diff options
Diffstat (limited to 'testing/tests')
165 files changed, 1869 insertions, 25 deletions
diff --git a/testing/tests/ikev1/net2net-fragmentation/description.txt b/testing/tests/ikev1/net2net-fragmentation/description.txt new file mode 100644 index 000000000..6fe773299 --- /dev/null +++ b/testing/tests/ikev1/net2net-fragmentation/description.txt @@ -0,0 +1,9 @@ +A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up. +The authentication is based on <b>X.509 certificates</b>. The proprietary IKEv1 fragmentation +protocol prevents the IP fragmentation of the IKEv1 messages carrying the large X.509 +certificates. +<p/> +Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically +inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b> +pings client <b>bob</b> located behind gateway <b>sun</b>. diff --git a/testing/tests/ikev1/net2net-fragmentation/evaltest.dat b/testing/tests/ikev1/net2net-fragmentation/evaltest.dat new file mode 100644 index 000000000..876787495 --- /dev/null +++ b/testing/tests/ikev1/net2net-fragmentation/evaltest.dat @@ -0,0 +1,15 @@ +moon::cat /var/log/daemon.log::received FRAGMENTATION vendor ID::YES +sun::cat /var/log/daemon.log::received FRAGMENTATION vendor ID::YES +moon::cat /var/log/daemon.log::sending IKE message with length of 1468 bytes in 2 fragments::YES +sun::cat /var/log/daemon.log::sending IKE message with length of 1388 bytes in 2 fragments::YES +moon::cat /var/log/daemon.log::received fragment #1, waiting for complete IKE message::YES +moon::cat /var/log/daemon.log::received fragment #2, reassembling fragmented IKE message::YES +sun::cat /var/log/daemon.log::received fragment #1, waiting for complete IKE message::YES +sun::cat /var/log/daemon.log::received fragment #2, reassembling fragmented IKE message::YES +moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES +sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES +moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES +sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ikev1/net2net-fragmentation/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-fragmentation/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..cdd430408 --- /dev/null +++ b/testing/tests/ikev1/net2net-fragmentation/hosts/moon/etc/ipsec.conf @@ -0,0 +1,22 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + fragmentation=yes + +conn net-net + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + leftfirewall=yes + right=PH_IP_SUN + rightid=@sun.strongswan.org + rightsubnet=10.2.0.0/16 + auto=add diff --git a/testing/tests/ikev1/net2net-fragmentation/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/net2net-fragmentation/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..9caf4fa37 --- /dev/null +++ b/testing/tests/ikev1/net2net-fragmentation/hosts/moon/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown + + fragment_size = 1024 +} + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/net2net-fragmentation/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/net2net-fragmentation/hosts/sun/etc/ipsec.conf new file mode 100644 index 000000000..448525bf7 --- /dev/null +++ b/testing/tests/ikev1/net2net-fragmentation/hosts/sun/etc/ipsec.conf @@ -0,0 +1,22 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + fragmentation=yes + +conn net-net + left=PH_IP_SUN + leftcert=sunCert.pem + leftid=@sun.strongswan.org + leftsubnet=10.2.0.0/16 + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/ikev1/net2net-fragmentation/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/net2net-fragmentation/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..9caf4fa37 --- /dev/null +++ b/testing/tests/ikev1/net2net-fragmentation/hosts/sun/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown + + fragment_size = 1024 +} + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/net2net-fragmentation/posttest.dat b/testing/tests/ikev1/net2net-fragmentation/posttest.dat new file mode 100644 index 000000000..837738fc6 --- /dev/null +++ b/testing/tests/ikev1/net2net-fragmentation/posttest.dat @@ -0,0 +1,5 @@ +moon::ipsec stop +sun::ipsec stop +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush + diff --git a/testing/tests/ikev1/net2net-fragmentation/pretest.dat b/testing/tests/ikev1/net2net-fragmentation/pretest.dat new file mode 100644 index 000000000..c724e5df8 --- /dev/null +++ b/testing/tests/ikev1/net2net-fragmentation/pretest.dat @@ -0,0 +1,6 @@ +moon::iptables-restore < /etc/iptables.rules +sun::iptables-restore < /etc/iptables.rules +moon::ipsec start +sun::ipsec start +moon::sleep 1 +moon::ipsec up net-net diff --git a/testing/tests/ikev1/net2net-fragmentation/test.conf b/testing/tests/ikev1/net2net-fragmentation/test.conf new file mode 100644 index 000000000..646b8b3e6 --- /dev/null +++ b/testing/tests/ikev1/net2net-fragmentation/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" diff --git a/testing/tests/ikev2/ip-two-pools-v4v6-db/description.txt b/testing/tests/ikev2/ip-two-pools-v4v6-db/description.txt new file mode 100644 index 000000000..7e8e7a69b --- /dev/null +++ b/testing/tests/ikev2/ip-two-pools-v4v6-db/description.txt @@ -0,0 +1,5 @@ +The host <b>carol</b> sets up a tunnel connection to gateway <b>moon</b>. It requests +both an IPv4 and an IPv6 <b>virtual IP</b> via the IKEv2 configuration payload by using +<b>leftsourceip=%config4,%config6</b>. Gateway <b>moon</b> assigns virtual IPs addresses +from persistent pools stored in an SQL database using the <b>rightsourceip</b> option. +The established tunnel carries both IPv4 and IPv6 in an IPv4 encapsulated tunnel. diff --git a/testing/tests/ikev2/ip-two-pools-v4v6-db/evaltest.dat b/testing/tests/ikev2/ip-two-pools-v4v6-db/evaltest.dat new file mode 100644 index 000000000..0bf3500b5 --- /dev/null +++ b/testing/tests/ikev2/ip-two-pools-v4v6-db/evaltest.dat @@ -0,0 +1,9 @@ +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES +carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES +carol::cat /var/log/daemon.log::installing new virtual IP fec3:\:1::YES +carol::cat /var/log/daemon.log::TS 10.3.0.1/32 fec3:\:1/128 === 10.1.0.0/16 fec1:\:/16::YES +carol::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_req=1::YES +carol::ping6 -c 1 ip6-alice.strongswan.org::64 bytes from ip6-alice.strongswan.org: icmp_seq=1::YES diff --git a/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/carol/etc/ipsec.conf new file mode 100644 index 000000000..d19399def --- /dev/null +++ b/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/carol/etc/ipsec.conf @@ -0,0 +1,20 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_CAROL + leftsourceip=%config4,%config6 + leftcert=carolCert.pem + leftid=carol@strongswan.org + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=0.0.0.0/0,::/0 + auto=add diff --git a/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..85d8c191f --- /dev/null +++ b/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default +} diff --git a/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..04a74fd44 --- /dev/null +++ b/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/moon/etc/ipsec.conf @@ -0,0 +1,19 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16,fec1::0/16 + rightsourceip=%v4_pool,%v6_pool + right=%any + auto=add diff --git a/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..73b0cb7be --- /dev/null +++ b/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/moon/etc/strongswan.conf @@ -0,0 +1,17 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown sqlite attr-sql +} + +libhydra { + plugins { + attr-sql { + database = sqlite:///etc/ipsec.d/ipsec.db + } + } +} + +pool { + load = sqlite +} diff --git a/testing/tests/ikev2/ip-two-pools-v4v6-db/posttest.dat b/testing/tests/ikev2/ip-two-pools-v4v6-db/posttest.dat new file mode 100644 index 000000000..311e9f21d --- /dev/null +++ b/testing/tests/ikev2/ip-two-pools-v4v6-db/posttest.dat @@ -0,0 +1,5 @@ +alice::ip -6 route del default via fec1:\:1 +carol::ipsec stop +moon::ipsec stop +moon::conntrack -F +moon::rm /etc/ipsec.d/ipsec.* diff --git a/testing/tests/ikev2/ip-two-pools-v4v6-db/pretest.dat b/testing/tests/ikev2/ip-two-pools-v4v6-db/pretest.dat new file mode 100644 index 000000000..e3d8f4a78 --- /dev/null +++ b/testing/tests/ikev2/ip-two-pools-v4v6-db/pretest.dat @@ -0,0 +1,9 @@ +moon::cat /etc/ipsec.d/tables.sql > /etc/ipsec.d/ipsec.sql +moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db +moon::ipsec pool --add v4_pool --start 10.3.0.1 --end 10.3.1.244 --timeout 48 2> /dev/null +moon::ipsec pool --add v6_pool --start fec3:\:1 --end fec3:\:fe --timeout 48 2> /dev/null +alice::ip -6 route add default via fec1:\:1 +moon::ipsec start +carol::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/ikev2/ip-two-pools-v4v6-db/test.conf b/testing/tests/ikev2/ip-two-pools-v4v6-db/test.conf new file mode 100644 index 000000000..cd03759f0 --- /dev/null +++ b/testing/tests/ikev2/ip-two-pools-v4v6-db/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="a-m-c.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="carol" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev2/net2net-dnssec/description.txt b/testing/tests/ikev2/net2net-dnssec/description.txt new file mode 100644 index 000000000..9893359c0 --- /dev/null +++ b/testing/tests/ikev2/net2net-dnssec/description.txt @@ -0,0 +1,8 @@ +A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up. +The authentication is based on trustworthy public keys stored as <b>IPSECKEY</b> +resource records in the Domain Name System (DNS) and protected by <b>DNSSEC</b>. +<p/> +Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b> +automatically inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b> +pings client <b>bob</b> located behind gateway <b>sun</b>. diff --git a/testing/tests/ikev2/net2net-dnssec/evaltest.dat b/testing/tests/ikev2/net2net-dnssec/evaltest.dat new file mode 100644 index 000000000..389cac7f3 --- /dev/null +++ b/testing/tests/ikev2/net2net-dnssec/evaltest.dat @@ -0,0 +1,9 @@ +moon:: cat /var/log/daemon.log::performing a DNS query for IPSECKEY RRs of.*sun.strongswan.org::YES +sun:: cat /var/log/daemon.log::performing a DNS query for IPSECKEY RRs of.