)::YES +carol::iptables -A INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO +moon::sleep 50::no output expected::NO +moon::cat /var/log/auth.log::inserting event EVENT_DPD::YES +moon::cat /var/log/auth.log::DPD: No response from peer - declaring peer dead::YES +moon::cat /var/log/auth.log::DPD: Terminating all SAs using this connection::YES +moon::cat /var/log/auth.log::DPD: Clearing connection::YES diff --git a/testing/tests/dpd-clear/hosts/moon/etc/ipsec.conf b/testing/tests/dpd-clear/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..cac521c8f --- /dev/null +++ b/testing/tests/dpd-clear/hosts/moon/etc/ipsec.conf @@ -0,0 +1,30 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + leftnexthop=%direct + dpdaction=clear + dpddelay=10 + dpdtimeout=30 + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + right=%any + rightid=carol@strongswan.org + auto=add + + + diff --git a/testing/tests/dpd-clear/posttest.dat b/testing/tests/dpd-clear/posttest.dat new file mode 100644 index 000000000..931db4272 --- /dev/null +++ b/testing/tests/dpd-clear/posttest.dat @@ -0,0 +1,3 @@ +carol::iptables -D INPUT -i eth0 -s PH_IP_MOON -j DROP +moon::ipsec stop +carol::ipsec stop diff --git a/testing/tests/dpd-clear/pretest.dat b/testing/tests/dpd-clear/pretest.dat new file mode 100644 index 000000000..14ed95322 --- /dev/null +++ b/testing/tests/dpd-clear/pretest.dat @@ -0,0 +1,4 @@ +moon::ipsec start +carol::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/dpd-clear/test.conf b/testing/tests/dpd-clear/test.conf new file mode 100644 index 000000000..2b240d895 --- /dev/null +++ b/testing/tests/dpd-clear/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/esp-ah-transport/description.txt b/testing/tests/esp-ah-transport/description.txt new file mode 100644 index 000000000..c7918fa38 --- /dev/null +++ b/testing/tests/esp-ah-transport/description.txt @@ -0,0 +1,5 @@ +In IKE phase 2 the roadwarrior <b>carol</b> proposes to gateway <b>moon</b> +the ESP AES 128 bit encryption algorithm combined with AH SHA-1 authentication. +In order to accept the AH and ESP encapsulated plaintext packets, the iptables firewall +marks all incoming AH packets with the ESP mark. The transport mode connection is +tested by <b>carol</b> sending a ping to gateway <b>moon</b>. diff --git a/testing/tests/esp-ah-transport/evaltest.dat b/testing/tests/esp-ah-transport/evaltest.dat new file mode 100644 index 000000000..7c498ad83 --- /dev/null +++ b/testing/tests/esp-ah-transport/evaltest.dat @@ -0,0 +1,8 @@ +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +carol::ipsec statusall::ESP algorithm newest: AES_128-;::YES +moon::ipsec statusall::ESP algorithm newest: AES_128-;::YES +carol::ping -c 1 -s 120 -p deadbeef PH_IP_MOON::128 bytes from PH_IP_MOON: icmp_seq=1::YES +carol::ipsec status::ah\..*ah\..*esp\..*ago.*esp\..*ago.*transport::YES +moon::ipsec status::ah\..*ah\..*esp\..*ago.*esp\..*ago.*transport::YES +moon::tcpdump::AH.*ESP::YES diff --git a/testing/tests/esp-ah-transport/hosts/carol/etc/init.d/iptables b/testing/tests/esp-ah-transport/hosts/carol/etc/init.d/iptables new file mode 100755 index 000000000..8c8817539 --- /dev/null +++ b/testing/tests/esp-ah-transport/hosts/carol/etc/init.d/iptables @@ -0,0 +1,73 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +opts="start stop reload" + +depend() { + before net + need logger +} + +start() { + ebegin "Starting firewall" + + # default policy is DROP + /sbin/iptables -P INPUT DROP + /sbin/iptables -P OUTPUT DROP + /sbin/iptables -P FORWARD DROP + + # allow AH + iptables -A INPUT -i eth0 -p 51 -j ACCEPT + iptables -A OUTPUT -o eth0 -p 51 -j ACCEPT + + # allow IKE + iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT + iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + + # allow crl fetch from winnetou + iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT + iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + + # allow ssh + iptables -A INPUT -p tcp --dport 22 -j ACCEPT + iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT + + eend $? +} + +stop() { + ebegin "Stopping firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + + if [ $a == nat ]; then + /sbin/iptables -t nat -P PREROUTING ACCEPT + /sbin/iptables -t nat -P POSTROUTING ACCEPT + /sbin/iptables -t nat -P OUTPUT ACCEPT + elif [ $a == mangle ]; then + /sbin/iptables -t mangle -P PREROUTING ACCEPT + /sbin/iptables -t mangle -P INPUT ACCEPT + /sbin/iptables -t mangle -P FORWARD ACCEPT + /sbin/iptables -t mangle -P OUTPUT ACCEPT + /sbin/iptables -t mangle -P POSTROUTING ACCEPT + elif [ $a == filter ]; then + /sbin/iptables -t filter -P INPUT ACCEPT + /sbin/iptables -t filter -P FORWARD ACCEPT + /sbin/iptables -t filter -P OUTPUT ACCEPT + fi + done + eend $? +} + +reload() { + ebegin "Flushing firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + done; + eend $? + start +} + diff --git a/testing/tests/esp-ah-transport/hosts/carol/etc/ipsec.conf b/testing/tests/esp-ah-transport/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..13ab3e07f --- /dev/null +++ b/testing/tests/esp-ah-transport/hosts/carol/etc/ipsec.conf @@ -0,0 +1,28 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + auth=ah + ike=aes128-sha + esp=aes128-sha1 + +conn home + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + type=transport + auto=add diff --git a/testing/tests/esp-ah-transport/hosts/moon/etc/init.d/iptables b/testing/tests/esp-ah-transport/hosts/moon/etc/init.d/iptables new file mode 100755 index 000000000..3e8922581 --- /dev/null +++ b/testing/tests/esp-ah-transport/hosts/moon/etc/init.d/iptables @@ -0,0 +1,76 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +opts="start stop reload" + +depend() { + before net + need logger +} + +start() { + ebegin "Starting firewall" + + # enable IP forwarding + echo 1 > /proc/sys/net/ipv4/ip_forward + + # default policy is DROP + /sbin/iptables -P INPUT DROP + /sbin/iptables -P OUTPUT DROP + /sbin/iptables -P FORWARD DROP + + # allow AH + iptables -A INPUT -i eth0 -p 51 -j ACCEPT + iptables -A OUTPUT -o eth0 -p 51 -j ACCEPT + + # allow IKE + iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT + iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + + # allow crl fetch from winnetou + iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT + iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + + # allow ssh + iptables -A INPUT -p tcp --dport 22 -j ACCEPT + iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT + + eend $? +} + +stop() { + ebegin "Stopping firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + + if [ $a == nat ]; then + /sbin/iptables -t nat -P PREROUTING ACCEPT + /sbin/iptables -t nat -P POSTROUTING ACCEPT + /sbin/iptables -t nat -P OUTPUT ACCEPT + elif [ $a == mangle ]; then + /sbin/iptables -t mangle -P PREROUTING ACCEPT + /sbin/iptables -t mangle -P INPUT ACCEPT + /sbin/iptables -t mangle -P FORWARD ACCEPT + /sbin/iptables -t mangle -P OUTPUT ACCEPT + /sbin/iptables -t mangle -P POSTROUTING ACCEPT + elif [ $a == filter ]; then + /sbin/iptables -t filter -P INPUT ACCEPT + /sbin/iptables -t filter -P FORWARD ACCEPT + /sbin/iptables -t filter -P OUTPUT ACCEPT + fi + done + eend $? +} + +reload() { + ebegin "Flushing firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + done; + eend $? + start +} + diff --git a/testing/tests/esp-ah-transport/hosts/moon/etc/ipsec.conf b/testing/tests/esp-ah-transport/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..809f3c74b --- /dev/null +++ b/testing/tests/esp-ah-transport/hosts/moon/etc/ipsec.conf @@ -0,0 +1,28 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + leftnexthop=%direct + auth=ah + ike=aes128-sha + esp=aes128-sha1 + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftfirewall=yes + right=%any + rightid=carol@strongswan.org + type=transport + auto=add diff --git a/testing/tests/esp-ah-transport/posttest.dat b/testing/tests/esp-ah-transport/posttest.dat new file mode 100644 index 000000000..26848212b --- /dev/null +++ b/testing/tests/esp-ah-transport/posttest.dat @@ -0,0 +1,6 @@ +moon::iptables -v -n -L +carol::iptables -v -n -L +moon::ipsec stop +carol::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/esp-ah-transport/pretest.dat b/testing/tests/esp-ah-transport/pretest.dat new file mode 100644 index 000000000..bd68efb0b --- /dev/null +++ b/testing/tests/esp-ah-transport/pretest.dat @@ -0,0 +1,6 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +carol::ipsec start +moon::ipsec start +sleep 2 +carol::ipsec up home diff --git a/testing/tests/esp-ah-transport/test.conf b/testing/tests/esp-ah-transport/test.conf new file mode 100644 index 000000000..fd33cfb57 --- /dev/null +++ b/testing/tests/esp-ah-transport/test.conf @@ -0,0 +1,22 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" + diff --git a/testing/tests/esp-ah-tunnel/description.txt b/testing/tests/esp-ah-tunnel/description.txt new file mode 100644 index 000000000..809f28c57 --- /dev/null +++ b/testing/tests/esp-ah-tunnel/description.txt @@ -0,0 +1,6 @@ +In IKE phase 2 the roadwarrior <b>carol</b> proposes to gateway <b>moon</b> +the ESP AES 128 bit encryption algorithm combined with AH SHA-1 authentication. +In order to accept the AH and ESP encapsulated plaintext packets, the iptables firewall +marks all incoming AH packets with the ESP mark. The tunnel mode connection is +tested by <b>carol</b> sending a ping to client <b>alice</b> hiding behind +gateway <b>moon</b>. diff --git a/testing/tests/esp-ah-tunnel/evaltest.dat b/testing/tests/esp-ah-tunnel/evaltest.dat new file mode 100644 index 000000000..8f4a99641 --- /dev/null +++ b/testing/tests/esp-ah-tunnel/evaltest.dat @@ -0,0 +1,8 @@ +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +carol::ipsec statusall::ESP algorithm newest: AES_128-;::YES +moon::ipsec statusall::ESP algorithm newest: AES_128-;::YES +carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES +carol::ipsec status::ah\..*ah\..*esp\..*ago.*esp\..*ago.*tunnel::YES +moon::ipsec status::ah\..*ah\..*esp\..*ago.*esp\..*ago.*tunnel::YES +moon::tcpdump::AH.*ESP::YES diff --git a/testing/tests/esp-ah-tunnel/hosts/carol/etc/init.d/iptables b/testing/tests/esp-ah-tunnel/hosts/carol/etc/init.d/iptables new file mode 100755 index 000000000..8c8817539 --- /dev/null +++ b/testing/tests/esp-ah-tunnel/hosts/carol/etc/init.d/iptables @@ -0,0 +1,73 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +opts="start stop reload" + +depend() { + before net + need logger +} + +start() { + ebegin "Starting firewall" + + # default policy is DROP + /sbin/iptables -P INPUT DROP + /sbin/iptables -P OUTPUT DROP + /sbin/iptables -P FORWARD DROP + + # allow AH + iptables -A INPUT -i eth0 -p 51 -j ACCEPT + iptables -A OUTPUT -o eth0 -p 51 -j ACCEPT + + # allow IKE + iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT + iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + + # allow crl fetch from winnetou + iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT + iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + + # allow ssh + iptables -A INPUT -p tcp --dport 22 -j ACCEPT + iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT + + eend $? +} + +stop() { + ebegin "Stopping firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + + if [ $a == nat ]; then + /sbin/iptables -t nat -P PREROUTING ACCEPT + /sbin/iptables -t nat -P POSTROUTING ACCEPT + /sbin/iptables -t nat -P OUTPUT ACCEPT + elif [ $a == mangle ]; then + /sbin/iptables -t mangle -P PREROUTING ACCEPT + /sbin/iptables -t mangle -P INPUT ACCEPT + /sbin/iptables -t mangle -P FORWARD ACCEPT + /sbin/iptables -t mangle -P OUTPUT ACCEPT + /sbin/iptables -t mangle -P POSTROUTING ACCEPT + elif [ $a == filter ]; then + /sbin/iptables -t filter -P INPUT ACCEPT + /sbin/iptables -t filter -P FORWARD ACCEPT + /sbin/iptables -t filter -P OUTPUT ACCEPT + fi + done + eend $? +} + +reload() { + ebegin "Flushing firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + done; + eend $? + start +} + diff --git a/testing/tests/esp-ah-tunnel/hosts/carol/etc/ipsec.conf b/testing/tests/esp-ah-tunnel/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..98cdaab7a --- /dev/null +++ b/testing/tests/esp-ah-tunnel/hosts/carol/etc/ipsec.conf @@ -0,0 +1,28 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + auth=ah + ike=aes128-sha + esp=aes128-sha1 + +conn home + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/esp-ah-tunnel/hosts/moon/etc/init.d/iptables b/testing/tests/esp-ah-tunnel/hosts/moon/etc/init.d/iptables new file mode 100755 index 000000000..3e8922581 --- /dev/null +++ b/testing/tests/esp-ah-tunnel/hosts/moon/etc/init.d/iptables @@ -0,0 +1,76 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +opts="start stop reload" + +depend() { + before net + need logger +} + +start() { + ebegin "Starting firewall" + + # enable IP forwarding + echo 1 > /proc/sys/net/ipv4/ip_forward + + # default policy is DROP + /sbin/iptables -P INPUT DROP + /sbin/iptables -P OUTPUT DROP + /sbin/iptables -P FORWARD DROP + + # allow AH + iptables -A INPUT -i eth0 -p 51 -j ACCEPT + iptables -A OUTPUT -o eth0 -p 51 -j ACCEPT + + # allow IKE + iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT + iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + + # allow crl fetch from winnetou + iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT + iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + + # allow ssh + iptables -A INPUT -p tcp --dport 22 -j ACCEPT + iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT + + eend $? +} + +stop() { + ebegin "Stopping firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + + if [ $a == nat ]; then + /sbin/iptables -t nat -P PREROUTING ACCEPT + /sbin/iptables -t nat -P POSTROUTING ACCEPT + /sbin/iptables -t nat -P OUTPUT ACCEPT + elif [ $a == mangle ]; then + /sbin/iptables -t mangle -P PREROUTING ACCEPT + /sbin/iptables -t mangle -P INPUT ACCEPT + /sbin/iptables -t mangle -P FORWARD ACCEPT + /sbin/iptables -t mangle -P OUTPUT ACCEPT + /sbin/iptables -t mangle -P POSTROUTING ACCEPT + elif [ $a == filter ]; then + /sbin/iptables -t filter -P INPUT ACCEPT + /sbin/iptables -t filter -P FORWARD ACCEPT + /sbin/iptables -t filter -P OUTPUT ACCEPT + fi + done + eend $? +} + +reload() { + ebegin "Flushing firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + done; + eend $? + start +} + diff --git a/testing/tests/esp-ah-tunnel/hosts/moon/etc/ipsec.conf b/testing/tests/esp-ah-tunnel/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..7f976376d --- /dev/null +++ b/testing/tests/esp-ah-tunnel/hosts/moon/etc/ipsec.conf @@ -0,0 +1,28 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + leftnexthop=%direct + auth=ah + ike=aes128-sha + esp=aes128-sha1 + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + leftfirewall=yes + right=%any + rightid=carol@strongswan.org + auto=add diff --git a/testing/tests/esp-ah-tunnel/posttest.dat b/testing/tests/esp-ah-tunnel/posttest.dat new file mode 100644 index 000000000..26848212b --- /dev/null +++ b/testing/tests/esp-ah-tunnel/posttest.dat @@ -0,0 +1,6 @@ +moon::iptables -v -n -L +carol::iptables -v -n -L +moon::ipsec stop +carol::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/esp-ah-tunnel/pretest.dat b/testing/tests/esp-ah-tunnel/pretest.dat new file mode 100644 index 000000000..bd68efb0b --- /dev/null +++ b/testing/tests/esp-ah-tunnel/pretest.dat @@ -0,0 +1,6 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +carol::ipsec start +moon::ipsec start +sleep 2 +carol::ipsec up home diff --git a/testing/tests/esp-ah-tunnel/test.conf b/testing/tests/esp-ah-tunnel/test.conf new file mode 100644 index 000000000..fd33cfb57 --- /dev/null +++ b/testing/tests/esp-ah-tunnel/test.conf @@ -0,0 +1,22 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" + diff --git a/testing/tests/esp-alg-des/description.txt b/testing/tests/esp-alg-des/description.txt new file mode 100644 index 000000000..9546569dd --- /dev/null +++ b/testing/tests/esp-alg-des/description.txt @@ -0,0 +1,5 @@ +In IKE phase 2 the roadwarrior <b>carol</b> proposes to gateway <b>moon</b> +the ESP 1DES encryption algorithm with MD5 authentication. <b>moon</b> must +explicitly accept the choice of this insecure algorithm by setting the strict +flag '!' in <b>esp=des-md5!</b>. The tunnel is tested by <b>carol</b> +sending a ping to client <b>alice</b> behind gateway <b>moon</b>. diff --git a/testing/tests/esp-alg-des/evaltest.dat b/testing/tests/esp-alg-des/evaltest.dat new file mode 100644 index 000000000..8e06392f1 --- /dev/null +++ b/testing/tests/esp-alg-des/evaltest.dat @@ -0,0 +1,6 @@ +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +moon::ipsec statusall::ESP algorithm newest: DES_0-HMAC_MD5::YES +carol::ipsec statusall::ESP algorithm newest: DES_0-HMAC_MD5::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES + diff --git a/testing/tests/esp-alg-des/hosts/carol/etc/ipsec.conf b/testing/tests/esp-alg-des/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..b4f067b6d --- /dev/null +++ b/testing/tests/esp-alg-des/hosts/carol/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug="control crypt" + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + ike=3des-md5-modp1024! + esp=des-md5! +conn home + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolCert.pem + leftid=carol@strongswan.org + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/esp-alg-des/hosts/moon/etc/ipsec.conf b/testing/tests/esp-alg-des/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..9513f810d --- /dev/null +++ b/testing/tests/esp-alg-des/hosts/moon/etc/ipsec.conf @@ -0,0 +1,26 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug="control crypt" + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + leftnexthop=%direct + ike=3des-md5-modp1024! + esp=des-md5! + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + right=%any + rightid=carol@strongswan.org + auto=add diff --git a/testing/tests/esp-alg-des/posttest.dat b/testing/tests/esp-alg-des/posttest.dat new file mode 100644 index 000000000..c6d6235f9 --- /dev/null +++ b/testing/tests/esp-alg-des/posttest.dat @@ -0,0 +1,2 @@ +moon::ipsec stop +carol::ipsec stop diff --git a/testing/tests/esp-alg-des/pretest.dat b/testing/tests/esp-alg-des/pretest.dat new file mode 100644 index 000000000..7d077c126 --- /dev/null +++ b/testing/tests/esp-alg-des/pretest.dat @@ -0,0 +1,5 @@ +moon::echo 1 > /proc/sys/net/ipv4/ip_forward +carol::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/esp-alg-des/test.conf b/testing/tests/esp-alg-des/test.conf new file mode 100644 index 000000000..a6c8f026c --- /dev/null +++ b/testing/tests/esp-alg-des/test.conf @@ -0,0 +1,22 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" + diff --git a/testing/tests/esp-alg-null/description.txt b/testing/tests/esp-alg-null/description.txt new file mode 100644 index 000000000..7880a799c --- /dev/null +++ b/testing/tests/esp-alg-null/description.txt @@ -0,0 +1,5 @@ +In IKE phase 2 the roadwarrior <b>carol</b> proposes to gateway <b>moon</b> +the ESP NULL encryption algorithm with SHA-1 authentication. <b>moon</b> must +explicitly accept the choice of this insecure algorithm by setting the strict +flag '!' in <b>esp=null-sha1!</b>. The tunnel is tested by <b>carol</b> +sending a ping to client <b>alice</b> behind gateway <b>moon</b>. diff --git a/testing/tests/esp-alg-null/evaltest.dat b/testing/tests/esp-alg-null/evaltest.dat new file mode 100644 index 000000000..de2f2a571 --- /dev/null +++ b/testing/tests/esp-alg-null/evaltest.dat @@ -0,0 +1,5 @@ +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +moon::ipsec statusall::ESP algorithm newest::NULL_0-HMAC_SHA1::YES +carol::ipsec statusall::ESP algorithm newest::NULL_0-HMAC_SHA1::YES +carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES diff --git a/testing/tests/esp-alg-null/hosts/carol/etc/ipsec.conf b/testing/tests/esp-alg-null/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..b732eba93 --- /dev/null +++ b/testing/tests/esp-alg-null/hosts/carol/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + ike=aes-128-sha + esp=null-sha1! +conn home + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolCert.pem + leftid=carol@strongswan.org + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/esp-alg-null/hosts/moon/etc/ipsec.conf b/testing/tests/esp-alg-null/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..af11591a1 --- /dev/null +++ b/testing/tests/esp-alg-null/hosts/moon/etc/ipsec.conf @@ -0,0 +1,26 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + leftnexthop=%direct + ike=aes128-sha! + esp=null-sha1! + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + right=%any + rightid=carol@strongswan.org + auto=add diff --git a/testing/tests/esp-alg-null/posttest.dat b/testing/tests/esp-alg-null/posttest.dat new file mode 100644 index 000000000..c6d6235f9 --- /dev/null +++ b/testing/tests/esp-alg-null/posttest.dat @@ -0,0 +1,2 @@ +moon::ipsec stop +carol::ipsec stop diff --git a/testing/tests/esp-alg-null/pretest.dat b/testing/tests/esp-alg-null/pretest.dat new file mode 100644 index 000000000..f5aa989fe --- /dev/null +++ b/testing/tests/esp-alg-null/pretest.dat @@ -0,0 +1,4 @@ +carol::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/esp-alg-null/test.conf b/testing/tests/esp-alg-null/test.conf new file mode 100644 index 000000000..a6c8f026c --- /dev/null +++ b/testing/tests/esp-alg-null/test.conf @@ -0,0 +1,22 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" + diff --git a/testing/tests/esp-alg-strict-fail/description.txt b/testing/tests/esp-alg-strict-fail/description.txt new file mode 100644 index 000000000..03c655480 --- /dev/null +++ b/testing/tests/esp-alg-strict-fail/description.txt @@ -0,0 +1,5 @@ +The roadwarrior <b>carol</b> proposes <b>3DES</b> encryption with SHA-1 authentication +as the only cipher suite for both the ISAKMP and IPsec SA. The gateway <b>moon</b> defines +<b>ike=aes-128-sha</b> only, but will accept any other support algorithm proposed by the peer, +leading to a successful negotiation of Phase 1. Because for Phase 2 <b>moon</b> enforces +<b>esp=aes-128-sha1!</b> by using the strict flag '!', the ISAKMP SA will fail. diff --git a/testing/tests/esp-alg-strict-fail/evaltest.dat b/testing/tests/esp-alg-strict-fail/evaltest.dat new file mode 100644 index 000000000..6f2024ff9 --- /dev/null +++ b/testing/tests/esp-alg-strict-fail/evaltest.dat @@ -0,0 +1,9 @@ +carol::ipsec status::home.*STATE_MAIN_I4.*ISAKMP SA established::YES +carol::ipsec statusall::IKE algorithm newest: 3DES_CBC_192-SHA::YES +moon::ipsec status::rw.*STATE_MAIN_R3.*ISAKMP SA established::YES +moon::ipsec statusall::IKE algorithm newest: 3DES_CBC_192-SHA::YES +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::NO +carol::cat /var/log/auth.log::NO_PROPOSAL_CHOSEN::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*ISAKMP SA established::NO +moon::cat /var/log/auth.log::IPSec Transform.*ESP_3DES (192), AUTH_ALGORITHM_HMAC_SHA1.*refused due to strict flag::YES +moon::cat /var/log/auth.log::no acceptable Proposal in IPsec SA::YES diff --git a/testing/tests/esp-alg-strict-fail/hosts/carol/etc/ipsec.conf b/testing/tests/esp-alg-strict-fail/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..ae8d2b772 --- /dev/null +++ b/testing/tests/esp-alg-strict-fail/hosts/carol/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + ike=3des-sha + esp=3des-sha1 +conn home + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolCert.pem + leftid=carol@strongswan.org + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/esp-alg-strict-fail/hosts/moon/etc/ipsec.conf b/testing/tests/esp-alg-strict-fail/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..2dd1c763a --- /dev/null +++ b/testing/tests/esp-alg-strict-fail/hosts/moon/etc/ipsec.conf @@ -0,0 +1,26 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + leftnexthop=%direct + ike=aes128-sha + esp=aes128-sha1! + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + right=%any + rightid=carol@strongswan.org + auto=add diff --git a/testing/tests/esp-alg-strict-fail/posttest.dat b/testing/tests/esp-alg-strict-fail/posttest.dat new file mode 100644 index 000000000..c6d6235f9 --- /dev/null +++ b/testing/tests/esp-alg-strict-fail/posttest.dat @@ -0,0 +1,2 @@ +moon::ipsec stop +carol::ipsec stop diff --git a/testing/tests/esp-alg-strict-fail/pretest.dat b/testing/tests/esp-alg-strict-fail/pretest.dat new file mode 100644 index 000000000..f5aa989fe --- /dev/null +++ b/testing/tests/esp-alg-strict-fail/pretest.dat @@ -0,0 +1,4 @@ +carol::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/esp-alg-strict-fail/test.conf b/testing/tests/esp-alg-strict-fail/test.conf new file mode 100644 index 000000000..2b240d895 --- /dev/null +++ b/testing/tests/esp-alg-strict-fail/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/esp-alg-strict/description.txt b/testing/tests/esp-alg-strict/description.txt new file mode 100644 index 000000000..b4fc08253 --- /dev/null +++ b/testing/tests/esp-alg-strict/description.txt @@ -0,0 +1,7 @@ +Roadwarrior <b>carol</b> proposes <b>3DES</b> encryption (together with +SHA-1 authentication) in the first place and <b>AES-128</b> encryption in +second place for both the ISAKMP and IPsec SAs. Gateway <b>moon</b> defines +<b>ike=aes-128-sha</b> but will accept any other supported algorithm proposed +by the peer during Phase 1. But for ESP encryption <b>moon</b> enforces +<b>esp=aes-128-sha1!</b> by applying the strict flag '!'. + diff --git a/testing/tests/esp-alg-strict/evaltest.dat b/testing/tests/esp-alg-strict/evaltest.dat new file mode 100644 index 000000000..d5dd12d4e --- /dev/null +++ b/testing/tests/esp-alg-strict/evaltest.dat @@ -0,0 +1,7 @@ +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +moon::cat /var/log/auth.log::IPSec Transform.*ESP_3DES (192), AUTH_ALGORITHM_HMAC_SHA1.*refused due to strict flag::YES +moon::ipsec statusall::IKE algorithm newest: 3DES_CBC_192-SHA::YES +moon::ipsec statusall::ESP algorithm newest: AES_128-HMAC_SHA1::YES +carol::ipsec statusall::IKE algorithm newest: 3DES_CBC_192-SHA::YES +carol::ipsec statusall::ESP algorithm newest: AES_128-HMAC_SHA1::YES diff --git a/testing/tests/esp-alg-strict/hosts/carol/etc/ipsec.conf b/testing/tests/esp-alg-strict/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..5a14de070 --- /dev/null +++ b/testing/tests/esp-alg-strict/hosts/carol/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + ike=3des-sha,aes-128-sha + esp=3des-sha1,aes-128-sha1 +conn home + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolCert.pem + leftid=carol@strongswan.org + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/esp-alg-strict/hosts/moon/etc/ipsec.conf b/testing/tests/esp-alg-strict/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..2dd1c763a --- /dev/null +++ b/testing/tests/esp-alg-strict/hosts/moon/etc/ipsec.conf @@ -0,0 +1,26 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + leftnexthop=%direct + ike=aes128-sha + esp=aes128-sha1! + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + right=%any + rightid=carol@strongswan.org + auto=add diff --git a/testing/tests/esp-alg-strict/posttest.dat b/testing/tests/esp-alg-strict/posttest.dat new file mode 100644 index 000000000..c6d6235f9 --- /dev/null +++ b/testing/tests/esp-alg-strict/posttest.dat @@ -0,0 +1,2 @@ +moon::ipsec stop +carol::ipsec stop diff --git a/testing/tests/esp-alg-strict/pretest.dat b/testing/tests/esp-alg-strict/pretest.dat new file mode 100644 index 000000000..f5aa989fe --- /dev/null +++ b/testing/tests/esp-alg-strict/pretest.dat @@ -0,0 +1,4 @@ +carol::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/esp-alg-strict/test.conf b/testing/tests/esp-alg-strict/test.conf new file mode 100644 index 000000000..a6c8f026c --- /dev/null +++ b/testing/tests/esp-alg-strict/test.conf @@ -0,0 +1,22 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" + diff --git a/testing/tests/esp-alg-weak/description.txt b/testing/tests/esp-alg-weak/description.txt new file mode 100644 index 000000000..ffb6882f5 --- /dev/null +++ b/testing/tests/esp-alg-weak/description.txt @@ -0,0 +1,5 @@ +The roadwarrior <b>carol</b> proposes <b>1DES</b> encryption with MD5 authentication +as the only cipher suite for the IPsec SA. Because gateway <b>moon</b> does +not use an explicit <b>esp</b> statement any strong encryption algorithm will be +accepted but any weak key length will be rejected by default and thus the ISAKMP SA +is bound to fail. diff --git a/testing/tests/esp-alg-weak/evaltest.dat b/testing/tests/esp-alg-weak/evaltest.dat new file mode 100644 index 000000000..72b14e805 --- /dev/null +++ b/testing/tests/esp-alg-weak/evaltest.dat @@ -0,0 +1,5 @@ +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::NO +carol::cat /var/log/auth.log::NO_PROPOSAL_CHOSEN::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::NO +moon::cat /var/log/auth.log::IPSec Transform.*refused due to insecure key_len::YES +moon::cat /var/log/auth.log::no acceptable Proposal in IPsec SA::YES diff --git a/testing/tests/esp-alg-weak/hosts/carol/etc/ipsec.conf b/testing/tests/esp-alg-weak/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..b4f067b6d --- /dev/null +++ b/testing/tests/esp-alg-weak/hosts/carol/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug="control crypt" + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + ike=3des-md5-modp1024! + esp=des-md5! +conn home + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolCert.pem + leftid=carol@strongswan.org + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/esp-alg-weak/hosts/moon/etc/ipsec.conf b/testing/tests/esp-alg-weak/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..3f07213ae --- /dev/null +++ b/testing/tests/esp-alg-weak/hosts/moon/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug="control crypt" + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + leftnexthop=%direct + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + right=%any + rightid=carol@strongswan.org + auto=add diff --git a/testing/tests/esp-alg-weak/posttest.dat b/testing/tests/esp-alg-weak/posttest.dat new file mode 100644 index 000000000..c6d6235f9 --- /dev/null +++ b/testing/tests/esp-alg-weak/posttest.dat @@ -0,0 +1,2 @@ +moon::ipsec stop +carol::ipsec stop diff --git a/testing/tests/esp-alg-weak/pretest.dat b/testing/tests/esp-alg-weak/pretest.dat new file mode 100644 index 000000000..7d077c126 --- /dev/null +++ b/testing/tests/esp-alg-weak/pretest.dat @@ -0,0 +1,5 @@ +moon::echo 1 > /proc/sys/net/ipv4/ip_forward +carol::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/esp-alg-weak/test.conf b/testing/tests/esp-alg-weak/test.conf new file mode 100644 index 000000000..a6c8f026c --- /dev/null +++ b/testing/tests/esp-alg-weak/test.conf @@ -0,0 +1,22 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" + diff --git a/testing/tests/host2host-cert/description.txt b/testing/tests/host2host-cert/description.txt new file mode 100644 index 000000000..6be21bf8f --- /dev/null +++ b/testing/tests/host2host-cert/description.txt @@ -0,0 +1,4 @@ +A connection between the hosts <b>moon</b> and <b>sun</b> is successfully set up. +The authentication is based on X.509 certificates. <b>leftfirewall=yes</b> automatically +inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test the host-to-host tunnel <b>moon</b> pings <b>sun</b>. diff --git a/testing/tests/host2host-cert/evaltest.dat b/testing/tests/host2host-cert/evaltest.dat new file mode 100644 index 000000000..d19f970f2 --- /dev/null +++ b/testing/tests/host2host-cert/evaltest.dat @@ -0,0 +1,5 @@ +moon::ipsec status::host-host.*STATE_QUICK_I2.*IPsec SA established::YES +sun::ipsec status::host-host.*STATE_QUICK_R2.*IPsec SA established::YES +moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_seq=1::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/host2host-cert/posttest.dat b/testing/tests/host2host-cert/posttest.dat new file mode 100644 index 000000000..52979508d --- /dev/null +++ b/testing/tests/host2host-cert/posttest.dat @@ -0,0 +1,6 @@ +moon::iptables -v -n -L +sun::iptables -v -n -L +moon::ipsec stop +sun::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +sun::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/host2host-cert/pretest.dat b/testing/tests/host2host-cert/pretest.dat new file mode 100644 index 000000000..3536fd886 --- /dev/null +++ b/testing/tests/host2host-cert/pretest.dat @@ -0,0 +1,6 @@ +moon::/etc/init.d/iptables start 2> /dev/null +sun::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +sun::ipsec start +moon::sleep 2 +moon::ipsec up host-host diff --git a/testing/tests/host2host-cert/test.conf b/testing/tests/host2host-cert/test.conf new file mode 100644 index 000000000..cf2e704fd --- /dev/null +++ b/testing/tests/host2host-cert/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon winnetou sun" + +# Corresponding block diagram +# +DIAGRAM="m-w-s.