diff options
Diffstat (limited to 'testing')
715 files changed, 20349 insertions, 0 deletions
diff --git a/testing/INSTALL b/testing/INSTALL new file mode 100644 index 000000000..dfe21cc04 --- /dev/null +++ b/testing/INSTALL @@ -0,0 +1,150 @@ + + ------------------------------- + strongSwan UML - Installation + ------------------------------- + + +Contents +-------- + + 1. Making the host system UML-capable + 2. Installing the required files + 3. Creating the UML testing environment + + +1. Making the host system UML-capable + ---------------------------------- + + UML instances can be run on both Linux 2.4 and Linux 2.6 kernels. + If you are using a vanilla kernel from kernel.org then you must first + apply the host SKAS patch available from + + http://www.user-mode-linux.org/~blaisorblade/patches/ + + and recompile and reboot your host kernel. Some Linux distributions as e.g. + SuSE already include the SKAS patch in their kernels. + + You will also need the UML utilities (uml_mconsole and uml_switch) + available from + + http://prdownloads.sourceforge.net/user-mode-linux/uml_utilities_20040406.tar.bz2 + + Many Linux distributions offer the UML utilities as a package. + + +2. Installing the required files + ----------------------------- + +First create a directory where you want the strongSwan UML testing environment +to be located.The default directory is "~/strongswan-testing". If you choose a +different location, please adapt the UMLTESTDIR variable in "testing.conf" +accordingly. + + mkdir ~/strongswan-testing + +Now copy the "testing" subdirectory coming with the strongSwan distribution to +the UML testing environment: + + cp -r testing ~/strongswan-testing + +Next you need to copy several files into the ~/strongswan-testing directory that +are required for the strongSwan testing environment: + + * A vanilla Linux kernel on which the UML kernel will be based on. + We recommend the use of + + http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.16.9.tar.bz2 + + * Starting with Linux kernel 2.6.9 no patch must be applied any more in order + to make the vanilla kernel UML-capable. For older kernels you'll find + a matching UML patch at + + http://prdownloads.sourceforge.net/user-mode-linux/ + + * The matching .config file required to compile the UML kernel: + + http://download.strongswan.org/uml/.config-2.6.16 + + * A gentoo-based UML file system (compressed size 130 MBytes) found at + + http://download.strongswan.org/uml/gentoo-fs-20060330.tar.bz2 + + * The latest strongSwan distribution + + http://download.strongswan.org/strongswan-2.7.0.tar.gz + + +3. Creating the environment + ------------------------ + +Now change into the testing subdirectory + + cd ~/strongswan-testing/testing + +and make the UML testing environment: + + ./make-testing <hosts> + +The "make-testing" script calls a series of subscripts which can be +enabled or disabled individually by setting the corresponding flags +in "testing.conf": + + if [ $ENABLE_BUILD_UMLKERNEL = "yes" ] + then + scripts/build-umlkernel + fi + +builds an UML kernel out of the vanilla Linux kernel and the corresponding +UML kernel patch. + + if [ $ENABLE_BUILD_HOSTCONFIG = "yes" ] + then + scripts/build-hostconfig + fi + +generates the default configurations for the UML hosts alice, venus, moon, +carol, winnetou, dave, sun, and bob by replacing the wildcards PH_IP_ALICE, +etc. by the actual IP addresses defined in "testing.conf". + + if [ $ENABLE_BUILD_UMLROOTFS = "yes" ] + then + scripts/build-umlrootfs + fi + +takes the gentoo-based UML file system and compiles the latest strongSwan +distribution into it. + + if [ $ENABLE_BUILD_SSHKEYS = "yes" ] + then + scripts/build-sshkeys + fi + +adds the common RSA public key of the UML instances to your ~/.ssh/known_hosts +directory so that you can log onto the UML instances using ssh without typing +in a password. The "scripts/build-sshkeys" script should only be run once. + + if [ $ENABLE_BUILD_UMLHOSTFS = "yes" ] + then + scripts/build-umlhostfs <hosts> + fi + +creates the customized UML file systems for the instances given as command line +arguments by adding the default host configurations to the UML root file system. +If the "make-starting" scripts is called without any arguments then by default +the UML file systems are created for the hosts alice, venus, moon, carol, +winnetou, dave, sun, and bob. Each UML root file system has as size defined by +the ROOTFSSIZE in testing.conf which by default is 544 MBytes. Thus all 8 UML +hosts plus the master copy will require a total of 5 GBytes of disk space. + + if [ $ENABLE_START_TESTING = "yes" ] + then + ./start-testing <hosts> + fi + +starts the automated testing. More details on the tests you'll find in the +README document. + +----------------------------------------------------------------------------- + +This file is RCSID $Id: INSTALL,v 1.39 2006/04/24 16:58:03 as Exp $ + diff --git a/testing/README b/testing/README new file mode 100644 index 000000000..e1930a6e3 --- /dev/null +++ b/testing/README @@ -0,0 +1,160 @@ + + ------------------------------------ + strongSwan UML - Running the Tests + ------------------------------------ + + +Contents +-------- + + 1. Starting up the UML testing environment + 2. Running the automated tests + 3. Manual testing + + +1. Starting up the UML testing environment + --------------------------------------- + +When the strongSwan UML testing environment has been put into place by +running the "make-testing" script then you are ready to start up the +UML instances by calling + + ./start-testing <hosts> + +This main script first calls the subscript + + scripts/start-switches + +that starts the three UML switches umlswitch0, umlswitch1, and umlswitch2 +which are connecting the UML instances among each other and via tun/tap +devices also make them accessible from the host system. + +Then depending on the setting of the UMLSTARTMODE variable defined +in "testing.conf", the UML instances given on the command line are started +up with different terminals: + +If you are running the KDE graphical environment then by setting + + UMLSTARTMODE=konsole + +the script + + scripts/kstart-umls <hosts> + +is called which starts up each of the UML instances defined by <hosts> in +a KDE konsole. If + + UMLSTARTMODE=xterm + +is set then + + scripts/xstart-umls <hosts> + +starts up the UML instances in an xterm each. And with the choice + + UMLSTARTMODE=screen + +the instances are started up by + + scripts/start-umls <hosts> + +in the background but the Linux command "screen -r <host>" can be used to +connect a terminal to the UML instance <host> if desired. + + + if [ $ENABLE_DO_TESTS = "yes" ] + then + do-tests + fi + +either executes all the tests defined in the "testing/tests" directory +if the variable SELECTEDTESTSONLY in "testing.conf" is set to "no" or the +selected tests defined by the string in SELELECTEDTESTS if SELECTEDTESTSONLY +is set to "yes". + + if [ $ENABLE_STOP_TESTING = "yes" ] + then + stop-testing <hosts> + fi + +stops the both the UML switches and the UML instances designated by the +<hosts> argument. + + +2. Running the automated tests + --------------------------- + +The script + + ./do-tests <testnames> + +runs the automated tests. With an empty <testnames> argument the tests +as defined in "testing.conf" are executed, otherwise the tests enumerated +by the <testnames> argument will be run as shown in the example below. + + ./do-tests net2net-psk net2net-cert + +Each test is divided into the following phases: + + * scripts/load-testconfig <testname> + loads the UML hosts with test specific settings if such are provided. + + * next the "pretest.dat" script found in each test directory is executed. + Among other commands, strongSwan is started on the IPsec hosts. + + * the "evaltest.dat" script evaluates if the test has been successful. + + * the "posttest.dat" script terminates the test e.g. by stopping + strongSwan on the IPsec hosts. + + * scripts/restore-defaults <testname> + restores the default settings on the UML hosts. + +The test results and configuration settings for all tests settings are stored +in a folder labeled with the current date in the directory + + ~/strongswan-testing/testresults + +the same results are also automatically transferred to the Apache server +running on UML instance "winnetou" and can be accessed via the URL + + http://192.168.0.150/testresults/ + + +3. Manual testing + -------------- + +The greates flexibility can be achieved with manual testing. Just set + + ENABLE_DO_TESTS="no" + ENABLE_STOP_TESTING="no" + +in "testing.conf" and start the UML instances that you want to experiment with +by calling + + ./start-testing <hosts> + +If you want to preload a test scenario with configurations differing from +the default values, e.g. when using Preshared Keys then you can do this +with the command + + scripts/load-testconfig net2net-psk + +You can then log onto any UML instance using its konsole, xterm or screen +terminal as root with the default password + + tuxmux + +You can then execute any commands the UML instances, including changing +and recompiling the strongSwan source code located in the /root directory. + +After you have finished testing, the default configuration settings can +restored with the command + + scripts/restore-defaults net2net-psk + + +----------------------------------------------------------------------------- + +This file is RCSID $Id: README,v 1.2 2004/12/20 16:26:39 as Exp $ + diff --git a/testing/do-tests b/testing/do-tests new file mode 100755 index 000000000..ceddd72d8 --- /dev/null +++ b/testing/do-tests @@ -0,0 +1,458 @@ +#!/bin/bash +# Automatically execute the strongSwan test cases +# +# Copyright (C) 2004 Eric Marchionni, Patrik Rayo +# Zuercher Hochschule Winterthur +# +# This program is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 2 of the License, or (at your +# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +# for more details. +# +# RCSID $Id: do-tests,v 1.20 2006/02/08 21:27:59 as Exp $ + +DIR=`dirname $0` + +source $DIR/scripts/function.sh + +[ -f $DIR/testing.conf ] || die "Configuration file 'testing.conf' not found" +[ -d $DIR/hosts ] || die "Directory 'hosts' not found" +[ -d $DIR/tests ] || die "Directory 'tests' not found" + +source $DIR/testing.conf + + +############################################################################## +# test if UMLs have been built at all +# + +[ -d $BUILDDIR ] || die "Directory '$BUILDDIR' does not exist. Please run 'make-testing'first." + + +############################################################################## +# take care of new path and file variables +# + +[ -d $TESTRESULTSDIR ] || mkdir $TESTRESULTSDIR + +TESTDATE=`date +%Y%m%d-%H%M` + +TODAYDIR=$TESTRESULTSDIR/$TESTDATE +mkdir $TODAYDIR +TESTRESULTSHTML=$TODAYDIR/index.html +DEFAULTTESTSDIR=$UMLTESTDIR/testing/tests + +testnumber="0" +failed_cnt="0" +passed_cnt="0" + + +############################################################################## +# copy default tests to $BUILDDIR +# + +TESTSDIR=$BUILDDIR/tests +[ -d $TESTSDIR ] || mkdir $TESTSDIR +rm -rf $TESTSDIR/* +cp -rfp $DEFAULTTESTSDIR/* $TESTSDIR + + +############################################################################## +# assign IP for each host to hostname +# + +for host in $STRONGSWANHOSTS +do + eval ip_${host}="`echo $HOSTNAMEIPS | sed -n -e "s/^.*${host}://gp" | awk -F : '{ print $1 }' | awk '{ print $1 }'`" + case $host in + moon) + eval ip1_${host}="`echo $HOSTNAMEIPS | sed -n -e "s/^.*${host}://gp" | awk -F : '{ print $2 }' | awk '{ print $1 }'`" + searchandreplace PH_IP_MOON $ip_moon $TESTSDIR + searchandreplace PH_IP1_MOON $ip1_moon $TESTSDIR + ;; + sun) + eval ip1_${host}="`echo $HOSTNAMEIPS | sed -n -e "s/^.*${host}://gp" | awk -F : '{ print $2 }' | awk '{ print $1 }'`" + searchandreplace PH_IP_SUN $ip_sun $TESTSDIR + searchandreplace PH_IP1_SUN $ip1_sun $TESTSDIR + ;; + alice) + searchandreplace PH_IP_ALICE $ip_alice $TESTSDIR + ;; + venus) + searchandreplace PH_IP_VENUS $ip_venus $TESTSDIR + ;; + bob) + searchandreplace PH_IP_BOB $ip_bob $TESTSDIR + ;; + carol) + eval ip1_${host}="`echo $HOSTNAMEIPS | sed -n -e "s/^.*${host}://gp" | awk -F : '{ print $2 }' | awk '{ print $1 }'`" + searchandreplace PH_IP_CAROL $ip_carol $TESTSDIR + searchandreplace PH_IP1_CAROL $ip1_carol $TESTSDIR + ;; + dave) + eval ip1_${host}="`echo $HOSTNAMEIPS | sed -n -e "s/^.*${host}://gp" | awk -F : '{ print $2 }' | awk '{ print $1 }'`" + searchandreplace PH_IP_DAVE $ip_dave $TESTSDIR + searchandreplace PH_IP1_DAVE $ip1_dave $TESTSDIR + ;; + winnetou) + searchandreplace PH_IP_WINNETOU $ip_winnetou $TESTSDIR + ;; + esac +done + + +############################################################################## +# create header for the results html file +# + +KERNEL_VERSION=`basename $KERNEL .tar.bz2` +IPSEC_VERSION=`basename $STRONGSWAN .tar.bz2` + +cat > $TESTRESULTSHTML <<@EOF +<html> +<head> + <title>strongSwan UML Testing</title> +</head> +<body> + <h2>strongSwan UML Testing</h2> + <table border="0" cellspacing="2"> + <tr><td><b>Host:</b></td><td>`uname -a`</td></tr> + <tr><td><b>UML kernel: </b></td><td>$KERNEL_VERSION</td></tr> + <tr><td><b>IPsec:</b></td><td>$IPSEC_VERSION</td></tr> + <tr><td><b>Date:</b></td><td>$TESTDATE</td></tr> + </table> + <p> + <table border="0" width="500"> + <thead align="left"><th>Number</th><th>Test</th><th>Result</th></thead> +@EOF + +cecho "UML kernel: $KERNEL_VERSION" +cecho "IPsec: $IPSEC_VERSION" +cecho "Date: $TESTDATE" +cecho "" + + +############################################################################## +# enter specific test directory +# + +if [ $# -gt 0 ] +then + TESTS=$* +elif [ $SELECTEDTESTSONLY = "yes" ] +then + # set internal field seperator + TESTS=$SELECTEDTESTS +else + # set internal field seperator + TESTS="`ls $TESTSDIR`" +fi + +for testname in $TESTS +do + let "testnumber += 1" + cecho-n " $testnumber $testname.." + + if [ ! -d $TESTSDIR/${testname} ] + then + cecho "is missing..skipped" + continue + fi + + [ -f $TESTSDIR/${testname}/description.txt ] || die "!! File 'description.txt' is missing" + [ -f $TESTSDIR/${testname}/test.conf ] || die "!! File 'test.conf' is missing" + [ -f $TESTSDIR/${testname}/pretest.dat ] || die "!! File 'pretest.dat' is missing" + [ -f $TESTSDIR/${testname}/posttest.dat ] || die "!! File 'posttest.dat' is missing" + [ -f $TESTSDIR/${testname}/evaltest.dat ] || die "!! File 'evaltest.dat' is missing" + + TESTRESULTDIR=$TODAYDIR/$testname + mkdir $TESTRESULTDIR + CONSOLE_LOG=$TESTRESULTDIR/console.log + touch $CONSOLE_LOG + + + ########################################################################## + # copy test specific configurations to uml hosts and clear auth.log files + # + + $DIR/scripts/load-testconfig $testname + source $TESTSDIR/$testname/test.conf + + + ########################################################################## + # run tcpdump in the background + # + + if [ "$TCPDUMPHOSTS" != "" ] + then + echo -e "TCPDUMP\n" >> $CONSOLE_LOG 2>&1 + + for host_iface in $TCPDUMPHOSTS + do + host=`echo $host_iface | awk -F ":" '{print $1}'` + iface=`echo $host_iface | awk -F ":" '{if ($2 != "") { print $2 } else { printf("eth0") }}'` + tcpdump_cmd="tcpdump -i $iface not port ssh and not port domain and not arp > /tmp/tcpdump.log 2>&1 &" + echo "${host}# $tcpdump_cmd" >> $CONSOLE_LOG + ssh root@`eval echo \\\$ip_$host '$tcpdump_cmd'` + eval TDUP_${host}="true" + done + fi + + ########################################################################## + # execute pre-test commands + # + + cecho-n "pre.." + echo -e "\nPRE-TEST\n" >> $CONSOLE_LOG 2>&1 + + eval `awk -F "::" '{ + if ($2 != "") + { + printf("echo \"%s# %s\"; ", $1, $2) + printf("ssh root@\044ip_%s \"%s\"; ", $1, $2) + printf("echo;\n") + } + }' $TESTSDIR/${testname}/pretest.dat` >> $CONSOLE_LOG 2>&1 + + + ########################################################################## + # stop tcpdump + # + + function stop_tcpdump { + echo "${1}# killall tcpdump" >> $CONSOLE_LOG + eval ssh root@\$ip_${1} killall tcpdump + eval TDUP_${1}="false" + echo "" + } + + + ########################################################################## + # get and evaluate test results + # + + cecho-n "test.." + echo -e "\nTEST\n" >> $CONSOLE_LOG 2>&1 + + STATUS="passed" + + eval `awk -F "::" '{ + host=$1 + command=$2 + pattern=$3 + hit=$4 + if (command != "") + { + if (command == "tcpdump") + { + printf("if [ \044TDUP_%s == \"true\" ]; then stop_tcpdump %s; fi; \n", host, host) + printf("echo \"%s# cat /tmp/tcpdump.log | grep \047%s\047 [%s]\"; ", host, pattern, hit) + printf("ssh root@\044ip_%s cat /tmp/tcpdump.log | grep \"%s\"; ", host, pattern) + } + else + { + printf("echo \"%s# %s | grep \047%s\047 [%s]\"; ", host, command, pattern, hit) + printf("ssh root@\044ip_%s %s | grep \"%s\"; ", host, command, pattern) + } + printf("cmd_exit=\044?; ") + printf("echo; ") + printf("if [ \044cmd_exit -eq 0 -a \"%s\" = \"NO\" ] ", hit) + printf("|| [ \044cmd_exit -ne 0 -a \"%s\" = \"YES\" ] ", hit) + printf("; then STATUS=\"failed\"; fi; \n") + + } + }' $TESTSDIR/${testname}/evaltest.dat` >> $CONSOLE_LOG 2>&1 + + + ########################################################################## + # set counters + # + + if [ $STATUS = "failed" ] + then + let "failed_cnt += 1" + else + let "passed_cnt += 1" + fi + + + ########################################################################## + # log statusall and listall output + # get copies of ipsec.conf, ipsec.secrets + # create index.html for the given test case + + cat > $TESTRESULTDIR/index.html <<@EOF +<html> +<head> + <title>Test $testname</title> +</head> +<body> +<table border="0" width="600"> + <tr><td> + <h2>Test $testname</h2> + <h3>Description</h3> +@EOF + + cat $TESTSDIR/${testname}/description.txt >> $TESTRESULTDIR/index.html + + cat >> $TESTRESULTDIR/index.html <<@EOF + <ul> + <li><a href="console.log">console.log</a></li> + </ul> + <img src="../images/$DIAGRAM" alt="$UMLHOSTS"> +@EOF + + + for host in $IPSECHOSTS + do + eval HOSTLOGIN=root@\$ip_${host} + + for command in statusall listall + do + ssh $HOSTLOGIN ipsec $command \ + > $TESTRESULTDIR/${host}.$command 2>/dev/null + done + + for file in ipsec.conf ipsec.secrets + do + scp $HOSTLOGIN:/etc/$file \ + $TESTRESULTDIR/${host}.$file > /dev/null 2>&1 + done + + cat >> $TESTRESULTDIR/index.html <<@EOF + <h3>$host</h3> + <ul> + <li><a href="$host.ipsec.conf">ipsec.conf</a></li> + <li><a href="$host.ipsec.secrets">ipsec.secrets</a></li> + <li><a href="$host.statusall">ipsec statusall</a></li> + <li><a href="$host.listall">ipsec listall</a></li> + <li><a href="$host.auth.log">auth.log</a></li> + </ul> +@EOF + + done + + cat >> $TESTRESULTDIR/index.html <<@EOF + </td></tr> + <tr><td align="right"> + <b><a href="../index.html">Back</a></b> + </td></tr> +</table> +</body> +</html> +@EOF + + + ########################################################################## + # execute post-test commands + # + + cecho-n "post.." + echo -e "\nPOST-TEST\n" >> $CONSOLE_LOG 2>&1 + + eval `awk -F "::" '{ + if ($2 != "") + { + printf("echo \"%s# %s\"; ", $1, $2) + printf("ssh root@\044ip_%s \"%s\"; ", $1, $2) + printf("echo;\n") + } + }' $TESTSDIR/${testname}/posttest.dat` >> $CONSOLE_LOG 2>&1 + + + ########################################################################## + # get a copy of /var/log/auth.log + # + + for host in $IPSECHOSTS + do + eval HOSTLOGIN=root@\$ip_${host} + ssh $HOSTLOGIN grep pluto /var/log/auth.log \ + > $TESTRESULTDIR/${host}.auth.log + done + + + ########################################################################## + # stop tcpdump if necessary + # + + for host in $TCPDUMPHOSTS + do + if [ "`eval echo \\\$TDUP_${host}`" = "true" ] + then + echo "${host}# killall tcpdump" >> $CONSOLE_LOG + eval ssh root@\$ip_$host killall tcpdump + eval TDUP_${host}="false" + fi + done + + + ########################################################################## + # copy default host config back if necessary + # + + $DIR/scripts/restore-defaults $testname + + + ########################################################################## + # write test status to html file + # + + cecho "$STATUS" + if [ $STATUS = "passed" ] + then + COLOR="green" + else + COLOR="red" + fi + + cat >> $TESTRESULTSHTML << @EOF + <tr> + <td>$testnumber</td> + <td><a href="$testname/">$testname</a></td> + <td><a href="$testname/console.log"><font color="$COLOR">$STATUS</font></a></td> + </tr> +@EOF + +done + + +############################################################################## +# finish the results html file +# + +cat >> $TESTRESULTSHTML << @EOF + </table> + <p> + <b>Passed: $passed_cnt</b><br> + <b>Failed: $failed_cnt</b><br> + <p> +</body> +</html> +@EOF + +cecho "" +cecho "Passed: $passed_cnt" +cecho "Failed: $failed_cnt" +cecho "" + + +############################################################################## +# copy the test results to the apache server +# + +HTDOCS="/var/www/localhost/htdocs" + +cecho-n "Copying test results to winnetou.." +ssh root@${ip_winnetou} mkdir -p $HTDOCS/testresults > /dev/null 2>&1 +scp -r $TODAYDIR root@${ip_winnetou}:$HTDOCS/testresults > /dev/null 2>&1 +ssh root@${ip_winnetou} ln -s $HTDOCS/images $HTDOCS/testresults/$TESTDATE/images > /dev/null 2>&1 +cecho "done" +cecho "" +cecho "The results are available in $TODAYDIR" +cecho "or via the link http://$ip_winnetou/testresults/$TESTDATE" diff --git a/testing/hosts/alice/etc/conf.d/hostname b/testing/hosts/alice/etc/conf.d/hostname new file mode 100644 index 000000000..2012e0451 --- /dev/null +++ b/testing/hosts/alice/etc/conf.d/hostname @@ -0,0 +1 @@ +HOSTNAME=alice diff --git a/testing/hosts/alice/etc/conf.d/net b/testing/hosts/alice/etc/conf.d/net new file mode 100644 index 000000000..3070a46b1 --- /dev/null +++ b/testing/hosts/alice/etc/conf.d/net @@ -0,0 +1,11 @@ +# /etc/conf.d/net: + +# This is basically the ifconfig argument without the ifconfig $iface +# +iface_lo="127.0.0.1 netmask 255.0.0.0" +iface_eth0="PH_IP_ALICE broadcast 10.1.255.255 netmask 255.255.0.0" + +# For setting the default gateway +# +gateway="eth0/PH_IP1_MOON" + diff --git a/testing/hosts/alice/etc/init.d/iptables b/testing/hosts/alice/etc/init.d/iptables new file mode 100755 index 000000000..1097ac5a4 --- /dev/null +++ b/testing/hosts/alice/etc/init.d/iptables @@ -0,0 +1,74 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +opts="start stop reload" + +depend() { + before net + need logger +} + +start() { + ebegin "Starting firewall" + + # default policy is DROP + /sbin/iptables -P INPUT DROP + /sbin/iptables -P OUTPUT DROP + /sbin/iptables -P FORWARD DROP + + # allow IKE + iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT + iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + + # allow NAT-T + iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT + iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + + + # allow crl fetch from winnetou + iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT + iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + + # allow ssh + iptables -A INPUT -p tcp --dport 22 -j ACCEPT + iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT + + eend $? +} + +stop() { + ebegin "Stopping firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + + if [ $a == nat ]; then + /sbin/iptables -t nat -P PREROUTING ACCEPT + /sbin/iptables -t nat -P POSTROUTING ACCEPT + /sbin/iptables -t nat -P OUTPUT ACCEPT + elif [ $a == mangle ]; then + /sbin/iptables -t mangle -P PREROUTING ACCEPT + /sbin/iptables -t mangle -P INPUT ACCEPT + /sbin/iptables -t mangle -P FORWARD ACCEPT + /sbin/iptables -t mangle -P OUTPUT ACCEPT + /sbin/iptables -t mangle -P POSTROUTING ACCEPT + elif [ $a == filter ]; then + /sbin/iptables -t filter -P INPUT ACCEPT + /sbin/iptables -t filter -P FORWARD ACCEPT + /sbin/iptables -t filter -P OUTPUT ACCEPT + fi + done + eend $? +} + +reload() { + ebegin "Flushing firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + done; + eend $? + start +} + diff --git a/testing/hosts/alice/etc/init.d/net.eth0 b/testing/hosts/alice/etc/init.d/net.eth0 new file mode 100755 index 000000000..fa1200242 --- /dev/null +++ b/testing/hosts/alice/etc/init.d/net.eth0 @@ -0,0 +1,314 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Technologies, Inc. +# Distributed under the terms of the GNU General Public License v2 + +#NB: Config is in /etc/conf.d/net + +if [[ -n $NET_DEBUG ]]; then + set -x + devnull=/dev/stderr +else + devnull=/dev/null +fi + +# For pcmcia users. note that pcmcia must be added to the same +# runlevel as the net.* script that needs it. +depend() { + use hotplug pcmcia +} + +checkconfig() { + if [[ -z "${ifconfig_IFACE}" ]]; then + eerror "Please make sure that /etc/conf.d/net has \$ifconfig_$IFACE set" + eerror "(or \$iface_$IFACE for old-style configuration)" + return 1 + fi + if [[ -n "${vlans_IFACE}" && ! -x /sbin/vconfig ]]; then + eerror "For VLAN (802.1q) support, emerge net-misc/vconfig" + return 1 + fi +} + +# Fix bug 50039 (init.d/net.eth0 localization) +# Some other commands in this script might need to be wrapped, but +# we'll get them one-by-one. Note that LC_ALL trumps LC_anything_else +# according to locale(7) +ifconfig() { + LC_ALL=C /sbin/ifconfig "$@" +} + +# setup_vars: setup variables based on $1 and content of /etc/conf.d/net +# The following variables are set, which should be declared local by +# the calling routine. +# status_IFACE (up or '') +# vlans_IFACE (space-separated list) +# ifconfig_IFACE (array of ifconfig lines, replaces iface_IFACE) +# dhcpcd_IFACE (command-line args for dhcpcd) +# routes_IFACE (array of route lines) +# inet6_IFACE (array of inet6 lines) +# ifconfig_fallback_IFACE (fallback ifconfig if dhcp fails) +setup_vars() { + local i iface="${1//\./_}" + + status_IFACE="$(ifconfig ${1} 2>${devnull} | gawk '$1 == "UP" {print "up"}')" + eval vlans_IFACE=\"\$\{iface_${iface}_vlans\}\" + eval ifconfig_IFACE=( \"\$\{ifconfig_$iface\[@\]\}\" ) + eval dhcpcd_IFACE=\"\$\{dhcpcd_$iface\}\" + eval routes_IFACE=( \"\$\{routes_$iface\[@\]\}\" ) + eval inet6_IFACE=( \"\$\{inet6_$iface\[@\]\}\" ) + eval ifconfig_fallback_IFACE=( \"\$\{ifconfig_fallback_$iface\[@\]\}\" ) + + # BACKWARD COMPATIBILITY: populate the ifconfig_IFACE array + # if iface_IFACE is set (fex. iface_eth0 instead of ifconfig_eth0) + eval local iface_IFACE=\"\$\{iface_$iface\}\" + if [[ -n ${iface_IFACE} && -z ${ifconfig_IFACE} ]]; then + # Make sure these get evaluated as arrays + local -a aliases broadcasts netmasks + + # Start with the primary interface + ifconfig_IFACE=( "${iface_IFACE}" ) + + # ..then add aliases + eval aliases=( \$\{alias_$iface\} ) + eval broadcasts=( \$\{broadcast_$iface\} ) + eval netmasks=( \$\{netmask_$iface\} ) + for ((i = 0; i < ${#aliases[@]}; i = i + 1)); do + ifconfig_IFACE[i+1]="${aliases[i]} ${broadcasts[i]:+broadcast ${broadcasts[i]}} ${netmasks[i]:+netmask ${netmasks[i]}}" + done + fi + + # BACKWARD COMPATIBILITY: check for space-separated inet6 addresses + if [[ ${#inet6_IFACE[@]} == 1 && ${inet6_IFACE} == *' '* ]]; then + inet6_IFACE=( ${inet6_IFACE} ) + fi +} + +iface_start() { + local IFACE=${1} i x retval + checkconfig || return 1 + + if [[ ${ifconfig_IFACE} != dhcp ]]; then + # Show the address, but catch if this interface will be inet6 only + i=${ifconfig_IFACE%% *} + if [[ ${i} == *.*.*.* ]]; then + ebegin "Bringing ${IFACE} up (${i})" + else + ebegin "Bringing ${IFACE} up" + fi + # ifconfig does not always return failure .. + ifconfig ${IFACE} ${ifconfig_IFACE} >${devnull} && \ + ifconfig ${IFACE} up &>${devnull} + eend $? || return $? + else + # Check that eth0 was not brought up by the kernel ... + if [[ ${status_IFACE} == up ]]; then + einfo "Keeping kernel configuration for ${IFACE}" + else + ebegin "Bringing ${IFACE} up via DHCP" + /sbin/dhcpcd ${dhcpcd_IFACE} ${IFACE} + retval=$? + eend $retval + if [[ $retval == 0 ]]; then + # DHCP succeeded, show address retrieved + i=$(ifconfig ${IFACE} | grep -m1 -o 'inet addr:[^ ]*' | + cut -d: -f2) + [[ -n ${i} ]] && einfo " ${IFACE} received address ${i}" + elif [[ -n "${ifconfig_fallback_IFACE}" ]]; then + # DHCP failed, try fallback. + # Show the address, but catch if this interface will be inet6 only + i=${ifconfig_fallback_IFACE%% *} + if [[ ${i} == *.*.*.* ]]; then + ebegin "Using fallback configuration (${i}) for ${IFACE}" + else + ebegin "Using fallback configuration for ${IFACE}" + fi + ifconfig ${IFACE} ${ifconfig_fallback_IFACE} >${devnull} && \ + ifconfig ${IFACE} up &>${devnull} + eend $? || return $? + else + return $retval + fi + fi + fi + + if [[ ${#ifconfig_IFACE[@]} -gt 1 ]]; then + einfo " Adding aliases" + for ((i = 1; i < ${#ifconfig_IFACE[@]}; i = i + 1)); do + ebegin " ${IFACE}:${i} (${ifconfig_IFACE[i]%% *})" + ifconfig ${IFACE}:${i} ${ifconfig_IFACE[i]} + eend $? + done + fi + + if [[ -n ${inet6_IFACE} ]]; then + einfo " Adding inet6 addresses" + for ((i = 0; i < ${#inet6_IFACE[@]}; i = i + 1)); do + ebegin " ${IFACE} inet6 add ${inet6_IFACE[i]}" + ifconfig ${IFACE} inet6 add ${inet6_IFACE[i]} >${devnull} + eend $? + done + fi + + # Set static routes + if [[ -n ${routes_IFACE} ]]; then + einfo " Adding routes" + for ((i = 0; i < ${#routes_IFACE[@]}; i = i + 1)); do + ebegin " ${routes_IFACE[i]}" + /sbin/route add ${routes_IFACE[i]} + eend $? + done + fi + + # Set default route if applicable to this interface + if [[ ${gateway} == ${IFACE}/* ]]; then + local ogw=$(/bin/netstat -rn | awk '$1 == "0.0.0.0" {print $2}') + local gw=${gateway#*/} + if [[ ${ogw} != ${gw} ]]; then + ebegin " Setting default gateway ($gw)" + + # First delete any existing route if it was setup by kernel... + /sbin/route del default dev ${IFACE} &>${devnull} + + # Second delete old gateway if it was set... + /sbin/route del default gw ${ogw} &>${devnull} + + # Third add our new default gateway + /sbin/route add default gw ${gw} >${devnull} + eend $? || { + true # need to have some command in here + # Note: This originally called stop, which is obviously + # wrong since it's calling with a local version of IFACE. + # The below code works correctly to abort configuration of + # the interface, but is commented because we're assuming + # that default route failure should not cause the interface + # to be unconfigured. + #local error=$? + #ewarn "Aborting configuration of ${IFACE}" + #iface_stop ${IFACE} + #return ${error} + } + fi + fi + + # Enabling rp_filter causes wacky packets to be auto-dropped by + # the kernel. Note that we only do this if it is not set via + # /etc/sysctl.conf ... + if [[ -e /proc/sys/net/ipv4/conf/${IFACE}/rp_filter && \ + -z "$(grep -s '^[^#]*rp_filter' /etc/sysctl.conf)" ]]; then + echo -n 1 > /proc/sys/net/ipv4/conf/${IFACE}/rp_filter + fi +} + +# iface_stop: bring down an interface. Don't trust information in +# /etc/conf.d/net since the configuration might have changed since +# iface_start ran. Instead query for current configuration and bring +# down the interface. +iface_stop() { + local IFACE=${1} i x aliases inet6 count + + # Try to do a simple down (no aliases, no inet6, no dhcp) + aliases="$(ifconfig | grep -o "^$IFACE:[0-9]*" | tac)" + inet6="$(ifconfig ${IFACE} | awk '$1 == "inet6" {print $2}')" + if [[ -z ${aliases} && -z ${inet6} && ! -e /var/run/dhcpcd-${IFACE}.pid ]]; then + ebegin "Bringing ${IFACE} down" + ifconfig ${IFACE} down &>/dev/null + eend 0 + return 0 + fi + + einfo "Bringing ${IFACE} down" + + # Stop aliases before primary interface. + # Note this must be done in reverse order, since ifconfig eth0:1 + # will remove eth0:2, etc. It might be sufficient to simply remove + # the base interface but we're being safe here. + for i in ${aliases} ${IFACE}; do + + # Delete all the inet6 addresses for this interface + inet6="$(ifconfig ${i} | awk '$1 == "inet6" {print $3}')" + if [[ -n ${inet6} ]]; then + einfo " Removing inet6 addresses" + for x in ${inet6}; do + ebegin " ${IFACE} inet6 del ${x}" + ifconfig ${i} inet6 del ${x} + eend $? + done + fi + + # Stop DHCP (should be N/A for aliases) + # Don't trust current configuration... investigate ourselves + if /sbin/dhcpcd -z ${i} &>${devnull}; then + ebegin " Releasing DHCP lease for ${IFACE}" + for ((count = 0; count < 9; count = count + 1)); do + /sbin/dhcpcd -z ${i} &>${devnull} || break + sleep 1 + done + [[ ${count} -lt 9 ]] + eend $? "Timed out" + fi + ebegin " Stopping ${i}" + ifconfig ${i} down &>${devnull} + eend 0 + done + + return 0 +} + +start() { + # These variables are set by setup_vars + local status_IFACE vlans_IFACE dhcpcd_IFACE + local -a ifconfig_IFACE routes_IFACE inet6_IFACE + + # Call user-defined preup function if it exists + if [[ $(type -t preup) == function ]]; then + einfo "Running preup function" + preup ${IFACE} || { + eerror "preup ${IFACE} failed" + return 1 + } + fi + + # Start the primary interface and aliases + setup_vars ${IFACE} + iface_start ${IFACE} || return 1 + + # Start vlans + local vlan + for vlan in ${vlans_IFACE}; do + /sbin/vconfig add ${IFACE} ${vlan} >${devnull} + setup_vars ${IFACE}.${vlan} + iface_start ${IFACE}.${vlan} + done + + # Call user-defined postup function if it exists + if [[ $(type -t postup) == function ]]; then + einfo "Running postup function" + postup ${IFACE} + fi +} + +stop() { + # Call user-defined predown function if it exists + if [[ $(type -t predown) == function ]]; then + einfo "Running predown function" + predown ${IFACE} + fi + + # Don't depend on setup_vars since configuration might have changed. + # Investigate current configuration instead. + local vlan + for vlan in $(ifconfig | grep -o "^${IFACE}\.[^ ]*"); do + iface_stop ${vlan} + /sbin/vconfig rem ${vlan} >${devnull} + done + + iface_stop ${IFACE} || return 1 # always succeeds, btw + + # Call user-defined postdown function if it exists + if [[ $(type -t postdown) == function ]]; then + einfo "Running postdown function" + postdown ${IFACE} + fi +} + +# vim:ts=4 diff --git a/testing/hosts/alice/etc/ipsec.conf b/testing/hosts/alice/etc/ipsec.conf new file mode 100755 index 000000000..d6cdbba7b --- /dev/null +++ b/testing/hosts/alice/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + nat_traversal=yes + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn nat-t + left=%defaultroute + leftcert=aliceCert.pem + leftid=alice@strongswan.org + leftfirewall=yes + right=PH_IP_SUN + rightid=@sun.strongswan.org + rightsubnet=10.2.0.0/16 + auto=add diff --git a/testing/hosts/alice/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/hosts/alice/etc/ipsec.d/cacerts/strongswanCert.pem new file mode 100644 index 000000000..0de3b268d --- /dev/null +++ b/testing/hosts/alice/etc/ipsec.d/cacerts/strongswanCert.pem @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDtTCCAp2gAwIBAgIBADANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA0MDkxMDExMDE0NVoXDTE0MDkwODExMDE0NVowRTELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9u +Z1N3YW4gUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL/y +X2LqPVZuWLPIeknK86xhz6ljd3NNhC2z+P1uoCP3sBMuZiZQEjFzhnKcbXxCeo2f +FnvhOOjrrisSuVkzuu82oxXD3fIkzuS7m9V4E10EZzgmKWIf+WuNRfbgAuUINmLc +4YGAXBQLPyzpP4Ou48hhz/YQo58Bics6PHy5v34qCVROIXDvqhj91P8g+pS+F21/ +7P+CH2jRcVIEHZtG8M/PweTPQ95dPzpYd2Ov6SZ/U7EWmbMmT8VcUYn1aChxFmy5 +gweVBWlkH6MP+1DeE0/tL5c87xo5KCeGK8Tdqpe7sBRC4pPEEHDQciTUvkeuJ1Pr +K+1LwdqRxo7HgMRiDw8CAwEAAaOBrzCBrDAPBgNVHRMBAf8EBTADAQH/MAsGA1Ud +DwQEAwIBBjAdBgNVHQ4EFgQUXafdcAZRMn7ntm2zteXgYOouTe8wbQYDVR0jBGYw +ZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYD +VQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3Qg +Q0GCAQAwDQYJKoZIhvcNAQEEBQADggEBAJrXTj5gWS37myHHhii9drYwkMFyDHS/ +lHU8rW/drcnHdus507+qUhNr9SiEAHg4Ywj895UDvT0a1sFaw44QyEa/94iKA8/n ++g5kS1IrKvWu3wu8UI3EgzChgHV3cncQlQWbK+FI9Y3Ax1O1np1r+wLptoWpKKKE +UxsYcxP9K4Nbyeon0AIHOajUheiL3t6aRc3m0o7VU7Do6S2r+He+1Zq/nRUfFeTy +0Atebkn8tmUpPSKWaXkmwpVNrjZ1Qu9umAU+dtJyhzL2zmnyhPC4VqpsKCOp7imy +gKZvUIKPm1zyf4T+yjwxwkiX2xVseoM3aKswb1EoZFelHwndU7u0GQ8= +-----END CERTIFICATE----- diff --git a/testing/hosts/alice/etc/ipsec.d/certs/aliceCert.pem b/testing/hosts/alice/etc/ipsec.d/certs/aliceCert.pem new file mode 100644 index 000000000..e99ae8ec7 --- /dev/null +++ b/testing/hosts/alice/etc/ipsec.d/certs/aliceCert.pem @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEHzCCAwegAwIBAgIBBTANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA0MDkxMDExMjQzOVoXDTA5MDkwOTExMjQzOVowVzELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsTBVNhbGVz +MR0wGwYDVQQDFBRhbGljZUBzdHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcNAQEB +BQADggEPADCCAQoCggEBAK7FyvkE18/oujCaTd8GXBNOH+Cvoy0ibJ8j2sNsBrer +GS1lgxRs8zaVfK9fosadu0UZeWIHsOKkew5469sPvkKK2SGGH+pu+x+xO/vuaEG4 +FlkAu8iGFWLQycLt6BJfcqw7FT8rwNuD18XXBXmP7hRavi/TEElbVYHbO7lm8T5W +6hTr/sYddiSB7X9/ba7JBy6lxmBcUAx5bjiiHLaW/llefkqyhc6dw5nvPZ2DchvH +v/HWvLF9bsvxbBkHU0/z/CEsRuMBI7EPEL4rx3UqmuCUAqiMJTS3IrDaIlfJOLWc +KlbsnE6hHpwmt9oDB9iWBY9WeZUSAtJGFw4b7FCZvQ0CAwEAAaOCAQYwggECMAkG +A1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBRZmh0JtiNTjBsQsfD7ECNa +60iG2jBtBgNVHSMEZjBkgBRdp91wBlEyfue2bbO15eBg6i5N76FJpEcwRTELMAkG +A1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0 +cm9uZ1N3YW4gUm9vdCBDQYIBADAfBgNVHREEGDAWgRRhbGljZUBzdHJvbmdzd2Fu +Lm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3Jn +L3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBBAUAA4IBAQADdQIlJkFtmHEjtuyo +2aIcrsUx98FtvVgB7RpQB8JZlly7UEjvX0CIIvW/7Al5/8h9s1rhrRffX7nXQKAQ +AmPnvD2Pp47obDnHqm/L109S1fcL5BiPN1AlgsseUBwzdqBpyRncPXZoAuBh/BU5 +D/1Dip0hXgB/X6+QymSzRJoSKfpeXVICj1kYH1nIkn0YXthYF3BTrCheCzBlKn0S +CixbCUYsUjtSqld0nG76jyGb/gnWntNettH+RXWe1gm6qREJwfEFdeYviTqx2Uxi +6sBKG/XjNAcMArXb7V6w0YAwCyjwCl49B+mLZaFH+9izzBJ7NyVqhH8ToB1gt0re +JGhV +-----END CERTIFICATE----- diff --git a/testing/hosts/alice/etc/ipsec.d/private/aliceKey.pem b/testing/hosts/alice/etc/ipsec.d/private/aliceKey.pem new file mode 100644 index 000000000..045ef0405 --- /dev/null +++ b/testing/hosts/alice/etc/ipsec.d/private/aliceKey.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEArsXK+QTXz+i6MJpN3wZcE04f4K+jLSJsnyPaw2wGt6sZLWWD +FGzzNpV8r1+ixp27RRl5Ygew4qR7Dnjr2w++QorZIYYf6m77H7E7++5oQbgWWQC7 +yIYVYtDJwu3oEl9yrDsVPyvA24PXxdcFeY/uFFq+L9MQSVtVgds7uWbxPlbqFOv+ +xh12JIHtf39trskHLqXGYFxQDHluOKIctpb+WV5+SrKFzp3Dme89nYNyG8e/8da8 +sX1uy/FsGQdTT/P8ISxG4wEjsQ8QvivHdSqa4JQCqIwlNLcisNoiV8k4tZwqVuyc +TqEenCa32gMH2JYFj1Z5lRIC0kYXDhvsUJm9DQIDAQABAoIBAEsjnnARNPeeBu5+ +aJxKD6v9Gpdu66ir9Cc3MwZxmzG7zcdGrWRKswX0nvaHF2Rsy+aZXSZYSCQosv81 +3bEAw7u4FkHjeDVCIZUujatyhEA89N6vAgzkGK2zNgsoXW4IuzRw8mGGXhQCSvIz +z5bD2ofFu560D3x6V/jMWJENQQqbfWuD27OI+bZp92K2DGM6MoSbdNnd886F2oWR +4pQfrwoxmSm7JFFARoe4t6pZPy4G+5jjnrhB3kblxONaV297nvSby9Ctfke7oOkM +A3JpzNzEmrjjb2M8GKkYmbm6P+0ARdYIToD0sFpbRCdjJAKLadwNNnk2kijxPvQh +HNHGy8ECgYEA2uD922oiNaIvBR+rJ/zRsJg7Dth+upGePiieOZdS0S/dZUFEXuK7 +PdLZOcelQP2fIFRdODLEpkkOii292Ej3zixgzu9QYSfCdhcOoeV+RiAC7XEBBMqc +gFI1DdL91KGSmMNZ+B8yocA31pwQQsVFDUpvgqpA8fxsZkRI9oVSiOsCgYEAzGna +At/Kk9AQfiM7fpjBygYUt1ZErHsPJhLPVXmqx7+FuB2+RQvTMBS4sRdG6yC4Kd1y +CNIo83Yzv2IQGyNOCcGr60OPeqzTSQ6AUn7VxMY5EJZ880nfXBud7mj+CbyFi48V +Sh2qziF18aUYm7z4eJCTpLlFjPzHcoU1ORM0U+cCgYEAzCWp4Kp/OdMJVBgThXpz +AekavGAE43LKS2OLIGAZqG6iaryTToTe62zrms6xPYrQjlDhmXcQn5/oZc0AEukL +6ErQCHKBX/y7jXU3+pyYSEO3N0t9DcEEc1M5lKlEgrwohT8/fQNsMB2edxacvApO +u3S/yPmPFaTAXio2e2gicP0CgYEAp3PjM02PDu14RUypdTjAL7YxjErwcPdSXpc0 +H8pOm9mKOlyrPLbGJ3IiJnhyETW5iBovS4iWIXNoStSTaxfN2vI72rt6sz0WzJdD +idD7X3oezzboXwjaIANDqkV6LhGwuLXa898/yCLjErRzZ0kzptiRCnT3w9pjrK3w +/rN7v2sCgYAEwfgrwjb7+JUaSSaf6TlbM9/ZuTRBVN0OTQz2JVhokeAePeFjHzXt +nzJI2ETYlIu6e1VaFzHb6dp84PzWfLV7Kk8hZqJeCQN4RmQ04oNBllWoOZPbN7oa +8pAMk/DCsBxcM/GvnDQJlDVLQRyY64zJU8EI0rF1t+zosIyGtXom/A== +-----END RSA PRIVATE KEY----- diff --git a/testing/hosts/alice/etc/ipsec.secrets b/testing/hosts/alice/etc/ipsec.secrets new file mode 100644 index 000000000..5837fc7d7 --- /dev/null +++ b/testing/hosts/alice/etc/ipsec.secrets @@ -0,0 +1,9 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA aliceKey.pem + + + + + + diff --git a/testing/hosts/alice/etc/runlevels/default/net.eth0 b/testing/hosts/alice/etc/runlevels/default/net.eth0 new file mode 100755 index 000000000..fa1200242 --- /dev/null +++ b/testing/hosts/alice/etc/runlevels/default/net.eth0 @@ -0,0 +1,314 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Technologies, Inc. +# Distributed under the terms of the GNU General Public License v2 + +#NB: Config is in /etc/conf.d/net + +if [[ -n $NET_DEBUG ]]; then + set -x + devnull=/dev/stderr +else + devnull=/dev/null +fi + +# For pcmcia users. note that pcmcia must be added to the same +# runlevel as the net.* script that needs it. +depend() { + use hotplug pcmcia +} + +checkconfig() { + if [[ -z "${ifconfig_IFACE}" ]]; then + eerror "Please make sure that /etc/conf.d/net has \$ifconfig_$IFACE set" + eerror "(or \$iface_$IFACE for old-style configuration)" + return 1 + fi + if [[ -n "${vlans_IFACE}" && ! -x /sbin/vconfig ]]; then + eerror "For VLAN (802.1q) support, emerge net-misc/vconfig" + return 1 + fi +} + +# Fix bug 50039 (init.d/net.eth0 localization) +# Some other commands in this script might need to be wrapped, but +# we'll get them one-by-one. Note that LC_ALL trumps LC_anything_else +# according to locale(7) +ifconfig() { + LC_ALL=C /sbin/ifconfig "$@" +} + +# setup_vars: setup variables based on $1 and content of /etc/conf.d/net +# The following variables are set, which should be declared local by +# the calling routine. +# status_IFACE (up or '') +# vlans_IFACE (space-separated list) +# ifconfig_IFACE (array of ifconfig lines, replaces iface_IFACE) +# dhcpcd_IFACE (command-line args for dhcpcd) +# routes_IFACE (array of route lines) +# inet6_IFACE (array of inet6 lines) +# ifconfig_fallback_IFACE (fallback ifconfig if dhcp fails) +setup_vars() { + local i iface="${1//\./_}" + + status_IFACE="$(ifconfig ${1} 2>${devnull} | gawk '$1 == "UP" {print "up"}')" + eval vlans_IFACE=\"\$\{iface_${iface}_vlans\}\" + eval ifconfig_IFACE=( \"\$\{ifconfig_$iface\[@\]\}\" ) + eval dhcpcd_IFACE=\"\$\{dhcpcd_$iface\}\" + eval routes_IFACE=( \"\$\{routes_$iface\[@\]\}\" ) + eval inet6_IFACE=( \"\$\{inet6_$iface\[@\]\}\" ) + eval ifconfig_fallback_IFACE=( \"\$\{ifconfig_fallback_$iface\[@\]\}\" ) + + # BACKWARD COMPATIBILITY: populate the ifconfig_IFACE array + # if iface_IFACE is set (fex. iface_eth0 instead of ifconfig_eth0) + eval local iface_IFACE=\"\$\{iface_$iface\}\" + if [[ -n ${iface_IFACE} && -z ${ifconfig_IFACE} ]]; then + # Make sure these get evaluated as arrays + local -a aliases broadcasts netmasks + + # Start with the primary interface + ifconfig_IFACE=( "${iface_IFACE}" ) + + # ..then add aliases + eval aliases=( \$\{alias_$iface\} ) + eval broadcasts=( \$\{broadcast_$iface\} ) + eval netmasks=( \$\{netmask_$iface\} ) + for ((i = 0; i < ${#aliases[@]}; i = i + 1)); do + ifconfig_IFACE[i+1]="${aliases[i]} ${broadcasts[i]:+broadcast ${broadcasts[i]}} ${netmasks[i]:+netmask ${netmasks[i]}}" + done + fi + + # BACKWARD COMPATIBILITY: check for space-separated inet6 addresses + if [[ ${#inet6_IFACE[@]} == 1 && ${inet6_IFACE} == *' '* ]]; then + inet6_IFACE=( ${inet6_IFACE} ) + fi +} + +iface_start() { + local IFACE=${1} i x retval + checkconfig || return 1 + + if [[ ${ifconfig_IFACE} != dhcp ]]; then + # Show the address, but catch if this interface will be inet6 only + i=${ifconfig_IFACE%% *} + if [[ ${i} == *.*.*.