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES +sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::INSTALLED, TUNNEL::YES +sun:: ipsec status 2> /dev/null::INSTALLED, TUNNEL::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..6c11645f9 --- /dev/null +++ b/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + mobike=no + +conn net-net + left=PH_IP_MOON + leftid=moon.strongswan.org + leftsubnet=10.1.0.0/16 + leftrsasigkey=moonPub.der + leftauth=pubkey + leftfirewall=yes + right=sun.strongswan.org + rightid=sun.strongswan.org + rightsubnet=10.2.0.0/16 + rightauth=pubkey + auto=add diff --git a/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/ipsec.d/certs/moonPub.der b/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/ipsec.d/certs/moonPub.der Binary files differnew file mode 100644 index 000000000..71571044c --- /dev/null +++ b/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/ipsec.d/certs/moonPub.der diff --git a/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/ipsec.d/dnssec.keys b/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/ipsec.d/dnssec.keys new file mode 100644 index 000000000..d059d8476 --- /dev/null +++ b/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/ipsec.d/dnssec.keys @@ -0,0 +1,10 @@ +; This is a key-signing key, keyid 32329, for . +. IN DNSKEY 257 3 8 ( + AwEAAbcskaratFgvgvXl0bNq4I43ZBzd9jYnoPqsIcA0ahqXlUTUa+c2 + XzN2mS7DGcI4Z5Gn+8v/Ih4lQJQrlf9I/c2HjooCAsK1bA5cRS2DiU+b + L6Ge0nLtvNOf4C0MHGLrWcDONg5QoL0OcFvMXuUtOvDkoIMdtfDYDScx + E9vSokc98Sx553/MTxpssXeM9i+OauGqohIZU+MVRdWwvJPieCL7Ma4b + AttgG+KSbQy7x/qXPISoqzwGQvCxsL93fvD/cpp+KziqA0oH+Dfryvc5 + nWdCdra4gYz7WCFFwcY1PW6PbL5ie4jnjl3WWxopuzT46HKROxDhE+FO + O9fOgGnjzAk= + ) diff --git a/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/iptables.rules new file mode 100644 index 000000000..b2c425289 --- /dev/null +++ b/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/iptables.rules @@ -0,0 +1,28 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow esp +-A INPUT -i eth0 -p 50 -j ACCEPT +-A OUTPUT -o eth0 -p 50 -j ACCEPT + +# allow IKE +-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow DNSSEC fetch from winnetou +-A INPUT -i eth0 -p udp --sport 53 -s PH_IP_WINNETOU -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 53 -d PH_IP_WINNETOU -j ACCEPT + +COMMIT diff --git a/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/resolv.conf b/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/resolv.conf new file mode 100644 index 000000000..73d926def --- /dev/null +++ b/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/resolv.conf @@ -0,0 +1 @@ +nameserver PH_IP_WINNETOU diff --git a/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..44a54a9dd --- /dev/null +++ b/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/strongswan.conf @@ -0,0 +1,20 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = sha1 sha2 md5 aes des hmac gmp dnskey pem pkcs1 pubkey unbound ipseckey random nonce curl kernel-netlink socket-default stroke updown + + plugins { + ipseckey { + enable = yes + } + } +} + +libstrongswan { + plugins { + unbound { + # trust_anchors = /etc/ipsec.d/dnssec.keys + # resolv_conf = /etc/resolv.conf + } + } +} diff --git a/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/ipsec.conf new file mode 100644 index 000000000..76e41cd47 --- /dev/null +++ b/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + mobike=no + +conn net-net + left=PH_IP_SUN + leftid=sun.strongswan.org + leftsubnet=10.2.0.0/16 + leftrsasigkey=sunPub.der + leftauth=pubkey + leftfirewall=yes + right=moon.strongswan.org + rightid=moon.strongswan.org + rightsubnet=10.1.0.0/16 + rightauth=pubkey + auto=add diff --git a/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/ipsec.d/certs/sunPub.der b/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/ipsec.d/certs/sunPub.der Binary files differnew file mode 100644 index 000000000..cc99934db --- /dev/null +++ b/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/ipsec.d/certs/sunPub.der diff --git a/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/ipsec.d/dnssec.keys b/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/ipsec.d/dnssec.keys new file mode 100644 index 000000000..d059d8476 --- /dev/null +++ b/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/ipsec.d/dnssec.keys @@ -0,0 +1,10 @@ +; This is a key-signing key, keyid 32329, for . +. IN DNSKEY 257 3 8 ( + AwEAAbcskaratFgvgvXl0bNq4I43ZBzd9jYnoPqsIcA0ahqXlUTUa+c2 + XzN2mS7DGcI4Z5Gn+8v/Ih4lQJQrlf9I/c2HjooCAsK1bA5cRS2DiU+b + L6Ge0nLtvNOf4C0MHGLrWcDONg5QoL0OcFvMXuUtOvDkoIMdtfDYDScx + E9vSokc98Sx553/MTxpssXeM9i+OauGqohIZU+MVRdWwvJPieCL7Ma4b + AttgG+KSbQy7x/qXPISoqzwGQvCxsL93fvD/cpp+KziqA0oH+Dfryvc5 + nWdCdra4gYz7WCFFwcY1PW6PbL5ie4jnjl3WWxopuzT46HKROxDhE+FO + O9fOgGnjzAk= + ) diff --git a/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/iptables.rules b/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/iptables.rules new file mode 100644 index 000000000..b2c425289 --- /dev/null +++ b/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/iptables.rules @@ -0,0 +1,28 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow esp +-A INPUT -i eth0 -p 50 -j ACCEPT +-A OUTPUT -o eth0 -p 50 -j ACCEPT + +# allow IKE +-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow DNSSEC fetch from winnetou +-A INPUT -i eth0 -p udp --sport 53 -s PH_IP_WINNETOU -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 53 -d PH_IP_WINNETOU -j ACCEPT + +COMMIT diff --git a/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/resolv.conf b/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/resolv.conf new file mode 100644 index 000000000..73d926def --- /dev/null +++ b/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/resolv.conf @@ -0,0 +1 @@ +nameserver PH_IP_WINNETOU diff --git a/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..44a54a9dd --- /dev/null +++ b/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/strongswan.conf @@ -0,0 +1,20 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = sha1 sha2 md5 aes des hmac gmp dnskey pem pkcs1 pubkey unbound ipseckey random nonce curl kernel-netlink socket-default stroke updown + + plugins { + ipseckey { + enable = yes + } + } +} + +libstrongswan { + plugins { + unbound { + # trust_anchors = /etc/ipsec.d/dnssec.keys + # resolv_conf = /etc/resolv.conf + } + } +} diff --git a/testing/tests/ikev2/net2net-dnssec/posttest.dat b/testing/tests/ikev2/net2net-dnssec/posttest.dat new file mode 100644 index 000000000..c594c4dc8 --- /dev/null +++ b/testing/tests/ikev2/net2net-dnssec/posttest.dat @@ -0,0 +1,8 @@ +moon::ipsec stop +sun::ipsec stop +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush +moon::rm /etc/resolv.conf +sun::rm /etc/resolv.conf +moon::rm /etc/ipsec.d/dnssec.keys +sun::rm /etc/ipsec.d/dnssec.keys diff --git a/testing/tests/ikev2/net2net-dnssec/pretest.dat b/testing/tests/ikev2/net2net-dnssec/pretest.dat new file mode 100644 index 000000000..0f4ae0f4f --- /dev/null +++ b/testing/tests/ikev2/net2net-dnssec/pretest.dat @@ -0,0 +1,8 @@ +moon::iptables-restore < /etc/iptables.rules +sun::iptables-restore < /etc/iptables.rules +moon::rm /etc/ipsec.d/cacerts/* +sun::rm /etc/ipsec.d/cacerts/* +moon::ipsec start +sun::ipsec start +moon::sleep 2 +moon::ipsec up net-net diff --git a/testing/tests/ikev2/net2net-dnssec/test.conf b/testing/tests/ikev2/net2net-dnssec/test.conf new file mode 100644 index 000000000..afa2accbe --- /dev/null +++ b/testing/tests/ikev2/net2net-dnssec/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" diff --git a/testing/tests/ikev2/rw-dnssec/description.txt b/testing/tests/ikev2/rw-dnssec/description.txt new file mode 100644 index 000000000..0135f078c --- /dev/null +++ b/testing/tests/ikev2/rw-dnssec/description.txt @@ -0,0 +1,10 @@ +The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>. +The authentication is based on trustworthy public keys stored as <b>IPSECKEY</b> +resource records in the Domain Name System (DNS) and protected by <b>DNSSEC</b>. +</p> +Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKEv2 configuration payload +by using the <b>leftsourceip=%config</b> parameter. <b>leftfirewall=yes</b> automatically +inserts iptables-based firewall rules that let pass the tunneled traffic. In order to test the +tunnels, <b>carol</b> and <b>dave</b> then ping the client <b>alice</b> behind the gateway +<b>moon</b>. The source IP addresses of the two pings will be the virtual IPs <b>carol1</b> +and <b>dave1</b>, respectively. diff --git a/testing/tests/ikev2/rw-dnssec/evaltest.dat b/testing/tests/ikev2/rw-dnssec/evaltest.dat new file mode 100644 index 000000000..49183fb42 --- /dev/null +++ b/testing/tests/ikev2/rw-dnssec/evaltest.dat @@ -0,0 +1,24 @@ +carol::cat /var/log/daemon.log::performing a DNS query for IPSECKEY RRs of.*moon.strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol.strongswan.org.*moon.strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +dave:: cat /var/log/daemon.log::performing a DNS query for IPSECKEY RRs of.*moon.strongswan.org::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave.strongswan.org.*moon.strongswan.org::YES +dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES +dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +moon:: cat /var/log/daemon.log::performing a DNS query for IPSECKEY RRs of.*carol.strongswan.org::YES +moon:: cat /var/log/daemon.log::performing a DNS query for IPSECKEY RRs of.*dave.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES +alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES +alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES +alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES +alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES diff --git a/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/ipsec.conf new file mode 100644 index 000000000..70deaa036 --- /dev/null +++ b/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=%any + leftsourceip=%config + leftid=carol.strongswan.org + leftrsasigkey="0sAwEAAdBdWU+BF7x4lyo+xHnr4UAOU89yQQuT5vdPoXzx6kRPsjYAuuktgXR+SaLkQHw/YRgDPSKj5nzmmlOQf/rWRr+8O2q+C92aUICmkNvZGamo5w2WlOMZ6T5dk2Hv+QM6xT/GzWyVr1dMYu/7tywD1Bw7aW/HqkRESDu6q95VWu+Lzg6XlxCNEez0YsZrN/fC6BL2qzKAqMBbIHFW8OOnh+nEY4IF5AzkZnFrw12GI72Z882pw97lyKwZhSz/GMQFBJx+rnNdw5P1IJwTlG5PUdoDCte/Mcr1iiA+zOovx55x1GoGxduoXWU5egrf1MtalRf9Pc8Xr4q3WEKTAmsZrVE=" + leftauth=pubkey + leftfirewall=yes + right=moon.strongswan.org + rightid=moon.strongswan.org + rightsubnet=10.1.0.0/16 + rightauth=pubkey + auto=add diff --git a/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/ipsec.d/dnssec.keys b/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/ipsec.d/dnssec.keys new file mode 100644 index 000000000..d059d8476 --- /dev/null +++ b/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/ipsec.d/dnssec.keys @@ -0,0 +1,10 @@ +; This is a key-signing key, keyid 32329, for . +. IN DNSKEY 257 3 8 ( + AwEAAbcskaratFgvgvXl0bNq4I43ZBzd9jYnoPqsIcA0ahqXlUTUa+c2 + XzN2mS7DGcI4Z5Gn+8v/Ih4lQJQrlf9I/c2HjooCAsK1bA5cRS2DiU+b + L6Ge0nLtvNOf4C0MHGLrWcDONg5QoL0OcFvMXuUtOvDkoIMdtfDYDScx + E9vSokc98Sx553/MTxpssXeM9i+OauGqohIZU+MVRdWwvJPieCL7Ma4b + AttgG+KSbQy7x/qXPISoqzwGQvCxsL93fvD/cpp+KziqA0oH+Dfryvc5 + nWdCdra4gYz7WCFFwcY1PW6PbL5ie4jnjl3WWxopuzT46HKROxDhE+FO + O9fOgGnjzAk= + ) diff --git a/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/iptables.rules b/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/iptables.rules new file mode 100644 index 000000000..b2c425289 --- /dev/null +++ b/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/iptables.rules @@ -0,0 +1,28 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow esp +-A INPUT -i eth0 -p 50 -j ACCEPT +-A OUTPUT -o eth0 -p 50 -j ACCEPT + +# allow IKE +-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow DNSSEC fetch from winnetou +-A INPUT -i eth0 -p udp --sport 53 -s PH_IP_WINNETOU -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 