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" diff --git a/testing/tests/host2host-swapped/description.txt b/testing/tests/host2host-swapped/description.txt new file mode 100644 index 000000000..34cfe43cc --- /dev/null +++ b/testing/tests/host2host-swapped/description.txt @@ -0,0 +1,3 @@ +Same scenario as test <a href="../host2host-cert/"><b>host2host-cert</b></a> but with +swapped end definitions: <b>right</b> denotes the <b>local</b> side whereas +<b>left</b> stands for the <b>remote</b> peer. diff --git a/testing/tests/host2host-swapped/evaltest.dat b/testing/tests/host2host-swapped/evaltest.dat new file mode 100644 index 000000000..d19f970f2 --- /dev/null +++ b/testing/tests/host2host-swapped/evaltest.dat @@ -0,0 +1,5 @@ +moon::ipsec status::host-host.*STATE_QUICK_I2.*IPsec SA established::YES +sun::ipsec status::host-host.*STATE_QUICK_R2.*IPsec SA established::YES +moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_seq=1::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/host2host-swapped/hosts/moon/etc/ipsec.conf b/testing/tests/host2host-swapped/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..4b66a5ecb --- /dev/null +++ b/testing/tests/host2host-swapped/hosts/moon/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn host-host + right=PH_IP_MOON + rightnexthop=%direct + rightcert=moonCert.pem + rightid=@moon.strongswan.org + rightfirewall=yes + left=PH_IP_SUN + leftid=@sun.strongswan.org + auto=add diff --git a/testing/tests/host2host-swapped/hosts/sun/etc/ipsec.conf b/testing/tests/host2host-swapped/hosts/sun/etc/ipsec.conf new file mode 100755 index 000000000..a58894b33 --- /dev/null +++ b/testing/tests/host2host-swapped/hosts/sun/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + nat_traversal=yes + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn host-host + right=PH_IP_SUN + rightnexthop=%direct + rightcert=sunCert.pem + rightfirewall=yes + rightid=@sun.strongswan.org + left=PH_IP_MOON + leftid=@moon.strongswan.org + auto=add diff --git a/testing/tests/host2host-swapped/posttest.dat b/testing/tests/host2host-swapped/posttest.dat new file mode 100644 index 000000000..52979508d --- /dev/null +++ b/testing/tests/host2host-swapped/posttest.dat @@ -0,0 +1,6 @@ +moon::iptables -v -n -L +sun::iptables -v -n -L +moon::ipsec stop +sun::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +sun::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/host2host-swapped/pretest.dat b/testing/tests/host2host-swapped/pretest.dat new file mode 100644 index 000000000..e2d98f2eb --- /dev/null +++ b/testing/tests/host2host-swapped/pretest.dat @@ -0,0 +1,6 @@ +moon::/etc/init.d/iptables start 2> /dev/null +sun::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +sun::ipsec start +moon::sleep 2 +moon::ipsec up host-host diff --git a/testing/tests/host2host-swapped/test.conf b/testing/tests/host2host-swapped/test.conf new file mode 100644 index 000000000..cf2e704fd --- /dev/null +++ b/testing/tests/host2host-swapped/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon winnetou sun" + +# Corresponding block diagram +# +DIAGRAM="m-w-s.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" diff --git a/testing/tests/host2host-transport/description.txt b/testing/tests/host2host-transport/description.txt new file mode 100644 index 000000000..fe3482c96 --- /dev/null +++ b/testing/tests/host2host-transport/description.txt @@ -0,0 +1,4 @@ +An IPsec <b>transport-mode</b> connection between the hosts <b>moon</b> and <b>sun</b> is +successfully set up. <b>leftfirewall=yes</b> automatically inserts iptables-based firewall +rules that let pass the decrypted IP packets. In order to test the host-to-host connection +<b>moon</b> pings <b>sun</b>. diff --git a/testing/tests/host2host-transport/evaltest.dat b/testing/tests/host2host-transport/evaltest.dat new file mode 100644 index 000000000..d19f970f2 --- /dev/null +++ b/testing/tests/host2host-transport/evaltest.dat @@ -0,0 +1,5 @@ +moon::ipsec status::host-host.*STATE_QUICK_I2.*IPsec SA established::YES +sun::ipsec status::host-host.*STATE_QUICK_R2.*IPsec SA established::YES +moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_seq=1::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/host2host-transport/hosts/moon/etc/ipsec.conf b/testing/tests/host2host-transport/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..af5000fa8 --- /dev/null +++ b/testing/tests/host2host-transport/hosts/moon/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + leftnexthop=%direct + +conn host-host + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftfirewall=yes + right=PH_IP_SUN + rightid=@sun.strongswan.org + type=transport + auto=add diff --git a/testing/tests/host2host-transport/hosts/sun/etc/ipsec.conf b/testing/tests/host2host-transport/hosts/sun/etc/ipsec.conf new file mode 100755 index 000000000..10bea9847 --- /dev/null +++ b/testing/tests/host2host-transport/hosts/sun/etc/ipsec.conf @@ -0,0 +1,26 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + leftnexthop=%direct + +conn host-host + left=PH_IP_SUN + leftcert=sunCert.pem + leftid=@sun.strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + type=transport + auto=add + diff --git a/testing/tests/host2host-transport/posttest.dat b/testing/tests/host2host-transport/posttest.dat new file mode 100644 index 000000000..52979508d --- /dev/null +++ b/testing/tests/host2host-transport/posttest.dat @@ -0,0 +1,6 @@ +moon::iptables -v -n -L +sun::iptables -v -n -L +moon::ipsec stop +sun::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +sun::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/host2host-transport/pretest.dat b/testing/tests/host2host-transport/pretest.dat new file mode 100644 index 000000000..e2d98f2eb --- /dev/null +++ b/testing/tests/host2host-transport/pretest.dat @@ -0,0 +1,6 @@ +moon::/etc/init.d/iptables start 2> /dev/null +sun::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +sun::ipsec start +moon::sleep 2 +moon::ipsec up host-host diff --git a/testing/tests/host2host-transport/test.conf b/testing/tests/host2host-transport/test.conf new file mode 100644 index 000000000..cf2e704fd --- /dev/null +++ b/testing/tests/host2host-transport/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon winnetou sun" + +# Corresponding block diagram +# +DIAGRAM="m-w-s.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" diff --git a/testing/tests/ike-alg-sha2_512/description.txt b/testing/tests/ike-alg-sha2_512/description.txt new file mode 100644 index 000000000..1bec4b8c6 --- /dev/null +++ b/testing/tests/ike-alg-sha2_512/description.txt @@ -0,0 +1,4 @@ +Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the paranoid cipher suite +<b>AES_CBC_256-SHA2_512-MODP8192</b> for the IKE protocol and +<b>AES_256-HMAC_SHA2_256</b> for ESP packets. A ping from <b>carol</b> to +<b>alice</b> successfully checks the established tunnel. diff --git a/testing/tests/ike-alg-sha2_512/evaltest.dat b/testing/tests/ike-alg-sha2_512/evaltest.dat new file mode 100644 index 000000000..dbd35429c --- /dev/null +++ b/testing/tests/ike-alg-sha2_512/evaltest.dat @@ -0,0 +1,8 @@ +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +moon::ipsec statusall::IKE algorithm newest: AES_CBC_256-SHA2_512-MODP8192::YES +carol::ipsec statusall::IKE algorithm newest: AES_CBC_256-SHA2_512-MODP8192::YES +moon::ipsec statusall::ESP algorithm newest: AES_256-HMAC_SHA2_256::YES +carol::ipsec statusall::ESP algorithm newest: AES_256-HMAC_SHA2_256::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES + diff --git a/testing/tests/ike-alg-sha2_512/hosts/carol/etc/ipsec.conf b/testing/tests/ike-alg-sha2_512/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..1f73cdc21 --- /dev/null +++ b/testing/tests/ike-alg-sha2_512/hosts/carol/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug="control crypt" + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + ike=aes256-sha2_512-modp8192! + esp=aes256-sha2_256! +conn home + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolCert.pem + leftid=carol@strongswan.org + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ike-alg-sha2_512/hosts/moon/etc/ipsec.conf b/testing/tests/ike-alg-sha2_512/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..90911997e --- /dev/null +++ b/testing/tests/ike-alg-sha2_512/hosts/moon/etc/ipsec.conf @@ -0,0 +1,26 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug="control crypt" + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + leftnexthop=%direct + ike=aes256-sha2_512-modp8192! + esp=aes256-sha2_256! + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + right=%any + rightid=carol@strongswan.org + auto=add diff --git a/testing/tests/ike-alg-sha2_512/posttest.dat b/testing/tests/ike-alg-sha2_512/posttest.dat new file mode 100644 index 000000000..c6d6235f9 --- /dev/null +++ b/testing/tests/ike-alg-sha2_512/posttest.dat @@ -0,0 +1,2 @@ +moon::ipsec stop +carol::ipsec stop diff --git a/testing/tests/ike-alg-sha2_512/pretest.dat b/testing/tests/ike-alg-sha2_512/pretest.dat new file mode 100644 index 000000000..7d077c126 --- /dev/null +++ b/testing/tests/ike-alg-sha2_512/pretest.dat @@ -0,0 +1,5 @@ +moon::echo 1 > /proc/sys/net/ipv4/ip_forward +carol::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/ike-alg-sha2_512/test.conf b/testing/tests/ike-alg-sha2_512/test.conf new file mode 100644 index 000000000..a6c8f026c --- /dev/null +++ b/testing/tests/ike-alg-sha2_512/test.conf @@ -0,0 +1,22 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" + diff --git a/testing/tests/ike-alg-strict-fail/description.txt b/testing/tests/ike-alg-strict-fail/description.txt new file mode 100644 index 000000000..03c655480 --- /dev/null +++ b/testing/tests/ike-alg-strict-fail/description.txt @@ -0,0 +1,5 @@ +The roadwarrior <b>carol</b> proposes <b>3DES</b> encryption with SHA-1 authentication +as the only cipher suite for both the ISAKMP and IPsec SA. The gateway <b>moon</b> defines +<b>ike=aes-128-sha</b> only, but will accept any other support algorithm proposed by the peer, +leading to a successful negotiation of Phase 1. Because for Phase 2 <b>moon</b> enforces +<b>esp=aes-128-sha1!</b> by using the strict flag '!', the ISAKMP SA will fail. diff --git a/testing/tests/ike-alg-strict-fail/evaltest.dat b/testing/tests/ike-alg-strict-fail/evaltest.dat new file mode 100644 index 000000000..931b8855a --- /dev/null +++ b/testing/tests/ike-alg-strict-fail/evaltest.dat @@ -0,0 +1,5 @@ +carol::ipsec status::home.*STATE_MAIN_I4.*ISAKMP SA established::NO +moon::ipsec status::rw.*STATE_MAIN_R3.*ISAKMP SA established::NO +carol::cat /var/log/auth.log::NO_PROPOSAL_CHOSEN::YES +moon::cat /var/log/auth.log::Oakley Transform.*OAKLEY_3DES_CBC (192), OAKLEY_SHA.*refused due to strict flag::YES +moon::cat /var/log/auth.log::no acceptable Oakley Transform::YES diff --git a/testing/tests/ike-alg-strict-fail/hosts/carol/etc/ipsec.conf b/testing/tests/ike-alg-strict-fail/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..ae8d2b772 --- /dev/null +++ b/testing/tests/ike-alg-strict-fail/hosts/carol/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + ike=3des-sha + esp=3des-sha1 +conn home + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolCert.pem + leftid=carol@strongswan.org + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ike-alg-strict-fail/hosts/moon/etc/ipsec.conf b/testing/tests/ike-alg-strict-fail/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..85cd235dc --- /dev/null +++ b/testing/tests/ike-alg-strict-fail/hosts/moon/etc/ipsec.conf @@ -0,0 +1,26 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + leftnexthop=%direct + ike=aes128-sha! + esp=aes128-sha1 + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + right=%any + rightid=carol@strongswan.org + auto=add diff --git a/testing/tests/ike-alg-strict-fail/posttest.dat b/testing/tests/ike-alg-strict-fail/posttest.dat new file mode 100644 index 000000000..c6d6235f9 --- /dev/null +++ b/testing/tests/ike-alg-strict-fail/posttest.dat @@ -0,0 +1,2 @@ +moon::ipsec stop +carol::ipsec stop diff --git a/testing/tests/ike-alg-strict-fail/pretest.dat b/testing/tests/ike-alg-strict-fail/pretest.dat new file mode 100644 index 000000000..f5aa989fe --- /dev/null +++ b/testing/tests/ike-alg-strict-fail/pretest.dat @@ -0,0 +1,4 @@ +carol::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/ike-alg-strict-fail/test.conf b/testing/tests/ike-alg-strict-fail/test.conf new file mode 100644 index 000000000..7e7848831 --- /dev/null +++ b/testing/tests/ike-alg-strict-fail/test.conf @@ -0,0 +1,21 @@ +##!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/ike-alg-strict/description.txt b/testing/tests/ike-alg-strict/description.txt new file mode 100644 index 000000000..35d266e20 --- /dev/null +++ b/testing/tests/ike-alg-strict/description.txt @@ -0,0 +1,5 @@ +The roadwarrior <b>carol</b> proposes <b>3DES</b> encryption with <b>SHA-1</b> authentication in the first place +and <b>AES-128</b> encryption with <b>SHA-1</b> authentication in the second place for both the ISAKMP and IPsec SA. +The gateway <b>moon</b> enforces <b>ike=aes-128-sha!</b> for Phase 1 by using the strict flag '!', +but will accept any other supported algorithm proposed by the peer for Phase 2 , even though <b>moon</b> +defines itself <b>esp=aes-128-sha1</b> only. diff --git a/testing/tests/ike-alg-strict/evaltest.dat b/testing/tests/ike-alg-strict/evaltest.dat new file mode 100644 index 000000000..46140be8a --- /dev/null +++ b/testing/tests/ike-alg-strict/evaltest.dat @@ -0,0 +1,7 @@ +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +moon::cat /var/log/auth.log::Oakley Transform.*OAKLEY_3DES_CBC (192), OAKLEY_SHA.*refused due to strict flag::YES +moon::ipsec statusall::IKE algorithm newest: AES_CBC_128-SHA::YES +moon::ipsec statusall::ESP algorithm newest: 3DES_0-HMAC_SHA1::YES +carol::ipsec statusall::IKE algorithm newest: AES_CBC_128-SHA::YES +carol::ipsec statusall::ESP algorithm newest: 3DES_0-HMAC_SHA1::YES diff --git a/testing/tests/ike-alg-strict/hosts/carol/etc/ipsec.conf b/testing/tests/ike-alg-strict/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..5a14de070 --- /dev/null +++ b/testing/tests/ike-alg-strict/hosts/carol/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + ike=3des-sha,aes-128-sha + esp=3des-sha1,aes-128-sha1 +conn home + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolCert.pem + leftid=carol@strongswan.org + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ike-alg-strict/hosts/moon/etc/ipsec.conf b/testing/tests/ike-alg-strict/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..85cd235dc --- /dev/null +++ b/testing/tests/ike-alg-strict/hosts/moon/etc/ipsec.conf @@ -0,0 +1,26 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + leftnexthop=%direct + ike=aes128-sha! + esp=aes128-sha1 + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + right=%any + rightid=carol@strongswan.org + auto=add diff --git a/testing/tests/ike-alg-strict/posttest.dat b/testing/tests/ike-alg-strict/posttest.dat new file mode 100644 index 000000000..c6d6235f9 --- /dev/null +++ b/testing/tests/ike-alg-strict/posttest.dat @@ -0,0 +1,2 @@ +moon::ipsec stop +carol::ipsec stop diff --git a/testing/tests/ike-alg-strict/pretest.dat b/testing/tests/ike-alg-strict/pretest.dat new file mode 100644 index 000000000..f5aa989fe --- /dev/null +++ b/testing/tests/ike-alg-strict/pretest.dat @@ -0,0 +1,4 @@ +carol::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/ike-alg-strict/test.conf b/testing/tests/ike-alg-strict/test.conf new file mode 100644 index 000000000..2b240d895 --- /dev/null +++ b/testing/tests/ike-alg-strict/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/mode-config-swapped/description.txt b/testing/tests/mode-config-swapped/description.txt new file mode 100644 index 000000000..e29e6f654 --- /dev/null +++ b/testing/tests/mode-config-swapped/description.txt @@ -0,0 +1,3 @@ +Same scenario as test <a href="../mode-config/"><b>mode-config</b></a> but with +swapped end definitions: <b>right</b> denotes the <b>local</b> side whereas +<b>left</b> stands for the <b>remote</b> peer. diff --git a/testing/tests/mode-config-swapped/evaltest.dat b/testing/tests/mode-config-swapped/evaltest.dat new file mode 100644 index 000000000..be8ca6ef5 --- /dev/null +++ b/testing/tests/mode-config-swapped/evaltest.dat @@ -0,0 +1,16 @@ +carol::cat /var/log/auth.log::setting virtual IP source address to 10.3.0.1::YES +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +dave::cat /var/log/auth.log::setting virtual IP source address to 10.3.0.2::YES +dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon::ipsec status::rw-carol.*STATE_QUICK_R2.*IPsec SA established::YES +moon::ipsec status::rw-dave.*STATE_QUICK_R2.*IPsec SA established::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES +alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: icmp::YES +alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: icmp::YES +alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: icmp::YES +alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: icmp::YES diff --git a/testing/tests/mode-config-swapped/hosts/carol/etc/ipsec.conf b/testing/tests/mode-config-swapped/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..bee23f4df --- /dev/null +++ b/testing/tests/mode-config-swapped/hosts/carol/etc/ipsec.conf @@ -0,0 +1,30 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn home + right=PH_IP_CAROL + rightsourceip=%modeconfig + rightnexthop=%direct + rightcert=carolCert.pem + rightid=carol@strongswan.org + rightfirewall=yes + left=PH_IP_MOON + leftsubnet=10.1.0.0/16 + leftid=@moon.strongswan.org + auto=add + + + + diff --git a/testing/tests/mode-config-swapped/hosts/dave/etc/ipsec.conf b/testing/tests/mode-config-swapped/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..698cd9673 --- /dev/null +++ b/testing/tests/mode-config-swapped/hosts/dave/etc/ipsec.conf @@ -0,0 +1,30 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn home + right=PH_IP_DAVE + rightsourceip=%modeconfig + rightnexthop=%direct + rightcert=daveCert.pem + rightid=dave@strongswan.org + rightfirewall=yes + left=PH_IP_MOON + leftsubnet=10.1.0.0/16 + leftid=@moon.strongswan.org + auto=add + + + + diff --git a/testing/tests/mode-config-swapped/hosts/moon/etc/ipsec.conf b/testing/tests/mode-config-swapped/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..b9e401080 --- /dev/null +++ b/testing/tests/mode-config-swapped/hosts/moon/etc/ipsec.conf @@ -0,0 +1,33 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightsourceip=PH_IP1_MOON + rightnexthop=%direct + rightcert=moonCert.pem + rightid=@moon.strongswan.org + rightfirewall=yes + +conn rw-carol + left=%any + leftid=carol@strongswan.org + leftsourceip=PH_IP1_CAROL + auto=add + +conn rw-dave + left=%any + leftid=dave@strongswan.org + leftsourceip=PH_IP1_DAVE + auto=add diff --git a/testing/tests/mode-config-swapped/posttest.dat b/testing/tests/mode-config-swapped/posttest.dat new file mode 100644 index 000000000..932b319a7 --- /dev/null +++ b/testing/tests/mode-config-swapped/posttest.dat @@ -0,0 +1,11 @@ +moon::iptables -v -n -L +carol::iptables -v -n -L +dave::iptables -v -n -L +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +dave::/etc/init.d/iptables stop 2> /dev/null +carol::ip addr del PH_IP1_CAROL/32 dev eth0 +dave::ip addr del PH_IP1_DAVE/32 dev eth0 diff --git a/testing/tests/mode-config-swapped/pretest.dat b/testing/tests/mode-config-swapped/pretest.dat new file mode 100644 index 000000000..1e45f00fd --- /dev/null +++ b/testing/tests/mode-config-swapped/pretest.dat @@ -0,0 +1,9 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +dave::/etc/init.d/iptables start 2> /dev/null +carol::ipsec start +dave::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home +dave::ipsec up home diff --git a/testing/tests/mode-config-swapped/test.conf b/testing/tests/mode-config-swapped/test.conf new file mode 100644 index 000000000..1a8f2a4e0 --- /dev/null +++ b/testing/tests/mode-config-swapped/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon alice" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/mode-config/description.txt b/testing/tests/mode-config/description.txt new file mode 100644 index 000000000..3e67f83f1 --- /dev/null +++ b/testing/tests/mode-config/description.txt @@ -0,0 +1,7 @@ +The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>. +Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKE Mode Config protocol +by using the <b>leftsourceip=%modeconfig</b> parameter. <b>leftfirewall=yes</b> automatically +inserts iptables-based firewall rules that let pass the tunneled traffic. In order to test the +tunnels, <b>carol</b> and <b>dave</b> then ping the client <b>alice</b> behind the gateway +<b>moon</b>. The source IP addresses of the two pings will be the virtual IPs <b>carol1</b> +and <b>dave1</b>, respectively. diff --git a/testing/tests/mode-config/evaltest.dat b/testing/tests/mode-config/evaltest.dat new file mode 100644 index 000000000..be8ca6ef5 --- /dev/null +++ b/testing/tests/mode-config/evaltest.dat @@ -0,0 +1,16 @@ +carol::cat /var/log/auth.log::setting virtual IP source address to 10.3.0.1::YES +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +dave::cat /var/log/auth.log::setting virtual IP source address to 10.3.0.2::YES +dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon::ipsec status::rw-carol.*STATE_QUICK_R2.*IPsec SA established::YES +moon::ipsec status::rw-dave.*STATE_QUICK_R2.*IPsec SA established::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES +alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: icmp::YES +alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: icmp::YES +alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: icmp::YES +alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: icmp::YES diff --git a/testing/tests/mode-config/hosts/carol/etc/ipsec.conf b/testing/tests/mode-config/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..598997b45 --- /dev/null +++ b/testing/tests/mode-config/hosts/carol/etc/ipsec.conf @@ -0,0 +1,30 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn home + left=PH_IP_CAROL + leftsourceip=%modeconfig + leftnexthop=%direct + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add + + + + diff --git a/testing/tests/mode-config/hosts/dave/etc/ipsec.conf b/testing/tests/mode-config/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..da601389c --- /dev/null +++ b/testing/tests/mode-config/hosts/dave/etc/ipsec.conf @@ -0,0 +1,30 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn home + left=PH_IP_DAVE + leftsourceip=%modeconfig + leftnexthop=%direct + leftcert=daveCert.pem + leftid=dave@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add + + + + diff --git a/testing/tests/mode-config/hosts/moon/etc/ipsec.conf b/testing/tests/mode-config/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..49333e217 --- /dev/null +++ b/testing/tests/mode-config/hosts/moon/etc/ipsec.conf @@ -0,0 +1,33 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_MOON + leftsubnet=10.1.0.0/16 + leftsourceip=PH_IP1_MOON + leftnexthop=%direct + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftfirewall=yes + +conn rw-carol + right=%any + rightid=carol@strongswan.org + rightsourceip=PH_IP1_CAROL + auto=add + +conn rw-dave + right=%any + rightid=dave@strongswan.org + rightsourceip=PH_IP1_DAVE + auto=add diff --git a/testing/tests/mode-config/posttest.dat b/testing/tests/mode-config/posttest.dat new file mode 100644 index 000000000..932b319a7 --- /dev/null +++ b/testing/tests/mode-config/posttest.dat @@ -0,0 +1,11 @@ +moon::iptables -v -n -L +carol::iptables -v -n -L +dave::iptables -v -n -L +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +dave::/etc/init.d/iptables stop 2> /dev/null +carol::ip addr del PH_IP1_CAROL/32 dev eth0 +dave::ip addr del PH_IP1_DAVE/32 dev eth0 diff --git a/testing/tests/mode-config/pretest.dat b/testing/tests/mode-config/pretest.dat new file mode 100644 index 000000000..1e45f00fd --- /dev/null +++ b/testing/tests/mode-config/pretest.dat @@ -0,0 +1,9 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +dave::/etc/init.d/iptables start 2> /dev/null +carol::ipsec start +dave::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home +dave::ipsec up home diff --git a/testing/tests/mode-config/test.conf b/testing/tests/mode-config/test.conf new file mode 100644 index 000000000..1a8f2a4e0 --- /dev/null +++ b/testing/tests/mode-config/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon alice" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/multi-level-ca-ldap/description.txt b/testing/tests/multi-level-ca-ldap/description.txt new file mode 100644 index 000000000..18fb88840 --- /dev/null +++ b/testing/tests/multi-level-ca-ldap/description.txt @@ -0,0 +1,11 @@ +The VPN gateway <b>moon</b> controls the access to the hosts <b>alice</b> and +<b>venus</b> by means of two different Intermediate CAs. Access to +<b>alice</b> is granted to users presenting a certificate issued by the Research CA +whereas <b>venus</b> can only be reached with a certificate issued by the +Sales CA. The roadwarriors <b>carol</b> and <b>dave</b> have certificates from +the Research CA and Sales CA, respectively. Therefore <b>carol</b> can access +<b>alice</b> and <b>dave</b> can reach <b>venus</b>. +<p> +By setting <b>strictcrlpolicy=yes</b> the CRLs from the strongSwan, Research and +Sales CAs must be fetched from the LDAP server <b>winnetou</b> first, before the +connection setups can be successfully completed. diff --git a/testing/tests/multi-level-ca-ldap/evaltest.dat b/testing/tests/multi-level-ca-ldap/evaltest.dat new file mode 100644 index 000000000..f504706e2 --- /dev/null +++ b/testing/tests/multi-level-ca-ldap/evaltest.dat @@ -0,0 +1,13 @@ +moon::cat /var/log/auth.log::PH_IP_CAROL.*X.509 certificate rejected::YES +carol::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES +moon::cat /var/log/auth.log::PH_IP_DAVE.*X.509 certificate rejected::YES +dave::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES +moon::cat /var/log/auth.log::Trying LDAP URL::YES +carol::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::alice.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::YES +carol::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::NO +moon::ipsec status::venus.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::NO +dave::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::venus.*PH_IP_DAVE.*STATE_QUICK_R2.*IPsec SA established::YES +dave::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::NO +moon::ipsec status::alice.*PH_IP_DAVE.*STATE_QUICK_R2.*IPsec SA established::NO diff --git a/testing/tests/multi-level-ca-ldap/hosts/carol/etc/ipsec.conf b/testing/tests/multi-level-ca-ldap/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..222c3cf67 --- /dev/null +++ b/testing/tests/multi-level-ca-ldap/hosts/carol/etc/ipsec.conf @@ -0,0 +1,32 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +ca strongswan + cacert=strongswanCert.pem + crluri="ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=Linux strongSwan, c=CH?certificateRevocationList" + auto=add + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolCert.pem + right=PH_IP_MOON + rightid=@moon.strongswan.org + +conn alice + rightsubnet=PH_IP_ALICE/32 + auto=add + +conn venus + rightsubnet=PH_IP_VENUS/32 + auto=add diff --git a/testing/tests/multi-level-ca-ldap/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/multi-level-ca-ldap/hosts/carol/etc/ipsec.d/certs/carolCert.pem new file mode 100644 index 000000000..2990d6a12 --- /dev/null +++ b/testing/tests/multi-level-ca-ldap/hosts/carol/etc/ipsec.d/certs/carolCert.pem @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIELDCCAxSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS +BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTA1MDMyMzA3MDQyM1oXDTEwMDMyMjA3MDQy +M1owWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP +BgNVBAsTCFJlc2VhcmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCC +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM+oTiV7lCh1ID41edDUgUjR +dZwEMPBAM1xDqoxJxIJpug8UIuuUL0TvQnZ4Z5fa/9QNNCkQ7FDh8ZcR+TT8x0mO +dYYA73mMQic0n4O57F+s/lESKvIoN+vIDR3rGJBv9rYztS4ODE+DJl9XK9TtId5u +57jfXu/k3IYl5GeQ3f+ic2l2Ola70t70Op6cFDZIhOCjs2xWw2yqGdPWODaN/Enw +5fOLv/om+7HHB4KgPGv4p4ohWIUCo2XK597Ii+jB2MdOUlG83/1aX7+M+IeYVwjI +hzWjwRQfMz0AQha0HYN4cvrZ7stUluMxewsCROCBzcGQYTZxYU4FjR8nhH4ApYMC +AwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSL +qNn96rsWg0kOJY/cyXD2JpnPIjBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p +891UIKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3 +YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBDDAfBgNVHREEGDAWgRRj +YXJvbEBzdHJvbmdzd2FuLm9yZzA3BgNVHR8EMDAuMCygKqAohiZodHRwOi8vY3Js +LnN0cm9uZ3N3YW4ub3JnL3Jlc2VhcmNoLmNybDANBgkqhkiG9w0BAQUFAAOCAQEA +FNPepmta0ac9TWe7Gl31fKkuf6ZiQftMwx/uq6PoX9PBVGeooktJMo+EiROQhL3N +Zomtl2nLfxYruXPHa7YaMWyv4+3NkV9p7jseC1K/2lCXipY4Vp8u14hqlRLCTejp +7uC/0+628e+qXlCm8wafDb9/JXzQar7rADhoLp7gJKI2PKMAzLUP2xZVzY5zx57G ++OCR/ZXonVeAPy9/0g9N8uQzJEXOVZYMjsoRra9rdlvnY1DgDoAK7QvJMC4VzENm +wKmz2rPrBlKaEcivubg7dwPMGNmb3f7F7w0HHuRbQd5Y0nDfEWBKCp0bVx1GLc7/ +MWjwPJs52qVJ3Ph++EF6bw== +-----END CERTIFICATE----- diff --git a/testing/tests/multi-level-ca-ldap/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/multi-level-ca-ldap/hosts/carol/etc/ipsec.d/private/carolKey.pem new file mode 100644 index 000000000..b91f9bf81 --- /dev/null +++ b/testing/tests/multi-level-ca-ldap/hosts/carol/etc/ipsec.d/private/carolKey.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEogIBAAKCAQEAz6hOJXuUKHUgPjV50NSBSNF1nAQw8EAzXEOqjEnEgmm6DxQi +65QvRO9Cdnhnl9r/1A00KRDsUOHxlxH5NPzHSY51hgDveYxCJzSfg7nsX6z+URIq +8ig368gNHesYkG/2tjO1Lg4MT4MmX1cr1O0h3m7nuN9e7+TchiXkZ5Dd/6JzaXY6 +VrvS3vQ6npwUNkiE4KOzbFbDbKoZ09Y4No38SfDl84u/+ib7sccHgqA8a/iniiFY +hQKjZcrn3siL6MHYx05SUbzf/Vpfv4z4h5hXCMiHNaPBFB8zPQBCFrQdg3hy+tnu +y1SW4zF7CwJE4IHNwZBhNnFhTgWNHyeEfgClgwIDAQABAoIBAHXoftbRoIKIXtJz +0sM8plwOctUvnAoOqhsNYN1fVXEnTzoYmOtirKRbpkVWgJu9Ad4J0UAwF76lTGQX +FIV9sjqV5S09grxlY3qXaquE+i4pMA4gXro5E+eRI8GFJ+F7cX5rRcjsuRi8wyEH +gh/YtY5zMqfKTUGxlXWmNlaH70WilianuMPNXwaKgyBGcfZdheyUggM0rYEJrG1Z +PZqNo0JKfeI4htpENDp0k1xJ9lCjIqdNw0ZjBi+pL6hF5PYaPjlVC2yn5CzRaT1D +nUeKUK+SVES4sPrEQtaOlk86uZC4pIz5IlEoSvaw/Yo3Gk1sQKIQMMh1crhHd0El +U831KwECgYEA7fQY+aFk3fHabwgf9gjuPKgwetVQ8jNDWUiSqffHUC0AQfKZQQsF +mXJeSRZomPCWG3DRz1EcqXr9f82bN295I0CI6foXZgKUmjed7Bohc0HvUqNOi2qm +MdbdWBOaH4RBzi1fAENJZnprmq65jQ/tkfCwqIz4KaLt+8xiWmU2h6ECgYEA32gB +UbCzs1LoJC03uGHqZFRWK/YNKOKBUw58XCnzPTA+34UupI88lPj8LD269tDtruRy +G7wt4HjayPKtK430nKAl01IXq6ULBTByu3KrCOm/gTAycVMj4ZimTn7Qu9jyv4Lz +Ka3rBQxB+yQWfn27dc7U+EBsA7PT53NR6Zl8CqMCgYALJYod93+AHho7ZUgKAHUY +hlBvEJsQHXKkNhAYwjCmAtWmQTUIpPmILKFaDyCrOWnusyRA7+3FyqshV4JT4Hbu +PdGsFDkQYEKRztUpADhc69PILTo6sa5DW2tW+uQXYdyrSdjPbFd943Iy9sheYUah +tYKxApmFacp4JyTcUy1wwQKBgA44xLy6jvX/dR+4cS+frBgu9j1eMIBFyw3Kgkgr +s3xVserww4NeSvEA2KzIUTqdGkRj7o+tbw43I1ZffH6lTskZuM63DyKyIv11lBgy +uIicuMA0nUFxlXsrCIs+r3MF4I4oe+pPVALCQQEHzxbGUkSxogUbtMSXkgnN4Y0J +ZEgZAoGAfo0nv/IeKi0KkKiPTQSGVWGAQyCpGE0UQ2RYYToT84kjXs+LrVGFH2lu +LJvyYnSnM7eKqCFKh+kLQ3bezum56y5XTyAEipTmu7Lhp0CiVjSdnu+0QykmhKsx +Z17Ut2ryGKOXySnlMNual4eCLq98o0iOcYPq08V6x33dhK7Z3kU= +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/multi-level-ca-ldap/hosts/dave/etc/ipsec.conf b/testing/tests/multi-level-ca-ldap/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..bfa0ebba3 --- /dev/null +++ b/testing/tests/multi-level-ca-ldap/hosts/dave/etc/ipsec.conf @@ -0,0 +1,32 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +ca strongswan + cacert=strongswanCert.pem + crluri="ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=Linux strongSwan, c=CH?certificateRevocationList" + auto=add + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_DAVE + leftnexthop=%direct + leftcert=daveCert.pem + right=PH_IP_MOON + rightid=@moon.strongswan.org + +conn alice + rightsubnet=PH_IP_ALICE/32 + auto=add + +conn venus + rightsubnet=PH_IP_VENUS/32 + auto=add diff --git a/testing/tests/multi-level-ca-ldap/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/multi-level-ca-ldap/hosts/dave/etc/ipsec.d/certs/daveCert.pem new file mode 100644 index 000000000..b76032480 --- /dev/null +++ b/testing/tests/multi-level-ca-ldap/hosts/dave/etc/ipsec.d/certs/daveCert.pem @@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIIEHDCCAwSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBLMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEOMAwGA1UECxMFU2FsZXMxETAPBgNV +BAMTCFNhbGVzIENBMB4XDTA1MDMyMzA3MTAxN1oXDTEwMDMyMjA3MTAxN1owVjEL +MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsT +BVNhbGVzMRwwGgYDVQQDFBNkYXZlQHN0cm9uZ3N3YW4ub3JnMIIBIjANBgkqhkiG +9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyqAR0itGIuSt/RR8IHjFTLH/lywprmHUw0GS +zZwo/q4AE4v6OeWRG3JUUg44K40yBwr7zvcsLztRTfbNqlt7o+Hjpo3kz0AMwDo+ +1V42Qkh61VJW1P0NQvkgjiQn+ElSMg1u3uiYCIMAhYMYo2ZMKxHXxRqjU79AVuJN +P3p8wUpfwReImAy3/n685YbSzWcbPqCfjRH/YrnYS8Ga7m/QzdNfrtxhAWAGow1+ ++eTSMvLXSkQeujU6OCJNOPUNB3nnJ1IoZrQm8wNP8Y5B5HzvOSyFEvNuHFc63gSP +aSRhuz0gubuMpr1d9Rgjny8JgsfCEbOktlKwnbFeSB8AAgVMjwIDAQABo4H/MIH8 +MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSCy57rUdNRbytUkRGY +GjmjvXfIszBtBgNVHSMEZjBkgBRfmxNG+SByyADViLWnTC6X6guTKKFJpEcwRTEL +MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT +EnN0cm9uZ1N3YW4gUm9vdCBDQYIBDTAeBgNVHREEFzAVgRNkYXZlQHN0cm9uZ3N3 +YW4ub3JnMDQGA1UdHwQtMCswKaAnoCWGI2h0dHA6Ly9jcmwuc3Ryb25nc3dhbi5v +cmcvc2FsZXMuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQB+BknSxFKaDhbRVobOAU2P +p9cirkVCitoZrvK2QIS/7WRoqy85RQ+zorJb3jyTxQl4Pu9Qrap9Zn0H8GQXGlQw +ZJqdDqRaIa4nCc57qP5DsuQKIQRxc1QMCiWyIRAESn+r8IbxLbjvEd7ZXNsieip6 +Q15uUZldjTveHVi89i9oFWS1nWo4SV+tJaEqPBvsTZZKBPAEu6+7lRzbJ4ukzRsA +DjuvmaPNUTyf21fD66I4sgrwgxoPhZ7r6qsqISJ5f0EzTXgYNi1yk/TXoAaot3c/ +Gu5+iyO/espV6kPADSOzPSFwsGHYG4kXi1VY0Z7x6UnjQSdEelOBplJ5XYDzEn4+ +-----END CERTIFICATE----- diff --git a/testing/tests/multi-level-ca-ldap/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/multi-level-ca-ldap/hosts/dave/etc/ipsec.d/private/daveKey.pem new file mode 100644 index 000000000..022436de4 --- /dev/null +++ b/testing/tests/multi-level-ca-ldap/hosts/dave/etc/ipsec.d/private/daveKey.