* ]]; then + ebegin "Bringing ${IFACE} up (${i})" + else + ebegin "Bringing ${IFACE} up" + fi + # ifconfig does not always return failure .. + ifconfig ${IFACE} ${ifconfig_IFACE} >${devnull} && \ + ifconfig ${IFACE} up &>${devnull} + eend $? || return $? + else + # Check that eth0 was not brought up by the kernel ... + if [[ ${status_IFACE} == up ]]; then + einfo "Keeping kernel configuration for ${IFACE}" + else + ebegin "Bringing ${IFACE} up via DHCP" + /sbin/dhcpcd ${dhcpcd_IFACE} ${IFACE} + retval=$? + eend $retval + if [[ $retval == 0 ]]; then + # DHCP succeeded, show address retrieved + i=$(ifconfig ${IFACE} | grep -m1 -o 'inet addr:[^ ]*' | + cut -d: -f2) + [[ -n ${i} ]] && einfo " ${IFACE} received address ${i}" + elif [[ -n "${ifconfig_fallback_IFACE}" ]]; then + # DHCP failed, try fallback. + # Show the address, but catch if this interface will be inet6 only + i=${ifconfig_fallback_IFACE%% *} + if [[ ${i} == *.*.*.* ]]; then + ebegin "Using fallback configuration (${i}) for ${IFACE}" + else + ebegin "Using fallback configuration for ${IFACE}" + fi + ifconfig ${IFACE} ${ifconfig_fallback_IFACE} >${devnull} && \ + ifconfig ${IFACE} up &>${devnull} + eend $? || return $? + else + return $retval + fi + fi + fi + + if [[ ${#ifconfig_IFACE[@]} -gt 1 ]]; then + einfo " Adding aliases" + for ((i = 1; i < ${#ifconfig_IFACE[@]}; i = i + 1)); do + ebegin " ${IFACE}:${i} (${ifconfig_IFACE[i]%% *})" + ifconfig ${IFACE}:${i} ${ifconfig_IFACE[i]} + eend $? + done + fi + + if [[ -n ${inet6_IFACE} ]]; then + einfo " Adding inet6 addresses" + for ((i = 0; i < ${#inet6_IFACE[@]}; i = i + 1)); do + ebegin " ${IFACE} inet6 add ${inet6_IFACE[i]}" + ifconfig ${IFACE} inet6 add ${inet6_IFACE[i]} >${devnull} + eend $? + done + fi + + # Set static routes + if [[ -n ${routes_IFACE} ]]; then + einfo " Adding routes" + for ((i = 0; i < ${#routes_IFACE[@]}; i = i + 1)); do + ebegin " ${routes_IFACE[i]}" + /sbin/route add ${routes_IFACE[i]} + eend $? + done + fi + + # Set default route if applicable to this interface + if [[ ${gateway} == ${IFACE}/* ]]; then + local ogw=$(/bin/netstat -rn | awk '$1 == "0.0.0.0" {print $2}') + local gw=${gateway#*/} + if [[ ${ogw} != ${gw} ]]; then + ebegin " Setting default gateway ($gw)" + + # First delete any existing route if it was setup by kernel... + /sbin/route del default dev ${IFACE} &>${devnull} + + # Second delete old gateway if it was set... + /sbin/route del default gw ${ogw} &>${devnull} + + # Third add our new default gateway + /sbin/route add default gw ${gw} >${devnull} + eend $? || { + true # need to have some command in here + # Note: This originally called stop, which is obviously + # wrong since it's calling with a local version of IFACE. + # The below code works correctly to abort configuration of + # the interface, but is commented because we're assuming + # that default route failure should not cause the interface + # to be unconfigured. + #local error=$? + #ewarn "Aborting configuration of ${IFACE}" + #iface_stop ${IFACE} + #return ${error} + } + fi + fi + + # Enabling rp_filter causes wacky packets to be auto-dropped by + # the kernel. Note that we only do this if it is not set via + # /etc/sysctl.conf ... + if [[ -e /proc/sys/net/ipv4/conf/${IFACE}/rp_filter && \ + -z "$(grep -s '^[^#]*rp_filter' /etc/sysctl.conf)" ]]; then + echo -n 1 > /proc/sys/net/ipv4/conf/${IFACE}/rp_filter + fi +} + +# iface_stop: bring down an interface. Don't trust information in +# /etc/conf.d/net since the configuration might have changed since +# iface_start ran. Instead query for current configuration and bring +# down the interface. +iface_stop() { + local IFACE=${1} i x aliases inet6 count + + # Try to do a simple down (no aliases, no inet6, no dhcp) + aliases="$(ifconfig | grep -o "^$IFACE:[0-9]*" | tac)" + inet6="$(ifconfig ${IFACE} | awk '$1 == "inet6" {print $2}')" + if [[ -z ${aliases} && -z ${inet6} && ! -e /var/run/dhcpcd-${IFACE}.pid ]]; then + ebegin "Bringing ${IFACE} down" + ifconfig ${IFACE} down &>/dev/null + eend 0 + return 0 + fi + + einfo "Bringing ${IFACE} down" + + # Stop aliases before primary interface. + # Note this must be done in reverse order, since ifconfig eth0:1 + # will remove eth0:2, etc. It might be sufficient to simply remove + # the base interface but we're being safe here. + for i in ${aliases} ${IFACE}; do + + # Delete all the inet6 addresses for this interface + inet6="$(ifconfig ${i} | awk '$1 == "inet6" {print $3}')" + if [[ -n ${inet6} ]]; then + einfo " Removing inet6 addresses" + for x in ${inet6}; do + ebegin " ${IFACE} inet6 del ${x}" + ifconfig ${i} inet6 del ${x} + eend $? + done + fi + + # Stop DHCP (should be N/A for aliases) + # Don't trust current configuration... investigate ourselves + if /sbin/dhcpcd -z ${i} &>${devnull}; then + ebegin " Releasing DHCP lease for ${IFACE}" + for ((count = 0; count < 9; count = count + 1)); do + /sbin/dhcpcd -z ${i} &>${devnull} || break + sleep 1 + done + [[ ${count} -lt 9 ]] + eend $? "Timed out" + fi + ebegin " Stopping ${i}" + ifconfig ${i} down &>${devnull} + eend 0 + done + + return 0 +} + +start() { + # These variables are set by setup_vars + local status_IFACE vlans_IFACE dhcpcd_IFACE + local -a ifconfig_IFACE routes_IFACE inet6_IFACE + + # Call user-defined preup function if it exists + if [[ $(type -t preup) == function ]]; then + einfo "Running preup function" + preup ${IFACE} || { + eerror "preup ${IFACE} failed" + return 1 + } + fi + + # Start the primary interface and aliases + setup_vars ${IFACE} + iface_start ${IFACE} || return 1 + + # Start vlans + local vlan + for vlan in ${vlans_IFACE}; do + /sbin/vconfig add ${IFACE} ${vlan} >${devnull} + setup_vars ${IFACE}.${vlan} + iface_start ${IFACE}.${vlan} + done + + # Call user-defined postup function if it exists + if [[ $(type -t postup) == function ]]; then + einfo "Running postup function" + postup ${IFACE} + fi +} + +stop() { + # Call user-defined predown function if it exists + if [[ $(type -t predown) == function ]]; then + einfo "Running predown function" + predown ${IFACE} + fi + + # Don't depend on setup_vars since configuration might have changed. + # Investigate current configuration instead. + local vlan + for vlan in $(ifconfig | grep -o "^${IFACE}\.[^ ]*"); do + iface_stop ${vlan} + /sbin/vconfig rem ${vlan} >${devnull} + done + + iface_stop ${IFACE} || return 1 # always succeeds, btw + + # Call user-defined postdown function if it exists + if [[ $(type -t postdown) == function ]]; then + einfo "Running postdown function" + postdown ${IFACE} + fi +} + +# vim:ts=4 diff --git a/testing/hosts/bob/etc/conf.d/hostname b/testing/hosts/bob/etc/conf.d/hostname new file mode 100644 index 000000000..bbf5a2ea6 --- /dev/null +++ b/testing/hosts/bob/etc/conf.d/hostname @@ -0,0 +1 @@ +HOSTNAME=bob diff --git a/testing/hosts/bob/etc/conf.d/net b/testing/hosts/bob/etc/conf.d/net new file mode 100644 index 000000000..09133acad --- /dev/null +++ b/testing/hosts/bob/etc/conf.d/net @@ -0,0 +1,10 @@ +# /etc/conf.d/net: + +# This is basically the ifconfig argument without the ifconfig $iface +# +iface_lo="127.0.0.1 netmask 255.0.0.0" +iface_eth0="PH_IP_BOB broadcast 10.2.255.255 netmask 255.255.0.0" + +# For setting the default gateway +# +gateway="eth0/PH_IP1_SUN" diff --git a/testing/hosts/bob/etc/init.d/iptables b/testing/hosts/bob/etc/init.d/iptables new file mode 100755 index 000000000..7b8756b81 --- /dev/null +++ b/testing/hosts/bob/etc/init.d/iptables @@ -0,0 +1,74 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +opts="start stop reload" + +depend() { + before net + need logger +} + +start() { + ebegin "Starting firewall" + + # default policy is DROP + /sbin/iptables -P INPUT DROP + /sbin/iptables -P OUTPUT DROP + /sbin/iptables -P FORWARD DROP + + # allow IKE + iptables -A INPUT -i eth0 -p udp --dport 500 -j ACCEPT + iptables -A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT + + # allow NAT-T + iptables -A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT + iptables -A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT + + + # allow crl fetch from winnetou + iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT + iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + + # allow ssh + iptables -A INPUT -p tcp --dport 22 -j ACCEPT + iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT + + eend $? +} + +stop() { + ebegin "Stopping firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + + if [ $a == nat ]; then + /sbin/iptables -t nat -P PREROUTING ACCEPT + /sbin/iptables -t nat -P POSTROUTING ACCEPT + /sbin/iptables -t nat -P OUTPUT ACCEPT + elif [ $a == mangle ]; then + /sbin/iptables -t mangle -P PREROUTING ACCEPT + /sbin/iptables -t mangle -P INPUT ACCEPT + /sbin/iptables -t mangle -P FORWARD ACCEPT + /sbin/iptables -t mangle -P OUTPUT ACCEPT + /sbin/iptables -t mangle -P POSTROUTING ACCEPT + elif [ $a == filter ]; then + /sbin/iptables -t filter -P INPUT ACCEPT + /sbin/iptables -t filter -P FORWARD ACCEPT + /sbin/iptables -t filter -P OUTPUT ACCEPT + fi + done + eend $? +} + +reload() { + ebegin "Flushing firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + done; + eend $? + start +} + diff --git a/testing/hosts/bob/etc/init.d/net.eth0 b/testing/hosts/bob/etc/init.d/net.eth0 new file mode 100755 index 000000000..fa1200242 --- /dev/null +++ b/testing/hosts/bob/etc/init.d/net.eth0 @@ -0,0 +1,314 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Technologies, Inc. +# Distributed under the terms of the GNU General Public License v2 + +#NB: Config is in /etc/conf.d/net + +if [[ -n $NET_DEBUG ]]; then + set -x + devnull=/dev/stderr +else + devnull=/dev/null +fi + +# For pcmcia users. note that pcmcia must be added to the same +# runlevel as the net.* script that needs it. +depend() { + use hotplug pcmcia +} + +checkconfig() { + if [[ -z "${ifconfig_IFACE}" ]]; then + eerror "Please make sure that /etc/conf.d/net has \$ifconfig_$IFACE set" + eerror "(or \$iface_$IFACE for old-style configuration)" + return 1 + fi + if [[ -n "${vlans_IFACE}" && ! -x /sbin/vconfig ]]; then + eerror "For VLAN (802.1q) support, emerge net-misc/vconfig" + return 1 + fi +} + +# Fix bug 50039 (init.d/net.eth0 localization) +# Some other commands in this script might need to be wrapped, but +# we'll get them one-by-one. Note that LC_ALL trumps LC_anything_else +# according to locale(7) +ifconfig() { + LC_ALL=C /sbin/ifconfig "$@" +} + +# setup_vars: setup variables based on $1 and content of /etc/conf.d/net +# The following variables are set, which should be declared local by +# the calling routine. +# status_IFACE (up or '') +# vlans_IFACE (space-separated list) +# ifconfig_IFACE (array of ifconfig lines, replaces iface_IFACE) +# dhcpcd_IFACE (command-line args for dhcpcd) +# routes_IFACE (array of route lines) +# inet6_IFACE (array of inet6 lines) +# ifconfig_fallback_IFACE (fallback ifconfig if dhcp fails) +setup_vars() { + local i iface="${1//\./_}" + + status_IFACE="$(ifconfig ${1} 2>${devnull} | gawk '$1 == "UP" {print "up"}')" + eval vlans_IFACE=\"\$\{iface_${iface}_vlans\}\" + eval ifconfig_IFACE=( \"\$\{ifconfig_$iface\[@\]\}\" ) + eval dhcpcd_IFACE=\"\$\{dhcpcd_$iface\}\" + eval routes_IFACE=( \"\$\{routes_$iface\[@\]\}\" ) + eval inet6_IFACE=( \"\$\{inet6_$iface\[@\]\}\" ) + eval ifconfig_fallback_IFACE=( \"\$\{ifconfig_fallback_$iface\[@\]\}\" ) + + # BACKWARD COMPATIBILITY: populate the ifconfig_IFACE array + # if iface_IFACE is set (fex. iface_eth0 instead of ifconfig_eth0) + eval local iface_IFACE=\"\$\{iface_$iface\}\" + if [[ -n ${iface_IFACE} && -z ${ifconfig_IFACE} ]]; then + # Make sure these get evaluated as arrays + local -a aliases broadcasts netmasks + + # Start with the primary interface + ifconfig_IFACE=( "${iface_IFACE}" ) + + # ..then add aliases + eval aliases=( \$\{alias_$iface\} ) + eval broadcasts=( \$\{broadcast_$iface\} ) + eval netmasks=( \$\{netmask_$iface\} ) + for ((i = 0; i < ${#aliases[@]}; i = i + 1)); do + ifconfig_IFACE[i+1]="${aliases[i]} ${broadcasts[i]:+broadcast ${broadcasts[i]}} ${netmasks[i]:+netmask ${netmasks[i]}}" + done + fi + + # BACKWARD COMPATIBILITY: check for space-separated inet6 addresses + if [[ ${#inet6_IFACE[@]} == 1 && ${inet6_IFACE} == *' '* ]]; then + inet6_IFACE=( ${inet6_IFACE} ) + fi +} + +iface_start() { + local IFACE=${1} i x retval + checkconfig || return 1 + + if [[ ${ifconfig_IFACE} != dhcp ]]; then + # Show the address, but catch if this interface will be inet6 only + i=${ifconfig_IFACE%% *} + if [[ ${i} == *.*.*.* ]]; then + ebegin "Bringing ${IFACE} up (${i})" + else + ebegin "Bringing ${IFACE} up" + fi + # ifconfig does not always return failure .. + ifconfig ${IFACE} ${ifconfig_IFACE} >${devnull} && \ + ifconfig ${IFACE} up &>${devnull} + eend $? || return $? + else + # Check that eth0 was not brought up by the kernel ... + if [[ ${status_IFACE} == up ]]; then + einfo "Keeping kernel configuration for ${IFACE}" + else + ebegin "Bringing ${IFACE} up via DHCP" + /sbin/dhcpcd ${dhcpcd_IFACE} ${IFACE} + retval=$? + eend $retval + if [[ $retval == 0 ]]; then + # DHCP succeeded, show address retrieved + i=$(ifconfig ${IFACE} | grep -m1 -o 'inet addr:[^ ]*' | + cut -d: -f2) + [[ -n ${i} ]] && einfo " ${IFACE} received address ${i}" + elif [[ -n "${ifconfig_fallback_IFACE}" ]]; then + # DHCP failed, try fallback. + # Show the address, but catch if this interface will be inet6 only + i=${ifconfig_fallback_IFACE%% *} + if [[ ${i} == *.*.*.* ]]; then + ebegin "Using fallback configuration (${i}) for ${IFACE}" + else + ebegin "Using fallback configuration for ${IFACE}" + fi + ifconfig ${IFACE} ${ifconfig_fallback_IFACE} >${devnull} && \ + ifconfig ${IFACE} up &>${devnull} + eend $? || return $? + else + return $retval + fi + fi + fi + + if [[ ${#ifconfig_IFACE[@]} -gt 1 ]]; then + einfo " Adding aliases" + for ((i = 1; i < ${#ifconfig_IFACE[@]}; i = i + 1)); do + ebegin " ${IFACE}:${i} (${ifconfig_IFACE[i]%% *})" + ifconfig ${IFACE}:${i} ${ifconfig_IFACE[i]} + eend $? + done + fi + + if [[ -n ${inet6_IFACE} ]]; then + einfo " Adding inet6 addresses" + for ((i = 0; i < ${#inet6_IFACE[@]}; i = i + 1)); do + ebegin " ${IFACE} inet6 add ${inet6_IFACE[i]}" + ifconfig ${IFACE} inet6 add ${inet6_IFACE[i]} >${devnull} + eend $? + done + fi + + # Set static routes + if [[ -n ${routes_IFACE} ]]; then + einfo " Adding routes" + for ((i = 0; i < ${#routes_IFACE[@]}; i = i + 1)); do + ebegin " ${routes_IFACE[i]}" + /sbin/route add ${routes_IFACE[i]} + eend $? + done + fi + + # Set default route if applicable to this interface + if [[ ${gateway} == ${IFACE}/* ]]; then + local ogw=$(/bin/netstat -rn | awk '$1 == "0.0.0.0" {print $2}') + local gw=${gateway#*/} + if [[ ${ogw} != ${gw} ]]; then + ebegin " Setting default gateway ($gw)" + + # First delete any existing route if it was setup by kernel... + /sbin/route del default dev ${IFACE} &>${devnull} + + # Second delete old gateway if it was set... + /sbin/route del default gw ${ogw} &>${devnull} + + # Third add our new default gateway + /sbin/route add default gw ${gw} >${devnull} + eend $? || { + true # need to have some command in here + # Note: This originally called stop, which is obviously + # wrong since it's calling with a local version of IFACE. + # The below code works correctly to abort configuration of + # the interface, but is commented because we're assuming + # that default route failure should not cause the interface + # to be unconfigured. + #local error=$? + #ewarn "Aborting configuration of ${IFACE}" + #iface_stop ${IFACE} + #return ${error} + } + fi + fi + + # Enabling rp_filter causes wacky packets to be auto-dropped by + # the kernel. Note that we only do this if it is not set via + # /etc/sysctl.conf ... + if [[ -e /proc/sys/net/ipv4/conf/${IFACE}/rp_filter && \ + -z "$(grep -s '^[^#]*rp_filter' /etc/sysctl.conf)" ]]; then + echo -n 1 > /proc/sys/net/ipv4/conf/${IFACE}/rp_filter + fi +} + +# iface_stop: bring down an interface. Don't trust information in +# /etc/conf.d/net since the configuration might have changed since +# iface_start ran. Instead query for current configuration and bring +# down the interface. +iface_stop() { + local IFACE=${1} i x aliases inet6 count + + # Try to do a simple down (no aliases, no inet6, no dhcp) + aliases="$(ifconfig | grep -o "^$IFACE:[0-9]*" | tac)" + inet6="$(ifconfig ${IFACE} | awk '$1 == "inet6" {print $2}')" + if [[ -z ${aliases} && -z ${inet6} && ! -e /var/run/dhcpcd-${IFACE}.pid ]]; then + ebegin "Bringing ${IFACE} down" + ifconfig ${IFACE} down &>/dev/null + eend 0 + return 0 + fi + + einfo "Bringing ${IFACE} down" + + # Stop aliases before primary interface. + # Note this must be done in reverse order, since ifconfig eth0:1 + # will remove eth0:2, etc. It might be sufficient to simply remove + # the base interface but we're being safe here. + for i in ${aliases} ${IFACE}; do + + # Delete all the inet6 addresses for this interface + inet6="$(ifconfig ${i} | awk '$1 == "inet6" {print $3}')" + if [[ -n ${inet6} ]]; then + einfo " Removing inet6 addresses" + for x in ${inet6}; do + ebegin " ${IFACE} inet6 del ${x}" + ifconfig ${i} inet6 del ${x} + eend $? + done + fi + + # Stop DHCP (should be N/A for aliases) + # Don't trust current configuration... investigate ourselves + if /sbin/dhcpcd -z ${i} &>${devnull}; then + ebegin " Releasing DHCP lease for ${IFACE}" + for ((count = 0; count < 9; count = count + 1)); do + /sbin/dhcpcd -z ${i} &>${devnull} || break + sleep 1 + done + [[ ${count} -lt 9 ]] + eend $? "Timed out" + fi + ebegin " Stopping ${i}" + ifconfig ${i} down &>${devnull} + eend 0 + done + + return 0 +} + +start() { + # These variables are set by setup_vars + local status_IFACE vlans_IFACE dhcpcd_IFACE + local -a ifconfig_IFACE routes_IFACE inet6_IFACE + + # Call user-defined preup function if it exists + if [[ $(type -t preup) == function ]]; then + einfo "Running preup function" + preup ${IFACE} || { + eerror "preup ${IFACE} failed" + return 1 + } + fi + + # Start the primary interface and aliases + setup_vars ${IFACE} + iface_start ${IFACE} || return 1 + + # Start vlans + local vlan + for vlan in ${vlans_IFACE}; do + /sbin/vconfig add ${IFACE} ${vlan} >${devnull} + setup_vars ${IFACE}.${vlan} + iface_start ${IFACE}.${vlan} + done + + # Call user-defined postup function if it exists + if [[ $(type -t postup) == function ]]; then + einfo "Running postup function" + postup ${IFACE} + fi +} + +stop() { + # Call user-defined predown function if it exists + if [[ $(type -t predown) == function ]]; then + einfo "Running predown function" + predown ${IFACE} + fi + + # Don't depend on setup_vars since configuration might have changed. + # Investigate current configuration instead. + local vlan + for vlan in $(ifconfig | grep -o "^${IFACE}\.[^ ]*"); do + iface_stop ${vlan} + /sbin/vconfig rem ${vlan} >${devnull} + done + + iface_stop ${IFACE} || return 1 # always succeeds, btw + + # Call user-defined postdown function if it exists + if [[ $(type -t postdown) == function ]]; then + einfo "Running postdown function" + postdown ${IFACE} + fi +} + +# vim:ts=4 diff --git a/testing/hosts/bob/etc/ipsec.conf b/testing/hosts/bob/etc/ipsec.conf new file mode 100755 index 000000000..cdef4e042 --- /dev/null +++ b/testing/hosts/bob/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + nat_traversal=yes + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn nat-t + left=%defaultroute + leftcert=bobCert.pem + leftid=bob@strongswan.org + leftfirewall=yes + right=%any + rightsubnetwithin=10.1.0.0/16 + auto=add diff --git a/testing/hosts/bob/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/hosts/bob/etc/ipsec.d/cacerts/strongswanCert.pem new file mode 100644 index 000000000..0de3b268d --- /dev/null +++ b/testing/hosts/bob/etc/ipsec.d/cacerts/strongswanCert.pem @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDtTCCAp2gAwIBAgIBADANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA0MDkxMDExMDE0NVoXDTE0MDkwODExMDE0NVowRTELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9u +Z1N3YW4gUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL/y +X2LqPVZuWLPIeknK86xhz6ljd3NNhC2z+P1uoCP3sBMuZiZQEjFzhnKcbXxCeo2f +FnvhOOjrrisSuVkzuu82oxXD3fIkzuS7m9V4E10EZzgmKWIf+WuNRfbgAuUINmLc +4YGAXBQLPyzpP4Ou48hhz/YQo58Bics6PHy5v34qCVROIXDvqhj91P8g+pS+F21/ +7P+CH2jRcVIEHZtG8M/PweTPQ95dPzpYd2Ov6SZ/U7EWmbMmT8VcUYn1aChxFmy5 +gweVBWlkH6MP+1DeE0/tL5c87xo5KCeGK8Tdqpe7sBRC4pPEEHDQciTUvkeuJ1Pr +K+1LwdqRxo7HgMRiDw8CAwEAAaOBrzCBrDAPBgNVHRMBAf8EBTADAQH/MAsGA1Ud +DwQEAwIBBjAdBgNVHQ4EFgQUXafdcAZRMn7ntm2zteXgYOouTe8wbQYDVR0jBGYw +ZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYD +VQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3Qg +Q0GCAQAwDQYJKoZIhvcNAQEEBQADggEBAJrXTj5gWS37myHHhii9drYwkMFyDHS/ +lHU8rW/drcnHdus507+qUhNr9SiEAHg4Ywj895UDvT0a1sFaw44QyEa/94iKA8/n ++g5kS1IrKvWu3wu8UI3EgzChgHV3cncQlQWbK+FI9Y3Ax1O1np1r+wLptoWpKKKE +UxsYcxP9K4Nbyeon0AIHOajUheiL3t6aRc3m0o7VU7Do6S2r+He+1Zq/nRUfFeTy +0Atebkn8tmUpPSKWaXkmwpVNrjZ1Qu9umAU+dtJyhzL2zmnyhPC4VqpsKCOp7imy +gKZvUIKPm1zyf4T+yjwxwkiX2xVseoM3aKswb1EoZFelHwndU7u0GQ8= +-----END CERTIFICATE----- diff --git a/testing/hosts/bob/etc/ipsec.d/certs/bobCert.pem b/testing/hosts/bob/etc/ipsec.d/certs/bobCert.pem new file mode 100644 index 000000000..199d3eee2 --- /dev/null +++ b/testing/hosts/bob/etc/ipsec.d/certs/bobCert.pem @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEHjCCAwagAwIBAgIBBjANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA0MDkxMDExMjUzNFoXDTA5MDkwOTExMjUzNFowWDELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh +cmNoMRswGQYDVQQDFBJib2JAc3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3DQEB +AQUAA4IBDwAwggEKAoIBAQDAJaejS3/lJfQHgw0nzvotgSQS8ey/6tvbx7s5RsWY +27x9K5xd44aPrvP2Qpyq34IXRY6uPlIqeUTQN7EKpLrWCxMOT36x5N0Co9J5UWRB +fJC141D+8+1RwJ9/baEIecpCvb0GfDOX0GXN5ltcJk82hZjE4y1yHC1FN7V3zdRg +xmloupPuon+X3bTmyMQ93NKkg48CQGtqtfwQ0MqPiOWu8MBhdztfOyu6aW3EgviF +ithLc02SeNzlpqB3M8GDfX+mr3OVDhhhC2OI+VRlZzz7KxJ13DUR2KkvLZR8Ak4E +5lRjkUnTYd/f3OQYxfjC8idUmj5ojR6Fb0x1tsV/glzXAgMBAAGjggEEMIIBADAJ +BgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQUaLN5EPOkOkVU3J1Ud0sl ++27OOHswbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJ +BgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJz +dHJvbmdTd2FuIFJvb3QgQ0GCAQAwHQYDVR0RBBYwFIESYm9iQHN0cm9uZ3N3YW4u +b3JnMDkGA1UdHwQyMDAwLqAsoCqGKGh0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcv +c3Ryb25nc3dhbi5jcmwwDQYJKoZIhvcNAQEEBQADggEBAIyQLLxdeO8clplzRW9z +TRR3J0zSedvi2XlIZ/XCsv0ZVfoBLLWcDp3QrxNiVZXvXXtzjPsDs+DAveZF9LGq +0tIw1uT3JorbgNNrmWvxBvJoQTtSw4LQBuV7vF27jrposx3Hi5qtUXUDS6wVnDUI +5iORqsrddnoDuMN+Jt7oRcvKfYSNwTV+m0ZAHdB5a/ARWO5UILOrxEA/N72NcDYN +NdAd+bLaB38SbkSbh1xj/AGnrHxdJBF4h4mx4btc9gtBSh+dwBHOsn4TheqJ6bbw +7FlXBowQDCJIswKNhWfnIepQlM1KEzmq5YX43uZO2b7amRaIKqy2vNE7+UNFYBpE +Mto= +-----END CERTIFICATE----- diff --git a/testing/hosts/bob/etc/ipsec.d/private/bobKey.pem b/testing/hosts/bob/etc/ipsec.d/private/bobKey.pem new file mode 100644 index 000000000..42af98bb0 --- /dev/null +++ b/testing/hosts/bob/etc/ipsec.d/private/bobKey.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEAwCWno0t/5SX0B4MNJ876LYEkEvHsv+rb28e7OUbFmNu8fSuc +XeOGj67z9kKcqt+CF0WOrj5SKnlE0DexCqS61gsTDk9+seTdAqPSeVFkQXyQteNQ +/vPtUcCff22hCHnKQr29Bnwzl9BlzeZbXCZPNoWYxOMtchwtRTe1d83UYMZpaLqT +7qJ/l9205sjEPdzSpIOPAkBrarX8ENDKj4jlrvDAYXc7XzsrumltxIL4hYrYS3NN +knjc5aagdzPBg31/pq9zlQ4YYQtjiPlUZWc8+ysSddw1EdipLy2UfAJOBOZUY5FJ +02Hf39zkGMX4wvInVJo+aI0ehW9MdbbFf4Jc1wIDAQABAoIBAGbSP5jUiAYZfzKd +4GZTDfFXz/QLXcN9bFV51ihaRNb9jyn0MmLTpGgzGP3Iu4l8vWKyqB154AI2jqpV +gvnNGOX9Wx8nTwbnD5WgELs24M1iWRXcJLWp1m8PAsrv4WJlueRpIEPeJsWwkSnT +gUQYg/8LEqsZXnJXvanym7sWe/Wkh8i/UyMQJv7zwS+TZ5qeKRfSVo8/9622Ppsh +n+zKFKnTUhiICUHFed4qZWyVR6NVyuzIYjeQy+VmBa5AOzmF549Izg6llwNrvJ8g +DiIKSdtblMrN5OlmTra8LGn2QmlETipRb+4qx+MasbVI8pM1VMMQtBGAJYjhpC51 +rX/RLLECgYEA/Qk9PlUfw2aTA7I6a93pcjhUFTnKFVe9RdrwY7mds5t7dOAPcRBj +5wnIv+OhVszoEo/uOPrgWmBu3ifkmcpPTe4NREFEVA99NOadiJDI/7oAj/Is4c5t +CEb/zHTqKtYMVDrjwhszuPD3m2KNIJ38y4gkkrWT071xQBciztWhvYUCgYEAwmXV +DFoNagTrNhf7Ep5sUek0O3nXPXY/cYKnKhlloUP41ftLbNvZ02qBQ6zqxPHtjGlB +5sPeRQMFbVbmyb+97oa3Mrui1TPiTa5IBPyD36Gg0nFx+xLeXTsy8O8leoFcq02D +1SDSye+fEdj2uYr+f33CIknQHUR4/xkOikgSQasCgYEAzTjOHBzsGw25VLkbmtqr +eIDo6SIqnS7BCsPsTeWAWuhSs9L5kyjI7dxIniEffIfJ/SwQ+NO4XHRz1ugiBv1H +Xpwg1Gfe5BJ/6QTVZaqP6qBPzm+LKUTDt3/l/Uwhk8Zwz2vHx2lKhMei+rpuXbLl +EaoEh5yPHZ87F9Dr4Tbw7AUCgYAjtFpmE2AlWdPtsofdypUwkjmStvUuh7ptWcbk +N5fv/7EDdE1NKDAg4Y3uZSMVmy27PVXqUY1QdZaYl356DaqP1dRuEAJ/UDE/fUQj +DlIWT/Re0pFRwQxwaUAY+oOStZHUsL8G9SliB43a1FO0jm/h8LIoZBBCX+ItUGfY +RBZ+UwKBgCToB2oPwDfrfCkScNozV7GPfcmHTR5bvvpYgRMGyuE1hAwLIWW9V4u9 +1Bp1vCR/C4kiUSBpYsGXLRqJ1GURueQoEbREE4ZvkmNV+t40uX3Fd8/OchAGi934 +0jYmd3dvN4MtF7O02YwpBzuH/wAwdxK0iDbdv+KEZb7TLdL37IN1 +-----END RSA PRIVATE KEY----- diff --git a/testing/hosts/bob/etc/ipsec.secrets b/testing/hosts/bob/etc/ipsec.secrets new file mode 100644 index 000000000..b3a0af048 --- /dev/null +++ b/testing/hosts/bob/etc/ipsec.secrets @@ -0,0 +1,8 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA bobKey.pem + + + + + diff --git a/testing/hosts/bob/etc/runlevels/default/net.eth0 b/testing/hosts/bob/etc/runlevels/default/net.eth0 new file mode 100755 index 000000000..fa1200242 --- /dev/null +++ b/testing/hosts/bob/etc/runlevels/default/net.eth0 @@ -0,0 +1,314 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Technologies, Inc. +# Distributed under the terms of the GNU General Public License v2 + +#NB: Config is in /etc/conf.d/net + +if [[ -n $NET_DEBUG ]]; then + set -x + devnull=/dev/stderr +else + devnull=/dev/null +fi + +# For pcmcia users. note that pcmcia must be added to the same +# runlevel as the net.* script that needs it. +depend() { + use hotplug pcmcia +} + +checkconfig() { + if [[ -z "${ifconfig_IFACE}" ]]; then + eerror "Please make sure that /etc/conf.d/net has \$ifconfig_$IFACE set" + eerror "(or \$iface_$IFACE for old-style configuration)" + return 1 + fi + if [[ -n "${vlans_IFACE}" && ! -x /sbin/vconfig ]]; then + eerror "For VLAN (802.1q) support, emerge net-misc/vconfig" + return 1 + fi +} + +# Fix bug 50039 (init.d/net.eth0 localization) +# Some other commands in this script might need to be wrapped, but +# we'll get them one-by-one. Note that LC_ALL trumps LC_anything_else +# according to locale(7) +ifconfig() { + LC_ALL=C /sbin/ifconfig "$@" +} + +# setup_vars: setup variables based on $1 and content of /etc/conf.d/net +# The following variables are set, which should be declared local by +# the calling routine. +# status_IFACE (up or '') +# vlans_IFACE (space-separated list) +# ifconfig_IFACE (array of ifconfig lines, replaces iface_IFACE) +# dhcpcd_IFACE (command-line args for dhcpcd) +# routes_IFACE (array of route lines) +# inet6_IFACE (array of inet6 lines) +# ifconfig_fallback_IFACE (fallback ifconfig if dhcp fails) +setup_vars() { + local i iface="${1//\./_}" + + status_IFACE="$(ifconfig ${1} 2>${devnull} | gawk '$1 == "UP" {print "up"}')" + eval vlans_IFACE=\"\$\{iface_${iface}_vlans\}\" + eval ifconfig_IFACE=( \"\$\{ifconfig_$iface\[@\]\}\" ) + eval dhcpcd_IFACE=\"\$\{dhcpcd_$iface\}\" + eval routes_IFACE=( \"\$\{routes_$iface\[@\]\}\" ) + eval inet6_IFACE=( \"\$\{inet6_$iface\[@\]\}\" ) + eval ifconfig_fallback_IFACE=( \"\$\{ifconfig_fallback_$iface\[@\]\}\" ) + + # BACKWARD COMPATIBILITY: populate the ifconfig_IFACE array + # if iface_IFACE is set (fex. iface_eth0 instead of ifconfig_eth0) + eval local iface_IFACE=\"\$\{iface_$iface\}\" + if [[ -n ${iface_IFACE} && -z ${ifconfig_IFACE} ]]; then + # Make sure these get evaluated as arrays + local -a aliases broadcasts netmasks + + # Start with the primary interface + ifconfig_IFACE=( "${iface_IFACE}" ) + + # ..then add aliases + eval aliases=( \$\{alias_$iface\} ) + eval broadcasts=( \$\{broadcast_$iface\} ) + eval netmasks=( \$\{netmask_$iface\} ) + for ((i = 0; i < ${#aliases[@]}; i = i + 1)); do + ifconfig_IFACE[i+1]="${aliases[i]} ${broadcasts[i]:+broadcast ${broadcasts[i]}} ${netmasks[i]:+netmask ${netmasks[i]}}" + done + fi + + # BACKWARD COMPATIBILITY: check for space-separated inet6 addresses + if [[ ${#inet6_IFACE[@]} == 1 && ${inet6_IFACE} == *' '* ]]; then + inet6_IFACE=( ${inet6_IFACE} ) + fi +} + +iface_start() { + local IFACE=${1} i x retval + checkconfig || return 1 + + if [[ ${ifconfig_IFACE} != dhcp ]]; then + # Show the address, but catch if this interface will be inet6 only + i=${ifconfig_IFACE%% *} + if [[ ${i} == *.*.*.* ]]; then + ebegin "Bringing ${IFACE} up (${i})" + else + ebegin "Bringing ${IFACE} up" + fi + # ifconfig does not always return failure .. + ifconfig ${IFACE} ${ifconfig_IFACE} >${devnull} && \ + ifconfig ${IFACE} up &>${devnull} + eend $? || return $? + else + # Check that eth0 was not brought up by the kernel ... + if [[ ${status_IFACE} == up ]]; then + einfo "Keeping kernel configuration for ${IFACE}" + else + ebegin "Bringing ${IFACE} up via DHCP" + /sbin/dhcpcd ${dhcpcd_IFACE} ${IFACE} + retval=$? + eend $retval + if [[ $retval == 0 ]]; then + # DHCP succeeded, show address retrieved + i=$(ifconfig ${IFACE} | grep -m1 -o 'inet addr:[^ ]*' | + cut -d: -f2) + [[ -n ${i} ]] && einfo " ${IFACE} received address ${i}" + elif [[ -n "${ifconfig_fallback_IFACE}" ]]; then + # DHCP failed, try fallback. + # Show the address, but catch if this interface will be inet6 only + i=${ifconfig_fallback_IFACE%% *} + if [[ ${i} == *.*.*.* ]]; then + ebegin "Using fallback configuration (${i}) for ${IFACE}" + else + ebegin "Using fallback configuration for ${IFACE}" + fi + ifconfig ${IFACE} ${ifconfig_fallback_IFACE} >${devnull} && \ + ifconfig ${IFACE} up &>${devnull} + eend $? || return $? + else + return $retval + fi + fi + fi + + if [[ ${#ifconfig_IFACE[@]} -gt 1 ]]; then + einfo " Adding aliases" + for ((i = 1; i < ${#ifconfig_IFACE[@]}; i = i + 1)); do + ebegin " ${IFACE}:${i} (${ifconfig_IFACE[i]%% *})" + ifconfig ${IFACE}:${i} ${ifconfig_IFACE[i]} + eend $? + done + fi + + if [[ -n ${inet6_IFACE} ]]; then + einfo " Adding inet6 addresses" + for ((i = 0; i < ${#inet6_IFACE[@]}; i = i + 1)); do + ebegin " ${IFACE} inet6 add ${inet6_IFACE[i]}" + ifconfig ${IFACE} inet6 add ${inet6_IFACE[i]} >${devnull} + eend $? + done + fi + + # Set static routes + if [[ -n ${routes_IFACE} ]]; then + einfo " Adding routes" + for ((i = 0; i < ${#routes_IFACE[@]}; i = i + 1)); do + ebegin " ${routes_IFACE[i]}" + /sbin/route add ${routes_IFACE[i]} + eend $? + done + fi + + # Set default route if applicable to this interface + if [[ ${gateway} == ${IFACE}/* ]]; then + local ogw=$(/bin/netstat -rn | awk '$1 == "0.0.0.0" {print $2}') + local gw=${gateway#*/} + if [[ ${ogw} != ${gw} ]]; then + ebegin " Setting default gateway ($gw)" + + # First delete any existing route if it was setup by kernel... + /sbin/route del default dev ${IFACE} &>${devnull} + + # Second delete old gateway if it was set... + /sbin/route del default gw ${ogw} &>${devnull} + + # Third add our new default gateway + /sbin/route add default gw ${gw} >${devnull} + eend $? || { + true # need to have some command in here + # Note: This originally called stop, which is obviously + # wrong since it's calling with a local version of IFACE. + # The below code works correctly to abort configuration of + # the interface, but is commented because we're assuming + # that default route failure should not cause the interface + # to be unconfigured. + #local error=$? + #ewarn "Aborting configuration of ${IFACE}" + #iface_stop ${IFACE} + #return ${error} + } + fi + fi + + # Enabling rp_filter causes wacky packets to be auto-dropped by + # the kernel. Note that we only do this if it is not set via + # /etc/sysctl.conf ... + if [[ -e /proc/sys/net/ipv4/conf/${IFACE}/rp_filter && \ + -z "$(grep -s '^[^#]*rp_filter' /etc/sysctl.conf)" ]]; then + echo -n 1 > /proc/sys/net/ipv4/conf/${IFACE}/rp_filter + fi +} + +# iface_stop: bring down an interface. Don't trust information in +# /etc/conf.d/net since the configuration might have changed since +# iface_start ran. Instead query for current configuration and bring +# down the interface. +iface_stop() { + local IFACE=${1} i x aliases inet6 count + + # Try to do a simple down (no aliases, no inet6, no dhcp) + aliases="$(ifconfig | grep -o "^$IFACE:[0-9]*" | tac)" + inet6="$(ifconfig ${IFACE} | awk '$1 == "inet6" {print $2}')" + if [[ -z ${aliases} && -z ${inet6} && ! -e /var/run/dhcpcd-${IFACE}.pid ]]; then + ebegin "Bringing ${IFACE} down" + ifconfig ${IFACE} down &>/dev/null + eend 0 + return 0 + fi + + einfo "Bringing ${IFACE} down" + + # Stop aliases before primary interface. + # Note this must be done in reverse order, since ifconfig eth0:1 + # will remove eth0:2, etc. It might be sufficient to simply remove + # the base interface but we're being safe here. + for i in ${aliases} ${IFACE}; do + + # Delete all the inet6 addresses for this interface + inet6="$(ifconfig ${i} | awk '$1 == "inet6" {print $3}')" + if [[ -n ${inet6} ]]; then + einfo " Removing inet6 addresses" + for x in ${inet6}; do + ebegin " ${IFACE} inet6 del ${x}" + ifconfig ${i} inet6 del ${x} + eend $? + done + fi + + # Stop DHCP (should be N/A for aliases) + # Don't trust current configuration... investigate ourselves + if /sbin/dhcpcd -z ${i} &>${devnull}; then + ebegin " Releasing DHCP lease for ${IFACE}" + for ((count = 0; count < 9; count = count + 1)); do + /sbin/dhcpcd -z ${i} &>${devnull} || break + sleep 1 + done + [[ ${count} -lt 9 ]] + eend $? "Timed out" + fi + ebegin " Stopping ${i}" + ifconfig ${i} down &>${devnull} + eend 0 + done + + return 0 +} + +start() { + # These variables are set by setup_vars + local status_IFACE vlans_IFACE dhcpcd_IFACE + local -a ifconfig_IFACE routes_IFACE inet6_IFACE + + # Call user-defined preup function if it exists + if [[ $(type -t preup) == function ]]; then + einfo "Running preup function" + preup ${IFACE} || { + eerror "preup ${IFACE} failed" + return 1 + } + fi + + # Start the primary interface and aliases + setup_vars ${IFACE} + iface_start ${IFACE} || return 1 + + # Start vlans + local vlan + for vlan in ${vlans_IFACE}; do + /sbin/vconfig add ${IFACE} ${vlan} >${devnull} + setup_vars ${IFACE}.${vlan} + iface_start ${IFACE}.${vlan} + done + + # Call user-defined postup function if it exists + if [[ $(type -t postup) == function ]]; then + einfo "Running postup function" + postup ${IFACE} + fi +} + +stop() { + # Call user-defined predown function if it exists + if [[ $(type -t predown) == function ]]; then + einfo "Running predown function" + predown ${IFACE} + fi + + # Don't depend on setup_vars since configuration might have changed. + # Investigate current configuration instead. + local vlan + for vlan in $(ifconfig | grep -o "^${IFACE}\.[^ ]*"); do + iface_stop ${vlan} + /sbin/vconfig rem ${vlan} >${devnull} + done + + iface_stop ${IFACE} || return 1 # always succeeds, btw + + # Call user-defined postdown function if it exists + if [[ $(type -t postdown) == function ]]; then + einfo "Running postdown function" + postdown ${IFACE} + fi +} + +# vim:ts=4 diff --git a/testing/hosts/carol/etc/conf.d/hostname b/testing/hosts/carol/etc/conf.d/hostname new file mode 100644 index 000000000..d5101b924 --- /dev/null +++ b/testing/hosts/carol/etc/conf.d/hostname @@ -0,0 +1 @@ +HOSTNAME=carol diff --git a/testing/hosts/carol/etc/conf.d/net b/testing/hosts/carol/etc/conf.d/net new file mode 100644 index 000000000..39470ad14 --- /dev/null +++ b/testing/hosts/carol/etc/conf.d/net @@ -0,0 +1,10 @@ +# /etc/conf.d/net: + +# This is basically the ifconfig argument without the ifconfig $iface +# +iface_lo="127.0.0.1 netmask 255.0.0.0" +iface_eth0="PH_IP_CAROL broadcast 192.168.0.255 netmask 255.255.255.0" + +# For setting the default gateway +# +gateway="eth0/192.168.0.254" diff --git a/testing/hosts/carol/etc/init.d/iptables b/testing/hosts/carol/etc/init.d/iptables new file mode 100755 index 000000000..cd7ba23ff --- /dev/null +++ b/testing/hosts/carol/etc/init.d/iptables @@ -0,0 +1,73 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +opts="start stop reload" + +depend() { + before net + need logger +} + +start() { + ebegin "Starting firewall" + + # default policy is DROP + /sbin/iptables -P INPUT DROP + /sbin/iptables -P OUTPUT DROP + /sbin/iptables -P FORWARD DROP + + # allow esp + iptables -A INPUT -i eth0 -p 50 -j ACCEPT + iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT + + # allow IKE + iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT + iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + + # allow crl fetch from winnetou + iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT + iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + + # allow ssh + iptables -A INPUT -p tcp --dport 22 -j ACCEPT + iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT + + eend $? +} + +stop() { + ebegin "Stopping firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + + if [ $a == nat ]; then + /sbin/iptables -t nat -P PREROUTING ACCEPT + /sbin/iptables -t nat -P POSTROUTING ACCEPT + /sbin/iptables -t nat -P OUTPUT ACCEPT + elif [ $a == mangle ]; then + /sbin/iptables -t mangle -P PREROUTING ACCEPT + /sbin/iptables -t mangle -P INPUT ACCEPT + /sbin/iptables -t mangle -P FORWARD ACCEPT + /sbin/iptables -t mangle -P OUTPUT ACCEPT + /sbin/iptables -t mangle -P POSTROUTING ACCEPT + elif [ $a == filter ]; then + /sbin/iptables -t filter -P INPUT ACCEPT + /sbin/iptables -t filter -P FORWARD ACCEPT + /sbin/iptables -t filter -P OUTPUT ACCEPT + fi + done + eend $? +} + +reload() { + ebegin "Flushing firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + done; + eend $? + start +} + diff --git a/testing/hosts/carol/etc/init.d/net.eth0 b/testing/hosts/carol/etc/init.d/net.eth0 new file mode 100755 index 000000000..fa1200242 --- /dev/null +++ b/testing/hosts/carol/etc/init.d/net.eth0 @@ -0,0 +1,314 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Technologies, Inc. +# Distributed under the terms of the GNU General Public License v2 + +#NB: Config is in /etc/conf.d/net + +if [[ -n $NET_DEBUG ]]; then + set -x + devnull=/dev/stderr +else + devnull=/dev/null +fi + +# For pcmcia users. note that pcmcia must be added to the same +# runlevel as the net.* script that needs it. +depend() { + use hotplug pcmcia +} + +checkconfig() { + if [[ -z "${ifconfig_IFACE}" ]]; then + eerror "Please make sure that /etc/conf.d/net has \$ifconfig_$IFACE set" + eerror "(or \$iface_$IFACE for old-style configuration)" + return 1 + fi + if [[ -n "${vlans_IFACE}" && ! -x /sbin/vconfig ]]; then + eerror "For VLAN (802.1q) support, emerge net-misc/vconfig" + return 1 + fi +} + +# Fix bug 50039 (init.d/net.eth0 localization) +# Some other commands in this script might need to be wrapped, but +# we'll get them one-by-one. Note that LC_ALL trumps LC_anything_else +# according to locale(7) +ifconfig() { + LC_ALL=C /sbin/ifconfig "$@" +} + +# setup_vars: setup variables based on $1 and content of /etc/conf.d/net +# The following variables are set, which should be declared local by +# the calling routine. +# status_IFACE (up or '') +# vlans_IFACE (space-separated list) +# ifconfig_IFACE (array of ifconfig lines, replaces iface_IFACE) +# dhcpcd_IFACE (command-line args for dhcpcd) +# routes_IFACE (array of route lines) +# inet6_IFACE (array of inet6 lines) +# ifconfig_fallback_IFACE (fallback ifconfig if dhcp fails) +setup_vars() { + local i iface="${1//\./_}" + + status_IFACE="$(ifconfig ${1} 2>${devnull} | gawk '$1 == "UP" {print "up"}')" + eval vlans_IFACE=\"\$\{iface_${iface}_vlans\}\" + eval ifconfig_IFACE=( \"\$\{ifconfig_$iface\[@\]\}\" ) + eval dhcpcd_IFACE=\"\$\{dhcpcd_$iface\}\" + eval routes_IFACE=( \"\$\{routes_$iface\[@\]\}\" ) + eval inet6_IFACE=( \"\$\{inet6_$iface\[@\]\}\" ) + eval ifconfig_fallback_IFACE=( \"\$\{ifconfig_fallback_$iface\[@\]\}\" ) + + # BACKWARD COMPATIBILITY: populate the ifconfig_IFACE array + # if iface_IFACE is set (fex. iface_eth0 instead of ifconfig_eth0) + eval local iface_IFACE=\"\$\{iface_$iface\}\" + if [[ -n ${iface_IFACE} && -z ${ifconfig_IFACE} ]]; then + # Make sure these get evaluated as arrays + local -a aliases broadcasts netmasks + + # Start with the primary interface + ifconfig_IFACE=( "${iface_IFACE}" ) + + # ..then add aliases + eval aliases=( \$\{alias_$iface\} ) + eval broadcasts=( \$\{broadcast_$iface\} ) + eval netmasks=( \$\{netmask_$iface\} ) + for ((i = 0; i < ${#aliases[@]}; i = i + 1)); do + ifconfig_IFACE[i+1]="${aliases[i]} ${broadcasts[i]:+broadcast ${broadcasts[i]}} ${netmasks[i]:+netmask ${netmasks[i]}}" + done + fi + + # BACKWARD COMPATIBILITY: check for space-separated inet6 addresses + if [[ ${#inet6_IFACE[@]} == 1 && ${inet6_IFACE} == *' '* ]]; then + inet6_IFACE=( ${inet6_IFACE} ) + fi +} + +iface_start() { + local IFACE=${1} i x retval + checkconfig || return 1 + + if [[ ${ifconfig_IFACE} != dhcp ]]; then + # Show the address, but catch if this interface will be inet6 only + i=${ifconfig_IFACE%% *} + if [[ ${i} == *.*.*.* ]]; then + ebegin "Bringing ${IFACE} up (${i})" + else + ebegin "Bringing ${IFACE} up" + fi + # ifconfig does not always return failure .. + ifconfig ${IFACE} ${ifconfig_IFACE} >${devnull} && \ + ifconfig ${IFACE} up &>${devnull} + eend $? || return $? + else + # Check that eth0 was not brought up by the kernel ... + if [[ ${status_IFACE} == up ]]; then + einfo "Keeping kernel configuration for ${IFACE}" + else + ebegin "Bringing ${IFACE} up via DHCP" + /sbin/dhcpcd ${dhcpcd_IFACE} ${IFACE} + retval=$? + eend $retval + if [[ $retval == 0 ]]; then + # DHCP succeeded, show address retrieved + i=$(ifconfig ${IFACE} | grep -m1 -o 'inet addr:[^ ]*' | + cut -d: -f2) + [[ -n ${i} ]] && einfo " ${IFACE} received address ${i}" + elif [[ -n "${ifconfig_fallback_IFACE}" ]]; then + # DHCP failed, try fallback. + # Show the address, but catch if this interface will be inet6 only + i=${ifconfig_fallback_IFACE%% *} + if [[ ${i} == *.*.*.* ]]; then + ebegin "Using fallback configuration (${i}) for ${IFACE}" + else + ebegin "Using fallback configuration for ${IFACE}" + fi + ifconfig ${IFACE} ${ifconfig_fallback_IFACE} >${devnull} && \ + ifconfig ${IFACE} up &>${devnull} + eend $? || return $? + else + return $retval + fi + fi + fi + + if [[ ${#ifconfig_IFACE[@]} -gt 1 ]]; then + einfo " Adding aliases" + for ((i = 1; i < ${#ifconfig_IFACE[@]}; i = i + 1)); do + ebegin " ${IFACE}:${i} (${ifconfig_IFACE[i]%% *})" + ifconfig ${IFACE}:${i} ${ifconfig_IFACE[i]} + eend $? + done + fi + + if [[ -n ${inet6_IFACE} ]]; then + einfo " Adding inet6 addresses" + for ((i = 0; i < ${#inet6_IFACE[@]}; i = i + 1)); do + ebegin " ${IFACE} inet6 add ${inet6_IFACE[i]}" + ifconfig ${IFACE} inet6 add ${inet6_IFACE[i]} >${devnull} + eend $? + done + fi + + # Set static routes + if [[ -n ${routes_IFACE} ]]; then + einfo " Adding routes" + for ((i = 0; i < ${#routes_IFACE[@]}; i = i + 1)); do + ebegin " ${routes_IFACE[i]}" + /sbin/route add ${routes_IFACE[i]} + eend $? + done + fi + + # Set default route if applicable to this interface + if [[ ${gateway} == ${IFACE}/* ]]; then + local ogw=$(/bin/netstat -rn | awk '$1 == "0.0.0.0" {print $2}') + local gw=${gateway#*/} + if [[ ${ogw} != ${gw} ]]; then + ebegin " Setting default gateway ($gw)" + + # First delete any existing route if it was setup by kernel... + /sbin/route del default dev ${IFACE} &>${devnull} + + # Second delete old gateway if it was set... + /sbin/route del default gw ${ogw} &>${devnull} + + # Third add our new default gateway + /sbin/route add default gw ${gw} >${devnull} + eend $? || { + true # need to have some command in here + # Note: This originally called stop, which is obviously + # wrong since it's calling with a local version of IFACE. + # The below code works correctly to abort configuration of + # the interface, but is commented because we're assuming + # that default route failure should not cause the interface + # to be unconfigured. + #local error=$? + #ewarn "Aborting configuration of ${IFACE}" + #iface_stop ${IFACE} + #return ${error} + } + fi + fi + + # Enabling rp_filter causes wacky packets to be auto-dropped by + # the kernel. Note that we only do this if it is not set via + # /etc/sysctl.conf ... + if [[ -e /proc/sys/net/ipv4/conf/${IFACE}/rp_filter && \ + -z "$(grep -s '^[^#]*rp_filter' /etc/sysctl.conf)" ]]; then + echo -n 1 > /proc/sys/net/ipv4/conf/${IFACE}/rp_filter + fi +} + +# iface_stop: bring down an interface. Don't trust information in +# /etc/conf.d/net since the configuration might have changed since +# iface_start ran. Instead query for current configuration and bring +# down the interface. +iface_stop() { + local IFACE=${1} i x aliases inet6 count + + # Try to do a simple down (no aliases, no inet6, no dhcp) + aliases="$(ifconfig | grep -o "^$IFACE:[0-9]*" | tac)" + inet6="$(ifconfig ${IFACE} | awk '$1 == "inet6" {print $2}')" + if [[ -z ${aliases} && -z ${inet6} && ! -e /var/run/dhcpcd-${IFACE}.pid ]]; then + ebegin "Bringing ${IFACE} down" + ifconfig ${IFACE} down &>/dev/null + eend 0 + return 0 + fi + + einfo "Bringing ${IFACE} down" + + # Stop aliases before primary interface. + # Note this must be done in reverse order, since ifconfig eth0:1 + # will remove eth0:2, etc. It might be sufficient to simply remove + # the base interface but we're being safe here. + for i in ${aliases} ${IFACE}; do + + # Delete all the inet6 addresses for this interface + inet6="$(ifconfig ${i} | awk '$1 == "inet6" {print $3}')" + if [[ -n ${inet6} ]]; then + einfo " Removing inet6 addresses" + for x in ${inet6}; do + ebegin " ${IFACE} inet6 del ${x}" + ifconfig ${i} inet6 del ${x} + eend $? + done + fi + + # Stop DHCP (should be N/A for aliases) + # Don't trust current configuration... investigate ourselves + if /sbin/dhcpcd -z ${i} &>${devnull}; then + ebegin " Releasing DHCP lease for ${IFACE}" + for ((count = 0; count < 9; count = count + 1)); do + /sbin/dhcpcd -z ${i} &>${devnull} || break + sleep 1 + done + [[ ${count} -lt 9 ]] + eend $? "Timed out" + fi + ebegin " Stopping ${i}" + ifconfig ${i} down &>${devnull} + eend 0 + done + + return 0 +} + +start() { + # These variables are set by setup_vars + local status_IFACE vlans_IFACE dhcpcd_IFACE + local -a ifconfig_IFACE routes_IFACE inet6_IFACE + + # Call user-defined preup function if it exists + if [[ $(type -t preup) == function ]]; then + einfo "Running preup function" + preup ${IFACE} || { + eerror "preup ${IFACE} failed" + return 1 + } + fi + + # Start the primary interface and aliases + setup_vars ${IFACE} + iface_start ${IFACE} || return 1 + + # Start vlans + local vlan + for vlan in ${vlans_IFACE}; do + /sbin/vconfig add ${IFACE} ${vlan} >${devnull} + setup_vars ${IFACE}.