53 -d PH_IP_WINNETOU -j ACCEPT + +COMMIT diff --git a/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/resolv.conf b/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/resolv.conf new file mode 100644 index 000000000..73d926def --- /dev/null +++ b/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/resolv.conf @@ -0,0 +1 @@ +nameserver PH_IP_WINNETOU diff --git a/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..825af9dd0 --- /dev/null +++ b/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce dnskey pubkey unbound ipseckey hmac stroke kernel-netlink socket-default updown resolve + + plugins { + ipseckey { + enable = yes + } + } +} diff --git a/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/ipsec.conf new file mode 100644 index 000000000..24ffdd3b1 --- /dev/null +++ b/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=%any + leftsourceip=%config + leftid=dave.strongswan.org + leftrsasigkey="0sAwEAAcAH8lNvBVjmg0XT7wF6F1tzQ055f5uXRI5yClmFrqdswFA7jWO04jmvlduD2wr2X4Ng6dlBkSwSEhVkOgrzIYj8UgQT6BZF/44uYjyTYr4bV2SVML9U/a1lYxBhBazpSdfeKJWkdxwjcJCqolZ719mwiyrQn2P2G7qH10YgRuifpFcMs8jkMiIgpzevSMMc0OwhQPNyO5R0LEoUIy4dQJ9rU8GKqmPmk/pdPQaAjpSNuCc1Y9M9vZrETs/XHmBCZXCIWJiz5VOHZ+r073E3Gef9ibMuTj9g2XLvFhdDfU26FK9GkfuOwnWnhVK66diq9xw9Qqynk+8K0J4a81Paq3U=" + leftauth=pubkey + leftfirewall=yes + right=moon.strongswan.org + rightid=moon.strongswan.org + rightsubnet=10.1.0.0/16 + rightauth=pubkey + auto=add diff --git a/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/ipsec.d/dnssec.keys b/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/ipsec.d/dnssec.keys new file mode 100644 index 000000000..d059d8476 --- /dev/null +++ b/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/ipsec.d/dnssec.keys @@ -0,0 +1,10 @@ +; This is a key-signing key, keyid 32329, for . +. IN DNSKEY 257 3 8 ( + AwEAAbcskaratFgvgvXl0bNq4I43ZBzd9jYnoPqsIcA0ahqXlUTUa+c2 + XzN2mS7DGcI4Z5Gn+8v/Ih4lQJQrlf9I/c2HjooCAsK1bA5cRS2DiU+b + L6Ge0nLtvNOf4C0MHGLrWcDONg5QoL0OcFvMXuUtOvDkoIMdtfDYDScx + E9vSokc98Sx553/MTxpssXeM9i+OauGqohIZU+MVRdWwvJPieCL7Ma4b + AttgG+KSbQy7x/qXPISoqzwGQvCxsL93fvD/cpp+KziqA0oH+Dfryvc5 + nWdCdra4gYz7WCFFwcY1PW6PbL5ie4jnjl3WWxopuzT46HKROxDhE+FO + O9fOgGnjzAk= + ) diff --git a/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/iptables.rules b/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/iptables.rules new file mode 100644 index 000000000..b2c425289 --- /dev/null +++ b/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/iptables.rules @@ -0,0 +1,28 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow esp +-A INPUT -i eth0 -p 50 -j ACCEPT +-A OUTPUT -o eth0 -p 50 -j ACCEPT + +# allow IKE +-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow DNSSEC fetch from winnetou +-A INPUT -i eth0 -p udp --sport 53 -s PH_IP_WINNETOU -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 53 -d PH_IP_WINNETOU -j ACCEPT + +COMMIT diff --git a/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/resolv.conf b/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/resolv.conf new file mode 100644 index 000000000..73d926def --- /dev/null +++ b/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/resolv.conf @@ -0,0 +1 @@ +nameserver PH_IP_WINNETOU diff --git a/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..825af9dd0 --- /dev/null +++ b/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce dnskey pubkey unbound ipseckey hmac stroke kernel-netlink socket-default updown resolve + + plugins { + ipseckey { + enable = yes + } + } +} diff --git a/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..a199a4824 --- /dev/null +++ b/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/ipsec.conf @@ -0,0 +1,22 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn rw + left=PH_IP_MOON + leftsubnet=10.1.0.0/16 + leftid=moon.strongswan.org + leftauth=pubkey + leftrsasigkey=moonPub.der + leftfirewall=yes + right=%any + rightauth=pubkey + rightsourceip=10.3.0.0/24 + auto=add diff --git a/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/ipsec.d/certs/moonPub.der b/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/ipsec.d/certs/moonPub.der Binary files differnew file mode 100644 index 000000000..71571044c --- /dev/null +++ b/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/ipsec.d/certs/moonPub.der diff --git a/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/ipsec.d/dnssec.keys b/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/ipsec.d/dnssec.keys new file mode 100644 index 000000000..d059d8476 --- /dev/null +++ b/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/ipsec.d/dnssec.keys @@ -0,0 +1,10 @@ +; This is a key-signing key, keyid 32329, for . +. IN DNSKEY 257 3 8 ( + AwEAAbcskaratFgvgvXl0bNq4I43ZBzd9jYnoPqsIcA0ahqXlUTUa+c2 + XzN2mS7DGcI4Z5Gn+8v/Ih4lQJQrlf9I/c2HjooCAsK1bA5cRS2DiU+b + L6Ge0nLtvNOf4C0MHGLrWcDONg5QoL0OcFvMXuUtOvDkoIMdtfDYDScx + E9vSokc98Sx553/MTxpssXeM9i+OauGqohIZU+MVRdWwvJPieCL7Ma4b + AttgG+KSbQy7x/qXPISoqzwGQvCxsL93fvD/cpp+KziqA0oH+Dfryvc5 + nWdCdra4gYz7WCFFwcY1PW6PbL5ie4jnjl3WWxopuzT46HKROxDhE+FO + O9fOgGnjzAk= + ) diff --git a/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/iptables.rules new file mode 100644 index 000000000..b2c425289 --- /dev/null +++ b/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/iptables.rules @@ -0,0 +1,28 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow esp +-A INPUT -i eth0 -p 50 -j ACCEPT +-A OUTPUT -o eth0 -p 50 -j ACCEPT + +# allow IKE +-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow DNSSEC fetch from winnetou +-A INPUT -i eth0 -p udp --sport 53 -s PH_IP_WINNETOU -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 53 -d PH_IP_WINNETOU -j ACCEPT + +COMMIT diff --git a/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/resolv.conf b/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/resolv.conf new file mode 100644 index 000000000..73d926def --- /dev/null +++ b/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/resolv.conf @@ -0,0 +1 @@ +nameserver PH_IP_WINNETOU diff --git a/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..644ac3d6a --- /dev/null +++ b/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/strongswan.conf @@ -0,0 +1,14 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = aes des sha1 sha2 md5 pem pkcs1 dnskey pubkey unbound ipseckey gmp random nonce hmac stroke kernel-netlink socket-default updown attr + + dns1 = PH_IP_WINNETOU + dns2 = PH_IP_VENUS + + plugins { + ipseckey { + enable = yes + } + } +} diff --git a/testing/tests/ikev2/rw-dnssec/posttest.dat b/testing/tests/ikev2/rw-dnssec/posttest.dat new file mode 100644 index 000000000..3d55e09f9 --- /dev/null +++ b/testing/tests/ikev2/rw-dnssec/posttest.dat @@ -0,0 +1,12 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush +moon:rm /etc/resolv.conf +carol:rm /etc/resolv.conf +dave:rm /etc/resolv.conf +moon:rm /etc/ipsec.d/dnssec.key +carol:rm /etc/ipsec.d/dnssec.key +dave:rm /etc/ipse.cd/dnssec.key diff --git a/testing/tests/ikev2/rw-dnssec/pretest.dat b/testing/tests/ikev2/rw-dnssec/pretest.dat new file mode 100644 index 000000000..40eaede87 --- /dev/null +++ b/testing/tests/ikev2/rw-dnssec/pretest.dat @@ -0,0 +1,13 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules +moon::rm /etc/ipsec.d/cacerts/* +carol::rm /etc/ipsec.d/cacerts/* +dave::rm /etc/ipsec.d/cacerts/* +carol::ipsec start +dave::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home +dave::ipsec up home +carol::sleep 1 diff --git a/testing/tests/ikev2/rw-dnssec/test.conf b/testing/tests/ikev2/rw-dnssec/test.conf new file mode 100644 index 000000000..164b07ff9 --- /dev/null +++ b/testing/tests/ikev2/rw-dnssec/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon alice" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/description.txt b/testing/tests/ikev2/rw-eap-framed-ip-radius/description.txt new file mode 100644 index 000000000..46ffc0611 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/description.txt @@ -0,0 +1,9 @@ +The roadwarriors <b>carol</b> an <b>dave</b> set up a connection to gateway +<b>moon</b>. At the outset the gateway authenticates itself to the client by +sending an IKEv2 <b>RSA signature</b> accompanied by a certificate. +<b>carol</b> and <b>dave</b> then use the <b>EAP-MD5</b> protocol to authenticate +against the gateway <b>moon</b>. +<p/> +The roadwarriors <b>carol</b> and <b>dave</b> request a virtual IP which is +assigned by the RADIUS server <b>alice</b> using the <b>Framed-IP-Address</b> +RADIUS attribute. diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-framed-ip-radius/evaltest.dat new file mode 100644 index 000000000..1460ec8f9 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/evaltest.dat @@ -0,0 +1,26 @@ +carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES +moon ::cat /var/log/daemon.log::received EAP identity .*carol::YES +carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES +carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES +moon ::cat /var/log/daemon.log::authentication of .*PH_IP_CAROL.* with EAP successful::YES +moon ::ipsec status 2> /dev/null::rw-eap\[1]: ESTABLISHED.*moon.strongswan.org.*PH_IP_CAROL::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*PH_IP_CAROL.*moon.strongswan.org::YES +moon ::ipsec status 2> /dev/null::rw-eap[{]1}.*INSTALLED, TUNNEL::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES +dave ::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA signature successful::YES +moon ::cat /var/log/daemon.log::received EAP identity .*dave::YES +dave ::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES +dave ::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with EAP successful::YES +moon ::cat /var/log/daemon.log::authentication of .*PH_IP_DAVE.* with EAP successful::YES +moon ::ipsec status 2> /dev/null::rw-eap\[2]: ESTABLISHED.*moon.strongswan.org.*PH_IP_DAVE::YES +dave ::ipsec status 2> /dev/null::home.*ESTABLISHED.*PH_IP_DAVE.*moon.strongswan.org::YES +moon ::ipsec status 2> /dev/null::rw-eap[{]2}.