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAyqAR0itGIuSt/RR8IHjFTLH/lywprmHUw0GSzZwo/q4AE4v6 +OeWRG3JUUg44K40yBwr7zvcsLztRTfbNqlt7o+Hjpo3kz0AMwDo+1V42Qkh61VJW +1P0NQvkgjiQn+ElSMg1u3uiYCIMAhYMYo2ZMKxHXxRqjU79AVuJNP3p8wUpfwReI +mAy3/n685YbSzWcbPqCfjRH/YrnYS8Ga7m/QzdNfrtxhAWAGow1++eTSMvLXSkQe +ujU6OCJNOPUNB3nnJ1IoZrQm8wNP8Y5B5HzvOSyFEvNuHFc63gSPaSRhuz0gubuM +pr1d9Rgjny8JgsfCEbOktlKwnbFeSB8AAgVMjwIDAQABAoIBAHKaRFoVpa6Ynpu0 +mVwYUqdFSaVsEgsSRC9HiEuIllsteNeVZSqX4BGhAXYDmttvGauIF9IAVNpF939c +JwjCg1S2r3aFbLOXq16R0vYFOjUVH3xF/NysX3LQywv6AS1Z8wZiOKIU9eBij8nz +0tygQFZf2iUeIuB8HFzH1B8iHSuI7qn6hh1Y9Zgx4kWYL9I+WYefbR906xveHVGq +8VrgHtBAn1WeWg7FoN1VURW0s1bxkiWtpF9x9OMmwK4qR8HSCilss59V1eJrAAR0 +3FGdWwbbGg9hW0adnyDCtoaYW3r0WcXwqklyas4C+dClOpUInn8kZisoghQYT92u +U2QeDzECgYEA5Rv7+rP9HX1pNd9NQwOyIHztv4jfx60gybioogtCeRZUwPQ3GtXJ +Q0ouBxCVLdyCImIKcvd2q2b9HZE8tvOHBA/YxofH4miEN5GWA4aL+LcGrxIbxPWs +MEkxgQwsyK7lWH47fG7eW86LMx0VikFXS1EeeZZS3f3Avaww1uRtXecCgYEA4mhS +sAClZamGVWQ7VXCHuS4xHn/gPA4TCyoR5l9g9pwregGKxsROQVIFQCDMd9eTtS6B +oqoUTHdg0TlujHVUojdwHtgDaqDMTk+RXD9qy2Wob9HQVBlIwgijoLb+OjwdoAj7 +1OQx8FmMjAlMmlyJ50e1FnbNJFEJ1EMgV5QxtxkCgYEArdUeyehYy1BFTJ/CIm+i +bm37gdDbYchlUUivgkuiwvcDlWd2jADbdRfKdofJeIOPpYDXxsUmIATDVfTFqVZ7 +AcT4SCHrskh00SjANqqWdz5/bsQBl96DKBvQ2MYhEJ9K2mrkvZPtWKENEtolZsIO +9tF0mvJIq7CF1iPY5qNoq88CgYEAoZhELErJwl3U+22my7ydopZNiK9MpJCHFxjX +3c2Fr36XqWUgX+4MzKJ2DOdcCM1dJ5wh+q/Z/RnXiH2tYaL83SskY19aUOij6eDw +px68YqAUMHtYbi39uD/iSftSSM5PdsHyvGiDHEFOB0U735Dc/K45mecBVEJi+ZVP +qDKlqUECgYA1DcGOWM3P3XdB7zKy47LcankMtFZozEOLTUdGJRlmWrLdcRlZPKjt +/ALripehesp1++VtmttWQJX7uI3gveD07/tSKeMHmIoKappjRTrcaA7Pa5+z/xS/ +UhRmZUFOJwNLzy3jdv5f2c/5SIz6o4Ae3I+Zb+IapHL+lBv146/I5g== +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/multi-level-ca-ldap/hosts/moon/etc/init.d/iptables b/testing/tests/multi-level-ca-ldap/hosts/moon/etc/init.d/iptables new file mode 100755 index 000000000..8de514a2e --- /dev/null +++ b/testing/tests/multi-level-ca-ldap/hosts/moon/etc/init.d/iptables @@ -0,0 +1,76 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +opts="start stop reload" + +depend() { + before net + need logger +} + +start() { + ebegin "Starting firewall" + + # enable IP forwarding + echo 1 > /proc/sys/net/ipv4/ip_forward + + # default policy is DROP + /sbin/iptables -P INPUT DROP + /sbin/iptables -P OUTPUT DROP + /sbin/iptables -P FORWARD DROP + + # allow esp + iptables -A INPUT -i eth0 -p 50 -j ACCEPT + iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT + + # allow IKE + iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT + iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + + # allow ldap crl fetch from winnetou + iptables -A INPUT -i eth0 -p tcp --sport 389 -s PH_IP_WINNETOU -j ACCEPT + iptables -A OUTPUT -o eth0 -p tcp --dport 389 -d PH_IP_WINNETOU -j ACCEPT + + # allow ssh + iptables -A INPUT -p tcp --dport 22 -j ACCEPT + iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT + + eend $? +} + +stop() { + ebegin "Stopping firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + + if [ $a == nat ]; then + /sbin/iptables -t nat -P PREROUTING ACCEPT + /sbin/iptables -t nat -P POSTROUTING ACCEPT + /sbin/iptables -t nat -P OUTPUT ACCEPT + elif [ $a == mangle ]; then + /sbin/iptables -t mangle -P PREROUTING ACCEPT + /sbin/iptables -t mangle -P INPUT ACCEPT + /sbin/iptables -t mangle -P FORWARD ACCEPT + /sbin/iptables -t mangle -P OUTPUT ACCEPT + /sbin/iptables -t mangle -P POSTROUTING ACCEPT + elif [ $a == filter ]; then + /sbin/iptables -t filter -P INPUT ACCEPT + /sbin/iptables -t filter -P FORWARD ACCEPT + /sbin/iptables -t filter -P OUTPUT ACCEPT + fi + done + eend $? +} + +reload() { + ebegin "Flushing firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + done; + eend $? + start +} + diff --git a/testing/tests/multi-level-ca-ldap/hosts/moon/etc/ipsec.conf b/testing/tests/multi-level-ca-ldap/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..e2b60589b --- /dev/null +++ b/testing/tests/multi-level-ca-ldap/hosts/moon/etc/ipsec.conf @@ -0,0 +1,47 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=yes + +ca strongswan + cacert=strongswanCert.pem + crluri="ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=Linux strongSwan, c=CH?certificateRevocationList" + auto=add + +ca research + cacert=researchCert.pem + crluri="ldap://ldap.strongswan.org/cn=Research CA, ou=Research, o=Linux strongSwan, c=CH?certificateRevocationList" + auto=add + +ca sales + cacert=salesCert.pem + crluri="ldap://ldap.strongswan.org/cn=Sales CA, ou=Sales, o=Linux strongSwan, c=CH?certificateRevocationList" + auto=add + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_MOON + leftnexthop=%direct + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftfirewall=yes + +conn alice + leftsubnet=PH_IP_ALICE/32 + right=%any + rightca="C=CH, O=Linux strongSwan, OU=Research, CN=Research CA" + auto=add + +conn venus + leftsubnet=PH_IP_VENUS/32 + right=%any + rightca="C=CH, O=Linux strongSwan, OU=Sales, CN=Sales CA" + auto=add + diff --git a/testing/tests/multi-level-ca-ldap/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem b/testing/tests/multi-level-ca-ldap/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem new file mode 100644 index 000000000..154cff654 --- /dev/null +++ b/testing/tests/multi-level-ca-ldap/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem @@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIIDwTCCAqmgAwIBAgIBDzANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA1MDYyMTE5NTgwNloXDTEwMDYyMDE5NTgwNlowUTELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh +cmNoMRQwEgYDVQQDEwtSZXNlYXJjaCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBALY5sjqm4AdbWKc/T7JahWpy9xtdPbHngBN6lbnpYaHfrxnGsvmD +FCFZHCd7egRqQ/AuJHHcEv3DUdfJWWAypVnUvdlcp58hBjpxfTPXP9IDBxzQaQyU +zsExIGWOVUY2e7xJ5BKBnXVkok3htY4Hr1GdqNh+3LEmbegJBngTRSRx4PKJ54FO +/b78LUzB+rMxrzxw/lnI8jEmAtKlugQ7c9auMeFCz+NmlSfnSoWhHN5qm+0iNKy0 +C+25IuE8Nq+i3jtBiI8BwBqHY3u2IuflUh9Nc9d/R6vGsRPMHs30X1Ha/m0Ug494 ++wwqwfEBZRjzxMmMF/1SG4I1E3TDOJ3srjkCAwEAAaOBrzCBrDAPBgNVHRMBAf8E +BTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU53XwoPKtIM3NYCPMx8gPKfPd +VCAwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNV +BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJv +bmdTd2FuIFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQEEBQADggEBAHArS2trQnBoMVcg +Br3HV78wYsa1MNAQCBAPhKMMd6EziO4FTwgNgecbKXpObX6ErFDgjtVTcLOMTvNX +fvZoNuPpdcitlgcWjfxZafNbj6j9ClE/rMbGDO64NLhdXuPVkbmic6yXRwGZpTuq +3CKgTguLvhzIEM47yfonXKaaJcKVPI7nYRZdlJmD4VflYrSUpzB361dCaPpl0AYa +0zz1+jfBBvlyic/tf+cCngV3f+GlJ4ntZ3gvRjyysHRmYpWBD7xcA8mJzgUiMyi1 +IKeNzydp+tnLfxwetfA/8ptc346me7RktAaASqO9vpS/N78eXyJRthZTKEf/OqVW +Tfcyi+M= +-----END CERTIFICATE----- diff --git a/testing/tests/multi-level-ca-ldap/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem b/testing/tests/multi-level-ca-ldap/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem new file mode 100644 index 000000000..e50477872 --- /dev/null +++ b/testing/tests/multi-level-ca-ldap/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDuzCCAqOgAwIBAgIBDTANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA1MDMyMzA2MjkxNloXDTE0MDMyMTA2MjkxNlowSzELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsTBVNhbGVz +MREwDwYDVQQDEwhTYWxlcyBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC +ggEBAMJOTSaZjDe5UR+hJbodcE40WBxWm+r0FiD+FLc2c0hH/QcWm1Xfqnc9qaPP +GoxO2BfwXgFEHfOdQzHGuthhsvdMPkmWP1Z3uDrwscqrmLyq4JI87exSen1ggmCV +Eib55T4fNxrTIGJaoe6Jn9v9ZwG2B+Ur3nFA/wdckSdqJxc6XL9DKcRk3TxZtv9S +uDftE9G787O6PJSyfyUYhldz1EZe5PTsUoAbBJ0DDXJx3562kDtfQdwezat0LAyO +sVabYq/0G/fBZwLLer4qGF2+3CsvP7jNXnhRYeSv2+4i2mAjgbBRI1A3iqoU3Nq1 +vPAqzrekOI/RV9Hre9L1r8X1dIECAwEAAaOBrzCBrDAPBgNVHRMBAf8EBTADAQH/ +MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUX5sTRvkgcsgA1Yi1p0wul+oLkygwbQYD +VR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNI +MRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2Fu +IFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQEFBQADggEBAJ7j3X20Q8ICJ2e+iUCpVUIV +8RudUeHt9qjSXalohuxxhegL5vu7I9Gx0H56RE4glOjLMCb1xqVZ55Odxx14pHaZ +9iMnQFpgzi96exYAmBKYCHl4IFix2hrTqTWSJhEO+o+PXnQTgcfG43GQepk0qAQr +iZZy8OWiUhHSJQLJtTMm4rnYjgPn+sLwx7hCPDZpHTZocETDars7wTiVkodCbeEU +uKahAbq4b6MvvC3+7quvwoEpAEStT7+Yml+QuK/jKmhjX0hcQcw4ZWi+m32RjUAv +xDJGEvBqV2hyrzRqwh4lVNJEBba5X+QB3N6a0So6BENaJrUM3v8EDaS2KLUWyu0= +-----END CERTIFICATE----- diff --git a/testing/tests/multi-level-ca-ldap/posttest.dat b/testing/tests/multi-level-ca-ldap/posttest.dat new file mode 100644 index 000000000..e618fc419 --- /dev/null +++ b/testing/tests/multi-level-ca-ldap/posttest.dat @@ -0,0 +1,8 @@ +moon::iptables -v -n -L +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::rm /etc/ipsec.d/cacerts/* +winnetou::/etc/init.d/slapd stop +moon::/etc/init.d/iptables stop 2> /dev/null + diff --git a/testing/tests/multi-level-ca-ldap/pretest.dat b/testing/tests/multi-level-ca-ldap/pretest.dat new file mode 100644 index 000000000..322f42102 --- /dev/null +++ b/testing/tests/multi-level-ca-ldap/pretest.dat @@ -0,0 +1,10 @@ +winnetou::/etc/init.d/slapd start +moon::/etc/init.d/iptables start 2> /dev/null +carol::ipsec start +dave::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up alice +carol::ipsec up venus +dave::ipsec up venus +dave::ipsec up alice diff --git a/testing/tests/multi-level-ca-ldap/test.conf b/testing/tests/multi-level-ca-ldap/test.conf new file mode 100644 index 000000000..08e5cc145 --- /dev/null +++ b/testing/tests/multi-level-ca-ldap/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice venus moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-v-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/multi-level-ca-loop/description.txt b/testing/tests/multi-level-ca-loop/description.txt new file mode 100644 index 000000000..9b63c2c66 --- /dev/null +++ b/testing/tests/multi-level-ca-loop/description.txt @@ -0,0 +1,6 @@ +The roadwarrior <b>carol</b>, possessing a certificate issued by the +Research CA, tries to set up a tunnel to gateway <b>moon</b>. +The Research CA's certificate is signed by the Sales CA and +the Sales CA's certificate in turn is signed by the Research CA. +This leads to an endless trust path loop but which is aborted by +<b>moon</b> when the path level reaches a depth of 7 iterations. diff --git a/testing/tests/multi-level-ca-loop/evaltest.dat b/testing/tests/multi-level-ca-loop/evaltest.dat new file mode 100644 index 000000000..781a7b4ac --- /dev/null +++ b/testing/tests/multi-level-ca-loop/evaltest.dat @@ -0,0 +1,3 @@ +moon::cat /var/log/auth.log::maximum ca path length of 7 levels exceeded::YES +carol::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::NO +moon::ipsec status::alice.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::NO diff --git a/testing/tests/multi-level-ca-loop/hosts/carol/etc/ipsec.conf b/testing/tests/multi-level-ca-loop/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..c56678b59 --- /dev/null +++ b/testing/tests/multi-level-ca-loop/hosts/carol/etc/ipsec.conf @@ -0,0 +1,28 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolCert.pem + right=PH_IP_MOON + rightid=@moon.strongswan.org + +conn alice + rightsubnet=PH_IP_ALICE/32 + auto=add + + + + + diff --git a/testing/tests/multi-level-ca-loop/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/multi-level-ca-loop/hosts/carol/etc/ipsec.d/certs/carolCert.pem new file mode 100644 index 000000000..2990d6a12 --- /dev/null +++ b/testing/tests/multi-level-ca-loop/hosts/carol/etc/ipsec.d/certs/carolCert.pem @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIELDCCAxSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS +BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTA1MDMyMzA3MDQyM1oXDTEwMDMyMjA3MDQy +M1owWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP +BgNVBAsTCFJlc2VhcmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCC +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM+oTiV7lCh1ID41edDUgUjR +dZwEMPBAM1xDqoxJxIJpug8UIuuUL0TvQnZ4Z5fa/9QNNCkQ7FDh8ZcR+TT8x0mO +dYYA73mMQic0n4O57F+s/lESKvIoN+vIDR3rGJBv9rYztS4ODE+DJl9XK9TtId5u +57jfXu/k3IYl5GeQ3f+ic2l2Ola70t70Op6cFDZIhOCjs2xWw2yqGdPWODaN/Enw +5fOLv/om+7HHB4KgPGv4p4ohWIUCo2XK597Ii+jB2MdOUlG83/1aX7+M+IeYVwjI +hzWjwRQfMz0AQha0HYN4cvrZ7stUluMxewsCROCBzcGQYTZxYU4FjR8nhH4ApYMC +AwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSL +qNn96rsWg0kOJY/cyXD2JpnPIjBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p +891UIKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3 +YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBDDAfBgNVHREEGDAWgRRj +YXJvbEBzdHJvbmdzd2FuLm9yZzA3BgNVHR8EMDAuMCygKqAohiZodHRwOi8vY3Js +LnN0cm9uZ3N3YW4ub3JnL3Jlc2VhcmNoLmNybDANBgkqhkiG9w0BAQUFAAOCAQEA +FNPepmta0ac9TWe7Gl31fKkuf6ZiQftMwx/uq6PoX9PBVGeooktJMo+EiROQhL3N +Zomtl2nLfxYruXPHa7YaMWyv4+3NkV9p7jseC1K/2lCXipY4Vp8u14hqlRLCTejp +7uC/0+628e+qXlCm8wafDb9/JXzQar7rADhoLp7gJKI2PKMAzLUP2xZVzY5zx57G ++OCR/ZXonVeAPy9/0g9N8uQzJEXOVZYMjsoRra9rdlvnY1DgDoAK7QvJMC4VzENm +wKmz2rPrBlKaEcivubg7dwPMGNmb3f7F7w0HHuRbQd5Y0nDfEWBKCp0bVx1GLc7/ +MWjwPJs52qVJ3Ph++EF6bw== +-----END CERTIFICATE----- diff --git a/testing/tests/multi-level-ca-loop/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/multi-level-ca-loop/hosts/carol/etc/ipsec.d/private/carolKey.pem new file mode 100644 index 000000000..b91f9bf81 --- /dev/null +++ b/testing/tests/multi-level-ca-loop/hosts/carol/etc/ipsec.d/private/carolKey.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEogIBAAKCAQEAz6hOJXuUKHUgPjV50NSBSNF1nAQw8EAzXEOqjEnEgmm6DxQi +65QvRO9Cdnhnl9r/1A00KRDsUOHxlxH5NPzHSY51hgDveYxCJzSfg7nsX6z+URIq +8ig368gNHesYkG/2tjO1Lg4MT4MmX1cr1O0h3m7nuN9e7+TchiXkZ5Dd/6JzaXY6 +VrvS3vQ6npwUNkiE4KOzbFbDbKoZ09Y4No38SfDl84u/+ib7sccHgqA8a/iniiFY +hQKjZcrn3siL6MHYx05SUbzf/Vpfv4z4h5hXCMiHNaPBFB8zPQBCFrQdg3hy+tnu +y1SW4zF7CwJE4IHNwZBhNnFhTgWNHyeEfgClgwIDAQABAoIBAHXoftbRoIKIXtJz +0sM8plwOctUvnAoOqhsNYN1fVXEnTzoYmOtirKRbpkVWgJu9Ad4J0UAwF76lTGQX +FIV9sjqV5S09grxlY3qXaquE+i4pMA4gXro5E+eRI8GFJ+F7cX5rRcjsuRi8wyEH +gh/YtY5zMqfKTUGxlXWmNlaH70WilianuMPNXwaKgyBGcfZdheyUggM0rYEJrG1Z +PZqNo0JKfeI4htpENDp0k1xJ9lCjIqdNw0ZjBi+pL6hF5PYaPjlVC2yn5CzRaT1D +nUeKUK+SVES4sPrEQtaOlk86uZC4pIz5IlEoSvaw/Yo3Gk1sQKIQMMh1crhHd0El +U831KwECgYEA7fQY+aFk3fHabwgf9gjuPKgwetVQ8jNDWUiSqffHUC0AQfKZQQsF +mXJeSRZomPCWG3DRz1EcqXr9f82bN295I0CI6foXZgKUmjed7Bohc0HvUqNOi2qm +MdbdWBOaH4RBzi1fAENJZnprmq65jQ/tkfCwqIz4KaLt+8xiWmU2h6ECgYEA32gB +UbCzs1LoJC03uGHqZFRWK/YNKOKBUw58XCnzPTA+34UupI88lPj8LD269tDtruRy +G7wt4HjayPKtK430nKAl01IXq6ULBTByu3KrCOm/gTAycVMj4ZimTn7Qu9jyv4Lz +Ka3rBQxB+yQWfn27dc7U+EBsA7PT53NR6Zl8CqMCgYALJYod93+AHho7ZUgKAHUY +hlBvEJsQHXKkNhAYwjCmAtWmQTUIpPmILKFaDyCrOWnusyRA7+3FyqshV4JT4Hbu +PdGsFDkQYEKRztUpADhc69PILTo6sa5DW2tW+uQXYdyrSdjPbFd943Iy9sheYUah +tYKxApmFacp4JyTcUy1wwQKBgA44xLy6jvX/dR+4cS+frBgu9j1eMIBFyw3Kgkgr +s3xVserww4NeSvEA2KzIUTqdGkRj7o+tbw43I1ZffH6lTskZuM63DyKyIv11lBgy +uIicuMA0nUFxlXsrCIs+r3MF4I4oe+pPVALCQQEHzxbGUkSxogUbtMSXkgnN4Y0J +ZEgZAoGAfo0nv/IeKi0KkKiPTQSGVWGAQyCpGE0UQ2RYYToT84kjXs+LrVGFH2lu +LJvyYnSnM7eKqCFKh+kLQ3bezum56y5XTyAEipTmu7Lhp0CiVjSdnu+0QykmhKsx +Z17Ut2ryGKOXySnlMNual4eCLq98o0iOcYPq08V6x33dhK7Z3kU= +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/multi-level-ca-loop/hosts/moon/etc/ipsec.conf b/testing/tests/multi-level-ca-loop/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..343042f15 --- /dev/null +++ b/testing/tests/multi-level-ca-loop/hosts/moon/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=yes + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_MOON + leftnexthop=%direct + leftcert=moonCert.pem + leftid=@moon.strongswan.org + +conn alice + leftsubnet=PH_IP_ALICE/32 + right=%any + rightca="C=CH, O=Linux strongSwan, OU=Research, CN=Research CA" + auto=add diff --git a/testing/tests/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/research_by_salesCert.pem b/testing/tests/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/research_by_salesCert.pem new file mode 100644 index 000000000..efb939e3a --- /dev/null +++ b/testing/tests/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/research_by_salesCert.pem @@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIID/TCCAuWgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBLMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEOMAwGA1UECxMFU2FsZXMxETAPBgNV +BAMTCFNhbGVzIENBMB4XDTA1MDYxNjE5NTUzNloXDTEwMDYxNTE5NTUzNlowUTEL +MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsT +CFJlc2VhcmNoMRQwEgYDVQQDEwtSZXNlYXJjaCBDQTCCASIwDQYJKoZIhvcNAQEB +BQADggEPADCCAQoCggEBALY5sjqm4AdbWKc/T7JahWpy9xtdPbHngBN6lbnpYaHf +rxnGsvmDFCFZHCd7egRqQ/AuJHHcEv3DUdfJWWAypVnUvdlcp58hBjpxfTPXP9ID +BxzQaQyUzsExIGWOVUY2e7xJ5BKBnXVkok3htY4Hr1GdqNh+3LEmbegJBngTRSRx +4PKJ54FO/b78LUzB+rMxrzxw/lnI8jEmAtKlugQ7c9auMeFCz+NmlSfnSoWhHN5q +m+0iNKy0C+25IuE8Nq+i3jtBiI8BwBqHY3u2IuflUh9Nc9d/R6vGsRPMHs30X1Ha +/m0Ug494+wwqwfEBZRjzxMmMF/1SG4I1E3TDOJ3srjkCAwEAAaOB5TCB4jAPBgNV +HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU53XwoPKtIM3NYCPM +x8gPKfPdVCAwbQYDVR0jBGYwZIAUX5sTRvkgcsgA1Yi1p0wul+oLkyihSaRHMEUx +CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQD +ExJzdHJvbmdTd2FuIFJvb3QgQ0GCAQ0wNAYDVR0fBC0wKzApoCegJYYjaHR0cDov +L2NybC5zdHJvbmdzd2FuLm9yZy9zYWxlcy5jcmwwDQYJKoZIhvcNAQEFBQADggEB +AJ2EkXnpgdJpsBIMcH+3oTUks8gAT5bR+LdVQSMHqvjgfaCq5fuZY15niLm5QeFr +Yhv2KtfHfF+tZgE+qWcqS33Y2U/jwUMO45Wqi5HXQDk8AM/gcvQZ8+PINkGdVdup +Wyw3MM08S/fp8UUl/3QrDr+CBGqZCSx3LEIFILm2hvdXK1/okAtkwlKV4YiOEemg +pZURzA2M29FeGDS8snfiVYFBkydT9QrrHnx8IwyVGykfOA4tnjRsjTvcs0qhtLcL +rjK2FSmzBTCVl6/lBOYmB765KUHev6WF4hdMKHf7lsH2nhYb97jxoT54y73jVd1S +uaJ2yDwEhOHn3ihb1bqlanM= +-----END CERTIFICATE----- diff --git a/testing/tests/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/sales_by_researchCert.pem b/testing/tests/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/sales_by_researchCert.pem new file mode 100644 index 000000000..90e207c4b --- /dev/null +++ b/testing/tests/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/sales_by_researchCert.pem @@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIIEADCCAuigAwIBAgIBAjANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS +BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTA1MDYxNjE5NTcxMFoXDTEwMDYxNTE5NTcx +MFowSzELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAM +BgNVBAsTBVNhbGVzMREwDwYDVQQDEwhTYWxlcyBDQTCCASIwDQYJKoZIhvcNAQEB +BQADggEPADCCAQoCggEBAMJOTSaZjDe5UR+hJbodcE40WBxWm+r0FiD+FLc2c0hH +/QcWm1Xfqnc9qaPPGoxO2BfwXgFEHfOdQzHGuthhsvdMPkmWP1Z3uDrwscqrmLyq +4JI87exSen1ggmCVEib55T4fNxrTIGJaoe6Jn9v9ZwG2B+Ur3nFA/wdckSdqJxc6 +XL9DKcRk3TxZtv9SuDftE9G787O6PJSyfyUYhldz1EZe5PTsUoAbBJ0DDXJx3562 +kDtfQdwezat0LAyOsVabYq/0G/fBZwLLer4qGF2+3CsvP7jNXnhRYeSv2+4i2mAj +gbBRI1A3iqoU3Nq1vPAqzrekOI/RV9Hre9L1r8X1dIECAwEAAaOB6DCB5TAPBgNV +HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUX5sTRvkgcsgA1Yi1 +p0wul+oLkygwbQYDVR0jBGYwZIAU53XwoPKtIM3NYCPMx8gPKfPdVCChSaRHMEUx +CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQD +ExJzdHJvbmdTd2FuIFJvb3QgQ0GCAQwwNwYDVR0fBDAwLjAsoCqgKIYmaHR0cDov +L2NybC5zdHJvbmdzd2FuLm9yZy9yZXNlYXJjaC5jcmwwDQYJKoZIhvcNAQEFBQAD +ggEBAJW0/z17JK38rsn8zh0Ta+9Ql5fcA9UIUGcN/KfCvdGwrYaym8Dy6Pz+sZkO +clOv5t+3R1zKDiiLGQ4m8jYW6NcxeJZyyPhGtKaafanXZsQuMpaTpvkRr62jx/NB +b3c/HS3dqz2dTMvFJ6CC65vOnnGgzF1szhrrWymGI/NuHUge748WYPNw+OsLmBQI +koXJsMURGtPWXtJE98Rre+r/6O5kzZNv7V8LGoBkWf1Z6g1q2VvCcnJPxANcQoxf +Is+E+aqBhGJ6XlnQIlQB1SjoMhOnJ282JK9Hk3NmQYb/zvIzIfo3FCrjj1JI/XoA +/szZoxwnE2iHtIoMAhfHZpRvOkg= +-----END CERTIFICATE----- diff --git a/testing/tests/multi-level-ca-loop/posttest.dat b/testing/tests/multi-level-ca-loop/posttest.dat new file mode 100644 index 000000000..076f51f4d --- /dev/null +++ b/testing/tests/multi-level-ca-loop/posttest.dat @@ -0,0 +1,4 @@ +moon::ipsec stop +carol::ipsec stop +moon::rm /etc/ipsec.d/cacerts/* + diff --git a/testing/tests/multi-level-ca-loop/pretest.dat b/testing/tests/multi-level-ca-loop/pretest.dat new file mode 100644 index 000000000..0a0ec22bf --- /dev/null +++ b/testing/tests/multi-level-ca-loop/pretest.dat @@ -0,0 +1,6 @@ +moon::echo 1 > /proc/sys/net/ipv4/ip_forward +moon::rm /etc/ipsec.d/cacerts/strongswanCert.pem +carol::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up alice diff --git a/testing/tests/multi-level-ca-loop/test.conf b/testing/tests/multi-level-ca-loop/test.conf new file mode 100644 index 000000000..3189fdfc7 --- /dev/null +++ b/testing/tests/multi-level-ca-loop/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/multi-level-ca-revoked/description.txt b/testing/tests/multi-level-ca-revoked/description.txt new file mode 100644 index 000000000..c91ac285b --- /dev/null +++ b/testing/tests/multi-level-ca-revoked/description.txt @@ -0,0 +1,4 @@ +The roadwarrior <b>carol</b> possesses a certificate issued by the Research CA. +The certificate of the Research CA has been revoked by the Root CA by entering +the serial number in the CRL. Therefore upon verification of the trust path +the gateway <b>moon</b> will reject the roadwarrior's certificate diff --git a/testing/tests/multi-level-ca-revoked/evaltest.dat b/testing/tests/multi-level-ca-revoked/evaltest.dat new file mode 100644 index 000000000..0fd1cae8c --- /dev/null +++ b/testing/tests/multi-level-ca-revoked/evaltest.dat @@ -0,0 +1,6 @@ +moon::cat /var/log/auth.log::X.509 certificate rejected::YES +moon::cat /var/log/auth.log::certificate was revoked::YES +carol::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES +moon::ipsec listcrls:: ok::YES +moon::ipsec status::rw.*STATE_MAIN_R3.*ISAKMP SA established::NO +carol::ipsec status::home.*STATE_MAIN_I4.*ISAKMP SA established::NO diff --git a/testing/tests/multi-level-ca-revoked/hosts/carol/etc/ipsec.conf b/testing/tests/multi-level-ca-revoked/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..6d0aee86a --- /dev/null +++ b/testing/tests/multi-level-ca-revoked/hosts/carol/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=yes + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolCert.pem + leftid=carol@strongswan.org + +conn home + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/multi-level-ca-revoked/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/multi-level-ca-revoked/hosts/carol/etc/ipsec.d/certs/carolCert.pem new file mode 100644 index 000000000..2990d6a12 --- /dev/null +++ b/testing/tests/multi-level-ca-revoked/hosts/carol/etc/ipsec.d/certs/carolCert.pem @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIELDCCAxSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS +BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTA1MDMyMzA3MDQyM1oXDTEwMDMyMjA3MDQy +M1owWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP +BgNVBAsTCFJlc2VhcmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCC +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM+oTiV7lCh1ID41edDUgUjR +dZwEMPBAM1xDqoxJxIJpug8UIuuUL0TvQnZ4Z5fa/9QNNCkQ7FDh8ZcR+TT8x0mO +dYYA73mMQic0n4O57F+s/lESKvIoN+vIDR3rGJBv9rYztS4ODE+DJl9XK9TtId5u +57jfXu/k3IYl5GeQ3f+ic2l2Ola70t70Op6cFDZIhOCjs2xWw2yqGdPWODaN/Enw +5fOLv/om+7HHB4KgPGv4p4ohWIUCo2XK597Ii+jB2MdOUlG83/1aX7+M+IeYVwjI +hzWjwRQfMz0AQha0HYN4cvrZ7stUluMxewsCROCBzcGQYTZxYU4FjR8nhH4ApYMC +AwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSL +qNn96rsWg0kOJY/cyXD2JpnPIjBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p +891UIKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3 +YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBDDAfBgNVHREEGDAWgRRj +YXJvbEBzdHJvbmdzd2FuLm9yZzA3BgNVHR8EMDAuMCygKqAohiZodHRwOi8vY3Js +LnN0cm9uZ3N3YW4ub3JnL3Jlc2VhcmNoLmNybDANBgkqhkiG9w0BAQUFAAOCAQEA +FNPepmta0ac9TWe7Gl31fKkuf6ZiQftMwx/uq6PoX9PBVGeooktJMo+EiROQhL3N +Zomtl2nLfxYruXPHa7YaMWyv4+3NkV9p7jseC1K/2lCXipY4Vp8u14hqlRLCTejp +7uC/0+628e+qXlCm8wafDb9/JXzQar7rADhoLp7gJKI2PKMAzLUP2xZVzY5zx57G ++OCR/ZXonVeAPy9/0g9N8uQzJEXOVZYMjsoRra9rdlvnY1DgDoAK7QvJMC4VzENm +wKmz2rPrBlKaEcivubg7dwPMGNmb3f7F7w0HHuRbQd5Y0nDfEWBKCp0bVx1GLc7/ +MWjwPJs52qVJ3Ph++EF6bw== +-----END CERTIFICATE----- diff --git a/testing/tests/multi-level-ca-revoked/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/multi-level-ca-revoked/hosts/carol/etc/ipsec.d/private/carolKey.pem new file mode 100644 index 000000000..b91f9bf81 --- /dev/null +++ b/testing/tests/multi-level-ca-revoked/hosts/carol/etc/ipsec.d/private/carolKey.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEogIBAAKCAQEAz6hOJXuUKHUgPjV50NSBSNF1nAQw8EAzXEOqjEnEgmm6DxQi +65QvRO9Cdnhnl9r/1A00KRDsUOHxlxH5NPzHSY51hgDveYxCJzSfg7nsX6z+URIq +8ig368gNHesYkG/2tjO1Lg4MT4MmX1cr1O0h3m7nuN9e7+TchiXkZ5Dd/6JzaXY6 +VrvS3vQ6npwUNkiE4KOzbFbDbKoZ09Y4No38SfDl84u/+ib7sccHgqA8a/iniiFY +hQKjZcrn3siL6MHYx05SUbzf/Vpfv4z4h5hXCMiHNaPBFB8zPQBCFrQdg3hy+tnu +y1SW4zF7CwJE4IHNwZBhNnFhTgWNHyeEfgClgwIDAQABAoIBAHXoftbRoIKIXtJz +0sM8plwOctUvnAoOqhsNYN1fVXEnTzoYmOtirKRbpkVWgJu9Ad4J0UAwF76lTGQX +FIV9sjqV5S09grxlY3qXaquE+i4pMA4gXro5E+eRI8GFJ+F7cX5rRcjsuRi8wyEH +gh/YtY5zMqfKTUGxlXWmNlaH70WilianuMPNXwaKgyBGcfZdheyUggM0rYEJrG1Z +PZqNo0JKfeI4htpENDp0k1xJ9lCjIqdNw0ZjBi+pL6hF5PYaPjlVC2yn5CzRaT1D +nUeKUK+SVES4sPrEQtaOlk86uZC4pIz5IlEoSvaw/Yo3Gk1sQKIQMMh1crhHd0El +U831KwECgYEA7fQY+aFk3fHabwgf9gjuPKgwetVQ8jNDWUiSqffHUC0AQfKZQQsF +mXJeSRZomPCWG3DRz1EcqXr9f82bN295I0CI6foXZgKUmjed7Bohc0HvUqNOi2qm +MdbdWBOaH4RBzi1fAENJZnprmq65jQ/tkfCwqIz4KaLt+8xiWmU2h6ECgYEA32gB +UbCzs1LoJC03uGHqZFRWK/YNKOKBUw58XCnzPTA+34UupI88lPj8LD269tDtruRy +G7wt4HjayPKtK430nKAl01IXq6ULBTByu3KrCOm/gTAycVMj4ZimTn7Qu9jyv4Lz +Ka3rBQxB+yQWfn27dc7U+EBsA7PT53NR6Zl8CqMCgYALJYod93+AHho7ZUgKAHUY +hlBvEJsQHXKkNhAYwjCmAtWmQTUIpPmILKFaDyCrOWnusyRA7+3FyqshV4JT4Hbu +PdGsFDkQYEKRztUpADhc69PILTo6sa5DW2tW+uQXYdyrSdjPbFd943Iy9sheYUah +tYKxApmFacp4JyTcUy1wwQKBgA44xLy6jvX/dR+4cS+frBgu9j1eMIBFyw3Kgkgr +s3xVserww4NeSvEA2KzIUTqdGkRj7o+tbw43I1ZffH6lTskZuM63DyKyIv11lBgy +uIicuMA0nUFxlXsrCIs+r3MF4I4oe+pPVALCQQEHzxbGUkSxogUbtMSXkgnN4Y0J +ZEgZAoGAfo0nv/IeKi0KkKiPTQSGVWGAQyCpGE0UQ2RYYToT84kjXs+LrVGFH2lu +LJvyYnSnM7eKqCFKh+kLQ3bezum56y5XTyAEipTmu7Lhp0CiVjSdnu+0QykmhKsx +Z17Ut2ryGKOXySnlMNual4eCLq98o0iOcYPq08V6x33dhK7Z3kU= +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/multi-level-ca-revoked/hosts/carol/etc/ipsec.secrets b/testing/tests/multi-level-ca-revoked/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..fac55d63b --- /dev/null +++ b/testing/tests/multi-level-ca-revoked/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA carolKey.pem diff --git a/testing/tests/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf b/testing/tests/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..39a298de9 --- /dev/null +++ b/testing/tests/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf @@ -0,0 +1,29 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=yes + +ca strongswan + cacert=strongswanCert.pem + crluri=http://crl.strongswan.org/strongswan.crl + auto=add + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_MOON + leftnexthop=%direct + leftcert=moonCert.pem + leftid=@moon.strongswan.org + +conn alice + leftsubnet=PH_IP_ALICE/32 + right=%any + rightca="C=CH, O=Linux strongSwan, OU=Research, CN=Research CA" + auto=add diff --git a/testing/tests/multi-level-ca-revoked/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem b/testing/tests/multi-level-ca-revoked/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem new file mode 100644 index 000000000..c380a5110 --- /dev/null +++ b/testing/tests/multi-level-ca-revoked/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem @@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIIDwTCCAqmgAwIBAgIBDDANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA1MDMyMzA2MjUzNloXDTE0MDMyMTA2MjUzNlowUTELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh +cmNoMRQwEgYDVQQDEwtSZXNlYXJjaCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBALY5sjqm4AdbWKc/T7JahWpy9xtdPbHngBN6lbnpYaHfrxnGsvmD +FCFZHCd7egRqQ/AuJHHcEv3DUdfJWWAypVnUvdlcp58hBjpxfTPXP9IDBxzQaQyU +zsExIGWOVUY2e7xJ5BKBnXVkok3htY4Hr1GdqNh+3LEmbegJBngTRSRx4PKJ54FO +/b78LUzB+rMxrzxw/lnI8jEmAtKlugQ7c9auMeFCz+NmlSfnSoWhHN5qm+0iNKy0 +C+25IuE8Nq+i3jtBiI8BwBqHY3u2IuflUh9Nc9d/R6vGsRPMHs30X1Ha/m0Ug494 ++wwqwfEBZRjzxMmMF/1SG4I1E3TDOJ3srjkCAwEAAaOBrzCBrDAPBgNVHRMBAf8E +BTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU53XwoPKtIM3NYCPMx8gPKfPd +VCAwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNV +BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJv +bmdTd2FuIFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQEFBQADggEBAA4jpa5Vc/q94/X1 +LAHO2m7v2AFPl68SwspZLbCL7Le+iv5BUQ814Y9qCXMySak+NpZ5RLzm/cC+3GCa +6eyozhZnS5LDxIgtStXWaC3vIQKQhJMwnc43RgcqneqqS5/H5zNXz/f0g/bRG8bN +T6nO0ZRdpy8Zu0+fH3f/u9/sQPRX3iNL/rd3x/UVLoowkQHdKzZfjcrFm+8CPl4r +9xOKjzC6epPY2ApfXmLodd0zemf84CKSJCXfkVlk0cYw1YLKUINnHToFfDAw0kCL +cVc7wHWZlzSVSE3u0PYXVssnsm08RWqAGPL3TO09fnUntNMzlIxNpOTuWsKVXZPq +YO2C4HE= +-----END CERTIFICATE----- diff --git a/testing/tests/multi-level-ca-revoked/posttest.dat b/testing/tests/multi-level-ca-revoked/posttest.dat new file mode 100644 index 000000000..f84b7e37b --- /dev/null +++ b/testing/tests/multi-level-ca-revoked/posttest.dat @@ -0,0 +1,3 @@ +moon::ipsec stop +carol::ipsec stop +moon::rm /etc/ipsec.d/cacerts/* diff --git a/testing/tests/multi-level-ca-revoked/pretest.dat b/testing/tests/multi-level-ca-revoked/pretest.dat new file mode 100644 index 000000000..d92333d86 --- /dev/null +++ b/testing/tests/multi-level-ca-revoked/pretest.dat @@ -0,0 +1,4 @@ +moon::ipsec start +carol::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/multi-level-ca-revoked/test.conf b/testing/tests/multi-level-ca-revoked/test.conf new file mode 100644 index 000000000..2b240d895 --- /dev/null +++ b/testing/tests/multi-level-ca-revoked/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/multi-level-ca-strict/description.txt b/testing/tests/multi-level-ca-strict/description.txt new file mode 100644 index 000000000..32413e3de --- /dev/null +++ b/testing/tests/multi-level-ca-strict/description.txt @@ -0,0 +1,10 @@ +The VPN gateway <b>moon</b> controls the access to the hosts <b>alice</b> and +<b>venus</b> by means of two different Intermediate CAs. Access to +<b>alice</b> is granted to users presenting a certificate issued by the Research CA +whereas <b>venus</b> can only be reached with a certificate issued by the +Sales CA. The roadwarriors <b>carol</b> and <b>dave</b> have certificates from +the Research CA and Sales CA, respectively. Therefore <b>carol</b> can access +<b>alice</b> and <b>dave</b> can reach <b>venus</b>. +<p> +By setting <b>strictcrlpolicy=yes</b> the CRLs from the strongSwan, Research and +Sales CAs must be fetched first, before the connection setups can be successfully completed. diff --git a/testing/tests/multi-level-ca-strict/evaltest.dat b/testing/tests/multi-level-ca-strict/evaltest.dat new file mode 100644 index 000000000..5a181a62d --- /dev/null +++ b/testing/tests/multi-level-ca-strict/evaltest.dat @@ -0,0 +1,12 @@ +moon::cat /var/log/auth.log::PH_IP_CAROL.