${vlan} + iface_start ${IFACE}.${vlan} + done + + # Call user-defined postup function if it exists + if [[ $(type -t postup) == function ]]; then + einfo "Running postup function" + postup ${IFACE} + fi +} + +stop() { + # Call user-defined predown function if it exists + if [[ $(type -t predown) == function ]]; then + einfo "Running predown function" + predown ${IFACE} + fi + + # Don't depend on setup_vars since configuration might have changed. + # Investigate current configuration instead. + local vlan + for vlan in $(ifconfig | grep -o "^${IFACE}\.[^ ]*"); do + iface_stop ${vlan} + /sbin/vconfig rem ${vlan} >${devnull} + done + + iface_stop ${IFACE} || return 1 # always succeeds, btw + + # Call user-defined postdown function if it exists + if [[ $(type -t postdown) == function ]]; then + einfo "Running postdown function" + postdown ${IFACE} + fi +} + +# vim:ts=4 diff --git a/testing/hosts/carol/etc/ipsec.conf b/testing/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..3228f4e16 --- /dev/null +++ b/testing/hosts/carol/etc/ipsec.conf @@ -0,0 +1,29 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn home + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add + + + + diff --git a/testing/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem new file mode 100644 index 000000000..0de3b268d --- /dev/null +++ b/testing/hosts/carol/etc/ipsec.d/cacerts/strongswanCert.pem @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDtTCCAp2gAwIBAgIBADANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA0MDkxMDExMDE0NVoXDTE0MDkwODExMDE0NVowRTELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9u +Z1N3YW4gUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL/y +X2LqPVZuWLPIeknK86xhz6ljd3NNhC2z+P1uoCP3sBMuZiZQEjFzhnKcbXxCeo2f +FnvhOOjrrisSuVkzuu82oxXD3fIkzuS7m9V4E10EZzgmKWIf+WuNRfbgAuUINmLc +4YGAXBQLPyzpP4Ou48hhz/YQo58Bics6PHy5v34qCVROIXDvqhj91P8g+pS+F21/ +7P+CH2jRcVIEHZtG8M/PweTPQ95dPzpYd2Ov6SZ/U7EWmbMmT8VcUYn1aChxFmy5 +gweVBWlkH6MP+1DeE0/tL5c87xo5KCeGK8Tdqpe7sBRC4pPEEHDQciTUvkeuJ1Pr +K+1LwdqRxo7HgMRiDw8CAwEAAaOBrzCBrDAPBgNVHRMBAf8EBTADAQH/MAsGA1Ud +DwQEAwIBBjAdBgNVHQ4EFgQUXafdcAZRMn7ntm2zteXgYOouTe8wbQYDVR0jBGYw +ZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYD +VQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3Qg +Q0GCAQAwDQYJKoZIhvcNAQEEBQADggEBAJrXTj5gWS37myHHhii9drYwkMFyDHS/ +lHU8rW/drcnHdus507+qUhNr9SiEAHg4Ywj895UDvT0a1sFaw44QyEa/94iKA8/n ++g5kS1IrKvWu3wu8UI3EgzChgHV3cncQlQWbK+FI9Y3Ax1O1np1r+wLptoWpKKKE +UxsYcxP9K4Nbyeon0AIHOajUheiL3t6aRc3m0o7VU7Do6S2r+He+1Zq/nRUfFeTy +0Atebkn8tmUpPSKWaXkmwpVNrjZ1Qu9umAU+dtJyhzL2zmnyhPC4VqpsKCOp7imy +gKZvUIKPm1zyf4T+yjwxwkiX2xVseoM3aKswb1EoZFelHwndU7u0GQ8= +-----END CERTIFICATE----- diff --git a/testing/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/hosts/carol/etc/ipsec.d/certs/carolCert.pem new file mode 100644 index 000000000..8492fbd45 --- /dev/null +++ b/testing/hosts/carol/etc/ipsec.d/certs/carolCert.pem @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEIjCCAwqgAwIBAgIBCjANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA1MDEwMTIxNDMxOFoXDTA5MTIzMTIxNDMxOFowWjELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh +cmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBALgbhJIECOCGyNJ4060un/wBuJ6MQjthK5CAEPgX +T/lvZynoSxhfuW5geDCCxQes6dZPeb6wJS4F5fH3qJoLM+Z4n13rZlCEyyMBkcFl +vK0aNFY+ARs0m7arUX8B7Pfi9N6WHTYgO4XpeBHLJrZQz9AU0V3S0rce/WVuVjii +S/cJhrgSi7rl87Qo1jYOA9P06BZQLj0dFNcWWrGpKp/hXvBF1OSP9b15jsgMlCCW +LJqXmLVKDtKgDPLJZR19mILhgcHvaxxD7craL9GR4QmWLb0m84oAIIwaw+0npZJM +YDMMeYeOtcepCWCmRy+XmsqcWu4rtNCu05W1RsXjYZEKBjcCAwEAAaOCAQYwggEC +MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBRVNeym66J5uu+IfxhD +j9InsWdG0TBtBgNVHSMEZjBkgBRdp91wBlEyfue2bbO15eBg6i5N76FJpEcwRTEL +MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT +EnN0cm9uZ1N3YW4gUm9vdCBDQYIBADAfBgNVHREEGDAWgRRjYXJvbEBzdHJvbmdz +d2FuLm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4u +b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBBAUAA4IBAQCxMEp+Zdclc0aI +U+jO3TmL81gcwea0BUucjZfDyvCSkDXcXidOez+l/vUueGC7Bqq1ukDF8cpVgGtM +2HPxM97ZSLPInMgWIeLq3uX8iTtIo05EYqRasJxBIAkY9o6ja6v6z0CZqjSbi2WE +HrHkFrkOTrRi7deGzbAAhWVjOnAfzSxBaujkdUxb6jGBc2F5qpAeVSbE+sAxzmSd +hRyF3tUUwl4yabBzmoedJzlQ4anqg0G14QScBxgXkq032gKuzNVVxWRp6OFannKG +C1INvsBWYtN62wjXlXXhM/M4sBFhmPpftVb+Amgr1jSspTX2dQsNqhI/WtNvLmfK +omBYfxqp +-----END CERTIFICATE----- diff --git a/testing/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/hosts/carol/etc/ipsec.d/private/carolKey.pem new file mode 100644 index 000000000..0522355ce --- /dev/null +++ b/testing/hosts/carol/etc/ipsec.d/private/carolKey.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEAuBuEkgQI4IbI0njTrS6f/AG4noxCO2ErkIAQ+BdP+W9nKehL +GF+5bmB4MILFB6zp1k95vrAlLgXl8feomgsz5nifXetmUITLIwGRwWW8rRo0Vj4B +GzSbtqtRfwHs9+L03pYdNiA7hel4EcsmtlDP0BTRXdLStx79ZW5WOKJL9wmGuBKL +uuXztCjWNg4D0/ToFlAuPR0U1xZasakqn+Fe8EXU5I/1vXmOyAyUIJYsmpeYtUoO +0qAM8sllHX2YguGBwe9rHEPtytov0ZHhCZYtvSbzigAgjBrD7SelkkxgMwx5h461 +x6kJYKZHL5eaypxa7iu00K7TlbVGxeNhkQoGNwIDAQABAoIBAQCnhwq8H4XAYYWN +17quJPYZR6uqQfDmvYX5yD8osXXpgNC8Fo92z2wZnxje86+8S0DA7bLXrMs4NM/H +vVcjTTxd5LcHrHN+o0eBRCVQeXYVgfnL3EH/coCa2Qugaa0q589wV+Ke5Pek5AyJ +DHXegmyHaNoW6Qcq8L0dtigpAq3jTLG5w/3QCo8DMDKOGNR3AJrFpDlS/gW3JXuL +Tn+PUojoWO9W6joDGYDTi4eeYyfZSajzwZvzecEpez3vwKN0pupvHA6BJCR8Mzkq +5EYIH0hvWLtBy8uiWRXTfu/ggoQI9/Z5hBWIQk71m23uMIBbkm+oDn/1fLSBcWfK +cr9RyM+RAoGBANpWewy7xCbkRV/90bgBNkTZ9HeFsFsWOgFVyB1XwM2E/nOqdRJc +rxFt5Qt63DaXB+2REn231EIrsIz/Xd+R9KDl+yZOCY/m/mL4oquTPurEGJPzZdgW +X3kUOFW1pbfcMcmzSp1FPufI17JPiePtUb/q3C4RAjCKlnskHftEyK1pAoGBANfd +eEN8UzoV/R3WsGNDNOecMdIVAX9aiGnkLLraP7CRZ1heCH5y+RV1RB98yppkJG31 +fw5F8a6GoomkMHWGqhzDzQacZQV8w7C6rDY0Bk5TF5vemvJTGlrydwodfMvcJj8Y +KZrS7A0iS3GAAmM6VGr3THyscszfJTq0NwE3v4KfAoGAY7L1wVzENxYpb6nRZ/p1 +s37rGODdJNrDZfSrympVygMexeZiSx4zevv5iQJzKCJTJnIGRY35yLV2iwvY68wU +LpyV0Gn2B9Xs93idn0c/hahBqN2N9dxRgFJxXwHxSEGuInJScfo6vVCC3hNf3cpy +d/Zg0FBH9a5zBIv7fM9t63ECgYAosrSt5I68cNDcA1IWJOGgmS47cYJqxGLbtA1K +3UMMwx08592qGXsktIs3dIuuOBs2MAbYZg9+3Btg3/fS8KS576CEEpBpTHCIrWky +fvSBZ+EXngyQi2J4qyYOXijdNpBvbNrLOeEPSNv4di39D05DLITbLJgoUBnwy3Fj +ZWNR+QKBgEKn19f5QWs/O1DPWBXfvCSc01cuSUx20a6Z3B6Lxj+7MuXBjVxPkGge +kEaZnNzwgm+QQ1C51nIn9gY4LZx7OxMy0idEss76aRq4Lb7I6XakBrCQLQ9IiTkv +gNOeJYGsQv7tkIWWRlBIXjSBGwT6HzTEfN5cvdHSDzARGFGjwYfK +-----END RSA PRIVATE KEY----- diff --git a/testing/hosts/carol/etc/ipsec.secrets b/testing/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..797f18a01 --- /dev/null +++ b/testing/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,7 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA carolKey.pem + + + + diff --git a/testing/hosts/carol/etc/runlevels/default/net.eth0 b/testing/hosts/carol/etc/runlevels/default/net.eth0 new file mode 100755 index 000000000..fa1200242 --- /dev/null +++ b/testing/hosts/carol/etc/runlevels/default/net.eth0 @@ -0,0 +1,314 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Technologies, Inc. +# Distributed under the terms of the GNU General Public License v2 + +#NB: Config is in /etc/conf.d/net + +if [[ -n $NET_DEBUG ]]; then + set -x + devnull=/dev/stderr +else + devnull=/dev/null +fi + +# For pcmcia users. note that pcmcia must be added to the same +# runlevel as the net.* script that needs it. +depend() { + use hotplug pcmcia +} + +checkconfig() { + if [[ -z "${ifconfig_IFACE}" ]]; then + eerror "Please make sure that /etc/conf.d/net has \$ifconfig_$IFACE set" + eerror "(or \$iface_$IFACE for old-style configuration)" + return 1 + fi + if [[ -n "${vlans_IFACE}" && ! -x /sbin/vconfig ]]; then + eerror "For VLAN (802.1q) support, emerge net-misc/vconfig" + return 1 + fi +} + +# Fix bug 50039 (init.d/net.eth0 localization) +# Some other commands in this script might need to be wrapped, but +# we'll get them one-by-one. Note that LC_ALL trumps LC_anything_else +# according to locale(7) +ifconfig() { + LC_ALL=C /sbin/ifconfig "$@" +} + +# setup_vars: setup variables based on $1 and content of /etc/conf.d/net +# The following variables are set, which should be declared local by +# the calling routine. +# status_IFACE (up or '') +# vlans_IFACE (space-separated list) +# ifconfig_IFACE (array of ifconfig lines, replaces iface_IFACE) +# dhcpcd_IFACE (command-line args for dhcpcd) +# routes_IFACE (array of route lines) +# inet6_IFACE (array of inet6 lines) +# ifconfig_fallback_IFACE (fallback ifconfig if dhcp fails) +setup_vars() { + local i iface="${1//\./_}" + + status_IFACE="$(ifconfig ${1} 2>${devnull} | gawk '$1 == "UP" {print "up"}')" + eval vlans_IFACE=\"\$\{iface_${iface}_vlans\}\" + eval ifconfig_IFACE=( \"\$\{ifconfig_$iface\[@\]\}\" ) + eval dhcpcd_IFACE=\"\$\{dhcpcd_$iface\}\" + eval routes_IFACE=( \"\$\{routes_$iface\[@\]\}\" ) + eval inet6_IFACE=( \"\$\{inet6_$iface\[@\]\}\" ) + eval ifconfig_fallback_IFACE=( \"\$\{ifconfig_fallback_$iface\[@\]\}\" ) + + # BACKWARD COMPATIBILITY: populate the ifconfig_IFACE array + # if iface_IFACE is set (fex. iface_eth0 instead of ifconfig_eth0) + eval local iface_IFACE=\"\$\{iface_$iface\}\" + if [[ -n ${iface_IFACE} && -z ${ifconfig_IFACE} ]]; then + # Make sure these get evaluated as arrays + local -a aliases broadcasts netmasks + + # Start with the primary interface + ifconfig_IFACE=( "${iface_IFACE}" ) + + # ..then add aliases + eval aliases=( \$\{alias_$iface\} ) + eval broadcasts=( \$\{broadcast_$iface\} ) + eval netmasks=( \$\{netmask_$iface\} ) + for ((i = 0; i < ${#aliases[@]}; i = i + 1)); do + ifconfig_IFACE[i+1]="${aliases[i]} ${broadcasts[i]:+broadcast ${broadcasts[i]}} ${netmasks[i]:+netmask ${netmasks[i]}}" + done + fi + + # BACKWARD COMPATIBILITY: check for space-separated inet6 addresses + if [[ ${#inet6_IFACE[@]} == 1 && ${inet6_IFACE} == *' '* ]]; then + inet6_IFACE=( ${inet6_IFACE} ) + fi +} + +iface_start() { + local IFACE=${1} i x retval + checkconfig || return 1 + + if [[ ${ifconfig_IFACE} != dhcp ]]; then + # Show the address, but catch if this interface will be inet6 only + i=${ifconfig_IFACE%% *} + if [[ ${i} == *.*.*.* ]]; then + ebegin "Bringing ${IFACE} up (${i})" + else + ebegin "Bringing ${IFACE} up" + fi + # ifconfig does not always return failure .. + ifconfig ${IFACE} ${ifconfig_IFACE} >${devnull} && \ + ifconfig ${IFACE} up &>${devnull} + eend $? || return $? + else + # Check that eth0 was not brought up by the kernel ... + if [[ ${status_IFACE} == up ]]; then + einfo "Keeping kernel configuration for ${IFACE}" + else + ebegin "Bringing ${IFACE} up via DHCP" + /sbin/dhcpcd ${dhcpcd_IFACE} ${IFACE} + retval=$? + eend $retval + if [[ $retval == 0 ]]; then + # DHCP succeeded, show address retrieved + i=$(ifconfig ${IFACE} | grep -m1 -o 'inet addr:[^ ]*' | + cut -d: -f2) + [[ -n ${i} ]] && einfo " ${IFACE} received address ${i}" + elif [[ -n "${ifconfig_fallback_IFACE}" ]]; then + # DHCP failed, try fallback. + # Show the address, but catch if this interface will be inet6 only + i=${ifconfig_fallback_IFACE%% *} + if [[ ${i} == *.*.*.* ]]; then + ebegin "Using fallback configuration (${i}) for ${IFACE}" + else + ebegin "Using fallback configuration for ${IFACE}" + fi + ifconfig ${IFACE} ${ifconfig_fallback_IFACE} >${devnull} && \ + ifconfig ${IFACE} up &>${devnull} + eend $? || return $? + else + return $retval + fi + fi + fi + + if [[ ${#ifconfig_IFACE[@]} -gt 1 ]]; then + einfo " Adding aliases" + for ((i = 1; i < ${#ifconfig_IFACE[@]}; i = i + 1)); do + ebegin " ${IFACE}:${i} (${ifconfig_IFACE[i]%% *})" + ifconfig ${IFACE}:${i} ${ifconfig_IFACE[i]} + eend $? + done + fi + + if [[ -n ${inet6_IFACE} ]]; then + einfo " Adding inet6 addresses" + for ((i = 0; i < ${#inet6_IFACE[@]}; i = i + 1)); do + ebegin " ${IFACE} inet6 add ${inet6_IFACE[i]}" + ifconfig ${IFACE} inet6 add ${inet6_IFACE[i]} >${devnull} + eend $? + done + fi + + # Set static routes + if [[ -n ${routes_IFACE} ]]; then + einfo " Adding routes" + for ((i = 0; i < ${#routes_IFACE[@]}; i = i + 1)); do + ebegin " ${routes_IFACE[i]}" + /sbin/route add ${routes_IFACE[i]} + eend $? + done + fi + + # Set default route if applicable to this interface + if [[ ${gateway} == ${IFACE}/* ]]; then + local ogw=$(/bin/netstat -rn | awk '$1 == "0.0.0.0" {print $2}') + local gw=${gateway#*/} + if [[ ${ogw} != ${gw} ]]; then + ebegin " Setting default gateway ($gw)" + + # First delete any existing route if it was setup by kernel... + /sbin/route del default dev ${IFACE} &>${devnull} + + # Second delete old gateway if it was set... + /sbin/route del default gw ${ogw} &>${devnull} + + # Third add our new default gateway + /sbin/route add default gw ${gw} >${devnull} + eend $? || { + true # need to have some command in here + # Note: This originally called stop, which is obviously + # wrong since it's calling with a local version of IFACE. + # The below code works correctly to abort configuration of + # the interface, but is commented because we're assuming + # that default route failure should not cause the interface + # to be unconfigured. + #local error=$? + #ewarn "Aborting configuration of ${IFACE}" + #iface_stop ${IFACE} + #return ${error} + } + fi + fi + + # Enabling rp_filter causes wacky packets to be auto-dropped by + # the kernel. Note that we only do this if it is not set via + # /etc/sysctl.conf ... + if [[ -e /proc/sys/net/ipv4/conf/${IFACE}/rp_filter && \ + -z "$(grep -s '^[^#]*rp_filter' /etc/sysctl.conf)" ]]; then + echo -n 1 > /proc/sys/net/ipv4/conf/${IFACE}/rp_filter + fi +} + +# iface_stop: bring down an interface. Don't trust information in +# /etc/conf.d/net since the configuration might have changed since +# iface_start ran. Instead query for current configuration and bring +# down the interface. +iface_stop() { + local IFACE=${1} i x aliases inet6 count + + # Try to do a simple down (no aliases, no inet6, no dhcp) + aliases="$(ifconfig | grep -o "^$IFACE:[0-9]*" | tac)" + inet6="$(ifconfig ${IFACE} | awk '$1 == "inet6" {print $2}')" + if [[ -z ${aliases} && -z ${inet6} && ! -e /var/run/dhcpcd-${IFACE}.pid ]]; then + ebegin "Bringing ${IFACE} down" + ifconfig ${IFACE} down &>/dev/null + eend 0 + return 0 + fi + + einfo "Bringing ${IFACE} down" + + # Stop aliases before primary interface. + # Note this must be done in reverse order, since ifconfig eth0:1 + # will remove eth0:2, etc. It might be sufficient to simply remove + # the base interface but we're being safe here. + for i in ${aliases} ${IFACE}; do + + # Delete all the inet6 addresses for this interface + inet6="$(ifconfig ${i} | awk '$1 == "inet6" {print $3}')" + if [[ -n ${inet6} ]]; then + einfo " Removing inet6 addresses" + for x in ${inet6}; do + ebegin " ${IFACE} inet6 del ${x}" + ifconfig ${i} inet6 del ${x} + eend $? + done + fi + + # Stop DHCP (should be N/A for aliases) + # Don't trust current configuration... investigate ourselves + if /sbin/dhcpcd -z ${i} &>${devnull}; then + ebegin " Releasing DHCP lease for ${IFACE}" + for ((count = 0; count < 9; count = count + 1)); do + /sbin/dhcpcd -z ${i} &>${devnull} || break + sleep 1 + done + [[ ${count} -lt 9 ]] + eend $? "Timed out" + fi + ebegin " Stopping ${i}" + ifconfig ${i} down &>${devnull} + eend 0 + done + + return 0 +} + +start() { + # These variables are set by setup_vars + local status_IFACE vlans_IFACE dhcpcd_IFACE + local -a ifconfig_IFACE routes_IFACE inet6_IFACE + + # Call user-defined preup function if it exists + if [[ $(type -t preup) == function ]]; then + einfo "Running preup function" + preup ${IFACE} || { + eerror "preup ${IFACE} failed" + return 1 + } + fi + + # Start the primary interface and aliases + setup_vars ${IFACE} + iface_start ${IFACE} || return 1 + + # Start vlans + local vlan + for vlan in ${vlans_IFACE}; do + /sbin/vconfig add ${IFACE} ${vlan} >${devnull} + setup_vars ${IFACE}.${vlan} + iface_start ${IFACE}.${vlan} + done + + # Call user-defined postup function if it exists + if [[ $(type -t postup) == function ]]; then + einfo "Running postup function" + postup ${IFACE} + fi +} + +stop() { + # Call user-defined predown function if it exists + if [[ $(type -t predown) == function ]]; then + einfo "Running predown function" + predown ${IFACE} + fi + + # Don't depend on setup_vars since configuration might have changed. + # Investigate current configuration instead. + local vlan + for vlan in $(ifconfig | grep -o "^${IFACE}\.[^ ]*"); do + iface_stop ${vlan} + /sbin/vconfig rem ${vlan} >${devnull} + done + + iface_stop ${IFACE} || return 1 # always succeeds, btw + + # Call user-defined postdown function if it exists + if [[ $(type -t postdown) == function ]]; then + einfo "Running postdown function" + postdown ${IFACE} + fi +} + +# vim:ts=4 diff --git a/testing/hosts/dave/etc/conf.d/hostname b/testing/hosts/dave/etc/conf.d/hostname new file mode 100644 index 000000000..c3fabf331 --- /dev/null +++ b/testing/hosts/dave/etc/conf.d/hostname @@ -0,0 +1 @@ +HOSTNAME=dave diff --git a/testing/hosts/dave/etc/conf.d/net b/testing/hosts/dave/etc/conf.d/net new file mode 100644 index 000000000..db3753fb0 --- /dev/null +++ b/testing/hosts/dave/etc/conf.d/net @@ -0,0 +1,10 @@ +# /etc/conf.d/net: + +# This is basically the ifconfig argument without the ifconfig $iface +# +iface_lo="127.0.0.1 netmask 255.0.0.0" +iface_eth0="PH_IP_DAVE broadcast 192.168.0.255 netmask 255.255.255.0" + +# For setting the default gateway +# +gateway="eth0/192.168.0.254" diff --git a/testing/hosts/dave/etc/init.d/iptables b/testing/hosts/dave/etc/init.d/iptables new file mode 100755 index 000000000..cd7ba23ff --- /dev/null +++ b/testing/hosts/dave/etc/init.d/iptables @@ -0,0 +1,73 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +opts="start stop reload" + +depend() { + before net + need logger +} + +start() { + ebegin "Starting firewall" + + # default policy is DROP + /sbin/iptables -P INPUT DROP + /sbin/iptables -P OUTPUT DROP + /sbin/iptables -P FORWARD DROP + + # allow esp + iptables -A INPUT -i eth0 -p 50 -j ACCEPT + iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT + + # allow IKE + iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT + iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + + # allow crl fetch from winnetou + iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT + iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + + # allow ssh + iptables -A INPUT -p tcp --dport 22 -j ACCEPT + iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT + + eend $? +} + +stop() { + ebegin "Stopping firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + + if [ $a == nat ]; then + /sbin/iptables -t nat -P PREROUTING ACCEPT + /sbin/iptables -t nat -P POSTROUTING ACCEPT + /sbin/iptables -t nat -P OUTPUT ACCEPT + elif [ $a == mangle ]; then + /sbin/iptables -t mangle -P PREROUTING ACCEPT + /sbin/iptables -t mangle -P INPUT ACCEPT + /sbin/iptables -t mangle -P FORWARD ACCEPT + /sbin/iptables -t mangle -P OUTPUT ACCEPT + /sbin/iptables -t mangle -P POSTROUTING ACCEPT + elif [ $a == filter ]; then + /sbin/iptables -t filter -P INPUT ACCEPT + /sbin/iptables -t filter -P FORWARD ACCEPT + /sbin/iptables -t filter -P OUTPUT ACCEPT + fi + done + eend $? +} + +reload() { + ebegin "Flushing firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + done; + eend $? + start +} + diff --git a/testing/hosts/dave/etc/init.d/net.eth0 b/testing/hosts/dave/etc/init.d/net.eth0 new file mode 100755 index 000000000..fa1200242 --- /dev/null +++ b/testing/hosts/dave/etc/init.d/net.eth0 @@ -0,0 +1,314 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Technologies, Inc. +# Distributed under the terms of the GNU General Public License v2 + +#NB: Config is in /etc/conf.d/net + +if [[ -n $NET_DEBUG ]]; then + set -x + devnull=/dev/stderr +else + devnull=/dev/null +fi + +# For pcmcia users. note that pcmcia must be added to the same +# runlevel as the net.* script that needs it. +depend() { + use hotplug pcmcia +} + +checkconfig() { + if [[ -z "${ifconfig_IFACE}" ]]; then + eerror "Please make sure that /etc/conf.d/net has \$ifconfig_$IFACE set" + eerror "(or \$iface_$IFACE for old-style configuration)" + return 1 + fi + if [[ -n "${vlans_IFACE}" && ! -x /sbin/vconfig ]]; then + eerror "For VLAN (802.1q) support, emerge net-misc/vconfig" + return 1 + fi +} + +# Fix bug 50039 (init.d/net.eth0 localization) +# Some other commands in this script might need to be wrapped, but +# we'll get them one-by-one. Note that LC_ALL trumps LC_anything_else +# according to locale(7) +ifconfig() { + LC_ALL=C /sbin/ifconfig "$@" +} + +# setup_vars: setup variables based on $1 and content of /etc/conf.d/net +# The following variables are set, which should be declared local by +# the calling routine. +# status_IFACE (up or '') +# vlans_IFACE (space-separated list) +# ifconfig_IFACE (array of ifconfig lines, replaces iface_IFACE) +# dhcpcd_IFACE (command-line args for dhcpcd) +# routes_IFACE (array of route lines) +# inet6_IFACE (array of inet6 lines) +# ifconfig_fallback_IFACE (fallback ifconfig if dhcp fails) +setup_vars() { + local i iface="${1//\./_}" + + status_IFACE="$(ifconfig ${1} 2>${devnull} | gawk '$1 == "UP" {print "up"}')" + eval vlans_IFACE=\"\$\{iface_${iface}_vlans\}\" + eval ifconfig_IFACE=( \"\$\{ifconfig_$iface\[@\]\}\" ) + eval dhcpcd_IFACE=\"\$\{dhcpcd_$iface\}\" + eval routes_IFACE=( \"\$\{routes_$iface\[@\]\}\" ) + eval inet6_IFACE=( \"\$\{inet6_$iface\[@\]\}\" ) + eval ifconfig_fallback_IFACE=( \"\$\{ifconfig_fallback_$iface\[@\]\}\" ) + + # BACKWARD COMPATIBILITY: populate the ifconfig_IFACE array + # if iface_IFACE is set (fex. iface_eth0 instead of ifconfig_eth0) + eval local iface_IFACE=\"\$\{iface_$iface\}\" + if [[ -n ${iface_IFACE} && -z ${ifconfig_IFACE} ]]; then + # Make sure these get evaluated as arrays + local -a aliases broadcasts netmasks + + # Start with the primary interface + ifconfig_IFACE=( "${iface_IFACE}" ) + + # ..then add aliases + eval aliases=( \$\{alias_$iface\} ) + eval broadcasts=( \$\{broadcast_$iface\} ) + eval netmasks=( \$\{netmask_$iface\} ) + for ((i = 0; i < ${#aliases[@]}; i = i + 1)); do + ifconfig_IFACE[i+1]="${aliases[i]} ${broadcasts[i]:+broadcast ${broadcasts[i]}} ${netmasks[i]:+netmask ${netmasks[i]}}" + done + fi + + # BACKWARD COMPATIBILITY: check for space-separated inet6 addresses + if [[ ${#inet6_IFACE[@]} == 1 && ${inet6_IFACE} == *' '* ]]; then + inet6_IFACE=( ${inet6_IFACE} ) + fi +} + +iface_start() { + local IFACE=${1} i x retval + checkconfig || return 1 + + if [[ ${ifconfig_IFACE} != dhcp ]]; then + # Show the address, but catch if this interface will be inet6 only + i=${ifconfig_IFACE%% *} + if [[ ${i} == *.*.*.* ]]; then + ebegin "Bringing ${IFACE} up (${i})" + else + ebegin "Bringing ${IFACE} up" + fi + # ifconfig does not always return failure .. + ifconfig ${IFACE} ${ifconfig_IFACE} >${devnull} && \ + ifconfig ${IFACE} up &>${devnull} + eend $? || return $? + else + # Check that eth0 was not brought up by the kernel ... + if [[ ${status_IFACE} == up ]]; then + einfo "Keeping kernel configuration for ${IFACE}" + else + ebegin "Bringing ${IFACE} up via DHCP" + /sbin/dhcpcd ${dhcpcd_IFACE} ${IFACE} + retval=$? + eend $retval + if [[ $retval == 0 ]]; then + # DHCP succeeded, show address retrieved + i=$(ifconfig ${IFACE} | grep -m1 -o 'inet addr:[^ ]*' | + cut -d: -f2) + [[ -n ${i} ]] && einfo " ${IFACE} received address ${i}" + elif [[ -n "${ifconfig_fallback_IFACE}" ]]; then + # DHCP failed, try fallback. + # Show the address, but catch if this interface will be inet6 only + i=${ifconfig_fallback_IFACE%% *} + if [[ ${i} == *.*.*.* ]]; then + ebegin "Using fallback configuration (${i}) for ${IFACE}" + else + ebegin "Using fallback configuration for ${IFACE}" + fi + ifconfig ${IFACE} ${ifconfig_fallback_IFACE} >${devnull} && \ + ifconfig ${IFACE} up &>${devnull} + eend $? || return $? + else + return $retval + fi + fi + fi + + if [[ ${#ifconfig_IFACE[@]} -gt 1 ]]; then + einfo " Adding aliases" + for ((i = 1; i < ${#ifconfig_IFACE[@]}; i = i + 1)); do + ebegin " ${IFACE}:${i} (${ifconfig_IFACE[i]%% *})" + ifconfig ${IFACE}:${i} ${ifconfig_IFACE[i]} + eend $? + done + fi + + if [[ -n ${inet6_IFACE} ]]; then + einfo " Adding inet6 addresses" + for ((i = 0; i < ${#inet6_IFACE[@]}; i = i + 1)); do + ebegin " ${IFACE} inet6 add ${inet6_IFACE[i]}" + ifconfig ${IFACE} inet6 add ${inet6_IFACE[i]} >${devnull} + eend $? + done + fi + + # Set static routes + if [[ -n ${routes_IFACE} ]]; then + einfo " Adding routes" + for ((i = 0; i < ${#routes_IFACE[@]}; i = i + 1)); do + ebegin " ${routes_IFACE[i]}" + /sbin/route add ${routes_IFACE[i]} + eend $? + done + fi + + # Set default route if applicable to this interface + if [[ ${gateway} == ${IFACE}/* ]]; then + local ogw=$(/bin/netstat -rn | awk '$1 == "0.0.0.0" {print $2}') + local gw=${gateway#*/} + if [[ ${ogw} != ${gw} ]]; then + ebegin " Setting default gateway ($gw)" + + # First delete any existing route if it was setup by kernel... + /sbin/route del default dev ${IFACE} &>${devnull} + + # Second delete old gateway if it was set... + /sbin/route del default gw ${ogw} &>${devnull} + + # Third add our new default gateway + /sbin/route add default gw ${gw} >${devnull} + eend $? || { + true # need to have some command in here + # Note: This originally called stop, which is obviously + # wrong since it's calling with a local version of IFACE. + # The below code works correctly to abort configuration of + # the interface, but is commented because we're assuming + # that default route failure should not cause the interface + # to be unconfigured. + #local error=$? + #ewarn "Aborting configuration of ${IFACE}" + #iface_stop ${IFACE} + #return ${error} + } + fi + fi + + # Enabling rp_filter causes wacky packets to be auto-dropped by + # the kernel. Note that we only do this if it is not set via + # /etc/sysctl.conf ... + if [[ -e /proc/sys/net/ipv4/conf/${IFACE}/rp_filter && \ + -z "$(grep -s '^[^#]*rp_filter' /etc/sysctl.conf)" ]]; then + echo -n 1 > /proc/sys/net/ipv4/conf/${IFACE}/rp_filter + fi +} + +# iface_stop: bring down an interface. Don't trust information in +# /etc/conf.d/net since the configuration might have changed since +# iface_start ran. Instead query for current configuration and bring +# down the interface. +iface_stop() { + local IFACE=${1} i x aliases inet6 count + + # Try to do a simple down (no aliases, no inet6, no dhcp) + aliases="$(ifconfig | grep -o "^$IFACE:[0-9]*" | tac)" + inet6="$(ifconfig ${IFACE} | awk '$1 == "inet6" {print $2}')" + if [[ -z ${aliases} && -z ${inet6} && ! -e /var/run/dhcpcd-${IFACE}.pid ]]; then + ebegin "Bringing ${IFACE} down" + ifconfig ${IFACE} down &>/dev/null + eend 0 + return 0 + fi + + einfo "Bringing ${IFACE} down" + + # Stop aliases before primary interface. + # Note this must be done in reverse order, since ifconfig eth0:1 + # will remove eth0:2, etc. It might be sufficient to simply remove + # the base interface but we're being safe here. + for i in ${aliases} ${IFACE}; do + + # Delete all the inet6 addresses for this interface + inet6="$(ifconfig ${i} | awk '$1 == "inet6" {print $3}')" + if [[ -n ${inet6} ]]; then + einfo " Removing inet6 addresses" + for x in ${inet6}; do + ebegin " ${IFACE} inet6 del ${x}" + ifconfig ${i} inet6 del ${x} + eend $? + done + fi + + # Stop DHCP (should be N/A for aliases) + # Don't trust current configuration... investigate ourselves + if /sbin/dhcpcd -z ${i} &>${devnull}; then + ebegin " Releasing DHCP lease for ${IFACE}" + for ((count = 0; count < 9; count = count + 1)); do + /sbin/dhcpcd -z ${i} &>${devnull} || break + sleep 1 + done + [[ ${count} -lt 9 ]] + eend $? "Timed out" + fi + ebegin " Stopping ${i}" + ifconfig ${i} down &>${devnull} + eend 0 + done + + return 0 +} + +start() { + # These variables are set by setup_vars + local status_IFACE vlans_IFACE dhcpcd_IFACE + local -a ifconfig_IFACE routes_IFACE inet6_IFACE + + # Call user-defined preup function if it exists + if [[ $(type -t preup) == function ]]; then + einfo "Running preup function" + preup ${IFACE} || { + eerror "preup ${IFACE} failed" + return 1 + } + fi + + # Start the primary interface and aliases + setup_vars ${IFACE} + iface_start ${IFACE} || return 1 + + # Start vlans + local vlan + for vlan in ${vlans_IFACE}; do + /sbin/vconfig add ${IFACE} ${vlan} >${devnull} + setup_vars ${IFACE}.${vlan} + iface_start ${IFACE}.${vlan} + done + + # Call user-defined postup function if it exists + if [[ $(type -t postup) == function ]]; then + einfo "Running postup function" + postup ${IFACE} + fi +} + +stop() { + # Call user-defined predown function if it exists + if [[ $(type -t predown) == function ]]; then + einfo "Running predown function" + predown ${IFACE} + fi + + # Don't depend on setup_vars since configuration might have changed. + # Investigate current configuration instead. + local vlan + for vlan in $(ifconfig | grep -o "^${IFACE}\.[^ ]*"); do + iface_stop ${vlan} + /sbin/vconfig rem ${vlan} >${devnull} + done + + iface_stop ${IFACE} || return 1 # always succeeds, btw + + # Call user-defined postdown function if it exists + if [[ $(type -t postdown) == function ]]; then + einfo "Running postdown function" + postdown ${IFACE} + fi +} + +# vim:ts=4 diff --git a/testing/hosts/dave/etc/ipsec.conf b/testing/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..76623491c --- /dev/null +++ b/testing/hosts/dave/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn home + left=PH_IP_DAVE + leftcert=daveCert.pem + leftid=dave@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem new file mode 100644 index 000000000..0de3b268d --- /dev/null +++ b/testing/hosts/dave/etc/ipsec.d/cacerts/strongswanCert.pem @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDtTCCAp2gAwIBAgIBADANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA0MDkxMDExMDE0NVoXDTE0MDkwODExMDE0NVowRTELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9u +Z1N3YW4gUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL/y +X2LqPVZuWLPIeknK86xhz6ljd3NNhC2z+P1uoCP3sBMuZiZQEjFzhnKcbXxCeo2f +FnvhOOjrrisSuVkzuu82oxXD3fIkzuS7m9V4E10EZzgmKWIf+WuNRfbgAuUINmLc +4YGAXBQLPyzpP4Ou48hhz/YQo58Bics6PHy5v34qCVROIXDvqhj91P8g+pS+F21/ +7P+CH2jRcVIEHZtG8M/PweTPQ95dPzpYd2Ov6SZ/U7EWmbMmT8VcUYn1aChxFmy5 +gweVBWlkH6MP+1DeE0/tL5c87xo5KCeGK8Tdqpe7sBRC4pPEEHDQciTUvkeuJ1Pr +K+1LwdqRxo7HgMRiDw8CAwEAAaOBrzCBrDAPBgNVHRMBAf8EBTADAQH/MAsGA1Ud +DwQEAwIBBjAdBgNVHQ4EFgQUXafdcAZRMn7ntm2zteXgYOouTe8wbQYDVR0jBGYw +ZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYD +VQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3Qg +Q0GCAQAwDQYJKoZIhvcNAQEEBQADggEBAJrXTj5gWS37myHHhii9drYwkMFyDHS/ +lHU8rW/drcnHdus507+qUhNr9SiEAHg4Ywj895UDvT0a1sFaw44QyEa/94iKA8/n ++g5kS1IrKvWu3wu8UI3EgzChgHV3cncQlQWbK+FI9Y3Ax1O1np1r+wLptoWpKKKE +UxsYcxP9K4Nbyeon0AIHOajUheiL3t6aRc3m0o7VU7Do6S2r+He+1Zq/nRUfFeTy +0Atebkn8tmUpPSKWaXkmwpVNrjZ1Qu9umAU+dtJyhzL2zmnyhPC4VqpsKCOp7imy +gKZvUIKPm1zyf4T+yjwxwkiX2xVseoM3aKswb1EoZFelHwndU7u0GQ8= +-----END CERTIFICATE----- diff --git a/testing/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/hosts/dave/etc/ipsec.d/certs/daveCert.pem new file mode 100644 index 000000000..abd1554e5 --- /dev/null +++ b/testing/hosts/dave/etc/ipsec.d/certs/daveCert.pem @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEIjCCAwqgAwIBAgIBCDANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA0MDkxMDExMjY1MVoXDTA5MDkwOTExMjY1MVowWzELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xEzARBgNVBAsTCkFjY291 +bnRpbmcxHDAaBgNVBAMUE2RhdmVAc3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3 +DQEBAQUAA4IBDwAwggEKAoIBAQDGbCmUY6inir71/6RWebegcLUTmDSxRqpRONDx +2IRUEuES5EKc7qsjRz45XoqjiywCQRjYW33fUEEY6r7fnHk70CyUnWeZyr7v4D/2 +LjBN3smDE6/ZZrzxPx+xphlUigYOF/vt4gUiW1dOZ5rcnxG9+eNrSL6gWNNg1iuE +RflSTbmHV6TVmGU2PGddKGZ6XfqWfdA+6iOi2+oyqw6aH4u4hfXhJyMROEOhLdAF +UvzU9UizEXSqsmEOSodS9vypVJRYTbZcx70e9Q7g2MghHvtQY6mVgBzAwakDBCt/ +98lAlKDeXXOQqPcqAZSc2VjG8gEmkr1dum8wsJw8C2liKGRFAgMBAAGjggEFMIIB +ATAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQU3pC10RxsZDx0UNNq ++Ihsoxk4+3IwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUx +CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQD +ExJzdHJvbmdTd2FuIFJvb3QgQ0GCAQAwHgYDVR0RBBcwFYETZGF2ZUBzdHJvbmdz +d2FuLm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4u +b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBBAUAA4IBAQAnotcnOE0tJDLy +8Vh1+naT2zrxx9UxfMIeFljwhDqRiHXSLDAbCOnAWoqj8C9riuZwW7UImIIQ9JT9 +Gdktt4bbIcG25rGMC3uqP71CfaAz/SwIZZ2vm8Jt2ZzzSMHsE5qbjDIRAZnq6giR +P2s6PVsMPSpvH34sRbE0UoWJSdtBZJP5bb+T4hc9gfmbyTewwMnjh09KkGJqVxKV +UC/1z1U9zb3X1Gc9y+zI67/D46wM6KdRINaqPdK26aYRFM+/DLoTfFk07dsyz7lt +0C+/ityQOvpfjVlZ/OepT92eWno4FuNRJuUP5/gYiHvSsjZbazqG02qGhJ6VgtGT +5qILUTmI +-----END CERTIFICATE----- diff --git a/testing/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/hosts/dave/etc/ipsec.d/private/daveKey.pem new file mode 100644 index 000000000..1cbaa183f --- /dev/null +++ b/testing/hosts/dave/etc/ipsec.d/private/daveKey.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAxmwplGOop4q+9f+kVnm3oHC1E5g0sUaqUTjQ8diEVBLhEuRC +nO6rI0c+OV6Ko4ssAkEY2Ft931BBGOq+35x5O9AslJ1nmcq+7+A/9i4wTd7JgxOv +2Wa88T8fsaYZVIoGDhf77eIFIltXTmea3J8Rvfnja0i+oFjTYNYrhEX5Uk25h1ek +1ZhlNjxnXShmel36ln3QPuojotvqMqsOmh+LuIX14ScjEThDoS3QBVL81PVIsxF0 +qrJhDkqHUvb8qVSUWE22XMe9HvUO4NjIIR77UGOplYAcwMGpAwQrf/fJQJSg3l1z +kKj3KgGUnNlYxvIBJpK9XbpvMLCcPAtpYihkRQIDAQABAoIBAQCQP7nKotjNVFSX +Sg4Sv9H61XUOlaxY5GKVQZTE/P7WkBMIROEYbXoE35og4tYvJtILoX+KapkLa7Cn +iKDSt1J7ZU/DitryNy6v/HsDYXjEY55jqEBC8CmTyKwl3fa0OtNEE7OWsKXC4FyM +J02x7gJb9fqa1/udXnXtBEYGl0g1x/vDmuhLgKyq6eliTm/orAyjGK2KfRxu06eS +YUZObr25wC7yDLHCBsWHGNVC7ZyxQoxcPOu9WNwlWYu92ZJMdf3+rIgZSeXxCn3U +3CWAC9tL1HnKC/twbyWEc2Gy0lZaQSgTJzaRtKOlqBTc5Szb4l1ibmyeAA7NanXK +wnUYfiZRAoGBAOWW0+4lzZhWOxK/cYwM5+eoI66MhPECFVK2sL8iC34BKGFRCrSd +YS/nugWiAu30knIBrw8z9BN0gYEfiE/EZyP5TbjtabKDN28xQa1+bw9Sr+5g5TcR +HFvZRkJWSYGoIuVO22eXUh+1hwx3KZP/UX6pwkrc2dxQLxNk0mo/BexPAoGBAN0/ +geik9GNIjbKwSPLvIIwcmO4TZja2RJy9NCTJOrJZFpCII6HvOiO0eYx3+So+KblG +n4AUxrhi4jq1/mAA+VUt4B9ywKH8xzGwhno78dJ1lvydpuzXSTHOEgsWh9Kme05P +syt/t1C0ZkWqOKsBGk1f7dU9IOWuOkpVUbbMX10rAoGBALp0S5lUyiu1nDQVljmP +IadZPeE77ZttfbO2+sO++mZSumCOWItmZM9q+gApGwf1YBmGlI1cPBSwwZwD58gg +UUM97IkLBpQbTKHY9uXXkIp5NLf7qSuXkdhmFFE7kmbiDbT83eK7Wc62tf7Bp9qx +t5WOeGQkCCqMVC8D6n6uwDixAoGABV4jErfdzgLWnT01p98xVPTkqPIDitRFOeBF +QZc4O1d5+quy4ZziNjeMs2G9w86aSIp0GDFo2NRdVLtRnpande+U/m5UShnN42C7 +AoAtz8NWlG5mvFxExFaRjX9QcEXlu/KnECkbE3Qs/wewNEXkk3f+VywSfkAJ3f/P +6bVvot0CgYBA1B9SXYhclR3KNZJPRuTn9OQ/TqLmcCMN62dIhPW4WZo2ixZH3YdS +PE/bYmYfZUPt7MnOSNSnuLKineIf1Dipz0gjuSyFGAs5DE+N+8GWYo00n+0e3TLL +pcBj4nOdIVPTZ31IFeVbi06dCYmzLPAGDeLe1M1Z7fakNky1Wv+Sdg== +-----END RSA PRIVATE KEY----- diff --git a/testing/hosts/dave/etc/ipsec.secrets b/testing/hosts/dave/etc/ipsec.secrets new file mode 100644 index 000000000..3fa796491 --- /dev/null +++ b/testing/hosts/dave/etc/ipsec.secrets @@ -0,0 +1,7 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA daveKey.pem + + + + diff --git a/testing/hosts/dave/etc/runlevels/default/net.eth0 b/testing/hosts/dave/etc/runlevels/default/net.eth0 new file mode 100755 index 000000000..fa1200242 --- /dev/null +++ b/testing/hosts/dave/etc/runlevels/default/net.eth0 @@ -0,0 +1,314 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Technologies, Inc. +# Distributed under the terms of the GNU General Public License v2 + +#NB: Config is in /etc/conf.d/net + +if [[ -n $NET_DEBUG ]]; then + set -x + devnull=/dev/stderr +else + devnull=/dev/null +fi + +# For pcmcia users. note that pcmcia must be added to the same +# runlevel as the net.* script that needs it. +depend() { + use hotplug pcmcia +} + +checkconfig() { + if [[ -z "${ifconfig_IFACE}" ]]; then + eerror "Please make sure that /etc/conf.d/net has \$ifconfig_$IFACE set" + eerror "(or \$iface_$IFACE for old-style configuration)" + return 1 + fi + if [[ -n "${vlans_IFACE}" && ! -x /sbin/vconfig ]]; then + eerror "For VLAN (802.1q) support, emerge net-misc/vconfig" + return 1 + fi +} + +# Fix bug 50039 (init.d/net.eth0 localization) +# Some other commands in this script might need to be wrapped, but +# we'll get them one-by-one. Note that LC_ALL trumps LC_anything_else +# according to locale(7) +ifconfig() { + LC_ALL=C /sbin/ifconfig "$@" +} + +# setup_vars: setup variables based on $1 and content of /etc/conf.d/net +# The following variables are set, which should be declared local by +# the calling routine. +# status_IFACE (up or '') +# vlans_IFACE (space-separated list) +# ifconfig_IFACE (array of ifconfig lines, replaces iface_IFACE) +# dhcpcd_IFACE (command-line args for dhcpcd) +# routes_IFACE (array of route lines) +# inet6_IFACE (array of inet6 lines) +# ifconfig_fallback_IFACE (fallback ifconfig if dhcp fails) +setup_vars() { + local i iface="${1//\./_}" + + status_IFACE="$(ifconfig ${1} 2>${devnull} | gawk '$1 == "UP" {print "up"}')" + eval vlans_IFACE=\"\$\{iface_${iface}_vlans\}\" + eval ifconfig_IFACE=( \"\$\{ifconfig_$iface\[@\]\}\" ) + eval dhcpcd_IFACE=\"\$\{dhcpcd_$iface\}\" + eval routes_IFACE=( \"\$\{routes_$iface\[@\]\}\" ) + eval inet6_IFACE=( \"\$\{inet6_$iface\[@\]\}\" ) + eval ifconfig_fallback_IFACE=( \"\$\{ifconfig_fallback_$iface\[@\]\}\" ) + + # BACKWARD COMPATIBILITY: populate the ifconfig_IFACE array + # if iface_IFACE is set (fex. iface_eth0 instead of ifconfig_eth0) + eval local iface_IFACE=\"\$\{iface_$iface\}\" + if [[ -n ${iface_IFACE} && -z ${ifconfig_IFACE} ]]; then + # Make sure these get evaluated as arrays + local -a aliases broadcasts netmasks + + # Start with the primary interface + ifconfig_IFACE=( "${iface_IFACE}" ) + + # ..then add aliases + eval aliases=( \$\{alias_$iface\} ) + eval broadcasts=( \$\{broadcast_$iface\} ) + eval netmasks=( \$\{netmask_$iface\} ) + for ((i = 0; i < ${#aliases[@]}; i = i + 1)); do + ifconfig_IFACE[i+1]="${aliases[i]} ${broadcasts[i]:+broadcast ${broadcasts[i]}} ${netmasks[i]:+netmask ${netmasks[i]}}" + done + fi + + # BACKWARD COMPATIBILITY: check for space-separated inet6 addresses + if [[ ${#inet6_IFACE[@]} == 1 && ${inet6_IFACE} == *' '* ]]; then + inet6_IFACE=( ${inet6_IFACE} ) + fi +} + +iface_start() { + local IFACE=${1} i x retval + checkconfig || return 1 + + if [[ ${ifconfig_IFACE} != dhcp ]]; then + # Show the address, but catch if this interface will be inet6 only + i=${ifconfig_IFACE%% *} + if [[ ${i} == *.*.*.* ]]; then + ebegin "Bringing ${IFACE} up (${i})" + else + ebegin "Bringing ${IFACE} up" + fi + # ifconfig does not always return failure .. + ifconfig ${IFACE} ${ifconfig_IFACE} >${devnull} && \ + ifconfig ${IFACE} up &>${devnull} + eend $? || return $? + else + # Check that eth0 was not brought up by the kernel ... + if [[ ${status_IFACE} == up ]]; then + einfo "Keeping kernel configuration for ${IFACE}" + else + ebegin "Bringing ${IFACE} up via DHCP" + /sbin/dhcpcd ${dhcpcd_IFACE} ${IFACE} + retval=$? + eend $retval + if [[ $retval == 0 ]]; then + # DHCP succeeded, show address retrieved + i=$(ifconfig ${IFACE} | grep -m1 -o 'inet addr:[^ ]*' | + cut -d: -f2) + [[ -n ${i} ]] && einfo " ${IFACE} received address ${i}" + elif [[ -n "${ifconfig_fallback_IFACE}" ]]; then + # DHCP failed, try fallback. + # Show the address, but catch if this interface will be inet6 only + i=${ifconfig_fallback_IFACE%% *} + if [[ ${i} == *.*.*.* ]]; then + ebegin "Using fallback configuration (${i}) for ${IFACE}" + else + ebegin "Using fallback configuration for ${IFACE}" + fi + ifconfig ${IFACE} ${ifconfig_fallback_IFACE} >${devnull} && \ + ifconfig ${IFACE} up &>${devnull} + eend $? || return $? + else + return $retval + fi + fi + fi + + if [[ ${#ifconfig_IFACE[@]} -gt 1 ]]; then + einfo " Adding aliases" + for ((i = 1; i < ${#ifconfig_IFACE[@]}; i = i + 1)); do + ebegin " ${IFACE}:${i} (${ifconfig_IFACE[i]%% *})" + ifconfig ${IFACE}:${i} ${ifconfig_IFACE[i]} + eend $? + done + fi + + if [[ -n ${inet6_IFACE} ]]; then + einfo " Adding inet6 addresses" + for ((i = 0; i < ${#inet6_IFACE[@]}; i = i + 1)); do + ebegin " ${IFACE} inet6 add ${inet6_IFACE[i]}" + ifconfig ${IFACE} inet6 add ${inet6_IFACE[i]} >${devnull} + eend $? + done + fi + + # Set static routes + if [[ -n ${routes_IFACE} ]]; then + einfo " Adding routes" + for ((i = 0; i < ${#routes_IFACE[@]}; i = i + 1)); do + ebegin " ${routes_IFACE[i]}" + /sbin/route add ${routes_IFACE[i]} + eend $? + done + fi + + # Set default route if applicable to this interface + if [[ ${gateway} == ${IFACE}/* ]]; then + local ogw=$(/bin/netstat -rn | awk '$1 == "0.0.0.0" {print $2}') + local gw=${gateway#*/} + if [[ ${ogw} != ${gw} ]]; then + ebegin " Setting default gateway ($gw)" + + # First delete any existing route if it was setup by kernel... + /sbin/route del default dev ${IFACE} &>${devnull} + + # Second delete old gateway if it was set... + /sbin/route del default gw ${ogw} &>${devnull} + + # Third add our new default gateway + /sbin/route add default gw ${gw} >${devnull} + eend $? || { + true # need to have some command in here + # Note: This originally called stop, which is obviously + # wrong since it's calling with a local version of IFACE. + # The below code works correctly to abort configuration of + # the interface, but is commented because we're assuming + # that default route failure should not cause the interface + # to be unconfigured. + #local error=$? + #ewarn "Aborting configuration of ${IFACE}" + #iface_stop ${IFACE} + #return ${error} + } + fi + fi + + # Enabling rp_filter causes wacky packets to be auto-dropped by + # the kernel. Note that we only do this if it is not set via + # /etc/sysctl.conf ... + if [[ -e /proc/sys/net/ipv4/conf/${IFACE}/rp_filter && \ + -z "$(grep -s '^[^#]*rp_filter' /etc/sysctl.conf)" ]]; then + echo -n 1 > /proc/sys/net/ipv4/conf/${IFACE}/rp_filter + fi +} + +# iface_stop: bring down an interface. Don't trust information in +# /etc/conf.d/net since the configuration might have changed since +# iface_start ran. Instead query for current configuration and bring +# down the interface. +iface_stop() { + local IFACE=${1} i x aliases inet6 count + + # Try to do a simple down (no aliases, no inet6, no dhcp) + aliases="$(ifconfig | grep -o "^$IFACE:[0-9]*" | tac)" + inet6="$(ifconfig ${IFACE} | awk '$1 == "inet6" {print $2}')" + if [[ -z ${aliases} && -z ${inet6} && ! -e /var/run/dhcpcd-${IFACE}.pid ]]; then + ebegin "Bringing ${IFACE} down" + ifconfig ${IFACE} down &>/dev/null + eend 0 + return 0 + fi + + einfo "Bringing ${IFACE} down" + + # Stop aliases before primary interface. + # Note this must be done in reverse order, since ifconfig eth0:1 + # will remove eth0:2, etc. It might be sufficient to simply remove + # the base interface but we're being safe here. + for i in ${aliases} ${IFACE}; do + + # Delete all the inet6 addresses for this interface + inet6="$(ifconfig ${i} | awk '$1 == "inet6" {print $3}')" + if [[ -n ${inet6} ]]; then + einfo " Removing inet6 addresses" + for x in ${inet6}; do + ebegin " ${IFACE} inet6 del ${x}" + ifconfig ${i} inet6 del ${x} + eend $? + done + fi + + # Stop DHCP (should be N/A for aliases) + # Don't trust current configuration... investigate ourselves + if /sbin/dhcpcd -z ${i} &>${devnull}; then + ebegin " Releasing DHCP lease for ${IFACE}" + for ((count = 0; count < 9; count = count + 1)); do + /sbin/dhcpcd -z ${i} &>${devnull} || break + sleep 1 + done + [[ ${count} -lt 9 ]] + eend $? "Timed out" + fi + ebegin " Stopping ${i}" + ifconfig ${i} down &>${devnull} + eend 0 + done + + return 0 +} + +start() { + # These variables are set by setup_vars + local status_IFACE vlans_IFACE dhcpcd_IFACE + local -a ifconfig_IFACE routes_IFACE inet6_IFACE + + # Call user-defined preup function if it exists + if [[ $(type -t preup) == function ]]; then + einfo "Running preup function" + preup ${IFACE} || { + eerror "preup ${IFACE} failed" + return 1 + } + fi + + # Start the primary interface and aliases + setup_vars ${IFACE} + iface_start ${IFACE} || return 1 + + # Start vlans + local vlan + for vlan in ${vlans_IFACE}; do + /sbin/vconfig add ${IFACE} ${vlan} >${devnull} + setup_vars ${IFACE}.