*INSTALLED, TUNNEL::YES +dave ::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +dave ::cat /var/log/daemon.log::installing new virtual IP 10.3.0.2::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/eap.conf b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/eap.conf new file mode 100644 index 000000000..623f42904 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/eap.conf @@ -0,0 +1,5 @@ +eap { + default_eap_type = md5 + md5 { + } +} diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/proxy.conf new file mode 100644 index 000000000..783587b55 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/proxy.conf @@ -0,0 +1,5 @@ +realm LOCAL { + type = radius + authhost = LOCAL + accthost = LOCAL +} diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/sites-available/default new file mode 100644 index 000000000..a67a5dcb4 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/sites-available/default @@ -0,0 +1,42 @@ +authorize { + eap { + ok = return + } + files +} + +authenticate { + eap +} + +preacct { + preprocess + acct_unique + suffix + files +} + +accounting { + detail + unix + radutmp + attr_filter.accounting_response +} + +session { + radutmp +} + +post-auth { + exec + Post-Auth-Type REJECT { + attr_filter.access_reject + } +} + +pre-proxy { +} + +post-proxy { + eap +} diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/users b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/users new file mode 100644 index 000000000..ba92f0080 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/alice/etc/freeradius/users @@ -0,0 +1,4 @@ +carol Cleartext-Password := "Ar3etTnp" + Framed-IP-Address = 10.3.0.1 +dave Cleartext-Password := "W7R0g3do" + Framed-IP-Address = 10.3.0.2 diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/carol/etc/ipsec.conf new file mode 100644 index 000000000..ed908db4d --- /dev/null +++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/carol/etc/ipsec.conf @@ -0,0 +1,22 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=%any + leftauth=eap + leftfirewall=yes + leftsourceip=%config + eap_identity=carol + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightauth=pubkey + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..23d79cf2e --- /dev/null +++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +carol : EAP "Ar3etTnp" diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..b1b418060 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 eap-identity updown +} diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/dave/etc/ipsec.conf new file mode 100644 index 000000000..97aa8bbff --- /dev/null +++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/dave/etc/ipsec.conf @@ -0,0 +1,22 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=%any + leftauth=eap + leftfirewall=yes + leftsourceip=%config + eap_identity=dave + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightauth=pubkey + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/dave/etc/ipsec.secrets new file mode 100644 index 000000000..02e0c9963 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/dave/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +dave : EAP "W7R0g3do" diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..b1b418060 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/dave/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 eap-identity updown +} diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..a3299393a --- /dev/null +++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/moon/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn rw-eap + left=PH_IP_MOON + leftid=@moon.strongswan.org + leftcert=moonCert.pem + leftauth=pubkey + leftsubnet=10.1.0.0/16 + leftfirewall=yes + rightsendcert=never + rightauth=eap-radius + rightsourceip=%radius + eap_identity=%any + right=%any + auto=add diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..e86d6aa5c --- /dev/null +++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA moonKey.pem diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/moon/etc/iptables.rules new file mode 100644 index 000000000..1eb755354 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/moon/etc/iptables.rules @@ -0,0 +1,32 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow esp +-A INPUT -i eth0 -p 50 -j ACCEPT +-A OUTPUT -o eth0 -p 50 -j ACCEPT + +# allow IKE +-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow crl fetch from winnetou +-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT +-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + +# allow RADIUS protocol with alice +-A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT +-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT + +COMMIT diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..4297a3056 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/moon/etc/strongswan.conf @@ -0,0 +1,12 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius eap-identity updown + plugins { + eap-radius { + class_group = yes + secret = gv6URkSs + server = PH_IP_ALICE + } + } +} diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/posttest.dat b/testing/tests/ikev2/rw-eap-framed-ip-radius/posttest.dat new file mode 100644 index 000000000..670d2e72f --- /dev/null +++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/posttest.dat @@ -0,0 +1,7 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +alice::killall radiusd +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/pretest.dat b/testing/tests/ikev2/rw-eap-framed-ip-radius/pretest.dat new file mode 100644 index 000000000..698a719f7 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/pretest.dat @@ -0,0 +1,11 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules +alice::radiusd +moon::ipsec start +carol::ipsec start +dave::ipsec start +carol::sleep 1 +carol::ipsec up home +dave::ipsec up home +dave::sleep 1 diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/test.conf b/testing/tests/ikev2/rw-eap-framed-ip-radius/test.conf new file mode 100644 index 000000000..5dfb41723 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/test.conf @@ -0,0 +1,26 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice venus moon carol winnetou moon" + +# Corresponding block diagram +# +DIAGRAM="a-v-m-c-w-d.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" + +# Guest instances on which FreeRadius is started +# +RADIUSHOSTS="alice" + diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-radius-accounting/hosts/carol/etc/ipsec.conf index 881971e80..438e1c14c 100644 --- a/testing/tests/ikev2/rw-radius-accounting/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-radius-accounting/hosts/carol/etc/ipsec.conf @@ -15,6 +15,7 @@ conn home leftid=carol@strongswan.org leftauth=eap leftfirewall=yes + leftsourceip=%config,%config6 eap_identity=carol right=PH_IP_MOON rightid=@moon.strongswan.org diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/ipsec.conf index 8ce1721f5..7d4f94f48 100644 --- a/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/ipsec.conf @@ -19,6 +19,7 @@ conn rw-eap rightid=*@strongswan.org rightsendcert=never rightauth=eap-radius + rightsourceip=10.3.0.0/24,fec3::0/120 eap_identity=%any right=%any auto=add diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/description.txt b/testing/tests/openssl-ikev2/alg-aes-gcm/description.txt new file mode 100644 index 000000000..cfa7a11b9 --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-aes-gcm/description.txt @@ -0,0 +1,16 @@ +The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>openssl</b> +plugin based on the <b>OpenSSL</b> library for all cryptographical and X.509 certificate +functions whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b> cryptographical +plugins <b>aes des sha1 sha2 md5 gmp hmac gcm</b> and <b>x509</b>. +<p/> +Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the cipher suite +<b>AES_GCM_16_256</b> both for IKE and ESP by defining <b>ike=aes256gcm16-prfsha512-modp2048</b> +(or alternatively <b>aes256gcm128</b>) and <b>esp=aes256gcm16-modp2048</b> in ipsec.conf, +respectively. +<p/> +Roadwarrior <b>dave</b> proposes to gateway <b>moon</b> the cipher suite +<b>AES_GCM_16_128</b> both for IKE and ESP by defining <b>ike=aes128gcm16-prfsha256-modp1536</b> +(or alternatively <b>aes128gcm128</b>) and <b>esp=aes128gcm16-modp1536</b> in ipsec.conf, +respectively. +<p/> +A ping by <b>carol</b> and <b>dave</b> to <b>alice</b> successfully checks the established tunnels. diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/evaltest.dat b/testing/tests/openssl-ikev2/alg-aes-gcm/evaltest.dat new file mode 100644 index 000000000..4cf89b765 --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-aes-gcm/evaltest.dat @@ -0,0 +1,26 @@ +moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES +dave:: ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_req=1::YES +moon:: ipsec statusall 2> /dev/null::rw\[1].*IKE proposal: AES_GCM_16_256::YES +moon:: ipsec statusall 2> /dev/null::rw\[2].*IKE proposal: AES_GCM_16_128::YES +carol::ipsec statusall 2> /dev/null::IKE proposal: AES_GCM_16_256::YES +dave:: ipsec statusall 2> /dev/null::IKE proposal: AES_GCM_16_128::YES +moon:: ipsec statusall 2> /dev/null::rw[{]1}.*AES_GCM_16_256,::YES +moon:: ipsec statusall 2> /dev/null::rw[{]2}.*AES_GCM_16_128,::YES +carol::ipsec statusall 2> /dev/null::AES_GCM_16_256,::YES +dave:: ipsec statusall 2> /dev/null::AES_GCM_16_128,::YES +moon:: ip xfrm state::aead rfc4106(gcm(aes))::YES +carol::ip xfrm state::aead rfc4106(gcm(aes))::YES +dave:: ip xfrm state::aead rfc4106(gcm(aes))::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 184::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 184::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP.*length 184::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP.*length 184::YES + diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/carol/etc/ipsec.conf new file mode 100644 index 000000000..c0016ff61 --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/carol/etc/ipsec.conf @@ -0,0 +1,22 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + ike=aes256gcm128-prfsha512-modp2048! + esp=aes256gcm128-modp2048! + +conn home + left=PH_IP_CAROL + leftfirewall=yes + leftcert=carolCert.pem + leftid=carol@strongswan.org + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..5481f7b72 --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl pem pkcs1 random nonce revocation openssl stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/dave/etc/ipsec.conf new file mode 100644 index 000000000..335eda02c --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/dave/etc/ipsec.conf @@ -0,0 +1,22 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + ike=aes128gcm128-prfsha256-modp1536! + esp=aes128gcm128-modp1536! + +conn home + left=PH_IP_DAVE + leftfirewall=yes + leftcert=daveCert.pem + leftid=dave@strongswan.org + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..564e4ea8c --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/dave/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac gcm stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..566298bed --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/moon/etc/ipsec.conf @@ -0,0 +1,21 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + ike=aes256gcm16-prfsha512-modp2048,aes128gcm16-prfsha256-modp1536! + esp=aes256gcm16-modp2048,aes128gcm16-modp1536! + +conn rw + left=PH_IP_MOON + leftfirewall=yes + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + right=%any + auto=add diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..5481f7b72 --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-aes-gcm/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl pem pkcs1 random nonce revocation openssl stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/posttest.dat b/testing/tests/openssl-ikev2/alg-aes-gcm/posttest.dat new file mode 100644 index 000000000..1865a1c60 --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-aes-gcm/posttest.dat @@ -0,0 +1,6 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/pretest.dat b/testing/tests/openssl-ikev2/alg-aes-gcm/pretest.dat new file mode 100644 index 000000000..972d93053 --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-aes-gcm/pretest.dat @@ -0,0 +1,9 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules +moon::ipsec start +carol::ipsec start +dave::ipsec start +carol::sleep 1 +carol::ipsec up home +dave::ipsec up home diff --git a/testing/tests/openssl-ikev2/alg-aes-gcm/test.conf b/testing/tests/openssl-ikev2/alg-aes-gcm/test.conf new file mode 100644 index 000000000..c3f38054b --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-aes-gcm/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon carol dave winnetou" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/tkm/host2host-initiator/description.txt b/testing/tests/tkm/host2host-initiator/description.txt new file mode 100644 index 000000000..467693b1e --- /dev/null +++ b/testing/tests/tkm/host2host-initiator/description.txt @@ -0,0 +1,3 @@ +A connection between the hosts <b>moon</b> and <b>sun</b> is set up. The host +<b>moon</b> uses the Trusted Key Manager (TKM) and is the initiator of the +transport connection. The authentication is based on X.509 certificates. diff --git a/testing/tests/tkm/host2host-initiator/evaltest.dat b/testing/tests/tkm/host2host-initiator/evaltest.dat new file mode 100644 index 000000000..d8d44dff6 --- /dev/null +++ b/testing/tests/tkm/host2host-initiator/evaltest.dat @@ -0,0 +1,12 @@ +moon::ipsec stroke status 2> /dev/null::conn1.