*X.509 certificate rejected::YES +carol::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES +moon::cat /var/log/auth.log::PH_IP_DAVE.*X.509 certificate rejected::YES +dave::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES +carol::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::alice.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::YES +carol::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::NO +moon::ipsec status::venus.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::NO +dave::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::venus.*PH_IP_DAVE.*STATE_QUICK_R2.*IPsec SA established::YES +dave::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::NO +moon::ipsec status::alice.*PH_IP_DAVE.*STATE_QUICK_R2.*IPsec SA established::NO diff --git a/testing/tests/multi-level-ca-strict/hosts/carol/etc/ipsec.conf b/testing/tests/multi-level-ca-strict/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..de179c565 --- /dev/null +++ b/testing/tests/multi-level-ca-strict/hosts/carol/etc/ipsec.conf @@ -0,0 +1,32 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolCert.pem + right=PH_IP_MOON + rightid=@moon.strongswan.org + +conn alice + rightsubnet=PH_IP_ALICE/32 + auto=add + +conn venus + rightsubnet=PH_IP_VENUS/32 + auto=add + + + + + diff --git a/testing/tests/multi-level-ca-strict/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/multi-level-ca-strict/hosts/carol/etc/ipsec.d/certs/carolCert.pem new file mode 100644 index 000000000..2990d6a12 --- /dev/null +++ b/testing/tests/multi-level-ca-strict/hosts/carol/etc/ipsec.d/certs/carolCert.pem @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIELDCCAxSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS +BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTA1MDMyMzA3MDQyM1oXDTEwMDMyMjA3MDQy +M1owWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP +BgNVBAsTCFJlc2VhcmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCC +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM+oTiV7lCh1ID41edDUgUjR +dZwEMPBAM1xDqoxJxIJpug8UIuuUL0TvQnZ4Z5fa/9QNNCkQ7FDh8ZcR+TT8x0mO +dYYA73mMQic0n4O57F+s/lESKvIoN+vIDR3rGJBv9rYztS4ODE+DJl9XK9TtId5u +57jfXu/k3IYl5GeQ3f+ic2l2Ola70t70Op6cFDZIhOCjs2xWw2yqGdPWODaN/Enw +5fOLv/om+7HHB4KgPGv4p4ohWIUCo2XK597Ii+jB2MdOUlG83/1aX7+M+IeYVwjI +hzWjwRQfMz0AQha0HYN4cvrZ7stUluMxewsCROCBzcGQYTZxYU4FjR8nhH4ApYMC +AwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSL +qNn96rsWg0kOJY/cyXD2JpnPIjBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p +891UIKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3 +YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBDDAfBgNVHREEGDAWgRRj +YXJvbEBzdHJvbmdzd2FuLm9yZzA3BgNVHR8EMDAuMCygKqAohiZodHRwOi8vY3Js +LnN0cm9uZ3N3YW4ub3JnL3Jlc2VhcmNoLmNybDANBgkqhkiG9w0BAQUFAAOCAQEA +FNPepmta0ac9TWe7Gl31fKkuf6ZiQftMwx/uq6PoX9PBVGeooktJMo+EiROQhL3N +Zomtl2nLfxYruXPHa7YaMWyv4+3NkV9p7jseC1K/2lCXipY4Vp8u14hqlRLCTejp +7uC/0+628e+qXlCm8wafDb9/JXzQar7rADhoLp7gJKI2PKMAzLUP2xZVzY5zx57G ++OCR/ZXonVeAPy9/0g9N8uQzJEXOVZYMjsoRra9rdlvnY1DgDoAK7QvJMC4VzENm +wKmz2rPrBlKaEcivubg7dwPMGNmb3f7F7w0HHuRbQd5Y0nDfEWBKCp0bVx1GLc7/ +MWjwPJs52qVJ3Ph++EF6bw== +-----END CERTIFICATE----- diff --git a/testing/tests/multi-level-ca-strict/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/multi-level-ca-strict/hosts/carol/etc/ipsec.d/private/carolKey.pem new file mode 100644 index 000000000..b91f9bf81 --- /dev/null +++ b/testing/tests/multi-level-ca-strict/hosts/carol/etc/ipsec.d/private/carolKey.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEogIBAAKCAQEAz6hOJXuUKHUgPjV50NSBSNF1nAQw8EAzXEOqjEnEgmm6DxQi +65QvRO9Cdnhnl9r/1A00KRDsUOHxlxH5NPzHSY51hgDveYxCJzSfg7nsX6z+URIq +8ig368gNHesYkG/2tjO1Lg4MT4MmX1cr1O0h3m7nuN9e7+TchiXkZ5Dd/6JzaXY6 +VrvS3vQ6npwUNkiE4KOzbFbDbKoZ09Y4No38SfDl84u/+ib7sccHgqA8a/iniiFY +hQKjZcrn3siL6MHYx05SUbzf/Vpfv4z4h5hXCMiHNaPBFB8zPQBCFrQdg3hy+tnu +y1SW4zF7CwJE4IHNwZBhNnFhTgWNHyeEfgClgwIDAQABAoIBAHXoftbRoIKIXtJz +0sM8plwOctUvnAoOqhsNYN1fVXEnTzoYmOtirKRbpkVWgJu9Ad4J0UAwF76lTGQX +FIV9sjqV5S09grxlY3qXaquE+i4pMA4gXro5E+eRI8GFJ+F7cX5rRcjsuRi8wyEH +gh/YtY5zMqfKTUGxlXWmNlaH70WilianuMPNXwaKgyBGcfZdheyUggM0rYEJrG1Z +PZqNo0JKfeI4htpENDp0k1xJ9lCjIqdNw0ZjBi+pL6hF5PYaPjlVC2yn5CzRaT1D +nUeKUK+SVES4sPrEQtaOlk86uZC4pIz5IlEoSvaw/Yo3Gk1sQKIQMMh1crhHd0El +U831KwECgYEA7fQY+aFk3fHabwgf9gjuPKgwetVQ8jNDWUiSqffHUC0AQfKZQQsF +mXJeSRZomPCWG3DRz1EcqXr9f82bN295I0CI6foXZgKUmjed7Bohc0HvUqNOi2qm +MdbdWBOaH4RBzi1fAENJZnprmq65jQ/tkfCwqIz4KaLt+8xiWmU2h6ECgYEA32gB +UbCzs1LoJC03uGHqZFRWK/YNKOKBUw58XCnzPTA+34UupI88lPj8LD269tDtruRy +G7wt4HjayPKtK430nKAl01IXq6ULBTByu3KrCOm/gTAycVMj4ZimTn7Qu9jyv4Lz +Ka3rBQxB+yQWfn27dc7U+EBsA7PT53NR6Zl8CqMCgYALJYod93+AHho7ZUgKAHUY +hlBvEJsQHXKkNhAYwjCmAtWmQTUIpPmILKFaDyCrOWnusyRA7+3FyqshV4JT4Hbu +PdGsFDkQYEKRztUpADhc69PILTo6sa5DW2tW+uQXYdyrSdjPbFd943Iy9sheYUah +tYKxApmFacp4JyTcUy1wwQKBgA44xLy6jvX/dR+4cS+frBgu9j1eMIBFyw3Kgkgr +s3xVserww4NeSvEA2KzIUTqdGkRj7o+tbw43I1ZffH6lTskZuM63DyKyIv11lBgy +uIicuMA0nUFxlXsrCIs+r3MF4I4oe+pPVALCQQEHzxbGUkSxogUbtMSXkgnN4Y0J +ZEgZAoGAfo0nv/IeKi0KkKiPTQSGVWGAQyCpGE0UQ2RYYToT84kjXs+LrVGFH2lu +LJvyYnSnM7eKqCFKh+kLQ3bezum56y5XTyAEipTmu7Lhp0CiVjSdnu+0QykmhKsx +Z17Ut2ryGKOXySnlMNual4eCLq98o0iOcYPq08V6x33dhK7Z3kU= +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/multi-level-ca-strict/hosts/dave/etc/ipsec.conf b/testing/tests/multi-level-ca-strict/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..2fb6a301e --- /dev/null +++ b/testing/tests/multi-level-ca-strict/hosts/dave/etc/ipsec.conf @@ -0,0 +1,32 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_DAVE + leftnexthop=%direct + leftcert=daveCert.pem + right=PH_IP_MOON + rightid=@moon.strongswan.org + +conn alice + rightsubnet=PH_IP_ALICE/32 + auto=add + +conn venus + rightsubnet=PH_IP_VENUS/32 + auto=add + + + + + diff --git a/testing/tests/multi-level-ca-strict/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/multi-level-ca-strict/hosts/dave/etc/ipsec.d/certs/daveCert.pem new file mode 100644 index 000000000..b76032480 --- /dev/null +++ b/testing/tests/multi-level-ca-strict/hosts/dave/etc/ipsec.d/certs/daveCert.pem @@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIIEHDCCAwSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBLMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEOMAwGA1UECxMFU2FsZXMxETAPBgNV +BAMTCFNhbGVzIENBMB4XDTA1MDMyMzA3MTAxN1oXDTEwMDMyMjA3MTAxN1owVjEL +MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsT +BVNhbGVzMRwwGgYDVQQDFBNkYXZlQHN0cm9uZ3N3YW4ub3JnMIIBIjANBgkqhkiG +9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyqAR0itGIuSt/RR8IHjFTLH/lywprmHUw0GS +zZwo/q4AE4v6OeWRG3JUUg44K40yBwr7zvcsLztRTfbNqlt7o+Hjpo3kz0AMwDo+ +1V42Qkh61VJW1P0NQvkgjiQn+ElSMg1u3uiYCIMAhYMYo2ZMKxHXxRqjU79AVuJN +P3p8wUpfwReImAy3/n685YbSzWcbPqCfjRH/YrnYS8Ga7m/QzdNfrtxhAWAGow1+ ++eTSMvLXSkQeujU6OCJNOPUNB3nnJ1IoZrQm8wNP8Y5B5HzvOSyFEvNuHFc63gSP +aSRhuz0gubuMpr1d9Rgjny8JgsfCEbOktlKwnbFeSB8AAgVMjwIDAQABo4H/MIH8 +MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSCy57rUdNRbytUkRGY +GjmjvXfIszBtBgNVHSMEZjBkgBRfmxNG+SByyADViLWnTC6X6guTKKFJpEcwRTEL +MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT +EnN0cm9uZ1N3YW4gUm9vdCBDQYIBDTAeBgNVHREEFzAVgRNkYXZlQHN0cm9uZ3N3 +YW4ub3JnMDQGA1UdHwQtMCswKaAnoCWGI2h0dHA6Ly9jcmwuc3Ryb25nc3dhbi5v +cmcvc2FsZXMuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQB+BknSxFKaDhbRVobOAU2P +p9cirkVCitoZrvK2QIS/7WRoqy85RQ+zorJb3jyTxQl4Pu9Qrap9Zn0H8GQXGlQw +ZJqdDqRaIa4nCc57qP5DsuQKIQRxc1QMCiWyIRAESn+r8IbxLbjvEd7ZXNsieip6 +Q15uUZldjTveHVi89i9oFWS1nWo4SV+tJaEqPBvsTZZKBPAEu6+7lRzbJ4ukzRsA +DjuvmaPNUTyf21fD66I4sgrwgxoPhZ7r6qsqISJ5f0EzTXgYNi1yk/TXoAaot3c/ +Gu5+iyO/espV6kPADSOzPSFwsGHYG4kXi1VY0Z7x6UnjQSdEelOBplJ5XYDzEn4+ +-----END CERTIFICATE----- diff --git a/testing/tests/multi-level-ca-strict/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/multi-level-ca-strict/hosts/dave/etc/ipsec.d/private/daveKey.pem new file mode 100644 index 000000000..022436de4 --- /dev/null +++ b/testing/tests/multi-level-ca-strict/hosts/dave/etc/ipsec.d/private/daveKey.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAyqAR0itGIuSt/RR8IHjFTLH/lywprmHUw0GSzZwo/q4AE4v6 +OeWRG3JUUg44K40yBwr7zvcsLztRTfbNqlt7o+Hjpo3kz0AMwDo+1V42Qkh61VJW +1P0NQvkgjiQn+ElSMg1u3uiYCIMAhYMYo2ZMKxHXxRqjU79AVuJNP3p8wUpfwReI +mAy3/n685YbSzWcbPqCfjRH/YrnYS8Ga7m/QzdNfrtxhAWAGow1++eTSMvLXSkQe +ujU6OCJNOPUNB3nnJ1IoZrQm8wNP8Y5B5HzvOSyFEvNuHFc63gSPaSRhuz0gubuM +pr1d9Rgjny8JgsfCEbOktlKwnbFeSB8AAgVMjwIDAQABAoIBAHKaRFoVpa6Ynpu0 +mVwYUqdFSaVsEgsSRC9HiEuIllsteNeVZSqX4BGhAXYDmttvGauIF9IAVNpF939c +JwjCg1S2r3aFbLOXq16R0vYFOjUVH3xF/NysX3LQywv6AS1Z8wZiOKIU9eBij8nz +0tygQFZf2iUeIuB8HFzH1B8iHSuI7qn6hh1Y9Zgx4kWYL9I+WYefbR906xveHVGq +8VrgHtBAn1WeWg7FoN1VURW0s1bxkiWtpF9x9OMmwK4qR8HSCilss59V1eJrAAR0 +3FGdWwbbGg9hW0adnyDCtoaYW3r0WcXwqklyas4C+dClOpUInn8kZisoghQYT92u +U2QeDzECgYEA5Rv7+rP9HX1pNd9NQwOyIHztv4jfx60gybioogtCeRZUwPQ3GtXJ +Q0ouBxCVLdyCImIKcvd2q2b9HZE8tvOHBA/YxofH4miEN5GWA4aL+LcGrxIbxPWs +MEkxgQwsyK7lWH47fG7eW86LMx0VikFXS1EeeZZS3f3Avaww1uRtXecCgYEA4mhS +sAClZamGVWQ7VXCHuS4xHn/gPA4TCyoR5l9g9pwregGKxsROQVIFQCDMd9eTtS6B +oqoUTHdg0TlujHVUojdwHtgDaqDMTk+RXD9qy2Wob9HQVBlIwgijoLb+OjwdoAj7 +1OQx8FmMjAlMmlyJ50e1FnbNJFEJ1EMgV5QxtxkCgYEArdUeyehYy1BFTJ/CIm+i +bm37gdDbYchlUUivgkuiwvcDlWd2jADbdRfKdofJeIOPpYDXxsUmIATDVfTFqVZ7 +AcT4SCHrskh00SjANqqWdz5/bsQBl96DKBvQ2MYhEJ9K2mrkvZPtWKENEtolZsIO +9tF0mvJIq7CF1iPY5qNoq88CgYEAoZhELErJwl3U+22my7ydopZNiK9MpJCHFxjX +3c2Fr36XqWUgX+4MzKJ2DOdcCM1dJ5wh+q/Z/RnXiH2tYaL83SskY19aUOij6eDw +px68YqAUMHtYbi39uD/iSftSSM5PdsHyvGiDHEFOB0U735Dc/K45mecBVEJi+ZVP +qDKlqUECgYA1DcGOWM3P3XdB7zKy47LcankMtFZozEOLTUdGJRlmWrLdcRlZPKjt +/ALripehesp1++VtmttWQJX7uI3gveD07/tSKeMHmIoKappjRTrcaA7Pa5+z/xS/ +UhRmZUFOJwNLzy3jdv5f2c/5SIz6o4Ae3I+Zb+IapHL+lBv146/I5g== +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/multi-level-ca-strict/hosts/moon/etc/ipsec.conf b/testing/tests/multi-level-ca-strict/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..6ed262d20 --- /dev/null +++ b/testing/tests/multi-level-ca-strict/hosts/moon/etc/ipsec.conf @@ -0,0 +1,36 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=yes + +ca strongswan + cacert=strongswanCert.pem + crluri=http://crl.strongswan.org/strongswan.crl + auto=add + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_MOON + leftnexthop=%direct + leftcert=moonCert.pem + leftid=@moon.strongswan.org + +conn alice + leftsubnet=PH_IP_ALICE/32 + right=%any + rightca="C=CH, O=Linux strongSwan, OU=Research, CN=Research CA" + auto=add + +conn venus + leftsubnet=PH_IP_VENUS/32 + right=%any + rightca="C=CH, O=Linux strongSwan, OU=Sales, CN=Sales CA" + auto=add + diff --git a/testing/tests/multi-level-ca-strict/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem b/testing/tests/multi-level-ca-strict/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem new file mode 100644 index 000000000..154cff654 --- /dev/null +++ b/testing/tests/multi-level-ca-strict/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem @@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIIDwTCCAqmgAwIBAgIBDzANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA1MDYyMTE5NTgwNloXDTEwMDYyMDE5NTgwNlowUTELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh +cmNoMRQwEgYDVQQDEwtSZXNlYXJjaCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBALY5sjqm4AdbWKc/T7JahWpy9xtdPbHngBN6lbnpYaHfrxnGsvmD +FCFZHCd7egRqQ/AuJHHcEv3DUdfJWWAypVnUvdlcp58hBjpxfTPXP9IDBxzQaQyU +zsExIGWOVUY2e7xJ5BKBnXVkok3htY4Hr1GdqNh+3LEmbegJBngTRSRx4PKJ54FO +/b78LUzB+rMxrzxw/lnI8jEmAtKlugQ7c9auMeFCz+NmlSfnSoWhHN5qm+0iNKy0 +C+25IuE8Nq+i3jtBiI8BwBqHY3u2IuflUh9Nc9d/R6vGsRPMHs30X1Ha/m0Ug494 ++wwqwfEBZRjzxMmMF/1SG4I1E3TDOJ3srjkCAwEAAaOBrzCBrDAPBgNVHRMBAf8E +BTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU53XwoPKtIM3NYCPMx8gPKfPd +VCAwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNV +BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJv +bmdTd2FuIFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQEEBQADggEBAHArS2trQnBoMVcg +Br3HV78wYsa1MNAQCBAPhKMMd6EziO4FTwgNgecbKXpObX6ErFDgjtVTcLOMTvNX +fvZoNuPpdcitlgcWjfxZafNbj6j9ClE/rMbGDO64NLhdXuPVkbmic6yXRwGZpTuq +3CKgTguLvhzIEM47yfonXKaaJcKVPI7nYRZdlJmD4VflYrSUpzB361dCaPpl0AYa +0zz1+jfBBvlyic/tf+cCngV3f+GlJ4ntZ3gvRjyysHRmYpWBD7xcA8mJzgUiMyi1 +IKeNzydp+tnLfxwetfA/8ptc346me7RktAaASqO9vpS/N78eXyJRthZTKEf/OqVW +Tfcyi+M= +-----END CERTIFICATE----- diff --git a/testing/tests/multi-level-ca-strict/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem b/testing/tests/multi-level-ca-strict/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem new file mode 100644 index 000000000..e50477872 --- /dev/null +++ b/testing/tests/multi-level-ca-strict/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDuzCCAqOgAwIBAgIBDTANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA1MDMyMzA2MjkxNloXDTE0MDMyMTA2MjkxNlowSzELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsTBVNhbGVz +MREwDwYDVQQDEwhTYWxlcyBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC +ggEBAMJOTSaZjDe5UR+hJbodcE40WBxWm+r0FiD+FLc2c0hH/QcWm1Xfqnc9qaPP +GoxO2BfwXgFEHfOdQzHGuthhsvdMPkmWP1Z3uDrwscqrmLyq4JI87exSen1ggmCV +Eib55T4fNxrTIGJaoe6Jn9v9ZwG2B+Ur3nFA/wdckSdqJxc6XL9DKcRk3TxZtv9S +uDftE9G787O6PJSyfyUYhldz1EZe5PTsUoAbBJ0DDXJx3562kDtfQdwezat0LAyO +sVabYq/0G/fBZwLLer4qGF2+3CsvP7jNXnhRYeSv2+4i2mAjgbBRI1A3iqoU3Nq1 +vPAqzrekOI/RV9Hre9L1r8X1dIECAwEAAaOBrzCBrDAPBgNVHRMBAf8EBTADAQH/ +MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUX5sTRvkgcsgA1Yi1p0wul+oLkygwbQYD +VR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNI +MRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2Fu +IFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQEFBQADggEBAJ7j3X20Q8ICJ2e+iUCpVUIV +8RudUeHt9qjSXalohuxxhegL5vu7I9Gx0H56RE4glOjLMCb1xqVZ55Odxx14pHaZ +9iMnQFpgzi96exYAmBKYCHl4IFix2hrTqTWSJhEO+o+PXnQTgcfG43GQepk0qAQr +iZZy8OWiUhHSJQLJtTMm4rnYjgPn+sLwx7hCPDZpHTZocETDars7wTiVkodCbeEU +uKahAbq4b6MvvC3+7quvwoEpAEStT7+Yml+QuK/jKmhjX0hcQcw4ZWi+m32RjUAv +xDJGEvBqV2hyrzRqwh4lVNJEBba5X+QB3N6a0So6BENaJrUM3v8EDaS2KLUWyu0= +-----END CERTIFICATE----- diff --git a/testing/tests/multi-level-ca-strict/posttest.dat b/testing/tests/multi-level-ca-strict/posttest.dat new file mode 100644 index 000000000..1646d5ed2 --- /dev/null +++ b/testing/tests/multi-level-ca-strict/posttest.dat @@ -0,0 +1,5 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::rm /etc/ipsec.d/cacerts/* + diff --git a/testing/tests/multi-level-ca-strict/pretest.dat b/testing/tests/multi-level-ca-strict/pretest.dat new file mode 100644 index 000000000..67c50c2ef --- /dev/null +++ b/testing/tests/multi-level-ca-strict/pretest.dat @@ -0,0 +1,9 @@ +moon::echo 1 > /proc/sys/net/ipv4/ip_forward +carol::ipsec start +dave::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up alice +carol::ipsec up venus +dave::ipsec up venus +dave::ipsec up alice diff --git a/testing/tests/multi-level-ca-strict/test.conf b/testing/tests/multi-level-ca-strict/test.conf new file mode 100644 index 000000000..08e5cc145 --- /dev/null +++ b/testing/tests/multi-level-ca-strict/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice venus moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-v-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/multi-level-ca/description.txt b/testing/tests/multi-level-ca/description.txt new file mode 100644 index 000000000..64825cb30 --- /dev/null +++ b/testing/tests/multi-level-ca/description.txt @@ -0,0 +1,7 @@ +The VPN gateway <b>moon</b> controls the access to the hosts <b>alice</b> and +<b>venus</b> by means of two different Intermediate CAs. Access to +<b>alice</b> is granted to users presenting a certificate issued by the Research CA +whereas <b>venus</b> can only be reached with a certificate issued by the +Sales CA. The roadwarriors <b>carol</b> and <b>dave</b> have certificates from +the Research CA and Sales CA, respectively. Therefore <b>carol</b> can access +<b>alice</b> and <b>dave</b> can reach <b>venus</b>. diff --git a/testing/tests/multi-level-ca/evaltest.dat b/testing/tests/multi-level-ca/evaltest.dat new file mode 100644 index 000000000..72f620b8e --- /dev/null +++ b/testing/tests/multi-level-ca/evaltest.dat @@ -0,0 +1,12 @@ +carol::cat /var/log/auth.log::alice.*we have a cert and are sending it upon request::YES +moon::cat /var/log/auth.log::alice.*we have a cert and are sending it upon request::YES +dave::cat /var/log/auth.log::venus.*we have a cert and are sending it upon request::YES +moon::cat /var/log/auth.log::venus.*we have a cert and are sending it upon request::YES +carol::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::alice.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::YES +carol::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::NO +moon::ipsec status::venus.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::NO +dave::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::venus.*PH_IP_DAVE.*STATE_QUICK_R2.*IPsec SA established::YES +dave::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::NO +moon::ipsec status::alice.*PH_IP_DAVE.*STATE_QUICK_R2.*IPsec SA established::NO diff --git a/testing/tests/multi-level-ca/hosts/carol/etc/ipsec.conf b/testing/tests/multi-level-ca/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..e851a82f0 --- /dev/null +++ b/testing/tests/multi-level-ca/hosts/carol/etc/ipsec.conf @@ -0,0 +1,33 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolCert.pem + leftsendcert=ifasked + right=PH_IP_MOON + rightid=@moon.strongswan.org + +conn alice + rightsubnet=PH_IP_ALICE/32 + auto=add + +conn venus + rightsubnet=PH_IP_VENUS/32 + auto=add + + + + + diff --git a/testing/tests/multi-level-ca/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/multi-level-ca/hosts/carol/etc/ipsec.d/certs/carolCert.pem new file mode 100644 index 000000000..2990d6a12 --- /dev/null +++ b/testing/tests/multi-level-ca/hosts/carol/etc/ipsec.d/certs/carolCert.pem @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIELDCCAxSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS +BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTA1MDMyMzA3MDQyM1oXDTEwMDMyMjA3MDQy +M1owWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP +BgNVBAsTCFJlc2VhcmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCC +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM+oTiV7lCh1ID41edDUgUjR +dZwEMPBAM1xDqoxJxIJpug8UIuuUL0TvQnZ4Z5fa/9QNNCkQ7FDh8ZcR+TT8x0mO +dYYA73mMQic0n4O57F+s/lESKvIoN+vIDR3rGJBv9rYztS4ODE+DJl9XK9TtId5u +57jfXu/k3IYl5GeQ3f+ic2l2Ola70t70Op6cFDZIhOCjs2xWw2yqGdPWODaN/Enw +5fOLv/om+7HHB4KgPGv4p4ohWIUCo2XK597Ii+jB2MdOUlG83/1aX7+M+IeYVwjI +hzWjwRQfMz0AQha0HYN4cvrZ7stUluMxewsCROCBzcGQYTZxYU4FjR8nhH4ApYMC +AwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSL +qNn96rsWg0kOJY/cyXD2JpnPIjBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p +891UIKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3 +YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBDDAfBgNVHREEGDAWgRRj +YXJvbEBzdHJvbmdzd2FuLm9yZzA3BgNVHR8EMDAuMCygKqAohiZodHRwOi8vY3Js +LnN0cm9uZ3N3YW4ub3JnL3Jlc2VhcmNoLmNybDANBgkqhkiG9w0BAQUFAAOCAQEA +FNPepmta0ac9TWe7Gl31fKkuf6ZiQftMwx/uq6PoX9PBVGeooktJMo+EiROQhL3N +Zomtl2nLfxYruXPHa7YaMWyv4+3NkV9p7jseC1K/2lCXipY4Vp8u14hqlRLCTejp +7uC/0+628e+qXlCm8wafDb9/JXzQar7rADhoLp7gJKI2PKMAzLUP2xZVzY5zx57G ++OCR/ZXonVeAPy9/0g9N8uQzJEXOVZYMjsoRra9rdlvnY1DgDoAK7QvJMC4VzENm +wKmz2rPrBlKaEcivubg7dwPMGNmb3f7F7w0HHuRbQd5Y0nDfEWBKCp0bVx1GLc7/ +MWjwPJs52qVJ3Ph++EF6bw== +-----END CERTIFICATE----- diff --git a/testing/tests/multi-level-ca/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/multi-level-ca/hosts/carol/etc/ipsec.d/private/carolKey.pem new file mode 100644 index 000000000..b91f9bf81 --- /dev/null +++ b/testing/tests/multi-level-ca/hosts/carol/etc/ipsec.d/private/carolKey.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEogIBAAKCAQEAz6hOJXuUKHUgPjV50NSBSNF1nAQw8EAzXEOqjEnEgmm6DxQi +65QvRO9Cdnhnl9r/1A00KRDsUOHxlxH5NPzHSY51hgDveYxCJzSfg7nsX6z+URIq +8ig368gNHesYkG/2tjO1Lg4MT4MmX1cr1O0h3m7nuN9e7+TchiXkZ5Dd/6JzaXY6 +VrvS3vQ6npwUNkiE4KOzbFbDbKoZ09Y4No38SfDl84u/+ib7sccHgqA8a/iniiFY +hQKjZcrn3siL6MHYx05SUbzf/Vpfv4z4h5hXCMiHNaPBFB8zPQBCFrQdg3hy+tnu +y1SW4zF7CwJE4IHNwZBhNnFhTgWNHyeEfgClgwIDAQABAoIBAHXoftbRoIKIXtJz +0sM8plwOctUvnAoOqhsNYN1fVXEnTzoYmOtirKRbpkVWgJu9Ad4J0UAwF76lTGQX +FIV9sjqV5S09grxlY3qXaquE+i4pMA4gXro5E+eRI8GFJ+F7cX5rRcjsuRi8wyEH +gh/YtY5zMqfKTUGxlXWmNlaH70WilianuMPNXwaKgyBGcfZdheyUggM0rYEJrG1Z +PZqNo0JKfeI4htpENDp0k1xJ9lCjIqdNw0ZjBi+pL6hF5PYaPjlVC2yn5CzRaT1D +nUeKUK+SVES4sPrEQtaOlk86uZC4pIz5IlEoSvaw/Yo3Gk1sQKIQMMh1crhHd0El +U831KwECgYEA7fQY+aFk3fHabwgf9gjuPKgwetVQ8jNDWUiSqffHUC0AQfKZQQsF +mXJeSRZomPCWG3DRz1EcqXr9f82bN295I0CI6foXZgKUmjed7Bohc0HvUqNOi2qm +MdbdWBOaH4RBzi1fAENJZnprmq65jQ/tkfCwqIz4KaLt+8xiWmU2h6ECgYEA32gB +UbCzs1LoJC03uGHqZFRWK/YNKOKBUw58XCnzPTA+34UupI88lPj8LD269tDtruRy +G7wt4HjayPKtK430nKAl01IXq6ULBTByu3KrCOm/gTAycVMj4ZimTn7Qu9jyv4Lz +Ka3rBQxB+yQWfn27dc7U+EBsA7PT53NR6Zl8CqMCgYALJYod93+AHho7ZUgKAHUY +hlBvEJsQHXKkNhAYwjCmAtWmQTUIpPmILKFaDyCrOWnusyRA7+3FyqshV4JT4Hbu +PdGsFDkQYEKRztUpADhc69PILTo6sa5DW2tW+uQXYdyrSdjPbFd943Iy9sheYUah +tYKxApmFacp4JyTcUy1wwQKBgA44xLy6jvX/dR+4cS+frBgu9j1eMIBFyw3Kgkgr +s3xVserww4NeSvEA2KzIUTqdGkRj7o+tbw43I1ZffH6lTskZuM63DyKyIv11lBgy +uIicuMA0nUFxlXsrCIs+r3MF4I4oe+pPVALCQQEHzxbGUkSxogUbtMSXkgnN4Y0J +ZEgZAoGAfo0nv/IeKi0KkKiPTQSGVWGAQyCpGE0UQ2RYYToT84kjXs+LrVGFH2lu +LJvyYnSnM7eKqCFKh+kLQ3bezum56y5XTyAEipTmu7Lhp0CiVjSdnu+0QykmhKsx +Z17Ut2ryGKOXySnlMNual4eCLq98o0iOcYPq08V6x33dhK7Z3kU= +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/multi-level-ca/hosts/dave/etc/ipsec.conf b/testing/tests/multi-level-ca/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..458a4ca5e --- /dev/null +++ b/testing/tests/multi-level-ca/hosts/dave/etc/ipsec.conf @@ -0,0 +1,33 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_DAVE + leftnexthop=%direct + leftcert=daveCert.pem + leftsendcert=ifasked + right=PH_IP_MOON + rightid=@moon.strongswan.org + +conn alice + rightsubnet=PH_IP_ALICE/32 + auto=add + +conn venus + rightsubnet=PH_IP_VENUS/32 + auto=add + + + + + diff --git a/testing/tests/multi-level-ca/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/multi-level-ca/hosts/dave/etc/ipsec.d/certs/daveCert.pem new file mode 100644 index 000000000..b76032480 --- /dev/null +++ b/testing/tests/multi-level-ca/hosts/dave/etc/ipsec.d/certs/daveCert.pem @@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIIEHDCCAwSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBLMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEOMAwGA1UECxMFU2FsZXMxETAPBgNV +BAMTCFNhbGVzIENBMB4XDTA1MDMyMzA3MTAxN1oXDTEwMDMyMjA3MTAxN1owVjEL +MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsT +BVNhbGVzMRwwGgYDVQQDFBNkYXZlQHN0cm9uZ3N3YW4ub3JnMIIBIjANBgkqhkiG +9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyqAR0itGIuSt/RR8IHjFTLH/lywprmHUw0GS +zZwo/q4AE4v6OeWRG3JUUg44K40yBwr7zvcsLztRTfbNqlt7o+Hjpo3kz0AMwDo+ +1V42Qkh61VJW1P0NQvkgjiQn+ElSMg1u3uiYCIMAhYMYo2ZMKxHXxRqjU79AVuJN +P3p8wUpfwReImAy3/n685YbSzWcbPqCfjRH/YrnYS8Ga7m/QzdNfrtxhAWAGow1+ ++eTSMvLXSkQeujU6OCJNOPUNB3nnJ1IoZrQm8wNP8Y5B5HzvOSyFEvNuHFc63gSP +aSRhuz0gubuMpr1d9Rgjny8JgsfCEbOktlKwnbFeSB8AAgVMjwIDAQABo4H/MIH8 +MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSCy57rUdNRbytUkRGY +GjmjvXfIszBtBgNVHSMEZjBkgBRfmxNG+SByyADViLWnTC6X6guTKKFJpEcwRTEL +MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT +EnN0cm9uZ1N3YW4gUm9vdCBDQYIBDTAeBgNVHREEFzAVgRNkYXZlQHN0cm9uZ3N3 +YW4ub3JnMDQGA1UdHwQtMCswKaAnoCWGI2h0dHA6Ly9jcmwuc3Ryb25nc3dhbi5v +cmcvc2FsZXMuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQB+BknSxFKaDhbRVobOAU2P +p9cirkVCitoZrvK2QIS/7WRoqy85RQ+zorJb3jyTxQl4Pu9Qrap9Zn0H8GQXGlQw +ZJqdDqRaIa4nCc57qP5DsuQKIQRxc1QMCiWyIRAESn+r8IbxLbjvEd7ZXNsieip6 +Q15uUZldjTveHVi89i9oFWS1nWo4SV+tJaEqPBvsTZZKBPAEu6+7lRzbJ4ukzRsA +DjuvmaPNUTyf21fD66I4sgrwgxoPhZ7r6qsqISJ5f0EzTXgYNi1yk/TXoAaot3c/ +Gu5+iyO/espV6kPADSOzPSFwsGHYG4kXi1VY0Z7x6UnjQSdEelOBplJ5XYDzEn4+ +-----END CERTIFICATE----- diff --git a/testing/tests/multi-level-ca/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/multi-level-ca/hosts/dave/etc/ipsec.d/private/daveKey.pem new file mode 100644 index 000000000..022436de4 --- /dev/null +++ b/testing/tests/multi-level-ca/hosts/dave/etc/ipsec.d/private/daveKey.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAyqAR0itGIuSt/RR8IHjFTLH/lywprmHUw0GSzZwo/q4AE4v6 +OeWRG3JUUg44K40yBwr7zvcsLztRTfbNqlt7o+Hjpo3kz0AMwDo+1V42Qkh61VJW +1P0NQvkgjiQn+ElSMg1u3uiYCIMAhYMYo2ZMKxHXxRqjU79AVuJNP3p8wUpfwReI +mAy3/n685YbSzWcbPqCfjRH/YrnYS8Ga7m/QzdNfrtxhAWAGow1++eTSMvLXSkQe +ujU6OCJNOPUNB3nnJ1IoZrQm8wNP8Y5B5HzvOSyFEvNuHFc63gSPaSRhuz0gubuM +pr1d9Rgjny8JgsfCEbOktlKwnbFeSB8AAgVMjwIDAQABAoIBAHKaRFoVpa6Ynpu0 +mVwYUqdFSaVsEgsSRC9HiEuIllsteNeVZSqX4BGhAXYDmttvGauIF9IAVNpF939c +JwjCg1S2r3aFbLOXq16R0vYFOjUVH3xF/NysX3LQywv6AS1Z8wZiOKIU9eBij8nz +0tygQFZf2iUeIuB8HFzH1B8iHSuI7qn6hh1Y9Zgx4kWYL9I+WYefbR906xveHVGq +8VrgHtBAn1WeWg7FoN1VURW0s1bxkiWtpF9x9OMmwK4qR8HSCilss59V1eJrAAR0 +3FGdWwbbGg9hW0adnyDCtoaYW3r0WcXwqklyas4C+dClOpUInn8kZisoghQYT92u +U2QeDzECgYEA5Rv7+rP9HX1pNd9NQwOyIHztv4jfx60gybioogtCeRZUwPQ3GtXJ +Q0ouBxCVLdyCImIKcvd2q2b9HZE8tvOHBA/YxofH4miEN5GWA4aL+LcGrxIbxPWs +MEkxgQwsyK7lWH47fG7eW86LMx0VikFXS1EeeZZS3f3Avaww1uRtXecCgYEA4mhS +sAClZamGVWQ7VXCHuS4xHn/gPA4TCyoR5l9g9pwregGKxsROQVIFQCDMd9eTtS6B +oqoUTHdg0TlujHVUojdwHtgDaqDMTk+RXD9qy2Wob9HQVBlIwgijoLb+OjwdoAj7 +1OQx8FmMjAlMmlyJ50e1FnbNJFEJ1EMgV5QxtxkCgYEArdUeyehYy1BFTJ/CIm+i +bm37gdDbYchlUUivgkuiwvcDlWd2jADbdRfKdofJeIOPpYDXxsUmIATDVfTFqVZ7 +AcT4SCHrskh00SjANqqWdz5/bsQBl96DKBvQ2MYhEJ9K2mrkvZPtWKENEtolZsIO +9tF0mvJIq7CF1iPY5qNoq88CgYEAoZhELErJwl3U+22my7ydopZNiK9MpJCHFxjX +3c2Fr36XqWUgX+4MzKJ2DOdcCM1dJ5wh+q/Z/RnXiH2tYaL83SskY19aUOij6eDw +px68YqAUMHtYbi39uD/iSftSSM5PdsHyvGiDHEFOB0U735Dc/K45mecBVEJi+ZVP +qDKlqUECgYA1DcGOWM3P3XdB7zKy47LcankMtFZozEOLTUdGJRlmWrLdcRlZPKjt +/ALripehesp1++VtmttWQJX7uI3gveD07/tSKeMHmIoKappjRTrcaA7Pa5+z/xS/ +UhRmZUFOJwNLzy3jdv5f2c/5SIz6o4Ae3I+Zb+IapHL+lBv146/I5g== +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/multi-level-ca/hosts/moon/etc/ipsec.conf b/testing/tests/multi-level-ca/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..e60bbc016 --- /dev/null +++ b/testing/tests/multi-level-ca/hosts/moon/etc/ipsec.conf @@ -0,0 +1,37 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +ca strongswan + cacert=strongswanCert.pem + crluri=http://crl.strongswan.org/strongswan.crl + auto=add + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_MOON + leftnexthop=%direct + leftcert=moonCert.pem + leftsendcert=ifasked + leftid=@moon.strongswan.org + +conn alice + leftsubnet=PH_IP_ALICE/32 + right=%any + rightca="C=CH, O=Linux strongSwan, OU=Research, CN=Research CA" + auto=add + +conn venus + leftsubnet=PH_IP_VENUS/32 + right=%any + rightca="C=CH, O=Linux strongSwan, OU=Sales, CN=Sales CA" + auto=add + diff --git a/testing/tests/multi-level-ca/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem b/testing/tests/multi-level-ca/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem new file mode 100644 index 000000000..154cff654 --- /dev/null +++ b/testing/tests/multi-level-ca/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem @@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIIDwTCCAqmgAwIBAgIBDzANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA1MDYyMTE5NTgwNloXDTEwMDYyMDE5NTgwNlowUTELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh +cmNoMRQwEgYDVQQDEwtSZXNlYXJjaCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBALY5sjqm4AdbWKc/T7JahWpy9xtdPbHngBN6lbnpYaHfrxnGsvmD +FCFZHCd7egRqQ/AuJHHcEv3DUdfJWWAypVnUvdlcp58hBjpxfTPXP9IDBxzQaQyU +zsExIGWOVUY2e7xJ5BKBnXVkok3htY4Hr1GdqNh+3LEmbegJBngTRSRx4PKJ54FO +/b78LUzB+rMxrzxw/lnI8jEmAtKlugQ7c9auMeFCz+NmlSfnSoWhHN5qm+0iNKy0 +C+25IuE8Nq+i3jtBiI8BwBqHY3u2IuflUh9Nc9d/R6vGsRPMHs30X1Ha/m0Ug494 ++wwqwfEBZRjzxMmMF/1SG4I1E3TDOJ3srjkCAwEAAaOBrzCBrDAPBgNVHRMBAf8E +BTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU53XwoPKtIM3NYCPMx8gPKfPd +VCAwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNV +BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJv +bmdTd2FuIFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQEEBQADggEBAHArS2trQnBoMVcg +Br3HV78wYsa1MNAQCBAPhKMMd6EziO4FTwgNgecbKXpObX6ErFDgjtVTcLOMTvNX +fvZoNuPpdcitlgcWjfxZafNbj6j9ClE/rMbGDO64NLhdXuPVkbmic6yXRwGZpTuq +3CKgTguLvhzIEM47yfonXKaaJcKVPI7nYRZdlJmD4VflYrSUpzB361dCaPpl0AYa +0zz1+jfBBvlyic/tf+cCngV3f+GlJ4ntZ3gvRjyysHRmYpWBD7xcA8mJzgUiMyi1 +IKeNzydp+tnLfxwetfA/8ptc346me7RktAaASqO9vpS/N78eXyJRthZTKEf/OqVW +Tfcyi+M= +-----END CERTIFICATE----- diff --git a/testing/tests/multi-level-ca/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem b/testing/tests/multi-level-ca/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem new file mode 100644 index 000000000..e50477872 --- /dev/null +++ b/testing/tests/multi-level-ca/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDuzCCAqOgAwIBAgIBDTANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA1MDMyMzA2MjkxNloXDTE0MDMyMTA2MjkxNlowSzELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsTBVNhbGVz +MREwDwYDVQQDEwhTYWxlcyBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC +ggEBAMJOTSaZjDe5UR+hJbodcE40WBxWm+r0FiD+FLc2c0hH/QcWm1Xfqnc9qaPP +GoxO2BfwXgFEHfOdQzHGuthhsvdMPkmWP1Z3uDrwscqrmLyq4JI87exSen1ggmCV +Eib55T4fNxrTIGJaoe6Jn9v9ZwG2B+Ur3nFA/wdckSdqJxc6XL9DKcRk3TxZtv9S +uDftE9G787O6PJSyfyUYhldz1EZe5PTsUoAbBJ0DDXJx3562kDtfQdwezat0LAyO +sVabYq/0G/fBZwLLer4qGF2+3CsvP7jNXnhRYeSv2+4i2mAjgbBRI1A3iqoU3Nq1 +vPAqzrekOI/RV9Hre9L1r8X1dIECAwEAAaOBrzCBrDAPBgNVHRMBAf8EBTADAQH/ +MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUX5sTRvkgcsgA1Yi1p0wul+oLkygwbQYD +VR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNI +MRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2Fu +IFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQEFBQADggEBAJ7j3X20Q8ICJ2e+iUCpVUIV +8RudUeHt9qjSXalohuxxhegL5vu7I9Gx0H56RE4glOjLMCb1xqVZ55Odxx14pHaZ +9iMnQFpgzi96exYAmBKYCHl4IFix2hrTqTWSJhEO+o+PXnQTgcfG43GQepk0qAQr +iZZy8OWiUhHSJQLJtTMm4rnYjgPn+sLwx7hCPDZpHTZocETDars7wTiVkodCbeEU +uKahAbq4b6MvvC3+7quvwoEpAEStT7+Yml+QuK/jKmhjX0hcQcw4ZWi+m32RjUAv +xDJGEvBqV2hyrzRqwh4lVNJEBba5X+QB3N6a0So6BENaJrUM3v8EDaS2KLUWyu0= +-----END CERTIFICATE----- diff --git a/testing/tests/multi-level-ca/posttest.dat b/testing/tests/multi-level-ca/posttest.dat new file mode 100644 index 000000000..1646d5ed2 --- /dev/null +++ b/testing/tests/multi-level-ca/posttest.dat @@ -0,0 +1,5 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::rm /etc/ipsec.d/cacerts/* + diff --git a/testing/tests/multi-level-ca/pretest.dat b/testing/tests/multi-level-ca/pretest.dat new file mode 100644 index 000000000..67c50c2ef --- /dev/null +++ b/testing/tests/multi-level-ca/pretest.dat @@ -0,0 +1,9 @@ +moon::echo 1 > /proc/sys/net/ipv4/ip_forward +carol::ipsec start +dave::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up alice +carol::ipsec up venus +dave::ipsec up venus +dave::ipsec up alice diff --git a/testing/tests/multi-level-ca/test.conf b/testing/tests/multi-level-ca/test.conf new file mode 100644 index 000000000..08e5cc145 --- /dev/null +++ b/testing/tests/multi-level-ca/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice venus moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-v-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/nat-one-rw/description.txt b/testing/tests/nat-one-rw/description.txt new file mode 100644 index 000000000..c3b9bb820 --- /dev/null +++ b/testing/tests/nat-one-rw/description.txt @@ -0,0 +1,5 @@ +The roadwarrior <b>alice</b> sitting behind the NAT router <b>moon</b> sets up a tunnel to +gateway <b>sun</b>. UDP encapsulation is used to traverse the NAT router. +<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass +the tunneled traffic. In order to test the tunnel, the NAT-ed host <b>alice</b> pings the +client <b>bob</b> behind the gateway <b>sun</b>. diff --git a/testing/tests/nat-one-rw/evaltest.dat b/testing/tests/nat-one-rw/evaltest.dat new file mode 100644 index 000000000..bc193963d --- /dev/null +++ b/testing/tests/nat-one-rw/evaltest.dat @@ -0,0 +1,5 @@ +alice::ipsec status::nat-t.*STATE_QUICK_I2.*IPsec SA established::YES +sun::ipsec status::nat-t.*STATE_QUICK_R2.