${vlan} + iface_start ${IFACE}.${vlan} + done + + # Call user-defined postup function if it exists + if [[ $(type -t postup) == function ]]; then + einfo "Running postup function" + postup ${IFACE} + fi +} + +stop() { + # Call user-defined predown function if it exists + if [[ $(type -t predown) == function ]]; then + einfo "Running predown function" + predown ${IFACE} + fi + + # Don't depend on setup_vars since configuration might have changed. + # Investigate current configuration instead. + local vlan + for vlan in $(ifconfig | grep -o "^${IFACE}\.[^ ]*"); do + iface_stop ${vlan} + /sbin/vconfig rem ${vlan} >${devnull} + done + + iface_stop ${IFACE} || return 1 # always succeeds, btw + + # Call user-defined postdown function if it exists + if [[ $(type -t postdown) == function ]]; then + einfo "Running postdown function" + postdown ${IFACE} + fi +} + +# vim:ts=4 diff --git a/testing/hosts/default/etc/hosts b/testing/hosts/default/etc/hosts new file mode 100644 index 000000000..b8bc8da66 --- /dev/null +++ b/testing/hosts/default/etc/hosts @@ -0,0 +1,34 @@ +# /etc/hosts: This file describes a number of hostname-to-address +# mappings for the TCP/IP subsystem. It is mostly +# used at boot time, when no name servers are running. +# On small systems, this file can be used instead of a +# "named" name server. Just add the names, addresses +# and any aliases to this file... +# + +127.0.0.1 localhost + +192.168.0.254 uml0.strongswan.org uml0 +10.1.0.254 uml1.strongswan.org uml1 +10.2.0.254 uml1.strongswan.org uml2 + +PH_IP_ALICE alice.strongswan.org alice +PH_IP_VENUS venus.strongswan.org venus +PH_IP1_MOON moon1.strongswan.org moon1 +PH_IP_MOON moon.strongswan.org moon +PH_IP_CAROL carol.strongswan.org carol +PH_IP1_CAROL carol1.strongswan.org carol1 +PH_IP_WINNETOU winnetou.strongswan.org winnetou crl.strongswan.org ocsp.strongswan.org ldap.strongswan.org +PH_IP_DAVE dave.strongswan.org dave +PH_IP1_DAVE dave1.strongswan.org dave1 +PH_IP_SUN sun.strongswan.org sun +PH_IP1_SUN sun1.strongswan.org sun1 +PH_IP_BOB bob.strongswan.org bob + +# IPV6 versions of localhost and co +::1 ip6-localhost ip6-loopback +fe00::0 ip6-localnet +ff00::0 ip6-mcastprefix +ff02::1 ip6-allnodes +ff02::2 ip6-allrouters +ff02::3 ip6-allhosts diff --git a/testing/hosts/moon/etc/conf.d/hostname b/testing/hosts/moon/etc/conf.d/hostname new file mode 100644 index 000000000..78e695337 --- /dev/null +++ b/testing/hosts/moon/etc/conf.d/hostname @@ -0,0 +1 @@ +HOSTNAME=moon diff --git a/testing/hosts/moon/etc/conf.d/net b/testing/hosts/moon/etc/conf.d/net new file mode 100644 index 000000000..7dec60ba5 --- /dev/null +++ b/testing/hosts/moon/etc/conf.d/net @@ -0,0 +1,11 @@ +# /etc/conf.d/net: + +# This is basically the ifconfig argument without the ifconfig $iface +# +iface_lo="127.0.0.1 netmask 255.0.0.0" +iface_eth0="PH_IP_MOON broadcast 192.168.0.255 netmask 255.255.255.0" +iface_eth1="PH_IP1_MOON broadcast 10.1.255.255 netmask 255.255.0.0" + +# For setting the default gateway +# +gateway="eth0/192.168.0.254" diff --git a/testing/hosts/moon/etc/init.d/iptables b/testing/hosts/moon/etc/init.d/iptables new file mode 100755 index 000000000..7f46267c2 --- /dev/null +++ b/testing/hosts/moon/etc/init.d/iptables @@ -0,0 +1,76 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +opts="start stop reload" + +depend() { + before net + need logger +} + +start() { + ebegin "Starting firewall" + + # enable IP forwarding + echo 1 > /proc/sys/net/ipv4/ip_forward + + # default policy is DROP + /sbin/iptables -P INPUT DROP + /sbin/iptables -P OUTPUT DROP + /sbin/iptables -P FORWARD DROP + + # allow esp + iptables -A INPUT -i eth0 -p 50 -j ACCEPT + iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT + + # allow IKE + iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT + iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + + # allow crl fetch from winnetou + iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT + iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + + # allow ssh + iptables -A INPUT -p tcp --dport 22 -j ACCEPT + iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT + + eend $? +} + +stop() { + ebegin "Stopping firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + + if [ $a == nat ]; then + /sbin/iptables -t nat -P PREROUTING ACCEPT + /sbin/iptables -t nat -P POSTROUTING ACCEPT + /sbin/iptables -t nat -P OUTPUT ACCEPT + elif [ $a == mangle ]; then + /sbin/iptables -t mangle -P PREROUTING ACCEPT + /sbin/iptables -t mangle -P INPUT ACCEPT + /sbin/iptables -t mangle -P FORWARD ACCEPT + /sbin/iptables -t mangle -P OUTPUT ACCEPT + /sbin/iptables -t mangle -P POSTROUTING ACCEPT + elif [ $a == filter ]; then + /sbin/iptables -t filter -P INPUT ACCEPT + /sbin/iptables -t filter -P FORWARD ACCEPT + /sbin/iptables -t filter -P OUTPUT ACCEPT + fi + done + eend $? +} + +reload() { + ebegin "Flushing firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + done; + eend $? + start +} + diff --git a/testing/hosts/moon/etc/init.d/net.eth0 b/testing/hosts/moon/etc/init.d/net.eth0 new file mode 100755 index 000000000..fa1200242 --- /dev/null +++ b/testing/hosts/moon/etc/init.d/net.eth0 @@ -0,0 +1,314 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Technologies, Inc. +# Distributed under the terms of the GNU General Public License v2 + +#NB: Config is in /etc/conf.d/net + +if [[ -n $NET_DEBUG ]]; then + set -x + devnull=/dev/stderr +else + devnull=/dev/null +fi + +# For pcmcia users. note that pcmcia must be added to the same +# runlevel as the net.* script that needs it. +depend() { + use hotplug pcmcia +} + +checkconfig() { + if [[ -z "${ifconfig_IFACE}" ]]; then + eerror "Please make sure that /etc/conf.d/net has \$ifconfig_$IFACE set" + eerror "(or \$iface_$IFACE for old-style configuration)" + return 1 + fi + if [[ -n "${vlans_IFACE}" && ! -x /sbin/vconfig ]]; then + eerror "For VLAN (802.1q) support, emerge net-misc/vconfig" + return 1 + fi +} + +# Fix bug 50039 (init.d/net.eth0 localization) +# Some other commands in this script might need to be wrapped, but +# we'll get them one-by-one. Note that LC_ALL trumps LC_anything_else +# according to locale(7) +ifconfig() { + LC_ALL=C /sbin/ifconfig "$@" +} + +# setup_vars: setup variables based on $1 and content of /etc/conf.d/net +# The following variables are set, which should be declared local by +# the calling routine. +# status_IFACE (up or '') +# vlans_IFACE (space-separated list) +# ifconfig_IFACE (array of ifconfig lines, replaces iface_IFACE) +# dhcpcd_IFACE (command-line args for dhcpcd) +# routes_IFACE (array of route lines) +# inet6_IFACE (array of inet6 lines) +# ifconfig_fallback_IFACE (fallback ifconfig if dhcp fails) +setup_vars() { + local i iface="${1//\./_}" + + status_IFACE="$(ifconfig ${1} 2>${devnull} | gawk '$1 == "UP" {print "up"}')" + eval vlans_IFACE=\"\$\{iface_${iface}_vlans\}\" + eval ifconfig_IFACE=( \"\$\{ifconfig_$iface\[@\]\}\" ) + eval dhcpcd_IFACE=\"\$\{dhcpcd_$iface\}\" + eval routes_IFACE=( \"\$\{routes_$iface\[@\]\}\" ) + eval inet6_IFACE=( \"\$\{inet6_$iface\[@\]\}\" ) + eval ifconfig_fallback_IFACE=( \"\$\{ifconfig_fallback_$iface\[@\]\}\" ) + + # BACKWARD COMPATIBILITY: populate the ifconfig_IFACE array + # if iface_IFACE is set (fex. iface_eth0 instead of ifconfig_eth0) + eval local iface_IFACE=\"\$\{iface_$iface\}\" + if [[ -n ${iface_IFACE} && -z ${ifconfig_IFACE} ]]; then + # Make sure these get evaluated as arrays + local -a aliases broadcasts netmasks + + # Start with the primary interface + ifconfig_IFACE=( "${iface_IFACE}" ) + + # ..then add aliases + eval aliases=( \$\{alias_$iface\} ) + eval broadcasts=( \$\{broadcast_$iface\} ) + eval netmasks=( \$\{netmask_$iface\} ) + for ((i = 0; i < ${#aliases[@]}; i = i + 1)); do + ifconfig_IFACE[i+1]="${aliases[i]} ${broadcasts[i]:+broadcast ${broadcasts[i]}} ${netmasks[i]:+netmask ${netmasks[i]}}" + done + fi + + # BACKWARD COMPATIBILITY: check for space-separated inet6 addresses + if [[ ${#inet6_IFACE[@]} == 1 && ${inet6_IFACE} == *' '* ]]; then + inet6_IFACE=( ${inet6_IFACE} ) + fi +} + +iface_start() { + local IFACE=${1} i x retval + checkconfig || return 1 + + if [[ ${ifconfig_IFACE} != dhcp ]]; then + # Show the address, but catch if this interface will be inet6 only + i=${ifconfig_IFACE%% *} + if [[ ${i} == *.*.*.* ]]; then + ebegin "Bringing ${IFACE} up (${i})" + else + ebegin "Bringing ${IFACE} up" + fi + # ifconfig does not always return failure .. + ifconfig ${IFACE} ${ifconfig_IFACE} >${devnull} && \ + ifconfig ${IFACE} up &>${devnull} + eend $? || return $? + else + # Check that eth0 was not brought up by the kernel ... + if [[ ${status_IFACE} == up ]]; then + einfo "Keeping kernel configuration for ${IFACE}" + else + ebegin "Bringing ${IFACE} up via DHCP" + /sbin/dhcpcd ${dhcpcd_IFACE} ${IFACE} + retval=$? + eend $retval + if [[ $retval == 0 ]]; then + # DHCP succeeded, show address retrieved + i=$(ifconfig ${IFACE} | grep -m1 -o 'inet addr:[^ ]*' | + cut -d: -f2) + [[ -n ${i} ]] && einfo " ${IFACE} received address ${i}" + elif [[ -n "${ifconfig_fallback_IFACE}" ]]; then + # DHCP failed, try fallback. + # Show the address, but catch if this interface will be inet6 only + i=${ifconfig_fallback_IFACE%% *} + if [[ ${i} == *.*.*.* ]]; then + ebegin "Using fallback configuration (${i}) for ${IFACE}" + else + ebegin "Using fallback configuration for ${IFACE}" + fi + ifconfig ${IFACE} ${ifconfig_fallback_IFACE} >${devnull} && \ + ifconfig ${IFACE} up &>${devnull} + eend $? || return $? + else + return $retval + fi + fi + fi + + if [[ ${#ifconfig_IFACE[@]} -gt 1 ]]; then + einfo " Adding aliases" + for ((i = 1; i < ${#ifconfig_IFACE[@]}; i = i + 1)); do + ebegin " ${IFACE}:${i} (${ifconfig_IFACE[i]%% *})" + ifconfig ${IFACE}:${i} ${ifconfig_IFACE[i]} + eend $? + done + fi + + if [[ -n ${inet6_IFACE} ]]; then + einfo " Adding inet6 addresses" + for ((i = 0; i < ${#inet6_IFACE[@]}; i = i + 1)); do + ebegin " ${IFACE} inet6 add ${inet6_IFACE[i]}" + ifconfig ${IFACE} inet6 add ${inet6_IFACE[i]} >${devnull} + eend $? + done + fi + + # Set static routes + if [[ -n ${routes_IFACE} ]]; then + einfo " Adding routes" + for ((i = 0; i < ${#routes_IFACE[@]}; i = i + 1)); do + ebegin " ${routes_IFACE[i]}" + /sbin/route add ${routes_IFACE[i]} + eend $? + done + fi + + # Set default route if applicable to this interface + if [[ ${gateway} == ${IFACE}/* ]]; then + local ogw=$(/bin/netstat -rn | awk '$1 == "0.0.0.0" {print $2}') + local gw=${gateway#*/} + if [[ ${ogw} != ${gw} ]]; then + ebegin " Setting default gateway ($gw)" + + # First delete any existing route if it was setup by kernel... + /sbin/route del default dev ${IFACE} &>${devnull} + + # Second delete old gateway if it was set... + /sbin/route del default gw ${ogw} &>${devnull} + + # Third add our new default gateway + /sbin/route add default gw ${gw} >${devnull} + eend $? || { + true # need to have some command in here + # Note: This originally called stop, which is obviously + # wrong since it's calling with a local version of IFACE. + # The below code works correctly to abort configuration of + # the interface, but is commented because we're assuming + # that default route failure should not cause the interface + # to be unconfigured. + #local error=$? + #ewarn "Aborting configuration of ${IFACE}" + #iface_stop ${IFACE} + #return ${error} + } + fi + fi + + # Enabling rp_filter causes wacky packets to be auto-dropped by + # the kernel. Note that we only do this if it is not set via + # /etc/sysctl.conf ... + if [[ -e /proc/sys/net/ipv4/conf/${IFACE}/rp_filter && \ + -z "$(grep -s '^[^#]*rp_filter' /etc/sysctl.conf)" ]]; then + echo -n 1 > /proc/sys/net/ipv4/conf/${IFACE}/rp_filter + fi +} + +# iface_stop: bring down an interface. Don't trust information in +# /etc/conf.d/net since the configuration might have changed since +# iface_start ran. Instead query for current configuration and bring +# down the interface. +iface_stop() { + local IFACE=${1} i x aliases inet6 count + + # Try to do a simple down (no aliases, no inet6, no dhcp) + aliases="$(ifconfig | grep -o "^$IFACE:[0-9]*" | tac)" + inet6="$(ifconfig ${IFACE} | awk '$1 == "inet6" {print $2}')" + if [[ -z ${aliases} && -z ${inet6} && ! -e /var/run/dhcpcd-${IFACE}.pid ]]; then + ebegin "Bringing ${IFACE} down" + ifconfig ${IFACE} down &>/dev/null + eend 0 + return 0 + fi + + einfo "Bringing ${IFACE} down" + + # Stop aliases before primary interface. + # Note this must be done in reverse order, since ifconfig eth0:1 + # will remove eth0:2, etc. It might be sufficient to simply remove + # the base interface but we're being safe here. + for i in ${aliases} ${IFACE}; do + + # Delete all the inet6 addresses for this interface + inet6="$(ifconfig ${i} | awk '$1 == "inet6" {print $3}')" + if [[ -n ${inet6} ]]; then + einfo " Removing inet6 addresses" + for x in ${inet6}; do + ebegin " ${IFACE} inet6 del ${x}" + ifconfig ${i} inet6 del ${x} + eend $? + done + fi + + # Stop DHCP (should be N/A for aliases) + # Don't trust current configuration... investigate ourselves + if /sbin/dhcpcd -z ${i} &>${devnull}; then + ebegin " Releasing DHCP lease for ${IFACE}" + for ((count = 0; count < 9; count = count + 1)); do + /sbin/dhcpcd -z ${i} &>${devnull} || break + sleep 1 + done + [[ ${count} -lt 9 ]] + eend $? "Timed out" + fi + ebegin " Stopping ${i}" + ifconfig ${i} down &>${devnull} + eend 0 + done + + return 0 +} + +start() { + # These variables are set by setup_vars + local status_IFACE vlans_IFACE dhcpcd_IFACE + local -a ifconfig_IFACE routes_IFACE inet6_IFACE + + # Call user-defined preup function if it exists + if [[ $(type -t preup) == function ]]; then + einfo "Running preup function" + preup ${IFACE} || { + eerror "preup ${IFACE} failed" + return 1 + } + fi + + # Start the primary interface and aliases + setup_vars ${IFACE} + iface_start ${IFACE} || return 1 + + # Start vlans + local vlan + for vlan in ${vlans_IFACE}; do + /sbin/vconfig add ${IFACE} ${vlan} >${devnull} + setup_vars ${IFACE}.${vlan} + iface_start ${IFACE}.${vlan} + done + + # Call user-defined postup function if it exists + if [[ $(type -t postup) == function ]]; then + einfo "Running postup function" + postup ${IFACE} + fi +} + +stop() { + # Call user-defined predown function if it exists + if [[ $(type -t predown) == function ]]; then + einfo "Running predown function" + predown ${IFACE} + fi + + # Don't depend on setup_vars since configuration might have changed. + # Investigate current configuration instead. + local vlan + for vlan in $(ifconfig | grep -o "^${IFACE}\.[^ ]*"); do + iface_stop ${vlan} + /sbin/vconfig rem ${vlan} >${devnull} + done + + iface_stop ${IFACE} || return 1 # always succeeds, btw + + # Call user-defined postdown function if it exists + if [[ $(type -t postdown) == function ]]; then + einfo "Running postdown function" + postdown ${IFACE} + fi +} + +# vim:ts=4 diff --git a/testing/hosts/moon/etc/init.d/net.eth1 b/testing/hosts/moon/etc/init.d/net.eth1 new file mode 100755 index 000000000..fa1200242 --- /dev/null +++ b/testing/hosts/moon/etc/init.d/net.eth1 @@ -0,0 +1,314 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Technologies, Inc. +# Distributed under the terms of the GNU General Public License v2 + +#NB: Config is in /etc/conf.d/net + +if [[ -n $NET_DEBUG ]]; then + set -x + devnull=/dev/stderr +else + devnull=/dev/null +fi + +# For pcmcia users. note that pcmcia must be added to the same +# runlevel as the net.* script that needs it. +depend() { + use hotplug pcmcia +} + +checkconfig() { + if [[ -z "${ifconfig_IFACE}" ]]; then + eerror "Please make sure that /etc/conf.d/net has \$ifconfig_$IFACE set" + eerror "(or \$iface_$IFACE for old-style configuration)" + return 1 + fi + if [[ -n "${vlans_IFACE}" && ! -x /sbin/vconfig ]]; then + eerror "For VLAN (802.1q) support, emerge net-misc/vconfig" + return 1 + fi +} + +# Fix bug 50039 (init.d/net.eth0 localization) +# Some other commands in this script might need to be wrapped, but +# we'll get them one-by-one. Note that LC_ALL trumps LC_anything_else +# according to locale(7) +ifconfig() { + LC_ALL=C /sbin/ifconfig "$@" +} + +# setup_vars: setup variables based on $1 and content of /etc/conf.d/net +# The following variables are set, which should be declared local by +# the calling routine. +# status_IFACE (up or '') +# vlans_IFACE (space-separated list) +# ifconfig_IFACE (array of ifconfig lines, replaces iface_IFACE) +# dhcpcd_IFACE (command-line args for dhcpcd) +# routes_IFACE (array of route lines) +# inet6_IFACE (array of inet6 lines) +# ifconfig_fallback_IFACE (fallback ifconfig if dhcp fails) +setup_vars() { + local i iface="${1//\./_}" + + status_IFACE="$(ifconfig ${1} 2>${devnull} | gawk '$1 == "UP" {print "up"}')" + eval vlans_IFACE=\"\$\{iface_${iface}_vlans\}\" + eval ifconfig_IFACE=( \"\$\{ifconfig_$iface\[@\]\}\" ) + eval dhcpcd_IFACE=\"\$\{dhcpcd_$iface\}\" + eval routes_IFACE=( \"\$\{routes_$iface\[@\]\}\" ) + eval inet6_IFACE=( \"\$\{inet6_$iface\[@\]\}\" ) + eval ifconfig_fallback_IFACE=( \"\$\{ifconfig_fallback_$iface\[@\]\}\" ) + + # BACKWARD COMPATIBILITY: populate the ifconfig_IFACE array + # if iface_IFACE is set (fex. iface_eth0 instead of ifconfig_eth0) + eval local iface_IFACE=\"\$\{iface_$iface\}\" + if [[ -n ${iface_IFACE} && -z ${ifconfig_IFACE} ]]; then + # Make sure these get evaluated as arrays + local -a aliases broadcasts netmasks + + # Start with the primary interface + ifconfig_IFACE=( "${iface_IFACE}" ) + + # ..then add aliases + eval aliases=( \$\{alias_$iface\} ) + eval broadcasts=( \$\{broadcast_$iface\} ) + eval netmasks=( \$\{netmask_$iface\} ) + for ((i = 0; i < ${#aliases[@]}; i = i + 1)); do + ifconfig_IFACE[i+1]="${aliases[i]} ${broadcasts[i]:+broadcast ${broadcasts[i]}} ${netmasks[i]:+netmask ${netmasks[i]}}" + done + fi + + # BACKWARD COMPATIBILITY: check for space-separated inet6 addresses + if [[ ${#inet6_IFACE[@]} == 1 && ${inet6_IFACE} == *' '* ]]; then + inet6_IFACE=( ${inet6_IFACE} ) + fi +} + +iface_start() { + local IFACE=${1} i x retval + checkconfig || return 1 + + if [[ ${ifconfig_IFACE} != dhcp ]]; then + # Show the address, but catch if this interface will be inet6 only + i=${ifconfig_IFACE%% *} + if [[ ${i} == *.*.*.* ]]; then + ebegin "Bringing ${IFACE} up (${i})" + else + ebegin "Bringing ${IFACE} up" + fi + # ifconfig does not always return failure .. + ifconfig ${IFACE} ${ifconfig_IFACE} >${devnull} && \ + ifconfig ${IFACE} up &>${devnull} + eend $? || return $? + else + # Check that eth0 was not brought up by the kernel ... + if [[ ${status_IFACE} == up ]]; then + einfo "Keeping kernel configuration for ${IFACE}" + else + ebegin "Bringing ${IFACE} up via DHCP" + /sbin/dhcpcd ${dhcpcd_IFACE} ${IFACE} + retval=$? + eend $retval + if [[ $retval == 0 ]]; then + # DHCP succeeded, show address retrieved + i=$(ifconfig ${IFACE} | grep -m1 -o 'inet addr:[^ ]*' | + cut -d: -f2) + [[ -n ${i} ]] && einfo " ${IFACE} received address ${i}" + elif [[ -n "${ifconfig_fallback_IFACE}" ]]; then + # DHCP failed, try fallback. + # Show the address, but catch if this interface will be inet6 only + i=${ifconfig_fallback_IFACE%% *} + if [[ ${i} == *.*.*.* ]]; then + ebegin "Using fallback configuration (${i}) for ${IFACE}" + else + ebegin "Using fallback configuration for ${IFACE}" + fi + ifconfig ${IFACE} ${ifconfig_fallback_IFACE} >${devnull} && \ + ifconfig ${IFACE} up &>${devnull} + eend $? || return $? + else + return $retval + fi + fi + fi + + if [[ ${#ifconfig_IFACE[@]} -gt 1 ]]; then + einfo " Adding aliases" + for ((i = 1; i < ${#ifconfig_IFACE[@]}; i = i + 1)); do + ebegin " ${IFACE}:${i} (${ifconfig_IFACE[i]%% *})" + ifconfig ${IFACE}:${i} ${ifconfig_IFACE[i]} + eend $? + done + fi + + if [[ -n ${inet6_IFACE} ]]; then + einfo " Adding inet6 addresses" + for ((i = 0; i < ${#inet6_IFACE[@]}; i = i + 1)); do + ebegin " ${IFACE} inet6 add ${inet6_IFACE[i]}" + ifconfig ${IFACE} inet6 add ${inet6_IFACE[i]} >${devnull} + eend $? + done + fi + + # Set static routes + if [[ -n ${routes_IFACE} ]]; then + einfo " Adding routes" + for ((i = 0; i < ${#routes_IFACE[@]}; i = i + 1)); do + ebegin " ${routes_IFACE[i]}" + /sbin/route add ${routes_IFACE[i]} + eend $? + done + fi + + # Set default route if applicable to this interface + if [[ ${gateway} == ${IFACE}/* ]]; then + local ogw=$(/bin/netstat -rn | awk '$1 == "0.0.0.0" {print $2}') + local gw=${gateway#*/} + if [[ ${ogw} != ${gw} ]]; then + ebegin " Setting default gateway ($gw)" + + # First delete any existing route if it was setup by kernel... + /sbin/route del default dev ${IFACE} &>${devnull} + + # Second delete old gateway if it was set... + /sbin/route del default gw ${ogw} &>${devnull} + + # Third add our new default gateway + /sbin/route add default gw ${gw} >${devnull} + eend $? || { + true # need to have some command in here + # Note: This originally called stop, which is obviously + # wrong since it's calling with a local version of IFACE. + # The below code works correctly to abort configuration of + # the interface, but is commented because we're assuming + # that default route failure should not cause the interface + # to be unconfigured. + #local error=$? + #ewarn "Aborting configuration of ${IFACE}" + #iface_stop ${IFACE} + #return ${error} + } + fi + fi + + # Enabling rp_filter causes wacky packets to be auto-dropped by + # the kernel. Note that we only do this if it is not set via + # /etc/sysctl.conf ... + if [[ -e /proc/sys/net/ipv4/conf/${IFACE}/rp_filter && \ + -z "$(grep -s '^[^#]*rp_filter' /etc/sysctl.conf)" ]]; then + echo -n 1 > /proc/sys/net/ipv4/conf/${IFACE}/rp_filter + fi +} + +# iface_stop: bring down an interface. Don't trust information in +# /etc/conf.d/net since the configuration might have changed since +# iface_start ran. Instead query for current configuration and bring +# down the interface. +iface_stop() { + local IFACE=${1} i x aliases inet6 count + + # Try to do a simple down (no aliases, no inet6, no dhcp) + aliases="$(ifconfig | grep -o "^$IFACE:[0-9]*" | tac)" + inet6="$(ifconfig ${IFACE} | awk '$1 == "inet6" {print $2}')" + if [[ -z ${aliases} && -z ${inet6} && ! -e /var/run/dhcpcd-${IFACE}.pid ]]; then + ebegin "Bringing ${IFACE} down" + ifconfig ${IFACE} down &>/dev/null + eend 0 + return 0 + fi + + einfo "Bringing ${IFACE} down" + + # Stop aliases before primary interface. + # Note this must be done in reverse order, since ifconfig eth0:1 + # will remove eth0:2, etc. It might be sufficient to simply remove + # the base interface but we're being safe here. + for i in ${aliases} ${IFACE}; do + + # Delete all the inet6 addresses for this interface + inet6="$(ifconfig ${i} | awk '$1 == "inet6" {print $3}')" + if [[ -n ${inet6} ]]; then + einfo " Removing inet6 addresses" + for x in ${inet6}; do + ebegin " ${IFACE} inet6 del ${x}" + ifconfig ${i} inet6 del ${x} + eend $? + done + fi + + # Stop DHCP (should be N/A for aliases) + # Don't trust current configuration... investigate ourselves + if /sbin/dhcpcd -z ${i} &>${devnull}; then + ebegin " Releasing DHCP lease for ${IFACE}" + for ((count = 0; count < 9; count = count + 1)); do + /sbin/dhcpcd -z ${i} &>${devnull} || break + sleep 1 + done + [[ ${count} -lt 9 ]] + eend $? "Timed out" + fi + ebegin " Stopping ${i}" + ifconfig ${i} down &>${devnull} + eend 0 + done + + return 0 +} + +start() { + # These variables are set by setup_vars + local status_IFACE vlans_IFACE dhcpcd_IFACE + local -a ifconfig_IFACE routes_IFACE inet6_IFACE + + # Call user-defined preup function if it exists + if [[ $(type -t preup) == function ]]; then + einfo "Running preup function" + preup ${IFACE} || { + eerror "preup ${IFACE} failed" + return 1 + } + fi + + # Start the primary interface and aliases + setup_vars ${IFACE} + iface_start ${IFACE} || return 1 + + # Start vlans + local vlan + for vlan in ${vlans_IFACE}; do + /sbin/vconfig add ${IFACE} ${vlan} >${devnull} + setup_vars ${IFACE}.${vlan} + iface_start ${IFACE}.${vlan} + done + + # Call user-defined postup function if it exists + if [[ $(type -t postup) == function ]]; then + einfo "Running postup function" + postup ${IFACE} + fi +} + +stop() { + # Call user-defined predown function if it exists + if [[ $(type -t predown) == function ]]; then + einfo "Running predown function" + predown ${IFACE} + fi + + # Don't depend on setup_vars since configuration might have changed. + # Investigate current configuration instead. + local vlan + for vlan in $(ifconfig | grep -o "^${IFACE}\.[^ ]*"); do + iface_stop ${vlan} + /sbin/vconfig rem ${vlan} >${devnull} + done + + iface_stop ${IFACE} || return 1 # always succeeds, btw + + # Call user-defined postdown function if it exists + if [[ $(type -t postdown) == function ]]; then + einfo "Running postdown function" + postdown ${IFACE} + fi +} + +# vim:ts=4 diff --git a/testing/hosts/moon/etc/ipsec.conf b/testing/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..a0e97e057 --- /dev/null +++ b/testing/hosts/moon/etc/ipsec.conf @@ -0,0 +1,36 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=192.168.0.1 + leftnexthop=%direct + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftfirewall=yes + +conn net-net + leftsubnet=10.1.0.0/16 + right=192.168.0.2 + rightsubnet=10.2.0.0/16 + rightid=@sun.strongswan.org + auto=add + +conn host-host + right=192.168.0.2 + rightid=@sun.strongswan.org + auto=add + +conn rw + leftsubnet=10.1.0.0/16 + right=%any + auto=add diff --git a/testing/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem new file mode 100644 index 000000000..0de3b268d --- /dev/null +++ b/testing/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDtTCCAp2gAwIBAgIBADANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA0MDkxMDExMDE0NVoXDTE0MDkwODExMDE0NVowRTELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9u +Z1N3YW4gUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL/y +X2LqPVZuWLPIeknK86xhz6ljd3NNhC2z+P1uoCP3sBMuZiZQEjFzhnKcbXxCeo2f +FnvhOOjrrisSuVkzuu82oxXD3fIkzuS7m9V4E10EZzgmKWIf+WuNRfbgAuUINmLc +4YGAXBQLPyzpP4Ou48hhz/YQo58Bics6PHy5v34qCVROIXDvqhj91P8g+pS+F21/ +7P+CH2jRcVIEHZtG8M/PweTPQ95dPzpYd2Ov6SZ/U7EWmbMmT8VcUYn1aChxFmy5 +gweVBWlkH6MP+1DeE0/tL5c87xo5KCeGK8Tdqpe7sBRC4pPEEHDQciTUvkeuJ1Pr +K+1LwdqRxo7HgMRiDw8CAwEAAaOBrzCBrDAPBgNVHRMBAf8EBTADAQH/MAsGA1Ud +DwQEAwIBBjAdBgNVHQ4EFgQUXafdcAZRMn7ntm2zteXgYOouTe8wbQYDVR0jBGYw +ZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYD +VQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3Qg +Q0GCAQAwDQYJKoZIhvcNAQEEBQADggEBAJrXTj5gWS37myHHhii9drYwkMFyDHS/ +lHU8rW/drcnHdus507+qUhNr9SiEAHg4Ywj895UDvT0a1sFaw44QyEa/94iKA8/n ++g5kS1IrKvWu3wu8UI3EgzChgHV3cncQlQWbK+FI9Y3Ax1O1np1r+wLptoWpKKKE +UxsYcxP9K4Nbyeon0AIHOajUheiL3t6aRc3m0o7VU7Do6S2r+He+1Zq/nRUfFeTy +0Atebkn8tmUpPSKWaXkmwpVNrjZ1Qu9umAU+dtJyhzL2zmnyhPC4VqpsKCOp7imy +gKZvUIKPm1zyf4T+yjwxwkiX2xVseoM3aKswb1EoZFelHwndU7u0GQ8= +-----END CERTIFICATE----- diff --git a/testing/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/hosts/moon/etc/ipsec.d/certs/moonCert.pem new file mode 100644 index 000000000..d8fbfa1c9 --- /dev/null +++ b/testing/hosts/moon/etc/ipsec.d/certs/moonCert.pem @@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIIEDTCCAvWgAwIBAgIBAzANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA0MDkxMDExMTcyNVoXDTA5MDkwOTExMTcyNVowRjELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHDAaBgNVBAMTE21vb24u +c3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCv +ri4QmsCnG0N7bxqeUZTQhcmZ/iyN4RsmHwFsiOc06xpnZ7Fbx9gzi/OswU6KGL+F +f9PfvOY36bDTZU8V2QaL30RQUXz3JlG+jUyP9zjqlhsvVYS/cImvqgo3uUkQ0YCD +v2SafTlaQfBOaPFElNEP/H2YSiyB6X80IcHsOMYpskVqPY8785FehjF+pxuyRCK+ +9HXmd+iWdnC09u4qgKRa3L0IamU3q1/BK/afkHK2IAIN4YgM7GzepHVD0f7Exf9U +esJEeh4hDZwSjcMzdybrY9XBxzGqLGPOF128jr+5weUZiBW+RzeBw/gsK1nSPeuX +Od2lPJjTGj+6V3YK6qibAgMBAAGjggEFMIIBATAJBgNVHRMEAjAAMAsGA1UdDwQE +AwIDqDAdBgNVHQ4EFgQU5eQQh2wqxL6thUlCpt52WDA6n8EwbQYDVR0jBGYwZIAU +XafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYDVQQK +ExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3QgQ0GC +AQAwHgYDVR0RBBcwFYITbW9vbi5zdHJvbmdzd2FuLm9yZzA5BgNVHR8EMjAwMC6g +LKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW4uY3JsMA0G +CSqGSIb3DQEBBAUAA4IBAQAvLykhZnqldrsMcbYB36WzWKk+hOihr5dU3fv8Z4ec +tsa3gzxXSefDCxGoezVJ4QXdpdNxxFn31A+r1gxKyGI5JL6EyWz6Y462zp9lE7nW +EIC4ldJwxAXqzDEMcJphO29hApyU9TWsWDa4kL5AKtLFLwH3/Uv/jAzAy+qXIO8h +wLtB+wcmhSo8OFY9kX/cyhht7eb7yD/r2e3wVBOCRk7jePe4yWhN8NJAKwfrEd1K +iGq15ymdmeomhplHRsLZwA2VsCspUNZ/eXjG21s3nEoxcCOcQUz3Q7q4ZgBTZoCW +kAc6FQ5zxoZrmzNWFqzb06jmUVlt7baGtdjT7rEt+dcp +-----END CERTIFICATE----- diff --git a/testing/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/hosts/moon/etc/ipsec.d/private/moonKey.pem new file mode 100644 index 000000000..89197a447 --- /dev/null +++ b/testing/hosts/moon/etc/ipsec.d/private/moonKey.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEAr64uEJrApxtDe28anlGU0IXJmf4sjeEbJh8BbIjnNOsaZ2ex +W8fYM4vzrMFOihi/hX/T37zmN+mw02VPFdkGi99EUFF89yZRvo1Mj/c46pYbL1WE +v3CJr6oKN7lJENGAg79kmn05WkHwTmjxRJTRD/x9mEosgel/NCHB7DjGKbJFaj2P +O/ORXoYxfqcbskQivvR15nfolnZwtPbuKoCkWty9CGplN6tfwSv2n5BytiACDeGI +DOxs3qR1Q9H+xMX/VHrCRHoeIQ2cEo3DM3cm62PVwccxqixjzhddvI6/ucHlGYgV +vkc3gcP4LCtZ0j3rlzndpTyY0xo/uld2CuqomwIDAQABAoIBAECAVQ1npCA2lFo3 +erByB49f75sIhVc6NPuUGrO8uBbn0vPwUGAASdLzKW5eMvXlDDx5qFLXSjdxJ6kV +4ymEWzDzsmNC5/zeJtkti9S30j/fCPAiF/Ep4oOKjOHUt4zjPqoglVFbdLk8yHwh +b6Pcd73E2GAXq6uvDTMYydhvJ+KaozAfbXmQ9vf3HbneI6xmgAug209Cu+gpMspW +4IunMMY/668neRmM7jh+4JNLMqJhCrmQpLkIlRux2yNFzxkF8RrqptGzaLf4KxNF +rRRUThHUfWmB/EvggzJgUMuVA2Pa0bKNvBbbQuwPqXMxLHMGBjvJ8wimsLzJZeXL +fgsyPKECgYEA5x//2cmlKL3LbprRpfSzVOPqM3OSeEqseQtPun9Gs7WNVZZVc/ZJ +O2hjdc9qDGjak3lDSwVbYl8B1kqfGTTLB1sl2171aDJQOWdNV3WQtexUKEhC4Ewn +yXEDoVGAXJtiCj34QYHjoMEHUqfabKyWKUcaK8hbMsOhYPOorfLXg9MCgYEAwpaP +W68NJGu5Zxsdz62rOiPNb58cuoxLDZsJ1sMKJO7BdPIqTZ0oGNdgt5phyc3ROBSH +cjqZdzpim1gXGm4ocGvwg3APNQN6DLBknJNZmHzPd7RLSz2UxhTHRTfHAltQPcmW +cJVBHsrsS0QnvDndXfzLuLq12S6UZasR5eBdcxkCgYEAizBuOI6DdGG4nceG8lbH +mRwY8xtq3h66d7skLMBxp9ByaVS76bYsrCZVn6Fl0EtlNuMUb52uRzPIO3F9FwUA +MFHoHpC1YibKwYdAwKcAm07T7950x/eVDm+NLB2VHDBHfruLQogiubEF4/VKSaA2 +Xm1/iVaD9bJzAZw7vWY9/BkCgYB/Xe9uErGmgkB0BaLIuiNWxfKFOn+id4v01uNk +yHtOW10TgCNCdDi3sdpjs1CIuAhXDdDuav7itLuwdMOCkFI16+EdF29Mwv7TaW4h +sq01i5R9BO03zZIg6Z7ZZr4Dg+OM3fNzs65RSn/KcE0V/kYwa/So8MVw5/VIauYn +MmnYmQKBgDEFWQPyPH242olRqtE0yDp8qVHEjJp7mU822YFbyCyAUnttqOS+/5/u +Z7H95QZHGaQESL1tcNnaiRASJAKDWjKOdM/TTotWjCn65v+DHvgk/IJeYJVHoGBS +pBE+wJ8AZJu3t9GVp3PxFxHIjxUrEKG0rli7bYv8F245+Wx8DeXI +-----END RSA PRIVATE KEY----- diff --git a/testing/hosts/moon/etc/ipsec.secrets b/testing/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..c90b4c4a3 --- /dev/null +++ b/testing/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,7 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA moonKey.pem + + + + diff --git a/testing/hosts/moon/etc/runlevels/default/net.eth0 b/testing/hosts/moon/etc/runlevels/default/net.eth0 new file mode 100755 index 000000000..fa1200242 --- /dev/null +++ b/testing/hosts/moon/etc/runlevels/default/net.eth0 @@ -0,0 +1,314 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Technologies, Inc. +# Distributed under the terms of the GNU General Public License v2 + +#NB: Config is in /etc/conf.d/net + +if [[ -n $NET_DEBUG ]]; then + set -x + devnull=/dev/stderr +else + devnull=/dev/null +fi + +# For pcmcia users. note that pcmcia must be added to the same +# runlevel as the net.* script that needs it. +depend() { + use hotplug pcmcia +} + +checkconfig() { + if [[ -z "${ifconfig_IFACE}" ]]; then + eerror "Please make sure that /etc/conf.d/net has \$ifconfig_$IFACE set" + eerror "(or \$iface_$IFACE for old-style configuration)" + return 1 + fi + if [[ -n "${vlans_IFACE}" && ! -x /sbin/vconfig ]]; then + eerror "For VLAN (802.1q) support, emerge net-misc/vconfig" + return 1 + fi +} + +# Fix bug 50039 (init.d/net.eth0 localization) +# Some other commands in this script might need to be wrapped, but +# we'll get them one-by-one. Note that LC_ALL trumps LC_anything_else +# according to locale(7) +ifconfig() { + LC_ALL=C /sbin/ifconfig "$@" +} + +# setup_vars: setup variables based on $1 and content of /etc/conf.d/net +# The following variables are set, which should be declared local by +# the calling routine. +# status_IFACE (up or '') +# vlans_IFACE (space-separated list) +# ifconfig_IFACE (array of ifconfig lines, replaces iface_IFACE) +# dhcpcd_IFACE (command-line args for dhcpcd) +# routes_IFACE (array of route lines) +# inet6_IFACE (array of inet6 lines) +# ifconfig_fallback_IFACE (fallback ifconfig if dhcp fails) +setup_vars() { + local i iface="${1//\./_}" + + status_IFACE="$(ifconfig ${1} 2>${devnull} | gawk '$1 == "UP" {print "up"}')" + eval vlans_IFACE=\"\$\{iface_${iface}_vlans\}\" + eval ifconfig_IFACE=( \"\$\{ifconfig_$iface\[@\]\}\" ) + eval dhcpcd_IFACE=\"\$\{dhcpcd_$iface\}\" + eval routes_IFACE=( \"\$\{routes_$iface\[@\]\}\" ) + eval inet6_IFACE=( \"\$\{inet6_$iface\[@\]\}\" ) + eval ifconfig_fallback_IFACE=( \"\$\{ifconfig_fallback_$iface\[@\]\}\" ) + + # BACKWARD COMPATIBILITY: populate the ifconfig_IFACE array + # if iface_IFACE is set (fex. iface_eth0 instead of ifconfig_eth0) + eval local iface_IFACE=\"\$\{iface_$iface\}\" + if [[ -n ${iface_IFACE} && -z ${ifconfig_IFACE} ]]; then + # Make sure these get evaluated as arrays + local -a aliases broadcasts netmasks + + # Start with the primary interface + ifconfig_IFACE=( "${iface_IFACE}" ) + + # ..then add aliases + eval aliases=( \$\{alias_$iface\} ) + eval broadcasts=( \$\{broadcast_$iface\} ) + eval netmasks=( \$\{netmask_$iface\} ) + for ((i = 0; i < ${#aliases[@]}; i = i + 1)); do + ifconfig_IFACE[i+1]="${aliases[i]} ${broadcasts[i]:+broadcast ${broadcasts[i]}} ${netmasks[i]:+netmask ${netmasks[i]}}" + done + fi + + # BACKWARD COMPATIBILITY: check for space-separated inet6 addresses + if [[ ${#inet6_IFACE[@]} == 1 && ${inet6_IFACE} == *' '* ]]; then + inet6_IFACE=( ${inet6_IFACE} ) + fi +} + +iface_start() { + local IFACE=${1} i x retval + checkconfig || return 1 + + if [[ ${ifconfig_IFACE} != dhcp ]]; then + # Show the address, but catch if this interface will be inet6 only + i=${ifconfig_IFACE%% *} + if [[ ${i} == *.*.*.* ]]; then + ebegin "Bringing ${IFACE} up (${i})" + else + ebegin "Bringing ${IFACE} up" + fi + # ifconfig does not always return failure .. + ifconfig ${IFACE} ${ifconfig_IFACE} >${devnull} && \ + ifconfig ${IFACE} up &>${devnull} + eend $? || return $? + else + # Check that eth0 was not brought up by the kernel ... + if [[ ${status_IFACE} == up ]]; then + einfo "Keeping kernel configuration for ${IFACE}" + else + ebegin "Bringing ${IFACE} up via DHCP" + /sbin/dhcpcd ${dhcpcd_IFACE} ${IFACE} + retval=$? + eend $retval + if [[ $retval == 0 ]]; then + # DHCP succeeded, show address retrieved + i=$(ifconfig ${IFACE} | grep -m1 -o 'inet addr:[^ ]*' | + cut -d: -f2) + [[ -n ${i} ]] && einfo " ${IFACE} received address ${i}" + elif [[ -n "${ifconfig_fallback_IFACE}" ]]; then + # DHCP failed, try fallback. + # Show the address, but catch if this interface will be inet6 only + i=${ifconfig_fallback_IFACE%% *} + if [[ ${i} == *.*.*.* ]]; then + ebegin "Using fallback configuration (${i}) for ${IFACE}" + else + ebegin "Using fallback configuration for ${IFACE}" + fi + ifconfig ${IFACE} ${ifconfig_fallback_IFACE} >${devnull} && \ + ifconfig ${IFACE} up &>${devnull} + eend $? || return $? + else + return $retval + fi + fi + fi + + if [[ ${#ifconfig_IFACE[@]} -gt 1 ]]; then + einfo " Adding aliases" + for ((i = 1; i < ${#ifconfig_IFACE[@]}; i = i + 1)); do + ebegin " ${IFACE}:${i} (${ifconfig_IFACE[i]%% *})" + ifconfig ${IFACE}:${i} ${ifconfig_IFACE[i]} + eend $? + done + fi + + if [[ -n ${inet6_IFACE} ]]; then + einfo " Adding inet6 addresses" + for ((i = 0; i < ${#inet6_IFACE[@]}; i = i + 1)); do + ebegin " ${IFACE} inet6 add ${inet6_IFACE[i]}" + ifconfig ${IFACE} inet6 add ${inet6_IFACE[i]} >${devnull} + eend $? + done + fi + + # Set static routes + if [[ -n ${routes_IFACE} ]]; then + einfo " Adding routes" + for ((i = 0; i < ${#routes_IFACE[@]}; i = i + 1)); do + ebegin " ${routes_IFACE[i]}" + /sbin/route add ${routes_IFACE[i]} + eend $? + done + fi + + # Set default route if applicable to this interface + if [[ ${gateway} == ${IFACE}/* ]]; then + local ogw=$(/bin/netstat -rn | awk '$1 == "0.0.0.0" {print $2}') + local gw=${gateway#*/} + if [[ ${ogw} != ${gw} ]]; then + ebegin " Setting default gateway ($gw)" + + # First delete any existing route if it was setup by kernel... + /sbin/route del default dev ${IFACE} &>${devnull} + + # Second delete old gateway if it was set... + /sbin/route del default gw ${ogw} &>${devnull} + + # Third add our new default gateway + /sbin/route add default gw ${gw} >${devnull} + eend $? || { + true # need to have some command in here + # Note: This originally called stop, which is obviously + # wrong since it's calling with a local version of IFACE. + # The below code works correctly to abort configuration of + # the interface, but is commented because we're assuming + # that default route failure should not cause the interface + # to be unconfigured. + #local error=$? + #ewarn "Aborting configuration of ${IFACE}" + #iface_stop ${IFACE} + #return ${error} + } + fi + fi + + # Enabling rp_filter causes wacky packets to be auto-dropped by + # the kernel. Note that we only do this if it is not set via + # /etc/sysctl.conf ... + if [[ -e /proc/sys/net/ipv4/conf/${IFACE}/rp_filter && \ + -z "$(grep -s '^[^#]*rp_filter' /etc/sysctl.conf)" ]]; then + echo -n 1 > /proc/sys/net/ipv4/conf/${IFACE}/rp_filter + fi +} + +# iface_stop: bring down an interface. Don't trust information in +# /etc/conf.d/net since the configuration might have changed since +# iface_start ran. Instead query for current configuration and bring +# down the interface. +iface_stop() { + local IFACE=${1} i x aliases inet6 count + + # Try to do a simple down (no aliases, no inet6, no dhcp) + aliases="$(ifconfig | grep -o "^$IFACE:[0-9]*" | tac)" + inet6="$(ifconfig ${IFACE} | awk '$1 == "inet6" {print $2}')" + if [[ -z ${aliases} && -z ${inet6} && ! -e /var/run/dhcpcd-${IFACE}.pid ]]; then + ebegin "Bringing ${IFACE} down" + ifconfig ${IFACE} down &>/dev/null + eend 0 + return 0 + fi + + einfo "Bringing ${IFACE} down" + + # Stop aliases before primary interface. + # Note this must be done in reverse order, since ifconfig eth0:1 + # will remove eth0:2, etc. It might be sufficient to simply remove + # the base interface but we're being safe here. + for i in ${aliases} ${IFACE}; do + + # Delete all the inet6 addresses for this interface + inet6="$(ifconfig ${i} | awk '$1 == "inet6" {print $3}')" + if [[ -n ${inet6} ]]; then + einfo " Removing inet6 addresses" + for x in ${inet6}; do + ebegin " ${IFACE} inet6 del ${x}" + ifconfig ${i} inet6 del ${x} + eend $? + done + fi + + # Stop DHCP (should be N/A for aliases) + # Don't trust current configuration... investigate ourselves + if /sbin/dhcpcd -z ${i} &>${devnull}; then + ebegin " Releasing DHCP lease for ${IFACE}" + for ((count = 0; count < 9; count = count + 1)); do + /sbin/dhcpcd -z ${i} &>${devnull} || break + sleep 1 + done + [[ ${count} -lt 9 ]] + eend $? "Timed out" + fi + ebegin " Stopping ${i}" + ifconfig ${i} down &>${devnull} + eend 0 + done + + return 0 +} + +start() { + # These variables are set by setup_vars + local status_IFACE vlans_IFACE dhcpcd_IFACE + local -a ifconfig_IFACE routes_IFACE inet6_IFACE + + # Call user-defined preup function if it exists + if [[ $(type -t preup) == function ]]; then + einfo "Running preup function" + preup ${IFACE} || { + eerror "preup ${IFACE} failed" + return 1 + } + fi + + # Start the primary interface and aliases + setup_vars ${IFACE} + iface_start ${IFACE} || return 1 + + # Start vlans + local vlan + for vlan in ${vlans_IFACE}; do + /sbin/vconfig add ${IFACE} ${vlan} >${devnull} + setup_vars ${IFACE}.${vlan} + iface_start ${IFACE}.${vlan} + done + + # Call user-defined postup function if it exists + if [[ $(type -t postup) == function ]]; then + einfo "Running postup function" + postup ${IFACE} + fi +} + +stop() { + # Call user-defined predown function if it exists + if [[ $(type -t predown) == function ]]; then + einfo "Running predown function" + predown ${IFACE} + fi + + # Don't depend on setup_vars since configuration might have changed. + # Investigate current configuration instead. + local vlan + for vlan in $(ifconfig | grep -o "^${IFACE}\.[^ ]*"); do + iface_stop ${vlan} + /sbin/vconfig rem ${vlan} >${devnull} + done + + iface_stop ${IFACE} || return 1 # always succeeds, btw + + # Call user-defined postdown function if it exists + if [[ $(type -t postdown) == function ]]; then + einfo "Running postdown function" + postdown ${IFACE} + fi +} + +# vim:ts=4 diff --git a/testing/hosts/moon/etc/runlevels/default/net.eth1 b/testing/hosts/moon/etc/runlevels/default/net.eth1 new file mode 100755 index 000000000..fa1200242 --- /dev/null +++ b/testing/hosts/moon/etc/runlevels/default/net.eth1 @@ -0,0 +1,314 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Technologies, Inc. +# Distributed under the terms of the GNU General Public License v2 + +#NB: Config is in /etc/conf.d/net + +if [[ -n $NET_DEBUG ]]; then + set -x + devnull=/dev/stderr +else + devnull=/dev/null +fi + +# For pcmcia users. note that pcmcia must be added to the same +# runlevel as the net.