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES +sun::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES +moon::ipsec stroke status 2> /dev/null::conn1.*INSTALLED, TRANSPORT::YES +sun::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES +moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES +moon::cat /tmp/tkm.log::RSA private key '/etc/tkm/moonKey.der' loaded::YES +moon::cat /tmp/tkm.log::Adding policy \[ 1, 192.168.0.1 <-> 192.168.0.2 \]::YES +moon::cat /tmp/tkm.log::Checked CA certificate of CC context 1::YES +moon::cat /tmp/tkm.log::Authentication of ISA context 1 successful::YES +moon::cat /tmp/tkm.log::Adding SA \[ 1, 192.168.0.1 <-> 192.168.0.2, SPI_in.*, SPI_out.*, soft 30, hard 60 \]::YES diff --git a/testing/tests/tkm/host2host-initiator/hosts/moon/etc/tkm/moonKey.der b/testing/tests/tkm/host2host-initiator/hosts/moon/etc/tkm/moonKey.der Binary files differnew file mode 100644 index 000000000..97f0963f8 --- /dev/null +++ b/testing/tests/tkm/host2host-initiator/hosts/moon/etc/tkm/moonKey.der diff --git a/testing/tests/tkm/host2host-initiator/hosts/moon/etc/tkm/strongswanCert.der b/testing/tests/tkm/host2host-initiator/hosts/moon/etc/tkm/strongswanCert.der Binary files differnew file mode 100644 index 000000000..a5a631f4b --- /dev/null +++ b/testing/tests/tkm/host2host-initiator/hosts/moon/etc/tkm/strongswanCert.der diff --git a/testing/tests/tkm/host2host-initiator/hosts/moon/etc/tkm/tkm.conf b/testing/tests/tkm/host2host-initiator/hosts/moon/etc/tkm/tkm.conf new file mode 100644 index 000000000..2619c0089 --- /dev/null +++ b/testing/tests/tkm/host2host-initiator/hosts/moon/etc/tkm/tkm.conf @@ -0,0 +1,21 @@ +<tkmconfig> + <local_identity id="1"> + <identity>moon.strongswan.org</identity> + <certificate>moonCert.pem</certificate> + </local_identity> + <policy id="1"> + <mode>transport</mode> + <local> + <identity_id>1</identity_id> + <ip>192.168.0.1</ip> + </local> + <remote> + <identity>sun.strongswan.org</identity> + <ip>192.168.0.2</ip> + </remote> + <lifetime> + <soft>30</soft> + <hard>60</hard> + </lifetime> + </policy> +</tkmconfig> diff --git a/testing/tests/tkm/host2host-initiator/hosts/sun/etc/ipsec.conf b/testing/tests/tkm/host2host-initiator/hosts/sun/etc/ipsec.conf new file mode 100644 index 000000000..4ad0aa7db --- /dev/null +++ b/testing/tests/tkm/host2host-initiator/hosts/sun/etc/ipsec.conf @@ -0,0 +1,20 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn host-host + left=PH_IP_SUN + leftcert=sunCert.pem + leftid=sun.strongswan.org + right=PH_IP_MOON + rightid=moon.strongswan.org + ike=aes256-sha512-modp4096! + esp=aes256-sha512-modp4096! + auto=add diff --git a/testing/tests/tkm/host2host-initiator/hosts/sun/etc/strongswan.conf b/testing/tests/tkm/host2host-initiator/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..dc937641c --- /dev/null +++ b/testing/tests/tkm/host2host-initiator/hosts/sun/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/tkm/host2host-initiator/posttest.dat b/testing/tests/tkm/host2host-initiator/posttest.dat new file mode 100644 index 000000000..34037bc23 --- /dev/null +++ b/testing/tests/tkm/host2host-initiator/posttest.dat @@ -0,0 +1,4 @@ +moon::DAEMON_NAME=charon-tkm ipsec stop +moon::killall tkm_keymanager +moon::rm -f /tmp/tkm.rpc.ike /tmp/tkm.rpc.ees /tmp/tkm.log +sun::ipsec stop diff --git a/testing/tests/tkm/host2host-initiator/pretest.dat b/testing/tests/tkm/host2host-initiator/pretest.dat new file mode 100644 index 000000000..7cb90ac26 --- /dev/null +++ b/testing/tests/tkm/host2host-initiator/pretest.dat @@ -0,0 +1,10 @@ +moon::rm /etc/ipsec.secrets +moon::tkm_cfgtool -c /etc/tkm/tkm.conf -i /etc/ipsec.conf -t /etc/tkm/tkm.bin -s /usr/local/share/tkm/tkmconfig.xsd +moon::cat /etc/ipsec.conf +moon::tkm_keymanager -c /etc/tkm/tkm.bin -k /etc/tkm/moonKey.der -r /etc/tkm/strongswanCert.der >/tmp/tkm.log 2>&1 & +moon::expect-file /tmp/tkm.rpc.ike +moon::DAEMON_NAME=charon-tkm ipsec start +sun::ipsec start +sun::expect-connection host-host +moon::DAEMON_NAME=charon-tkm expect-connection conn1 +moon::DAEMON_NAME=charon-tkm ipsec up conn1 diff --git a/testing/tests/tkm/host2host-initiator/test.conf b/testing/tests/tkm/host2host-initiator/test.conf new file mode 100644 index 000000000..9647dc6a2 --- /dev/null +++ b/testing/tests/tkm/host2host-initiator/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="moon winnetou sun" + +# Corresponding block diagram +# +DIAGRAM="m-w-s.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" diff --git a/testing/tests/tkm/host2host-responder/description.txt b/testing/tests/tkm/host2host-responder/description.txt new file mode 100644 index 000000000..72eabdb6c --- /dev/null +++ b/testing/tests/tkm/host2host-responder/description.txt @@ -0,0 +1,3 @@ +A connection between the hosts <b>moon</b> and <b>sun</b> is set up. The host +<b>moon</b> uses the Trusted Key Manager (TKM) and is the responder of the +transport connection. The authentication is based on X.509 certificates. diff --git a/testing/tests/tkm/host2host-responder/evaltest.dat b/testing/tests/tkm/host2host-responder/evaltest.dat new file mode 100644 index 000000000..d8d44dff6 --- /dev/null +++ b/testing/tests/tkm/host2host-responder/evaltest.dat @@ -0,0 +1,12 @@ +moon::ipsec stroke status 2> /dev/null::conn1.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES +sun::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES +moon::ipsec stroke status 2> /dev/null::conn1.*INSTALLED, TRANSPORT::YES +sun::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES +moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES +moon::cat /tmp/tkm.log::RSA private key '/etc/tkm/moonKey.der' loaded::YES +moon::cat /tmp/tkm.log::Adding policy \[ 1, 192.168.0.1 <-> 192.168.0.2 \]::YES +moon::cat /tmp/tkm.log::Checked CA certificate of CC context 1::YES +moon::cat /tmp/tkm.log::Authentication of ISA context 1 successful::YES +moon::cat /tmp/tkm.log::Adding SA \[ 1, 192.168.0.1 <-> 192.168.0.2, SPI_in.*, SPI_out.*, soft 30, hard 60 \]::YES diff --git a/testing/tests/tkm/host2host-responder/hosts/moon/etc/tkm/moonKey.der b/testing/tests/tkm/host2host-responder/hosts/moon/etc/tkm/moonKey.der Binary files differnew file mode 100644 index 000000000..97f0963f8 --- /dev/null +++ b/testing/tests/tkm/host2host-responder/hosts/moon/etc/tkm/moonKey.der diff --git a/testing/tests/tkm/host2host-responder/hosts/moon/etc/tkm/strongswanCert.der b/testing/tests/tkm/host2host-responder/hosts/moon/etc/tkm/strongswanCert.der Binary files differnew file mode 100644 index 000000000..a5a631f4b --- /dev/null +++ b/testing/tests/tkm/host2host-responder/hosts/moon/etc/tkm/strongswanCert.der diff --git a/testing/tests/tkm/host2host-responder/hosts/moon/etc/tkm/tkm.conf b/testing/tests/tkm/host2host-responder/hosts/moon/etc/tkm/tkm.conf new file mode 100644 index 000000000..2619c0089 --- /dev/null +++ b/testing/tests/tkm/host2host-responder/hosts/moon/etc/tkm/tkm.conf @@ -0,0 +1,21 @@ +<tkmconfig> + <local_identity id="1"> + <identity>moon.strongswan.org</identity> + <certificate>moonCert.pem</certificate> + </local_identity> + <policy id="1"> + <mode>transport</mode> + <local> + <identity_id>1</identity_id> + <ip>192.168.0.1</ip> + </local> + <remote> + <identity>sun.strongswan.org</identity> + <ip>192.168.0.2</ip> + </remote> + <lifetime> + <soft>30</soft> + <hard>60</hard> + </lifetime> + </policy> +</tkmconfig> diff --git a/testing/tests/tkm/host2host-responder/hosts/sun/etc/ipsec.conf b/testing/tests/tkm/host2host-responder/hosts/sun/etc/ipsec.conf new file mode 100644 index 000000000..6681dad11 --- /dev/null +++ b/testing/tests/tkm/host2host-responder/hosts/sun/etc/ipsec.conf @@ -0,0 +1,21 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn host-host + left=PH_IP_SUN + leftcert=sunCert.pem + leftid=sun.strongswan.org + right=PH_IP_MOON + rightid=moon.strongswan.org + ike=aes256-sha512-modp4096! + esp=aes256-sha512-modp4096! + auto=add + type=transport diff --git a/testing/tests/tkm/host2host-responder/hosts/sun/etc/strongswan.conf b/testing/tests/tkm/host2host-responder/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..dc937641c --- /dev/null +++ b/testing/tests/tkm/host2host-responder/hosts/sun/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/tkm/host2host-responder/posttest.dat b/testing/tests/tkm/host2host-responder/posttest.dat new file mode 100644 index 000000000..34037bc23 --- /dev/null +++ b/testing/tests/tkm/host2host-responder/posttest.dat @@ -0,0 +1,4 @@ +moon::DAEMON_NAME=charon-tkm ipsec stop +moon::killall tkm_keymanager +moon::rm -f /tmp/tkm.rpc.ike /tmp/tkm.rpc.ees /tmp/tkm.log +sun::ipsec stop diff --git a/testing/tests/tkm/host2host-responder/pretest.dat b/testing/tests/tkm/host2host-responder/pretest.dat new file mode 100644 index 000000000..40e84453f --- /dev/null +++ b/testing/tests/tkm/host2host-responder/pretest.dat @@ -0,0 +1,10 @@ +moon::rm /etc/ipsec.secrets +moon::tkm_cfgtool -c /etc/tkm/tkm.conf -i /etc/ipsec.conf -t /etc/tkm/tkm.bin -s /usr/local/share/tkm/tkmconfig.xsd +moon::cat /etc/ipsec.conf +moon::tkm_keymanager -c /etc/tkm/tkm.bin -k /etc/tkm/moonKey.der -r /etc/tkm/strongswanCert.der >/tmp/tkm.log 2>&1 & +moon::expect-file /tmp/tkm.rpc.ike +moon::DAEMON_NAME=charon-tkm ipsec start +sun::ipsec start +sun::expect-connection host-host +moon::DAEMON_NAME=charon-tkm expect-connection conn1 +sun::ipsec up host-host diff --git a/testing/tests/tkm/host2host-responder/test.conf b/testing/tests/tkm/host2host-responder/test.conf new file mode 100644 index 000000000..9647dc6a2 --- /dev/null +++ b/testing/tests/tkm/host2host-responder/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="moon winnetou sun" + +# Corresponding block diagram +# +DIAGRAM="m-w-s.