*IPsec SA established::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES +moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP::YES +moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP::YES diff --git a/testing/tests/nat-one-rw/posttest.dat b/testing/tests/nat-one-rw/posttest.dat new file mode 100644 index 000000000..af8e00575 --- /dev/null +++ b/testing/tests/nat-one-rw/posttest.dat @@ -0,0 +1,8 @@ +alice::iptables -v -n -L +sun::iptables -v -n -L +alice::ipsec stop +sun::ipsec stop +alice::/etc/init.d/iptables stop 2> /dev/null +sun::/etc/init.d/iptables stop 2> /dev/null +moon::iptables -t nat -F + diff --git a/testing/tests/nat-one-rw/pretest.dat b/testing/tests/nat-one-rw/pretest.dat new file mode 100644 index 000000000..9dacc672c --- /dev/null +++ b/testing/tests/nat-one-rw/pretest.dat @@ -0,0 +1,10 @@ +alice::/etc/init.d/iptables start 2> /dev/null +sun::/etc/init.d/iptables start 2> /dev/null +moon::echo 1 > /proc/sys/net/ipv4/ip_forward +moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100 +moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100 +alice::ipsec start +sun::ipsec start +alice::sleep 5 +alice::ipsec up nat-t + diff --git a/testing/tests/nat-one-rw/test.conf b/testing/tests/nat-one-rw/test.conf new file mode 100644 index 000000000..d84149aaf --- /dev/null +++ b/testing/tests/nat-one-rw/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="alice sun" diff --git a/testing/tests/nat-two-rw/description.txt b/testing/tests/nat-two-rw/description.txt new file mode 100644 index 000000000..dcf4b94bd --- /dev/null +++ b/testing/tests/nat-two-rw/description.txt @@ -0,0 +1,5 @@ +The roadwarriors <b>alice</b> and <b>venus</b> sitting behind the NAT router <b>moon</b> set up +tunnels to gateway <b>sun</b>. UDP encapsulation is used to traverse the NAT router. +<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass +the tunneled traffic. In order to test the tunnel, the NAT-ed hosts <b>alice</b> and <b>venus</b> +ping the client <b>bob</b> behind the gateway <b>sun</b>. diff --git a/testing/tests/nat-two-rw/evaltest.dat b/testing/tests/nat-two-rw/evaltest.dat new file mode 100644 index 000000000..b1a7d59ee --- /dev/null +++ b/testing/tests/nat-two-rw/evaltest.dat @@ -0,0 +1,9 @@ +alice::ipsec status::nat-t.*STATE_QUICK_I2.*IPsec SA established::YES +venus::ipsec status::nat-t.*STATE_QUICK_I2.*IPsec SA established::YES +sun::ipsec status::nat-t.*STATE_QUICK_R2.*IPsec SA established::YES +sun::ipsec status::nat-t.*alice@strongswan.org::YES +sun::ipsec status::nat-t.*@venus.strongswan.org::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES +venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES +moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP::YES +moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP::YES diff --git a/testing/tests/nat-two-rw/posttest.dat b/testing/tests/nat-two-rw/posttest.dat new file mode 100644 index 000000000..f019842ed --- /dev/null +++ b/testing/tests/nat-two-rw/posttest.dat @@ -0,0 +1,11 @@ +alice::iptables -v -n -L +venus::iptables -v -n -L +sun::iptables -v -n -L +sun::ipsec stop +alice::ipsec stop +venus::ipsec stop +alice::/etc/init.d/iptables stop 2> /dev/null +venus::/etc/init.d/iptables stop 2> /dev/null +sun::/etc/init.d/iptables stop 2> /dev/null +moon::iptables -t nat -F + diff --git a/testing/tests/nat-two-rw/pretest.dat b/testing/tests/nat-two-rw/pretest.dat new file mode 100644 index 000000000..dd5259936 --- /dev/null +++ b/testing/tests/nat-two-rw/pretest.dat @@ -0,0 +1,13 @@ +alice::/etc/init.d/iptables start 2> /dev/null +venus::/etc/init.d/iptables start 2> /dev/null +sun::/etc/init.d/iptables start 2> /dev/null +moon::echo 1 > /proc/sys/net/ipv4/ip_forward +moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100 +moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100 +alice::ipsec start +venus::ipsec start +sun::ipsec start +alice::sleep 5 +alice::ipsec up nat-t +venus::sleep 5 +venus::ipsec up nat-t diff --git a/testing/tests/nat-two-rw/test.conf b/testing/tests/nat-two-rw/test.conf new file mode 100644 index 000000000..84317fd70 --- /dev/null +++ b/testing/tests/nat-two-rw/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice venus moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-v-m-w-s-b.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="alice venus sun" diff --git a/testing/tests/net2net-cert/description.txt b/testing/tests/net2net-cert/description.txt new file mode 100644 index 000000000..7eea9192f --- /dev/null +++ b/testing/tests/net2net-cert/description.txt @@ -0,0 +1,6 @@ +A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up. +The authentication is based on <b>X.509 certificates</b>. Upon the successful +establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically +inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b> +pings client <b>bob</b> located behind gateway <b>sun</b>. diff --git a/testing/tests/net2net-cert/evaltest.dat b/testing/tests/net2net-cert/evaltest.dat new file mode 100644 index 000000000..7cbf92687 --- /dev/null +++ b/testing/tests/net2net-cert/evaltest.dat @@ -0,0 +1,5 @@ +moon::ipsec status::net-net.*STATE_QUICK_I2.*IPsec SA established::YES +sun::ipsec status::net-net.*STATE_QUICK_R2.*IPsec SA established::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/net2net-cert/posttest.dat b/testing/tests/net2net-cert/posttest.dat new file mode 100644 index 000000000..52979508d --- /dev/null +++ b/testing/tests/net2net-cert/posttest.dat @@ -0,0 +1,6 @@ +moon::iptables -v -n -L +sun::iptables -v -n -L +moon::ipsec stop +sun::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +sun::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/net2net-cert/pretest.dat b/testing/tests/net2net-cert/pretest.dat new file mode 100644 index 000000000..9f60760c6 --- /dev/null +++ b/testing/tests/net2net-cert/pretest.dat @@ -0,0 +1,6 @@ +moon::/etc/init.d/iptables start 2> /dev/null +sun::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +sun::ipsec start +moon::sleep 2 +moon::ipsec up net-net diff --git a/testing/tests/net2net-cert/test.conf b/testing/tests/net2net-cert/test.conf new file mode 100644 index 000000000..d9a61590f --- /dev/null +++ b/testing/tests/net2net-cert/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" diff --git a/testing/tests/net2net-pgp/description.txt b/testing/tests/net2net-pgp/description.txt new file mode 100644 index 000000000..c85f2e5d0 --- /dev/null +++ b/testing/tests/net2net-pgp/description.txt @@ -0,0 +1,6 @@ +A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up. +The authentication is based on <b>OpenPGP keys</b>. Upon the successful +establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically +inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b> +pings client <b>bob</b> located behind gateway <b>sun</b>. diff --git a/testing/tests/net2net-pgp/evaltest.dat b/testing/tests/net2net-pgp/evaltest.dat new file mode 100644 index 000000000..7cbf92687 --- /dev/null +++ b/testing/tests/net2net-pgp/evaltest.dat @@ -0,0 +1,5 @@ +moon::ipsec status::net-net.*STATE_QUICK_I2.*IPsec SA established::YES +sun::ipsec status::net-net.*STATE_QUICK_R2.*IPsec SA established::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/net2net-pgp/hosts/moon/etc/ipsec.conf b/testing/tests/net2net-pgp/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..e7de6cf0b --- /dev/null +++ b/testing/tests/net2net-pgp/hosts/moon/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + nocrsend=yes + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + leftnexthop=%direct + +conn net-net + left=PH_IP_MOON + leftsubnet=10.1.0.0/16 + leftcert=moonCert.asc + leftfirewall=yes + right=PH_IP_SUN + rightsubnet=10.2.0.0/16 + rightcert=sunCert.asc + auto=add diff --git a/testing/tests/net2net-pgp/hosts/moon/etc/ipsec.d/certs/moonCert.asc b/testing/tests/net2net-pgp/hosts/moon/etc/ipsec.d/certs/moonCert.asc new file mode 100644 index 000000000..135cfaec0 --- /dev/null +++ b/testing/tests/net2net-pgp/hosts/moon/etc/ipsec.d/certs/moonCert.asc @@ -0,0 +1,15 @@ +Type Bits/KeyID Date User ID +pub 1024/613A3B61 2005/08/07 moon <moon.strongswan.org> + +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: 2.6.3i + +mQCNA0L2KI8AAAEEAM5GYrwuf1M9Cv7+Yfr6i5+17zMVGIyj/D4+msK43iUbEH61 ++bhRKcrF+9NKvM+ujjZoUbfGjUipsBbTlPTaY7muZ9KaVy2OBHm73x13eiemkPS9 +RFWesrL9L39aBO5K47ti0PwRP8QIPMaNWMs2z7yoZLE/flVNQfWsCnlhOjthAAUR +tBptb29uIDxtb29uLnN0cm9uZ3N3YW4ub3JnPokAlQMFEEL2KI/1rAp5YTo7YQEB +vX4EAKtr0e6WMDIRlpE4VhhdQ7AgBgGyhgfqAdD9KDx8o4fG4nkmh7H1bG/PLJA1 +f+UfDGnOyIwPOrILNyNnwAbDHXjJaNylahM7poOP7i0VlbhZPLAC0cSQi02/Zrac +t5bED5tHSrNSjcA/CjuxRuu9lmR6s57IQnQnwt9I4LTM+CFP +=oaBj +-----END PGP PUBLIC KEY BLOCK----- diff --git a/testing/tests/net2net-pgp/hosts/moon/etc/ipsec.d/certs/sunCert.asc b/testing/tests/net2net-pgp/hosts/moon/etc/ipsec.d/certs/sunCert.asc new file mode 100644 index 000000000..32f204b10 --- /dev/null +++ b/testing/tests/net2net-pgp/hosts/moon/etc/ipsec.d/certs/sunCert.asc @@ -0,0 +1,15 @@ +Type Bits/KeyID Date User ID +pub 1024/79949ADD 2005/08/07 sun <sun.strongswan.org> + +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: 2.6.3i + +mQCNA0L2Km8AAAEEANRAVMn8HBxfYaGhLqtQ3IZJArn9wpcQ+7sH/F9PaXIjzHRQ +rfFkfmxxp9lVjCk0LM/BnnlnUmyz6F8K7V0Gi40Am4+ln1zHvZZIQJYGrDhDnjb7 +I5TVeD4Ib5bQ1CoUbIhv2LocCeR6OjefQgGmerC5RQ3d5ci7uB0pVpd5lJrdAAUR +tBhzdW4gPHN1bi5zdHJvbmdzd2FuLm9yZz6JAJUDBRBC9ipvHSlWl3mUmt0BAUZR +A/43nuZbxADMSviu54Mj8pvQbYeGLQVabiWT6h7L0ZPX4MWpFH3dTixBfRrZRSsj +0AgiMMuZAMebfOe+Xf9uDQv7p1yumEiNg43tg85zyawkARWNTZZ04woxtvAqNwXn +lQotGz7YA6JMxry9RQo5yI4Y4dPnVZ/o8eDpP0+I88cOhQ== +=lLvB +-----END PGP PUBLIC KEY BLOCK----- diff --git a/testing/tests/net2net-pgp/hosts/moon/etc/ipsec.d/private/moonKey.asc b/testing/tests/net2net-pgp/hosts/moon/etc/ipsec.d/private/moonKey.asc new file mode 100644 index 000000000..6524773e0 --- /dev/null +++ b/testing/tests/net2net-pgp/hosts/moon/etc/ipsec.d/private/moonKey.asc @@ -0,0 +1,19 @@ +Type Bits/KeyID Date User ID +sec 1024/613A3B61 2005/08/07 moon <moon.strongswan.org> + +-----BEGIN PGP SECRET KEY BLOCK----- +Version: 2.6.3i + +lQHYA0L2KI8AAAEEAM5GYrwuf1M9Cv7+Yfr6i5+17zMVGIyj/D4+msK43iUbEH61 ++bhRKcrF+9NKvM+ujjZoUbfGjUipsBbTlPTaY7muZ9KaVy2OBHm73x13eiemkPS9 +RFWesrL9L39aBO5K47ti0PwRP8QIPMaNWMs2z7yoZLE/flVNQfWsCnlhOjthAAUR +AAP9Fj7OaaCfTL3Met8yuS8ZGMDL/fq+4f2bM+OdPSgD4N1Fiye0B1QMCVGWI1Xd +JXS0+9QI0A3iD12YAnYwsP50KmsLHA69AqchN7BuimoMfHDXqpTSRW57E9MCEzQ9 +FFN8mVPRiDxAUro8qCjdHmk1vmtdt/PXn1BuXHE36SzZmmMCANBA4WHaO6MJshM6 +7StRicSCxoMn/lPcj6rfJS4EaS+a0MwECxKQ3HKTpP3/+7kaWfLI/D65Xmi3cVK3 +0CPwUK8CAP2RYWoBZPSA8dBGFYwR7W6bdNYhdmGmsVCaM7v4sVr0FwHwMERadByN +8v0n5As3ZbrCURRp68wuE+JjfOM5mO8CAM3ZK7AVlBOqkoI3X3Ji3yviLlsr2ET7 +QrVKFQBq7eUhwYFo6mVemEqQb61tGirq+qL4Wfk/7+FffZPsUyLX1amfjLQabW9v +biA8bW9vbi5zdHJvbmdzd2FuLm9yZz4= +=YFQm +-----END PGP SECRET KEY BLOCK----- diff --git a/testing/tests/net2net-pgp/hosts/moon/etc/ipsec.secrets b/testing/tests/net2net-pgp/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..afb1ff927 --- /dev/null +++ b/testing/tests/net2net-pgp/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA moonKey.asc diff --git a/testing/tests/net2net-pgp/hosts/sun/etc/ipsec.conf b/testing/tests/net2net-pgp/hosts/sun/etc/ipsec.conf new file mode 100755 index 000000000..5dd8a8587 --- /dev/null +++ b/testing/tests/net2net-pgp/hosts/sun/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + nocrsend=yes + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + leftnexthop=%direct + +conn net-net + left=PH_IP_SUN + leftsubnet=10.2.0.0/16 + leftcert=sunCert.asc + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightcert=moonCert.asc + auto=add diff --git a/testing/tests/net2net-pgp/hosts/sun/etc/ipsec.d/certs/moonCert.asc b/testing/tests/net2net-pgp/hosts/sun/etc/ipsec.d/certs/moonCert.asc new file mode 100644 index 000000000..135cfaec0 --- /dev/null +++ b/testing/tests/net2net-pgp/hosts/sun/etc/ipsec.d/certs/moonCert.asc @@ -0,0 +1,15 @@ +Type Bits/KeyID Date User ID +pub 1024/613A3B61 2005/08/07 moon <moon.strongswan.org> + +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: 2.6.3i + +mQCNA0L2KI8AAAEEAM5GYrwuf1M9Cv7+Yfr6i5+17zMVGIyj/D4+msK43iUbEH61 ++bhRKcrF+9NKvM+ujjZoUbfGjUipsBbTlPTaY7muZ9KaVy2OBHm73x13eiemkPS9 +RFWesrL9L39aBO5K47ti0PwRP8QIPMaNWMs2z7yoZLE/flVNQfWsCnlhOjthAAUR +tBptb29uIDxtb29uLnN0cm9uZ3N3YW4ub3JnPokAlQMFEEL2KI/1rAp5YTo7YQEB +vX4EAKtr0e6WMDIRlpE4VhhdQ7AgBgGyhgfqAdD9KDx8o4fG4nkmh7H1bG/PLJA1 +f+UfDGnOyIwPOrILNyNnwAbDHXjJaNylahM7poOP7i0VlbhZPLAC0cSQi02/Zrac +t5bED5tHSrNSjcA/CjuxRuu9lmR6s57IQnQnwt9I4LTM+CFP +=oaBj +-----END PGP PUBLIC KEY BLOCK----- diff --git a/testing/tests/net2net-pgp/hosts/sun/etc/ipsec.d/certs/sunCert.asc b/testing/tests/net2net-pgp/hosts/sun/etc/ipsec.d/certs/sunCert.asc new file mode 100644 index 000000000..32f204b10 --- /dev/null +++ b/testing/tests/net2net-pgp/hosts/sun/etc/ipsec.d/certs/sunCert.asc @@ -0,0 +1,15 @@ +Type Bits/KeyID Date User ID +pub 1024/79949ADD 2005/08/07 sun <sun.strongswan.org> + +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: 2.6.3i + +mQCNA0L2Km8AAAEEANRAVMn8HBxfYaGhLqtQ3IZJArn9wpcQ+7sH/F9PaXIjzHRQ +rfFkfmxxp9lVjCk0LM/BnnlnUmyz6F8K7V0Gi40Am4+ln1zHvZZIQJYGrDhDnjb7 +I5TVeD4Ib5bQ1CoUbIhv2LocCeR6OjefQgGmerC5RQ3d5ci7uB0pVpd5lJrdAAUR +tBhzdW4gPHN1bi5zdHJvbmdzd2FuLm9yZz6JAJUDBRBC9ipvHSlWl3mUmt0BAUZR +A/43nuZbxADMSviu54Mj8pvQbYeGLQVabiWT6h7L0ZPX4MWpFH3dTixBfRrZRSsj +0AgiMMuZAMebfOe+Xf9uDQv7p1yumEiNg43tg85zyawkARWNTZZ04woxtvAqNwXn +lQotGz7YA6JMxry9RQo5yI4Y4dPnVZ/o8eDpP0+I88cOhQ== +=lLvB +-----END PGP PUBLIC KEY BLOCK----- diff --git a/testing/tests/net2net-pgp/hosts/sun/etc/ipsec.d/private/sunKey.asc b/testing/tests/net2net-pgp/hosts/sun/etc/ipsec.d/private/sunKey.asc new file mode 100644 index 000000000..de2393649 --- /dev/null +++ b/testing/tests/net2net-pgp/hosts/sun/etc/ipsec.d/private/sunKey.asc @@ -0,0 +1,19 @@ +Type Bits/KeyID Date User ID +sec 1024/79949ADD 2005/08/07 sun <sun.strongswan.org> + +-----BEGIN PGP SECRET KEY BLOCK----- +Version: 2.6.3i + +lQHYA0L2Km8AAAEEANRAVMn8HBxfYaGhLqtQ3IZJArn9wpcQ+7sH/F9PaXIjzHRQ +rfFkfmxxp9lVjCk0LM/BnnlnUmyz6F8K7V0Gi40Am4+ln1zHvZZIQJYGrDhDnjb7 +I5TVeD4Ib5bQ1CoUbIhv2LocCeR6OjefQgGmerC5RQ3d5ci7uB0pVpd5lJrdAAUR +AAP8DHxBOQ7UeiO6cutdGSLfy6nxGf/eRR8d3dNLFKpRfy9IQxPN/yQHb8pzSQUI +Pqi3V4PcJUJQJIMNqzzgyTyey/OdTc+IFngywRGKQowyD7vY+urVbcEDHe+sRTL1 +GvrsQGMZoXNDimABHn5NbT6Pc06xQ9rNvpCSyHMyzcylpk0CANqf96aEaryGJozg +vSN5GlS77rPJ9Y9mU2EJs1+0BlMcb7Sy4HN2RRc/V56ZmlW2m3UbGwPqG8R9XQQ2 +LO03bTcCAPiJbTcRdA/YnZExbZPgEnV5nq8tVXTc7bz1Sw7ZWRef0iZyIQEXbwLn +2Z2EJik9bQpkcVJSBV17cH7Av/VdIosCAKJPVoBETiVzWejIpGHHqbnmZC8P9rUs +xAXZbNukbL3YElLeopNMyddTi6kf45/m0sb7fr7rzW/OJ7WP8mDrGPec4rQYc3Vu +IDxzdW4uc3Ryb25nc3dhbi5vcmc+ +=DwEu +-----END PGP SECRET KEY BLOCK----- diff --git a/testing/tests/net2net-pgp/hosts/sun/etc/ipsec.secrets b/testing/tests/net2net-pgp/hosts/sun/etc/ipsec.secrets new file mode 100644 index 000000000..ee98b1611 --- /dev/null +++ b/testing/tests/net2net-pgp/hosts/sun/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA sunKey.asc diff --git a/testing/tests/net2net-pgp/posttest.dat b/testing/tests/net2net-pgp/posttest.dat new file mode 100644 index 000000000..80e765dfc --- /dev/null +++ b/testing/tests/net2net-pgp/posttest.dat @@ -0,0 +1,10 @@ +moon::iptables -v -n -L +sun::iptables -v -n -L +moon::ipsec stop +sun::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +sun::/etc/init.d/iptables stop 2> /dev/null +moon::rm /etc/ipsec.d/certs/* +moon::rm /etc/ipsec.d/private/* +sun::rm /etc/ipsec.d/certs/* +sun::rm /etc/ipsec.d/private/* diff --git a/testing/tests/net2net-pgp/pretest.dat b/testing/tests/net2net-pgp/pretest.dat new file mode 100644 index 000000000..9e40684ab --- /dev/null +++ b/testing/tests/net2net-pgp/pretest.dat @@ -0,0 +1,8 @@ +moon::/etc/init.d/iptables start 2> /dev/null +sun::/etc/init.d/iptables start 2> /dev/null +moon::rm /etc/ipsec.d/cacerts/* +sun::rm /etc/ipsec.d/cacerts/* +moon::ipsec start +sun::ipsec start +moon::sleep 2 +moon::ipsec up net-net diff --git a/testing/tests/net2net-pgp/test.conf b/testing/tests/net2net-pgp/test.conf new file mode 100644 index 000000000..f74d0f7d6 --- /dev/null +++ b/testing/tests/net2net-pgp/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" diff --git a/testing/tests/net2net-psk-fail/description.txt b/testing/tests/net2net-psk-fail/description.txt new file mode 100644 index 000000000..5a794bd17 --- /dev/null +++ b/testing/tests/net2net-psk-fail/description.txt @@ -0,0 +1,7 @@ +An IPsec tunnel connecting the subnets behind the gateways <b>moon</b> and +<b>sun</b> is set up. The authentication is based on <b>Preshared Keys</b> +(PSK). Unfortunately the secret keys of <b>moon</b> and <b>sun</b> do not +match, so that the responder cannot decrypt ISAKMP message MI3. The resulting +encrypted notification message cannot in turn be read by the initiator +<b>moon</b>. In order to avoid a <b>notify-war</b>, any further generation of +PAYLOAD_MALFORMED messages is suppressed. diff --git a/testing/tests/net2net-psk-fail/evaltest.dat b/testing/tests/net2net-psk-fail/evaltest.dat new file mode 100644 index 000000000..7f7cb9726 --- /dev/null +++ b/testing/tests/net2net-psk-fail/evaltest.dat @@ -0,0 +1,6 @@ +moon::cat /var/log/auth.log::malformed payload in packet::YES +sun::cat /var/log/auth.log::probable authentication failure.*mismatch of preshared secrets.*malformed payload in packet::YES +sun::cat /var/log/auth.log::sending encrypted notification PAYLOAD_MALFORMED::YES +moon::ipsec status::net-net.*STATE_MAIN_I4.*ISAKMP SA established::NO +sun::ipsec status::net-net.*STATE_MAIN_R3.*ISAKMP SA established::NO + diff --git a/testing/tests/net2net-psk-fail/hosts/moon/etc/ipsec.conf b/testing/tests/net2net-psk-fail/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..87396e455 --- /dev/null +++ b/testing/tests/net2net-psk-fail/hosts/moon/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + authby=secret + leftnexthop=%direct + +conn net-net + left=PH_IP_MOON + leftsubnet=10.1.0.0/16 + leftid=@moon.strongswan.org + right=PH_IP_SUN + rightsubnet=10.2.0.0/16 + rightid=@sun.strongswan.org + auto=add diff --git a/testing/tests/net2net-psk-fail/hosts/moon/etc/ipsec.secrets b/testing/tests/net2net-psk-fail/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..be95c4d99 --- /dev/null +++ b/testing/tests/net2net-psk-fail/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,7 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +@moon.strongswan.org @sun.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL + + + + diff --git a/testing/tests/net2net-psk-fail/hosts/sun/etc/ipsec.conf b/testing/tests/net2net-psk-fail/hosts/sun/etc/ipsec.conf new file mode 100755 index 000000000..7e102b25c --- /dev/null +++ b/testing/tests/net2net-psk-fail/hosts/sun/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + authby=secret + leftnexthop=%direct + +conn net-net + left=PH_IP_SUN + leftsubnet=10.2.0.0/16 + leftid=@sun.strongswan.org + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/net2net-psk-fail/hosts/sun/etc/ipsec.secrets b/testing/tests/net2net-psk-fail/hosts/sun/etc/ipsec.secrets new file mode 100644 index 000000000..b53577e1d --- /dev/null +++ b/testing/tests/net2net-psk-fail/hosts/sun/etc/ipsec.secrets @@ -0,0 +1,7 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +@moon.strongswan.org @sun.strongswan.org : PSK 0sZNbttZkdViYmLWprfhiZBtDjJbNAMHil + + + + diff --git a/testing/tests/net2net-psk-fail/posttest.dat b/testing/tests/net2net-psk-fail/posttest.dat new file mode 100644 index 000000000..dff181797 --- /dev/null +++ b/testing/tests/net2net-psk-fail/posttest.dat @@ -0,0 +1,2 @@ +moon::ipsec stop +sun::ipsec stop diff --git a/testing/tests/net2net-psk-fail/pretest.dat b/testing/tests/net2net-psk-fail/pretest.dat new file mode 100644 index 000000000..aa8e332e0 --- /dev/null +++ b/testing/tests/net2net-psk-fail/pretest.dat @@ -0,0 +1,6 @@ +moon::echo 1 > /proc/sys/net/ipv4/ip_forward +sun::echo 1 > /proc/sys/net/ipv4/ip_forward +moon::ipsec start +sun::ipsec start +moon::sleep 2 +moon::ipsec up net-net diff --git a/testing/tests/net2net-psk-fail/test.conf b/testing/tests/net2net-psk-fail/test.conf new file mode 100644 index 000000000..f6e064e7d --- /dev/null +++ b/testing/tests/net2net-psk-fail/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon winnetou sun" + +# Corresponding block diagram +# +DIAGRAM="m-w-s.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" diff --git a/testing/tests/net2net-psk/description.txt b/testing/tests/net2net-psk/description.txt new file mode 100644 index 000000000..02cddbb83 --- /dev/null +++ b/testing/tests/net2net-psk/description.txt @@ -0,0 +1,6 @@ +A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up. +The authentication is based on <b>Preshared Keys</b> (PSK). Upon the successful +establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically +inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b> +pings client <b>bob</b> located behind gateway <b>sun</b>. diff --git a/testing/tests/net2net-psk/evaltest.dat b/testing/tests/net2net-psk/evaltest.dat new file mode 100644 index 000000000..7cbf92687 --- /dev/null +++ b/testing/tests/net2net-psk/evaltest.dat @@ -0,0 +1,5 @@ +moon::ipsec status::net-net.*STATE_QUICK_I2.*IPsec SA established::YES +sun::ipsec status::net-net.*STATE_QUICK_R2.*IPsec SA established::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/net2net-psk/hosts/moon/etc/ipsec.conf b/testing/tests/net2net-psk/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..51c53a505 --- /dev/null +++ b/testing/tests/net2net-psk/hosts/moon/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + authby=secret + leftnexthop=%direct + +conn net-net + left=PH_IP_MOON + leftsubnet=10.1.0.0/16 + leftid=@moon.strongswan.org + leftfirewall=yes + right=PH_IP_SUN + rightsubnet=10.2.0.0/16 + rightid=@sun.strongswan.org + auto=add diff --git a/testing/tests/net2net-psk/hosts/moon/etc/ipsec.secrets b/testing/tests/net2net-psk/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..be95c4d99 --- /dev/null +++ b/testing/tests/net2net-psk/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,7 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +@moon.strongswan.org @sun.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL + + + + diff --git a/testing/tests/net2net-psk/hosts/sun/etc/ipsec.conf b/testing/tests/net2net-psk/hosts/sun/etc/ipsec.conf new file mode 100755 index 000000000..9c3695178 --- /dev/null +++ b/testing/tests/net2net-psk/hosts/sun/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + authby=secret + leftnexthop=%direct + +conn net-net + left=PH_IP_SUN + leftsubnet=10.2.0.0/16 + leftid=@sun.strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/net2net-psk/hosts/sun/etc/ipsec.secrets b/testing/tests/net2net-psk/hosts/sun/etc/ipsec.secrets new file mode 100644 index 000000000..be95c4d99 --- /dev/null +++ b/testing/tests/net2net-psk/hosts/sun/etc/ipsec.secrets @@ -0,0 +1,7 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +@moon.strongswan.org @sun.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL + + + + diff --git a/testing/tests/net2net-psk/posttest.dat b/testing/tests/net2net-psk/posttest.dat new file mode 100644 index 000000000..52979508d --- /dev/null +++ b/testing/tests/net2net-psk/posttest.dat @@ -0,0 +1,6 @@ +moon::iptables -v -n -L +sun::iptables -v -n -L +moon::ipsec stop +sun::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +sun::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/net2net-psk/pretest.dat b/testing/tests/net2net-psk/pretest.dat new file mode 100644 index 000000000..9e40684ab --- /dev/null +++ b/testing/tests/net2net-psk/pretest.dat @@ -0,0 +1,8 @@ +moon::/etc/init.d/iptables start 2> /dev/null +sun::/etc/init.d/iptables start 2> /dev/null +moon::rm /etc/ipsec.d/cacerts/* +sun::rm /etc/ipsec.d/cacerts/* +moon::ipsec start +sun::ipsec start +moon::sleep 2 +moon::ipsec up net-net diff --git a/testing/tests/net2net-psk/test.conf b/testing/tests/net2net-psk/test.conf new file mode 100644 index 000000000..f74d0f7d6 --- /dev/null +++ b/testing/tests/net2net-psk/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" diff --git a/testing/tests/net2net-route/description.txt b/testing/tests/net2net-route/description.txt new file mode 100644 index 000000000..323f09555 --- /dev/null +++ b/testing/tests/net2net-route/description.txt @@ -0,0 +1,9 @@ +A tunnel that will connect the subnets behind the gateways <b>moon</b> +and <b>sun</b>, respectively, is preconfigured by installing a %trap eroute +on gateway <b>moon</b> by means of the setting <b>auto=route</b> in ipsec.conf. +A subsequent ping issued by client <b>alice</b> behind gateway <b>moon</b> to +<b>bob</b> located behind gateway <b>sun</b> triggers the %trap eroute and +leads to the automatic establishment of the subnet-to-subnet tunnel. +<p> +<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules +that let pass the tunneled traffic. diff --git a/testing/tests/net2net-route/evaltest.dat b/testing/tests/net2net-route/evaltest.dat new file mode 100644 index 000000000..38d589e5a --- /dev/null +++ b/testing/tests/net2net-route/evaltest.dat @@ -0,0 +1,6 @@ +moon::cat /var/log/auth.log::initiate on demand from PH_IP_ALICE::YES +moon::ipsec status::net-net.*STATE_QUICK_I2.*IPsec SA established::YES +sun::ipsec status::net-net.*STATE_QUICK_R2.*IPsec SA established::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/net2net-route/hosts/moon/etc/ipsec.conf b/testing/tests/net2net-route/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..4063ae05f --- /dev/null +++ b/testing/tests/net2net-route/hosts/moon/etc/ipsec.conf @@ -0,0 +1,26 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + leftnexthop=%direct + +conn net-net + left=PH_IP_MOON + leftsubnet=10.1.0.0/16 + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftfirewall=yes + right=PH_IP_SUN + rightsubnet=10.2.0.0/16 + rightid=@sun.strongswan.org + auto=route diff --git a/testing/tests/net2net-route/posttest.dat b/testing/tests/net2net-route/posttest.dat new file mode 100644 index 000000000..52979508d --- /dev/null +++ b/testing/tests/net2net-route/posttest.dat @@ -0,0 +1,6 @@ +moon::iptables -v -n -L +sun::iptables -v -n -L +moon::ipsec stop +sun::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +sun::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/net2net-route/pretest.dat b/testing/tests/net2net-route/pretest.dat new file mode 100644 index 000000000..2eef7de19 --- /dev/null +++ b/testing/tests/net2net-route/pretest.dat @@ -0,0 +1,6 @@ +moon::/etc/init.d/iptables start 2> /dev/null +sun::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +sun::ipsec start +moon::sleep 2 +alice::ping -c 10 PH_IP_BOB diff --git a/testing/tests/net2net-route/test.conf b/testing/tests/net2net-route/test.conf new file mode 100644 index 000000000..d9a61590f --- /dev/null +++ b/testing/tests/net2net-route/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" diff --git a/testing/tests/net2net-rsa/description.txt b/testing/tests/net2net-rsa/description.txt new file mode 100644 index 000000000..a23fae8c3 --- /dev/null +++ b/testing/tests/net2net-rsa/description.txt @@ -0,0 +1,6 @@ +A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up. +The authentication is based on <b>raw RSA keys</b>. Upon the successful +establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically +inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b> +pings client <b>bob</b> located behind gateway <b>sun</b>. diff --git a/testing/tests/net2net-rsa/evaltest.dat b/testing/tests/net2net-rsa/evaltest.dat new file mode 100644 index 000000000..7cbf92687 --- /dev/null +++ b/testing/tests/net2net-rsa/evaltest.dat @@ -0,0 +1,5 @@ +moon::ipsec status::net-net.*STATE_QUICK_I2.*IPsec SA established::YES +sun::ipsec status::net-net.*STATE_QUICK_R2.*IPsec SA established::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/net2net-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/net2net-rsa/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..772762321 --- /dev/null +++ b/testing/tests/net2net-rsa/hosts/moon/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + leftnexthop=%direct + +conn net-net + left=PH_IP_MOON + leftsubnet=10.1.0.0/16 + leftid=@moon.strongswan.org + leftrsasigkey=0sAQN+mkeECF5Bm7XnDkkkfmgny/TZndTkN1XzFZWB7nJroM3cTk3zMtdSPX8hY9GQxVGWSsmUBq7mGA5Qx39JpRNpyzxW7wRcMbwqDquG1PRfblLzV1ixdXOGSLUNaXonqDI/h5fCkqTuZtLbE4q3Pf4PmQAwzWVWaTZQ1gXXqUqKlN6218Hm2vbvNRE/CBHuFMmaCz11jckvaPvcqBLZzRTx9b/Mi+qD6xT7k9RpYHmtaGCJ95ed1bY6SZkapgHWu88/3M6bxCzD0KOA3oFbwlkHkFyaGWFB2+fc7L6BfYq0wr/d84tQdOxEn3BwLTrVKo7+6AxDrMi0I+blD2nd9cxj + leftfirewall=yes + right=PH_IP_SUN + rightsubnet=10.2.0.0/16 + rightid=@sun.strongswan.org + rightrsasigkey=0sAQOiSuR9e/WMZFOxK3IdaFBOT2DGoObFDJURejqLcjMpmY2yVbA9Lpc+AEGKxqjb37WG6sVo3fBCDBOAhgmMw9s0b6DTSeXaIQloqW1M8IC+xe1fT+F0BsW1ttaEN0WTF5H+J+a4/arYg4HyiA+sjoqHagnCVPM15Rm5mkmg913XmSCgtkenD4WUq+NfPLuOcggqTjHAAoGD0doswRa3sebyqHQNAb32PXW9ecKi9ExcPrdr5hR5uNXRMYGumBtoxcE6xEvCM/sPRK1hbyynixc5nfMQ5Ymb4mdCUotUGaCyKDa4pF58sYgP6xpd/HXMXGdRP+KxqA4sfes46gp8UuJT + auto=add diff --git a/testing/tests/net2net-rsa/hosts/moon/etc/ipsec.secrets b/testing/tests/net2net-rsa/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..9859ae8ed --- /dev/null +++ b/testing/tests/net2net-rsa/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,17 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA { + # RSA 2048 bits moon.strongswan.org Wed Dec 8 21:41:27 2004 + # for signatures only, UNSAFE FOR ENCRYPTION + #pubkey=0sAQN+mkeECF5Bm7XnDkkkfmgny/TZndTkN1XzFZWB7nJroM3cTk3zMtdSPX8hY9GQxVGWSsmUBq7mGA5Qx39JpRNpyzxW7wRcMbwqDquG1PRfblLzV1ixdXOGSLUNaXonqDI/h5fCkqTuZtLbE4q3Pf4PmQAwzWVWaTZQ1gXXqUqKlN6218Hm2vbvNRE/CBHuFMmaCz11jckvaPvcqBLZzRTx9b/Mi+qD6xT7k9RpYHmtaGCJ95ed1bY6SZkapgHWu88/3M6bxCzD0KOA3oFbwlkHkFyaGWFB2+fc7L6BfYq0wr/d84tQdOxEn3BwLTrVKo7+6AxDrMi0I+blD2nd9cxj + Modulus: 0x7e9a4784085e419bb5e70e49247e6827cbf4d99dd4e43755f3159581ee726ba0cddc4e4df332d7523d7f2163d190c551964ac99406aee6180e50c77f49a51369cb3c56ef045c31bc2a0eab86d4f45f6e52f35758b175738648b50d697a27a8323f8797c292a4ee66d2db138ab73dfe0f990030cd6556693650d605d7a94a8a94deb6d7c1e6daf6ef35113f0811ee14c99a0b3d758dc92f68fbdca812d9cd14f1f5bfcc8bea83eb14fb93d4696079ad686089f7979dd5b63a49991aa601d6bbcf3fdcce9bc42cc3d0a380de815bc25907905c9a196141dbe7dcecbe817d8ab4c2bfddf38b5074ec449f70702d3ad52a8efee80c43acc8b423e6e50f69ddf5cc63 + PublicExponent: 0x03 + # everything after this point is secret + PrivateExponent: 0x1519b69601650aef48fbd7b6db6a66b14ca8ceefa37b5e8e532e4395a7bdbc9accfa0d0cfdddce8db4ea8590a2ed763843b72198abc7d1040262cbea8c462de6f734b927d60f5d9f5c57c741237e0fe7b87de3e41d9393410c1e2ce6e9b146b30a96994b1870d2667879d8971e8a5502998008223b8e66de62ce564e9c37171893a0e8a94749590fef394b9deda1e73937b1c664d2e4764ae49572771130a097024380c258fa25f9083eefc5eabe762d8e856237bdd8ad8217f899688f70ac1f37650dc08bf3748b74a4f30873842fe27bdfbc49d0cb14c3861ff18b1219153ddb69e5bcb09ff691473a856e63e23d2f36389959f804e82b13a547decc7d6df7 + Prime1: 0xc11b8705063c662ee0a168b904bbd9c514025360c75e43e7c60c3c17846ede31bba328dfaf8abf513175f312a4263645db0f0797ca7f36d04f996680772264a63c1f76a2a2fe250aa0ca8e96122438bdd5b327e925742047f2b7d0fe3fa6ea07a10cd9a40f8994a95af505116131584c5fc247a7d69df08bfac1b5a23b7c157f + Prime2: 0xa7d5dcc534e67a60b918109b7b66cfad37de43b7d51025bfda4fbd30ee3a73362c879f1e251c47ed98a442b33bdcb2112e5aa2b160426e5d6a2c1bb22e104e6db75f0575d979e38146d89db8948500fad36b0875570b3f0ac5754440d14d4b47fa55b77b1d2b9033991c4a858256632759d22c80060d52957643aa8ed789231d + Exponent1: 0x80bd04ae0428441f406b9b260327e68362ac3795da3ed7efd95d7d6502f4942127c21b3fca5c7f8b764ea20c6d6eced93cb4afba86ff79e03510ef004f6c43197d6a4f17175418b1c08709b9616d7b2939221a9b6e4d6adaa1cfe0a97fc49c05160891180a5bb870e74e0360eb763add952c2fc539bea05d51d67916d252b8ff + Exponent2: 0x6fe3e8837899a6eb26100b1252448a737a942d2538b56e7fe6dfd375f426f779730514bec3682ff3bb182c777d3dcc0b743c6c76402c49939c1d67cc1eb5899e7a3f58f93ba697ab84906925b858ab51e2475af8e4b22a072e4e2d808b88dcdaa6e3cfa768c7b577bb6831ae56e4421a3be173000408e1b8f98271b48fb0c213 + Coefficient: 0x0a9ea0e995d8d635ac37b5d5f1121ecd4d6387262ea65ea969499ec4c7af9d7a79b256654bda5c972b6efaf5aba35d6790ce4db39258930488ddb2443d19c344312380bed3290f29f0ff5b0ce382622c849f3279f653a2b7c4cc8efbfc5098852fe39aee9da947e53ddfe58bb6b7bb02b693a1b1228dc0481b681d51865d0339 + } +# do not change the indenting of that "}" diff --git a/testing/tests/net2net-rsa/hosts/sun/etc/ipsec.conf b/testing/tests/net2net-rsa/hosts/sun/etc/ipsec.conf new file mode 100755 index 000000000..9626ef168 --- /dev/null +++ b/testing/tests/net2net-rsa/hosts/sun/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + leftnexthop=%direct + +conn net-net + left=PH_IP_SUN + leftsubnet=10.2.0.0/16 + leftid=@sun.strongswan.org + leftrsasigkey=0sAQOiSuR9e/WMZFOxK3IdaFBOT2DGoObFDJURejqLcjMpmY2yVbA9Lpc+AEGKxqjb37WG6sVo3fBCDBOAhgmMw9s0b6DTSeXaIQloqW1M8IC+xe1fT+F0BsW1ttaEN0WTF5H+J+a4/arYg4HyiA+sjoqHagnCVPM15Rm5mkmg913XmSCgtkenD4WUq+NfPLuOcggqTjHAAoGD0doswRa3sebyqHQNAb32PXW9ecKi9ExcPrdr5hR5uNXRMYGumBtoxcE6xEvCM/sPRK1hbyynixc5nfMQ5Ymb4mdCUotUGaCyKDa4pF58sYgP6xpd/HXMXGdRP+KxqA4sfes46gp8UuJT + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + rightrsasigkey=0sAQN+mkeECF5Bm7XnDkkkfmgny/TZndTkN1XzFZWB7nJroM3cTk3zMtdSPX8hY9GQxVGWSsmUBq7mGA5Qx39JpRNpyzxW7wRcMbwqDquG1PRfblLzV1ixdXOGSLUNaXonqDI/h5fCkqTuZtLbE4q3Pf4PmQAwzWVWaTZQ1gXXqUqKlN6218Hm2vbvNRE/CBHuFMmaCz11jckvaPvcqBLZzRTx9b/Mi+qD6xT7k9RpYHmtaGCJ95ed1bY6SZkapgHWu88/3M6bxCzD0KOA3oFbwlkHkFyaGWFB2+fc7L6BfYq0wr/d84tQdOxEn3BwLTrVKo7+6AxDrMi0I+blD2nd9cxj + auto=add diff --git a/testing/tests/net2net-rsa/hosts/sun/etc/ipsec.secrets b/testing/tests/net2net-rsa/hosts/sun/etc/ipsec.secrets new file mode 100644 index 000000000..bf976a8d3 --- /dev/null +++ b/testing/tests/net2net-rsa/hosts/sun/etc/ipsec.secrets @@ -0,0 +1,17 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA { + # RSA 2048 bits sun.strongswan.org Wed Dec 8 21:44:27 2004 + # for signatures only, UNSAFE FOR ENCRYPTION + #pubkey=0sAQOiSuR9e/WMZFOxK3IdaFBOT2DGoObFDJURejqLcjMpmY2yVbA9Lpc+AEGKxqjb37WG6sVo3fBCDBOAhgmMw9s0b6DTSeXaIQloqW1M8IC+xe1fT+F0BsW1ttaEN0WTF5H+J+a4/arYg4HyiA+sjoqHagnCVPM15Rm5mkmg913XmSCgtkenD4WUq+NfPLuOcggqTjHAAoGD0doswRa3sebyqHQNAb32PXW9ecKi9ExcPrdr5hR5uNXRMYGumBtoxcE6xEvCM/sPRK1hbyynixc5nfMQ5Ymb4mdCUotUGaCyKDa4pF58sYgP6xpd/HXMXGdRP+KxqA4sfes46gp8UuJT + Modulus: 0xa24ae47d7bf58c6453b12b721d68504e4f60c6a0e6c50c95117a3a8b723329998db255b03d2e973e00418ac6a8dbdfb586eac568ddf0420c138086098cc3db346fa0d349e5da210968a96d4cf080bec5ed5f4fe17406c5b5b6d6843745931791fe27e6b8fdaad88381f2880fac8e8a876a09c254f335e519b99a49a0f75dd79920a0b647a70f8594abe35f3cbb8e72082a4e31c0028183d1da2cc116b7b1e6f2a8740d01bdf63d75bd79c2a2f44c5c3eb76be61479b8d5d13181ae981b68c5c13ac44bc233fb0f44ad616f2ca78b17399df310e5899be26742528b5419a0b22836b8a45e7cb1880feb1a5dfc75cc5c67513fe2b1a80e2c7deb38ea0a7c52e253 + PublicExponent: 0x03 + # everything after this point is secret + PrivateExponent: 0x04eaff2a9726789e3114e24946b595d3d3dc250ca22500619bae5edd701110c697b0121c9d01696e7c21043490c0d83bcdc90dbd5c0f09c24e2aaeba78a1162860793cb4a9dfd274a614a638a27081e6f7ad8e0e96e8eeb7ee448fa49580941bb25e4ccf4d814c611373f49ba061690bdc6ce6dbc94f357ce69811bf0f40e780b643cbe7e076031f234e842b41bc10fb2d359617c64b434cb3dd4d9add91dcbcaef9fba1fb6f217a8ad65bde553bd2792c939ea8b5c0591598e7291597609a779a088e36c1ebe15ebb5e9a7774d9d9cd90913030b88e215f9e66fe0daafb198a3bb9d4e6277b625460ede2d84ce7f3334bf641829c826dbc1549625377c517db + Prime1: 0xfee3308b1f16875eeb4ca7ba6a9b8f9279eceff06531aae2bb50d2ccbf7f2b0901f2c5e046856c54c338f4b79943f8ad6d20a97fe0a48786cd659aff3f55e3a8c4c09cad526975180d1c2905ba028b58dd05a71d3a268153fae62eb5e9fe9184b20f9fbd626b14054c4acd7e2de69934d91cbf239c7a63c9d2721cd466df26eb + Prime2: 0xa3003cd898c297323377adeed7b4b214dc78e8bf0d9c2c0bef54ed53686547971847d7400e1d8055149ef6425e5241f28b43c8d52b48d281ae4fc7d0589ef8ad9ae95a05e2298cf679135cc0dd7378611e363380852313bfdc259cdb2543d5d1d1b492f6035ec72a2025529c5dff6995ad64b1b7dec3a3755a512073a50ba839 + Exponent1: 0xa9eccb076a0f04e9f2331a7c47125fb6fbf34aa0437671ec7ce08c887faa1cb0abf72e958458f2e32cd0a32510d7fb1e48c070ffeb185a59de43bcaa2a394270832b131e36f0f8bab3681b5926ac5ce5e8ae6f68d16f00e2a7441f23f1546103215fbfd396f20d58dd8733a973ef10cde6132a17bda6ed3136f6bde2ef3f6f47 + Exponent2: 0x6caad33b1081ba2177a51e9f3a7876b892fb45d4b3bd72b29f8df38cf043850f65853a2ab413aae36314a42c3ee1814c5cd7db38c785e1abc98a85359069fb1e67463c03ec1bb34efb623dd5e8f7a59614242255ae17627fe819133cc3828e8be1230ca4023f2f716ac38c683eaa4663c8edcbcfe9d7c24e3c3615a26e07c57b + Coefficient: 0xbf865c3ed94693c7f16e04fd73929d7b4a3a296d6113eb9b01e87d5cf3be71afa2f838a5a82a97b55e8309025214312edefd3b77c989054bf28ec81bf3989d698671cb64eac9f016cc136f6ab78ce4d5d3837198eea5ec8ed057ba8e0e6f240a60202171f65be992d7bcd54ee0f803e5bd6b8385223b55440e095b28f01bbd0a + } +# do not change the indenting of that "}" diff --git a/testing/tests/net2net-rsa/posttest.dat b/testing/tests/net2net-rsa/posttest.dat new file mode 100644 index 000000000..52979508d --- /dev/null +++ b/testing/tests/net2net-rsa/posttest.dat @@ -0,0 +1,6 @@ +moon::iptables -v -n -L +sun::iptables -v -n -L +moon::ipsec stop +sun::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +sun::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/net2net-rsa/pretest.dat b/testing/tests/net2net-rsa/pretest.dat new file mode 100644 index 000000000..9e40684ab --- /dev/null +++ b/testing/tests/net2net-rsa/pretest.dat @@ -0,0 +1,8 @@ +moon::/etc/init.d/iptables start 2> /dev/null +sun::/etc/init.d/iptables start 2> /dev/null +moon::rm /etc/ipsec.d/cacerts/* +sun::rm /etc/ipsec.d/cacerts/* +moon::ipsec start +sun::ipsec start +moon::sleep 2 +moon::ipsec up net-net diff --git a/testing/tests/net2net-rsa/test.conf b/testing/tests/net2net-rsa/test.conf new file mode 100644 index 000000000..f74d0f7d6 --- /dev/null +++ b/testing/tests/net2net-rsa/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" diff --git a/testing/tests/net2net-start/description.txt b/testing/tests/net2net-start/description.txt new file mode 100644 index 000000000..f5320685e --- /dev/null +++ b/testing/tests/net2net-start/description.txt @@ -0,0 +1,8 @@ +A tunnel connecting the subnets behind the gateways <b>moon</b> and <b>sun</b>, +respectively, is automatically established by means of the setting +<b>auto=start</b> in ipsec.conf. The connection is tested by client <b>alice</b> +behind gateway <b>moon</b> pinging the client <b>bob</b> located behind +gateway <b>sun</b>. +<p> +<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules +that let pass the tunneled traffic. diff --git a/testing/tests/net2net-start/evaltest.dat b/testing/tests/net2net-start/evaltest.dat new file mode 100644 index 000000000..7cbf92687 --- /dev/null +++ b/testing/tests/net2net-start/evaltest.dat @@ -0,0 +1,5 @@ +moon::ipsec status::net-net.*STATE_QUICK_I2.*IPsec SA established::YES +sun::ipsec status::net-net.*STATE_QUICK_R2.*IPsec SA established::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/net2net-start/hosts/moon/etc/ipsec.conf b/testing/tests/net2net-start/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..677955bc1 --- /dev/null +++ b/testing/tests/net2net-start/hosts/moon/etc/ipsec.conf @@ -0,0 +1,26 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + leftnexthop=%direct + +conn net-net + left=PH_IP_MOON + leftsubnet=10.1.0.0/16 + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftfirewall=yes + right=PH_IP_SUN + rightsubnet=10.2.0.0/16 + rightid=@sun.strongswan.org + auto=start diff --git a/testing/tests/net2net-start/posttest.dat b/testing/tests/net2net-start/posttest.dat new file mode 100644 index 000000000..52979508d --- /dev/null +++ b/testing/tests/net2net-start/posttest.dat @@ -0,0 +1,6 @@ +moon::iptables -v -n -L +sun::iptables -v -n -L +moon::ipsec stop +sun::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +sun::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/net2net-start/pretest.dat b/testing/tests/net2net-start/pretest.dat new file mode 100644 index 000000000..ed8f39316 --- /dev/null +++ b/testing/tests/net2net-start/pretest.dat @@ -0,0 +1,5 @@ +moon::/etc/init.d/iptables start 2> /dev/null +sun::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +sun::ipsec start +alice::sleep 12 diff --git a/testing/tests/net2net-start/test.conf b/testing/tests/net2net-start/test.conf new file mode 100644 index 000000000..d9a61590f --- /dev/null +++ b/testing/tests/net2net-start/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" diff --git a/testing/tests/no-priv-key/description.txt b/testing/tests/no-priv-key/description.txt new file mode 100644 index 000000000..21b8eccb1 --- /dev/null +++ b/testing/tests/no-priv-key/description.txt @@ -0,0 +1,4 @@ +This scenario tests whether the correct encrypted informational messages are +generated by the initiator <b>carol</b> and subsequently decoded by the +responder <b>moon</b> when roadwarrior <b>carol</b> finds out that she +doesn't have a private RSA key to sign her hash with. diff --git a/testing/tests/no-priv-key/evaltest.dat b/testing/tests/no-priv-key/evaltest.dat new file mode 100644 index 000000000..9bd85ba12 --- /dev/null +++ b/testing/tests/no-priv-key/evaltest.dat @@ -0,0 +1,4 @@ +carol::cat /var/log/auth.log::unable to locate my private key for RSA Signature::YES +moon::cat /var/log/auth.log::ignoring informational payload, type AUTHENTICATION_FAILED::YES +moon::ipsec status::rw.*STATE_MAIN_R3.*ISAKMP SA established::NO +carol::ipsec status::home.*STATE_MAIN_I4.*ISAKMP SA established::NO diff --git a/testing/tests/no-priv-key/hosts/carol/etc/ipsec.secrets b/testing/tests/no-priv-key/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..23b311aa6 --- /dev/null +++ b/testing/tests/no-priv-key/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +# missing private RSA key diff --git a/testing/tests/no-priv-key/posttest.dat b/testing/tests/no-priv-key/posttest.dat new file mode 100644 index 000000000..c6d6235f9 --- /dev/null +++ b/testing/tests/no-priv-key/posttest.dat @@ -0,0 +1,2 @@ +moon::ipsec stop +carol::ipsec stop diff --git a/testing/tests/no-priv-key/pretest.dat b/testing/tests/no-priv-key/pretest.dat new file mode 100644 index 000000000..d92333d86 --- /dev/null +++ b/testing/tests/no-priv-key/pretest.dat @@ -0,0 +1,4 @@ +moon::ipsec start +carol::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/no-priv-key/test.conf b/testing/tests/no-priv-key/test.conf new file mode 100644 index 000000000..2b240d895 --- /dev/null +++ b/testing/tests/no-priv-key/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/ocsp-revoked/description.txt b/testing/tests/ocsp-revoked/description.txt new file mode 100644 index 000000000..cbdd1305a --- /dev/null +++ b/testing/tests/ocsp-revoked/description.txt @@ -0,0 +1,7 @@ +By setting <b>strictcrlpolicy=yes</b> a <b>strict CRL policy</b> is enforced on +both roadwarrior <b>carol</b> and gateway <b>moon</b>. Thus when <b>carol</b> initiates +the connection and no current revocation information is available, the Main Mode +negotiation fails but an OCSP request issued to the OCSP server <b>winnetou</b>. +When the second Main Mode trial comes around the OCSP response will be available +but because the certificate presented by carol has been revoked, +the IKE negotatiation will fail.. diff --git a/testing/tests/ocsp-revoked/evaltest.dat b/testing/tests/ocsp-revoked/evaltest.dat new file mode 100644 index 000000000..f5286cb61 --- /dev/null +++ b/testing/tests/ocsp-revoked/evaltest.dat @@ -0,0 +1,6 @@ +moon::cat /var/log/auth.log::X.509 certificate rejected::YES +moon::cat /var/log/auth.log::certificate was revoked::YES +carol::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES +moon::ipsec listocsp:: revoked::YES +moon::ipsec status::rw.*STATE_MAIN_R3.*ISAKMP SA established::NO +carol::ipsec status::home.*STATE_MAIN_I4.*ISAKMP SA established::NO diff --git a/testing/tests/ocsp-revoked/hosts/carol/etc/ipsec.conf b/testing/tests/ocsp-revoked/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..7d4384767 --- /dev/null +++ b/testing/tests/ocsp-revoked/hosts/carol/etc/ipsec.conf @@ -0,0 +1,29 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=yes + +ca strongswan + cacert=strongswanCert.pem + ocspuri=http://ocsp.strongswan.org:8880 + auto=add + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolRevokedCert.pem + leftid=carol@strongswan.org + +conn home + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ocsp-revoked/hosts/carol/etc/ipsec.d/certs/carolRevokedCert.pem b/testing/tests/ocsp-revoked/hosts/carol/etc/ipsec.d/certs/carolRevokedCert.pem new file mode 100644 index 000000000..5b742fc9e --- /dev/null +++ b/testing/tests/ocsp-revoked/hosts/carol/etc/ipsec.d/certs/carolRevokedCert.pem @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEIjCCAwqgAwIBAgIBBzANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA0MDkxMDExMjU0OFoXDTA5MDkwOTExMjU0OFowWjELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh +cmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBAM5413q1B2EF3spcYD1u0ce9AtIHdxmU3+1E0hqV +mLqpIQtyp4SLbrRunxpoVUuEpHWXgLb3C/ljjlKCMWWmhw4wja1rBTjMNJLPj6Bo +5Qn4Oeuqm7/kLHPGbveQGtcSsJCk6iLqFTbq0wsji5Ogq7kmjWgQv0nM2jpofHLv +VOAtWVSj+x2b3OHdl/WpgTgTw1HHjYo7/NOkARdTcZ2/wxxM3z1Abp9iylc45GLN +IL/OzHkT8b5pdokdMvVijz8IslkkewJYXrVQaCNMZg/ydlXOOAEKz0YqnvXQaYs5 +K+s8XvQ2RFCr5oO0fRT2VbiI9TgHnbcnfUi25iHl6txsXg0CAwEAAaOCAQYwggEC +MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBTbA2TH3ca8tgCGkYy9 +OV/MqUTHAzBtBgNVHSMEZjBkgBRdp91wBlEyfue2bbO15eBg6i5N76FJpEcwRTEL +MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT +EnN0cm9uZ1N3YW4gUm9vdCBDQYIBADAfBgNVHREEGDAWgRRjYXJvbEBzdHJvbmdz +d2FuLm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4u +b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBBAUAA4IBAQC9acuCUPEBOrWB +56vS8N9bksQwv/XcYIFYqV73kFBAzOPLX2a9igFGvBPdCxFu/t8JCswzE6to4LFM +2+6Z2QJf442CLPcJKxITahrjJXSxGbzMlmaDvZ5wFCJAlyin+yuInpTwl8rMZe/Q +O5JeJjzGDgWJtnGdkLUk/l2r6sZ/Cmk5rZpuO0hcUHVztMLQYPzqTpuMvC5p4JzL +LWGWhKRhJs53NmxXXodck/ZgaqiTWuQFYlbamJRvzVBfX7c1SWHRJvxSSOPKGIg3 +wphkO2naj/SQD+BNuWTRmZ9YCiLOQ64ybLpJzRZISETdqtLBPKsIqosUZwkxlR1N +9IcgYi5x +-----END CERTIFICATE----- diff --git a/testing/tests/ocsp-revoked/hosts/carol/etc/ipsec.d/private/carolRevokedKey.pem b/testing/tests/ocsp-revoked/hosts/carol/etc/ipsec.d/private/carolRevokedKey.pem new file mode 100644 index 000000000..8aefcc5a6 --- /dev/null +++ b/testing/tests/ocsp-revoked/hosts/carol/etc/ipsec.d/private/carolRevokedKey.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAznjXerUHYQXeylxgPW7Rx70C0gd3GZTf7UTSGpWYuqkhC3Kn +hItutG6fGmhVS4SkdZeAtvcL+WOOUoIxZaaHDjCNrWsFOMw0ks+PoGjlCfg566qb +v+Qsc8Zu95Aa1xKwkKTqIuoVNurTCyOLk6CruSaNaBC/SczaOmh8cu9U4C1ZVKP7 +HZvc4d2X9amBOBPDUceNijv806QBF1Nxnb/DHEzfPUBun2LKVzjkYs0gv87MeRPx +vml2iR0y9WKPPwiyWSR7AlhetVBoI0xmD/J2Vc44AQrPRiqe9dBpizkr6zxe9DZE +UKvmg7R9FPZVuIj1OAedtyd9SLbmIeXq3GxeDQIDAQABAoIBAAUdyXko8z3cP2EU +WO4syNYCQQejV7gykDn48pvmCRrXBhKajLwkGGIwO5ET9MkiSFEBqBbgmFNdvDEf +OMokDkSzv08Ez+RQax0YN57p+oL8u7KzT5i5tsBHsog/8epSdD2hWIv08QGjYAdu +og7OdHLqGabyg0r44I+B91OBysCjU51rDdkhz59AmURdEIJV5xhuGojFM68jaNm2 +MUxDfDuCsRIydjAP0VTUTAUxD4/S5I+jt/GK9aRsEeRH9Q3011iTGMR9viAUBhq/ +khkWNltg9lkOqO7LpnNku4sSv3v4CWge7/T+4RR2vZgv1oSs4ox2UKYoqIqiYIfx +uUcnqQECgYEA+LPiRMoXvlssQWlaFc2k4xga0efs+mWeLglDdc3R3fBEibP/AU07 +a576AgvUJtkI50/WNGKT73O+VtxcXn/N646m/8OtqNXuVKKjsxxNOZEKdO8aOdbt +7lM5WepNiQeaKAFudUxpUiZQx8LCKSsNDiJZKWBu6xAG2O5X32VMZvUCgYEA1Ie+ +rNa490PSC1ym7WbmdAjvGmSOn2GOBfO7BECsPZstccU7D5pZl/89fTfn1TDKP49Y +ScVOuFz7f/u6UJpb/WzI71RXEQOdojLWmF2HDx5osRi3hXEJa20fbPq6DQXCJ8pf +IF37AEqAY4UNSNic0Cw+rGHdWPQhDNXhFWpdu7kCgYEAmv4oNmyoDXbuhrlsbggi +CXE9TbG3a3mm8dPOGf2yHBmf7R2i/6GtNW33Kw1KIwfBV77WpQEGZwWACsv8ONx3 +baUSiHTfpkfk5xQQ5w/tRMISfTuB4agD0jJFnLa7qXl2ZhY2S53aSVsdntDOhi+R +TEy1umah2Za8Xbd0RgHwcn0CgYEAl9Hgg9dfikMIaNVm6W/4cCtxoojy2Sf3LIlP +r1oDsH6JmBwsdJjuJ4ZNhoXJNqID2COuDgTEly7U+jf4gFvEGuT7JPw6tgy/Ln7i +jTVCpaozX08oykpVUEhDirYQ8fyLFaGbEqQQCcUusej59G/IlW0F2F6QoFrEwUaH +46R4EQECgYBEZ7edMkj3dmJH1wxQjp5GJNbrJkS8IKvzza0mDTJdz33CgEX9Oyva +o2iEkDVpvj2SEy28ewt22IRptWKH/3bQfxSCcRV6JFNt3+LongMshRYqq1leqrKa +9fnQVtfTIbIVXwjTZap6BL8R66OeFtexsSFRfDF/8P4n2oF4zmn4qA== +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/ocsp-revoked/hosts/carol/etc/ipsec.secrets b/testing/tests/ocsp-revoked/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..8e31be4cb --- /dev/null +++ b/testing/tests/ocsp-revoked/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA carolRevokedKey.pem diff --git a/testing/tests/ocsp-revoked/hosts/moon/etc/ipsec.conf b/testing/tests/ocsp-revoked/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..7134b6ee9 --- /dev/null +++ b/testing/tests/ocsp-revoked/hosts/moon/etc/ipsec.conf @@ -0,0 +1,40 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=yes + +ca strongswan + cacert=strongswanCert.pem + ocspuri=http://ocsp.strongswan.org:8880 + auto=add + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_MOON + leftnexthop=%direct + leftcert=moonCert.pem + leftid=@moon.strongswan.org + +conn net-net + leftsubnet=10.1.0.0/16 + right=PH_IP_SUN + rightsubnet=10.2.0.0/16 + rightid=@sun.strongswan.org + auto=add + +conn host-host + right=PH_IP_SUN + rightid=@sun.strongswan.org + auto=add + +conn rw + leftsubnet=10.1.0.0/16 + right=%any + auto=add diff --git a/testing/tests/ocsp-revoked/posttest.dat b/testing/tests/ocsp-revoked/posttest.dat new file mode 100644 index 000000000..d883459e7 --- /dev/null +++ b/testing/tests/ocsp-revoked/posttest.dat @@ -0,0 +1,5 @@ +moon::ipsec stop +carol::ipsec stop +winnetou::killall openssl +carol::rm /etc/ipsec.d/private/* +carol::rm /etc/ipsec.d/certs/* diff --git a/testing/tests/ocsp-revoked/pretest.dat b/testing/tests/ocsp-revoked/pretest.dat new file mode 100644 index 000000000..d5516fd3b --- /dev/null +++ b/testing/tests/ocsp-revoked/pretest.dat @@ -0,0 +1,5 @@ +winnetou::/etc/openssl/start-ocsp +moon::ipsec start +carol::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/ocsp-revoked/test.conf b/testing/tests/ocsp-revoked/test.conf new file mode 100644 index 000000000..2b240d895 --- /dev/null +++ b/testing/tests/ocsp-revoked/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/ocsp-strict/description.txt b/testing/tests/ocsp-strict/description.txt new file mode 100644 index 000000000..7cb983140 --- /dev/null +++ b/testing/tests/ocsp-strict/description.txt @@ -0,0 +1,6 @@ +By setting <b>strictcrlpolicy=yes</b> a <b>strict CRL policy</b> is enforced on +both roadwarrior <b>carol</b> and gateway <b>moon</b>. Thus when <b>carol</b> initiates +the connection and no current revocation information is available, the Main Mode +negotiation fails but an OCSP request is issued to the OCSP server <b>winnetou</b>. +When the second Main Mode trial comes around, the OCSP response will be available +and the IKE negotiation completes. diff --git a/testing/tests/ocsp-strict/evaltest.dat b/testing/tests/ocsp-strict/evaltest.dat new file mode 100644 index 000000000..66b27aaac --- /dev/null +++ b/testing/tests/ocsp-strict/evaltest.dat @@ -0,0 +1,8 @@ +moon::cat /var/log/auth.log::X.509 certificate rejected::YES +carol::cat /var/log/auth.log::X.509 certificate rejected::YES +moon::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES +carol::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec listocsp:: good::YES +carol::ipsec listocsp:: good::YES diff --git a/testing/tests/ocsp-strict/hosts/carol/etc/ipsec.conf b/testing/tests/ocsp-strict/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..b34719401 --- /dev/null +++ b/testing/tests/ocsp-strict/hosts/carol/etc/ipsec.conf @@ -0,0 +1,29 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=yes + +ca strongswan + cacert=strongswanCert.pem + ocspuri=http://ocsp.strongswan.org:8880 + auto=add + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolCert.pem + leftid=carol@strongswan.org + +conn home + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ocsp-strict/hosts/moon/etc/ipsec.conf b/testing/tests/ocsp-strict/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..7134b6ee9 --- /dev/null +++ b/testing/tests/ocsp-strict/hosts/moon/etc/ipsec.conf @@ -0,0 +1,40 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=yes + +ca strongswan + cacert=strongswanCert.pem + ocspuri=http://ocsp.strongswan.org:8880 + auto=add + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_MOON + leftnexthop=%direct + leftcert=moonCert.pem + leftid=@moon.strongswan.org + +conn net-net + leftsubnet=10.1.0.0/16 + right=PH_IP_SUN + rightsubnet=10.2.0.0/16 + rightid=@sun.strongswan.org + auto=add + +conn host-host + right=PH_IP_SUN + rightid=@sun.strongswan.org + auto=add + +conn rw + leftsubnet=10.1.0.0/16 + right=%any + auto=add diff --git a/testing/tests/ocsp-strict/posttest.dat b/testing/tests/ocsp-strict/posttest.dat new file mode 100644 index 000000000..117f625f6 --- /dev/null +++ b/testing/tests/ocsp-strict/posttest.dat @@ -0,0 +1,3 @@ +moon::ipsec stop +carol::ipsec stop +winnetou::killall openssl diff --git a/testing/tests/ocsp-strict/pretest.dat b/testing/tests/ocsp-strict/pretest.dat new file mode 100644 index 000000000..d5516fd3b --- /dev/null +++ b/testing/tests/ocsp-strict/pretest.dat @@ -0,0 +1,5 @@ +winnetou::/etc/openssl/start-ocsp +moon::ipsec start +carol::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/ocsp-strict/test.conf b/testing/tests/ocsp-strict/test.conf new file mode 100644 index 000000000..2b240d895 --- /dev/null +++ b/testing/tests/ocsp-strict/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/protoport-dual/description.txt b/testing/tests/protoport-dual/description.txt new file mode 100644 index 000000000..7bed8b959 --- /dev/null +++ b/testing/tests/protoport-dual/description.txt @@ -0,0 +1,6 @@ +Using the <b>left|rightprotoport</b> selectors, two IPsec tunnels +between the roadwarrior <b>carol</b> and the gateway <b>moon</b> are +defined. The first IPsec SA is restricted to ICMP packets and the second +covers TCP-based SSH connections. The established tunnels are tested +by <b>carol</b> by first pinging <b>alice</b> behind <b>moon</b> and +then setting up an SSH session to the same client. diff --git a/testing/tests/protoport-dual/evaltest.dat b/testing/tests/protoport-dual/evaltest.dat new file mode 100644 index 000000000..625c8c54c --- /dev/null +++ b/testing/tests/protoport-dual/evaltest.dat @@ -0,0 +1,7 @@ +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +carol::ping -c 1 PH_IP1_MOON::64 bytes from PH_IP1_MOON: icmp_seq=1::YES +carol::ssh -o ConnectTimeout=5 PH_IP_ALICE hostname::alice::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/protoport-dual/hosts/carol/etc/ipsec.conf b/testing/tests/protoport-dual/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..9e05ecf61 --- /dev/null +++ b/testing/tests/protoport-dual/hosts/carol/etc/ipsec.conf @@ -0,0 +1,31 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add + +conn home-icmp + leftprotoport=icmp + rightprotoport=icmp + +conn home-ssh + leftprotoport=tcp + rightprotoport=tcp/ssh diff --git a/testing/tests/protoport-dual/hosts/moon/etc/ipsec.conf b/testing/tests/protoport-dual/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..84b9b0ba3 --- /dev/null +++ b/testing/tests/protoport-dual/hosts/moon/etc/ipsec.conf @@ -0,0 +1,31 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_MOON + leftnexthop=%direct + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftfirewall=yes + leftsubnet=10.1.0.0/16 + right=%any + auto=add + +conn rw-icmp + lefthostaccess=yes + leftprotoport=icmp + rightprotoport=icmp + +conn rw-ssh + leftprotoport=tcp/ssh + rightprotoport=tcp diff --git a/testing/tests/protoport-dual/posttest.dat b/testing/tests/protoport-dual/posttest.dat new file mode 100644 index 000000000..26848212b --- /dev/null +++ b/testing/tests/protoport-dual/posttest.dat @@ -0,0 +1,6 @@ +moon::iptables -v -n -L +carol::iptables -v -n -L +moon::ipsec stop +carol::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/protoport-dual/pretest.dat b/testing/tests/protoport-dual/pretest.dat new file mode 100644 index 000000000..d3d0061c3 --- /dev/null +++ b/testing/tests/protoport-dual/pretest.dat @@ -0,0 +1,7 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +carol::ipsec start +carol::sleep 2 +carol::ipsec up home-icmp +carol::ipsec up home-ssh diff --git a/testing/tests/protoport-dual/test.conf b/testing/tests/protoport-dual/test.conf new file mode 100644 index 000000000..9cd583b16 --- /dev/null +++ b/testing/tests/protoport-dual/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/protoport-pass/description.txt b/testing/tests/protoport-pass/description.txt new file mode 100644 index 000000000..63744fa47 --- /dev/null +++ b/testing/tests/protoport-pass/description.txt @@ -0,0 +1,13 @@ +The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>. +Using the <b>left|rightprotoport</b> selectors, the IPsec tunnel is +restricted to the ICMP protocol. Upon the successful establishment of the +IPsec tunnel, <b>firewall=yes</b> automatically inserts iptables-based +firewall rules that let pass the tunneled ICMP traffic. In order to test +both tunnel and firewall, <b>carol</b> pings the client <b>alice</b> behind +the gateway <b>moon</b> as well as the inner interface of the gateway. +For the latter ping <b>lefthostaccess=yes</b> is required. +<p> +By default, the native IPsec stack of the Linux 2.6 kernel transmits +protocols and ports not covered by any IPsec SA in the clear. Thus by +selectively opening the firewalls, <b>carol</b> sets up an SSH session to +<b>alice</b> that is not going through the tunnel. diff --git a/testing/tests/protoport-pass/evaltest.dat b/testing/tests/protoport-pass/evaltest.dat new file mode 100644 index 000000000..625c8c54c --- /dev/null +++ b/testing/tests/protoport-pass/evaltest.dat @@ -0,0 +1,7 @@ +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +carol::ping -c 1 PH_IP1_MOON::64 bytes from PH_IP1_MOON: icmp_seq=1::YES +carol::ssh -o ConnectTimeout=5 PH_IP_ALICE hostname::alice::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/protoport-pass/hosts/carol/etc/ipsec.conf b/testing/tests/protoport-pass/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..ade7308f6 --- /dev/null +++ b/testing/tests/protoport-pass/hosts/carol/etc/ipsec.conf @@ -0,0 +1,27 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn home-icmp + left=PH_IP_CAROL + leftnexthop=%direct + leftid=carol@strongswan.org + leftcert=carolCert.pem + leftprotoport=icmp + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightprotoport=icmp + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/protoport-pass/hosts/moon/etc/ipsec.conf b/testing/tests/protoport-pass/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..fd67e2b4b --- /dev/null +++ b/testing/tests/protoport-pass/hosts/moon/etc/ipsec.conf @@ -0,0 +1,27 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn rw-icmp + left=PH_IP_MOON + leftnexthop=%direct + leftsubnet=10.1.0.0/16 + leftprotoport=icmp + leftid=@moon.strongswan.org + leftcert=moonCert.pem + leftfirewall=yes + lefthostaccess=yes + right=%any + rightprotoport=icmp + auto=add diff --git a/testing/tests/protoport-pass/posttest.dat b/testing/tests/protoport-pass/posttest.dat new file mode 100644 index 000000000..26848212b --- /dev/null +++ b/testing/tests/protoport-pass/posttest.dat @@ -0,0 +1,6 @@ +moon::iptables -v -n -L +carol::iptables -v -n -L +moon::ipsec stop +carol::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/protoport-pass/pretest.dat b/testing/tests/protoport-pass/pretest.dat new file mode 100644 index 000000000..13b4ad4a0 --- /dev/null +++ b/testing/tests/protoport-pass/pretest.dat @@ -0,0 +1,10 @@ +moon::/etc/init.d/iptables start 2> /dev/null +moon::iptables -I FORWARD -i eth0 -p tcp -d 10.1.0.0/16 --dport ssh -jACCEPT +moon::iptables -I FORWARD -o eth0 -p tcp -s 10.1.0.0/16 --sport ssh -jACCEPT +carol::/etc/init.d/iptables start 2> /dev/null +carol::iptables -I INPUT -i eth0 -p tcp -s 10.1.0.0/16 --sport ssh -d PH_IP_CAROL -jACCEPT +carol::iptables -I OUTPUT -o eth0 -p tcp -d 10.1.0.0/16 --dport ssh -s PH_IP_CAROL -jACCEPT +moon::ipsec start +carol::ipsec start +carol::sleep 2 +carol::ipsec up home-icmp diff --git a/testing/tests/protoport-pass/test.conf b/testing/tests/protoport-pass/test.conf new file mode 100644 index 000000000..9cd583b16 --- /dev/null +++ b/testing/tests/protoport-pass/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/protoport-route/description.txt b/testing/tests/protoport-route/description.txt new file mode 100644 index 000000000..ec7ec69b0 --- /dev/null +++ b/testing/tests/protoport-route/description.txt @@ -0,0 +1,8 @@ +Using the <b>left|rightprotoport</b> selectors, two IPsec tunnels +between the roadwarrior <b>carol</b> and the gateway <b>moon</b> are +defined. The first IPsec SA is restricted to ICMP packets and the second +covers TCP-based SSH connections. Using <b>add=route</b> %trap +eroutes for these IPsec SAs are prepared on <b>carol</b>. By sending +a ping to the client <b>alice</b> behind <b>moon</b>, the ICMP eroute +is triggered and the corresponding IPsec tunnel is set up. In the same +way an ssh session to <b>alice</b> over the second IPsec SA is established. diff --git a/testing/tests/protoport-route/evaltest.dat b/testing/tests/protoport-route/evaltest.dat new file mode 100644 index 000000000..8f3eb208f --- /dev/null +++ b/testing/tests/protoport-route/evaltest.dat @@ -0,0 +1,8 @@ +carol::ping -c 2 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq::YES +carol::ping -c 2 PH_IP1_MOON::64 bytes from PH_IP1_MOON: icmp_seq::YES +carol::ssh PH_IP_ALICE hostname::alice::YES +carol::cat /var/log/auth.log::initiate on demand::YES +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/protoport-route/hosts/carol/etc/ipsec.conf b/testing/tests/protoport-route/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..31c25c12f --- /dev/null +++ b/testing/tests/protoport-route/hosts/carol/etc/ipsec.conf @@ -0,0 +1,31 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=route + +conn home-icmp + leftprotoport=icmp + rightprotoport=icmp + +conn home-ssh + leftprotoport=tcp + rightprotoport=tcp/ssh diff --git a/testing/tests/protoport-route/hosts/moon/etc/ipsec.conf b/testing/tests/protoport-route/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..84b9b0ba3 --- /dev/null +++ b/testing/tests/protoport-route/hosts/moon/etc/ipsec.conf @@ -0,0 +1,31 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_MOON + leftnexthop=%direct + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftfirewall=yes + leftsubnet=10.1.0.0/16 + right=%any + auto=add + +conn rw-icmp + lefthostaccess=yes + leftprotoport=icmp + rightprotoport=icmp + +conn rw-ssh + leftprotoport=tcp/ssh + rightprotoport=tcp diff --git a/testing/tests/protoport-route/posttest.dat b/testing/tests/protoport-route/posttest.dat new file mode 100644 index 000000000..26848212b --- /dev/null +++ b/testing/tests/protoport-route/posttest.dat @@ -0,0 +1,6 @@ +moon::iptables -v -n -L +carol::iptables -v -n -L +moon::ipsec stop +carol::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/protoport-route/pretest.dat b/testing/tests/protoport-route/pretest.dat new file mode 100644 index 000000000..f233ad48f --- /dev/null +++ b/testing/tests/protoport-route/pretest.dat @@ -0,0 +1,6 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +carol::ipsec start +carol::sleep 2 +carol::ssh PH_IP_ALICE hostname diff --git a/testing/tests/protoport-route/test.conf b/testing/tests/protoport-route/test.conf new file mode 100644 index 000000000..9cd583b16 --- /dev/null +++ b/testing/tests/protoport-route/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/req-pkcs10/description.txt b/testing/tests/req-pkcs10/description.txt new file mode 100644 index 000000000..a958cb8e8 --- /dev/null +++ b/testing/tests/req-pkcs10/description.txt @@ -0,0 +1,11 @@ +Both the roadwarrior <b>carol</b> and the gateway <b>moon</b> generate a +PKCS#1 RSA private key and a PKCS#10 certificate request using the +<b>ipsec scepclient</b> function. Because the UML testing environment +does not offer enough entropy, the non-blocking /dev/urandom device is +used in place of /dev/random for generating the random primes. +<p> +The certificate requests are copied to <b>winnetou</b> where a certification +authority based on OpenSSL issues X.509 certificates by verifying and +signing the PCKS#10 requests. The certificates are then copied back to +the corresponding hosts and used to set up a road warrior connection +initiated by <b>carol</b> diff --git a/testing/tests/req-pkcs10/evaltest.dat b/testing/tests/req-pkcs10/evaltest.dat new file mode 100644 index 000000000..c7657801e --- /dev/null +++ b/testing/tests/req-pkcs10/evaltest.dat @@ -0,0 +1,5 @@ +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/req-pkcs10/hosts/carol/etc/ipsec.conf b/testing/tests/req-pkcs10/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..58e2f1e5b --- /dev/null +++ b/testing/tests/req-pkcs10/hosts/carol/etc/ipsec.conf @@ -0,0 +1,29 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn home + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=myCert.pem + leftid=carol@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add + + + + diff --git a/testing/tests/req-pkcs10/hosts/carol/etc/ipsec.secrets b/testing/tests/req-pkcs10/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..167d743df --- /dev/null +++ b/testing/tests/req-pkcs10/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA myKey.der diff --git a/testing/tests/req-pkcs10/hosts/carol/etc/scepclient.conf b/testing/tests/req-pkcs10/hosts/carol/etc/scepclient.conf new file mode 100644 index 000000000..6afd3fa11 --- /dev/null +++ b/testing/tests/req-pkcs10/hosts/carol/etc/scepclient.conf @@ -0,0 +1,3 @@ +--debug-control +--out pkcs1 +--out pkcs10 diff --git a/testing/tests/req-pkcs10/hosts/moon/etc/ipsec.secrets b/testing/tests/req-pkcs10/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..b9ec17dbc --- /dev/null +++ b/testing/tests/req-pkcs10/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA moonKey.der diff --git a/testing/tests/req-pkcs10/hosts/moon/etc/scepclient.conf b/testing/tests/req-pkcs10/hosts/moon/etc/scepclient.conf new file mode 100644 index 000000000..da8177348 --- /dev/null +++ b/testing/tests/req-pkcs10/hosts/moon/etc/scepclient.conf @@ -0,0 +1,4 @@ +--debug-control +--keylength 2064 +--out pkcs1=moonKey.der +--out pkcs10=moonReq.der diff --git a/testing/tests/req-pkcs10/hosts/winnetou/etc/openssl/yy.txt b/testing/tests/req-pkcs10/hosts/winnetou/etc/openssl/yy.txt new file mode 100644 index 000000000..9b48ee4cf --- /dev/null +++ b/testing/tests/req-pkcs10/hosts/winnetou/etc/openssl/yy.txt @@ -0,0 +1,2 @@ +y +y diff --git a/testing/tests/req-pkcs10/posttest.dat b/testing/tests/req-pkcs10/posttest.dat new file mode 100644 index 000000000..534e3af20 --- /dev/null +++ b/testing/tests/req-pkcs10/posttest.dat @@ -0,0 +1,13 @@ +moon::iptables -v -n -L +carol::iptables -v -n -L +moon::ipsec stop +carol::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +carol::rm /etc/ipsec.d/private/* +carol::rm /etc/ipsec.d/certs/* +carol::rm /etc/ipsec.d/reqs/* +moon::rm /etc/ipsec.d/private/* +moon::rm /etc/ipsec.d/reqs/* +winnetou::rm /etc/openssl/carol* +winnetou::rm /etc/openssl/moon* diff --git a/testing/tests/req-pkcs10/pretest.dat b/testing/tests/req-pkcs10/pretest.dat new file mode 100644 index 000000000..18b8b16e6 --- /dev/null +++ b/testing/tests/req-pkcs10/pretest.dat @@ -0,0 +1,22 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +carol::rm /etc/ipsec.d/private/* +carol::rm /etc/ipsec.d/certs/* +carol::cat /etc/scepclient.conf +carol::ipsec scepclient --dn \"C=CH, O=Linux strongSwan, CN=carol@strongswan.org\" --optionsfrom /etc/scepclient.conf +winnetou::scp carol:/etc/ipsec.d/reqs/myReq.der /etc/openssl/carolReq.der +winnetou::openssl req -inform der -in /etc/openssl/carolReq.der -out /etc/openssl/carolReq.pem +winnetou::cd /etc/openssl; COMMON_NAME="carol@strongswan.org" openssl ca -in carolReq.pem -out carolCert.pem -notext -config openssl.cnf -extensions user_ext < yy.txt +winnetou::scp /etc/openssl/carolCert.pem carol:/etc/ipsec.d/certs/myCert.pem +moon::rm /etc/ipsec.d/private/* +moon::rm /etc/ipsec.d/certs/* +moon::cat /etc/scepclient.conf +moon::ipsec scepclient --dn \"C=CH, O=Linux strongSwan, SN=01, CN=moon.strongswan.org\" --optionsfrom /etc/scepclient.conf +winnetou::scp moon:/etc/ipsec.d/reqs/moonReq.der /etc/openssl/ +winnetou::openssl req -inform der -in /etc/openssl/moonReq.der -out /etc/openssl/moonReq.pem +winnetou::cd /etc/openssl; COMMON_NAME="moon.strongswan.org" openssl ca -in moonReq.pem -out moonCert.pem -notext -config openssl.cnf -extensions host_ext < yy.txt +winnetou::scp /etc/openssl/moonCert.pem moon:/etc/ipsec.d/certs/ +carol::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/req-pkcs10/test.conf b/testing/tests/req-pkcs10/test.conf new file mode 100644 index 000000000..9cd583b16 --- /dev/null +++ b/testing/tests/req-pkcs10/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/rw-cert/description.txt b/testing/tests/rw-cert/description.txt new file mode 100644 index 000000000..8df6b1c0d --- /dev/null +++ b/testing/tests/rw-cert/description.txt @@ -0,0 +1,6 @@ +The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>. +The authentication is based on <b>X.509 certificates</b>. Upon the successful +establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically +inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, <b>carol</b> pings the client +<b>alice</b> behind the gateway <b>moon</b>. diff --git a/testing/tests/rw-cert/evaltest.dat b/testing/tests/rw-cert/evaltest.dat new file mode 100644 index 000000000..c7657801e --- /dev/null +++ b/testing/tests/rw-cert/evaltest.dat @@ -0,0 +1,5 @@ +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/rw-cert/posttest.dat b/testing/tests/rw-cert/posttest.dat new file mode 100644 index 000000000..26848212b --- /dev/null +++ b/testing/tests/rw-cert/posttest.dat @@ -0,0 +1,6 @@ +moon::iptables -v -n -L +carol::iptables -v -n -L +moon::ipsec stop +carol::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/rw-cert/pretest.dat b/testing/tests/rw-cert/pretest.dat new file mode 100644 index 000000000..bd68efb0b --- /dev/null +++ b/testing/tests/rw-cert/pretest.dat @@ -0,0 +1,6 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +carol::ipsec start +moon::ipsec start +sleep 2 +carol::ipsec up home diff --git a/testing/tests/rw-cert/test.conf b/testing/tests/rw-cert/test.conf new file mode 100644 index 000000000..9cd583b16 --- /dev/null +++ b/testing/tests/rw-cert/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/rw-psk-fqdn-named/description.txt b/testing/tests/rw-psk-fqdn-named/description.txt new file mode 100644 index 000000000..adfab2f4d --- /dev/null +++ b/testing/tests/rw-psk-fqdn-named/description.txt @@ -0,0 +1,11 @@ +The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>. The authentication is +based on <b>Preshared Keys</b> (PSK) and <b>Fully Qualified Domain Names</b> (ID_FQDN). +<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass the +tunneled traffic. In order to test the tunnel <b>carol</b> pings the client <b>alice</b> behind +the gateway <b>moon</b>. +<p> +The significant difference between this scenario and the test +<a href="../rw-psk-fqdn"><b>rw-psk-fqdn</b></a> +is the additional line <b>rightid=@carol.strongswan.org</b> by which gateway +<b>moon</b> restricts the roadwarrior connection to host <b>carol</b>. +</p> diff --git a/testing/tests/rw-psk-fqdn-named/evaltest.dat b/testing/tests/rw-psk-fqdn-named/evaltest.dat new file mode 100644 index 000000000..c7657801e --- /dev/null +++ b/testing/tests/rw-psk-fqdn-named/evaltest.dat @@ -0,0 +1,5 @@ +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/rw-psk-fqdn-named/hosts/carol/etc/ipsec.conf b/testing/tests/rw-psk-fqdn-named/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..da5e198a8 --- /dev/null +++ b/testing/tests/rw-psk-fqdn-named/hosts/carol/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + authby=secret + leftnexthop=%direct + +conn home + left=PH_IP_CAROL + leftid=@carol.strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/rw-psk-fqdn-named/hosts/carol/etc/ipsec.secrets b/testing/tests/rw-psk-fqdn-named/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..db3884e57 --- /dev/null +++ b/testing/tests/rw-psk-fqdn-named/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,7 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +@carol.strongswan.org @moon.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL + + + + diff --git a/testing/tests/rw-psk-fqdn-named/hosts/moon/etc/ipsec.conf b/testing/tests/rw-psk-fqdn-named/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..c32dfaf9b --- /dev/null +++ b/testing/tests/rw-psk-fqdn-named/hosts/moon/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + authby=secret + leftnexthop=%direct + +conn rw-carol + left=PH_IP_MOON + leftsubnet=10.1.0.0/16 + leftid=@moon.strongswan.org + leftfirewall=yes + right=%any + rightid=@carol.strongswan.org + auto=add diff --git a/testing/tests/rw-psk-fqdn-named/hosts/moon/etc/ipsec.secrets b/testing/tests/rw-psk-fqdn-named/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..6281340ae --- /dev/null +++ b/testing/tests/rw-psk-fqdn-named/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,7 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +@moon.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL + + + + diff --git a/testing/tests/rw-psk-fqdn-named/posttest.dat b/testing/tests/rw-psk-fqdn-named/posttest.dat new file mode 100644 index 000000000..26848212b --- /dev/null +++ b/testing/tests/rw-psk-fqdn-named/posttest.dat @@ -0,0 +1,6 @@ +moon::iptables -v -n -L +carol::iptables -v -n -L +moon::ipsec stop +carol::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/rw-psk-fqdn-named/pretest.dat b/testing/tests/rw-psk-fqdn-named/pretest.dat new file mode 100644 index 000000000..dbf03f552 --- /dev/null +++ b/testing/tests/rw-psk-fqdn-named/pretest.dat @@ -0,0 +1,8 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +moon::rm /etc/ipsec.d/cacerts/* +carol::rm /etc/ipsec.d/cacerts/* +carol::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/rw-psk-fqdn-named/test.conf b/testing/tests/rw-psk-fqdn-named/test.conf new file mode 100644 index 000000000..9cd583b16 --- /dev/null +++ b/testing/tests/rw-psk-fqdn-named/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/rw-psk-fqdn/description.txt b/testing/tests/rw-psk-fqdn/description.txt new file mode 100644 index 000000000..d6c79afb2 --- /dev/null +++ b/testing/tests/rw-psk-fqdn/description.txt @@ -0,0 +1,5 @@ +The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>. The authentication is +based on <b>Preshared Keys</b> (PSK) and <b>Fully Qualified Domain Names</b> (ID_FQDN). +<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass the +tunneled traffic. In order to test the tunnel <b>carol</b> pings the client <b>alice</b> behind +the gateway <b>moon</b>. diff --git a/testing/tests/rw-psk-fqdn/evaltest.dat b/testing/tests/rw-psk-fqdn/evaltest.dat new file mode 100644 index 000000000..c7657801e --- /dev/null +++ b/testing/tests/rw-psk-fqdn/evaltest.dat @@ -0,0 +1,5 @@ +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/rw-psk-fqdn/hosts/carol/etc/ipsec.conf b/testing/tests/rw-psk-fqdn/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..da5e198a8 --- /dev/null +++ b/testing/tests/rw-psk-fqdn/hosts/carol/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + authby=secret + leftnexthop=%direct + +conn home + left=PH_IP_CAROL + leftid=@carol.strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/rw-psk-fqdn/hosts/carol/etc/ipsec.secrets b/testing/tests/rw-psk-fqdn/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..db3884e57 --- /dev/null +++ b/testing/tests/rw-psk-fqdn/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,7 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +@carol.strongswan.org @moon.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL + + + + diff --git a/testing/tests/rw-psk-fqdn/hosts/moon/etc/ipsec.conf b/testing/tests/rw-psk-fqdn/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..9a894806c --- /dev/null +++ b/testing/tests/rw-psk-fqdn/hosts/moon/etc/ipsec.conf @@ -0,0 +1,22 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + authby=secret + leftnexthop=%direct + +conn rw + left=PH_IP_MOON + leftsubnet=10.1.0.0/16 + leftid=@moon.strongswan.org + leftfirewall=yes + right=%any + auto=add diff --git a/testing/tests/rw-psk-fqdn/hosts/moon/etc/ipsec.secrets b/testing/tests/rw-psk-fqdn/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..6281340ae --- /dev/null +++ b/testing/tests/rw-psk-fqdn/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,7 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +@moon.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL + + + + diff --git a/testing/tests/rw-psk-fqdn/posttest.dat b/testing/tests/rw-psk-fqdn/posttest.dat new file mode 100644 index 000000000..26848212b --- /dev/null +++ b/testing/tests/rw-psk-fqdn/posttest.dat @@ -0,0 +1,6 @@ +moon::iptables -v -n -L +carol::iptables -v -n -L +moon::ipsec stop +carol::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/rw-psk-fqdn/pretest.dat b/testing/tests/rw-psk-fqdn/pretest.dat new file mode 100644 index 000000000..dbf03f552 --- /dev/null +++ b/testing/tests/rw-psk-fqdn/pretest.dat @@ -0,0 +1,8 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +moon::rm /etc/ipsec.d/cacerts/* +carol::rm /etc/ipsec.d/cacerts/* +carol::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/rw-psk-fqdn/test.conf b/testing/tests/rw-psk-fqdn/test.conf new file mode 100644 index 000000000..9cd583b16 --- /dev/null +++ b/testing/tests/rw-psk-fqdn/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/rw-psk-ipv4/description.txt b/testing/tests/rw-psk-ipv4/description.txt new file mode 100644 index 000000000..b3a0bc192 --- /dev/null +++ b/testing/tests/rw-psk-ipv4/description.txt @@ -0,0 +1,5 @@ +The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>. The authentication is +based on <b>Preshared Keys</b> (PSK) and <b>IPv4 addresses</b> (ID_IPV4_ADDR). +<b>firewall=yes</b> automatically inserts iptables-based firewall rules that let pass +the tunneled traffic. In order to test the tunnel <b>carol</b> pings the client <b>alice</b> +behind the gateway <b>moon</b>. diff --git a/testing/tests/rw-psk-ipv4/evaltest.dat b/testing/tests/rw-psk-ipv4/evaltest.dat new file mode 100644 index 000000000..c7657801e --- /dev/null +++ b/testing/tests/rw-psk-ipv4/evaltest.dat @@ -0,0 +1,5 @@ +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/rw-psk-ipv4/hosts/carol/etc/ipsec.conf b/testing/tests/rw-psk-ipv4/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..2c0227b7a --- /dev/null +++ b/testing/tests/rw-psk-ipv4/hosts/carol/etc/ipsec.conf @@ -0,0 +1,21 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + authby=secret + leftnexthop=%direct + +conn home + left=PH_IP_CAROL + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/rw-psk-ipv4/hosts/carol/etc/ipsec.secrets b/testing/tests/rw-psk-ipv4/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..69313b289 --- /dev/null +++ b/testing/tests/rw-psk-ipv4/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,7 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +PH_IP_CAROL PH_IP_MOON : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL + + + + diff --git a/testing/tests/rw-psk-ipv4/hosts/moon/etc/ipsec.conf b/testing/tests/rw-psk-ipv4/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..a75d4e222 --- /dev/null +++ b/testing/tests/rw-psk-ipv4/hosts/moon/etc/ipsec.conf @@ -0,0 +1,21 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + authby=secret + leftnexthop=%direct + +conn rw + left=PH_IP_MOON + leftsubnet=10.1.0.0/16 + leftfirewall=yes + right=%any + auto=add diff --git a/testing/tests/rw-psk-ipv4/hosts/moon/etc/ipsec.secrets b/testing/tests/rw-psk-ipv4/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..a8e367950 --- /dev/null +++ b/testing/tests/rw-psk-ipv4/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,7 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +PH_IP_MOON %any : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL + + + + diff --git a/testing/tests/rw-psk-ipv4/posttest.dat b/testing/tests/rw-psk-ipv4/posttest.dat new file mode 100644 index 000000000..26848212b --- /dev/null +++ b/testing/tests/rw-psk-ipv4/posttest.dat @@ -0,0 +1,6 @@ +moon::iptables -v -n -L +carol::iptables -v -n -L +moon::ipsec stop +carol::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/rw-psk-ipv4/pretest.dat b/testing/tests/rw-psk-ipv4/pretest.dat new file mode 100644 index 000000000..dbf03f552 --- /dev/null +++ b/testing/tests/rw-psk-ipv4/pretest.dat @@ -0,0 +1,8 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +moon::rm /etc/ipsec.d/cacerts/* +carol::rm /etc/ipsec.d/cacerts/* +carol::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/rw-psk-ipv4/test.conf b/testing/tests/rw-psk-ipv4/test.conf new file mode 100644 index 000000000..9cd583b16 --- /dev/null +++ b/testing/tests/rw-psk-ipv4/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/rw-psk-no-policy/description.txt b/testing/tests/rw-psk-no-policy/description.txt new file mode 100644 index 000000000..0e359414f --- /dev/null +++ b/testing/tests/rw-psk-no-policy/description.txt @@ -0,0 +1,3 @@ +The roadwarrior <b>carol</b> wants to set up a connection to gateway <b>moon</b> using +<b>PSK</b>-based authentication. Since <b>moon</b> supports <b>RSASIG</b>-based +authentication only, the connection setup fails. diff --git a/testing/tests/rw-psk-no-policy/evaltest.dat b/testing/tests/rw-psk-no-policy/evaltest.dat new file mode 100644 index 000000000..a28377dbd --- /dev/null +++ b/testing/tests/rw-psk-no-policy/evaltest.dat @@ -0,0 +1,5 @@ +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::NO +moon::cat /var/log/auth.log::peer requests PSK authentication::YES +moon::cat /var/log/auth.log::but no connection has been authorized with policy=PSK::YES +moon::ipsec status::*PH_IP_CAROL STATE_QUICK_R2.*IPsec SA established::NO + diff --git a/testing/tests/rw-psk-no-policy/hosts/carol/etc/ipsec.conf b/testing/tests/rw-psk-no-policy/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..413eff762 --- /dev/null +++ b/testing/tests/rw-psk-no-policy/hosts/carol/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn home + authby=secret + left=PH_IP_CAROL + leftnexthop=%direct + leftid=carol@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/rw-psk-no-policy/hosts/carol/etc/ipsec.secrets b/testing/tests/rw-psk-no-policy/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..1b721dc58 --- /dev/null +++ b/testing/tests/rw-psk-no-policy/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,7 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL + + + + diff --git a/testing/tests/rw-psk-no-policy/hosts/moon/etc/ipsec.conf b/testing/tests/rw-psk-no-policy/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..ac63abdc9 --- /dev/null +++ b/testing/tests/rw-psk-no-policy/hosts/moon/etc/ipsec.conf @@ -0,0 +1,22 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn rw + left=PH_IP_MOON + leftnexthop=%direct + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + leftfirewall=yes + right=%any + auto=add diff --git a/testing/tests/rw-psk-no-policy/posttest.dat b/testing/tests/rw-psk-no-policy/posttest.dat new file mode 100644 index 000000000..c6d6235f9 --- /dev/null +++ b/testing/tests/rw-psk-no-policy/posttest.dat @@ -0,0 +1,2 @@ +moon::ipsec stop +carol::ipsec stop diff --git a/testing/tests/rw-psk-no-policy/pretest.dat b/testing/tests/rw-psk-no-policy/pretest.dat new file mode 100644 index 000000000..3a7804ddd --- /dev/null +++ b/testing/tests/rw-psk-no-policy/pretest.dat @@ -0,0 +1,5 @@ +carol::rm /etc/ipsec.d/cacerts/* +carol::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/rw-psk-no-policy/test.conf b/testing/tests/rw-psk-no-policy/test.conf new file mode 100644 index 000000000..f622c18b7 --- /dev/null +++ b/testing/tests/rw-psk-no-policy/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/rw-psk-rsa-mixed/description.txt b/testing/tests/rw-psk-rsa-mixed/description.txt new file mode 100644 index 000000000..b99a8e5b3 --- /dev/null +++ b/testing/tests/rw-psk-rsa-mixed/description.txt @@ -0,0 +1,5 @@ +The roadwarriors <b>carol</b> and <b>dave</b> each set up a connection to gateway <b>moon</b>. +<b>carol</b>'s authentication is based on a Pre-Shared Key (<b>PSK</b>) whereas <b>dave</b>'s +is based on an RSA signature (<b>RSASIG</b>). Gateway <b>moon</b> supports both authentication modes +and automatically selects the correct roadwarrior connection definition based on policy +information gained from pre-parsing the peers' ISAKMP proposal payload. diff --git a/testing/tests/rw-psk-rsa-mixed/evaltest.dat b/testing/tests/rw-psk-rsa-mixed/evaltest.dat new file mode 100644 index 000000000..9e1354121 --- /dev/null +++ b/testing/tests/rw-psk-rsa-mixed/evaltest.dat @@ -0,0 +1,7 @@ +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::cat /var/log/auth.log::peer requests PSK authentication::YES +moon::ipsec status::rw-psk.*PH_IP_CAROL STATE_QUICK_R2.*IPsec SA established::YES +moon::cat /var/log/auth.log::peer requests RSASIG authentication::YES +moon::ipsec status::rw-rsasig.*PH_IP_DAVE STATE_QUICK_R2.*IPsec SA established::YES + diff --git a/testing/tests/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.conf b/testing/tests/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..69e13b538 --- /dev/null +++ b/testing/tests/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + ike=aes128,serpent128,twofish128,3des + +conn home + authby=secret + left=PH_IP_CAROL + leftnexthop=%direct + leftid=carol@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.secrets b/testing/tests/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..1b721dc58 --- /dev/null +++ b/testing/tests/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,7 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL + + + + diff --git a/testing/tests/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.conf b/testing/tests/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..b23248b5b --- /dev/null +++ b/testing/tests/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.conf @@ -0,0 +1,27 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_MOON + leftnexthop=%direct + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + leftfirewall=yes + right=%any + +conn rw-rsasig + authby=rsasig + leftcert=moonCert.pem + auto=add + +conn rw-psk + authby=secret + auto=add diff --git a/testing/tests/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.secrets b/testing/tests/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..fd33507a7 --- /dev/null +++ b/testing/tests/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,5 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL + +: RSA moonKey.pem diff --git a/testing/tests/rw-psk-rsa-mixed/posttest.dat b/testing/tests/rw-psk-rsa-mixed/posttest.dat new file mode 100644 index 000000000..ed530f6d9 --- /dev/null +++ b/testing/tests/rw-psk-rsa-mixed/posttest.dat @@ -0,0 +1,3 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop diff --git a/testing/tests/rw-psk-rsa-mixed/pretest.dat b/testing/tests/rw-psk-rsa-mixed/pretest.dat new file mode 100644 index 000000000..35797b589 --- /dev/null +++ b/testing/tests/rw-psk-rsa-mixed/pretest.dat @@ -0,0 +1,7 @@ +carol::rm /etc/ipsec.d/cacerts/* +carol::ipsec start +dave::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home +dave::ipsec up home diff --git a/testing/tests/rw-psk-rsa-mixed/test.conf b/testing/tests/rw-psk-rsa-mixed/test.conf new file mode 100644 index 000000000..699b88e88 --- /dev/null +++ b/testing/tests/rw-psk-rsa-mixed/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol dave winnetou" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/rw-rsa-no-policy/description.txt b/testing/tests/rw-rsa-no-policy/description.txt new file mode 100644 index 000000000..c3336b769 --- /dev/null +++ b/testing/tests/rw-rsa-no-policy/description.txt @@ -0,0 +1,3 @@ +The roadwarrior <b>carol</b> wants to set up a connection to gateway <b>moon</b> using +<b>RSASIG</b>-based authentication. Since <b>moon</b> supports <b>PSK</b>-based +authentication only, the connection setup fails. diff --git a/testing/tests/rw-rsa-no-policy/evaltest.dat b/testing/tests/rw-rsa-no-policy/evaltest.dat new file mode 100644 index 000000000..188b7bbb5 --- /dev/null +++ b/testing/tests/rw-rsa-no-policy/evaltest.dat @@ -0,0 +1,5 @@ +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::NO +moon::cat /var/log/auth.log::peer requests RSASIG authentication::YES +moon::cat /var/log/auth.log::but no connection has been authorized with policy=RSASIG::YES +moon::ipsec status::*PH_IP_CAROL STATE_QUICK_R2.*IPsec SA established::NO + diff --git a/testing/tests/rw-rsa-no-policy/hosts/moon/etc/ipsec.conf b/testing/tests/rw-rsa-no-policy/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..b9318c058 --- /dev/null +++ b/testing/tests/rw-rsa-no-policy/hosts/moon/etc/ipsec.conf @@ -0,0 +1,22 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn rw-psk + authby=secret + left=PH_IP_MOON + leftnexthop=%direct + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + leftfirewall=yes + right=%any + auto=add diff --git a/testing/tests/rw-rsa-no-policy/hosts/moon/etc/ipsec.secrets b/testing/tests/rw-rsa-no-policy/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..e8c151f05 --- /dev/null +++ b/testing/tests/rw-rsa-no-policy/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL diff --git a/testing/tests/rw-rsa-no-policy/posttest.dat b/testing/tests/rw-rsa-no-policy/posttest.dat new file mode 100644 index 000000000..c6d6235f9 --- /dev/null +++ b/testing/tests/rw-rsa-no-policy/posttest.dat @@ -0,0 +1,2 @@ +moon::ipsec stop +carol::ipsec stop diff --git a/testing/tests/rw-rsa-no-policy/pretest.dat b/testing/tests/rw-rsa-no-policy/pretest.dat new file mode 100644 index 000000000..0d2a0dd1f --- /dev/null +++ b/testing/tests/rw-rsa-no-policy/pretest.dat @@ -0,0 +1,5 @@ +moon::rm /etc/ipsec.d/cacerts/* +carol::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/rw-rsa-no-policy/test.conf b/testing/tests/rw-rsa-no-policy/test.conf new file mode 100644 index 000000000..f622c18b7 --- /dev/null +++ b/testing/tests/rw-rsa-no-policy/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/self-signed/description.txt b/testing/tests/self-signed/description.txt new file mode 100644 index 000000000..2d7bfc2bf --- /dev/null +++ b/testing/tests/self-signed/description.txt @@ -0,0 +1,8 @@ +Roadwarrior <b>carol</b> and gateway <b>moon</b> each generate a +PKCS#1 RSA private key and a self-signed X.509 certificate +using the <b>ipsec scepclient</b> function. Because the UML testing +environment does not offer enough entropy, the non-blocking /dev/urandom +device is used in place of /dev/random for generating the random primes. +<p> +The self-signed certificates are then distributed to the peers via scp +and are used to set up a road warrior connection initiated by <b>carol</b> diff --git a/testing/tests/self-signed/evaltest.dat b/testing/tests/self-signed/evaltest.dat new file mode 100644 index 000000000..f190d7066 --- /dev/null +++ b/testing/tests/self-signed/evaltest.dat @@ -0,0 +1,7 @@ +carol::cat /var/log/auth.log::we have a cert but are not sending it::YES +moon::cat /var/log/auth.log::we have a cert but are not sending it::YES +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::carol.*STATE_QUICK_R2.*IPsec SA established::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/self-signed/hosts/carol/etc/ipsec.conf b/testing/tests/self-signed/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..fcf7a1754 --- /dev/null +++ b/testing/tests/self-signed/hosts/carol/etc/ipsec.conf @@ -0,0 +1,27 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=0 + strictcrlpolicy=no + nocrsend=yes + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn home + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=selfCert.der + leftsendcert=never + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightcert=peerCert.der + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/self-signed/hosts/carol/etc/ipsec.secrets b/testing/tests/self-signed/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..167d743df --- /dev/null +++ b/testing/tests/self-signed/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA myKey.der diff --git a/testing/tests/self-signed/hosts/moon/etc/init.d/iptables b/testing/tests/self-signed/hosts/moon/etc/init.d/iptables new file mode 100755 index 000000000..13ad3063f --- /dev/null +++ b/testing/tests/self-signed/hosts/moon/etc/init.d/iptables @@ -0,0 +1,78 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +opts="start stop reload" + +depend() { + before net + need logger +} + +start() { + ebegin "Starting firewall" + + # enable IP forwarding + echo 1 > /proc/sys/net/ipv4/ip_forward + + # default policy is DROP + /sbin/iptables -P INPUT DROP + /sbin/iptables -P OUTPUT DROP + /sbin/iptables -P FORWARD DROP + + # allow esp + iptables -A INPUT -i eth0 -p 50 -j ACCEPT + iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT + + # allow IKE + iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT + iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + + # allow crl fetch from winnetou + iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT + iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + + # allow ssh + iptables -A INPUT -p tcp --dport 22 -j ACCEPT + iptables -A INPUT -p tcp --sport 22 -j ACCEPT + iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT + iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT + + eend $? +} + +stop() { + ebegin "Stopping firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + + if [ $a == nat ]; then + /sbin/iptables -t nat -P PREROUTING ACCEPT + /sbin/iptables -t nat -P POSTROUTING ACCEPT + /sbin/iptables -t nat -P OUTPUT ACCEPT + elif [ $a == mangle ]; then + /sbin/iptables -t mangle -P PREROUTING ACCEPT + /sbin/iptables -t mangle -P INPUT ACCEPT + /sbin/iptables -t mangle -P FORWARD ACCEPT + /sbin/iptables -t mangle -P OUTPUT ACCEPT + /sbin/iptables -t mangle -P POSTROUTING ACCEPT + elif [ $a == filter ]; then + /sbin/iptables -t filter -P INPUT ACCEPT + /sbin/iptables -t filter -P FORWARD ACCEPT + /sbin/iptables -t filter -P OUTPUT ACCEPT + fi + done + eend $? +} + +reload() { + ebegin "Flushing firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + done; + eend $? + start +} + diff --git a/testing/tests/self-signed/hosts/moon/etc/ipsec.conf b/testing/tests/self-signed/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..7d7f42b06 --- /dev/null +++ b/testing/tests/self-signed/hosts/moon/etc/ipsec.conf @@ -0,0 +1,28 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=0 + strictcrlpolicy=no + nocrsend=yes + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn carol + left=192.168.0.1 + leftnexthop=%direct + leftcert=moonCert.der + leftid=@moon.strongswan.org + leftsendcert=never + leftfirewall=yes + leftsubnet=10.1.0.0/16 + right=%any + rightcert=carolCert.der + auto=add + diff --git a/testing/tests/self-signed/hosts/moon/etc/ipsec.secrets b/testing/tests/self-signed/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..b9ec17dbc --- /dev/null +++ b/testing/tests/self-signed/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA moonKey.der diff --git a/testing/tests/self-signed/hosts/moon/etc/scepclient.conf b/testing/tests/self-signed/hosts/moon/etc/scepclient.conf new file mode 100644 index 000000000..b84f3e131 --- /dev/null +++ b/testing/tests/self-signed/hosts/moon/etc/scepclient.conf @@ -0,0 +1,6 @@ +--debug-control +--keylength 2032 +--days 1460 +--subjectAltName dns=moon.strongswan.org +--out pkcs1=moonKey.der +--out cert-self=moonCert.der diff --git a/testing/tests/self-signed/posttest.dat b/testing/tests/self-signed/posttest.dat new file mode 100644 index 000000000..52b48b9ef --- /dev/null +++ b/testing/tests/self-signed/posttest.dat @@ -0,0 +1,10 @@ +moon::iptables -v -n -L +carol::iptables -v -n -L +moon::ipsec stop +carol::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +carol::rm /etc/ipsec.d/private/* +carol::rm /etc/ipsec.d/certs/* +moon::rm /etc/ipsec.d/private/* +moon::rm /etc/ipsec.d/certs/* diff --git a/testing/tests/self-signed/pretest.dat b/testing/tests/self-signed/pretest.dat new file mode 100644 index 000000000..a7cddf677 --- /dev/null +++ b/testing/tests/self-signed/pretest.dat @@ -0,0 +1,17 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +carol::rm /etc/ipsec.d/private/* +carol::rm /etc/ipsec.d/certs/* +carol::rm /etc/ipsec.d/cacerts/* +carol::ipsec scepclient --out pkcs1 --out cert-self +moon::rm /etc/ipsec.d/private/* +moon::rm /etc/ipsec.d/certs/* +moon::rm /etc/ipsec.d/cacerts/* +moon::cat /etc/scepclient.conf +moon::ipsec scepclient --dn \"C=CH, O=Linux strongSwan, CN=moon.strongswan.org\" --optionsfrom /etc/scepclient.conf +moon::scp carol:/etc/ipsec.d/certs/selfCert.der /etc/ipsec.d/certs/carolCert.der +moon::scp /etc/ipsec.d/certs/moonCert.der carol:/etc/ipsec.d/certs/peerCert.der +carol::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/self-signed/test.conf b/testing/tests/self-signed/test.conf new file mode 100644 index 000000000..0baa48d90 --- /dev/null +++ b/testing/tests/self-signed/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol" + +# Corresponding block diagram +# +DIAGRAM="a-m-c.