* script that needs it. +depend() { + use hotplug pcmcia +} + +checkconfig() { + if [[ -z "${ifconfig_IFACE}" ]]; then + eerror "Please make sure that /etc/conf.d/net has \$ifconfig_$IFACE set" + eerror "(or \$iface_$IFACE for old-style configuration)" + return 1 + fi + if [[ -n "${vlans_IFACE}" && ! -x /sbin/vconfig ]]; then + eerror "For VLAN (802.1q) support, emerge net-misc/vconfig" + return 1 + fi +} + +# Fix bug 50039 (init.d/net.eth0 localization) +# Some other commands in this script might need to be wrapped, but +# we'll get them one-by-one. Note that LC_ALL trumps LC_anything_else +# according to locale(7) +ifconfig() { + LC_ALL=C /sbin/ifconfig "$@" +} + +# setup_vars: setup variables based on $1 and content of /etc/conf.d/net +# The following variables are set, which should be declared local by +# the calling routine. +# status_IFACE (up or '') +# vlans_IFACE (space-separated list) +# ifconfig_IFACE (array of ifconfig lines, replaces iface_IFACE) +# dhcpcd_IFACE (command-line args for dhcpcd) +# routes_IFACE (array of route lines) +# inet6_IFACE (array of inet6 lines) +# ifconfig_fallback_IFACE (fallback ifconfig if dhcp fails) +setup_vars() { + local i iface="${1//\./_}" + + status_IFACE="$(ifconfig ${1} 2>${devnull} | gawk '$1 == "UP" {print "up"}')" + eval vlans_IFACE=\"\$\{iface_${iface}_vlans\}\" + eval ifconfig_IFACE=( \"\$\{ifconfig_$iface\[@\]\}\" ) + eval dhcpcd_IFACE=\"\$\{dhcpcd_$iface\}\" + eval routes_IFACE=( \"\$\{routes_$iface\[@\]\}\" ) + eval inet6_IFACE=( \"\$\{inet6_$iface\[@\]\}\" ) + eval ifconfig_fallback_IFACE=( \"\$\{ifconfig_fallback_$iface\[@\]\}\" ) + + # BACKWARD COMPATIBILITY: populate the ifconfig_IFACE array + # if iface_IFACE is set (fex. iface_eth0 instead of ifconfig_eth0) + eval local iface_IFACE=\"\$\{iface_$iface\}\" + if [[ -n ${iface_IFACE} && -z ${ifconfig_IFACE} ]]; then + # Make sure these get evaluated as arrays + local -a aliases broadcasts netmasks + + # Start with the primary interface + ifconfig_IFACE=( "${iface_IFACE}" ) + + # ..then add aliases + eval aliases=( \$\{alias_$iface\} ) + eval broadcasts=( \$\{broadcast_$iface\} ) + eval netmasks=( \$\{netmask_$iface\} ) + for ((i = 0; i < ${#aliases[@]}; i = i + 1)); do + ifconfig_IFACE[i+1]="${aliases[i]} ${broadcasts[i]:+broadcast ${broadcasts[i]}} ${netmasks[i]:+netmask ${netmasks[i]}}" + done + fi + + # BACKWARD COMPATIBILITY: check for space-separated inet6 addresses + if [[ ${#inet6_IFACE[@]} == 1 && ${inet6_IFACE} == *' '* ]]; then + inet6_IFACE=( ${inet6_IFACE} ) + fi +} + +iface_start() { + local IFACE=${1} i x retval + checkconfig || return 1 + + if [[ ${ifconfig_IFACE} != dhcp ]]; then + # Show the address, but catch if this interface will be inet6 only + i=${ifconfig_IFACE%% *} + if [[ ${i} == *.*.*.* ]]; then + ebegin "Bringing ${IFACE} up (${i})" + else + ebegin "Bringing ${IFACE} up" + fi + # ifconfig does not always return failure .. + ifconfig ${IFACE} ${ifconfig_IFACE} >${devnull} && \ + ifconfig ${IFACE} up &>${devnull} + eend $? || return $? + else + # Check that eth0 was not brought up by the kernel ... + if [[ ${status_IFACE} == up ]]; then + einfo "Keeping kernel configuration for ${IFACE}" + else + ebegin "Bringing ${IFACE} up via DHCP" + /sbin/dhcpcd ${dhcpcd_IFACE} ${IFACE} + retval=$? + eend $retval + if [[ $retval == 0 ]]; then + # DHCP succeeded, show address retrieved + i=$(ifconfig ${IFACE} | grep -m1 -o 'inet addr:[^ ]*' | + cut -d: -f2) + [[ -n ${i} ]] && einfo " ${IFACE} received address ${i}" + elif [[ -n "${ifconfig_fallback_IFACE}" ]]; then + # DHCP failed, try fallback. + # Show the address, but catch if this interface will be inet6 only + i=${ifconfig_fallback_IFACE%% *} + if [[ ${i} == *.*.*.* ]]; then + ebegin "Using fallback configuration (${i}) for ${IFACE}" + else + ebegin "Using fallback configuration for ${IFACE}" + fi + ifconfig ${IFACE} ${ifconfig_fallback_IFACE} >${devnull} && \ + ifconfig ${IFACE} up &>${devnull} + eend $? || return $? + else + return $retval + fi + fi + fi + + if [[ ${#ifconfig_IFACE[@]} -gt 1 ]]; then + einfo " Adding aliases" + for ((i = 1; i < ${#ifconfig_IFACE[@]}; i = i + 1)); do + ebegin " ${IFACE}:${i} (${ifconfig_IFACE[i]%% *})" + ifconfig ${IFACE}:${i} ${ifconfig_IFACE[i]} + eend $? + done + fi + + if [[ -n ${inet6_IFACE} ]]; then + einfo " Adding inet6 addresses" + for ((i = 0; i < ${#inet6_IFACE[@]}; i = i + 1)); do + ebegin " ${IFACE} inet6 add ${inet6_IFACE[i]}" + ifconfig ${IFACE} inet6 add ${inet6_IFACE[i]} >${devnull} + eend $? + done + fi + + # Set static routes + if [[ -n ${routes_IFACE} ]]; then + einfo " Adding routes" + for ((i = 0; i < ${#routes_IFACE[@]}; i = i + 1)); do + ebegin " ${routes_IFACE[i]}" + /sbin/route add ${routes_IFACE[i]} + eend $? + done + fi + + # Set default route if applicable to this interface + if [[ ${gateway} == ${IFACE}/* ]]; then + local ogw=$(/bin/netstat -rn | awk '$1 == "0.0.0.0" {print $2}') + local gw=${gateway#*/} + if [[ ${ogw} != ${gw} ]]; then + ebegin " Setting default gateway ($gw)" + + # First delete any existing route if it was setup by kernel... + /sbin/route del default dev ${IFACE} &>${devnull} + + # Second delete old gateway if it was set... + /sbin/route del default gw ${ogw} &>${devnull} + + # Third add our new default gateway + /sbin/route add default gw ${gw} >${devnull} + eend $? || { + true # need to have some command in here + # Note: This originally called stop, which is obviously + # wrong since it's calling with a local version of IFACE. + # The below code works correctly to abort configuration of + # the interface, but is commented because we're assuming + # that default route failure should not cause the interface + # to be unconfigured. + #local error=$? + #ewarn "Aborting configuration of ${IFACE}" + #iface_stop ${IFACE} + #return ${error} + } + fi + fi + + # Enabling rp_filter causes wacky packets to be auto-dropped by + # the kernel. Note that we only do this if it is not set via + # /etc/sysctl.conf ... + if [[ -e /proc/sys/net/ipv4/conf/${IFACE}/rp_filter && \ + -z "$(grep -s '^[^#]*rp_filter' /etc/sysctl.conf)" ]]; then + echo -n 1 > /proc/sys/net/ipv4/conf/${IFACE}/rp_filter + fi +} + +# iface_stop: bring down an interface. Don't trust information in +# /etc/conf.d/net since the configuration might have changed since +# iface_start ran. Instead query for current configuration and bring +# down the interface. +iface_stop() { + local IFACE=${1} i x aliases inet6 count + + # Try to do a simple down (no aliases, no inet6, no dhcp) + aliases="$(ifconfig | grep -o "^$IFACE:[0-9]*" | tac)" + inet6="$(ifconfig ${IFACE} | awk '$1 == "inet6" {print $2}')" + if [[ -z ${aliases} && -z ${inet6} && ! -e /var/run/dhcpcd-${IFACE}.pid ]]; then + ebegin "Bringing ${IFACE} down" + ifconfig ${IFACE} down &>/dev/null + eend 0 + return 0 + fi + + einfo "Bringing ${IFACE} down" + + # Stop aliases before primary interface. + # Note this must be done in reverse order, since ifconfig eth0:1 + # will remove eth0:2, etc. It might be sufficient to simply remove + # the base interface but we're being safe here. + for i in ${aliases} ${IFACE}; do + + # Delete all the inet6 addresses for this interface + inet6="$(ifconfig ${i} | awk '$1 == "inet6" {print $3}')" + if [[ -n ${inet6} ]]; then + einfo " Removing inet6 addresses" + for x in ${inet6}; do + ebegin " ${IFACE} inet6 del ${x}" + ifconfig ${i} inet6 del ${x} + eend $? + done + fi + + # Stop DHCP (should be N/A for aliases) + # Don't trust current configuration... investigate ourselves + if /sbin/dhcpcd -z ${i} &>${devnull}; then + ebegin " Releasing DHCP lease for ${IFACE}" + for ((count = 0; count < 9; count = count + 1)); do + /sbin/dhcpcd -z ${i} &>${devnull} || break + sleep 1 + done + [[ ${count} -lt 9 ]] + eend $? "Timed out" + fi + ebegin " Stopping ${i}" + ifconfig ${i} down &>${devnull} + eend 0 + done + + return 0 +} + +start() { + # These variables are set by setup_vars + local status_IFACE vlans_IFACE dhcpcd_IFACE + local -a ifconfig_IFACE routes_IFACE inet6_IFACE + + # Call user-defined preup function if it exists + if [[ $(type -t preup) == function ]]; then + einfo "Running preup function" + preup ${IFACE} || { + eerror "preup ${IFACE} failed" + return 1 + } + fi + + # Start the primary interface and aliases + setup_vars ${IFACE} + iface_start ${IFACE} || return 1 + + # Start vlans + local vlan + for vlan in ${vlans_IFACE}; do + /sbin/vconfig add ${IFACE} ${vlan} >${devnull} + setup_vars ${IFACE}.${vlan} + iface_start ${IFACE}.${vlan} + done + + # Call user-defined postup function if it exists + if [[ $(type -t postup) == function ]]; then + einfo "Running postup function" + postup ${IFACE} + fi +} + +stop() { + # Call user-defined predown function if it exists + if [[ $(type -t predown) == function ]]; then + einfo "Running predown function" + predown ${IFACE} + fi + + # Don't depend on setup_vars since configuration might have changed. + # Investigate current configuration instead. + local vlan + for vlan in $(ifconfig | grep -o "^${IFACE}\.[^ ]*"); do + iface_stop ${vlan} + /sbin/vconfig rem ${vlan} >${devnull} + done + + iface_stop ${IFACE} || return 1 # always succeeds, btw + + # Call user-defined postdown function if it exists + if [[ $(type -t postdown) == function ]]; then + einfo "Running postdown function" + postdown ${IFACE} + fi +} + +# vim:ts=4 diff --git a/testing/hosts/ssh_host_rsa_key.pub b/testing/hosts/ssh_host_rsa_key.pub new file mode 100644 index 000000000..a5f71de4e --- /dev/null +++ b/testing/hosts/ssh_host_rsa_key.pub @@ -0,0 +1 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAsxKfTm05po6leGD8C+M0eAR5EE4s1pQXc0D/dVlqrmfZ65h5BFQY9lnwpCvapV6OVqKWx8ICmeIH3OhaPxPPNKlU81f3d0xgh8BRJpWh459DYkRVa5f7ax5eeFE1lelj9s1d0seUl/IZolpJ8Wmt9TN1hwJ0mrkwN4670rb3urc= diff --git a/testing/hosts/sun/etc/conf.d/hostname b/testing/hosts/sun/etc/conf.d/hostname new file mode 100644 index 000000000..bc042b68b --- /dev/null +++ b/testing/hosts/sun/etc/conf.d/hostname @@ -0,0 +1 @@ +HOSTNAME=sun diff --git a/testing/hosts/sun/etc/conf.d/net b/testing/hosts/sun/etc/conf.d/net new file mode 100644 index 000000000..0f8dc57b1 --- /dev/null +++ b/testing/hosts/sun/etc/conf.d/net @@ -0,0 +1,13 @@ +# /etc/conf.d/net: + +# This is basically the ifconfig argument without the ifconfig $iface +# +iface_lo="127.0.0.1 netmask 255.0.0.0" +iface_eth0="PH_IP_SUN broadcast 192.168.0.255 netmask 255.255.255.0" +iface_eth1="PH_IP1_SUN broadcast 10.2.255.255 netmask 255.255.0.0" + +# For setting the default gateway +# +gateway="eth0/192.168.0.254" + + diff --git a/testing/hosts/sun/etc/init.d/iptables b/testing/hosts/sun/etc/init.d/iptables new file mode 100755 index 000000000..aeaf472fb --- /dev/null +++ b/testing/hosts/sun/etc/init.d/iptables @@ -0,0 +1,80 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +opts="start stop reload" + +depend() { + before net + need logger +} + +start() { + ebegin "Starting firewall" + + # enable IP forwarding + echo 1 > /proc/sys/net/ipv4/ip_forward + + # default policy is DROP + /sbin/iptables -P INPUT DROP + /sbin/iptables -P OUTPUT DROP + /sbin/iptables -P FORWARD DROP + + # allow esp + iptables -A INPUT -i eth0 -p 50 -j ACCEPT + iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT + + # allow IKE + iptables -A INPUT -i eth0 -p udp --dport 500 -j ACCEPT + iptables -A OUTPUT -o eth0 -p udp --sport 500 -j ACCEPT + + # allow NAT-T + iptables -A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT + iptables -A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT + + # allow crl fetch from winnetou + iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT + iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + + # allow ssh + iptables -A INPUT -p tcp --dport 22 -j ACCEPT + iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT + + eend $? +} + +stop() { + ebegin "Stopping firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + + if [ $a == nat ]; then + /sbin/iptables -t nat -P PREROUTING ACCEPT + /sbin/iptables -t nat -P POSTROUTING ACCEPT + /sbin/iptables -t nat -P OUTPUT ACCEPT + elif [ $a == mangle ]; then + /sbin/iptables -t mangle -P PREROUTING ACCEPT + /sbin/iptables -t mangle -P INPUT ACCEPT + /sbin/iptables -t mangle -P FORWARD ACCEPT + /sbin/iptables -t mangle -P OUTPUT ACCEPT + /sbin/iptables -t mangle -P POSTROUTING ACCEPT + elif [ $a == filter ]; then + /sbin/iptables -t filter -P INPUT ACCEPT + /sbin/iptables -t filter -P FORWARD ACCEPT + /sbin/iptables -t filter -P OUTPUT ACCEPT + fi + done + eend $? +} + +reload() { + ebegin "Flushing firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + done; + eend $? + start +} + diff --git a/testing/hosts/sun/etc/init.d/net.eth0 b/testing/hosts/sun/etc/init.d/net.eth0 new file mode 100755 index 000000000..fa1200242 --- /dev/null +++ b/testing/hosts/sun/etc/init.d/net.eth0 @@ -0,0 +1,314 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Technologies, Inc. +# Distributed under the terms of the GNU General Public License v2 + +#NB: Config is in /etc/conf.d/net + +if [[ -n $NET_DEBUG ]]; then + set -x + devnull=/dev/stderr +else + devnull=/dev/null +fi + +# For pcmcia users. note that pcmcia must be added to the same +# runlevel as the net.* script that needs it. +depend() { + use hotplug pcmcia +} + +checkconfig() { + if [[ -z "${ifconfig_IFACE}" ]]; then + eerror "Please make sure that /etc/conf.d/net has \$ifconfig_$IFACE set" + eerror "(or \$iface_$IFACE for old-style configuration)" + return 1 + fi + if [[ -n "${vlans_IFACE}" && ! -x /sbin/vconfig ]]; then + eerror "For VLAN (802.1q) support, emerge net-misc/vconfig" + return 1 + fi +} + +# Fix bug 50039 (init.d/net.eth0 localization) +# Some other commands in this script might need to be wrapped, but +# we'll get them one-by-one. Note that LC_ALL trumps LC_anything_else +# according to locale(7) +ifconfig() { + LC_ALL=C /sbin/ifconfig "$@" +} + +# setup_vars: setup variables based on $1 and content of /etc/conf.d/net +# The following variables are set, which should be declared local by +# the calling routine. +# status_IFACE (up or '') +# vlans_IFACE (space-separated list) +# ifconfig_IFACE (array of ifconfig lines, replaces iface_IFACE) +# dhcpcd_IFACE (command-line args for dhcpcd) +# routes_IFACE (array of route lines) +# inet6_IFACE (array of inet6 lines) +# ifconfig_fallback_IFACE (fallback ifconfig if dhcp fails) +setup_vars() { + local i iface="${1//\./_}" + + status_IFACE="$(ifconfig ${1} 2>${devnull} | gawk '$1 == "UP" {print "up"}')" + eval vlans_IFACE=\"\$\{iface_${iface}_vlans\}\" + eval ifconfig_IFACE=( \"\$\{ifconfig_$iface\[@\]\}\" ) + eval dhcpcd_IFACE=\"\$\{dhcpcd_$iface\}\" + eval routes_IFACE=( \"\$\{routes_$iface\[@\]\}\" ) + eval inet6_IFACE=( \"\$\{inet6_$iface\[@\]\}\" ) + eval ifconfig_fallback_IFACE=( \"\$\{ifconfig_fallback_$iface\[@\]\}\" ) + + # BACKWARD COMPATIBILITY: populate the ifconfig_IFACE array + # if iface_IFACE is set (fex. iface_eth0 instead of ifconfig_eth0) + eval local iface_IFACE=\"\$\{iface_$iface\}\" + if [[ -n ${iface_IFACE} && -z ${ifconfig_IFACE} ]]; then + # Make sure these get evaluated as arrays + local -a aliases broadcasts netmasks + + # Start with the primary interface + ifconfig_IFACE=( "${iface_IFACE}" ) + + # ..then add aliases + eval aliases=( \$\{alias_$iface\} ) + eval broadcasts=( \$\{broadcast_$iface\} ) + eval netmasks=( \$\{netmask_$iface\} ) + for ((i = 0; i < ${#aliases[@]}; i = i + 1)); do + ifconfig_IFACE[i+1]="${aliases[i]} ${broadcasts[i]:+broadcast ${broadcasts[i]}} ${netmasks[i]:+netmask ${netmasks[i]}}" + done + fi + + # BACKWARD COMPATIBILITY: check for space-separated inet6 addresses + if [[ ${#inet6_IFACE[@]} == 1 && ${inet6_IFACE} == *' '* ]]; then + inet6_IFACE=( ${inet6_IFACE} ) + fi +} + +iface_start() { + local IFACE=${1} i x retval + checkconfig || return 1 + + if [[ ${ifconfig_IFACE} != dhcp ]]; then + # Show the address, but catch if this interface will be inet6 only + i=${ifconfig_IFACE%% *} + if [[ ${i} == *.*.*.* ]]; then + ebegin "Bringing ${IFACE} up (${i})" + else + ebegin "Bringing ${IFACE} up" + fi + # ifconfig does not always return failure .. + ifconfig ${IFACE} ${ifconfig_IFACE} >${devnull} && \ + ifconfig ${IFACE} up &>${devnull} + eend $? || return $? + else + # Check that eth0 was not brought up by the kernel ... + if [[ ${status_IFACE} == up ]]; then + einfo "Keeping kernel configuration for ${IFACE}" + else + ebegin "Bringing ${IFACE} up via DHCP" + /sbin/dhcpcd ${dhcpcd_IFACE} ${IFACE} + retval=$? + eend $retval + if [[ $retval == 0 ]]; then + # DHCP succeeded, show address retrieved + i=$(ifconfig ${IFACE} | grep -m1 -o 'inet addr:[^ ]*' | + cut -d: -f2) + [[ -n ${i} ]] && einfo " ${IFACE} received address ${i}" + elif [[ -n "${ifconfig_fallback_IFACE}" ]]; then + # DHCP failed, try fallback. + # Show the address, but catch if this interface will be inet6 only + i=${ifconfig_fallback_IFACE%% *} + if [[ ${i} == *.*.*.* ]]; then + ebegin "Using fallback configuration (${i}) for ${IFACE}" + else + ebegin "Using fallback configuration for ${IFACE}" + fi + ifconfig ${IFACE} ${ifconfig_fallback_IFACE} >${devnull} && \ + ifconfig ${IFACE} up &>${devnull} + eend $? || return $? + else + return $retval + fi + fi + fi + + if [[ ${#ifconfig_IFACE[@]} -gt 1 ]]; then + einfo " Adding aliases" + for ((i = 1; i < ${#ifconfig_IFACE[@]}; i = i + 1)); do + ebegin " ${IFACE}:${i} (${ifconfig_IFACE[i]%% *})" + ifconfig ${IFACE}:${i} ${ifconfig_IFACE[i]} + eend $? + done + fi + + if [[ -n ${inet6_IFACE} ]]; then + einfo " Adding inet6 addresses" + for ((i = 0; i < ${#inet6_IFACE[@]}; i = i + 1)); do + ebegin " ${IFACE} inet6 add ${inet6_IFACE[i]}" + ifconfig ${IFACE} inet6 add ${inet6_IFACE[i]} >${devnull} + eend $? + done + fi + + # Set static routes + if [[ -n ${routes_IFACE} ]]; then + einfo " Adding routes" + for ((i = 0; i < ${#routes_IFACE[@]}; i = i + 1)); do + ebegin " ${routes_IFACE[i]}" + /sbin/route add ${routes_IFACE[i]} + eend $? + done + fi + + # Set default route if applicable to this interface + if [[ ${gateway} == ${IFACE}/* ]]; then + local ogw=$(/bin/netstat -rn | awk '$1 == "0.0.0.0" {print $2}') + local gw=${gateway#*/} + if [[ ${ogw} != ${gw} ]]; then + ebegin " Setting default gateway ($gw)" + + # First delete any existing route if it was setup by kernel... + /sbin/route del default dev ${IFACE} &>${devnull} + + # Second delete old gateway if it was set... + /sbin/route del default gw ${ogw} &>${devnull} + + # Third add our new default gateway + /sbin/route add default gw ${gw} >${devnull} + eend $? || { + true # need to have some command in here + # Note: This originally called stop, which is obviously + # wrong since it's calling with a local version of IFACE. + # The below code works correctly to abort configuration of + # the interface, but is commented because we're assuming + # that default route failure should not cause the interface + # to be unconfigured. + #local error=$? + #ewarn "Aborting configuration of ${IFACE}" + #iface_stop ${IFACE} + #return ${error} + } + fi + fi + + # Enabling rp_filter causes wacky packets to be auto-dropped by + # the kernel. Note that we only do this if it is not set via + # /etc/sysctl.conf ... + if [[ -e /proc/sys/net/ipv4/conf/${IFACE}/rp_filter && \ + -z "$(grep -s '^[^#]*rp_filter' /etc/sysctl.conf)" ]]; then + echo -n 1 > /proc/sys/net/ipv4/conf/${IFACE}/rp_filter + fi +} + +# iface_stop: bring down an interface. Don't trust information in +# /etc/conf.d/net since the configuration might have changed since +# iface_start ran. Instead query for current configuration and bring +# down the interface. +iface_stop() { + local IFACE=${1} i x aliases inet6 count + + # Try to do a simple down (no aliases, no inet6, no dhcp) + aliases="$(ifconfig | grep -o "^$IFACE:[0-9]*" | tac)" + inet6="$(ifconfig ${IFACE} | awk '$1 == "inet6" {print $2}')" + if [[ -z ${aliases} && -z ${inet6} && ! -e /var/run/dhcpcd-${IFACE}.pid ]]; then + ebegin "Bringing ${IFACE} down" + ifconfig ${IFACE} down &>/dev/null + eend 0 + return 0 + fi + + einfo "Bringing ${IFACE} down" + + # Stop aliases before primary interface. + # Note this must be done in reverse order, since ifconfig eth0:1 + # will remove eth0:2, etc. It might be sufficient to simply remove + # the base interface but we're being safe here. + for i in ${aliases} ${IFACE}; do + + # Delete all the inet6 addresses for this interface + inet6="$(ifconfig ${i} | awk '$1 == "inet6" {print $3}')" + if [[ -n ${inet6} ]]; then + einfo " Removing inet6 addresses" + for x in ${inet6}; do + ebegin " ${IFACE} inet6 del ${x}" + ifconfig ${i} inet6 del ${x} + eend $? + done + fi + + # Stop DHCP (should be N/A for aliases) + # Don't trust current configuration... investigate ourselves + if /sbin/dhcpcd -z ${i} &>${devnull}; then + ebegin " Releasing DHCP lease for ${IFACE}" + for ((count = 0; count < 9; count = count + 1)); do + /sbin/dhcpcd -z ${i} &>${devnull} || break + sleep 1 + done + [[ ${count} -lt 9 ]] + eend $? "Timed out" + fi + ebegin " Stopping ${i}" + ifconfig ${i} down &>${devnull} + eend 0 + done + + return 0 +} + +start() { + # These variables are set by setup_vars + local status_IFACE vlans_IFACE dhcpcd_IFACE + local -a ifconfig_IFACE routes_IFACE inet6_IFACE + + # Call user-defined preup function if it exists + if [[ $(type -t preup) == function ]]; then + einfo "Running preup function" + preup ${IFACE} || { + eerror "preup ${IFACE} failed" + return 1 + } + fi + + # Start the primary interface and aliases + setup_vars ${IFACE} + iface_start ${IFACE} || return 1 + + # Start vlans + local vlan + for vlan in ${vlans_IFACE}; do + /sbin/vconfig add ${IFACE} ${vlan} >${devnull} + setup_vars ${IFACE}.${vlan} + iface_start ${IFACE}.${vlan} + done + + # Call user-defined postup function if it exists + if [[ $(type -t postup) == function ]]; then + einfo "Running postup function" + postup ${IFACE} + fi +} + +stop() { + # Call user-defined predown function if it exists + if [[ $(type -t predown) == function ]]; then + einfo "Running predown function" + predown ${IFACE} + fi + + # Don't depend on setup_vars since configuration might have changed. + # Investigate current configuration instead. + local vlan + for vlan in $(ifconfig | grep -o "^${IFACE}\.[^ ]*"); do + iface_stop ${vlan} + /sbin/vconfig rem ${vlan} >${devnull} + done + + iface_stop ${IFACE} || return 1 # always succeeds, btw + + # Call user-defined postdown function if it exists + if [[ $(type -t postdown) == function ]]; then + einfo "Running postdown function" + postdown ${IFACE} + fi +} + +# vim:ts=4 diff --git a/testing/hosts/sun/etc/init.d/net.eth1 b/testing/hosts/sun/etc/init.d/net.eth1 new file mode 100755 index 000000000..fa1200242 --- /dev/null +++ b/testing/hosts/sun/etc/init.d/net.eth1 @@ -0,0 +1,314 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Technologies, Inc. +# Distributed under the terms of the GNU General Public License v2 + +#NB: Config is in /etc/conf.d/net + +if [[ -n $NET_DEBUG ]]; then + set -x + devnull=/dev/stderr +else + devnull=/dev/null +fi + +# For pcmcia users. note that pcmcia must be added to the same +# runlevel as the net.* script that needs it. +depend() { + use hotplug pcmcia +} + +checkconfig() { + if [[ -z "${ifconfig_IFACE}" ]]; then + eerror "Please make sure that /etc/conf.d/net has \$ifconfig_$IFACE set" + eerror "(or \$iface_$IFACE for old-style configuration)" + return 1 + fi + if [[ -n "${vlans_IFACE}" && ! -x /sbin/vconfig ]]; then + eerror "For VLAN (802.1q) support, emerge net-misc/vconfig" + return 1 + fi +} + +# Fix bug 50039 (init.d/net.eth0 localization) +# Some other commands in this script might need to be wrapped, but +# we'll get them one-by-one. Note that LC_ALL trumps LC_anything_else +# according to locale(7) +ifconfig() { + LC_ALL=C /sbin/ifconfig "$@" +} + +# setup_vars: setup variables based on $1 and content of /etc/conf.d/net +# The following variables are set, which should be declared local by +# the calling routine. +# status_IFACE (up or '') +# vlans_IFACE (space-separated list) +# ifconfig_IFACE (array of ifconfig lines, replaces iface_IFACE) +# dhcpcd_IFACE (command-line args for dhcpcd) +# routes_IFACE (array of route lines) +# inet6_IFACE (array of inet6 lines) +# ifconfig_fallback_IFACE (fallback ifconfig if dhcp fails) +setup_vars() { + local i iface="${1//\./_}" + + status_IFACE="$(ifconfig ${1} 2>${devnull} | gawk '$1 == "UP" {print "up"}')" + eval vlans_IFACE=\"\$\{iface_${iface}_vlans\}\" + eval ifconfig_IFACE=( \"\$\{ifconfig_$iface\[@\]\}\" ) + eval dhcpcd_IFACE=\"\$\{dhcpcd_$iface\}\" + eval routes_IFACE=( \"\$\{routes_$iface\[@\]\}\" ) + eval inet6_IFACE=( \"\$\{inet6_$iface\[@\]\}\" ) + eval ifconfig_fallback_IFACE=( \"\$\{ifconfig_fallback_$iface\[@\]\}\" ) + + # BACKWARD COMPATIBILITY: populate the ifconfig_IFACE array + # if iface_IFACE is set (fex. iface_eth0 instead of ifconfig_eth0) + eval local iface_IFACE=\"\$\{iface_$iface\}\" + if [[ -n ${iface_IFACE} && -z ${ifconfig_IFACE} ]]; then + # Make sure these get evaluated as arrays + local -a aliases broadcasts netmasks + + # Start with the primary interface + ifconfig_IFACE=( "${iface_IFACE}" ) + + # ..then add aliases + eval aliases=( \$\{alias_$iface\} ) + eval broadcasts=( \$\{broadcast_$iface\} ) + eval netmasks=( \$\{netmask_$iface\} ) + for ((i = 0; i < ${#aliases[@]}; i = i + 1)); do + ifconfig_IFACE[i+1]="${aliases[i]} ${broadcasts[i]:+broadcast ${broadcasts[i]}} ${netmasks[i]:+netmask ${netmasks[i]}}" + done + fi + + # BACKWARD COMPATIBILITY: check for space-separated inet6 addresses + if [[ ${#inet6_IFACE[@]} == 1 && ${inet6_IFACE} == *' '* ]]; then + inet6_IFACE=( ${inet6_IFACE} ) + fi +} + +iface_start() { + local IFACE=${1} i x retval + checkconfig || return 1 + + if [[ ${ifconfig_IFACE} != dhcp ]]; then + # Show the address, but catch if this interface will be inet6 only + i=${ifconfig_IFACE%% *} + if [[ ${i} == *.*.*.* ]]; then + ebegin "Bringing ${IFACE} up (${i})" + else + ebegin "Bringing ${IFACE} up" + fi + # ifconfig does not always return failure .. + ifconfig ${IFACE} ${ifconfig_IFACE} >${devnull} && \ + ifconfig ${IFACE} up &>${devnull} + eend $? || return $? + else + # Check that eth0 was not brought up by the kernel ... + if [[ ${status_IFACE} == up ]]; then + einfo "Keeping kernel configuration for ${IFACE}" + else + ebegin "Bringing ${IFACE} up via DHCP" + /sbin/dhcpcd ${dhcpcd_IFACE} ${IFACE} + retval=$? + eend $retval + if [[ $retval == 0 ]]; then + # DHCP succeeded, show address retrieved + i=$(ifconfig ${IFACE} | grep -m1 -o 'inet addr:[^ ]*' | + cut -d: -f2) + [[ -n ${i} ]] && einfo " ${IFACE} received address ${i}" + elif [[ -n "${ifconfig_fallback_IFACE}" ]]; then + # DHCP failed, try fallback. + # Show the address, but catch if this interface will be inet6 only + i=${ifconfig_fallback_IFACE%% *} + if [[ ${i} == *.*.*.* ]]; then + ebegin "Using fallback configuration (${i}) for ${IFACE}" + else + ebegin "Using fallback configuration for ${IFACE}" + fi + ifconfig ${IFACE} ${ifconfig_fallback_IFACE} >${devnull} && \ + ifconfig ${IFACE} up &>${devnull} + eend $? || return $? + else + return $retval + fi + fi + fi + + if [[ ${#ifconfig_IFACE[@]} -gt 1 ]]; then + einfo " Adding aliases" + for ((i = 1; i < ${#ifconfig_IFACE[@]}; i = i + 1)); do + ebegin " ${IFACE}:${i} (${ifconfig_IFACE[i]%% *})" + ifconfig ${IFACE}:${i} ${ifconfig_IFACE[i]} + eend $? + done + fi + + if [[ -n ${inet6_IFACE} ]]; then + einfo " Adding inet6 addresses" + for ((i = 0; i < ${#inet6_IFACE[@]}; i = i + 1)); do + ebegin " ${IFACE} inet6 add ${inet6_IFACE[i]}" + ifconfig ${IFACE} inet6 add ${inet6_IFACE[i]} >${devnull} + eend $? + done + fi + + # Set static routes + if [[ -n ${routes_IFACE} ]]; then + einfo " Adding routes" + for ((i = 0; i < ${#routes_IFACE[@]}; i = i + 1)); do + ebegin " ${routes_IFACE[i]}" + /sbin/route add ${routes_IFACE[i]} + eend $? + done + fi + + # Set default route if applicable to this interface + if [[ ${gateway} == ${IFACE}/* ]]; then + local ogw=$(/bin/netstat -rn | awk '$1 == "0.0.0.0" {print $2}') + local gw=${gateway#*/} + if [[ ${ogw} != ${gw} ]]; then + ebegin " Setting default gateway ($gw)" + + # First delete any existing route if it was setup by kernel... + /sbin/route del default dev ${IFACE} &>${devnull} + + # Second delete old gateway if it was set... + /sbin/route del default gw ${ogw} &>${devnull} + + # Third add our new default gateway + /sbin/route add default gw ${gw} >${devnull} + eend $? || { + true # need to have some command in here + # Note: This originally called stop, which is obviously + # wrong since it's calling with a local version of IFACE. + # The below code works correctly to abort configuration of + # the interface, but is commented because we're assuming + # that default route failure should not cause the interface + # to be unconfigured. + #local error=$? + #ewarn "Aborting configuration of ${IFACE}" + #iface_stop ${IFACE} + #return ${error} + } + fi + fi + + # Enabling rp_filter causes wacky packets to be auto-dropped by + # the kernel. Note that we only do this if it is not set via + # /etc/sysctl.conf ... + if [[ -e /proc/sys/net/ipv4/conf/${IFACE}/rp_filter && \ + -z "$(grep -s '^[^#]*rp_filter' /etc/sysctl.conf)" ]]; then + echo -n 1 > /proc/sys/net/ipv4/conf/${IFACE}/rp_filter + fi +} + +# iface_stop: bring down an interface. Don't trust information in +# /etc/conf.d/net since the configuration might have changed since +# iface_start ran. Instead query for current configuration and bring +# down the interface. +iface_stop() { + local IFACE=${1} i x aliases inet6 count + + # Try to do a simple down (no aliases, no inet6, no dhcp) + aliases="$(ifconfig | grep -o "^$IFACE:[0-9]*" | tac)" + inet6="$(ifconfig ${IFACE} | awk '$1 == "inet6" {print $2}')" + if [[ -z ${aliases} && -z ${inet6} && ! -e /var/run/dhcpcd-${IFACE}.pid ]]; then + ebegin "Bringing ${IFACE} down" + ifconfig ${IFACE} down &>/dev/null + eend 0 + return 0 + fi + + einfo "Bringing ${IFACE} down" + + # Stop aliases before primary interface. + # Note this must be done in reverse order, since ifconfig eth0:1 + # will remove eth0:2, etc. It might be sufficient to simply remove + # the base interface but we're being safe here. + for i in ${aliases} ${IFACE}; do + + # Delete all the inet6 addresses for this interface + inet6="$(ifconfig ${i} | awk '$1 == "inet6" {print $3}')" + if [[ -n ${inet6} ]]; then + einfo " Removing inet6 addresses" + for x in ${inet6}; do + ebegin " ${IFACE} inet6 del ${x}" + ifconfig ${i} inet6 del ${x} + eend $? + done + fi + + # Stop DHCP (should be N/A for aliases) + # Don't trust current configuration... investigate ourselves + if /sbin/dhcpcd -z ${i} &>${devnull}; then + ebegin " Releasing DHCP lease for ${IFACE}" + for ((count = 0; count < 9; count = count + 1)); do + /sbin/dhcpcd -z ${i} &>${devnull} || break + sleep 1 + done + [[ ${count} -lt 9 ]] + eend $? "Timed out" + fi + ebegin " Stopping ${i}" + ifconfig ${i} down &>${devnull} + eend 0 + done + + return 0 +} + +start() { + # These variables are set by setup_vars + local status_IFACE vlans_IFACE dhcpcd_IFACE + local -a ifconfig_IFACE routes_IFACE inet6_IFACE + + # Call user-defined preup function if it exists + if [[ $(type -t preup) == function ]]; then + einfo "Running preup function" + preup ${IFACE} || { + eerror "preup ${IFACE} failed" + return 1 + } + fi + + # Start the primary interface and aliases + setup_vars ${IFACE} + iface_start ${IFACE} || return 1 + + # Start vlans + local vlan + for vlan in ${vlans_IFACE}; do + /sbin/vconfig add ${IFACE} ${vlan} >${devnull} + setup_vars ${IFACE}.${vlan} + iface_start ${IFACE}.${vlan} + done + + # Call user-defined postup function if it exists + if [[ $(type -t postup) == function ]]; then + einfo "Running postup function" + postup ${IFACE} + fi +} + +stop() { + # Call user-defined predown function if it exists + if [[ $(type -t predown) == function ]]; then + einfo "Running predown function" + predown ${IFACE} + fi + + # Don't depend on setup_vars since configuration might have changed. + # Investigate current configuration instead. + local vlan + for vlan in $(ifconfig | grep -o "^${IFACE}\.[^ ]*"); do + iface_stop ${vlan} + /sbin/vconfig rem ${vlan} >${devnull} + done + + iface_stop ${IFACE} || return 1 # always succeeds, btw + + # Call user-defined postdown function if it exists + if [[ $(type -t postdown) == function ]]; then + einfo "Running postdown function" + postdown ${IFACE} + fi +} + +# vim:ts=4 diff --git a/testing/hosts/sun/etc/ipsec.conf b/testing/hosts/sun/etc/ipsec.conf new file mode 100755 index 000000000..4d0299a08 --- /dev/null +++ b/testing/hosts/sun/etc/ipsec.conf @@ -0,0 +1,37 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + nat_traversal=yes + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_SUN + leftcert=sunCert.pem + leftid=@sun.strongswan.org + leftfirewall=yes + +conn net-net + leftsubnet=10.2.0.0/16 + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add + +conn host-host + right=PH_IP_MOON + rightid=@moon.strongswan.org + auto=add + +conn nat-t + leftsubnet=10.2.0.0/16 + right=%any + rightsubnetwithin=10.1.0.0/16 + auto=add diff --git a/testing/hosts/sun/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/hosts/sun/etc/ipsec.d/cacerts/strongswanCert.pem new file mode 100644 index 000000000..0de3b268d --- /dev/null +++ b/testing/hosts/sun/etc/ipsec.d/cacerts/strongswanCert.pem @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDtTCCAp2gAwIBAgIBADANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA0MDkxMDExMDE0NVoXDTE0MDkwODExMDE0NVowRTELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9u +Z1N3YW4gUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL/y +X2LqPVZuWLPIeknK86xhz6ljd3NNhC2z+P1uoCP3sBMuZiZQEjFzhnKcbXxCeo2f +FnvhOOjrrisSuVkzuu82oxXD3fIkzuS7m9V4E10EZzgmKWIf+WuNRfbgAuUINmLc +4YGAXBQLPyzpP4Ou48hhz/YQo58Bics6PHy5v34qCVROIXDvqhj91P8g+pS+F21/ +7P+CH2jRcVIEHZtG8M/PweTPQ95dPzpYd2Ov6SZ/U7EWmbMmT8VcUYn1aChxFmy5 +gweVBWlkH6MP+1DeE0/tL5c87xo5KCeGK8Tdqpe7sBRC4pPEEHDQciTUvkeuJ1Pr +K+1LwdqRxo7HgMRiDw8CAwEAAaOBrzCBrDAPBgNVHRMBAf8EBTADAQH/MAsGA1Ud +DwQEAwIBBjAdBgNVHQ4EFgQUXafdcAZRMn7ntm2zteXgYOouTe8wbQYDVR0jBGYw +ZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYD +VQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3Qg +Q0GCAQAwDQYJKoZIhvcNAQEEBQADggEBAJrXTj5gWS37myHHhii9drYwkMFyDHS/ +lHU8rW/drcnHdus507+qUhNr9SiEAHg4Ywj895UDvT0a1sFaw44QyEa/94iKA8/n ++g5kS1IrKvWu3wu8UI3EgzChgHV3cncQlQWbK+FI9Y3Ax1O1np1r+wLptoWpKKKE +UxsYcxP9K4Nbyeon0AIHOajUheiL3t6aRc3m0o7VU7Do6S2r+He+1Zq/nRUfFeTy +0Atebkn8tmUpPSKWaXkmwpVNrjZ1Qu9umAU+dtJyhzL2zmnyhPC4VqpsKCOp7imy +gKZvUIKPm1zyf4T+yjwxwkiX2xVseoM3aKswb1EoZFelHwndU7u0GQ8= +-----END CERTIFICATE----- diff --git a/testing/hosts/sun/etc/ipsec.d/certs/sunCert.pem b/testing/hosts/sun/etc/ipsec.d/certs/sunCert.pem new file mode 100644 index 000000000..e7825e3db --- /dev/null +++ b/testing/hosts/sun/etc/ipsec.d/certs/sunCert.pem @@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIIECzCCAvOgAwIBAgIBAjANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA0MDkxMDExMTU1M1oXDTA5MDkwOTExMTU1M1owRTELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN1bi5z +dHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOQ8 +foB9h5BZ92gA5JkQTJNuoF6FAzoq91Gh7To27/g74p01+SUnsSaBfPmNfGp4avdS +Ewy2dWMA/7uj0Dbe8MEKssNztp0JQubp2s7n8mrrQLGsqB6YAS09l75XDjS3yqTC +AtH1kD4zAl/j/AyeQBuLR4CyJEmC/rqD3/a+pr42CaljuFBgBRpCTUpU4mlslZSe +zv9wu61PwTFxb8VDlBHUd/lwkXThKgU3uEhWRxLahpSldEGmiTTmx30k/XbOMF2n +HObEHt5EY9uWRGGbj81ZRWiNk0dNtbpneUHv/NvdWLc591M8cEGEQdWW2XTVbL2G +N67q8hdzGgIvb7QJPMcCAwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQD +AgOoMB0GA1UdDgQWBBQ9xLkyCBbyQmRet0vvV1Fg6z5q2DBtBgNVHSMEZjBkgBRd +p91wBlEyfue2bbO15eBg6i5N76FJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoT +EExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIB +ADAdBgNVHREEFjAUghJzdW4uc3Ryb25nc3dhbi5vcmcwOQYDVR0fBDIwMDAuoCyg +KoYoaHR0cDovL2NybC5zdHJvbmdzd2FuLm9yZy9zdHJvbmdzd2FuLmNybDANBgkq +hkiG9w0BAQQFAAOCAQEAGQQroiAa0SwwhJprGd7OM+rfBJAGbsa3DPzFCfHX1R7i +ZyDs9aph1DK+IgUa377Ev1U7oB0EldpmOoJJugCjtNLfpW3t1RXBERL/QfpO2+VP +Wt3SfZ0Oq48jiqB1MVLMZRPCICZEQjT4sJ3HYs5ZuucuvoxeMx3rQ4HxUtHtMD3S +5JNMwFFiOXAjyIyrTlb7YuRJTT5hE+Rms8GUQ5Xnt7zKZ7yfoSLFzy0/cLFPdQvE +JA7w8crODCZpDgEKVHVyUWuyt1O46N3ydUfDcnKJoQ9HWHm3xCbDex5MHTnvm1lk +Stx71CGM7TE6VPy028UlrSw0JqEwCVwstei2cMzwgA== +-----END CERTIFICATE----- diff --git a/testing/hosts/sun/etc/ipsec.d/private/sunKey.pem b/testing/hosts/sun/etc/ipsec.d/private/sunKey.pem new file mode 100644 index 000000000..de63615a6 --- /dev/null +++ b/testing/hosts/sun/etc/ipsec.d/private/sunKey.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEA5Dx+gH2HkFn3aADkmRBMk26gXoUDOir3UaHtOjbv+DvinTX5 +JSexJoF8+Y18anhq91ITDLZ1YwD/u6PQNt7wwQqyw3O2nQlC5unazufyautAsayo +HpgBLT2XvlcONLfKpMIC0fWQPjMCX+P8DJ5AG4tHgLIkSYL+uoPf9r6mvjYJqWO4 +UGAFGkJNSlTiaWyVlJ7O/3C7rU/BMXFvxUOUEdR3+XCRdOEqBTe4SFZHEtqGlKV0 +QaaJNObHfST9ds4wXacc5sQe3kRj25ZEYZuPzVlFaI2TR021umd5Qe/8291Ytzn3 +UzxwQYRB1ZbZdNVsvYY3ruryF3MaAi9vtAk8xwIDAQABAoIBACOnh6OO+KSGSW4H +5a47q5rEh2z8nnpxx90KzMJxXp+Ky2X/zoINZ1E6nUlm3u7LDPrB6ZPs1P24ZDrt +5lMMFNQzVaXO59I0Zi0ojzQPbAFj6uFWtZTB7j0hCBmGBAQcSh3e6Q3frL7qvQ45 +0WAvQJiM84iZS63oNt7wRwaG1gmUn/k6j34y4qUkD5FfzGhFkekzDS54bRGwjhTA +7XBUPAcsdNoIPcihokgLXwcdA8l6LBGsk48HN7O+CYOdh4xb6oQ4msgPED3pDIMo +QRptqcPQ6y1qJaiM/D8SvdX2ZTFm/bh2jlGvcm5sWG8VdSDRqq9r0YCi4KlQzA1g +OAyrMeECgYEA9dAVEegvRrFm4V6hC9CAwyS6fiOqx/l0xd354Xv4V6vR6n6rKwDF +kv96A4sMH+mdNf6MwzFFCNW9zZV7noEIvAyPAc7jM7t/Hmt5M41DiDe0RJpWKEdQ +lEj2qd8FqcY4YVDEH/TdchwIvoWHlD2sykW7eoseCY5mYEoQN4Ciwj8CgYEA7bHv +qdaz2SoG9lyj8Mz7XthjYZLeaxKu7cpqP5bqzuRSkVFvib0WKoJfwsewzO5hCHnf +8yMD3Wp4Ap2FYoN2XfV/jQyHvlpMlkxv+bU39/HLosdhzKbOJsru9kbBCaARHAVi +av3O3JfV2/G+cwR6nPCNjcTsIcqtEpUO7kOfU3kCgYAKYNmy4tm0I2NTmpo0FH6L +Pq69CqZ4QPkELaYSNhi7It7/BpAVhbfRyAWPxrwhUMy5beDlkNv4ToXv+yK4A3yp +6+HR0rlXAtCQKTt5yLoUMz3iM531n2UwjZAUhf0IOP1CZpWRP9ZlrfdUi/C4eo4k +ECOlPeBryN5brGTY4w58IwKBgQC0ukRF2I+qoP/mNg4Yu2KtfM4jlG4072G+P9eF +PhSO9p+pCkhKbFD8RWDWUsslJmL09OXIkmkP4zIYmvieLOLFEjLHZi2YGER/SuMg +9B74EQsKW5sK5hF9AXOsIaQI04Hu0lFAlHbC11euAiMShOdNiMG4d3ArSVVK+bb+ +hsAP0QKBgHcJuTJ6dv77evW3MFZPRjFH25pike40PWmSLgCt5PV25DRL2UG0pOut +uybN9biQK5v377/3GD7eOL+acxHODjWmmfeEFW0YlJ1oUb/P8NlqsSnHvUoIqa24 +JmTXS/XzjgxQFFfzo0c1/1JLdG6r5CLTWxHq1EhIOJsowTlrCzX/ +-----END RSA PRIVATE KEY----- diff --git a/testing/hosts/sun/etc/ipsec.secrets b/testing/hosts/sun/etc/ipsec.secrets new file mode 100644 index 000000000..1095b74cc --- /dev/null +++ b/testing/hosts/sun/etc/ipsec.secrets @@ -0,0 +1,8 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA sunKey.pem + + + + + diff --git a/testing/hosts/sun/etc/runlevels/default/net.eth0 b/testing/hosts/sun/etc/runlevels/default/net.eth0 new file mode 100755 index 000000000..fa1200242 --- /dev/null +++ b/testing/hosts/sun/etc/runlevels/default/net.eth0 @@ -0,0 +1,314 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Technologies, Inc. +# Distributed under the terms of the GNU General Public License v2 + +#NB: Config is in /etc/conf.d/net + +if [[ -n $NET_DEBUG ]]; then + set -x + devnull=/dev/stderr +else + devnull=/dev/null +fi + +# For pcmcia users. note that pcmcia must be added to the same +# runlevel as the net.* script that needs it. +depend() { + use hotplug pcmcia +} + +checkconfig() { + if [[ -z "${ifconfig_IFACE}" ]]; then + eerror "Please make sure that /etc/conf.d/net has \$ifconfig_$IFACE set" + eerror "(or \$iface_$IFACE for old-style configuration)" + return 1 + fi + if [[ -n "${vlans_IFACE}" && ! -x /sbin/vconfig ]]; then + eerror "For VLAN (802.1q) support, emerge net-misc/vconfig" + return 1 + fi +} + +# Fix bug 50039 (init.d/net.eth0 localization) +# Some other commands in this script might need to be wrapped, but +# we'll get them one-by-one. Note that LC_ALL trumps LC_anything_else +# according to locale(7) +ifconfig() { + LC_ALL=C /sbin/ifconfig "$@" +} + +# setup_vars: setup variables based on $1 and content of /etc/conf.d/net +# The following variables are set, which should be declared local by +# the calling routine. +# status_IFACE (up or '') +# vlans_IFACE (space-separated list) +# ifconfig_IFACE (array of ifconfig lines, replaces iface_IFACE) +# dhcpcd_IFACE (command-line args for dhcpcd) +# routes_IFACE (array of route lines) +# inet6_IFACE (array of inet6 lines) +# ifconfig_fallback_IFACE (fallback ifconfig if dhcp fails) +setup_vars() { + local i iface="${1//\./_}" + + status_IFACE="$(ifconfig ${1} 2>${devnull} | gawk '$1 == "UP" {print "up"}')" + eval vlans_IFACE=\"\$\{iface_${iface}_vlans\}\" + eval ifconfig_IFACE=( \"\$\{ifconfig_$iface\[@\]\}\" ) + eval dhcpcd_IFACE=\"\$\{dhcpcd_$iface\}\" + eval routes_IFACE=( \"\$\{routes_$iface\[@\]\}\" ) + eval inet6_IFACE=( \"\$\{inet6_$iface\[@\]\}\" ) + eval ifconfig_fallback_IFACE=( \"\$\{ifconfig_fallback_$iface\[@\]\}\" ) + + # BACKWARD COMPATIBILITY: populate the ifconfig_IFACE array + # if iface_IFACE is set (fex. iface_eth0 instead of ifconfig_eth0) + eval local iface_IFACE=\"\$\{iface_$iface\}\" + if [[ -n ${iface_IFACE} && -z ${ifconfig_IFACE} ]]; then + # Make sure these get evaluated as arrays + local -a aliases broadcasts netmasks + + # Start with the primary interface + ifconfig_IFACE=( "${iface_IFACE}" ) + + # ..then add aliases + eval aliases=( \$\{alias_$iface\} ) + eval broadcasts=( \$\{broadcast_$iface\} ) + eval netmasks=( \$\{netmask_$iface\} ) + for ((i = 0; i < ${#aliases[@]}; i = i + 1)); do + ifconfig_IFACE[i+1]="${aliases[i]} ${broadcasts[i]:+broadcast ${broadcasts[i]}} ${netmasks[i]:+netmask ${netmasks[i]}}" + done + fi + + # BACKWARD COMPATIBILITY: check for space-separated inet6 addresses + if [[ ${#inet6_IFACE[@]} == 1 && ${inet6_IFACE} == *' '* ]]; then + inet6_IFACE=( ${inet6_IFACE} ) + fi +} + +iface_start() { + local IFACE=${1} i x retval + checkconfig || return 1 + + if [[ ${ifconfig_IFACE} != dhcp ]]; then + # Show the address, but catch if this interface will be inet6 only + i=${ifconfig_IFACE%% *} + if [[ ${i} == *.*.*.* ]]; then + ebegin "Bringing ${IFACE} up (${i})" + else + ebegin "Bringing ${IFACE} up" + fi + # ifconfig does not always return failure .. + ifconfig ${IFACE} ${ifconfig_IFACE} >${devnull} && \ + ifconfig ${IFACE} up &>${devnull} + eend $? || return $? + else + # Check that eth0 was not brought up by the kernel ... + if [[ ${status_IFACE} == up ]]; then + einfo "Keeping kernel configuration for ${IFACE}" + else + ebegin "Bringing ${IFACE} up via DHCP" + /sbin/dhcpcd ${dhcpcd_IFACE} ${IFACE} + retval=$? + eend $retval + if [[ $retval == 0 ]]; then + # DHCP succeeded, show address retrieved + i=$(ifconfig ${IFACE} | grep -m1 -o 'inet addr:[^ ]*' | + cut -d: -f2) + [[ -n ${i} ]] && einfo " ${IFACE} received address ${i}" + elif [[ -n "${ifconfig_fallback_IFACE}" ]]; then + # DHCP failed, try fallback. + # Show the address, but catch if this interface will be inet6 only + i=${ifconfig_fallback_IFACE%% *} + if [[ ${i} == *.*.*.