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" diff --git a/testing/tests/tkm/host2host-xfrmproxy/description.txt b/testing/tests/tkm/host2host-xfrmproxy/description.txt new file mode 100644 index 000000000..b728a317d --- /dev/null +++ b/testing/tests/tkm/host2host-xfrmproxy/description.txt @@ -0,0 +1,5 @@ +A transport connection between the hosts <b>moon</b> and <b>sun</b> is set up. +The host <b>moon</b> starts the Trusted Key Manager (TKM) and the Ada XFRM +proxy, which relays XFRM kernel messages to charon. The authentication is based +on X.509 certificates. The connection is initiated by a ping from <b>moon</b> to +<b>sun</b>. diff --git a/testing/tests/tkm/host2host-xfrmproxy/evaltest.dat b/testing/tests/tkm/host2host-xfrmproxy/evaltest.dat new file mode 100644 index 000000000..7c8c6b24a --- /dev/null +++ b/testing/tests/tkm/host2host-xfrmproxy/evaltest.dat @@ -0,0 +1,13 @@ +moon::ipsec stroke status 2> /dev/null::conn1.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES +sun::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES +moon::ipsec stroke status 2> /dev/null::conn1.*INSTALLED, TRANSPORT::YES +sun::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES +moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES +moon::cat /tmp/tkm.log::RSA private key '/etc/tkm/moonKey.der' loaded::YES +moon::cat /tmp/tkm.log::Adding policy \[ 1, 192.168.0.1 <-> 192.168.0.2 \]::YES +moon::cat /tmp/tkm.log::Checked CA certificate of CC context 1::YES +moon::cat /tmp/tkm.log::Authentication of ISA context 1 successful::YES +moon::cat /tmp/tkm.log::Adding SA \[ 1, 192.168.0.1 <-> 192.168.0.2, SPI_in.*, SPI_out.*, soft 30, hard 60 \]::YES +moon::cat /tmp/xfrm_proxy.log::Initiating ESA acquire for reqid 1::YES diff --git a/testing/tests/tkm/host2host-xfrmproxy/hosts/moon/etc/tkm/moonKey.der b/testing/tests/tkm/host2host-xfrmproxy/hosts/moon/etc/tkm/moonKey.der Binary files differnew file mode 100644 index 000000000..97f0963f8 --- /dev/null +++ b/testing/tests/tkm/host2host-xfrmproxy/hosts/moon/etc/tkm/moonKey.der diff --git a/testing/tests/tkm/host2host-xfrmproxy/hosts/moon/etc/tkm/strongswanCert.der b/testing/tests/tkm/host2host-xfrmproxy/hosts/moon/etc/tkm/strongswanCert.der Binary files differnew file mode 100644 index 000000000..a5a631f4b --- /dev/null +++ b/testing/tests/tkm/host2host-xfrmproxy/hosts/moon/etc/tkm/strongswanCert.der diff --git a/testing/tests/tkm/host2host-xfrmproxy/hosts/moon/etc/tkm/tkm.conf b/testing/tests/tkm/host2host-xfrmproxy/hosts/moon/etc/tkm/tkm.conf new file mode 100644 index 000000000..2619c0089 --- /dev/null +++ b/testing/tests/tkm/host2host-xfrmproxy/hosts/moon/etc/tkm/tkm.conf @@ -0,0 +1,21 @@ +<tkmconfig> + <local_identity id="1"> + <identity>moon.strongswan.org</identity> + <certificate>moonCert.pem</certificate> + </local_identity> + <policy id="1"> + <mode>transport</mode> + <local> + <identity_id>1</identity_id> + <ip>192.168.0.1</ip> + </local> + <remote> + <identity>sun.strongswan.org</identity> + <ip>192.168.0.2</ip> + </remote> + <lifetime> + <soft>30</soft> + <hard>60</hard> + </lifetime> + </policy> +</tkmconfig> diff --git a/testing/tests/tkm/host2host-xfrmproxy/hosts/sun/etc/ipsec.conf b/testing/tests/tkm/host2host-xfrmproxy/hosts/sun/etc/ipsec.conf new file mode 100644 index 000000000..4ad0aa7db --- /dev/null +++ b/testing/tests/tkm/host2host-xfrmproxy/hosts/sun/etc/ipsec.conf @@ -0,0 +1,20 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn host-host + left=PH_IP_SUN + leftcert=sunCert.pem + leftid=sun.strongswan.org + right=PH_IP_MOON + rightid=moon.strongswan.org + ike=aes256-sha512-modp4096! + esp=aes256-sha512-modp4096! + auto=add diff --git a/testing/tests/tkm/host2host-xfrmproxy/hosts/sun/etc/strongswan.conf b/testing/tests/tkm/host2host-xfrmproxy/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..dc937641c --- /dev/null +++ b/testing/tests/tkm/host2host-xfrmproxy/hosts/sun/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/tkm/host2host-xfrmproxy/posttest.dat b/testing/tests/tkm/host2host-xfrmproxy/posttest.dat new file mode 100644 index 000000000..99efe7b00 --- /dev/null +++ b/testing/tests/tkm/host2host-xfrmproxy/posttest.dat @@ -0,0 +1,5 @@ +moon::DAEMON_NAME=charon-tkm ipsec stop +moon::killall xfrm_proxy +moon::killall tkm_keymanager +moon::rm -f /tmp/tkm.rpc.ike /tmp/tkm.rpc.ees /tmp/tkm.log /tmp/xfrm_proxy.log +sun::ipsec stop diff --git a/testing/tests/tkm/host2host-xfrmproxy/pretest.dat b/testing/tests/tkm/host2host-xfrmproxy/pretest.dat new file mode 100644 index 000000000..d645ddbfe --- /dev/null +++ b/testing/tests/tkm/host2host-xfrmproxy/pretest.dat @@ -0,0 +1,12 @@ +sun::ipsec start +moon::rm /etc/ipsec.secrets +moon::tkm_cfgtool -c /etc/tkm/tkm.conf -i /etc/ipsec.conf -t /etc/tkm/tkm.bin -s /usr/local/share/tkm/tkmconfig.xsd +moon::cat /etc/ipsec.conf +moon::tkm_keymanager -c /etc/tkm/tkm.bin -k /etc/tkm/moonKey.der -r /etc/tkm/strongswanCert.der >/tmp/tkm.log 2>&1 & +moon::expect-file /tmp/tkm.rpc.ike +moon::DAEMON_NAME=charon-tkm ipsec start +moon::expect-file /tmp/tkm.rpc.ees +moon::xfrm_proxy >/tmp/xfrm_proxy.log 2>&1 & +moon::DAEMON_NAME=charon-tkm expect-connection conn1 +sun::expect-connection host-host +moon::ping -c 3 192.168.0.2 diff --git a/testing/tests/tkm/host2host-xfrmproxy/test.conf b/testing/tests/tkm/host2host-xfrmproxy/test.conf new file mode 100644 index 000000000..9647dc6a2 --- /dev/null +++ b/testing/tests/tkm/host2host-xfrmproxy/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="moon winnetou sun" + +# Corresponding block diagram +# +DIAGRAM="m-w-s.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" diff --git a/testing/tests/tkm/multiple-clients/description.txt b/testing/tests/tkm/multiple-clients/description.txt new file mode 100644 index 000000000..c8e72d51d --- /dev/null +++ b/testing/tests/tkm/multiple-clients/description.txt @@ -0,0 +1,5 @@ +Two transport connections to gateway <b>sun</b> are set up, one from client +<b>carol</b> and the other from client <b>dave</b>. The gateway <b>sun</b> uses +the Trusted Key Manager (TKM) and is the responder for both connections. The +authentication is based on X.509 certificates. In order to test the connections, +both <b>carol</b> and <b>dave</b> ping gateway <b>sun</b>. diff --git a/testing/tests/tkm/multiple-clients/evaltest.dat b/testing/tests/tkm/multiple-clients/evaltest.dat new file mode 100644 index 000000000..8e0042102 --- /dev/null +++ b/testing/tests/tkm/multiple-clients/evaltest.dat @@ -0,0 +1,23 @@ +sun::ipsec stroke status 2> /dev/null::conn1.*ESTABLISHED.*sun.strongswan.org.*carol.strongswan.org::YES +sun::ipsec stroke status 2> /dev/null::conn2.*ESTABLISHED.*sun.strongswan.org.*dave.strongswan.org::YES +carol::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*carol.strongswan.org.*sun.strongswan.org::YES +dave::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*dave.strongswan.org.*sun.strongswan.org::YES +sun::ipsec stroke status 2> /dev/null::conn1.*INSTALLED, TRANSPORT::YES +sun::ipsec stroke status 2> /dev/null::conn2.*INSTALLED, TRANSPORT::YES +carol::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES +dave::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES +carol::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::YES +dave::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::YES +carol::tcpdump::IP carol.strongswan.org > sun.strongswan.org: ESP::YES +carol::tcpdump::IP sun.strongswan.org > carol.strongswan.org: ESP::YES +dave::tcpdump::IP dave.strongswan.org > sun.strongswan.org: ESP::YES +dave::tcpdump::IP sun.strongswan.org > dave.strongswan.org: ESP::YES +sun::cat /tmp/tkm.log::RSA private key '/etc/tkm/sunKey.der' loaded::YES +sun::cat /tmp/tkm.log::Adding policy \[ 1, 192.168.0.2 <-> 192.168.0.100 \]::YES +sun::cat /tmp/tkm.log::Adding policy \[ 2, 192.168.0.2 <-> 192.168.0.200 \]::YES +sun::cat /tmp/tkm.log::Checked CA certificate of CC context 1::YES +sun::cat /tmp/tkm.log::Checked CA certificate of CC context 2::YES +sun::cat /tmp/tkm.log::Authentication of ISA context 1 successful::YES +sun::cat /tmp/tkm.log::Authentication of ISA context 2 successful::YES +sun::cat /tmp/tkm.log::Adding SA \[ 1, 192.168.0.2 <-> 192.168.0.100, SPI_in.*, SPI_out.*, soft 30, hard 60 \]::YES +sun::cat /tmp/tkm.log::Adding SA \[ 2, 192.168.0.2 <-> 192.168.0.200, SPI_in.*, SPI_out.*, soft 30, hard 60 \]::YES diff --git a/testing/tests/tkm/multiple-clients/hosts/carol/etc/ipsec.conf b/testing/tests/tkm/multiple-clients/hosts/carol/etc/ipsec.conf new file mode 100644 index 000000000..10ee3e89d --- /dev/null +++ b/testing/tests/tkm/multiple-clients/hosts/carol/etc/ipsec.conf @@ -0,0 +1,22 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + mobike=no + +conn host-host + left=PH_IP_CAROL + leftcert=carolCert.pem + leftid=carol@strongswan.org + right=PH_IP_SUN + rightid=sun.strongswan.org + ike=aes256-sha512-modp4096! + esp=aes256-sha512-modp4096! + type=transport + auto=add diff --git a/testing/tests/tkm/multiple-clients/hosts/carol/etc/strongswan.conf b/testing/tests/tkm/multiple-clients/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..ca23c6971 --- /dev/null +++ b/testing/tests/tkm/multiple-clients/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/tkm/multiple-clients/hosts/dave/etc/ipsec.conf b/testing/tests/tkm/multiple-clients/hosts/dave/etc/ipsec.conf new file mode 100644 index 000000000..6ba0a97ce --- /dev/null +++ b/testing/tests/tkm/multiple-clients/hosts/dave/etc/ipsec.conf @@ -0,0 +1,22 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + mobike=no + +conn host-host + left=PH_IP_DAVE + leftcert=daveCert.pem + leftid=dave@strongswan.org + right=PH_IP_SUN + rightid=sun.strongswan.org + ike=aes256-sha512-modp4096! + esp=aes256-sha512-modp4096! + type=transport + auto=add diff --git a/testing/tests/tkm/multiple-clients/hosts/dave/etc/strongswan.conf b/testing/tests/tkm/multiple-clients/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..ca23c6971 --- /dev/null +++ b/testing/tests/tkm/multiple-clients/hosts/dave/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/tkm/multiple-clients/hosts/sun/etc/tkm/strongswanCert.der b/testing/tests/tkm/multiple-clients/hosts/sun/etc/tkm/strongswanCert.der Binary files differnew file mode 100644 index 000000000..a5a631f4b --- /dev/null +++ b/testing/tests/tkm/multiple-clients/hosts/sun/etc/tkm/strongswanCert.der diff --git a/testing/tests/tkm/multiple-clients/hosts/sun/etc/tkm/sunKey.der b/testing/tests/tkm/multiple-clients/hosts/sun/etc/tkm/sunKey.der Binary files differnew file mode 100644 index 000000000..4c47db093 --- /dev/null +++ b/testing/tests/tkm/multiple-clients/hosts/sun/etc/tkm/sunKey.der diff --git a/testing/tests/tkm/multiple-clients/hosts/sun/etc/tkm/tkm.conf b/testing/tests/tkm/multiple-clients/hosts/sun/etc/tkm/tkm.conf new file mode 100644 index 