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/starter-also-loop/description.txt b/testing/tests/starter-also-loop/description.txt new file mode 100644 index 000000000..7451f4e12 --- /dev/null +++ b/testing/tests/starter-also-loop/description.txt @@ -0,0 +1,4 @@ +This scenario is the same as test <b><a href="../rw-cert">rw-cert</a></b> but +uses the <b>also</b> parameter in <b>moon</b>'s ipsec.conf in order to define +the connections in a modular form. A closed also loop created by including +<b>conn host-host</b> in <b>conn moon</b> is successfully detected. diff --git a/testing/tests/starter-also-loop/evaltest.dat b/testing/tests/starter-also-loop/evaltest.dat new file mode 100644 index 000000000..161772f8e --- /dev/null +++ b/testing/tests/starter-also-loop/evaltest.dat @@ -0,0 +1,3 @@ +moon::cat /var/log/auth.log::detected also loop::YES +moon::cat /var/log/auth.log::errors in config::YES + diff --git a/testing/tests/starter-also-loop/hosts/moon/etc/ipsec.conf b/testing/tests/starter-also-loop/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..e1d210253 --- /dev/null +++ b/testing/tests/starter-also-loop/hosts/moon/etc/ipsec.conf @@ -0,0 +1,48 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn net-net + also=host-host + also=moon-net + also=sun-net + +conn host-host + also=moon + also=sun + auto=add + +conn rw + right=%any + also=moon + also=moon-net + auto=add + +conn moon + left=192.168.0.1 + leftnexthop=%direct + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftfirewall=yes + also=host-host + +conn moon-net + leftsubnet=10.1.0.0/16 + +conn sun + right=192.168.0.2 + rightid=@sun.strongswan.org + +conn sun-net + rightsubnet=10.2.0.0/16 diff --git a/testing/tests/starter-also-loop/posttest.dat b/testing/tests/starter-also-loop/posttest.dat new file mode 100644 index 000000000..e69de29bb --- /dev/null +++ b/testing/tests/starter-also-loop/posttest.dat diff --git a/testing/tests/starter-also-loop/pretest.dat b/testing/tests/starter-also-loop/pretest.dat new file mode 100644 index 000000000..aa46124dc --- /dev/null +++ b/testing/tests/starter-also-loop/pretest.dat @@ -0,0 +1 @@ +moon::ipsec start --debug-all diff --git a/testing/tests/starter-also-loop/test.conf b/testing/tests/starter-also-loop/test.conf new file mode 100644 index 000000000..e7735308f --- /dev/null +++ b/testing/tests/starter-also-loop/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon" diff --git a/testing/tests/starter-also/description.txt b/testing/tests/starter-also/description.txt new file mode 100644 index 000000000..3d4ff7dbf --- /dev/null +++ b/testing/tests/starter-also/description.txt @@ -0,0 +1,3 @@ +This scenario is the same as test <b><a href="../rw-cert">rw-cert</a></b> but +uses the <b>also</b> parameter in <b>moon</b>'s ipsec.conf in order to define +the connections in a modular form. diff --git a/testing/tests/starter-also/evaltest.dat b/testing/tests/starter-also/evaltest.dat new file mode 100644 index 000000000..c7657801e --- /dev/null +++ b/testing/tests/starter-also/evaltest.dat @@ -0,0 +1,5 @@ +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/starter-also/hosts/moon/etc/ipsec.conf b/testing/tests/starter-also/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..74d009cfa --- /dev/null +++ b/testing/tests/starter-also/hosts/moon/etc/ipsec.conf @@ -0,0 +1,47 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn net-net + also=host-host + also=moon-net + also=sun-net + +conn host-host + also=moon + also=sun + auto=add + +conn rw + right=%any + also=moon + also=moon-net + auto=add + +conn moon + left=192.168.0.1 + leftnexthop=%direct + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftfirewall=yes + +conn moon-net + leftsubnet=10.1.0.0/16 + +conn sun + right=192.168.0.2 + rightid=@sun.strongswan.org + +conn sun-net + rightsubnet=10.2.0.0/16 diff --git a/testing/tests/starter-also/posttest.dat b/testing/tests/starter-also/posttest.dat new file mode 100644 index 000000000..26848212b --- /dev/null +++ b/testing/tests/starter-also/posttest.dat @@ -0,0 +1,6 @@ +moon::iptables -v -n -L +carol::iptables -v -n -L +moon::ipsec stop +carol::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/starter-also/pretest.dat b/testing/tests/starter-also/pretest.dat new file mode 100644 index 000000000..4f96e61df --- /dev/null +++ b/testing/tests/starter-also/pretest.dat @@ -0,0 +1,6 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +carol::ipsec start +moon::ipsec start --debug-all +sleep 2 +carol::ipsec up home diff --git a/testing/tests/starter-also/test.conf b/testing/tests/starter-also/test.conf new file mode 100644 index 000000000..9cd583b16 --- /dev/null +++ b/testing/tests/starter-also/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/starter-includes/description.txt b/testing/tests/starter-includes/description.txt new file mode 100644 index 000000000..6a05c0cca --- /dev/null +++ b/testing/tests/starter-includes/description.txt @@ -0,0 +1,6 @@ +This test is based on the <a href="../mode-config">mode-config</a> +scenario and demonstrates the multiple use of the <b>include</b> +parameter in IPsec configuration files. At the top level <b>/etc/ipsec.conf</b> +defines the config setup section and includes <b>/etc/ipsec.connections</b> +which in turn includes <b>/etc/ipsec.host</b> and <b>/etc/ipsec.peers/*</b> +thereby showing the use of wildcards in path definitions. diff --git a/testing/tests/starter-includes/evaltest.dat b/testing/tests/starter-includes/evaltest.dat new file mode 100644 index 000000000..be8ca6ef5 --- /dev/null +++ b/testing/tests/starter-includes/evaltest.dat @@ -0,0 +1,16 @@ +carol::cat /var/log/auth.log::setting virtual IP source address to 10.3.0.1::YES +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +dave::cat /var/log/auth.log::setting virtual IP source address to 10.3.0.2::YES +dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon::ipsec status::rw-carol.*STATE_QUICK_R2.*IPsec SA established::YES +moon::ipsec status::rw-dave.*STATE_QUICK_R2.*IPsec SA established::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES +alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: icmp::YES +alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: icmp::YES +alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: icmp::YES +alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: icmp::YES diff --git a/testing/tests/starter-includes/hosts/carol/etc/ipsec.conf b/testing/tests/starter-includes/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..598997b45 --- /dev/null +++ b/testing/tests/starter-includes/hosts/carol/etc/ipsec.conf @@ -0,0 +1,30 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn home + left=PH_IP_CAROL + leftsourceip=%modeconfig + leftnexthop=%direct + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add + + + + diff --git a/testing/tests/starter-includes/hosts/dave/etc/ipsec.conf b/testing/tests/starter-includes/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..da601389c --- /dev/null +++ b/testing/tests/starter-includes/hosts/dave/etc/ipsec.conf @@ -0,0 +1,30 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn home + left=PH_IP_DAVE + leftsourceip=%modeconfig + leftnexthop=%direct + leftcert=daveCert.pem + leftid=dave@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add + + + + diff --git a/testing/tests/starter-includes/hosts/moon/etc/ipsec.conf b/testing/tests/starter-includes/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..aa9116252 --- /dev/null +++ b/testing/tests/starter-includes/hosts/moon/etc/ipsec.conf @@ -0,0 +1,10 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +include /etc/ipsec.connections diff --git a/testing/tests/starter-includes/hosts/moon/etc/ipsec.connections b/testing/tests/starter-includes/hosts/moon/etc/ipsec.connections new file mode 100644 index 000000000..7cd938628 --- /dev/null +++ b/testing/tests/starter-includes/hosts/moon/etc/ipsec.connections @@ -0,0 +1,12 @@ +# /etc/ipsec.connections - connection definitions + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +include /etc/ipsec.host + +include /etc/ipsec.peers/* + diff --git a/testing/tests/starter-includes/hosts/moon/etc/ipsec.host b/testing/tests/starter-includes/hosts/moon/etc/ipsec.host new file mode 100755 index 000000000..e84e5cdc6 --- /dev/null +++ b/testing/tests/starter-includes/hosts/moon/etc/ipsec.host @@ -0,0 +1,11 @@ +# /etc/ipsec.host - my host configuration + +conn %default + left=PH_IP_MOON + leftsubnet=10.1.0.0/16 + leftsourceip=PH_IP1_MOON + leftnexthop=%direct + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftfirewall=yes + diff --git a/testing/tests/starter-includes/hosts/moon/etc/ipsec.peers/ipsec.carol b/testing/tests/starter-includes/hosts/moon/etc/ipsec.peers/ipsec.carol new file mode 100644 index 000000000..9212a9e96 --- /dev/null +++ b/testing/tests/starter-includes/hosts/moon/etc/ipsec.peers/ipsec.carol @@ -0,0 +1,8 @@ +# /etc/ipsec.peers/ipsec.carol - connection from carol + +conn rw-carol + right=%any + rightid=carol@strongswan.org + rightsourceip=PH_IP1_CAROL + auto=add + diff --git a/testing/tests/starter-includes/hosts/moon/etc/ipsec.peers/ipsec.dave b/testing/tests/starter-includes/hosts/moon/etc/ipsec.peers/ipsec.dave new file mode 100644 index 000000000..482d15a21 --- /dev/null +++ b/testing/tests/starter-includes/hosts/moon/etc/ipsec.peers/ipsec.dave @@ -0,0 +1,8 @@ +# /etc/ipsec.peers/ipsec.dave - connection from dave + +conn rw-dave + right=%any + rightid=dave@strongswan.org + rightsourceip=PH_IP1_DAVE + auto=add + diff --git a/testing/tests/starter-includes/posttest.dat b/testing/tests/starter-includes/posttest.dat new file mode 100644 index 000000000..121aa8aea --- /dev/null +++ b/testing/tests/starter-includes/posttest.dat @@ -0,0 +1,13 @@ +moon::iptables -v -n -L +carol::iptables -v -n -L +dave::iptables -v -n -L +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +dave::/etc/init.d/iptables stop 2> /dev/null +carol::ip addr del PH_IP1_CAROL/32 dev eth0 +dave::ip addr del PH_IP1_DAVE/32 dev eth0 +moon::rm /etc/ipsec.connections /etc/ipsec.host +moon::rm -r /etc/ipsec.peers diff --git a/testing/tests/starter-includes/pretest.dat b/testing/tests/starter-includes/pretest.dat new file mode 100644 index 000000000..0af79a6d2 --- /dev/null +++ b/testing/tests/starter-includes/pretest.dat @@ -0,0 +1,10 @@ +moon::cat /etc/ipsec.connections /etc/ipsec.host /etc/ipsec.peers/* +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +dave::/etc/init.d/iptables start 2> /dev/null +carol::ipsec start +dave::ipsec start +moon::ipsec start --debug-all +carol::sleep 2 +carol::ipsec up home +dave::ipsec up home diff --git a/testing/tests/starter-includes/test.conf b/testing/tests/starter-includes/test.conf new file mode 100644 index 000000000..1a8f2a4e0 --- /dev/null +++ b/testing/tests/starter-includes/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon alice" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/virtual-ip-swapped/description.txt b/testing/tests/virtual-ip-swapped/description.txt new file mode 100644 index 000000000..230906c5d --- /dev/null +++ b/testing/tests/virtual-ip-swapped/description.txt @@ -0,0 +1,3 @@ +Same scenario as test <a href="../virtual-ip/"><b>virtual-ip</b></a> but with +swapped end definitions: <b>right</b> denotes the <b>local</b> side whereas +<b>left</b> stands for the <b>remote</b> peer. diff --git a/testing/tests/virtual-ip-swapped/evaltest.dat b/testing/tests/virtual-ip-swapped/evaltest.dat new file mode 100644 index 000000000..5160a340f --- /dev/null +++ b/testing/tests/virtual-ip-swapped/evaltest.dat @@ -0,0 +1,9 @@ +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +carol::ping -c 1 PH_IP1_MOON::64 bytes from PH_IP1_MOON: icmp_seq=1::YES +moon::ping -c 1 PH_IP1_CAROL::64 bytes from PH_IP1_CAROL: icmp_seq=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: icmp::YES +alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: icmp::YES diff --git a/testing/tests/virtual-ip-swapped/hosts/carol/etc/ipsec.conf b/testing/tests/virtual-ip-swapped/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..0e239b707 --- /dev/null +++ b/testing/tests/virtual-ip-swapped/hosts/carol/etc/ipsec.conf @@ -0,0 +1,30 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn home + right=PH_IP_CAROL + rightsourceip=PH_IP1_CAROL + rightnexthop=%direct + rightcert=carolCert.pem + rightid=carol@strongswan.org + rightfirewall=yes + left=PH_IP_MOON + leftsubnet=10.1.0.0/16 + leftid=@moon.strongswan.org + auto=add + + + + diff --git a/testing/tests/virtual-ip-swapped/hosts/moon/etc/ipsec.conf b/testing/tests/virtual-ip-swapped/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..db6effbac --- /dev/null +++ b/testing/tests/virtual-ip-swapped/hosts/moon/etc/ipsec.conf @@ -0,0 +1,26 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn rw + right=PH_IP_MOON + rightsourceip=PH_IP1_MOON + rightnexthop=%direct + rightcert=moonCert.pem + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + rightfirewall=yes + leftsubnetwithin=10.3.0.0/16 + left=%any + auto=add diff --git a/testing/tests/virtual-ip-swapped/posttest.dat b/testing/tests/virtual-ip-swapped/posttest.dat new file mode 100644 index 000000000..ac5c7dd82 --- /dev/null +++ b/testing/tests/virtual-ip-swapped/posttest.dat @@ -0,0 +1,7 @@ +moon::iptables -v -n -L +carol::iptables -v -n -L +moon::ipsec stop +carol::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +carol::ip addr del PH_IP1_CAROL/32 dev eth0 diff --git a/testing/tests/virtual-ip-swapped/pretest.dat b/testing/tests/virtual-ip-swapped/pretest.dat new file mode 100644 index 000000000..4fe0ee90b --- /dev/null +++ b/testing/tests/virtual-ip-swapped/pretest.dat @@ -0,0 +1,6 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +carol::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/virtual-ip-swapped/test.conf b/testing/tests/virtual-ip-swapped/test.conf new file mode 100644 index 000000000..f106524e2 --- /dev/null +++ b/testing/tests/virtual-ip-swapped/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon alice" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/virtual-ip/description.txt b/testing/tests/virtual-ip/description.txt new file mode 100644 index 000000000..4ec6021ea --- /dev/null +++ b/testing/tests/virtual-ip/description.txt @@ -0,0 +1,8 @@ +The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>. Both <b>carol</b> +and <b>moon</b> define a static virtual IP using the <b>leftsourceip</b> parameter. +<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass +the tunneled traffic. In order to test the tunnel, <b>carol</b> pings the client <b>alice</b> +behind the gateway <b>moon</b> as well as the inner interface of the gateway. The source IP +of the two pings will be the virtual IP <b>carol1</b>. Also thanks to its virtual IP <b>moon1</b> +the gateway <b>moon</b> is able to ping <b>carol1</b> by using the existing subnet-subnet IPsec +tunnel. diff --git a/testing/tests/virtual-ip/evaltest.dat b/testing/tests/virtual-ip/evaltest.dat new file mode 100644 index 000000000..5160a340f --- /dev/null +++ b/testing/tests/virtual-ip/evaltest.dat @@ -0,0 +1,9 @@ +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +carol::ping -c 1 PH_IP1_MOON::64 bytes from PH_IP1_MOON: icmp_seq=1::YES +moon::ping -c 1 PH_IP1_CAROL::64 bytes from PH_IP1_CAROL: icmp_seq=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: icmp::YES +alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: icmp::YES diff --git a/testing/tests/virtual-ip/hosts/carol/etc/ipsec.conf b/testing/tests/virtual-ip/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..2f1170a6b --- /dev/null +++ b/testing/tests/virtual-ip/hosts/carol/etc/ipsec.conf @@ -0,0 +1,30 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn home + left=PH_IP_CAROL + leftsourceip=PH_IP1_CAROL + leftnexthop=%direct + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add + + + + diff --git a/testing/tests/virtual-ip/hosts/moon/etc/ipsec.conf b/testing/tests/virtual-ip/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..1cd8aab25 --- /dev/null +++ b/testing/tests/virtual-ip/hosts/moon/etc/ipsec.conf @@ -0,0 +1,26 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn rw + left=PH_IP_MOON + leftsourceip=PH_IP1_MOON + leftnexthop=%direct + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + leftfirewall=yes + rightsubnetwithin=10.3.0.0/16 + right=%any + auto=add diff --git a/testing/tests/virtual-ip/posttest.dat b/testing/tests/virtual-ip/posttest.dat new file mode 100644 index 000000000..ac5c7dd82 --- /dev/null +++ b/testing/tests/virtual-ip/posttest.dat @@ -0,0 +1,7 @@ +moon::iptables -v -n -L +carol::iptables -v -n -L +moon::ipsec stop +carol::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +carol::ip addr del PH_IP1_CAROL/32 dev eth0 diff --git a/testing/tests/virtual-ip/pretest.dat b/testing/tests/virtual-ip/pretest.dat new file mode 100644 index 000000000..4fe0ee90b --- /dev/null +++ b/testing/tests/virtual-ip/pretest.dat @@ -0,0 +1,6 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +carol::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/virtual-ip/test.conf b/testing/tests/virtual-ip/test.conf new file mode 100644 index 000000000..f106524e2 --- /dev/null +++ b/testing/tests/virtual-ip/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon alice" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/wildcards/description.txt b/testing/tests/wildcards/description.txt new file mode 100644 index 000000000..e485f7066 --- /dev/null +++ b/testing/tests/wildcards/description.txt @@ -0,0 +1,8 @@ +The VPN gateway <b>moon</b> controls the access to the hosts <b>alice</b> and +<b>venus</b> by means of wildcard parameters that must match the subject +<b>Distinguished Name</b> contained in the peer's X.509 certificate. Access to +<b>alice</b> is granted for DNs containing a OU=Research field whereas <b>venus</b> +can only be reached with a DN containing OU=Accounting. The roadwarriors +<b>carol</b> and <b>dave</b> belong to the departments 'Research' and 'Accounting', +respectively. Therefore <b>carol</b> can access <b>alice</b> and <b>dave</b> +can reach <b>venus</b>. diff --git a/testing/tests/wildcards/evaltest.dat b/testing/tests/wildcards/evaltest.dat new file mode 100644 index 000000000..cbc94b75a --- /dev/null +++ b/testing/tests/wildcards/evaltest.dat @@ -0,0 +1,8 @@ +carol::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::alice.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::YES +carol::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::NO +moon::ipsec status::venus.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::NO +dave::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::venus.*PH_IP_DAVE.*STATE_QUICK_R2.*IPsec SA established::YES +dave::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::NO +moon::ipsec status::alice.*PH_IP_DAVE.*STATE_QUICK_R2.*IPsec SA established::NO diff --git a/testing/tests/wildcards/hosts/carol/etc/ipsec.conf b/testing/tests/wildcards/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..de179c565 --- /dev/null +++ b/testing/tests/wildcards/hosts/carol/etc/ipsec.conf @@ -0,0 +1,32 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolCert.pem + right=PH_IP_MOON + rightid=@moon.strongswan.org + +conn alice + rightsubnet=PH_IP_ALICE/32 + auto=add + +conn venus + rightsubnet=PH_IP_VENUS/32 + auto=add + + + + + diff --git a/testing/tests/wildcards/hosts/dave/etc/ipsec.conf b/testing/tests/wildcards/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..2fb6a301e --- /dev/null +++ b/testing/tests/wildcards/hosts/dave/etc/ipsec.conf @@ -0,0 +1,32 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_DAVE + leftnexthop=%direct + leftcert=daveCert.pem + right=PH_IP_MOON + rightid=@moon.strongswan.org + +conn alice + rightsubnet=PH_IP_ALICE/32 + auto=add + +conn venus + rightsubnet=PH_IP_VENUS/32 + auto=add + + + + + diff --git a/testing/tests/wildcards/hosts/moon/etc/ipsec.conf b/testing/tests/wildcards/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..ee7bc8115 --- /dev/null +++ b/testing/tests/wildcards/hosts/moon/etc/ipsec.conf @@ -0,0 +1,31 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_MOON + leftnexthop=%direct + leftcert=moonCert.pem + leftid=@moon.strongswan.org + +conn alice + leftsubnet=PH_IP_ALICE/32 + right=%any + rightid="C=CH, O=Linux strongSwan, OU=Research, CN=*" + auto=add + +conn venus + leftsubnet=PH_IP_VENUS/32 + right=%any + rightid="C=CH, O=Linux strongSwan, OU=Accounting, CN=*" + auto=add + diff --git a/testing/tests/wildcards/posttest.dat b/testing/tests/wildcards/posttest.dat new file mode 100644 index 000000000..ed530f6d9 --- /dev/null +++ b/testing/tests/wildcards/posttest.dat @@ -0,0 +1,3 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop diff --git a/testing/tests/wildcards/pretest.dat b/testing/tests/wildcards/pretest.dat new file mode 100644 index 000000000..67c50c2ef --- /dev/null +++ b/testing/tests/wildcards/pretest.dat @@ -0,0 +1,9 @@ +moon::echo 1 > /proc/sys/net/ipv4/ip_forward +carol::ipsec start +dave::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up alice +carol::ipsec up venus +dave::ipsec up venus +dave::ipsec up alice diff --git a/testing/tests/wildcards/test.conf b/testing/tests/wildcards/test.conf new file mode 100644 index 000000000..08e5cc145 --- /dev/null +++ b/testing/tests/wildcards/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice venus moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-v-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/wlan/description.txt b/testing/tests/wlan/description.txt new file mode 100644 index 000000000..e018148bd --- /dev/null +++ b/testing/tests/wlan/description.txt @@ -0,0 +1,15 @@ +The WLAN clients <b>alice</b> and <b>venus</b> secure all their wireless traffic +by setting up an IPsec tunnel to gateway <b>moon</b>. The VPN network mask is +<b>0.0.0.0/0</b>. Traffic with destination outside the protected 10.1.0.0/10 network +is NAT-ed by router <b>moon</b>. The IPsec connections are tested by pings from +<b>alice</b> to <b>venus</b> tunneled via <b>moon</b> and to both the internal +and external interface of gateway <b>moon</b>. Access to the gateway is +set up by <b>lefthostaccess=yes</b> in conjunction with <b>leftfirewall=yes</b>. +At last <b>alice</b> and <b>venus</b> ping the external host <b>sun</b> via the NAT router. +<p> +The host system controls the UML instances <b>alice</b> and <b>carol</b> via +ssh commands sent over the virtual <b>tap1</b> interface. In order to keep up +the control flow in the presence of the all-encompassing 0.0.0.0/0 tunnel +to the gateway <b>moon</b> an auxiliary <b>passthrough</b> eroute restricted +to the ssh port is statically set up by <b>conn system</b>. + diff --git a/testing/tests/wlan/evaltest.dat b/testing/tests/wlan/evaltest.dat new file mode 100644 index 000000000..ccf5d0c8a --- /dev/null +++ b/testing/tests/wlan/evaltest.dat @@ -0,0 +1,11 @@ +alice::ipsec status::wlan.*STATE_QUICK_I2.*IPsec SA established::YES +venus::ipsec status::wlan.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::alice.*STATE_QUICK_R2.*IPsec SA established::YES +moon::ipsec status::venus.*STATE_QUICK_R2.*IPsec SA established::YES +alice::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES +alice::ping -c 1 PH_IP1_MOON::64 bytes from PH_IP1_MOON: icmp_seq=1::YES +alice::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_seq=1::YES +alice::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_seq=1::YES +venus::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_seq=1::YES +moon::tcpdump::ESP::YES +sun::tcpdump::icmp::YES diff --git a/testing/tests/wlan/hosts/alice/etc/init.d/iptables b/testing/tests/wlan/hosts/alice/etc/init.d/iptables new file mode 100755 index 000000000..86a76e2db --- /dev/null +++ b/testing/tests/wlan/hosts/alice/etc/init.d/iptables @@ -0,0 +1,73 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +opts="start stop reload" + +depend() { + before net + need logger +} + +start() { + ebegin "Starting firewall" + + # default policy is DROP + /sbin/iptables -P INPUT DROP + /sbin/iptables -P OUTPUT DROP + /sbin/iptables -P FORWARD DROP + + # allow esp + iptables -A INPUT -i eth0 -p 50 -j ACCEPT + iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT + + # allow IKE + iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT + iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + + # allow crl fetch from winnetou + iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT + iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + + # allow ssh + iptables -A INPUT -p tcp --dport 22 -j ACCEPT + iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT + + eend $? +} + +stop() { + ebegin "Stopping firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + + if [ $a == nat ]; then + /sbin/iptables -t nat -P PREROUTING ACCEPT + /sbin/iptables -t nat -P POSTROUTING ACCEPT + /sbin/iptables -t nat -P OUTPUT ACCEPT + elif [ $a == mangle ]; then + /sbin/iptables -t mangle -P PREROUTING ACCEPT + /sbin/iptables -t mangle -P INPUT ACCEPT + /sbin/iptables -t mangle -P FORWARD ACCEPT + /sbin/iptables -t mangle -P OUTPUT ACCEPT + /sbin/iptables -t mangle -P POSTROUTING ACCEPT + elif [ $a == filter ]; then + /sbin/iptables -t filter -P INPUT ACCEPT + /sbin/iptables -t filter -P FORWARD ACCEPT + /sbin/iptables -t filter -P OUTPUT ACCEPT + fi + done + eend $? +} + +reload() { + ebegin "Flushing firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + done; + eend $? + start +} + diff --git a/testing/tests/wlan/hosts/alice/etc/ipsec.conf b/testing/tests/wlan/hosts/alice/etc/ipsec.conf new file mode 100755 index 000000000..a658e4fe8 --- /dev/null +++ b/testing/tests/wlan/hosts/alice/etc/ipsec.conf @@ -0,0 +1,37 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + nat_traversal=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn system + left=PH_IP_ALICE + leftprotoport=tcp/ssh + leftnexthop=%direct + authby=never + type=passthrough + right=10.1.0.254 + rightprotoport=tcp + auto=route + +conn wlan + left=PH_IP_ALICE + leftnexthop=%direct + leftcert=aliceCert.pem + leftid=alice@strongswan.org + leftfirewall=yes + right=PH_IP1_MOON + rightid=@moon.strongswan.org + rightsubnet=0.0.0.0/0 + auto=add + diff --git a/testing/tests/wlan/hosts/moon/etc/init.d/iptables b/testing/tests/wlan/hosts/moon/etc/init.d/iptables new file mode 100755 index 000000000..e95ef44c6 --- /dev/null +++ b/testing/tests/wlan/hosts/moon/etc/init.d/iptables @@ -0,0 +1,82 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +opts="start stop reload" + +depend() { + before net + need logger +} + +start() { + ebegin "Starting firewall" + + # enable IP forwarding + echo 1 > /proc/sys/net/ipv4/ip_forward + + # default policy is DROP + /sbin/iptables -P INPUT DROP + /sbin/iptables -P OUTPUT DROP + /sbin/iptables -P FORWARD DROP + + # allow esp + iptables -A INPUT -i eth1 -p 50 -j ACCEPT + iptables -A OUTPUT -o eth1 -p 50 -j ACCEPT + + # allow IKE + iptables -A INPUT -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT + iptables -A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT + + # allow crl fetch from winnetou + iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT + iptables -A FORWARD -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT + iptables -A FORWARD -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + + # allow ssh + iptables -A INPUT -p tcp --dport 22 -j ACCEPT + iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT + + # enable SNAT + iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p icmp -j SNAT --to-source PH_IP_MOON + iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100 + + eend $? +} + +stop() { + ebegin "Stopping firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + + if [ $a == nat ]; then + /sbin/iptables -t nat -P PREROUTING ACCEPT + /sbin/iptables -t nat -P POSTROUTING ACCEPT + /sbin/iptables -t nat -P OUTPUT ACCEPT + elif [ $a == mangle ]; then + /sbin/iptables -t mangle -P PREROUTING ACCEPT + /sbin/iptables -t mangle -P INPUT ACCEPT + /sbin/iptables -t mangle -P FORWARD ACCEPT + /sbin/iptables -t mangle -P OUTPUT ACCEPT + /sbin/iptables -t mangle -P POSTROUTING ACCEPT + elif [ $a == filter ]; then + /sbin/iptables -t filter -P INPUT ACCEPT + /sbin/iptables -t filter -P FORWARD ACCEPT + /sbin/iptables -t filter -P OUTPUT ACCEPT + fi + done + eend $? +} + +reload() { + ebegin "Flushing firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + done; + eend $? + start +} + diff --git a/testing/tests/wlan/hosts/moon/etc/ipsec.conf b/testing/tests/wlan/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..f873479e8 --- /dev/null +++ b/testing/tests/wlan/hosts/moon/etc/ipsec.conf @@ -0,0 +1,37 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + nat_traversal=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn alice + right=PH_IP_ALICE + rightid=alice@strongswan.org + also=wlan + auto=add + +conn venus + right=PH_IP_VENUS + rightid=@venus.strongswan.org + also=wlan + auto=add + +conn wlan + left=PH_IP1_MOON + leftnexthop=%direct + leftsubnet=0.0.0.0/0 + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftfirewall=yes + lefthostaccess=yes + diff --git a/testing/tests/wlan/hosts/venus/etc/init.d/iptables b/testing/tests/wlan/hosts/venus/etc/init.d/iptables new file mode 100755 index 000000000..6f95e7576 --- /dev/null +++ b/testing/tests/wlan/hosts/venus/etc/init.d/iptables @@ -0,0 +1,73 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +opts="start stop reload" + +depend() { + before net + need logger +} + +start() { + ebegin "Starting firewall" + + # default policy is DROP + /sbin/iptables -P INPUT DROP + /sbin/iptables -P OUTPUT DROP + /sbin/iptables -P FORWARD DROP + + # allow esp + iptables -A INPUT -i eth0 -p 50 -j ACCEPT + iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT + + # allow IKE + iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT + iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + + # allow crl fetch from winnetou + iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT + iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + + # allow ssh + iptables -A INPUT -p tcp --dport 22 -j ACCEPT + iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT + + eend $? +} + +stop() { + ebegin "Stopping firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + + if [ $a == nat ]; then + /sbin/iptables -t nat -P PREROUTING ACCEPT + /sbin/iptables -t nat -P POSTROUTING ACCEPT + /sbin/iptables -t nat -P OUTPUT ACCEPT + elif [ $a == mangle ]; then + /sbin/iptables -t mangle -P PREROUTING ACCEPT + /sbin/iptables -t mangle -P INPUT ACCEPT + /sbin/iptables -t mangle -P FORWARD ACCEPT + /sbin/iptables -t mangle -P OUTPUT ACCEPT + /sbin/iptables -t mangle -P POSTROUTING ACCEPT + elif [ $a == filter ]; then + /sbin/iptables -t filter -P INPUT ACCEPT + /sbin/iptables -t filter -P FORWARD ACCEPT + /sbin/iptables -t filter -P OUTPUT ACCEPT + fi + done + eend $? +} + +reload() { + ebegin "Flushing firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + done; + eend $? + start +} + diff --git a/testing/tests/wlan/hosts/venus/etc/ipsec.conf b/testing/tests/wlan/hosts/venus/etc/ipsec.conf new file mode 100755 index 000000000..742c1dbce --- /dev/null +++ b/testing/tests/wlan/hosts/venus/etc/ipsec.conf @@ -0,0 +1,37 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + nat_traversal=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn system + left=PH_IP_VENUS + leftprotoport=tcp/ssh + leftnexthop=%direct + authby=never + type=passthrough + right=10.1.0.254 + rightprotoport=tcp + auto=route + +conn wlan + left=PH_IP_VENUS + leftnexthop=%direct + leftcert=venusCert.pem + leftid=@venus.strongswan.org + leftfirewall=yes + right=PH_IP1_MOON + rightid=@moon.strongswan.org + rightsubnet=0.0.0.0/0 + auto=add + diff --git a/testing/tests/wlan/posttest.dat b/testing/tests/wlan/posttest.dat new file mode 100644 index 000000000..cc873d1ff --- /dev/null +++ b/testing/tests/wlan/posttest.dat @@ -0,0 +1,10 @@ +alice::iptables -v -n -L +venus::iptables -v -n -L +moon::iptables -t nat -v -n -L POSTROUTING +moon::iptables -v -n -L +moon::ipsec stop +alice::ipsec stop +venus::ipsec stop +alice::/etc/init.d/iptables stop 2> /dev/null +venus::/etc/init.d/iptables stop 2> /dev/null +moon::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/wlan/pretest.dat b/testing/tests/wlan/pretest.dat new file mode 100644 index 000000000..de4a6ad31 --- /dev/null +++ b/testing/tests/wlan/pretest.dat @@ -0,0 +1,11 @@ +moon::/etc/init.d/iptables start 2> /dev/null +alice::/etc/init.d/iptables start 2> /dev/null +venus::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +alice::ipsec start +venus::ipsec start +alice::sleep 2 +alice::ipsec up wlan +venus::sleep 2 +venus::ipsec up wlan +venus::sleep 2 diff --git a/testing/tests/wlan/test.conf b/testing/tests/wlan/test.conf new file mode 100644 index 000000000..b141c4f1b --- /dev/null +++ b/testing/tests/wlan/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice venus moon winnetou sun" + +# Corresponding block diagram +# +DIAGRAM="a-v-m-w-s-b.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon:eth1 sun" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="alice venus moon" |