* ]]; then + ebegin "Using fallback configuration (${i}) for ${IFACE}" + else + ebegin "Using fallback configuration for ${IFACE}" + fi + ifconfig ${IFACE} ${ifconfig_fallback_IFACE} >${devnull} && \ + ifconfig ${IFACE} up &>${devnull} + eend $? || return $? + else + return $retval + fi + fi + fi + + if [[ ${#ifconfig_IFACE[@]} -gt 1 ]]; then + einfo " Adding aliases" + for ((i = 1; i < ${#ifconfig_IFACE[@]}; i = i + 1)); do + ebegin " ${IFACE}:${i} (${ifconfig_IFACE[i]%% *})" + ifconfig ${IFACE}:${i} ${ifconfig_IFACE[i]} + eend $? + done + fi + + if [[ -n ${inet6_IFACE} ]]; then + einfo " Adding inet6 addresses" + for ((i = 0; i < ${#inet6_IFACE[@]}; i = i + 1)); do + ebegin " ${IFACE} inet6 add ${inet6_IFACE[i]}" + ifconfig ${IFACE} inet6 add ${inet6_IFACE[i]} >${devnull} + eend $? + done + fi + + # Set static routes + if [[ -n ${routes_IFACE} ]]; then + einfo " Adding routes" + for ((i = 0; i < ${#routes_IFACE[@]}; i = i + 1)); do + ebegin " ${routes_IFACE[i]}" + /sbin/route add ${routes_IFACE[i]} + eend $? + done + fi + + # Set default route if applicable to this interface + if [[ ${gateway} == ${IFACE}/* ]]; then + local ogw=$(/bin/netstat -rn | awk '$1 == "0.0.0.0" {print $2}') + local gw=${gateway#*/} + if [[ ${ogw} != ${gw} ]]; then + ebegin " Setting default gateway ($gw)" + + # First delete any existing route if it was setup by kernel... + /sbin/route del default dev ${IFACE} &>${devnull} + + # Second delete old gateway if it was set... + /sbin/route del default gw ${ogw} &>${devnull} + + # Third add our new default gateway + /sbin/route add default gw ${gw} >${devnull} + eend $? || { + true # need to have some command in here + # Note: This originally called stop, which is obviously + # wrong since it's calling with a local version of IFACE. + # The below code works correctly to abort configuration of + # the interface, but is commented because we're assuming + # that default route failure should not cause the interface + # to be unconfigured. + #local error=$? + #ewarn "Aborting configuration of ${IFACE}" + #iface_stop ${IFACE} + #return ${error} + } + fi + fi + + # Enabling rp_filter causes wacky packets to be auto-dropped by + # the kernel. Note that we only do this if it is not set via + # /etc/sysctl.conf ... + if [[ -e /proc/sys/net/ipv4/conf/${IFACE}/rp_filter && \ + -z "$(grep -s '^[^#]*rp_filter' /etc/sysctl.conf)" ]]; then + echo -n 1 > /proc/sys/net/ipv4/conf/${IFACE}/rp_filter + fi +} + +# iface_stop: bring down an interface. Don't trust information in +# /etc/conf.d/net since the configuration might have changed since +# iface_start ran. Instead query for current configuration and bring +# down the interface. +iface_stop() { + local IFACE=${1} i x aliases inet6 count + + # Try to do a simple down (no aliases, no inet6, no dhcp) + aliases="$(ifconfig | grep -o "^$IFACE:[0-9]*" | tac)" + inet6="$(ifconfig ${IFACE} | awk '$1 == "inet6" {print $2}')" + if [[ -z ${aliases} && -z ${inet6} && ! -e /var/run/dhcpcd-${IFACE}.pid ]]; then + ebegin "Bringing ${IFACE} down" + ifconfig ${IFACE} down &>/dev/null + eend 0 + return 0 + fi + + einfo "Bringing ${IFACE} down" + + # Stop aliases before primary interface. + # Note this must be done in reverse order, since ifconfig eth0:1 + # will remove eth0:2, etc. It might be sufficient to simply remove + # the base interface but we're being safe here. + for i in ${aliases} ${IFACE}; do + + # Delete all the inet6 addresses for this interface + inet6="$(ifconfig ${i} | awk '$1 == "inet6" {print $3}')" + if [[ -n ${inet6} ]]; then + einfo " Removing inet6 addresses" + for x in ${inet6}; do + ebegin " ${IFACE} inet6 del ${x}" + ifconfig ${i} inet6 del ${x} + eend $? + done + fi + + # Stop DHCP (should be N/A for aliases) + # Don't trust current configuration... investigate ourselves + if /sbin/dhcpcd -z ${i} &>${devnull}; then + ebegin " Releasing DHCP lease for ${IFACE}" + for ((count = 0; count < 9; count = count + 1)); do + /sbin/dhcpcd -z ${i} &>${devnull} || break + sleep 1 + done + [[ ${count} -lt 9 ]] + eend $? "Timed out" + fi + ebegin " Stopping ${i}" + ifconfig ${i} down &>${devnull} + eend 0 + done + + return 0 +} + +start() { + # These variables are set by setup_vars + local status_IFACE vlans_IFACE dhcpcd_IFACE + local -a ifconfig_IFACE routes_IFACE inet6_IFACE + + # Call user-defined preup function if it exists + if [[ $(type -t preup) == function ]]; then + einfo "Running preup function" + preup ${IFACE} || { + eerror "preup ${IFACE} failed" + return 1 + } + fi + + # Start the primary interface and aliases + setup_vars ${IFACE} + iface_start ${IFACE} || return 1 + + # Start vlans + local vlan + for vlan in ${vlans_IFACE}; do + /sbin/vconfig add ${IFACE} ${vlan} >${devnull} + setup_vars ${IFACE}.${vlan} + iface_start ${IFACE}.${vlan} + done + + # Call user-defined postup function if it exists + if [[ $(type -t postup) == function ]]; then + einfo "Running postup function" + postup ${IFACE} + fi +} + +stop() { + # Call user-defined predown function if it exists + if [[ $(type -t predown) == function ]]; then + einfo "Running predown function" + predown ${IFACE} + fi + + # Don't depend on setup_vars since configuration might have changed. + # Investigate current configuration instead. + local vlan + for vlan in $(ifconfig | grep -o "^${IFACE}\.[^ ]*"); do + iface_stop ${vlan} + /sbin/vconfig rem ${vlan} >${devnull} + done + + iface_stop ${IFACE} || return 1 # always succeeds, btw + + # Call user-defined postdown function if it exists + if [[ $(type -t postdown) == function ]]; then + einfo "Running postdown function" + postdown ${IFACE} + fi +} + +# vim:ts=4 diff --git a/testing/hosts/sun/etc/runlevels/default/net.eth1 b/testing/hosts/sun/etc/runlevels/default/net.eth1 new file mode 100755 index 000000000..fa1200242 --- /dev/null +++ b/testing/hosts/sun/etc/runlevels/default/net.eth1 @@ -0,0 +1,314 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Technologies, Inc. +# Distributed under the terms of the GNU General Public License v2 + +#NB: Config is in /etc/conf.d/net + +if [[ -n $NET_DEBUG ]]; then + set -x + devnull=/dev/stderr +else + devnull=/dev/null +fi + +# For pcmcia users. note that pcmcia must be added to the same +# runlevel as the net.* script that needs it. +depend() { + use hotplug pcmcia +} + +checkconfig() { + if [[ -z "${ifconfig_IFACE}" ]]; then + eerror "Please make sure that /etc/conf.d/net has \$ifconfig_$IFACE set" + eerror "(or \$iface_$IFACE for old-style configuration)" + return 1 + fi + if [[ -n "${vlans_IFACE}" && ! -x /sbin/vconfig ]]; then + eerror "For VLAN (802.1q) support, emerge net-misc/vconfig" + return 1 + fi +} + +# Fix bug 50039 (init.d/net.eth0 localization) +# Some other commands in this script might need to be wrapped, but +# we'll get them one-by-one. Note that LC_ALL trumps LC_anything_else +# according to locale(7) +ifconfig() { + LC_ALL=C /sbin/ifconfig "$@" +} + +# setup_vars: setup variables based on $1 and content of /etc/conf.d/net +# The following variables are set, which should be declared local by +# the calling routine. +# status_IFACE (up or '') +# vlans_IFACE (space-separated list) +# ifconfig_IFACE (array of ifconfig lines, replaces iface_IFACE) +# dhcpcd_IFACE (command-line args for dhcpcd) +# routes_IFACE (array of route lines) +# inet6_IFACE (array of inet6 lines) +# ifconfig_fallback_IFACE (fallback ifconfig if dhcp fails) +setup_vars() { + local i iface="${1//\./_}" + + status_IFACE="$(ifconfig ${1} 2>${devnull} | gawk '$1 == "UP" {print "up"}')" + eval vlans_IFACE=\"\$\{iface_${iface}_vlans\}\" + eval ifconfig_IFACE=( \"\$\{ifconfig_$iface\[@\]\}\" ) + eval dhcpcd_IFACE=\"\$\{dhcpcd_$iface\}\" + eval routes_IFACE=( \"\$\{routes_$iface\[@\]\}\" ) + eval inet6_IFACE=( \"\$\{inet6_$iface\[@\]\}\" ) + eval ifconfig_fallback_IFACE=( \"\$\{ifconfig_fallback_$iface\[@\]\}\" ) + + # BACKWARD COMPATIBILITY: populate the ifconfig_IFACE array + # if iface_IFACE is set (fex. iface_eth0 instead of ifconfig_eth0) + eval local iface_IFACE=\"\$\{iface_$iface\}\" + if [[ -n ${iface_IFACE} && -z ${ifconfig_IFACE} ]]; then + # Make sure these get evaluated as arrays + local -a aliases broadcasts netmasks + + # Start with the primary interface + ifconfig_IFACE=( "${iface_IFACE}" ) + + # ..then add aliases + eval aliases=( \$\{alias_$iface\} ) + eval broadcasts=( \$\{broadcast_$iface\} ) + eval netmasks=( \$\{netmask_$iface\} ) + for ((i = 0; i < ${#aliases[@]}; i = i + 1)); do + ifconfig_IFACE[i+1]="${aliases[i]} ${broadcasts[i]:+broadcast ${broadcasts[i]}} ${netmasks[i]:+netmask ${netmasks[i]}}" + done + fi + + # BACKWARD COMPATIBILITY: check for space-separated inet6 addresses + if [[ ${#inet6_IFACE[@]} == 1 && ${inet6_IFACE} == *' '* ]]; then + inet6_IFACE=( ${inet6_IFACE} ) + fi +} + +iface_start() { + local IFACE=${1} i x retval + checkconfig || return 1 + + if [[ ${ifconfig_IFACE} != dhcp ]]; then + # Show the address, but catch if this interface will be inet6 only + i=${ifconfig_IFACE%% *} + if [[ ${i} == *.*.*.* ]]; then + ebegin "Bringing ${IFACE} up (${i})" + else + ebegin "Bringing ${IFACE} up" + fi + # ifconfig does not always return failure .. + ifconfig ${IFACE} ${ifconfig_IFACE} >${devnull} && \ + ifconfig ${IFACE} up &>${devnull} + eend $? || return $? + else + # Check that eth0 was not brought up by the kernel ... + if [[ ${status_IFACE} == up ]]; then + einfo "Keeping kernel configuration for ${IFACE}" + else + ebegin "Bringing ${IFACE} up via DHCP" + /sbin/dhcpcd ${dhcpcd_IFACE} ${IFACE} + retval=$? + eend $retval + if [[ $retval == 0 ]]; then + # DHCP succeeded, show address retrieved + i=$(ifconfig ${IFACE} | grep -m1 -o 'inet addr:[^ ]*' | + cut -d: -f2) + [[ -n ${i} ]] && einfo " ${IFACE} received address ${i}" + elif [[ -n "${ifconfig_fallback_IFACE}" ]]; then + # DHCP failed, try fallback. + # Show the address, but catch if this interface will be inet6 only + i=${ifconfig_fallback_IFACE%% *} + if [[ ${i} == *.*.*.* ]]; then + ebegin "Using fallback configuration (${i}) for ${IFACE}" + else + ebegin "Using fallback configuration for ${IFACE}" + fi + ifconfig ${IFACE} ${ifconfig_fallback_IFACE} >${devnull} && \ + ifconfig ${IFACE} up &>${devnull} + eend $? || return $? + else + return $retval + fi + fi + fi + + if [[ ${#ifconfig_IFACE[@]} -gt 1 ]]; then + einfo " Adding aliases" + for ((i = 1; i < ${#ifconfig_IFACE[@]}; i = i + 1)); do + ebegin " ${IFACE}:${i} (${ifconfig_IFACE[i]%% *})" + ifconfig ${IFACE}:${i} ${ifconfig_IFACE[i]} + eend $? + done + fi + + if [[ -n ${inet6_IFACE} ]]; then + einfo " Adding inet6 addresses" + for ((i = 0; i < ${#inet6_IFACE[@]}; i = i + 1)); do + ebegin " ${IFACE} inet6 add ${inet6_IFACE[i]}" + ifconfig ${IFACE} inet6 add ${inet6_IFACE[i]} >${devnull} + eend $? + done + fi + + # Set static routes + if [[ -n ${routes_IFACE} ]]; then + einfo " Adding routes" + for ((i = 0; i < ${#routes_IFACE[@]}; i = i + 1)); do + ebegin " ${routes_IFACE[i]}" + /sbin/route add ${routes_IFACE[i]} + eend $? + done + fi + + # Set default route if applicable to this interface + if [[ ${gateway} == ${IFACE}/* ]]; then + local ogw=$(/bin/netstat -rn | awk '$1 == "0.0.0.0" {print $2}') + local gw=${gateway#*/} + if [[ ${ogw} != ${gw} ]]; then + ebegin " Setting default gateway ($gw)" + + # First delete any existing route if it was setup by kernel... + /sbin/route del default dev ${IFACE} &>${devnull} + + # Second delete old gateway if it was set... + /sbin/route del default gw ${ogw} &>${devnull} + + # Third add our new default gateway + /sbin/route add default gw ${gw} >${devnull} + eend $? || { + true # need to have some command in here + # Note: This originally called stop, which is obviously + # wrong since it's calling with a local version of IFACE. + # The below code works correctly to abort configuration of + # the interface, but is commented because we're assuming + # that default route failure should not cause the interface + # to be unconfigured. + #local error=$? + #ewarn "Aborting configuration of ${IFACE}" + #iface_stop ${IFACE} + #return ${error} + } + fi + fi + + # Enabling rp_filter causes wacky packets to be auto-dropped by + # the kernel. Note that we only do this if it is not set via + # /etc/sysctl.conf ... + if [[ -e /proc/sys/net/ipv4/conf/${IFACE}/rp_filter && \ + -z "$(grep -s '^[^#]*rp_filter' /etc/sysctl.conf)" ]]; then + echo -n 1 > /proc/sys/net/ipv4/conf/${IFACE}/rp_filter + fi +} + +# iface_stop: bring down an interface. Don't trust information in +# /etc/conf.d/net since the configuration might have changed since +# iface_start ran. Instead query for current configuration and bring +# down the interface. +iface_stop() { + local IFACE=${1} i x aliases inet6 count + + # Try to do a simple down (no aliases, no inet6, no dhcp) + aliases="$(ifconfig | grep -o "^$IFACE:[0-9]*" | tac)" + inet6="$(ifconfig ${IFACE} | awk '$1 == "inet6" {print $2}')" + if [[ -z ${aliases} && -z ${inet6} && ! -e /var/run/dhcpcd-${IFACE}.pid ]]; then + ebegin "Bringing ${IFACE} down" + ifconfig ${IFACE} down &>/dev/null + eend 0 + return 0 + fi + + einfo "Bringing ${IFACE} down" + + # Stop aliases before primary interface. + # Note this must be done in reverse order, since ifconfig eth0:1 + # will remove eth0:2, etc. It might be sufficient to simply remove + # the base interface but we're being safe here. + for i in ${aliases} ${IFACE}; do + + # Delete all the inet6 addresses for this interface + inet6="$(ifconfig ${i} | awk '$1 == "inet6" {print $3}')" + if [[ -n ${inet6} ]]; then + einfo " Removing inet6 addresses" + for x in ${inet6}; do + ebegin " ${IFACE} inet6 del ${x}" + ifconfig ${i} inet6 del ${x} + eend $? + done + fi + + # Stop DHCP (should be N/A for aliases) + # Don't trust current configuration... investigate ourselves + if /sbin/dhcpcd -z ${i} &>${devnull}; then + ebegin " Releasing DHCP lease for ${IFACE}" + for ((count = 0; count < 9; count = count + 1)); do + /sbin/dhcpcd -z ${i} &>${devnull} || break + sleep 1 + done + [[ ${count} -lt 9 ]] + eend $? "Timed out" + fi + ebegin " Stopping ${i}" + ifconfig ${i} down &>${devnull} + eend 0 + done + + return 0 +} + +start() { + # These variables are set by setup_vars + local status_IFACE vlans_IFACE dhcpcd_IFACE + local -a ifconfig_IFACE routes_IFACE inet6_IFACE + + # Call user-defined preup function if it exists + if [[ $(type -t preup) == function ]]; then + einfo "Running preup function" + preup ${IFACE} || { + eerror "preup ${IFACE} failed" + return 1 + } + fi + + # Start the primary interface and aliases + setup_vars ${IFACE} + iface_start ${IFACE} || return 1 + + # Start vlans + local vlan + for vlan in ${vlans_IFACE}; do + /sbin/vconfig add ${IFACE} ${vlan} >${devnull} + setup_vars ${IFACE}.${vlan} + iface_start ${IFACE}.${vlan} + done + + # Call user-defined postup function if it exists + if [[ $(type -t postup) == function ]]; then + einfo "Running postup function" + postup ${IFACE} + fi +} + +stop() { + # Call user-defined predown function if it exists + if [[ $(type -t predown) == function ]]; then + einfo "Running predown function" + predown ${IFACE} + fi + + # Don't depend on setup_vars since configuration might have changed. + # Investigate current configuration instead. + local vlan + for vlan in $(ifconfig | grep -o "^${IFACE}\.[^ ]*"); do + iface_stop ${vlan} + /sbin/vconfig rem ${vlan} >${devnull} + done + + iface_stop ${IFACE} || return 1 # always succeeds, btw + + # Call user-defined postdown function if it exists + if [[ $(type -t postdown) == function ]]; then + einfo "Running postdown function" + postdown ${IFACE} + fi +} + +# vim:ts=4 diff --git a/testing/hosts/venus/etc/conf.d/hostname b/testing/hosts/venus/etc/conf.d/hostname new file mode 100644 index 000000000..c9e3dd1d4 --- /dev/null +++ b/testing/hosts/venus/etc/conf.d/hostname @@ -0,0 +1 @@ +HOSTNAME=venus diff --git a/testing/hosts/venus/etc/conf.d/net b/testing/hosts/venus/etc/conf.d/net new file mode 100644 index 000000000..2c55c2c20 --- /dev/null +++ b/testing/hosts/venus/etc/conf.d/net @@ -0,0 +1,11 @@ +# /etc/conf.d/net: + +# This is basically the ifconfig argument without the ifconfig $iface +# +iface_lo="127.0.0.1 netmask 255.0.0.0" +iface_eth0="PH_IP_VENUS broadcast 10.1.255.255 netmask 255.255.0.0" + +# For setting the default gateway +# +gateway="eth0/PH_IP1_MOON" + diff --git a/testing/hosts/venus/etc/init.d/iptables b/testing/hosts/venus/etc/init.d/iptables new file mode 100755 index 000000000..1097ac5a4 --- /dev/null +++ b/testing/hosts/venus/etc/init.d/iptables @@ -0,0 +1,74 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +opts="start stop reload" + +depend() { + before net + need logger +} + +start() { + ebegin "Starting firewall" + + # default policy is DROP + /sbin/iptables -P INPUT DROP + /sbin/iptables -P OUTPUT DROP + /sbin/iptables -P FORWARD DROP + + # allow IKE + iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT + iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + + # allow NAT-T + iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT + iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + + + # allow crl fetch from winnetou + iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT + iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + + # allow ssh + iptables -A INPUT -p tcp --dport 22 -j ACCEPT + iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT + + eend $? +} + +stop() { + ebegin "Stopping firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + + if [ $a == nat ]; then + /sbin/iptables -t nat -P PREROUTING ACCEPT + /sbin/iptables -t nat -P POSTROUTING ACCEPT + /sbin/iptables -t nat -P OUTPUT ACCEPT + elif [ $a == mangle ]; then + /sbin/iptables -t mangle -P PREROUTING ACCEPT + /sbin/iptables -t mangle -P INPUT ACCEPT + /sbin/iptables -t mangle -P FORWARD ACCEPT + /sbin/iptables -t mangle -P OUTPUT ACCEPT + /sbin/iptables -t mangle -P POSTROUTING ACCEPT + elif [ $a == filter ]; then + /sbin/iptables -t filter -P INPUT ACCEPT + /sbin/iptables -t filter -P FORWARD ACCEPT + /sbin/iptables -t filter -P OUTPUT ACCEPT + fi + done + eend $? +} + +reload() { + ebegin "Flushing firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + done; + eend $? + start +} + diff --git a/testing/hosts/venus/etc/init.d/net.eth0 b/testing/hosts/venus/etc/init.d/net.eth0 new file mode 100755 index 000000000..fa1200242 --- /dev/null +++ b/testing/hosts/venus/etc/init.d/net.eth0 @@ -0,0 +1,314 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Technologies, Inc. +# Distributed under the terms of the GNU General Public License v2 + +#NB: Config is in /etc/conf.d/net + +if [[ -n $NET_DEBUG ]]; then + set -x + devnull=/dev/stderr +else + devnull=/dev/null +fi + +# For pcmcia users. note that pcmcia must be added to the same +# runlevel as the net.* script that needs it. +depend() { + use hotplug pcmcia +} + +checkconfig() { + if [[ -z "${ifconfig_IFACE}" ]]; then + eerror "Please make sure that /etc/conf.d/net has \$ifconfig_$IFACE set" + eerror "(or \$iface_$IFACE for old-style configuration)" + return 1 + fi + if [[ -n "${vlans_IFACE}" && ! -x /sbin/vconfig ]]; then + eerror "For VLAN (802.1q) support, emerge net-misc/vconfig" + return 1 + fi +} + +# Fix bug 50039 (init.d/net.eth0 localization) +# Some other commands in this script might need to be wrapped, but +# we'll get them one-by-one. Note that LC_ALL trumps LC_anything_else +# according to locale(7) +ifconfig() { + LC_ALL=C /sbin/ifconfig "$@" +} + +# setup_vars: setup variables based on $1 and content of /etc/conf.d/net +# The following variables are set, which should be declared local by +# the calling routine. +# status_IFACE (up or '') +# vlans_IFACE (space-separated list) +# ifconfig_IFACE (array of ifconfig lines, replaces iface_IFACE) +# dhcpcd_IFACE (command-line args for dhcpcd) +# routes_IFACE (array of route lines) +# inet6_IFACE (array of inet6 lines) +# ifconfig_fallback_IFACE (fallback ifconfig if dhcp fails) +setup_vars() { + local i iface="${1//\./_}" + + status_IFACE="$(ifconfig ${1} 2>${devnull} | gawk '$1 == "UP" {print "up"}')" + eval vlans_IFACE=\"\$\{iface_${iface}_vlans\}\" + eval ifconfig_IFACE=( \"\$\{ifconfig_$iface\[@\]\}\" ) + eval dhcpcd_IFACE=\"\$\{dhcpcd_$iface\}\" + eval routes_IFACE=( \"\$\{routes_$iface\[@\]\}\" ) + eval inet6_IFACE=( \"\$\{inet6_$iface\[@\]\}\" ) + eval ifconfig_fallback_IFACE=( \"\$\{ifconfig_fallback_$iface\[@\]\}\" ) + + # BACKWARD COMPATIBILITY: populate the ifconfig_IFACE array + # if iface_IFACE is set (fex. iface_eth0 instead of ifconfig_eth0) + eval local iface_IFACE=\"\$\{iface_$iface\}\" + if [[ -n ${iface_IFACE} && -z ${ifconfig_IFACE} ]]; then + # Make sure these get evaluated as arrays + local -a aliases broadcasts netmasks + + # Start with the primary interface + ifconfig_IFACE=( "${iface_IFACE}" ) + + # ..then add aliases + eval aliases=( \$\{alias_$iface\} ) + eval broadcasts=( \$\{broadcast_$iface\} ) + eval netmasks=( \$\{netmask_$iface\} ) + for ((i = 0; i < ${#aliases[@]}; i = i + 1)); do + ifconfig_IFACE[i+1]="${aliases[i]} ${broadcasts[i]:+broadcast ${broadcasts[i]}} ${netmasks[i]:+netmask ${netmasks[i]}}" + done + fi + + # BACKWARD COMPATIBILITY: check for space-separated inet6 addresses + if [[ ${#inet6_IFACE[@]} == 1 && ${inet6_IFACE} == *' '* ]]; then + inet6_IFACE=( ${inet6_IFACE} ) + fi +} + +iface_start() { + local IFACE=${1} i x retval + checkconfig || return 1 + + if [[ ${ifconfig_IFACE} != dhcp ]]; then + # Show the address, but catch if this interface will be inet6 only + i=${ifconfig_IFACE%% *} + if [[ ${i} == *.*.*.* ]]; then + ebegin "Bringing ${IFACE} up (${i})" + else + ebegin "Bringing ${IFACE} up" + fi + # ifconfig does not always return failure .. + ifconfig ${IFACE} ${ifconfig_IFACE} >${devnull} && \ + ifconfig ${IFACE} up &>${devnull} + eend $? || return $? + else + # Check that eth0 was not brought up by the kernel ... + if [[ ${status_IFACE} == up ]]; then + einfo "Keeping kernel configuration for ${IFACE}" + else + ebegin "Bringing ${IFACE} up via DHCP" + /sbin/dhcpcd ${dhcpcd_IFACE} ${IFACE} + retval=$? + eend $retval + if [[ $retval == 0 ]]; then + # DHCP succeeded, show address retrieved + i=$(ifconfig ${IFACE} | grep -m1 -o 'inet addr:[^ ]*' | + cut -d: -f2) + [[ -n ${i} ]] && einfo " ${IFACE} received address ${i}" + elif [[ -n "${ifconfig_fallback_IFACE}" ]]; then + # DHCP failed, try fallback. + # Show the address, but catch if this interface will be inet6 only + i=${ifconfig_fallback_IFACE%% *} + if [[ ${i} == *.*.*.* ]]; then + ebegin "Using fallback configuration (${i}) for ${IFACE}" + else + ebegin "Using fallback configuration for ${IFACE}" + fi + ifconfig ${IFACE} ${ifconfig_fallback_IFACE} >${devnull} && \ + ifconfig ${IFACE} up &>${devnull} + eend $? || return $? + else + return $retval + fi + fi + fi + + if [[ ${#ifconfig_IFACE[@]} -gt 1 ]]; then + einfo " Adding aliases" + for ((i = 1; i < ${#ifconfig_IFACE[@]}; i = i + 1)); do + ebegin " ${IFACE}:${i} (${ifconfig_IFACE[i]%% *})" + ifconfig ${IFACE}:${i} ${ifconfig_IFACE[i]} + eend $? + done + fi + + if [[ -n ${inet6_IFACE} ]]; then + einfo " Adding inet6 addresses" + for ((i = 0; i < ${#inet6_IFACE[@]}; i = i + 1)); do + ebegin " ${IFACE} inet6 add ${inet6_IFACE[i]}" + ifconfig ${IFACE} inet6 add ${inet6_IFACE[i]} >${devnull} + eend $? + done + fi + + # Set static routes + if [[ -n ${routes_IFACE} ]]; then + einfo " Adding routes" + for ((i = 0; i < ${#routes_IFACE[@]}; i = i + 1)); do + ebegin " ${routes_IFACE[i]}" + /sbin/route add ${routes_IFACE[i]} + eend $? + done + fi + + # Set default route if applicable to this interface + if [[ ${gateway} == ${IFACE}/* ]]; then + local ogw=$(/bin/netstat -rn | awk '$1 == "0.0.0.0" {print $2}') + local gw=${gateway#*/} + if [[ ${ogw} != ${gw} ]]; then + ebegin " Setting default gateway ($gw)" + + # First delete any existing route if it was setup by kernel... + /sbin/route del default dev ${IFACE} &>${devnull} + + # Second delete old gateway if it was set... + /sbin/route del default gw ${ogw} &>${devnull} + + # Third add our new default gateway + /sbin/route add default gw ${gw} >${devnull} + eend $? || { + true # need to have some command in here + # Note: This originally called stop, which is obviously + # wrong since it's calling with a local version of IFACE. + # The below code works correctly to abort configuration of + # the interface, but is commented because we're assuming + # that default route failure should not cause the interface + # to be unconfigured. + #local error=$? + #ewarn "Aborting configuration of ${IFACE}" + #iface_stop ${IFACE} + #return ${error} + } + fi + fi + + # Enabling rp_filter causes wacky packets to be auto-dropped by + # the kernel. Note that we only do this if it is not set via + # /etc/sysctl.conf ... + if [[ -e /proc/sys/net/ipv4/conf/${IFACE}/rp_filter && \ + -z "$(grep -s '^[^#]*rp_filter' /etc/sysctl.conf)" ]]; then + echo -n 1 > /proc/sys/net/ipv4/conf/${IFACE}/rp_filter + fi +} + +# iface_stop: bring down an interface. Don't trust information in +# /etc/conf.d/net since the configuration might have changed since +# iface_start ran. Instead query for current configuration and bring +# down the interface. +iface_stop() { + local IFACE=${1} i x aliases inet6 count + + # Try to do a simple down (no aliases, no inet6, no dhcp) + aliases="$(ifconfig | grep -o "^$IFACE:[0-9]*" | tac)" + inet6="$(ifconfig ${IFACE} | awk '$1 == "inet6" {print $2}')" + if [[ -z ${aliases} && -z ${inet6} && ! -e /var/run/dhcpcd-${IFACE}.pid ]]; then + ebegin "Bringing ${IFACE} down" + ifconfig ${IFACE} down &>/dev/null + eend 0 + return 0 + fi + + einfo "Bringing ${IFACE} down" + + # Stop aliases before primary interface. + # Note this must be done in reverse order, since ifconfig eth0:1 + # will remove eth0:2, etc. It might be sufficient to simply remove + # the base interface but we're being safe here. + for i in ${aliases} ${IFACE}; do + + # Delete all the inet6 addresses for this interface + inet6="$(ifconfig ${i} | awk '$1 == "inet6" {print $3}')" + if [[ -n ${inet6} ]]; then + einfo " Removing inet6 addresses" + for x in ${inet6}; do + ebegin " ${IFACE} inet6 del ${x}" + ifconfig ${i} inet6 del ${x} + eend $? + done + fi + + # Stop DHCP (should be N/A for aliases) + # Don't trust current configuration... investigate ourselves + if /sbin/dhcpcd -z ${i} &>${devnull}; then + ebegin " Releasing DHCP lease for ${IFACE}" + for ((count = 0; count < 9; count = count + 1)); do + /sbin/dhcpcd -z ${i} &>${devnull} || break + sleep 1 + done + [[ ${count} -lt 9 ]] + eend $? "Timed out" + fi + ebegin " Stopping ${i}" + ifconfig ${i} down &>${devnull} + eend 0 + done + + return 0 +} + +start() { + # These variables are set by setup_vars + local status_IFACE vlans_IFACE dhcpcd_IFACE + local -a ifconfig_IFACE routes_IFACE inet6_IFACE + + # Call user-defined preup function if it exists + if [[ $(type -t preup) == function ]]; then + einfo "Running preup function" + preup ${IFACE} || { + eerror "preup ${IFACE} failed" + return 1 + } + fi + + # Start the primary interface and aliases + setup_vars ${IFACE} + iface_start ${IFACE} || return 1 + + # Start vlans + local vlan + for vlan in ${vlans_IFACE}; do + /sbin/vconfig add ${IFACE} ${vlan} >${devnull} + setup_vars ${IFACE}.${vlan} + iface_start ${IFACE}.${vlan} + done + + # Call user-defined postup function if it exists + if [[ $(type -t postup) == function ]]; then + einfo "Running postup function" + postup ${IFACE} + fi +} + +stop() { + # Call user-defined predown function if it exists + if [[ $(type -t predown) == function ]]; then + einfo "Running predown function" + predown ${IFACE} + fi + + # Don't depend on setup_vars since configuration might have changed. + # Investigate current configuration instead. + local vlan + for vlan in $(ifconfig | grep -o "^${IFACE}\.[^ ]*"); do + iface_stop ${vlan} + /sbin/vconfig rem ${vlan} >${devnull} + done + + iface_stop ${IFACE} || return 1 # always succeeds, btw + + # Call user-defined postdown function if it exists + if [[ $(type -t postdown) == function ]]; then + einfo "Running postdown function" + postdown ${IFACE} + fi +} + +# vim:ts=4 diff --git a/testing/hosts/venus/etc/ipsec.conf b/testing/hosts/venus/etc/ipsec.conf new file mode 100755 index 000000000..35f264f82 --- /dev/null +++ b/testing/hosts/venus/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + nat_traversal=yes + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn nat-t + left=%defaultroute + leftcert=venusCert.pem + leftid=@venus.strongswan.org + leftfirewall=yes + right=PH_IP_SUN + rightid=@sun.strongswan.org + rightsubnet=10.2.0.0/16 + auto=add diff --git a/testing/hosts/venus/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/hosts/venus/etc/ipsec.d/cacerts/strongswanCert.pem new file mode 100644 index 000000000..0de3b268d --- /dev/null +++ b/testing/hosts/venus/etc/ipsec.d/cacerts/strongswanCert.pem @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDtTCCAp2gAwIBAgIBADANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA0MDkxMDExMDE0NVoXDTE0MDkwODExMDE0NVowRTELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9u +Z1N3YW4gUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL/y +X2LqPVZuWLPIeknK86xhz6ljd3NNhC2z+P1uoCP3sBMuZiZQEjFzhnKcbXxCeo2f +FnvhOOjrrisSuVkzuu82oxXD3fIkzuS7m9V4E10EZzgmKWIf+WuNRfbgAuUINmLc +4YGAXBQLPyzpP4Ou48hhz/YQo58Bics6PHy5v34qCVROIXDvqhj91P8g+pS+F21/ +7P+CH2jRcVIEHZtG8M/PweTPQ95dPzpYd2Ov6SZ/U7EWmbMmT8VcUYn1aChxFmy5 +gweVBWlkH6MP+1DeE0/tL5c87xo5KCeGK8Tdqpe7sBRC4pPEEHDQciTUvkeuJ1Pr +K+1LwdqRxo7HgMRiDw8CAwEAAaOBrzCBrDAPBgNVHRMBAf8EBTADAQH/MAsGA1Ud +DwQEAwIBBjAdBgNVHQ4EFgQUXafdcAZRMn7ntm2zteXgYOouTe8wbQYDVR0jBGYw +ZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYD +VQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3Qg +Q0GCAQAwDQYJKoZIhvcNAQEEBQADggEBAJrXTj5gWS37myHHhii9drYwkMFyDHS/ +lHU8rW/drcnHdus507+qUhNr9SiEAHg4Ywj895UDvT0a1sFaw44QyEa/94iKA8/n ++g5kS1IrKvWu3wu8UI3EgzChgHV3cncQlQWbK+FI9Y3Ax1O1np1r+wLptoWpKKKE +UxsYcxP9K4Nbyeon0AIHOajUheiL3t6aRc3m0o7VU7Do6S2r+He+1Zq/nRUfFeTy +0Atebkn8tmUpPSKWaXkmwpVNrjZ1Qu9umAU+dtJyhzL2zmnyhPC4VqpsKCOp7imy +gKZvUIKPm1zyf4T+yjwxwkiX2xVseoM3aKswb1EoZFelHwndU7u0GQ8= +-----END CERTIFICATE----- diff --git a/testing/hosts/venus/etc/ipsec.d/certs/venusCert.pem b/testing/hosts/venus/etc/ipsec.d/certs/venusCert.pem new file mode 100644 index 000000000..25a6941b0 --- /dev/null +++ b/testing/hosts/venus/etc/ipsec.d/certs/venusCert.pem @@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIIEDzCCAvegAwIBAgIBBDANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA0MDkxMDExMTgyNloXDTA5MDkwOTExMTgyNlowRzELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHTAbBgNVBAMTFHZlbnVz +LnN0cm9uZ3N3YW4ub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA +mlQ2s9J7bw73onkw0ZwwcM2JDJuU3KmmuzETlmLdtg7m8yFCdhoDg6cxrsIvPAWy +Gs++1e+1qzy7LTnNHckaHHFwJQf0JoIGE1bbUrJidX8B1T3sDdvZFbyfmQTWSEyJ +thrdqdPS92VJW/9XQOPeEhudIHr+NtWQfCm3OQFKDXGCEkHOjpVNHn3BPUiL99ON +FiLZX3gZy6vTERpEE8ga66fHtpM3RJfIxYoUQUdRw8iIa8iOvRGtJa/MfOWX6L/H +wquRv3SuCl4iMSph7e/VE+z5xx3OyKSAki914DgRFnQITKjyGxw1lORlDQlZy2w/ +nu0BAbXS1pb/2AiF8jDpbQIDAQABo4IBBjCCAQIwCQYDVR0TBAIwADALBgNVHQ8E +BAMCA6gwHQYDVR0OBBYEFEqPlXBYJh1knX0Q61HMcn9LOZ6sMG0GA1UdIwRmMGSA +FF2n3XAGUTJ+57Zts7Xl4GDqLk3voUmkRzBFMQswCQYDVQQGEwJDSDEZMBcGA1UE +ChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBSb290IENB +ggEAMB8GA1UdEQQYMBaCFHZlbnVzLnN0cm9uZ3N3YW4ub3JnMDkGA1UdHwQyMDAw +LqAsoCqGKGh0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbi5jcmww +DQYJKoZIhvcNAQEEBQADggEBAEx3kXh2Z5CMH+tX6cJPyi6gSeOgXy7NBiNsEdXN +rwGp4DwN6uiSog4EYZJA203oqE3eaoYdBXKiOGvjW4vyigvpDr8H+MeW2HsNuMKX +PFpY4NucV0fJlzFhtkp31zTLHNESCgTqNIwGj+CbN0rxhHGE6502krnu+C12nJ7B +fdMzml1RmVp4JlZC5yfiTy0F2s/aH+8xQ2x509UoD+boNM9GR+IlWS2dDypISGid +hbM4rpiMLBj2riWD8HiuljkKQ6LemBXeZQXuIPlusl7cH/synNkHk8iiALM8xfGh +wTEmdo5Tp5sDI3cj3LVvhcsTxjiOA81her1F0itlxpEA/gA= +-----END CERTIFICATE----- diff --git a/testing/hosts/venus/etc/ipsec.d/private/venusKey.pem b/testing/hosts/venus/etc/ipsec.d/private/venusKey.pem new file mode 100644 index 000000000..6c4aff0ad --- /dev/null +++ b/testing/hosts/venus/etc/ipsec.d/private/venusKey.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEogIBAAKCAQEAmlQ2s9J7bw73onkw0ZwwcM2JDJuU3KmmuzETlmLdtg7m8yFC +dhoDg6cxrsIvPAWyGs++1e+1qzy7LTnNHckaHHFwJQf0JoIGE1bbUrJidX8B1T3s +DdvZFbyfmQTWSEyJthrdqdPS92VJW/9XQOPeEhudIHr+NtWQfCm3OQFKDXGCEkHO +jpVNHn3BPUiL99ONFiLZX3gZy6vTERpEE8ga66fHtpM3RJfIxYoUQUdRw8iIa8iO +vRGtJa/MfOWX6L/HwquRv3SuCl4iMSph7e/VE+z5xx3OyKSAki914DgRFnQITKjy +Gxw1lORlDQlZy2w/nu0BAbXS1pb/2AiF8jDpbQIDAQABAoIBAFyVMMvn9YzGmeCq +e5MD9Dt30kPyAffu/stFwc5yOTfC8OHijhBzwq/0WWXRsKx9bj+PaZjGWWIE6PVU +u6ymvDdcBj7w6pM/ZY2siZ6uzUpXiy32G+qkfTMBGW2e7T4qTGMm8tuy69jmtn+u +SxXunYaXckfOATu8GxWhoP1dvKMbCrlQxxmduP04au8HhpLTQgDZ28PrvyqUR6AW +D+PDGACLbCFzmaMLgv6yv2+GNQpBEDr/VUjOOBvzZhUm9ku81dSdYNhHx8vbT/DG +GkERG9tE2PA51sWB5cUh13ZItWmbW/NoWiykxJb7J7VkjXAn57jw4suSbNEQnA/E +bg/5WwECgYEAyqEWS7cUCLheHuyWHOxkL7ACoko4wS8QO3Q4ohPlqZb7pca7FIqU +WzXEUcyYZPkKTAKx/Vd0Xv6raGImi1QluuwLULACvZ7Ei5uLsMxUCJKyLX7wunTb +64aH8jONNMAXX4K9eVj7EghBGjdnVc4HRAzm/QyH8F6hmXGT7Ulw3JECgYEAwvpU +AkrUGb5UgVG/tNtlOlCqVGyvWOITDEsxLPCTlC6Ls6EIYKvc/21oRNL7n/ssfvS/ +DbyVTatiCXaF/MDbx0msbxJbq3sGTY16/XMb1PeTRdQm4xsUEQB1Fi3MnhLmPzV1 +jdKSKvKoxTfZKUg9eP/aVs4abRyHsIXc7BRznR0CgYBB86qBHGa969xerlyxr1Nw +nhZNYmEUp8/duhdQ0a8XwtfHfmaX6f8drONoSHJ1swVh9iKetd9fp/58bC3lfY8G +RxvruE48D7gjRI50Dh1v6OdrnXyXA8As6c3HzHWybK9u2+v12jtmBB/Ee7H7oKKG +yLhKNtDsMLDic7BVNGkysQKBgHjzr0+oucCqiGOcoc8A1uABEFjE/1WlEOnsbzoQ +l4wx/6nT+I13r+WoKimftEZ/GxA6pZZQ6VHAQlXad63eubf75QMWIVXUQIm1fZli +Yd6QIoUL4X+62YzeesPib2+UC88kS6NKADCyTa3iQk3QqYm5Nenpew06yJXhxLWS +zlGlAoGACEbPUlQB+ouInOFyVcFf1kHsMBcmg54MVi2J6x95149rq5FlY5kbmZcs +6wlSBkAzzKb7WbPNgbGLMAYP+EXKODe+f1nzP+oojmJlCdTLfrudREFA2ZGGOKDX +0o2EhnGL7VB4Upuw5ddMs7s1v6pqUKQXrZQUb24AX8w/1n+0PEM= +-----END RSA PRIVATE KEY----- diff --git a/testing/hosts/venus/etc/ipsec.secrets b/testing/hosts/venus/etc/ipsec.secrets new file mode 100644 index 000000000..11f3aa4ca --- /dev/null +++ b/testing/hosts/venus/etc/ipsec.secrets @@ -0,0 +1,8 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA venusKey.pem + + + + + diff --git a/testing/hosts/venus/etc/runlevels/default/net.eth0 b/testing/hosts/venus/etc/runlevels/default/net.eth0 new file mode 100755 index 000000000..fa1200242 --- /dev/null +++ b/testing/hosts/venus/etc/runlevels/default/net.eth0 @@ -0,0 +1,314 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Technologies, Inc. +# Distributed under the terms of the GNU General Public License v2 + +#NB: Config is in /etc/conf.d/net + +if [[ -n $NET_DEBUG ]]; then + set -x + devnull=/dev/stderr +else + devnull=/dev/null +fi + +# For pcmcia users. note that pcmcia must be added to the same +# runlevel as the net.* script that needs it. +depend() { + use hotplug pcmcia +} + +checkconfig() { + if [[ -z "${ifconfig_IFACE}" ]]; then + eerror "Please make sure that /etc/conf.d/net has \$ifconfig_$IFACE set" + eerror "(or \$iface_$IFACE for old-style configuration)" + return 1 + fi + if [[ -n "${vlans_IFACE}" && ! -x /sbin/vconfig ]]; then + eerror "For VLAN (802.1q) support, emerge net-misc/vconfig" + return 1 + fi +} + +# Fix bug 50039 (init.d/net.eth0 localization) +# Some other commands in this script might need to be wrapped, but +# we'll get them one-by-one. Note that LC_ALL trumps LC_anything_else +# according to locale(7) +ifconfig() { + LC_ALL=C /sbin/ifconfig "$@" +} + +# setup_vars: setup variables based on $1 and content of /etc/conf.d/net +# The following variables are set, which should be declared local by +# the calling routine. +# status_IFACE (up or '') +# vlans_IFACE (space-separated list) +# ifconfig_IFACE (array of ifconfig lines, replaces iface_IFACE) +# dhcpcd_IFACE (command-line args for dhcpcd) +# routes_IFACE (array of route lines) +# inet6_IFACE (array of inet6 lines) +# ifconfig_fallback_IFACE (fallback ifconfig if dhcp fails) +setup_vars() { + local i iface="${1//\./_}" + + status_IFACE="$(ifconfig ${1} 2>${devnull} | gawk '$1 == "UP" {print "up"}')" + eval vlans_IFACE=\"\$\{iface_${iface}_vlans\}\" + eval ifconfig_IFACE=( \"\$\{ifconfig_$iface\[@\]\}\" ) + eval dhcpcd_IFACE=\"\$\{dhcpcd_$iface\}\" + eval routes_IFACE=( \"\$\{routes_$iface\[@\]\}\" ) + eval inet6_IFACE=( \"\$\{inet6_$iface\[@\]\}\" ) + eval ifconfig_fallback_IFACE=( \"\$\{ifconfig_fallback_$iface\[@\]\}\" ) + + # BACKWARD COMPATIBILITY: populate the ifconfig_IFACE array + # if iface_IFACE is set (fex. iface_eth0 instead of ifconfig_eth0) + eval local iface_IFACE=\"\$\{iface_$iface\}\" + if [[ -n ${iface_IFACE} && -z ${ifconfig_IFACE} ]]; then + # Make sure these get evaluated as arrays + local -a aliases broadcasts netmasks + + # Start with the primary interface + ifconfig_IFACE=( "${iface_IFACE}" ) + + # ..then add aliases + eval aliases=( \$\{alias_$iface\} ) + eval broadcasts=( \$\{broadcast_$iface\} ) + eval netmasks=( \$\{netmask_$iface\} ) + for ((i = 0; i < ${#aliases[@]}; i = i + 1)); do + ifconfig_IFACE[i+1]="${aliases[i]} ${broadcasts[i]:+broadcast ${broadcasts[i]}} ${netmasks[i]:+netmask ${netmasks[i]}}" + done + fi + + # BACKWARD COMPATIBILITY: check for space-separated inet6 addresses + if [[ ${#inet6_IFACE[@]} == 1 && ${inet6_IFACE} == *' '* ]]; then + inet6_IFACE=( ${inet6_IFACE} ) + fi +} + +iface_start() { + local IFACE=${1} i x retval + checkconfig || return 1 + + if [[ ${ifconfig_IFACE} != dhcp ]]; then + # Show the address, but catch if this interface will be inet6 only + i=${ifconfig_IFACE%% *} + if [[ ${i} == *.*.*.* ]]; then + ebegin "Bringing ${IFACE} up (${i})" + else + ebegin "Bringing ${IFACE} up" + fi + # ifconfig does not always return failure .. + ifconfig ${IFACE} ${ifconfig_IFACE} >${devnull} && \ + ifconfig ${IFACE} up &>${devnull} + eend $? || return $? + else + # Check that eth0 was not brought up by the kernel ... + if [[ ${status_IFACE} == up ]]; then + einfo "Keeping kernel configuration for ${IFACE}" + else + ebegin "Bringing ${IFACE} up via DHCP" + /sbin/dhcpcd ${dhcpcd_IFACE} ${IFACE} + retval=$? + eend $retval + if [[ $retval == 0 ]]; then + # DHCP succeeded, show address retrieved + i=$(ifconfig ${IFACE} | grep -m1 -o 'inet addr:[^ ]*' | + cut -d: -f2) + [[ -n ${i} ]] && einfo " ${IFACE} received address ${i}" + elif [[ -n "${ifconfig_fallback_IFACE}" ]]; then + # DHCP failed, try fallback. + # Show the address, but catch if this interface will be inet6 only + i=${ifconfig_fallback_IFACE%% *} + if [[ ${i} == *.*.*.* ]]; then + ebegin "Using fallback configuration (${i}) for ${IFACE}" + else + ebegin "Using fallback configuration for ${IFACE}" + fi + ifconfig ${IFACE} ${ifconfig_fallback_IFACE} >${devnull} && \ + ifconfig ${IFACE} up &>${devnull} + eend $? || return $? + else + return $retval + fi + fi + fi + + if [[ ${#ifconfig_IFACE[@]} -gt 1 ]]; then + einfo " Adding aliases" + for ((i = 1; i < ${#ifconfig_IFACE[@]}; i = i + 1)); do + ebegin " ${IFACE}:${i} (${ifconfig_IFACE[i]%% *})" + ifconfig ${IFACE}:${i} ${ifconfig_IFACE[i]} + eend $? + done + fi + + if [[ -n ${inet6_IFACE} ]]; then + einfo " Adding inet6 addresses" + for ((i = 0; i < ${#inet6_IFACE[@]}; i = i + 1)); do + ebegin " ${IFACE} inet6 add ${inet6_IFACE[i]}" + ifconfig ${IFACE} inet6 add ${inet6_IFACE[i]} >${devnull} + eend $? + done + fi + + # Set static routes + if [[ -n ${routes_IFACE} ]]; then + einfo " Adding routes" + for ((i = 0; i < ${#routes_IFACE[@]}; i = i + 1)); do + ebegin " ${routes_IFACE[i]}" + /sbin/route add ${routes_IFACE[i]} + eend $? + done + fi + + # Set default route if applicable to this interface + if [[ ${gateway} == ${IFACE}/* ]]; then + local ogw=$(/bin/netstat -rn | awk '$1 == "0.0.0.0" {print $2}') + local gw=${gateway#*/} + if [[ ${ogw} != ${gw} ]]; then + ebegin " Setting default gateway ($gw)" + + # First delete any existing route if it was setup by kernel... + /sbin/route del default dev ${IFACE} &>${devnull} + + # Second delete old gateway if it was set... + /sbin/route del default gw ${ogw} &>${devnull} + + # Third add our new default gateway + /sbin/route add default gw ${gw} >${devnull} + eend $? || { + true # need to have some command in here + # Note: This originally called stop, which is obviously + # wrong since it's calling with a local version of IFACE. + # The below code works correctly to abort configuration of + # the interface, but is commented because we're assuming + # that default route failure should not cause the interface + # to be unconfigured. + #local error=$? + #ewarn "Aborting configuration of ${IFACE}" + #iface_stop ${IFACE} + #return ${error} + } + fi + fi + + # Enabling rp_filter causes wacky packets to be auto-dropped by + # the kernel. Note that we only do this if it is not set via + # /etc/sysctl.conf ... + if [[ -e /proc/sys/net/ipv4/conf/${IFACE}/rp_filter && \ + -z "$(grep -s '^[^#]*rp_filter' /etc/sysctl.conf)" ]]; then + echo -n 1 > /proc/sys/net/ipv4/conf/${IFACE}/rp_filter + fi +} + +# iface_stop: bring down an interface. Don't trust information in +# /etc/conf.d/net since the configuration might have changed since +# iface_start ran. Instead query for current configuration and bring +# down the interface. +iface_stop() { + local IFACE=${1} i x aliases inet6 count + + # Try to do a simple down (no aliases, no inet6, no dhcp) + aliases="$(ifconfig | grep -o "^$IFACE:[0-9]*" | tac)" + inet6="$(ifconfig ${IFACE} | awk '$1 == "inet6" {print $2}')" + if [[ -z ${aliases} && -z ${inet6} && ! -e /var/run/dhcpcd-${IFACE}.pid ]]; then + ebegin "Bringing ${IFACE} down" + ifconfig ${IFACE} down &>/dev/null + eend 0 + return 0 + fi + + einfo "Bringing ${IFACE} down" + + # Stop aliases before primary interface. + # Note this must be done in reverse order, since ifconfig eth0:1 + # will remove eth0:2, etc. It might be sufficient to simply remove + # the base interface but we're being safe here. + for i in ${aliases} ${IFACE}; do + + # Delete all the inet6 addresses for this interface + inet6="$(ifconfig ${i} | awk '$1 == "inet6" {print $3}')" + if [[ -n ${inet6} ]]; then + einfo " Removing inet6 addresses" + for x in ${inet6}; do + ebegin " ${IFACE} inet6 del ${x}" + ifconfig ${i} inet6 del ${x} + eend $? + done + fi + + # Stop DHCP (should be N/A for aliases) + # Don't trust current configuration... investigate ourselves + if /sbin/dhcpcd -z ${i} &>${devnull}; then + ebegin " Releasing DHCP lease for ${IFACE}" + for ((count = 0; count < 9; count = count + 1)); do + /sbin/dhcpcd -z ${i} &>${devnull} || break + sleep 1 + done + [[ ${count} -lt 9 ]] + eend $? "Timed out" + fi + ebegin " Stopping ${i}" + ifconfig ${i} down &>${devnull} + eend 0 + done + + return 0 +} + +start() { + # These variables are set by setup_vars + local status_IFACE vlans_IFACE dhcpcd_IFACE + local -a ifconfig_IFACE routes_IFACE inet6_IFACE + + # Call user-defined preup function if it exists + if [[ $(type -t preup) == function ]]; then + einfo "Running preup function" + preup ${IFACE} || { + eerror "preup ${IFACE} failed" + return 1 + } + fi + + # Start the primary interface and aliases + setup_vars ${IFACE} + iface_start ${IFACE} || return 1 + + # Start vlans + local vlan + for vlan in ${vlans_IFACE}; do + /sbin/vconfig add ${IFACE} ${vlan} >${devnull} + setup_vars ${IFACE}.${vlan} + iface_start ${IFACE}.${vlan} + done + + # Call user-defined postup function if it exists + if [[ $(type -t postup) == function ]]; then + einfo "Running postup function" + postup ${IFACE} + fi +} + +stop() { + # Call user-defined predown function if it exists + if [[ $(type -t predown) == function ]]; then + einfo "Running predown function" + predown ${IFACE} + fi + + # Don't depend on setup_vars since configuration might have changed. + # Investigate current configuration instead. + local vlan + for vlan in $(ifconfig | grep -o "^${IFACE}\.