000000000..216625e4c --- /dev/null +++ b/testing/tests/tkm/multiple-clients/hosts/sun/etc/tkm/tkm.conf @@ -0,0 +1,36 @@ +<tkmconfig> + <local_identity id="1"> + <identity>sun.strongswan.org</identity> + <certificate>sunCert.pem</certificate> + </local_identity> + <policy id="1"> + <mode>transport</mode> + <local> + <identity_id>1</identity_id> + <ip>192.168.0.2</ip> + </local> + <remote> + <identity>carol@strongswan.org</identity> + <ip>192.168.0.100</ip> + </remote> + <lifetime> + <soft>30</soft> + <hard>60</hard> + </lifetime> + </policy> + <policy id="2"> + <mode>transport</mode> + <local> + <identity_id>1</identity_id> + <ip>192.168.0.2</ip> + </local> + <remote> + <identity>dave@strongswan.org</identity> + <ip>192.168.0.200</ip> + </remote> + <lifetime> + <soft>30</soft> + <hard>60</hard> + </lifetime> + </policy> +</tkmconfig> diff --git a/testing/tests/tkm/multiple-clients/posttest.dat b/testing/tests/tkm/multiple-clients/posttest.dat new file mode 100644 index 000000000..9a4a9bc9d --- /dev/null +++ b/testing/tests/tkm/multiple-clients/posttest.dat @@ -0,0 +1,5 @@ +sun::DAEMON_NAME=charon-tkm ipsec stop +sun::killall tkm_keymanager +sun::rm -f /tmp/tkm.rpc.ike /tmp/tkm.rpc.ees /tmp/tkm.log +carol::ipsec stop +dave::ipsec stop diff --git a/testing/tests/tkm/multiple-clients/pretest.dat b/testing/tests/tkm/multiple-clients/pretest.dat new file mode 100644 index 000000000..ec83662f5 --- /dev/null +++ b/testing/tests/tkm/multiple-clients/pretest.dat @@ -0,0 +1,14 @@ +sun::rm /etc/ipsec.secrets +sun::tkm_cfgtool -c /etc/tkm/tkm.conf -i /etc/ipsec.conf -t /etc/tkm/tkm.bin -s /usr/local/share/tkm/tkmconfig.xsd +sun::cat /etc/ipsec.conf +sun::tkm_keymanager -c /etc/tkm/tkm.bin -k /etc/tkm/sunKey.der -r /etc/tkm/strongswanCert.der >/tmp/tkm.log 2>&1 & +sun::expect-file /tmp/tkm.rpc.ike +sun::DAEMON_NAME=charon-tkm ipsec start +carol::ipsec start +carol::expect-connection host-host +dave::ipsec start +dave::expect-connection host-host +sun::DAEMON_NAME=charon-tkm expect-connection conn1 +sun::DAEMON_NAME=charon-tkm expect-connection conn2 +carol::ipsec up host-host +dave::ipsec up host-host diff --git a/testing/tests/tkm/multiple-clients/test.conf b/testing/tests/tkm/multiple-clients/test.conf new file mode 100644 index 000000000..1dd36309d --- /dev/null +++ b/testing/tests/tkm/multiple-clients/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="carol dave sun winnetou" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d-s.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="carol dave" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="carol dave sun" diff --git a/testing/tests/tkm/net2net-initiator/description.txt b/testing/tests/tkm/net2net-initiator/description.txt new file mode 100644 index 000000000..40f2a8013 --- /dev/null +++ b/testing/tests/tkm/net2net-initiator/description.txt @@ -0,0 +1,5 @@ +A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> +is set up. The host <b>moon</b> uses the Trusted Key Manager (TKM) and is the +initiator of the tunnel connection. The authentication is based on X.509 +certificates. In order to test the tunnel, client <b>alice</b> behind gateway +<b>moon</b> pings client <b>bob</b> located behind gateway <b>sun</b>. diff --git a/testing/tests/tkm/net2net-initiator/evaltest.dat b/testing/tests/tkm/net2net-initiator/evaltest.dat new file mode 100644 index 000000000..8d4794f0d --- /dev/null +++ b/testing/tests/tkm/net2net-initiator/evaltest.dat @@ -0,0 +1,12 @@ +moon::ipsec stroke status 2> /dev/null::conn1.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES +sun::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES +moon::ipsec stroke status 2> /dev/null::conn1.*INSTALLED, TUNNEL::YES +sun::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES +moon::cat /tmp/tkm.log::RSA private key '/etc/tkm/moonKey.der' loaded::YES +moon::cat /tmp/tkm.log::Adding policy \[ 1, 10.1.0.0/16 > 192.168.0.1 <=> 192.168.0.2 < 10.2.0.0/16 \]::YES +moon::cat /tmp/tkm.log::Checked CA certificate of CC context 1::YES +moon::cat /tmp/tkm.log::Authentication of ISA context 1 successful::YES +moon::cat /tmp/tkm.log::Adding SA \[ 1, 10.1.0.0/16 > 192.168.0.1 <=> 192.168.0.2 < 10.2.0.0/16, SPI_in.*, SPI_out.*, soft 30, hard 60 \]::YES diff --git a/testing/tests/tkm/net2net-initiator/hosts/moon/etc/tkm/moonKey.der b/testing/tests/tkm/net2net-initiator/hosts/moon/etc/tkm/moonKey.der Binary files differnew file mode 100644 index 000000000..97f0963f8 --- /dev/null +++ b/testing/tests/tkm/net2net-initiator/hosts/moon/etc/tkm/moonKey.der diff --git a/testing/tests/tkm/net2net-initiator/hosts/moon/etc/tkm/tkm.conf b/testing/tests/tkm/net2net-initiator/hosts/moon/etc/tkm/tkm.conf new file mode 100644 index 000000000..717b0a6f4 --- /dev/null +++ b/testing/tests/tkm/net2net-initiator/hosts/moon/etc/tkm/tkm.conf @@ -0,0 +1,23 @@ +<tkmconfig> + <local_identity id="1"> + <identity>moon.strongswan.org</identity> + <certificate>moonCert.pem</certificate> + </local_identity> + <policy id="1"> + <mode>tunnel</mode> + <local> + <identity_id>1</identity_id> + <ip>192.168.0.1</ip> + <net mask="16">10.1.0.0</net> + </local> + <remote> + <identity>sun.strongswan.org</identity> + <ip>192.168.0.2</ip> + <net mask="16">10.2.0.0</net> + </remote> + <lifetime> + <soft>30</soft> + <hard>60</hard> + </lifetime> + </policy> +</tkmconfig> diff --git a/testing/tests/tkm/net2net-initiator/hosts/sun/etc/ipsec.conf b/testing/tests/tkm/net2net-initiator/hosts/sun/etc/ipsec.conf new file mode 100644 index 000000000..21b613d20 --- /dev/null +++ b/testing/tests/tkm/net2net-initiator/hosts/sun/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + mobike=no + +conn net-net + left=PH_IP_SUN + leftcert=sunCert.pem + leftid=sun.strongswan.org + leftsubnet=10.2.0.0/16 + right=PH_IP_MOON + rightid=moon.strongswan.org + rightsubnet=10.1.0.0/16 + ike=aes256-sha512-modp4096! + esp=aes256-sha512-modp4096! + auto=add diff --git a/testing/tests/tkm/net2net-initiator/hosts/sun/etc/strongswan.conf b/testing/tests/tkm/net2net-initiator/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..94e0b2a62 --- /dev/null +++ b/testing/tests/tkm/net2net-initiator/hosts/sun/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown + multiple_authentication = no +} diff --git a/testing/tests/tkm/net2net-initiator/posttest.dat b/testing/tests/tkm/net2net-initiator/posttest.dat new file mode 100644 index 000000000..34037bc23 --- /dev/null +++ b/testing/tests/tkm/net2net-initiator/posttest.dat @@ -0,0 +1,4 @@ +moon::DAEMON_NAME=charon-tkm ipsec stop +moon::killall tkm_keymanager +moon::rm -f /tmp/tkm.rpc.ike /tmp/tkm.rpc.ees /tmp/tkm.log +sun::ipsec stop diff --git a/testing/tests/tkm/net2net-initiator/pretest.dat b/testing/tests/tkm/net2net-initiator/pretest.dat new file mode 100644 index 000000000..f84c8fcd2 --- /dev/null +++ b/testing/tests/tkm/net2net-initiator/pretest.dat @@ -0,0 +1,10 @@ +moon::rm /etc/ipsec.secrets +moon::tkm_cfgtool -c /etc/tkm/tkm.conf -i /etc/ipsec.conf -t /etc/tkm/tkm.bin -s /usr/local/share/tkm/tkmconfig.xsd +moon::cat /etc/ipsec.conf +moon::tkm_keymanager -c /etc/tkm/tkm.bin -k /etc/tkm/moonKey.der -r /etc/tkm/strongswanCert.der >/tmp/tkm.log 2>&1 & +moon::expect-file /tmp/tkm.rpc.ike +moon::DAEMON_NAME=charon-tkm ipsec start +sun::ipsec start +sun::expect-connection net-net +moon::DAEMON_NAME=charon-tkm expect-connection conn1 +moon::DAEMON_NAME=charon-tkm ipsec up conn1 diff --git a/testing/tests/tkm/net2net-initiator/test.conf b/testing/tests/tkm/net2net-initiator/test.conf new file mode 100644 index 000000000..afa2accbe --- /dev/null +++ b/testing/tests/tkm/net2net-initiator/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" diff --git a/testing/tests/tkm/net2net-xfrmproxy/description.txt b/testing/tests/tkm/net2net-xfrmproxy/description.txt new file mode 100644 index 000000000..b42c89c52 --- /dev/null +++ b/testing/tests/tkm/net2net-xfrmproxy/description.txt @@ -0,0 +1,6 @@ +A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> +is set up. The host <b>moon</b> starts the Trusted Key Manager (TKM) and the Ada +XFRM proxy, which relays XFRM kernel messages to charon. The authentication is +based on X.509 certificates. In order to test the tunnel, client <b>alice</b> +behind gateway <b>moon</b> pings client <b>bob</b> located behind gateway +<b>sun</b>. diff --git a/testing/tests/tkm/net2net-xfrmproxy/evaltest.dat b/testing/tests/tkm/net2net-xfrmproxy/evaltest.dat new file mode 100644 index 000000000..a38dba0ee --- /dev/null +++ b/testing/tests/tkm/net2net-xfrmproxy/evaltest.dat @@ -0,0 +1,13 @@ +moon::ipsec stroke status 2> /dev/null::conn1.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES +sun::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES +moon::ipsec stroke status 2> /dev/null::conn1.*INSTALLED, TUNNEL::YES +sun::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES +moon::cat /tmp/tkm.log::RSA private key '/etc/tkm/moonKey.der' loaded::YES +moon::cat /tmp/tkm.log::Adding policy \[ 1, 10.1.0.0/16 > 192.168.0.1 <=> 192.168.0.2 < 10.2.0.0/16 \]::YES +moon::cat /tmp/tkm.log::Checked CA certificate of CC context 1::YES +moon::cat /tmp/tkm.log::Authentication of ISA context 1 successful::YES +moon::cat /tmp/tkm.log::Adding SA \[ 1, 10.1.0.0/16 > 192.168.0.1 <=> 192.168.0.2 < 10.2.0.0/16, SPI_in.*, SPI_out.*, soft 30, hard 60 \]::YES +moon::cat /tmp/xfrm_proxy.log::Initiating ESA acquire for reqid 1::YES diff --git a/testing/tests/tkm/net2net-xfrmproxy/hosts/moon/etc/tkm/moonKey.der b/testing/tests/tkm/net2net-xfrmproxy/hosts/moon/etc/tkm/moonKey.der Binary files differnew file mode 100644 index 000000000..97f0963f8 --- /dev/null +++ b/testing/tests/tkm/net2net-xfrmproxy/hosts/moon/etc/tkm/moonKey.der diff --git a/testing/tests/tkm/net2net-xfrmproxy/hosts/moon/etc/tkm/strongswanCert.der b/testing/tests/tkm/net2net-xfrmproxy/hosts/moon/etc/tkm/strongswanCert.der Binary files differnew file mode 100644 index 000000000..a5a631f4b --- /dev/null +++ b/testing/tests/tkm/net2net-xfrmproxy/hosts/moon/etc/tkm/strongswanCert.der diff --git a/testing/tests/tkm/net2net-xfrmproxy/hosts/moon/etc/tkm/tkm.conf b/testing/tests/tkm/net2net-xfrmproxy/hosts/moon/etc/tkm/tkm.conf new file mode 100644 index 000000000..717b0a6f4 --- /dev/null +++ b/testing/tests/tkm/net2net-xfrmproxy/hosts/moon/etc/tkm/tkm.conf @@ -0,0 +1,23 @@ +<tkmconfig> + <local_identity id="1"> + <identity>moon.strongswan.org</identity> + <certificate>moonCert.pem</certificate> + </local_identity> + <policy id="1"> + <mode>tunnel</mode> + <local> + <identity_id>1</identity_id> + <ip>192.168.0.1</ip> + <net mask="16">10.1.0.0</net> + </local> + <remote> + <identity>sun.strongswan.org</identity> + <ip>192.168.0.2</ip> + <net mask="16">10.2.0.0</net> + </remote> + <lifetime> + <soft>30</soft> + <hard>60</hard> + </lifetime> + </policy> +</tkmconfig> diff --git a/testing/tests/tkm/net2net-xfrmproxy/hosts/sun/etc/ipsec.conf b/testing/tests/tkm/net2net-xfrmproxy/hosts/sun/etc/ipsec.conf new file mode 100644 index 000000000..21b613d20 --- /dev/null +++ b/testing/tests/tkm/net2net-xfrmproxy/hosts/sun/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + mobike=no + +conn net-net + left=PH_IP_SUN + leftcert=sunCert.pem + leftid=sun.strongswan.org + leftsubnet=10.2.0.0/16 + right=PH_IP_MOON + rightid=moon.strongswan.org + rightsubnet=10.1.0.0/16 + ike=aes256-sha512-modp4096! + esp=aes256-sha512-modp4096! + auto=add diff --git a/testing/tests/tkm/net2net-xfrmproxy/hosts/sun/etc/strongswan.conf b/testing/tests/tkm/net2net-xfrmproxy/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..94e0b2a62 --- /dev/null +++ b/testing/tests/tkm/net2net-xfrmproxy/hosts/sun/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown + multiple_authentication = no +} diff --git a/testing/tests/tkm/net2net-xfrmproxy/posttest.dat b/testing/tests/tkm/net2net-xfrmproxy/posttest.dat new file mode 100644 index 000000000..24544307a --- /dev/null +++ b/testing/tests/tkm/net2net-xfrmproxy/posttest.dat @@ -0,0 +1,4 @@ +moon::DAEMON_NAME=charon-tkm ipsec stop +moon::killall tkm_keymanager +moon::rm -f /tmp/tkm.rpc.ike /tmp/tkm.rpc.ees /tmp/tkm.log /tmp/xfrm_proxy.log +sun::ipsec stop diff --git a/testing/tests/tkm/net2net-xfrmproxy/pretest.dat b/testing/tests/tkm/net2net-xfrmproxy/pretest.dat new file mode 100644 index 000000000..4732a37f6 --- /dev/null +++ b/testing/tests/tkm/net2net-xfrmproxy/pretest.dat @@ -0,0 +1,12 @@ +sun::ipsec start +moon::rm /etc/ipsec.secrets +moon::tkm_cfgtool -c /etc/tkm/tkm.conf -i /etc/ipsec.conf -t /etc/tkm/tkm.bin -s /usr/local/share/tkm/tkmconfig.xsd +moon::cat /etc/ipsec.conf +moon::tkm_keymanager -c /etc/tkm/tkm.bin -k /etc/tkm/moonKey.der -r /etc/tkm/strongswanCert.der >/tmp/tkm.log 2>&1 & +moon::expect-file /tmp/tkm.rpc.ike +moon::DAEMON_NAME=charon-tkm ipsec start +moon::expect-file /tmp/tkm.rpc.ees +moon::xfrm_proxy >/tmp/xfrm_proxy.log 2>&1 & +moon::DAEMON_NAME=charon-tkm expect-connection conn1 +sun::expect-connection net-net +alice::ping -c 3 PH_IP_BOB diff --git a/testing/tests/tkm/net2net-xfrmproxy/test.conf b/testing/tests/tkm/net2net-xfrmproxy/test.conf new file mode 100644 index 000000000..afa2accbe --- /dev/null +++ b/testing/tests/tkm/net2net-xfrmproxy/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" diff --git a/testing/tests/tnc/tnccs-11-fhh/pretest.dat b/testing/tests/tnc/tnccs-11-fhh/pretest.dat index 997c70a8e..8fab1fb6c 100644 --- a/testing/tests/tnc/tnccs-11-fhh/pretest.dat +++ b/testing/tests/tnc/tnccs-11-fhh/pretest.dat @@ -6,9 +6,9 @@ carol::cat /etc/tnc_config dave::cat /etc/tnc_config carol::cat /etc/tnc/dummyimc.file dave::cat /etc/tnc/dummyimc.file -moon::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start -carol::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start -dave::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start +moon::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start +carol::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start +dave::LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties ipsec start carol::sleep 1 carol::ipsec up home dave::ipsec up home diff --git a/testing/tests/tnc/tnccs-11-radius-block/pretest.dat b/testing/tests/tnc/tnccs-11-radius-block/pretest.dat index c8f2139a8..96163aa36 100644 --- a/testing/tests/tnc/tnccs-11-radius-block/pretest.dat +++ b/testing/tests/tnc/tnccs-11-radius-block/pretest.dat @@ -6,8 +6,8 @@ alice::ln -s /etc/freeradius/sites-available/inner-tunnel-second /etc/freeradius alice::cat /etc/freeradius/sites-enabled/inner-tunnel-second alice::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties radiusd moon::ipsec start -carol::LEAK_DETECTIVE_DISABLE=1 ipsec start -dave::LEAK_DETECTIVE_DISABLE=1 ipsec start +carol::ipsec start +dave::ipsec start carol::sleep 1 carol::ipsec up home dave::ipsec up home diff --git a/testing/tests/tnc/tnccs-11-radius/pretest.dat b/testing/tests/tnc/tnccs-11-radius/pretest.dat index 8f79c776a..71dff71b7 100644 --- a/testing/tests/tnc/tnccs-11-radius/pretest.dat +++ b/testing/tests/tnc/tnccs-11-radius/pretest.dat @@ -8,8 +8,8 @@ alice::cat /etc/tnc_config carol::cat /etc/tnc_config dave::cat /etc/tnc_config moon::ipsec start -carol::LEAK_DETECTIVE_DISABLE=1 ipsec start -dave::LEAK_DETECTIVE_DISABLE=1 ipsec start +carol::ipsec start +dave::ipsec start carol::sleep 1 carol::ipsec up home dave::ipsec up home diff --git a/testing/tests/tnc/tnccs-11/pretest.dat b/testing/tests/tnc/tnccs-11/pretest.dat index 7bfcf0d07..cac1cfafc 100644 --- a/testing/tests/tnc/tnccs-11/pretest.dat +++ b/testing/tests/tnc/tnccs-11/pretest.dat @@ -4,9 +4,9 @@ dave::iptables-restore < /etc/iptables.rules moon::cat /etc/tnc_config carol::cat /etc/tnc_config dave::cat /etc/tnc_config -moon::LEAK_DETECTIVE_DISABLE=1 ipsec start -carol::LEAK_DETECTIVE_DISABLE=1 ipsec start -dave::LEAK_DETECTIVE_DISABLE=1 ipsec start +moon::ipsec start +carol::ipsec start +dave::ipsec start carol::sleep 1 carol::ipsec up home dave::ipsec up home diff --git a/testing/tests/tnc/tnccs-20-pdp/evaltest.dat b/testing/tests/tnc/tnccs-20-pdp/evaltest.dat index e969774c5..f028ec609 100644 --- a/testing/tests/tnc/tnccs-20-pdp/evaltest.dat +++ b/testing/tests/tnc/tnccs-20-pdp/evaltest.dat @@ -7,9 +7,11 @@ dave:: cat /var/log/daemon.log::PB-TNC access recommendation is .*Quarantined::Y dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'allow'::YES -moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES +moon:: cat /var/log/daemon.log::RADIUS authentication of 'carol' successful::YES +moon:: cat /var/log/daemon.log::authentication of '192.168.0.100' with EAP successful::YES moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'isolate'::YES -moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES +moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave' successful::YES +moon:: cat /var/log/daemon.log::authentication of '192.168.0.200' with EAP successful::YES moon:: ipsec statusall 2>/dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES moon:: ipsec statusall 2>/dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.secrets index 96b9a8dd5..11d45cd14 100644 --- a/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.secrets +++ b/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.secrets @@ -2,5 +2,5 @@ : RSA aaaKey.pem -carol@strongswan.org : EAP "Ar3etTnp" -dave@strongswan.org : EAP "W7R0g3do" +carol : EAP "Ar3etTnp" +dave : EAP "W7R0g3do" diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/ipsec.conf index e9152e0d8..59563730b 100644 --- a/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/ipsec.conf +++ b/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/ipsec.conf @@ -12,12 +12,12 @@ conn %default conn home left=PH_IP_CAROL - leftid=carol@strongswan.org leftauth=eap leftfirewall=yes right=PH_IP_MOON rightid=@moon.strongswan.org rightsubnet=10.1.0.0/16 rightauth=pubkey + eap_identity=carol aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org" auto=add diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/ipsec.secrets index 74942afda..23d79cf2e 100644 --- a/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/ipsec.secrets +++ b/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/ipsec.secrets @@ -1,3 +1,3 @@ # /etc/ipsec.secrets - strongSwan IPsec secrets file -carol@strongswan.org : EAP "Ar3etTnp" +carol : EAP "Ar3etTnp" diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/ipsec.conf index 25589bcf1..8c27c78d2 100644 --- a/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/ipsec.conf +++ b/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/ipsec.conf @@ -12,12 +12,12 @@ conn %default conn home left=PH_IP_DAVE - leftid=dave@strongswan.org leftauth=eap leftfirewall=yes right=PH_IP_MOON rightid=@moon.strongswan.org rightsubnet=10.1.0.0/16 rightauth=pubkey + eap_identity=dave aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org" auto=add diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/ipsec.secrets index 5496df7ad..02e0c9963 100644 --- a/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/ipsec.secrets +++ b/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/ipsec.secrets @@ -1,3 +1,3 @@ # /etc/ipsec.secrets - strongSwan IPsec secrets file -dave@strongswan.org : EAP "W7R0g3do" +dave : EAP "W7R0g3do" diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/ipsec.conf index 294964fe7..02ada5665 100644 --- a/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/ipsec.conf +++ b/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/ipsec.conf @@ -28,6 +28,6 @@ conn rw-eap leftauth=pubkey leftfirewall=yes rightauth=eap-radius - rightid=*@strongswan.org rightsendcert=never right=%any + eap_identity=%any diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/strongswan.conf index 15655daf2..d32951866 100644 --- a/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-radius updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-radius updown multiple_authentication=no plugins { eap-radius { diff --git a/testing/tests/tnc/tnccs-20-tls/evaltest.dat b/testing/tests/tnc/tnccs-20-tls/evaltest.dat index bac7294b2..40d5e24d5 100644 --- a/testing/tests/tnc/tnccs-20-tls/evaltest.dat +++ b/testing/tests/tnc/tnccs-20-tls/evaltest.dat @@ -7,9 +7,9 @@ dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established:: dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES moon:: cat /var/log/daemon.log::added group membership 'allow'::YES -moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES +moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org' with EAP successful::YES moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES -moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES +moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org' with EAP successful::YES moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES diff --git a/testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/ipsec.conf index e9b78bc01..eece9f294 100644 --- a/testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/ipsec.conf +++ b/testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/ipsec.conf @@ -13,7 +13,6 @@ conn %default conn home left=PH_IP_CAROL leftcert=carolCert.pem - leftid=carol@strongswan.org leftauth=eap leftfirewall=yes right=PH_IP_MOON diff --git a/testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/ipsec.conf index 75d84e25a..362042656 100644 --- a/testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/ipsec.conf +++ b/testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/ipsec.conf @@ -13,7 +13,6 @@ conn %default conn home left=PH_IP_DAVE leftcert=daveCert.pem - leftid=dave@strongswan.org leftauth=eap leftfirewall=yes right=PH_IP_MOON diff --git a/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/ipsec.conf index 2ffc7e9ae..0ec930286 100644 --- a/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/ipsec.conf +++ b/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/ipsec.conf @@ -29,6 +29,6 @@ conn rw-eap leftauth=eap-ttls leftfirewall=yes rightauth=eap-ttls - rightid=*@strongswan.org + rightid="C=CH, O=Linux strongSwan, OU=*, CN=*" rightsendcert=never right=%any |