[^ ]*"); do + iface_stop ${vlan} + /sbin/vconfig rem ${vlan} >${devnull} + done + + iface_stop ${IFACE} || return 1 # always succeeds, btw + + # Call user-defined postdown function if it exists + if [[ $(type -t postdown) == function ]]; then + einfo "Running postdown function" + postdown ${IFACE} + fi +} + +# vim:ts=4 diff --git a/testing/hosts/winnetou/etc/apache2/conf/ssl/ca.crt b/testing/hosts/winnetou/etc/apache2/conf/ssl/ca.crt new file mode 100644 index 000000000..0de3b268d --- /dev/null +++ b/testing/hosts/winnetou/etc/apache2/conf/ssl/ca.crt @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDtTCCAp2gAwIBAgIBADANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA0MDkxMDExMDE0NVoXDTE0MDkwODExMDE0NVowRTELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9u +Z1N3YW4gUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL/y +X2LqPVZuWLPIeknK86xhz6ljd3NNhC2z+P1uoCP3sBMuZiZQEjFzhnKcbXxCeo2f +FnvhOOjrrisSuVkzuu82oxXD3fIkzuS7m9V4E10EZzgmKWIf+WuNRfbgAuUINmLc +4YGAXBQLPyzpP4Ou48hhz/YQo58Bics6PHy5v34qCVROIXDvqhj91P8g+pS+F21/ +7P+CH2jRcVIEHZtG8M/PweTPQ95dPzpYd2Ov6SZ/U7EWmbMmT8VcUYn1aChxFmy5 +gweVBWlkH6MP+1DeE0/tL5c87xo5KCeGK8Tdqpe7sBRC4pPEEHDQciTUvkeuJ1Pr +K+1LwdqRxo7HgMRiDw8CAwEAAaOBrzCBrDAPBgNVHRMBAf8EBTADAQH/MAsGA1Ud +DwQEAwIBBjAdBgNVHQ4EFgQUXafdcAZRMn7ntm2zteXgYOouTe8wbQYDVR0jBGYw +ZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYD +VQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3Qg +Q0GCAQAwDQYJKoZIhvcNAQEEBQADggEBAJrXTj5gWS37myHHhii9drYwkMFyDHS/ +lHU8rW/drcnHdus507+qUhNr9SiEAHg4Ywj895UDvT0a1sFaw44QyEa/94iKA8/n ++g5kS1IrKvWu3wu8UI3EgzChgHV3cncQlQWbK+FI9Y3Ax1O1np1r+wLptoWpKKKE +UxsYcxP9K4Nbyeon0AIHOajUheiL3t6aRc3m0o7VU7Do6S2r+He+1Zq/nRUfFeTy +0Atebkn8tmUpPSKWaXkmwpVNrjZ1Qu9umAU+dtJyhzL2zmnyhPC4VqpsKCOp7imy +gKZvUIKPm1zyf4T+yjwxwkiX2xVseoM3aKswb1EoZFelHwndU7u0GQ8= +-----END CERTIFICATE----- diff --git a/testing/hosts/winnetou/etc/apache2/conf/ssl/server.crt b/testing/hosts/winnetou/etc/apache2/conf/ssl/server.crt new file mode 100644 index 000000000..956c217d9 --- /dev/null +++ b/testing/hosts/winnetou/etc/apache2/conf/ssl/server.crt @@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIIEFTCCAv2gAwIBAgIBDjANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA1MDYwODE5MTcxNFoXDTEwMDYwNzE5MTcxNFowSjELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xIDAeBgNVBAMTF3dpbm5l +dG91LnN0cm9uZ3N3YW4ub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +AQEAwBkz95BmByWVZaEW8cDbeuGr4C1caGAj4QPmuwaIriK+7XqXuh16Ahe3S5vZ +F56WhUSvMDOIyULckKH84oSa3Jx/SCz0g7X42x8vZuq92tpsjcP/u7BlyqpBUtLa +r14qm5wYw/1nQqMcSG3k9MQOQ+e9KgaGqpidxWM/8T4M/41AaFRBK2gQGBUULo26 +sjoq3af7Z2jYmWkP/kzj1CHLy9Mgt+UvhKeA+ag5cZnyOG596cqVjlKyqG7vdggk +wW2n+/KDpHNOndYfT7GMFeGXUNzJPkCImWlttic7ssi0mjP3q3MuOP3FNHIRMd2H +AcNcqT0bgdJHqnNzGv8C0Ei9XQIDAQABo4IBCTCCAQUwCQYDVR0TBAIwADALBgNV +HQ8EBAMCA6gwHQYDVR0OBBYEFEMS0mbhrA4zDvmfKf4MntUNxkH4MG0GA1UdIwRm +MGSAFF2n3XAGUTJ+57Zts7Xl4GDqLk3voUmkRzBFMQswCQYDVQQGEwJDSDEZMBcG +A1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBSb290 +IENBggEAMCIGA1UdEQQbMBmCF3dpbm5ldG91LnN0cm9uZ3N3YW4ub3JnMDkGA1Ud +HwQyMDAwLqAsoCqGKGh0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dh +bi5jcmwwDQYJKoZIhvcNAQEEBQADggEBACO4+j1Mwt/lbkopeSJst46uFh7OtegG +6IWNE30i3l3FIn9slSwAOMtmZR0hAF8sExvk61EPlzCR/d9trSJ5+gyjPkeF/enw +p61rxPMT13Grzomi9gYlk6Q/0zLmE9uYWEY69Q0bEIUcfdZfwB+F7kesa946JNMc +yHfVEhKtvzmns9ueG0S/8E+6MPDeJv+JHQ++SdWSvOVg6JNxXDGusnim2fjM2Aln +JmqA6iU4IaPl9DUCuXlLOVv/YhwhviNEbF94upyHq8xjOZdzPbKroHXg/2yvalAw +4aXc/ZsnFxqsq3i6a2Fj1Y4J7gYsNO/HwA0xvKz3loOTqHaJqO/qeow= +-----END CERTIFICATE----- diff --git a/testing/hosts/winnetou/etc/apache2/conf/ssl/server.key b/testing/hosts/winnetou/etc/apache2/conf/ssl/server.key new file mode 100644 index 000000000..727027188 --- /dev/null +++ b/testing/hosts/winnetou/etc/apache2/conf/ssl/server.key @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAwBkz95BmByWVZaEW8cDbeuGr4C1caGAj4QPmuwaIriK+7XqX +uh16Ahe3S5vZF56WhUSvMDOIyULckKH84oSa3Jx/SCz0g7X42x8vZuq92tpsjcP/ +u7BlyqpBUtLar14qm5wYw/1nQqMcSG3k9MQOQ+e9KgaGqpidxWM/8T4M/41AaFRB +K2gQGBUULo26sjoq3af7Z2jYmWkP/kzj1CHLy9Mgt+UvhKeA+ag5cZnyOG596cqV +jlKyqG7vdggkwW2n+/KDpHNOndYfT7GMFeGXUNzJPkCImWlttic7ssi0mjP3q3Mu +OP3FNHIRMd2HAcNcqT0bgdJHqnNzGv8C0Ei9XQIDAQABAoIBACYiWrCgl8B/c4Lz +Uay4Tlm8hvQ/zQJjY3v93EXwbB21hBV8qrYlt9zGfHqj+5q2vsbB9c0pzdO2VDba +EWueS2fUIWhglEG5VCebrztNCldx2O7jo9bMk8iBt+oLNaJunSK7ACeYHHGcE7dF +KZh1eyd7z4+SMBWZqmhO5ZisasQoHCusVGepcyyMGQNkc3XKJ6resGAsOqrOoq7Q +C4vO5Kkbnk8nnEGmQ/ldD8LwIyq1hzVLDiiqWXZgh6S5l4BEo7Dy3KYrZoZfVcZK +GMVhAI2+uA1ZqY9twpwryT6VZ3eK4DXF/COQntiBW5pLOpaqTOnKqiVmZFwfbo3u +cq8n5jkCgYEA5zgzRLifbM0q34c2HX8pTegh+BH7MGCxtcoU2uRPaXiGkqQObHI9 +aItrgUQp+pAmKSBnEWJKgKsOh2Uf5ogjIeNuruGG/AXw/Pw2ORHNueenhDuhu69T +E2I4yxT3PPYbdzJ4ylBElfgm9WTrv7Wi7wSSfgQ6rEFdWukXa5vvsqMCgYEA1K+q +m1Jv9MGVIVc6MxhuOOj2Ym+qcWt/Pjvg78rR8SRsKwHlGTuv1rdWUSXYDr3f2Nf7 +6DdbJtaSx5f8gY/UG34yGZx5FFbYV03vcCYBaLXsi/b6H7vb/VW74Y5g6bXqnprv +4mcdVU7xfyNFgdbLPAP9sYVLijPYDwm0Qq3cz/8CgYBKSJz4BBR8AQI4JBl3qoXb +mKtpJmW76iTN0amXlWgJ64XYkMptftpJvxj/w6V08WDBL77NL/XdlpcpWozAJJac +6ZOCrcQPLd15eZH2Dck5Y7pG2l2gjbgz7wdt/0NbG3pBdj6mSNlwEPR7PDwdMD6z +aZWi1LsA4lMaxO4YTVXZ3wKBgQCoFhTNH/+e/YawjNFQJFSn4WUnMn0Pmhc7xfLl +T/NPkqtx6dN3d7ZmCQrMow33yJOqOje5tFXzgc0KtNE4S8Uj3T4XA5SlQGVFyjAa +/85JRM2naA8RGVSpCCKuBeoNilnb8zL2SOvjyboN8oAyNuDzk2vh6ihjFsoASHkP +4XwLXQKBgQC0k6rzt/plIwEiP56XXOqwOxJj6kuE/hx1zGIiGT6lWiOsih20Ym2T +kYegVFvuDIWmSIAxGONWyee1lfnJbEuaHRixWQTnHUpqrU0FSnZTubnR3q/faZat +hrvLDdpa0ydAKoMEn3qUPSrh3CdBfi3KTQAQn2Mlk7bGHh9ICWi3vA== +-----END RSA PRIVATE KEY----- diff --git a/testing/hosts/winnetou/etc/conf.d/apache2 b/testing/hosts/winnetou/etc/conf.d/apache2 new file mode 100644 index 000000000..cfb80a7d9 --- /dev/null +++ b/testing/hosts/winnetou/etc/conf.d/apache2 @@ -0,0 +1,52 @@ +# Copyright 1999-2004 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/strongswan/testing/hosts/winnetou/etc/conf.d/apache2,v 1.2 2006/01/06 12:21:21 as Exp $ + +# Config file for /etc/init.d/apache2 + +# An example from /etc/apache2/conf/modules.d/40_mod_ssl.conf: +# +# <IfDefine SSL> +# <IfModule !mod_ssl.c> +# LoadModule ssl_module extramodules/mod_ssl.so +# </IfModule> +# </IfDefine> +# +# This means that the mod_ssl.so DSO module is only loaded +# into the server when you pass "-D SSL" at startup. To +# enable WebDAV, add "-D DAV -D DAV_FS". If you installed +# mod_php then add "-D PHP4". For more options, please +# read the files in the /etc/apache2/conf/modules.d directory. + +APACHE2_OPTS="-D SSL -D DEFAULT_VHOST" + +# Extended options for advanced uses of Apache ONLY +# You don't need to edit these unless you are doing crazy Apache stuff +# As not having them set correctly, or feeding in an incorrect configuration +# via them will result in Apache failing to start +# YOU HAVE BEEN WARNED. + +# ServerRoot setting +#SERVERROOT=/etc/apache2 + +# Configuration file location +# - If this does NOT start with a '/', then it is treated relative to +# $SERVERROOT by Apache +#CONFIGFILE=conf/apache2.conf + +# Location to log startup errors to +# They are normally dumped to your terminal. +#STARTUPERRORLOG="/var/log/apache2/startuperror.log" + +# PID file location +# Note that this MUST match the setting in your configuration file! +PIDFILE=/var/run/apache2.pid + +# Restart style +# see http://httpd.apache.org/docs-2.0/stopping.html for more details +# the default is 'graceful', the other possible value is 'restart' +# If you use 'graceful', completion of the command does NOT imply that the system +# has finished restarting. Restart is finished only when all child processes +# have finished serving their current request sets. Read the URL for details. +#RESTARTSTYLE="restart" +RESTARTSTYLE="graceful" diff --git a/testing/hosts/winnetou/etc/conf.d/hostname b/testing/hosts/winnetou/etc/conf.d/hostname new file mode 100644 index 000000000..1bfa5acbd --- /dev/null +++ b/testing/hosts/winnetou/etc/conf.d/hostname @@ -0,0 +1 @@ +HOSTNAME=winnetou diff --git a/testing/hosts/winnetou/etc/conf.d/net b/testing/hosts/winnetou/etc/conf.d/net new file mode 100644 index 000000000..1a32153f3 --- /dev/null +++ b/testing/hosts/winnetou/etc/conf.d/net @@ -0,0 +1,10 @@ +# /etc/conf.d/net: + +# This is basically the ifconfig argument without the ifconfig $iface +# +iface_lo="127.0.0.1 netmask 255.0.0.0" +iface_eth0="PH_IP_WINNETOU broadcast 192.168.0.255 netmask 255.255.255.0" + +# For setting the default gateway +# +gateway="eth0/192.168.0.254" diff --git a/testing/hosts/winnetou/etc/conf.d/slapd b/testing/hosts/winnetou/etc/conf.d/slapd new file mode 100644 index 000000000..8d9ac4787 --- /dev/null +++ b/testing/hosts/winnetou/etc/conf.d/slapd @@ -0,0 +1,8 @@ +# conf.d file for the openldap-2.1 series +# +# To enable both the standard unciphered server and the ssl encrypted +# one uncomment this line or set any other server starting options +# you may desire. +# +# OPTS="-h 'ldaps:// ldap:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'" +OPTS="-4" diff --git a/testing/hosts/winnetou/etc/hostname b/testing/hosts/winnetou/etc/hostname new file mode 100644 index 000000000..6338c7c73 --- /dev/null +++ b/testing/hosts/winnetou/etc/hostname @@ -0,0 +1 @@ +winnetou diff --git a/testing/hosts/winnetou/etc/init.d/apache2 b/testing/hosts/winnetou/etc/init.d/apache2 new file mode 100755 index 000000000..f54f3444a --- /dev/null +++ b/testing/hosts/winnetou/etc/init.d/apache2 @@ -0,0 +1,78 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +opts="${opts} reload" + +[ "x${SERVERROOT}" != "x" ] && APACHE2_OPTS="${APACHE2_OPTS} -d ${SERVERROOT}" +[ "x${CONFIGFILE}" != "x" ] && APACHE2_OPTS="${APACHE2_OPTS} -f ${CONFIGFILE}" +[ "x${STARTUPERRORLOG}" != "x" ] && APACHE2_OPTS="${APACHE2_OPTS} -E ${STARTUPERRORLOG}" +# set a default for PIDFILE/RESTARTSTYLE for those that FAILED to follow +# instructiosn and update the conf.d/apache2 file. +# (bug #38787) +[ -z "${PIDFILE}" ] && PIDFILE=/var/run/apache2.pid +[ -z "${RESTARTSTYLE}" ] && RESTARTSTYLE="graceful" + +checkconfig() { + local myconf="/etc/apache2/conf/apache2.conf" + if [ "x${CONFIGFILE}" != "x" ]; then + if [ ${CONFIGFILE:0:1} = "/" ]; then + myconf="${CONFIGFILE}" + else + myconf="${SERVERROOT:-/usr/lib/apache2}/${CONFIGFILE}" + fi + fi + if [ ! -r "${myconf}" ]; then + eerror "Unable to read configuration file: ${myconf}" + return 1 + fi + if [ -z "${PIDFILE}" ]; then + eerror "\$PIDFILE is not set!" + eerror "Did you etc-update /etc/conf.d/apache2?" + return 1 + fi + if [ -z "${RESTARTSTYLE}" ]; then + eerror "\$RESTARTSTYLE is not set!" + eerror "Did you etc-update /etc/conf.d/apache2?" + return 1 + fi + /usr/sbin/apache2 -t ${APACHE2_OPTS} 1>/dev/null 2>&1 + ret=$? + if [ $ret -ne 0 ]; then + eerror "Apache2 has detected a syntax error in your configuration files:" + /usr/sbin/apache2 -t ${APACHE2_OPTS} + fi + return $ret +} + +depend() { + need net + use mysql dns logger netmount postgres + after sshd +} + +start() { + checkconfig || return 1 + ebegin "Starting apache2" + [ -f /var/log/apache2/ssl_scache ] && rm /var/log/apache2/ssl_scache + [ -f /usr/lib/apache2/build/envvars ] && . /usr/lib/apache2/build/envvars + env -i PATH=$PATH /sbin/start-stop-daemon --quiet \ + --start --startas /usr/sbin/apache2 \ + --pidfile ${PIDFILE} -- -k start ${APACHE2_OPTS} + eend $? +} + +stop() { + ebegin "Stopping apache2" + /usr/sbin/apache2ctl stop >/dev/null + start-stop-daemon -o --quiet --stop --pidfile ${PIDFILE} + eend $? +} + +reload() { + # restarting apache2 is much easier than apache1. The server handles most of the work for us. + # see http://httpd.apache.org/docs-2.0/stopping.html for more details + ebegin "Restarting apache2" + /usr/sbin/apache2 ${APACHE2_OPTS} -k ${RESTARTSTYLE} + eend $? +} diff --git a/testing/hosts/winnetou/etc/init.d/net.eth0 b/testing/hosts/winnetou/etc/init.d/net.eth0 new file mode 100755 index 000000000..fa1200242 --- /dev/null +++ b/testing/hosts/winnetou/etc/init.d/net.eth0 @@ -0,0 +1,314 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Technologies, Inc. +# Distributed under the terms of the GNU General Public License v2 + +#NB: Config is in /etc/conf.d/net + +if [[ -n $NET_DEBUG ]]; then + set -x + devnull=/dev/stderr +else + devnull=/dev/null +fi + +# For pcmcia users. note that pcmcia must be added to the same +# runlevel as the net.* script that needs it. +depend() { + use hotplug pcmcia +} + +checkconfig() { + if [[ -z "${ifconfig_IFACE}" ]]; then + eerror "Please make sure that /etc/conf.d/net has \$ifconfig_$IFACE set" + eerror "(or \$iface_$IFACE for old-style configuration)" + return 1 + fi + if [[ -n "${vlans_IFACE}" && ! -x /sbin/vconfig ]]; then + eerror "For VLAN (802.1q) support, emerge net-misc/vconfig" + return 1 + fi +} + +# Fix bug 50039 (init.d/net.eth0 localization) +# Some other commands in this script might need to be wrapped, but +# we'll get them one-by-one. Note that LC_ALL trumps LC_anything_else +# according to locale(7) +ifconfig() { + LC_ALL=C /sbin/ifconfig "$@" +} + +# setup_vars: setup variables based on $1 and content of /etc/conf.d/net +# The following variables are set, which should be declared local by +# the calling routine. +# status_IFACE (up or '') +# vlans_IFACE (space-separated list) +# ifconfig_IFACE (array of ifconfig lines, replaces iface_IFACE) +# dhcpcd_IFACE (command-line args for dhcpcd) +# routes_IFACE (array of route lines) +# inet6_IFACE (array of inet6 lines) +# ifconfig_fallback_IFACE (fallback ifconfig if dhcp fails) +setup_vars() { + local i iface="${1//\./_}" + + status_IFACE="$(ifconfig ${1} 2>${devnull} | gawk '$1 == "UP" {print "up"}')" + eval vlans_IFACE=\"\$\{iface_${iface}_vlans\}\" + eval ifconfig_IFACE=( \"\$\{ifconfig_$iface\[@\]\}\" ) + eval dhcpcd_IFACE=\"\$\{dhcpcd_$iface\}\" + eval routes_IFACE=( \"\$\{routes_$iface\[@\]\}\" ) + eval inet6_IFACE=( \"\$\{inet6_$iface\[@\]\}\" ) + eval ifconfig_fallback_IFACE=( \"\$\{ifconfig_fallback_$iface\[@\]\}\" ) + + # BACKWARD COMPATIBILITY: populate the ifconfig_IFACE array + # if iface_IFACE is set (fex. iface_eth0 instead of ifconfig_eth0) + eval local iface_IFACE=\"\$\{iface_$iface\}\" + if [[ -n ${iface_IFACE} && -z ${ifconfig_IFACE} ]]; then + # Make sure these get evaluated as arrays + local -a aliases broadcasts netmasks + + # Start with the primary interface + ifconfig_IFACE=( "${iface_IFACE}" ) + + # ..then add aliases + eval aliases=( \$\{alias_$iface\} ) + eval broadcasts=( \$\{broadcast_$iface\} ) + eval netmasks=( \$\{netmask_$iface\} ) + for ((i = 0; i < ${#aliases[@]}; i = i + 1)); do + ifconfig_IFACE[i+1]="${aliases[i]} ${broadcasts[i]:+broadcast ${broadcasts[i]}} ${netmasks[i]:+netmask ${netmasks[i]}}" + done + fi + + # BACKWARD COMPATIBILITY: check for space-separated inet6 addresses + if [[ ${#inet6_IFACE[@]} == 1 && ${inet6_IFACE} == *' '* ]]; then + inet6_IFACE=( ${inet6_IFACE} ) + fi +} + +iface_start() { + local IFACE=${1} i x retval + checkconfig || return 1 + + if [[ ${ifconfig_IFACE} != dhcp ]]; then + # Show the address, but catch if this interface will be inet6 only + i=${ifconfig_IFACE%% *} + if [[ ${i} == *.*.*.* ]]; then + ebegin "Bringing ${IFACE} up (${i})" + else + ebegin "Bringing ${IFACE} up" + fi + # ifconfig does not always return failure .. + ifconfig ${IFACE} ${ifconfig_IFACE} >${devnull} && \ + ifconfig ${IFACE} up &>${devnull} + eend $? || return $? + else + # Check that eth0 was not brought up by the kernel ... + if [[ ${status_IFACE} == up ]]; then + einfo "Keeping kernel configuration for ${IFACE}" + else + ebegin "Bringing ${IFACE} up via DHCP" + /sbin/dhcpcd ${dhcpcd_IFACE} ${IFACE} + retval=$? + eend $retval + if [[ $retval == 0 ]]; then + # DHCP succeeded, show address retrieved + i=$(ifconfig ${IFACE} | grep -m1 -o 'inet addr:[^ ]*' | + cut -d: -f2) + [[ -n ${i} ]] && einfo " ${IFACE} received address ${i}" + elif [[ -n "${ifconfig_fallback_IFACE}" ]]; then + # DHCP failed, try fallback. + # Show the address, but catch if this interface will be inet6 only + i=${ifconfig_fallback_IFACE%% *} + if [[ ${i} == *.*.*.* ]]; then + ebegin "Using fallback configuration (${i}) for ${IFACE}" + else + ebegin "Using fallback configuration for ${IFACE}" + fi + ifconfig ${IFACE} ${ifconfig_fallback_IFACE} >${devnull} && \ + ifconfig ${IFACE} up &>${devnull} + eend $? || return $? + else + return $retval + fi + fi + fi + + if [[ ${#ifconfig_IFACE[@]} -gt 1 ]]; then + einfo " Adding aliases" + for ((i = 1; i < ${#ifconfig_IFACE[@]}; i = i + 1)); do + ebegin " ${IFACE}:${i} (${ifconfig_IFACE[i]%% *})" + ifconfig ${IFACE}:${i} ${ifconfig_IFACE[i]} + eend $? + done + fi + + if [[ -n ${inet6_IFACE} ]]; then + einfo " Adding inet6 addresses" + for ((i = 0; i < ${#inet6_IFACE[@]}; i = i + 1)); do + ebegin " ${IFACE} inet6 add ${inet6_IFACE[i]}" + ifconfig ${IFACE} inet6 add ${inet6_IFACE[i]} >${devnull} + eend $? + done + fi + + # Set static routes + if [[ -n ${routes_IFACE} ]]; then + einfo " Adding routes" + for ((i = 0; i < ${#routes_IFACE[@]}; i = i + 1)); do + ebegin " ${routes_IFACE[i]}" + /sbin/route add ${routes_IFACE[i]} + eend $? + done + fi + + # Set default route if applicable to this interface + if [[ ${gateway} == ${IFACE}/* ]]; then + local ogw=$(/bin/netstat -rn | awk '$1 == "0.0.0.0" {print $2}') + local gw=${gateway#*/} + if [[ ${ogw} != ${gw} ]]; then + ebegin " Setting default gateway ($gw)" + + # First delete any existing route if it was setup by kernel... + /sbin/route del default dev ${IFACE} &>${devnull} + + # Second delete old gateway if it was set... + /sbin/route del default gw ${ogw} &>${devnull} + + # Third add our new default gateway + /sbin/route add default gw ${gw} >${devnull} + eend $? || { + true # need to have some command in here + # Note: This originally called stop, which is obviously + # wrong since it's calling with a local version of IFACE. + # The below code works correctly to abort configuration of + # the interface, but is commented because we're assuming + # that default route failure should not cause the interface + # to be unconfigured. + #local error=$? + #ewarn "Aborting configuration of ${IFACE}" + #iface_stop ${IFACE} + #return ${error} + } + fi + fi + + # Enabling rp_filter causes wacky packets to be auto-dropped by + # the kernel. Note that we only do this if it is not set via + # /etc/sysctl.conf ... + if [[ -e /proc/sys/net/ipv4/conf/${IFACE}/rp_filter && \ + -z "$(grep -s '^[^#]*rp_filter' /etc/sysctl.conf)" ]]; then + echo -n 1 > /proc/sys/net/ipv4/conf/${IFACE}/rp_filter + fi +} + +# iface_stop: bring down an interface. Don't trust information in +# /etc/conf.d/net since the configuration might have changed since +# iface_start ran. Instead query for current configuration and bring +# down the interface. +iface_stop() { + local IFACE=${1} i x aliases inet6 count + + # Try to do a simple down (no aliases, no inet6, no dhcp) + aliases="$(ifconfig | grep -o "^$IFACE:[0-9]*" | tac)" + inet6="$(ifconfig ${IFACE} | awk '$1 == "inet6" {print $2}')" + if [[ -z ${aliases} && -z ${inet6} && ! -e /var/run/dhcpcd-${IFACE}.pid ]]; then + ebegin "Bringing ${IFACE} down" + ifconfig ${IFACE} down &>/dev/null + eend 0 + return 0 + fi + + einfo "Bringing ${IFACE} down" + + # Stop aliases before primary interface. + # Note this must be done in reverse order, since ifconfig eth0:1 + # will remove eth0:2, etc. It might be sufficient to simply remove + # the base interface but we're being safe here. + for i in ${aliases} ${IFACE}; do + + # Delete all the inet6 addresses for this interface + inet6="$(ifconfig ${i} | awk '$1 == "inet6" {print $3}')" + if [[ -n ${inet6} ]]; then + einfo " Removing inet6 addresses" + for x in ${inet6}; do + ebegin " ${IFACE} inet6 del ${x}" + ifconfig ${i} inet6 del ${x} + eend $? + done + fi + + # Stop DHCP (should be N/A for aliases) + # Don't trust current configuration... investigate ourselves + if /sbin/dhcpcd -z ${i} &>${devnull}; then + ebegin " Releasing DHCP lease for ${IFACE}" + for ((count = 0; count < 9; count = count + 1)); do + /sbin/dhcpcd -z ${i} &>${devnull} || break + sleep 1 + done + [[ ${count} -lt 9 ]] + eend $? "Timed out" + fi + ebegin " Stopping ${i}" + ifconfig ${i} down &>${devnull} + eend 0 + done + + return 0 +} + +start() { + # These variables are set by setup_vars + local status_IFACE vlans_IFACE dhcpcd_IFACE + local -a ifconfig_IFACE routes_IFACE inet6_IFACE + + # Call user-defined preup function if it exists + if [[ $(type -t preup) == function ]]; then + einfo "Running preup function" + preup ${IFACE} || { + eerror "preup ${IFACE} failed" + return 1 + } + fi + + # Start the primary interface and aliases + setup_vars ${IFACE} + iface_start ${IFACE} || return 1 + + # Start vlans + local vlan + for vlan in ${vlans_IFACE}; do + /sbin/vconfig add ${IFACE} ${vlan} >${devnull} + setup_vars ${IFACE}.${vlan} + iface_start ${IFACE}.${vlan} + done + + # Call user-defined postup function if it exists + if [[ $(type -t postup) == function ]]; then + einfo "Running postup function" + postup ${IFACE} + fi +} + +stop() { + # Call user-defined predown function if it exists + if [[ $(type -t predown) == function ]]; then + einfo "Running predown function" + predown ${IFACE} + fi + + # Don't depend on setup_vars since configuration might have changed. + # Investigate current configuration instead. + local vlan + for vlan in $(ifconfig | grep -o "^${IFACE}\.[^ ]*"); do + iface_stop ${vlan} + /sbin/vconfig rem ${vlan} >${devnull} + done + + iface_stop ${IFACE} || return 1 # always succeeds, btw + + # Call user-defined postdown function if it exists + if [[ $(type -t postdown) == function ]]; then + einfo "Running postdown function" + postdown ${IFACE} + fi +} + +# vim:ts=4 diff --git a/testing/hosts/winnetou/etc/init.d/slapd b/testing/hosts/winnetou/etc/init.d/slapd new file mode 100755 index 000000000..d4c070b33 --- /dev/null +++ b/testing/hosts/winnetou/etc/init.d/slapd @@ -0,0 +1,25 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/strongswan/testing/hosts/winnetou/etc/init.d/slapd,v 1.2 2005/05/31 14:04:43 as Exp $ + +depend() { + need net +} + +start() { + ebegin "Starting ldap-server" + eval start-stop-daemon --start --quiet --pidfile /var/run/openldap/slapd.pid --exec /usr/lib/openldap/slapd -- -u ldap -g ldap "${OPTS}" + eend $? + if [ ! -e /var/lib/openldap-data/objectClass.bdb ] + then + sleep 5 + ldapadd -x -D "cn=Manager, o=Linux strongSwan, c=CH" -w tuxmux -f /etc/openldap/ldif.txt + fi +} + +stop() { + ebegin "Stopping ldap-server" + start-stop-daemon --stop --signal 2 --quiet --pidfile /var/run/openldap/slapd.pid + eend $? +} diff --git a/testing/hosts/winnetou/etc/openldap/ldif.txt b/testing/hosts/winnetou/etc/openldap/ldif.txt new file mode 100644 index 000000000..3eca4d6c6 --- /dev/null +++ b/testing/hosts/winnetou/etc/openldap/ldif.txt @@ -0,0 +1,40 @@ +dn: o=Linux strongSwan, c=CH +objectclass: organization +o: Linux strongSwan + +dn: cn=Manager,o=Linux strongSwan, c=CH +objectclass: organizationalRole +cn: Manager + +dn: cn=strongSwan Root CA, o=Linux strongSwan, c=CH +objectClass: organizationalRole +cn: strongSwan Root CA +objectClass: certificationAuthority +authorityRevocationList;binary:< file:///etc/openssl/strongswan.crl +certificateRevocationList;binary:< file:///etc/openssl/strongswan.crl +cACertificate;binary:< file:///etc/openssl/strongswanCert.der + +dn: ou=Research, o=Linux strongSwan, c=CH +objectclass: organizationalUnit +ou: Research + +dn: cn=Research CA, ou=Research, o=Linux strongSwan, c=CH +objectClass: organizationalRole +cn: Research CA +objectClass: certificationAuthority +authorityRevocationList;binary:< file:///etc/openssl/research/research.crl +certificateRevocationList;binary:< file:///etc/openssl/research/research.crl +cACertificate;binary:< file:///etc/openssl/research/researchCert.der + +dn: ou=Sales, o=Linux strongSwan, c=CH +objectclass: organizationalUnit +ou: Sales + +dn: cn=Sales CA, ou=Sales, o=Linux strongSwan, c=CH +objectClass: organizationalRole +cn: Sales CA +objectClass: certificationAuthority +authorityRevocationList;binary:< file:///etc/openssl/sales/sales.crl +certificateRevocationList;binary:< file:///etc/openssl/sales/sales.crl +cACertificate;binary:< file:///etc/openssl/sales/salesCert.der + diff --git a/testing/hosts/winnetou/etc/openldap/slapd.conf b/testing/hosts/winnetou/etc/openldap/slapd.conf new file mode 100644 index 000000000..4558ee2e2 --- /dev/null +++ b/testing/hosts/winnetou/etc/openldap/slapd.conf @@ -0,0 +1,68 @@ +# +# See slapd.conf(5) for details on configuration options. +# This file should NOT be world readable. +# +include /etc/openldap/schema/core.schema + +# Define global ACLs to disable default read access. + +# Do not enable referrals until AFTER you have a working directory +# service AND an understanding of referrals. +#referral ldap://root.openldap.org + +pidfile /var/run/openldap/slapd.pid +argsfile /var/run/openldap/slapd.args + +# Load dynamic backend modules: +# modulepath /usr/lib/openldap/openldap +# moduleload back_bdb.la +# moduleload back_ldap.la +# moduleload back_ldbm.la +# moduleload back_passwd.la +# moduleload back_shell.la + +# Sample security restrictions +# Require integrity protection (prevent hijacking) +# Require 112-bit (3DES or better) encryption for updates +# Require 63-bit encryption for simple bind +# security ssf=1 update_ssf=112 simple_bind=64 + +# Sample access control policy: +# Root DSE: allow anyone to read it +# Subschema (sub)entry DSE: allow anyone to read it +# Other DSEs: +# Allow self write access +# Allow authenticated users read access +# Allow anonymous users to authenticate +# Directives needed to implement policy: +# access to dn.base="" by * read +# access to dn.base="cn=Subschema" by * read +# access to * +# by self write +# by users read +# by anonymous auth +# +# if no access controls are present, the default policy +# allows anyone and everyone to read anything but restricts +# updates to rootdn. (e.g., "access to * by * read") +# +# rootdn can always read and write EVERYTHING! + +####################################################################### +# BDB database definitions +####################################################################### + +database bdb +checkpoint 32 30 # <kbyte> <min> +suffix "o=Linux strongSwan,c=CH" +rootdn "cn=Manager,o=Linux strongSwan,c=CH" +# Cleartext passwords, especially for the rootdn, should +# be avoid. See slappasswd(8) and slapd.conf(5) for details. +# Use of strong authentication encouraged. +rootpw tuxmux +# The database directory MUST exist prior to running slapd AND +# should only be accessible by the slapd and slap tools. +# Mode 700 recommended. +directory /var/lib/openldap-data +# Indices to maintain +index objectClass eq diff --git a/testing/hosts/winnetou/etc/openssl/generate-crl b/testing/hosts/winnetou/etc/openssl/generate-crl new file mode 100755 index 000000000..5a8fd7782 --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/generate-crl @@ -0,0 +1,35 @@ +#! /bin/sh +# generate a certificate revocation list (CRL) for the strongswan CA. +# +# Copyright (C) 2004 Andreas Steffen +# Zuercher Hochschule Winterthur +# +# This program is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 2 of the License, or (at your +# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +# for more details. +# +# RCSID $Id: generate-crl,v 1.2 2005/03/24 11:19:38 as Exp $ + +export COMMON_NAME=strongSwan + +cd /etc/openssl +openssl ca -config /etc/openssl/openssl.cnf -gencrl -out crl.pem +openssl crl -in crl.pem -outform der -out strongswan.crl +cp strongswan.crl /var/www/localhost/htdocs/ +cp strongswanCert.pem /var/www/localhost/htdocs/ +cp index.html /var/www/localhost/htdocs/ +cd /etc/openssl/research +openssl ca -config /etc/openssl/research/openssl.cnf -gencrl -out crl.pem +openssl crl -in crl.pem -outform der -out research.crl +cp research.crl /var/www/localhost/htdocs/ +cd /etc/openssl/sales +openssl ca -config /etc/openssl/sales/openssl.cnf -gencrl -out crl.pem +openssl crl -in crl.pem -outform der -out sales.crl +cp sales.crl /var/www/localhost/htdocs/ + diff --git a/testing/hosts/winnetou/etc/openssl/index.html b/testing/hosts/winnetou/etc/openssl/index.html new file mode 100644 index 000000000..1641768ae --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/index.html @@ -0,0 +1,36 @@ +<html> +<head> + <title>strongSwan Web Services</title> + <base target="_self"> +</head> + +<body bgcolor="#FFFFFF"> +<table border=0 cellpadding=0 cellspacing=0 width=600> + +<tr><td> + <h2>strongSwan Certification Authority</h2> + <ul> + <li> + <a href="strongswanCert.pem">Root CA Certificate</a> + </li> + </ul> + <ul> + <li> + <a href="strongswan.crl">Certificate Revocation List (CRL)</a> + </li> + </ul> + + <h2>strongSwan UML Testing Environment</h2> + <ul> + <li> + <a href="testresults/">UML Test Results</a> + </li> + </ul> + <a href="images/umlArchitecture_large.png" target="_blank"> + <img src="images/umlArchitecture_small.png" border="0"> + </a> + <hr> + <address>Linux strongSwan (<a href="http://www.strongswan.org">www.strongswan.org</a>)</address> +</td></tr> +</table> +</body> diff --git a/testing/hosts/winnetou/etc/openssl/index.txt b/testing/hosts/winnetou/etc/openssl/index.txt new file mode 100644 index 000000000..4db6c2924 --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/index.txt @@ -0,0 +1,15 @@ +V 090909111334Z 01 unknown /C=CH/O=Linux strongSwan/CN=mars.strongswan.org +V 090909111553Z 02 unknown /C=CH/O=Linux strongSwan/CN=sun.strongswan.org +V 090909111725Z 03 unknown /C=CH/O=Linux strongSwan/CN=moon.strongswan.org +V 090909111826Z 04 unknown /C=CH/O=Linux strongSwan/CN=venus.strongswan.org +V 090909112439Z 05 unknown /C=CH/O=Linux strongSwan/OU=Sales/CN=alice@strongswan.org +V 090909112534Z 06 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=bob@strongswan.org +R 090909112548Z 041226135423Z 07 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org +V 090909112651Z 08 unknown /C=CH/O=Linux strongSwan/OU=Accounting/CN=dave@strongswan.org +V 091118162928Z 09 unknown /C=CH/O=Linux strongSwan/OU=OCSP Signing Authority/CN=ocsp.strongswan.org +V 091231214318Z 0A unknown /C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org +V 100216084430Z 0B unknown /C=CH/O=Linux strongSwan/OU=Authorization Authority/CN=aa@strongswan.org +R 140321062536Z 050621195214Z 0C unknown /C=CH/O=Linux strongSwan/OU=Research/CN=Research CA +V 140321062916Z 0D unknown /C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA +V 100607191714Z 0E unknown /C=CH/O=Linux strongSwan/CN=winnetou.strongswan.org +V 100620195806Z 0F unknown /C=CH/O=Linux strongSwan/OU=Research/CN=Research CA diff --git a/testing/hosts/winnetou/etc/openssl/index.txt.attr b/testing/hosts/winnetou/etc/openssl/index.txt.attr new file mode 100644 index 000000000..8f7e63a34 --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/index.txt.attr @@ -0,0 +1 @@ +unique_subject = yes diff --git a/testing/hosts/winnetou/etc/openssl/index.txt.attr.old b/testing/hosts/winnetou/etc/openssl/index.txt.attr.old new file mode 100644 index 000000000..8f7e63a34 --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/index.txt.attr.old @@ -0,0 +1 @@ +unique_subject = yes diff --git a/testing/hosts/winnetou/etc/openssl/index.txt.old b/testing/hosts/winnetou/etc/openssl/index.txt.old new file mode 100644 index 000000000..669702b0c --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/index.txt.old @@ -0,0 +1,14 @@ +V 090909111334Z 01 unknown /C=CH/O=Linux strongSwan/CN=mars.strongswan.org +V 090909111553Z 02 unknown /C=CH/O=Linux strongSwan/CN=sun.strongswan.org +V 090909111725Z 03 unknown /C=CH/O=Linux strongSwan/CN=moon.strongswan.org +V 090909111826Z 04 unknown /C=CH/O=Linux strongSwan/CN=venus.strongswan.org +V 090909112439Z 05 unknown /C=CH/O=Linux strongSwan/OU=Sales/CN=alice@strongswan.org +V 090909112534Z 06 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=bob@strongswan.org +R 090909112548Z 041226135423Z 07 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org +V 090909112651Z 08 unknown /C=CH/O=Linux strongSwan/OU=Accounting/CN=dave@strongswan.org +V 091118162928Z 09 unknown /C=CH/O=Linux strongSwan/OU=OCSP Signing Authority/CN=ocsp.strongswan.org +V 091231214318Z 0A unknown /C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org +V 100216084430Z 0B unknown /C=CH/O=Linux strongSwan/OU=Authorization Authority/CN=aa@strongswan.org +R 140321062536Z 050621195214Z 0C unknown /C=CH/O=Linux strongSwan/OU=Research/CN=Research CA +V 140321062916Z 0D unknown /C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA +V 100607191714Z 0E unknown /C=CH/O=Linux strongSwan/CN=winnetou.strongswan.org diff --git a/testing/hosts/winnetou/etc/openssl/newcerts/01.pem b/testing/hosts/winnetou/etc/openssl/newcerts/01.pem new file mode 100644 index 000000000..bf4ba9375 --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/newcerts/01.pem @@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIIEDTCCAvWgAwIBAgIBATANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA0MDkxMDExMTMzNFoXDTA5MDkwOTExMTMzNFowRjELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHDAaBgNVBAMTE21hcnMu +c3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDA +zRlshdPlLggS7bpAlovamLpk9pxYUv3c8J4W0kV4knMPbSJywfctpce95iPZfU6V +ICV0fVOn/0utJG+0lMTYwcf5zvyIDPDccfsTT3WI+/PcaUpU6E5aaPAZxDG4na6w +UVUKiRcOyiuyXanulnu+b48nM7MgoMVZNDWY5q15enEZh1oO2Fy0DlKwweDKEuAi +8xSnu2RcZBFSZMDBCRCt3QgHGZygrzjP3vN6IgbvHL+YWIycMi5yiJR5EoCE6D17 +AT1dh0C8R9m1a0LUK8cKiN+akZQlK/AHYOCu77fg1vz84dMDRIs2PCUs6Ww/fvqy +N4r1BXg8XKTVH0zmqfQLAgMBAAGjggEFMIIBATAJBgNVHRMEAjAAMAsGA1UdDwQE +AwIDqDAdBgNVHQ4EFgQUbUWd4UeHwbTxn0Kr9io4nUGz6eAwbQYDVR0jBGYwZIAU +XafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYDVQQK +ExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3QgQ0GC +AQAwHgYDVR0RBBcwFYITbWFycy5zdHJvbmdzd2FuLm9yZzA5BgNVHR8EMjAwMC6g +LKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW4uY3JsMA0G +CSqGSIb3DQEBBAUAA4IBAQBY0ab/r6K40Gni/db8apZGJqoO3XFPE4K7wi46LNZq +gB3mQgazLkf48luj06rcfux+vC/2W3DyqAtKD5JRccL0A5yxY55p3rrCNvz76Y9H +0AkVledhZTjd7SxdtsfxlRuok4nACwQii9GXcfs8qBc5QE8ZQRAtPwRxVx8hE19n +D3AllTSukJSC6nPJHf+4FXz1Dxt3aFZOnkJM4qERBjFREYE4jGLaz71HNNKshsYy +2UuwLAqsQk6zYogrJgpWLIuMVE2GHoth/rjpkzK/ErAwcV4OgMNdA1bHGl94soDy +zryvlFj1zaqlvdKayWATnrAQQTQeeYz3i0wF95CNR22b +-----END CERTIFICATE----- diff --git a/testing/hosts/winnetou/etc/openssl/newcerts/02.pem b/testing/hosts/winnetou/etc/openssl/newcerts/02.pem new file mode 100644 index 000000000..e7825e3db --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/newcerts/02.pem @@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIIECzCCAvOgAwIBAgIBAjANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA0MDkxMDExMTU1M1oXDTA5MDkwOTExMTU1M1owRTELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN1bi5z +dHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOQ8 +foB9h5BZ92gA5JkQTJNuoF6FAzoq91Gh7To27/g74p01+SUnsSaBfPmNfGp4avdS +Ewy2dWMA/7uj0Dbe8MEKssNztp0JQubp2s7n8mrrQLGsqB6YAS09l75XDjS3yqTC +AtH1kD4zAl/j/AyeQBuLR4CyJEmC/rqD3/a+pr42CaljuFBgBRpCTUpU4mlslZSe +zv9wu61PwTFxb8VDlBHUd/lwkXThKgU3uEhWRxLahpSldEGmiTTmx30k/XbOMF2n +HObEHt5EY9uWRGGbj81ZRWiNk0dNtbpneUHv/NvdWLc591M8cEGEQdWW2XTVbL2G +N67q8hdzGgIvb7QJPMcCAwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQD +AgOoMB0GA1UdDgQWBBQ9xLkyCBbyQmRet0vvV1Fg6z5q2DBtBgNVHSMEZjBkgBRd +p91wBlEyfue2bbO15eBg6i5N76FJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoT +EExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIB +ADAdBgNVHREEFjAUghJzdW4uc3Ryb25nc3dhbi5vcmcwOQYDVR0fBDIwMDAuoCyg +KoYoaHR0cDovL2NybC5zdHJvbmdzd2FuLm9yZy9zdHJvbmdzd2FuLmNybDANBgkq +hkiG9w0BAQQFAAOCAQEAGQQroiAa0SwwhJprGd7OM+rfBJAGbsa3DPzFCfHX1R7i +ZyDs9aph1DK+IgUa377Ev1U7oB0EldpmOoJJugCjtNLfpW3t1RXBERL/QfpO2+VP +Wt3SfZ0Oq48jiqB1MVLMZRPCICZEQjT4sJ3HYs5ZuucuvoxeMx3rQ4HxUtHtMD3S +5JNMwFFiOXAjyIyrTlb7YuRJTT5hE+Rms8GUQ5Xnt7zKZ7yfoSLFzy0/cLFPdQvE +JA7w8crODCZpDgEKVHVyUWuyt1O46N3ydUfDcnKJoQ9HWHm3xCbDex5MHTnvm1lk +Stx71CGM7TE6VPy028UlrSw0JqEwCVwstei2cMzwgA== +-----END CERTIFICATE----- diff --git a/testing/hosts/winnetou/etc/openssl/newcerts/03.pem b/testing/hosts/winnetou/etc/openssl/newcerts/03.pem new file mode 100644 index 000000000..d8fbfa1c9 --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/newcerts/03.pem @@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIIEDTCCAvWgAwIBAgIBAzANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA0MDkxMDExMTcyNVoXDTA5MDkwOTExMTcyNVowRjELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHDAaBgNVBAMTE21vb24u +c3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCv +ri4QmsCnG0N7bxqeUZTQhcmZ/iyN4RsmHwFsiOc06xpnZ7Fbx9gzi/OswU6KGL+F +f9PfvOY36bDTZU8V2QaL30RQUXz3JlG+jUyP9zjqlhsvVYS/cImvqgo3uUkQ0YCD +v2SafTlaQfBOaPFElNEP/H2YSiyB6X80IcHsOMYpskVqPY8785FehjF+pxuyRCK+ +9HXmd+iWdnC09u4qgKRa3L0IamU3q1/BK/afkHK2IAIN4YgM7GzepHVD0f7Exf9U +esJEeh4hDZwSjcMzdybrY9XBxzGqLGPOF128jr+5weUZiBW+RzeBw/gsK1nSPeuX +Od2lPJjTGj+6V3YK6qibAgMBAAGjggEFMIIBATAJBgNVHRMEAjAAMAsGA1UdDwQE +AwIDqDAdBgNVHQ4EFgQU5eQQh2wqxL6thUlCpt52WDA6n8EwbQYDVR0jBGYwZIAU +XafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYDVQQK +ExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3QgQ0GC +AQAwHgYDVR0RBBcwFYITbW9vbi5zdHJvbmdzd2FuLm9yZzA5BgNVHR8EMjAwMC6g +LKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW4uY3JsMA0G +CSqGSIb3DQEBBAUAA4IBAQAvLykhZnqldrsMcbYB36WzWKk+hOihr5dU3fv8Z4ec +tsa3gzxXSefDCxGoezVJ4QXdpdNxxFn31A+r1gxKyGI5JL6EyWz6Y462zp9lE7nW +EIC4ldJwxAXqzDEMcJphO29hApyU9TWsWDa4kL5AKtLFLwH3/Uv/jAzAy+qXIO8h +wLtB+wcmhSo8OFY9kX/cyhht7eb7yD/r2e3wVBOCRk7jePe4yWhN8NJAKwfrEd1K +iGq15ymdmeomhplHRsLZwA2VsCspUNZ/eXjG21s3nEoxcCOcQUz3Q7q4ZgBTZoCW +kAc6FQ5zxoZrmzNWFqzb06jmUVlt7baGtdjT7rEt+dcp +-----END CERTIFICATE----- diff --git a/testing/hosts/winnetou/etc/openssl/newcerts/04.pem b/testing/hosts/winnetou/etc/openssl/newcerts/04.pem new file mode 100644 index 000000000..25a6941b0 --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/newcerts/04.pem @@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIIEDzCCAvegAwIBAgIBBDANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA0MDkxMDExMTgyNloXDTA5MDkwOTExMTgyNlowRzELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHTAbBgNVBAMTFHZlbnVz +LnN0cm9uZ3N3YW4ub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA +mlQ2s9J7bw73onkw0ZwwcM2JDJuU3KmmuzETlmLdtg7m8yFCdhoDg6cxrsIvPAWy +Gs++1e+1qzy7LTnNHckaHHFwJQf0JoIGE1bbUrJidX8B1T3sDdvZFbyfmQTWSEyJ +thrdqdPS92VJW/9XQOPeEhudIHr+NtWQfCm3OQFKDXGCEkHOjpVNHn3BPUiL99ON +FiLZX3gZy6vTERpEE8ga66fHtpM3RJfIxYoUQUdRw8iIa8iOvRGtJa/MfOWX6L/H +wquRv3SuCl4iMSph7e/VE+z5xx3OyKSAki914DgRFnQITKjyGxw1lORlDQlZy2w/ +nu0BAbXS1pb/2AiF8jDpbQIDAQABo4IBBjCCAQIwCQYDVR0TBAIwADALBgNVHQ8E +BAMCA6gwHQYDVR0OBBYEFEqPlXBYJh1knX0Q61HMcn9LOZ6sMG0GA1UdIwRmMGSA +FF2n3XAGUTJ+57Zts7Xl4GDqLk3voUmkRzBFMQswCQYDVQQGEwJDSDEZMBcGA1UE +ChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBSb290IENB +ggEAMB8GA1UdEQQYMBaCFHZlbnVzLnN0cm9uZ3N3YW4ub3JnMDkGA1UdHwQyMDAw +LqAsoCqGKGh0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dhbi5jcmww +DQYJKoZIhvcNAQEEBQADggEBAEx3kXh2Z5CMH+tX6cJPyi6gSeOgXy7NBiNsEdXN +rwGp4DwN6uiSog4EYZJA203oqE3eaoYdBXKiOGvjW4vyigvpDr8H+MeW2HsNuMKX +PFpY4NucV0fJlzFhtkp31zTLHNESCgTqNIwGj+CbN0rxhHGE6502krnu+C12nJ7B +fdMzml1RmVp4JlZC5yfiTy0F2s/aH+8xQ2x509UoD+boNM9GR+IlWS2dDypISGid +hbM4rpiMLBj2riWD8HiuljkKQ6LemBXeZQXuIPlusl7cH/synNkHk8iiALM8xfGh +wTEmdo5Tp5sDI3cj3LVvhcsTxjiOA81her1F0itlxpEA/gA= +-----END CERTIFICATE----- diff --git a/testing/hosts/winnetou/etc/openssl/newcerts/05.pem b/testing/hosts/winnetou/etc/openssl/newcerts/05.pem new file mode 100644 index 000000000..e99ae8ec7 --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/newcerts/05.pem @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEHzCCAwegAwIBAgIBBTANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA0MDkxMDExMjQzOVoXDTA5MDkwOTExMjQzOVowVzELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsTBVNhbGVz +MR0wGwYDVQQDFBRhbGljZUBzdHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcNAQEB +BQADggEPADCCAQoCggEBAK7FyvkE18/oujCaTd8GXBNOH+Cvoy0ibJ8j2sNsBrer +GS1lgxRs8zaVfK9fosadu0UZeWIHsOKkew5469sPvkKK2SGGH+pu+x+xO/vuaEG4 +FlkAu8iGFWLQycLt6BJfcqw7FT8rwNuD18XXBXmP7hRavi/TEElbVYHbO7lm8T5W +6hTr/sYddiSB7X9/ba7JBy6lxmBcUAx5bjiiHLaW/llefkqyhc6dw5nvPZ2DchvH +v/HWvLF9bsvxbBkHU0/z/CEsRuMBI7EPEL4rx3UqmuCUAqiMJTS3IrDaIlfJOLWc +KlbsnE6hHpwmt9oDB9iWBY9WeZUSAtJGFw4b7FCZvQ0CAwEAAaOCAQYwggECMAkG +A1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBRZmh0JtiNTjBsQsfD7ECNa +60iG2jBtBgNVHSMEZjBkgBRdp91wBlEyfue2bbO15eBg6i5N76FJpEcwRTELMAkG +A1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0 +cm9uZ1N3YW4gUm9vdCBDQYIBADAfBgNVHREEGDAWgRRhbGljZUBzdHJvbmdzd2Fu +Lm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3Jn +L3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBBAUAA4IBAQADdQIlJkFtmHEjtuyo +2aIcrsUx98FtvVgB7RpQB8JZlly7UEjvX0CIIvW/7Al5/8h9s1rhrRffX7nXQKAQ +AmPnvD2Pp47obDnHqm/L109S1fcL5BiPN1AlgsseUBwzdqBpyRncPXZoAuBh/BU5 +D/1Dip0hXgB/X6+QymSzRJoSKfpeXVICj1kYH1nIkn0YXthYF3BTrCheCzBlKn0S +CixbCUYsUjtSqld0nG76jyGb/gnWntNettH+RXWe1gm6qREJwfEFdeYviTqx2Uxi +6sBKG/XjNAcMArXb7V6w0YAwCyjwCl49B+mLZaFH+9izzBJ7NyVqhH8ToB1gt0re +JGhV +-----END CERTIFICATE----- diff --git a/testing/hosts/winnetou/etc/openssl/newcerts/06.pem b/testing/hosts/winnetou/etc/openssl/newcerts/06.pem new file mode 100644 index 000000000..199d3eee2 --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/newcerts/06.pem @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEHjCCAwagAwIBAgIBBjANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA0MDkxMDExMjUzNFoXDTA5MDkwOTExMjUzNFowWDELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh +cmNoMRswGQYDVQQDFBJib2JAc3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3DQEB +AQUAA4IBDwAwggEKAoIBAQDAJaejS3/lJfQHgw0nzvotgSQS8ey/6tvbx7s5RsWY +27x9K5xd44aPrvP2Qpyq34IXRY6uPlIqeUTQN7EKpLrWCxMOT36x5N0Co9J5UWRB +fJC141D+8+1RwJ9/baEIecpCvb0GfDOX0GXN5ltcJk82hZjE4y1yHC1FN7V3zdRg +xmloupPuon+X3bTmyMQ93NKkg48CQGtqtfwQ0MqPiOWu8MBhdztfOyu6aW3EgviF +ithLc02SeNzlpqB3M8GDfX+mr3OVDhhhC2OI+VRlZzz7KxJ13DUR2KkvLZR8Ak4E +5lRjkUnTYd/f3OQYxfjC8idUmj5ojR6Fb0x1tsV/glzXAgMBAAGjggEEMIIBADAJ +BgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQUaLN5EPOkOkVU3J1Ud0sl ++27OOHswbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJ +BgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJz +dHJvbmdTd2FuIFJvb3QgQ0GCAQAwHQYDVR0RBBYwFIESYm9iQHN0cm9uZ3N3YW4u +b3JnMDkGA1UdHwQyMDAwLqAsoCqGKGh0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcv +c3Ryb25nc3dhbi5jcmwwDQYJKoZIhvcNAQEEBQADggEBAIyQLLxdeO8clplzRW9z +TRR3J0zSedvi2XlIZ/XCsv0ZVfoBLLWcDp3QrxNiVZXvXXtzjPsDs+DAveZF9LGq +0tIw1uT3JorbgNNrmWvxBvJoQTtSw4LQBuV7vF27jrposx3Hi5qtUXUDS6wVnDUI +5iORqsrddnoDuMN+Jt7oRcvKfYSNwTV+m0ZAHdB5a/ARWO5UILOrxEA/N72NcDYN +NdAd+bLaB38SbkSbh1xj/AGnrHxdJBF4h4mx4btc9gtBSh+dwBHOsn4TheqJ6bbw +7FlXBowQDCJIswKNhWfnIepQlM1KEzmq5YX43uZO2b7amRaIKqy2vNE7+UNFYBpE +Mto= +-----END CERTIFICATE----- diff --git a/testing/hosts/winnetou/etc/openssl/newcerts/07.pem b/testing/hosts/winnetou/etc/openssl/newcerts/07.pem new file mode 100644 index 000000000..5b742fc9e --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/newcerts/07.pem @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEIjCCAwqgAwIBAgIBBzANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA0MDkxMDExMjU0OFoXDTA5MDkwOTExMjU0OFowWjELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh +cmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBAM5413q1B2EF3spcYD1u0ce9AtIHdxmU3+1E0hqV +mLqpIQtyp4SLbrRunxpoVUuEpHWXgLb3C/ljjlKCMWWmhw4wja1rBTjMNJLPj6Bo +5Qn4Oeuqm7/kLHPGbveQGtcSsJCk6iLqFTbq0wsji5Ogq7kmjWgQv0nM2jpofHLv +VOAtWVSj+x2b3OHdl/WpgTgTw1HHjYo7/NOkARdTcZ2/wxxM3z1Abp9iylc45GLN +IL/OzHkT8b5pdokdMvVijz8IslkkewJYXrVQaCNMZg/ydlXOOAEKz0YqnvXQaYs5 +K+s8XvQ2RFCr5oO0fRT2VbiI9TgHnbcnfUi25iHl6txsXg0CAwEAAaOCAQYwggEC +MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBTbA2TH3ca8tgCGkYy9 +OV/MqUTHAzBtBgNVHSMEZjBkgBRdp91wBlEyfue2bbO15eBg6i5N76FJpEcwRTEL +MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT +EnN0cm9uZ1N3YW4gUm9vdCBDQYIBADAfBgNVHREEGDAWgRRjYXJvbEBzdHJvbmdz +d2FuLm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4u +b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBBAUAA4IBAQC9acuCUPEBOrWB +56vS8N9bksQwv/XcYIFYqV73kFBAzOPLX2a9igFGvBPdCxFu/t8JCswzE6to4LFM +2+6Z2QJf442CLPcJKxITahrjJXSxGbzMlmaDvZ5wFCJAlyin+yuInpTwl8rMZe/Q +O5JeJjzGDgWJtnGdkLUk/l2r6sZ/Cmk5rZpuO0hcUHVztMLQYPzqTpuMvC5p4JzL +LWGWhKRhJs53NmxXXodck/ZgaqiTWuQFYlbamJRvzVBfX7c1SWHRJvxSSOPKGIg3 +wphkO2naj/SQD+BNuWTRmZ9YCiLOQ64ybLpJzRZISETdqtLBPKsIqosUZwkxlR1N +9IcgYi5x +-----END CERTIFICATE----- diff --git a/testing/hosts/winnetou/etc/openssl/newcerts/08.pem b/testing/hosts/winnetou/etc/openssl/newcerts/08.pem new file mode 100644 index 000000000..abd1554e5 --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/newcerts/08.pem @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEIjCCAwqgAwIBAgIBCDANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA0MDkxMDExMjY1MVoXDTA5MDkwOTExMjY1MVowWzELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xEzARBgNVBAsTCkFjY291 +bnRpbmcxHDAaBgNVBAMUE2RhdmVAc3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3 +DQEBAQUAA4IBDwAwggEKAoIBAQDGbCmUY6inir71/6RWebegcLUTmDSxRqpRONDx +2IRUEuES5EKc7qsjRz45XoqjiywCQRjYW33fUEEY6r7fnHk70CyUnWeZyr7v4D/2 +LjBN3smDE6/ZZrzxPx+xphlUigYOF/vt4gUiW1dOZ5rcnxG9+eNrSL6gWNNg1iuE +RflSTbmHV6TVmGU2PGddKGZ6XfqWfdA+6iOi2+oyqw6aH4u4hfXhJyMROEOhLdAF +UvzU9UizEXSqsmEOSodS9vypVJRYTbZcx70e9Q7g2MghHvtQY6mVgBzAwakDBCt/ +98lAlKDeXXOQqPcqAZSc2VjG8gEmkr1dum8wsJw8C2liKGRFAgMBAAGjggEFMIIB +ATAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQU3pC10RxsZDx0UNNq ++Ihsoxk4+3IwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUx +CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQD +ExJzdHJvbmdTd2FuIFJvb3QgQ0GCAQAwHgYDVR0RBBcwFYETZGF2ZUBzdHJvbmdz +d2FuLm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4u +b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBBAUAA4IBAQAnotcnOE0tJDLy +8Vh1+naT2zrxx9UxfMIeFljwhDqRiHXSLDAbCOnAWoqj8C9riuZwW7UImIIQ9JT9 +Gdktt4bbIcG25rGMC3uqP71CfaAz/SwIZZ2vm8Jt2ZzzSMHsE5qbjDIRAZnq6giR +P2s6PVsMPSpvH34sRbE0UoWJSdtBZJP5bb+T4hc9gfmbyTewwMnjh09KkGJqVxKV +UC/1z1U9zb3X1Gc9y+zI67/D46wM6KdRINaqPdK26aYRFM+/DLoTfFk07dsyz7lt +0C+/ityQOvpfjVlZ/OepT92eWno4FuNRJuUP5/gYiHvSsjZbazqG02qGhJ6VgtGT +5qILUTmI +-----END CERTIFICATE----- diff --git a/testing/hosts/winnetou/etc/openssl/newcerts/09.pem b/testing/hosts/winnetou/etc/openssl/newcerts/09.pem new file mode 100644 index 000000000..6ca9a58a4 --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/newcerts/09.pem @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEQzCCAyugAwIBAgIBCTANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA0MTExOTE2MjkyOFoXDTA5MTExODE2MjkyOFowZzELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHzAdBgNVBAsTFk9DU1Ag +U2lnbmluZyBBdXRob3JpdHkxHDAaBgNVBAMTE29jc3Auc3Ryb25nc3dhbi5vcmcw +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCqJ0y0yhF4iEygd8M73wNC +8RO590BqiD3Z3x9/5GSVCgfm+ao4hcg6CogNGicu4ybzgPoHt0V/El4D8JRkM8QB +pg/R7WI4L1ndSZGgTHcQ1vViXGr4PUsIiUR/EgVCSFs8+6Z73J4bJeMomy27Hn9w +s4leHbrqK87btA2TETV3UlCaDXC6NF8321ZH+D+8OFQaQ0SqKrThKMVYSTf+QdpX +BlI9vtce1SyS6Kiy4WLdXAt8mO7x+UjaVEzFNyi6SXb9FAGVvO9OXi3+mxm9eK2g ++s1kA4jqDvL17JftvJLKzFZ5irEuTe2+wHdQbwtlOkW1JFAsGL4O+r4NIoBuMBZF +AgMBAAGjggEaMIIBFjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQU +iAcKuK7HwQdcvmhqxKV/gR83tVYwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXg +YOouTe+hSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdT +d2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3QgQ0GCAQAwHgYDVR0RBBcwFYIT +b2NzcC5zdHJvbmdzd2FuLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDCTA5BgNVHR8E +MjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW4u +Y3JsMA0GCSqGSIb3DQEBBAUAA4IBAQA4jOyh+neFCkXMZ1gK0o98qkBr3vYEO2a0 +wb2hDv8Alx6T5kwLgdhAzZ5urZpAdiWF3NWE+z9KnEWnpep9MRDXNM8uBglgBO2v +SAmV1BXNw2ZDe63w6QvQnezgUuWkrTShfduEDmb8j5jVdzoY+kTKwjLYHPG0Ec79 +Os3PPqXlfeUOkzWnhGVP2EtHCj8SppMdA/XIuwIq8aLN14SITi6gvo/cDMa5N6sT +Q/UBAOWsxbLReaD7l5OXnAJOg3t/RM36vpRqPseGaAgrKy8805QDU2RxsCHrxwzF +Wi/17J6nmX3e4PuwqPAI/4MsHlFdExRvSq/gXBN/Ib4AHGkUr0/q +-----END CERTIFICATE----- diff --git a/testing/hosts/winnetou/etc/openssl/newcerts/0A.pem b/testing/hosts/winnetou/etc/openssl/newcerts/0A.pem new file mode 100644 index 000000000..8492fbd45 --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/newcerts/0A.pem @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEIjCCAwqgAwIBAgIBCjANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA1MDEwMTIxNDMxOFoXDTA5MTIzMTIxNDMxOFowWjELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh +cmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBALgbhJIECOCGyNJ4060un/wBuJ6MQjthK5CAEPgX +T/lvZynoSxhfuW5geDCCxQes6dZPeb6wJS4F5fH3qJoLM+Z4n13rZlCEyyMBkcFl +vK0aNFY+ARs0m7arUX8B7Pfi9N6WHTYgO4XpeBHLJrZQz9AU0V3S0rce/WVuVjii +S/cJhrgSi7rl87Qo1jYOA9P06BZQLj0dFNcWWrGpKp/hXvBF1OSP9b15jsgMlCCW +LJqXmLVKDtKgDPLJZR19mILhgcHvaxxD7craL9GR4QmWLb0m84oAIIwaw+0npZJM +YDMMeYeOtcepCWCmRy+XmsqcWu4rtNCu05W1RsXjYZEKBjcCAwEAAaOCAQYwggEC +MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBRVNeym66J5uu+IfxhD +j9InsWdG0TBtBgNVHSMEZjBkgBRdp91wBlEyfue2bbO15eBg6i5N76FJpEcwRTEL +MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT +EnN0cm9uZ1N3YW4gUm9vdCBDQYIBADAfBgNVHREEGDAWgRRjYXJvbEBzdHJvbmdz +d2FuLm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4u +b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBBAUAA4IBAQCxMEp+Zdclc0aI +U+jO3TmL81gcwea0BUucjZfDyvCSkDXcXidOez+l/vUueGC7Bqq1ukDF8cpVgGtM +2HPxM97ZSLPInMgWIeLq3uX8iTtIo05EYqRasJxBIAkY9o6ja6v6z0CZqjSbi2WE +HrHkFrkOTrRi7deGzbAAhWVjOnAfzSxBaujkdUxb6jGBc2F5qpAeVSbE+sAxzmSd +hRyF3tUUwl4yabBzmoedJzlQ4anqg0G14QScBxgXkq032gKuzNVVxWRp6OFannKG +C1INvsBWYtN62wjXlXXhM/M4sBFhmPpftVb+Amgr1jSspTX2dQsNqhI/WtNvLmfK +omBYfxqp +-----END CERTIFICATE----- diff --git a/testing/hosts/winnetou/etc/openssl/newcerts/0B.pem b/testing/hosts/winnetou/etc/openssl/newcerts/0B.pem new file mode 100644 index 000000000..3c5c5d91d --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/newcerts/0B.pem @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEKjCCAxKgAwIBAgIBCzANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA1MDIxNzA4NDQzMFoXDTEwMDIxNjA4NDQzMFowZjELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xIDAeBgNVBAsTF0F1dGhv +cml6YXRpb24gQXV0aG9yaXR5MRowGAYDVQQDFBFhYUBzdHJvbmdzd2FuLm9yZzCC +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL2Czo4Mds6Jz15DWop6ExWI +wWt9zU8Xu//ow1F0Kf9a4DLjo8qO+km3gybByNQQv1LrZ1eq+82Gy4RYXU1FnhC6 +dc8aobDmUQkY/8uYXtUmevKF5QcbYciDLp01W1q0DONAlc/9wmvJWhvjs9itWOBC +fAUcH3eUNvMgkc7hlQTqreZTH4zyJ6M54JibkTsyfVg/1yOT41zUU3b+vI/r9kNB +CYcp2DrdhdxX6mEiSTyDA/OMlgvCa7kPinUL4FJtQOFBozCsGcD28ONLc8Abkggf +NABXCclPVAXOTawJF3dRWcMhIlNLWxWMVRvEt5OkAEdy/mXGBvtVArmGnmA+8zcC +AwEAAaOCAQIwgf8wCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFA+6 +5KwThPKc9Vxn0048uRThft1tMG0GA1UdIwRmMGSAFF2n3XAGUTJ+57Zts7Xl4GDq +Lk3voUmkRzBFMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dh +bjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBSb290IENBggEAMBwGA1UdEQQVMBOBEWFh +QHN0cm9uZ3N3YW4ub3JnMDkGA1UdHwQyMDAwLqAsoCqGKGh0dHA6Ly9jcmwuc3Ry +b25nc3dhbi5vcmcvc3Ryb25nc3dhbi5jcmwwDQYJKoZIhvcNAQEEBQADggEBAIeg +CjgR2yIGSuyrFolvEM/qoT3j+LpQREDZbx9BKr3kGmbqF75clwfpysJ4FlXZZ2CR +aH2GoPOZGXwsYc3poqGeeWSxo+fpt4XIGUc1eREXm1rKVMd+qb0u0PXuhq2+u1aY +ZJDY0yqUU2/7AInXjzG7lI120W+K6tuTM/5UVI5EPpAFwUVlCxnMh4Sl4VkgZ2Hw +YnO3/8SEHmHR03/GhOd5d8hD8a0AGHtdOPpZnUOR9PH5FszpQ/alUdn+NTdQ7O2v +Q8jqPCeQSAAkJbBBRvGA4bD6KXt1k74fXXUofiKWpQUozlO1Cc978Kfl5/do5bov +wTLSA/z7c8nVCVoZI9Y= +-----END CERTIFICATE----- diff --git a/testing/hosts/winnetou/etc/openssl/newcerts/0C.pem b/testing/hosts/winnetou/etc/openssl/newcerts/0C.pem new file mode 100644 index 000000000..c380a5110 --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/newcerts/0C.pem @@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIIDwTCCAqmgAwIBAgIBDDANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA1MDMyMzA2MjUzNloXDTE0MDMyMTA2MjUzNlowUTELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh +cmNoMRQwEgYDVQQDEwtSZXNlYXJjaCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBALY5sjqm4AdbWKc/T7JahWpy9xtdPbHngBN6lbnpYaHfrxnGsvmD +FCFZHCd7egRqQ/AuJHHcEv3DUdfJWWAypVnUvdlcp58hBjpxfTPXP9IDBxzQaQyU +zsExIGWOVUY2e7xJ5BKBnXVkok3htY4Hr1GdqNh+3LEmbegJBngTRSRx4PKJ54FO +/b78LUzB+rMxrzxw/lnI8jEmAtKlugQ7c9auMeFCz+NmlSfnSoWhHN5qm+0iNKy0 +C+25IuE8Nq+i3jtBiI8BwBqHY3u2IuflUh9Nc9d/R6vGsRPMHs30X1Ha/m0Ug494 ++wwqwfEBZRjzxMmMF/1SG4I1E3TDOJ3srjkCAwEAAaOBrzCBrDAPBgNVHRMBAf8E +BTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU53XwoPKtIM3NYCPMx8gPKfPd +VCAwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNV +BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJv +bmdTd2FuIFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQEFBQADggEBAA4jpa5Vc/q94/X1 +LAHO2m7v2AFPl68SwspZLbCL7Le+iv5BUQ814Y9qCXMySak+NpZ5RLzm/cC+3GCa +6eyozhZnS5LDxIgtStXWaC3vIQKQhJMwnc43RgcqneqqS5/H5zNXz/f0g/bRG8bN +T6nO0ZRdpy8Zu0+fH3f/u9/sQPRX3iNL/rd3x/UVLoowkQHdKzZfjcrFm+8CPl4r +9xOKjzC6epPY2ApfXmLodd0zemf84CKSJCXfkVlk0cYw1YLKUINnHToFfDAw0kCL +cVc7wHWZlzSVSE3u0PYXVssnsm08RWqAGPL3TO09fnUntNMzlIxNpOTuWsKVXZPq +YO2C4HE= +-----END CERTIFICATE----- diff --git a/testing/hosts/winnetou/etc/openssl/newcerts/0D.pem b/testing/hosts/winnetou/etc/openssl/newcerts/0D.pem new file mode 100644 index 000000000..e50477872 --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/newcerts/0D.pem @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDuzCCAqOgAwIBAgIBDTANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA1MDMyMzA2MjkxNloXDTE0MDMyMTA2MjkxNlowSzELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsTBVNhbGVz +MREwDwYDVQQDEwhTYWxlcyBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC +ggEBAMJOTSaZjDe5UR+hJbodcE40WBxWm+r0FiD+FLc2c0hH/QcWm1Xfqnc9qaPP +GoxO2BfwXgFEHfOdQzHGuthhsvdMPkmWP1Z3uDrwscqrmLyq4JI87exSen1ggmCV +Eib55T4fNxrTIGJaoe6Jn9v9ZwG2B+Ur3nFA/wdckSdqJxc6XL9DKcRk3TxZtv9S +uDftE9G787O6PJSyfyUYhldz1EZe5PTsUoAbBJ0DDXJx3562kDtfQdwezat0LAyO +sVabYq/0G/fBZwLLer4qGF2+3CsvP7jNXnhRYeSv2+4i2mAjgbBRI1A3iqoU3Nq1 +vPAqzrekOI/RV9Hre9L1r8X1dIECAwEAAaOBrzCBrDAPBgNVHRMBAf8EBTADAQH/ +MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUX5sTRvkgcsgA1Yi1p0wul+oLkygwbQYD +VR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNI +MRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2Fu +IFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQEFBQADggEBAJ7j3X20Q8ICJ2e+iUCpVUIV +8RudUeHt9qjSXalohuxxhegL5vu7I9Gx0H56RE4glOjLMCb1xqVZ55Odxx14pHaZ +9iMnQFpgzi96exYAmBKYCHl4IFix2hrTqTWSJhEO+o+PXnQTgcfG43GQepk0qAQr +iZZy8OWiUhHSJQLJtTMm4rnYjgPn+sLwx7hCPDZpHTZocETDars7wTiVkodCbeEU +uKahAbq4b6MvvC3+7quvwoEpAEStT7+Yml+QuK/jKmhjX0hcQcw4ZWi+m32RjUAv +xDJGEvBqV2hyrzRqwh4lVNJEBba5X+QB3N6a0So6BENaJrUM3v8EDaS2KLUWyu0= +-----END CERTIFICATE----- diff --git a/testing/hosts/winnetou/etc/openssl/newcerts/0E.pem b/testing/hosts/winnetou/etc/openssl/newcerts/0E.pem new file mode 100644 index 000000000..956c217d9 --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/newcerts/0E.pem @@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIIEFTCCAv2gAwIBAgIBDjANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA1MDYwODE5MTcxNFoXDTEwMDYwNzE5MTcxNFowSjELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xIDAeBgNVBAMTF3dpbm5l +dG91LnN0cm9uZ3N3YW4ub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +AQEAwBkz95BmByWVZaEW8cDbeuGr4C1caGAj4QPmuwaIriK+7XqXuh16Ahe3S5vZ +F56WhUSvMDOIyULckKH84oSa3Jx/SCz0g7X42x8vZuq92tpsjcP/u7BlyqpBUtLa +r14qm5wYw/1nQqMcSG3k9MQOQ+e9KgaGqpidxWM/8T4M/41AaFRBK2gQGBUULo26 +sjoq3af7Z2jYmWkP/kzj1CHLy9Mgt+UvhKeA+ag5cZnyOG596cqVjlKyqG7vdggk +wW2n+/KDpHNOndYfT7GMFeGXUNzJPkCImWlttic7ssi0mjP3q3MuOP3FNHIRMd2H +AcNcqT0bgdJHqnNzGv8C0Ei9XQIDAQABo4IBCTCCAQUwCQYDVR0TBAIwADALBgNV +HQ8EBAMCA6gwHQYDVR0OBBYEFEMS0mbhrA4zDvmfKf4MntUNxkH4MG0GA1UdIwRm +MGSAFF2n3XAGUTJ+57Zts7Xl4GDqLk3voUmkRzBFMQswCQYDVQQGEwJDSDEZMBcG +A1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBSb290 +IENBggEAMCIGA1UdEQQbMBmCF3dpbm5ldG91LnN0cm9uZ3N3YW4ub3JnMDkGA1Ud +HwQyMDAwLqAsoCqGKGh0dHA6Ly9jcmwuc3Ryb25nc3dhbi5vcmcvc3Ryb25nc3dh +bi5jcmwwDQYJKoZIhvcNAQEEBQADggEBACO4+j1Mwt/lbkopeSJst46uFh7OtegG +6IWNE30i3l3FIn9slSwAOMtmZR0hAF8sExvk61EPlzCR/d9trSJ5+gyjPkeF/enw +p61rxPMT13Grzomi9gYlk6Q/0zLmE9uYWEY69Q0bEIUcfdZfwB+F7kesa946JNMc +yHfVEhKtvzmns9ueG0S/8E+6MPDeJv+JHQ++SdWSvOVg6JNxXDGusnim2fjM2Aln +JmqA6iU4IaPl9DUCuXlLOVv/YhwhviNEbF94upyHq8xjOZdzPbKroHXg/2yvalAw +4aXc/ZsnFxqsq3i6a2Fj1Y4J7gYsNO/HwA0xvKz3loOTqHaJqO/qeow= +-----END CERTIFICATE----- diff --git a/testing/hosts/winnetou/etc/openssl/newcerts/0F.pem b/testing/hosts/winnetou/etc/openssl/newcerts/0F.pem new file mode 100644 index 000000000..154cff654 --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/newcerts/0F.pem @@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIIDwTCCAqmgAwIBAgIBDzANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA1MDYyMTE5NTgwNloXDTEwMDYyMDE5NTgwNlowUTELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh +cmNoMRQwEgYDVQQDEwtSZXNlYXJjaCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBALY5sjqm4AdbWKc/T7JahWpy9xtdPbHngBN6lbnpYaHfrxnGsvmD +FCFZHCd7egRqQ/AuJHHcEv3DUdfJWWAypVnUvdlcp58hBjpxfTPXP9IDBxzQaQyU +zsExIGWOVUY2e7xJ5BKBnXVkok3htY4Hr1GdqNh+3LEmbegJBngTRSRx4PKJ54FO +/b78LUzB+rMxrzxw/lnI8jEmAtKlugQ7c9auMeFCz+NmlSfnSoWhHN5qm+0iNKy0 +C+25IuE8Nq+i3jtBiI8BwBqHY3u2IuflUh9Nc9d/R6vGsRPMHs30X1Ha/m0Ug494 ++wwqwfEBZRjzxMmMF/1SG4I1E3TDOJ3srjkCAwEAAaOBrzCBrDAPBgNVHRMBAf8E +BTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU53XwoPKtIM3NYCPMx8gPKfPd +VCAwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNV +BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJv +bmdTd2FuIFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQEEBQADggEBAHArS2trQnBoMVcg +Br3HV78wYsa1MNAQCBAPhKMMd6EziO4FTwgNgecbKXpObX6ErFDgjtVTcLOMTvNX +fvZoNuPpdcitlgcWjfxZafNbj6j9ClE/rMbGDO64NLhdXuPVkbmic6yXRwGZpTuq +3CKgTguLvhzIEM47yfonXKaaJcKVPI7nYRZdlJmD4VflYrSUpzB361dCaPpl0AYa +0zz1+jfBBvlyic/tf+cCngV3f+GlJ4ntZ3gvRjyysHRmYpWBD7xcA8mJzgUiMyi1 +IKeNzydp+tnLfxwetfA/8ptc346me7RktAaASqO9vpS/N78eXyJRthZTKEf/OqVW +Tfcyi+M= +-----END CERTIFICATE----- diff --git a/testing/hosts/winnetou/etc/openssl/ocspCert.pem b/testing/hosts/winnetou/etc/openssl/ocspCert.pem new file mode 100644 index 000000000..6ca9a58a4 --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/ocspCert.pem @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEQzCCAyugAwIBAgIBCTANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA0MTExOTE2MjkyOFoXDTA5MTExODE2MjkyOFowZzELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHzAdBgNVBAsTFk9DU1Ag +U2lnbmluZyBBdXRob3JpdHkxHDAaBgNVBAMTE29jc3Auc3Ryb25nc3dhbi5vcmcw +ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCqJ0y0yhF4iEygd8M73wNC +8RO590BqiD3Z3x9/5GSVCgfm+ao4hcg6CogNGicu4ybzgPoHt0V/El4D8JRkM8QB +pg/R7WI4L1ndSZGgTHcQ1vViXGr4PUsIiUR/EgVCSFs8+6Z73J4bJeMomy27Hn9w +s4leHbrqK87btA2TETV3UlCaDXC6NF8321ZH+D+8OFQaQ0SqKrThKMVYSTf+QdpX +BlI9vtce1SyS6Kiy4WLdXAt8mO7x+UjaVEzFNyi6SXb9FAGVvO9OXi3+mxm9eK2g ++s1kA4jqDvL17JftvJLKzFZ5irEuTe2+wHdQbwtlOkW1JFAsGL4O+r4NIoBuMBZF +AgMBAAGjggEaMIIBFjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQU +iAcKuK7HwQdcvmhqxKV/gR83tVYwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXg +YOouTe+hSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdT +d2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3QgQ0GCAQAwHgYDVR0RBBcwFYIT +b2NzcC5zdHJvbmdzd2FuLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDCTA5BgNVHR8E +MjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW4u +Y3JsMA0GCSqGSIb3DQEBBAUAA4IBAQA4jOyh+neFCkXMZ1gK0o98qkBr3vYEO2a0 +wb2hDv8Alx6T5kwLgdhAzZ5urZpAdiWF3NWE+z9KnEWnpep9MRDXNM8uBglgBO2v +SAmV1BXNw2ZDe63w6QvQnezgUuWkrTShfduEDmb8j5jVdzoY+kTKwjLYHPG0Ec79 +Os3PPqXlfeUOkzWnhGVP2EtHCj8SppMdA/XIuwIq8aLN14SITi6gvo/cDMa5N6sT +Q/UBAOWsxbLReaD7l5OXnAJOg3t/RM36vpRqPseGaAgrKy8805QDU2RxsCHrxwzF +Wi/17J6nmX3e4PuwqPAI/4MsHlFdExRvSq/gXBN/Ib4AHGkUr0/q +-----END CERTIFICATE----- diff --git a/testing/hosts/winnetou/etc/openssl/ocspKey.pem b/testing/hosts/winnetou/etc/openssl/ocspKey.pem new file mode 100644 index 000000000..aa04e24c6 --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/ocspKey.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEogIBAAKCAQEAqidMtMoReIhMoHfDO98DQvETufdAaog92d8ff+RklQoH5vmq +OIXIOgqIDRonLuMm84D6B7dFfxJeA/CUZDPEAaYP0e1iOC9Z3UmRoEx3ENb1Ylxq ++D1LCIlEfxIFQkhbPPume9yeGyXjKJstux5/cLOJXh266ivO27QNkxE1d1JQmg1w +ujRfN9tWR/g/vDhUGkNEqiq04SjFWEk3/kHaVwZSPb7XHtUskuiosuFi3VwLfJju +8flI2lRMxTcoukl2/RQBlbzvTl4t/psZvXitoPrNZAOI6g7y9eyX7bySysxWeYqx +Lk3tvsB3UG8LZTpFtSRQLBi+Dvq+DSKAbjAWRQIDAQABAoIBAC9SnMfPR0qhhcY/ +aMIXBT4x9E2NUZIPcDxPDOCx8bNtxcLcfxYXRxe1ZB9YvbsRm/yvS1qoAyETR6iK +2YqAxyu6Nr4o6l879B9SXbkaayb40ehYUbvWuC6Ylr9MkL/dhdqRFr1uH17ni6T4 +e6CGG+WJWVQeqqSEKJT8H6Zea+NSQi9UOsVgKIMiXr52j3hj8LraH/4FoOPlgg3r +mqrVcQlDYLtt+cufpFJLGzJhTylqlWCRWA6nwKFl8zZqGNaCswKkC3Ql47vlAmQT +ETl4MMpVsmezC8OcursRmgPJzRudnGg6RLyfTff9b/wFmIujvJLYeN/ILRFvFGkq +kiIWNIUCgYEA27y3N6lHJ8ommqquoyAVfQpc5Y1gFFXoE8VzkO1ts5B0N6r2DVvy +DFUT3cSWdBOsF2MykTnyAC0dVXRXTCTEI2AqdmgITOzs3Ydr0XlOPmuM3dOO060F +I9x4GsCpVcV/zWBZfJyUhNQqxpozrWNvHVgxrEc8pjD29iMLf+EsP2cCgYEAxjvP +9uQjRxWv3/5ZVEOpBnecZe+ysg0CgK0zt+nogTAn7ET27FFeW8BjcR6g+r57n9cu +X6EGdxuLexwoqvt3dO/rBF74knTe4ElDzEhcAoxnZPnJrJ6aST0KZ7lGoX5UW7wp +eyW7HXKpd1THY40v7aHhaSr4362kMTFpPvxxrXMCgYAkDa2+Kz8qjyeQXwryZvQ/ +pPCjFXQ7QfEnNVGF6P8D5GK9M4bVoE1xqo/s5jGNcCDfYX5Nh8VmNADJIaKlMq8f +4sp0zRL3lDQ1EOAm6ZFl+n2NdAXOQ2hBfw4RzaS7FwGmL/Xe1U4lES7HkUuDWnpD +xVG5I6MW3ZfXwN5FKCv7ZwKBgByIVWmq8qzzoSnzeTYYuwZ0Ru2hL65TEw4kX/JT +16RoowZt8sCXAabhLS8GApO0wSSDm2gmTEDulQf2SKA7q7kII2KwrMSfz8imovyP +WbcAMI2nKnEPLxPllk7RqynpfgjqL2pLRwB5FY1YhY59ru1cRI6XodTIMH7oJsbr +HQ2jAoGADHlVLAf9hQTYMrLCaO4mjOlJwRa19e1l47o4Lt1H+cGh96Jc4i7Hfkmv +e/j/ZF4XqtjvmZIR2xevL2+/pPVuMYV0hEWyDQzoUgM6OXF4smSG3N+SrDTSmM8I +XE9Ohc2JL3IKWN8SarsTUCrqle7UakmbYTUJqH9bJwGyvm3Ro1o= +-----END RSA PRIVATE KEY----- diff --git a/testing/hosts/winnetou/etc/openssl/openssl.cnf b/testing/hosts/winnetou/etc/openssl/openssl.cnf new file mode 100644 index 000000000..dbe31abbd --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/openssl.cnf @@ -0,0 +1,182 @@ +# openssl.cnf - OpenSSL configuration file for the ZHW PKI +# Mario Strasser <mario.strasser@zhwin.ch> +# +# $Id: openssl.cnf,v 1.2 2005/08/15 21:25:22 as Exp $ +# + +# This definitions were set by the ca_init script DO NOT change +# them manualy. +CAHOME = /etc/openssl +RANDFILE = $CAHOME/.rand + +# Extra OBJECT IDENTIFIER info: +oid_section = new_oids + +[ new_oids ] +SmartcardLogin = 1.3.6.1.4.1.311.20.2 +ClientAuthentication = 1.3.6.1.4.1.311.20.2.2 + +#################################################################### + +[ ca ] +default_ca = root_ca # The default ca section + +#################################################################### + +[ root_ca ] + +dir = $CAHOME +certs = $dir/certs # Where the issued certs are kept +crl_dir = $dir/crl # Where the issued crl are kept +database = $dir/index.txt # database index file. +new_certs_dir = $dir/newcerts # default place for new certs. + +certificate = $dir/strongswanCert.pem # The CA certificate +serial = $dir/serial # The current serial number +crl = $dir/crl.pem # The current CRL +private_key = $dir/strongswanKey.pem # The private key +RANDFILE = $dir/.rand # private random number file + +x509_extensions = host_ext # The extentions to add to the cert + +crl_extensions = crl_ext # The extentions to add to the CRL + +default_days = 1825 # how long to certify for +default_crl_days= 30 # how long before next CRL +default_md = md5 # which md to use. +preserve = no # keep passed DN ordering +email_in_dn = no # allow/forbid EMail in DN + +policy = policy_match # specifying how similar the request must look + +#################################################################### + +# the 'match' policy +[ policy_match ] +countryName = match +stateOrProvinceName = optional +localityName = optional +organizationName = match +organizationalUnitName = optional +userId = optional +serialNumber = optional +commonName = supplied +emailAddress = optional + +# the 'anything' policy +[ policy_anything ] +countryName = optional +stateOrProvinceName = optional +localityName = optional +organizationName = optional +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +#################################################################### + +[ req ] +default_bits = 1024 +default_keyfile = privkey.pem +distinguished_name = req_distinguished_name +attributes = req_attributes +x509_extensions = ca_ext # The extentions to add to the self signed cert +# req_extensions = v3_req # The extensions to add to a certificate request + + +# This sets a mask for permitted string types. There are several options. +# default: PrintableString, T61String, BMPString. +# pkix : PrintableString, BMPString. +# utf8only: only UTF8Strings. +# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). +# MASK:XXXX a literal mask value. +# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings +# so use this option with caution! +string_mask = nombstr + +# req_extensions = v3_req # The extensions to add to a certificate request + +#################################################################### + +[ req_distinguished_name ] +countryName = Country Name (2 letter code) +countryName_default = CH +countryName_min = 2 +countryName_max = 2 + +#stateOrProvinceName = State or Province Name (full name) +#stateOrProvinceName_default = ZH + +#localityName = Locality Name (eg, city) +#localityName_default = Winterthur + +organizationName = Organization Name (eg, company) +organizationName_default = Linux strongSwan + +0.organizationalUnitName = Organizational Unit Name (eg, section) +#0.organizationalUnitName_default = Research + +#1.organizationalUnitName = Type (eg, Staff) +#1.organizationalUnitName_default = Staff + +#userId = UID + +commonName = Common Name (eg, YOUR name) +commonName_default = $ENV::COMMON_NAME +commonName_max = 64 + +#0.emailAddress = Email Address (eg, foo@bar.com) +#0.emailAddress_min = 0 +#0.emailAddress_max = 40 + +#1.emailAddress = Second Email Address (eg, foo@bar.com) +#1.emailAddress_min = 0 +#1.emailAddress_max = 40 + +#################################################################### + +[ req_attributes ] + +#################################################################### + +[ host_ext ] + +basicConstraints = CA:FALSE +keyUsage = digitalSignature, keyEncipherment, keyAgreement +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid, issuer:always +subjectAltName = DNS:$ENV::COMMON_NAME +#extendedKeyUsage = OCSPSigner +crlDistributionPoints = URI:http://crl.strongswan.org/strongswan.crl + +#################################################################### + +[ user_ext ] + +basicConstraints = CA:FALSE +keyUsage = digitalSignature, keyEncipherment, keyAgreement +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid, issuer:always +subjectAltName = email:$ENV::COMMON_NAME +crlDistributionPoints = URI:http://crl.strongswan.org/strongswan.crl + +#################################################################### + +[ ca_ext ] + +basicConstraints = critical, CA:TRUE +keyUsage = cRLSign, keyCertSign +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid, issuer:always + +#################################################################### + +[ crl_ext ] + +# CRL extensions. +# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. + +#issuerAltName = issuer:copy +authorityKeyIdentifier = keyid:always, issuer:always + +# eof diff --git a/testing/hosts/winnetou/etc/openssl/research/.rand b/testing/hosts/winnetou/etc/openssl/research/.rand Binary files differnew file mode 100644 index 000000000..7479c2979 --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/research/.rand diff --git a/testing/hosts/winnetou/etc/openssl/research/carolReq.pem b/testing/hosts/winnetou/etc/openssl/research/carolReq.pem new file mode 100644 index 000000000..f2a6b5c22 --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/research/carolReq.pem @@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICnzCCAYcCAQAwWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u +Z1N3YW4xETAPBgNVBAsTCFJlc2VhcmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdz +d2FuLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM+oTiV7lCh1 +ID41edDUgUjRdZwEMPBAM1xDqoxJxIJpug8UIuuUL0TvQnZ4Z5fa/9QNNCkQ7FDh +8ZcR+TT8x0mOdYYA73mMQic0n4O57F+s/lESKvIoN+vIDR3rGJBv9rYztS4ODE+D +Jl9XK9TtId5u57jfXu/k3IYl5GeQ3f+ic2l2Ola70t70Op6cFDZIhOCjs2xWw2yq +GdPWODaN/Enw5fOLv/om+7HHB4KgPGv4p4ohWIUCo2XK597Ii+jB2MdOUlG83/1a +X7+M+IeYVwjIhzWjwRQfMz0AQha0HYN4cvrZ7stUluMxewsCROCBzcGQYTZxYU4F +jR8nhH4ApYMCAwEAAaAAMA0GCSqGSIb3DQEBBAUAA4IBAQA9OKM8HKu5Fp/HRsdS +3Z/tuLVjwijVq/OIge1PnoW7Ri2hnTpWeaWcU2wIexsxPJR6kYwqp9NfxM73uUUU +e/ROCU+kZxSuzfV3SMMI8bsjufuldxKUXs1B8Nit1Qkhhj1/4uN6FRzQ5E9vz0Yf +OuVVJxMIEgQRdBTcZ8Cuf23Mcq+sBa/2OXD/y6WTUNrXvjTjmGWv1LnryB6Ro8se +ndI7bIiMZ/sSOrhOWrii/655bpUSYIb0RCzOnbdNAevbn/bLMEpj0qiDSam88Y/6 +FIY5sDCsdlpHsI2vkIrvPo4PUE+yzBhezmrLbVoiHjVoZhr1h091777Bomg/oUxv +beEk +-----END CERTIFICATE REQUEST----- diff --git a/testing/hosts/winnetou/etc/openssl/research/index.txt b/testing/hosts/winnetou/etc/openssl/research/index.txt new file mode 100644 index 000000000..4bd650072 --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/research/index.txt @@ -0,0 +1,2 @@ +V 100322070423Z 01 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org +V 100615195710Z 02 unknown /C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA diff --git a/testing/hosts/winnetou/etc/openssl/research/index.txt.attr b/testing/hosts/winnetou/etc/openssl/research/index.txt.attr new file mode 100644 index 000000000..8f7e63a34 --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/research/index.txt.attr @@ -0,0 +1 @@ +unique_subject = yes diff --git a/testing/hosts/winnetou/etc/openssl/research/index.txt.attr.old b/testing/hosts/winnetou/etc/openssl/research/index.txt.attr.old new file mode 100644 index 000000000..8f7e63a34 --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/research/index.txt.attr.old @@ -0,0 +1 @@ +unique_subject = yes diff --git a/testing/hosts/winnetou/etc/openssl/research/index.txt.old b/testing/hosts/winnetou/etc/openssl/research/index.txt.old new file mode 100644 index 000000000..148bab7d6 --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/research/index.txt.old @@ -0,0 +1 @@ +V 100322070423Z 01 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org diff --git a/testing/hosts/winnetou/etc/openssl/research/newcerts/01.pem b/testing/hosts/winnetou/etc/openssl/research/newcerts/01.pem new file mode 100644 index 000000000..2990d6a12 --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/research/newcerts/01.pem @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIELDCCAxSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS +BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTA1MDMyMzA3MDQyM1oXDTEwMDMyMjA3MDQy +M1owWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP +BgNVBAsTCFJlc2VhcmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCC +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM+oTiV7lCh1ID41edDUgUjR +dZwEMPBAM1xDqoxJxIJpug8UIuuUL0TvQnZ4Z5fa/9QNNCkQ7FDh8ZcR+TT8x0mO +dYYA73mMQic0n4O57F+s/lESKvIoN+vIDR3rGJBv9rYztS4ODE+DJl9XK9TtId5u +57jfXu/k3IYl5GeQ3f+ic2l2Ola70t70Op6cFDZIhOCjs2xWw2yqGdPWODaN/Enw +5fOLv/om+7HHB4KgPGv4p4ohWIUCo2XK597Ii+jB2MdOUlG83/1aX7+M+IeYVwjI +hzWjwRQfMz0AQha0HYN4cvrZ7stUluMxewsCROCBzcGQYTZxYU4FjR8nhH4ApYMC +AwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSL +qNn96rsWg0kOJY/cyXD2JpnPIjBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p +891UIKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3 +YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBDDAfBgNVHREEGDAWgRRj +YXJvbEBzdHJvbmdzd2FuLm9yZzA3BgNVHR8EMDAuMCygKqAohiZodHRwOi8vY3Js +LnN0cm9uZ3N3YW4ub3JnL3Jlc2VhcmNoLmNybDANBgkqhkiG9w0BAQUFAAOCAQEA +FNPepmta0ac9TWe7Gl31fKkuf6ZiQftMwx/uq6PoX9PBVGeooktJMo+EiROQhL3N +Zomtl2nLfxYruXPHa7YaMWyv4+3NkV9p7jseC1K/2lCXipY4Vp8u14hqlRLCTejp +7uC/0+628e+qXlCm8wafDb9/JXzQar7rADhoLp7gJKI2PKMAzLUP2xZVzY5zx57G ++OCR/ZXonVeAPy9/0g9N8uQzJEXOVZYMjsoRra9rdlvnY1DgDoAK7QvJMC4VzENm +wKmz2rPrBlKaEcivubg7dwPMGNmb3f7F7w0HHuRbQd5Y0nDfEWBKCp0bVx1GLc7/ +MWjwPJs52qVJ3Ph++EF6bw== +-----END CERTIFICATE----- diff --git a/testing/hosts/winnetou/etc/openssl/research/newcerts/02.pem b/testing/hosts/winnetou/etc/openssl/research/newcerts/02.pem new file mode 100644 index 000000000..90e207c4b --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/research/newcerts/02.pem @@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIIEADCCAuigAwIBAgIBAjANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS +BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTA1MDYxNjE5NTcxMFoXDTEwMDYxNTE5NTcx +MFowSzELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAM +BgNVBAsTBVNhbGVzMREwDwYDVQQDEwhTYWxlcyBDQTCCASIwDQYJKoZIhvcNAQEB +BQADggEPADCCAQoCggEBAMJOTSaZjDe5UR+hJbodcE40WBxWm+r0FiD+FLc2c0hH +/QcWm1Xfqnc9qaPPGoxO2BfwXgFEHfOdQzHGuthhsvdMPkmWP1Z3uDrwscqrmLyq +4JI87exSen1ggmCVEib55T4fNxrTIGJaoe6Jn9v9ZwG2B+Ur3nFA/wdckSdqJxc6 +XL9DKcRk3TxZtv9SuDftE9G787O6PJSyfyUYhldz1EZe5PTsUoAbBJ0DDXJx3562 +kDtfQdwezat0LAyOsVabYq/0G/fBZwLLer4qGF2+3CsvP7jNXnhRYeSv2+4i2mAj +gbBRI1A3iqoU3Nq1vPAqzrekOI/RV9Hre9L1r8X1dIECAwEAAaOB6DCB5TAPBgNV +HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUX5sTRvkgcsgA1Yi1 +p0wul+oLkygwbQYDVR0jBGYwZIAU53XwoPKtIM3NYCPMx8gPKfPdVCChSaRHMEUx +CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQD +ExJzdHJvbmdTd2FuIFJvb3QgQ0GCAQwwNwYDVR0fBDAwLjAsoCqgKIYmaHR0cDov +L2NybC5zdHJvbmdzd2FuLm9yZy9yZXNlYXJjaC5jcmwwDQYJKoZIhvcNAQEFBQAD +ggEBAJW0/z17JK38rsn8zh0Ta+9Ql5fcA9UIUGcN/KfCvdGwrYaym8Dy6Pz+sZkO +clOv5t+3R1zKDiiLGQ4m8jYW6NcxeJZyyPhGtKaafanXZsQuMpaTpvkRr62jx/NB +b3c/HS3dqz2dTMvFJ6CC65vOnnGgzF1szhrrWymGI/NuHUge748WYPNw+OsLmBQI +koXJsMURGtPWXtJE98Rre+r/6O5kzZNv7V8LGoBkWf1Z6g1q2VvCcnJPxANcQoxf +Is+E+aqBhGJ6XlnQIlQB1SjoMhOnJ282JK9Hk3NmQYb/zvIzIfo3FCrjj1JI/XoA +/szZoxwnE2iHtIoMAhfHZpRvOkg= +-----END CERTIFICATE----- diff --git a/testing/hosts/winnetou/etc/openssl/research/openssl.cnf b/testing/hosts/winnetou/etc/openssl/research/openssl.cnf new file mode 100644 index 000000000..b5afd3d2e --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/research/openssl.cnf @@ -0,0 +1,181 @@ +# openssl.cnf - OpenSSL configuration file for the ZHW PKI +# Mario Strasser <mario.strasser@zhwin.ch> +# +# $Id: openssl.cnf,v 1.1 2005/03/24 11:24:07 as Exp $ +# + +# This definitions were set by the ca_init script DO NOT change +# them manualy. +CAHOME = /etc/openssl/research +RANDFILE = $CAHOME/.rand + +# Extra OBJECT IDENTIFIER info: +oid_section = new_oids + +[ new_oids ] +SmartcardLogin = 1.3.6.1.4.1.311.20.2 +ClientAuthentication = 1.3.6.1.4.1.311.20.2.2 + +#################################################################### + +[ ca ] +default_ca = root_ca # The default ca section + +#################################################################### + +[ root_ca ] + +dir = $CAHOME +certs = $dir/certs # Where the issued certs are kept +crl_dir = $dir/crl # Where the issued crl are kept +database = $dir/index.txt # database index file. +new_certs_dir = $dir/newcerts # default place for new certs. + +certificate = $dir/researchCert.pem # The CA certificate +serial = $dir/serial # The current serial number +crl = $dir/crl.pem # The current CRL +private_key = $dir/researchKey.pem # The private key +RANDFILE = $dir/.rand # private random number file + +x509_extensions = host_ext # The extentions to add to the cert + +crl_extensions = crl_ext # The extentions to add to the CRL + +default_days = 1825 # how long to certify for +default_crl_days= 30 # how long before next CRL +default_md = sha1 # which md to use. +preserve = no # keep passed DN ordering +email_in_dn = no # allow/forbid EMail in DN + +policy = policy_match # specifying how similar the request must look + +#################################################################### + +# the 'match' policy +[ policy_match ] +countryName = match +stateOrProvinceName = optional +localityName = optional +organizationName = match +organizationalUnitName = optional +userId = optional +commonName = supplied +emailAddress = optional + +# the 'anything' policy +[ policy_anything ] +countryName = optional +stateOrProvinceName = optional +localityName = optional +organizationName = optional +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +#################################################################### + +[ req ] +default_bits = 1024 +default_keyfile = privkey.pem +distinguished_name = req_distinguished_name +attributes = req_attributes +x509_extensions = ca_ext # The extentions to add to the self signed cert +# req_extensions = v3_req # The extensions to add to a certificate request + + +# This sets a mask for permitted string types. There are several options. +# default: PrintableString, T61String, BMPString. +# pkix : PrintableString, BMPString. +# utf8only: only UTF8Strings. +# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). +# MASK:XXXX a literal mask value. +# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings +# so use this option with caution! +string_mask = nombstr + +# req_extensions = v3_req # The extensions to add to a certificate request + +#################################################################### + +[ req_distinguished_name ] +countryName = Country Name (2 letter code) +countryName_default = CH +countryName_min = 2 +countryName_max = 2 + +#stateOrProvinceName = State or Province Name (full name) +#stateOrProvinceName_default = ZH + +#localityName = Locality Name (eg, city) +#localityName_default = Winterthur + +organizationName = Organization Name (eg, company) +organizationName_default = Linux strongSwan + +0.organizationalUnitName = Organizational Unit Name (eg, section) +0.organizationalUnitName_default = Research + +#1.organizationalUnitName = Type (eg, Staff) +#1.organizationalUnitName_default = Staff + +#userId = UID + +commonName = Common Name (eg, YOUR name) +commonName_default = $ENV::COMMON_NAME +commonName_max = 64 + +#0.emailAddress = Email Address (eg, foo@bar.com) +#0.emailAddress_min = 0 +#0.emailAddress_max = 40 + +#1.emailAddress = Second Email Address (eg, foo@bar.com) +#1.emailAddress_min = 0 +#1.emailAddress_max = 40 + +#################################################################### + +[ req_attributes ] + +#################################################################### + +[ host_ext ] + +basicConstraints = CA:FALSE +keyUsage = digitalSignature, keyEncipherment, keyAgreement +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid, issuer:always +subjectAltName = DNS:$ENV::COMMON_NAME +#extendedKeyUsage = OCSPSigner +crlDistributionPoints = URI:http://crl.strongswan.org/research.crl + +#################################################################### + +[ user_ext ] + +basicConstraints = CA:FALSE +keyUsage = digitalSignature, keyEncipherment, keyAgreement +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid, issuer:always +subjectAltName = email:$ENV::COMMON_NAME +crlDistributionPoints = URI:http://crl.strongswan.org/research.crl + +#################################################################### + +[ ca_ext ] + +basicConstraints = critical, CA:TRUE +keyUsage = cRLSign, keyCertSign +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid, issuer:always + +#################################################################### + +[ crl_ext ] + +# CRL extensions. +# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. + +#issuerAltName = issuer:copy +authorityKeyIdentifier = keyid:always, issuer:always + +# eof diff --git a/testing/hosts/winnetou/etc/openssl/research/researchCert.der b/testing/hosts/winnetou/etc/openssl/research/researchCert.der Binary files differnew file mode 100644 index 000000000..2a52f620d --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/research/researchCert.der diff --git a/testing/hosts/winnetou/etc/openssl/research/researchCert.pem b/testing/hosts/winnetou/etc/openssl/research/researchCert.pem new file mode 100644 index 000000000..154cff654 --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/research/researchCert.pem @@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIIDwTCCAqmgAwIBAgIBDzANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA1MDYyMTE5NTgwNloXDTEwMDYyMDE5NTgwNlowUTELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh +cmNoMRQwEgYDVQQDEwtSZXNlYXJjaCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBALY5sjqm4AdbWKc/T7JahWpy9xtdPbHngBN6lbnpYaHfrxnGsvmD +FCFZHCd7egRqQ/AuJHHcEv3DUdfJWWAypVnUvdlcp58hBjpxfTPXP9IDBxzQaQyU +zsExIGWOVUY2e7xJ5BKBnXVkok3htY4Hr1GdqNh+3LEmbegJBngTRSRx4PKJ54FO +/b78LUzB+rMxrzxw/lnI8jEmAtKlugQ7c9auMeFCz+NmlSfnSoWhHN5qm+0iNKy0 +C+25IuE8Nq+i3jtBiI8BwBqHY3u2IuflUh9Nc9d/R6vGsRPMHs30X1Ha/m0Ug494 ++wwqwfEBZRjzxMmMF/1SG4I1E3TDOJ3srjkCAwEAAaOBrzCBrDAPBgNVHRMBAf8E +BTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU53XwoPKtIM3NYCPMx8gPKfPd +VCAwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNV +BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJv +bmdTd2FuIFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQEEBQADggEBAHArS2trQnBoMVcg +Br3HV78wYsa1MNAQCBAPhKMMd6EziO4FTwgNgecbKXpObX6ErFDgjtVTcLOMTvNX +fvZoNuPpdcitlgcWjfxZafNbj6j9ClE/rMbGDO64NLhdXuPVkbmic6yXRwGZpTuq +3CKgTguLvhzIEM47yfonXKaaJcKVPI7nYRZdlJmD4VflYrSUpzB361dCaPpl0AYa +0zz1+jfBBvlyic/tf+cCngV3f+GlJ4ntZ3gvRjyysHRmYpWBD7xcA8mJzgUiMyi1 +IKeNzydp+tnLfxwetfA/8ptc346me7RktAaASqO9vpS/N78eXyJRthZTKEf/OqVW +Tfcyi+M= +-----END CERTIFICATE----- diff --git a/testing/hosts/winnetou/etc/openssl/research/researchKey.pem b/testing/hosts/winnetou/etc/openssl/research/researchKey.pem new file mode 100644 index 000000000..5e6f030f9 --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/research/researchKey.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEogIBAAKCAQEAtjmyOqbgB1tYpz9PslqFanL3G109seeAE3qVuelhod+vGcay ++YMUIVkcJ3t6BGpD8C4kcdwS/cNR18lZYDKlWdS92VynnyEGOnF9M9c/0gMHHNBp +DJTOwTEgZY5VRjZ7vEnkEoGddWSiTeG1jgevUZ2o2H7csSZt6AkGeBNFJHHg8onn +gU79vvwtTMH6szGvPHD+WcjyMSYC0qW6BDtz1q4x4ULP42aVJ+dKhaEc3mqb7SI0 +rLQL7bki4Tw2r6LeO0GIjwHAGodje7Yi5+VSH01z139Hq8axE8wezfRfUdr+bRSD +j3j7DCrB8QFlGPPEyYwX/VIbgjUTdMM4neyuOQIDAQABAoIBAA0xhjb66BOASJ3r +VpDaPvijFEMV8CaWVU6TvI12WUxIDrx2B3VLSUTU19X/+aiiLQMRxC++OF3JK37N +JDxzzkb/wTMgoz5BPNs0ZlU/i25gK76pVEHF8GZKcUcJFCF+Rl0umGXCnqzmOV4c +LnH3Gnl1SclK/h2RY7m+FYrSElp+COHYBnW0agLIfRv/fF/1yApBP6jGegEFXp5z +ZEwmmS2GbjVRq7ClqXfadQaPwRmGuueChq9S0DaY2z6/EAQJM/mHZYkeZGNTJqTk +KWY0RmFZlCXRIxs+hG1agPZ/jdRwnxghPDcpnNZHKXLyoQhUa9oXn+RuUxPdK/s3 +9nB30xECgYEA6snKErKb04Sj6sB0/ONMK3OENVcbBYZlhyzymuSgpFY8FhhyDFIG +H80eMGzlusvrBfV7OfJd17Mwuy0H3WBSGapbqXUa/vNc37VSGCiTObz/5RDhyU1N +6zq5RZKPVDgnJ3VBTEr8Ito6b5iZWtyaRw0e4Xv1K0tdQPTLe2TaAEUCgYEAxrA6 +A94jBZWMwrXrUa7DCi0Y7BPh8hbZwHH1qEr8xNALnXGHSA5BbhjqLkYCWP5GlvrC +G0TNrX1SMTv739wQL/GqvLTM1Jc/jrmPkLBymLNyweaKBXFt1qJDOdvtMwZdDo0y +9hKXfyCDMURi3JhP/GLzA3bUruw28njZYgWI92UCgYBSKHyKoG+Ay7hkTCZj29Hq +noiT9cAh5c6fR645X2mLOBXckX9PKmC0Ph2jSmf1PqgmNKmDNHl8IlsaFH7dC3iP +PJrIqI7iyhwkuBlbFM+385gD+y1XOLLcbncojkmTafbhitlnrhGezIiIRnjbX7io +xkGZG7xGAyBFu6N8sWTLlQKBgHdPN2c/KxSdWytJBofEQ8aGkiKhRdqTsiqHxBZN +AUBGFdNzauLv/IZaW7VxwNMjzcu3xHuPc1qsmICMHpGsmePQYNB0WVOHh1jzQKyH +6CieCVk6UMM3+9cZFPlXgTZUqeilDWcKfwKNyXn6MMt6gv1xhbAc2VY47j3oJ9Fe +tYKpAoGAAWY1MTen71hatSFA7UGweuTqok5vhp0CPtGwCXLNHUcEhy1Fc640EO9i +8i35fLA79haYWgpZ+GvrW9eYLPB8djidGSfzajc5C2CITHOrDQ6YQzKhwLjRHvB5 +gFQ8pdzFiXmSEvtfRwhoJvW19wdCZZx41VZ554ILOYrjtkntOB8= +-----END RSA PRIVATE KEY----- diff --git a/testing/hosts/winnetou/etc/openssl/research/serial b/testing/hosts/winnetou/etc/openssl/research/serial new file mode 100644 index 000000000..75016ea36 --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/research/serial @@ -0,0 +1 @@ +03 diff --git a/testing/hosts/winnetou/etc/openssl/research/serial.old b/testing/hosts/winnetou/etc/openssl/research/serial.old new file mode 100644 index 000000000..9e22bcb8e --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/research/serial.old @@ -0,0 +1 @@ +02 diff --git a/testing/hosts/winnetou/etc/openssl/sales/.rand b/testing/hosts/winnetou/etc/openssl/sales/.rand Binary files differnew file mode 100644 index 000000000..dd489598f --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/sales/.rand diff --git a/testing/hosts/winnetou/etc/openssl/sales/index.txt b/testing/hosts/winnetou/etc/openssl/sales/index.txt new file mode 100644 index 000000000..5093b34e9 --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/sales/index.txt @@ -0,0 +1,2 @@ +V 100322071017Z 01 unknown /C=CH/O=Linux strongSwan/OU=Sales/CN=dave@strongswan.org +V 100615195536Z 02 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=Research CA diff --git a/testing/hosts/winnetou/etc/openssl/sales/index.txt.attr b/testing/hosts/winnetou/etc/openssl/sales/index.txt.attr new file mode 100644 index 000000000..8f7e63a34 --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/sales/index.txt.attr @@ -0,0 +1 @@ +unique_subject = yes diff --git a/testing/hosts/winnetou/etc/openssl/sales/index.txt.old b/testing/hosts/winnetou/etc/openssl/sales/index.txt.old new file mode 100644 index 000000000..7378ebb8a --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/sales/index.txt.old @@ -0,0 +1 @@ +V 100322071017Z 01 unknown /C=CH/O=Linux strongSwan/OU=Sales/CN=dave@strongswan.org diff --git a/testing/hosts/winnetou/etc/openssl/sales/newcerts/01.pem b/testing/hosts/winnetou/etc/openssl/sales/newcerts/01.pem new file mode 100644 index 000000000..b76032480 --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/sales/newcerts/01.pem @@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIIEHDCCAwSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBLMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEOMAwGA1UECxMFU2FsZXMxETAPBgNV +BAMTCFNhbGVzIENBMB4XDTA1MDMyMzA3MTAxN1oXDTEwMDMyMjA3MTAxN1owVjEL +MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsT +BVNhbGVzMRwwGgYDVQQDFBNkYXZlQHN0cm9uZ3N3YW4ub3JnMIIBIjANBgkqhkiG +9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyqAR0itGIuSt/RR8IHjFTLH/lywprmHUw0GS +zZwo/q4AE4v6OeWRG3JUUg44K40yBwr7zvcsLztRTfbNqlt7o+Hjpo3kz0AMwDo+ +1V42Qkh61VJW1P0NQvkgjiQn+ElSMg1u3uiYCIMAhYMYo2ZMKxHXxRqjU79AVuJN +P3p8wUpfwReImAy3/n685YbSzWcbPqCfjRH/YrnYS8Ga7m/QzdNfrtxhAWAGow1+ ++eTSMvLXSkQeujU6OCJNOPUNB3nnJ1IoZrQm8wNP8Y5B5HzvOSyFEvNuHFc63gSP +aSRhuz0gubuMpr1d9Rgjny8JgsfCEbOktlKwnbFeSB8AAgVMjwIDAQABo4H/MIH8 +MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSCy57rUdNRbytUkRGY +GjmjvXfIszBtBgNVHSMEZjBkgBRfmxNG+SByyADViLWnTC6X6guTKKFJpEcwRTEL +MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT +EnN0cm9uZ1N3YW4gUm9vdCBDQYIBDTAeBgNVHREEFzAVgRNkYXZlQHN0cm9uZ3N3 +YW4ub3JnMDQGA1UdHwQtMCswKaAnoCWGI2h0dHA6Ly9jcmwuc3Ryb25nc3dhbi5v +cmcvc2FsZXMuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQB+BknSxFKaDhbRVobOAU2P +p9cirkVCitoZrvK2QIS/7WRoqy85RQ+zorJb3jyTxQl4Pu9Qrap9Zn0H8GQXGlQw +ZJqdDqRaIa4nCc57qP5DsuQKIQRxc1QMCiWyIRAESn+r8IbxLbjvEd7ZXNsieip6 +Q15uUZldjTveHVi89i9oFWS1nWo4SV+tJaEqPBvsTZZKBPAEu6+7lRzbJ4ukzRsA +DjuvmaPNUTyf21fD66I4sgrwgxoPhZ7r6qsqISJ5f0EzTXgYNi1yk/TXoAaot3c/ +Gu5+iyO/espV6kPADSOzPSFwsGHYG4kXi1VY0Z7x6UnjQSdEelOBplJ5XYDzEn4+ +-----END CERTIFICATE----- diff --git a/testing/hosts/winnetou/etc/openssl/sales/newcerts/02.pem b/testing/hosts/winnetou/etc/openssl/sales/newcerts/02.pem new file mode 100644 index 000000000..efb939e3a --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/sales/newcerts/02.pem @@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIID/TCCAuWgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBLMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEOMAwGA1UECxMFU2FsZXMxETAPBgNV +BAMTCFNhbGVzIENBMB4XDTA1MDYxNjE5NTUzNloXDTEwMDYxNTE5NTUzNlowUTEL +MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsT +CFJlc2VhcmNoMRQwEgYDVQQDEwtSZXNlYXJjaCBDQTCCASIwDQYJKoZIhvcNAQEB +BQADggEPADCCAQoCggEBALY5sjqm4AdbWKc/T7JahWpy9xtdPbHngBN6lbnpYaHf +rxnGsvmDFCFZHCd7egRqQ/AuJHHcEv3DUdfJWWAypVnUvdlcp58hBjpxfTPXP9ID +BxzQaQyUzsExIGWOVUY2e7xJ5BKBnXVkok3htY4Hr1GdqNh+3LEmbegJBngTRSRx +4PKJ54FO/b78LUzB+rMxrzxw/lnI8jEmAtKlugQ7c9auMeFCz+NmlSfnSoWhHN5q +m+0iNKy0C+25IuE8Nq+i3jtBiI8BwBqHY3u2IuflUh9Nc9d/R6vGsRPMHs30X1Ha +/m0Ug494+wwqwfEBZRjzxMmMF/1SG4I1E3TDOJ3srjkCAwEAAaOB5TCB4jAPBgNV +HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU53XwoPKtIM3NYCPM +x8gPKfPdVCAwbQYDVR0jBGYwZIAUX5sTRvkgcsgA1Yi1p0wul+oLkyihSaRHMEUx +CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQD +ExJzdHJvbmdTd2FuIFJvb3QgQ0GCAQ0wNAYDVR0fBC0wKzApoCegJYYjaHR0cDov +L2NybC5zdHJvbmdzd2FuLm9yZy9zYWxlcy5jcmwwDQYJKoZIhvcNAQEFBQADggEB +AJ2EkXnpgdJpsBIMcH+3oTUks8gAT5bR+LdVQSMHqvjgfaCq5fuZY15niLm5QeFr +Yhv2KtfHfF+tZgE+qWcqS33Y2U/jwUMO45Wqi5HXQDk8AM/gcvQZ8+PINkGdVdup +Wyw3MM08S/fp8UUl/3QrDr+CBGqZCSx3LEIFILm2hvdXK1/okAtkwlKV4YiOEemg +pZURzA2M29FeGDS8snfiVYFBkydT9QrrHnx8IwyVGykfOA4tnjRsjTvcs0qhtLcL +rjK2FSmzBTCVl6/lBOYmB765KUHev6WF4hdMKHf7lsH2nhYb97jxoT54y73jVd1S +uaJ2yDwEhOHn3ihb1bqlanM= +-----END CERTIFICATE----- diff --git a/testing/hosts/winnetou/etc/openssl/sales/openssl.cnf b/testing/hosts/winnetou/etc/openssl/sales/openssl.cnf new file mode 100644 index 000000000..adb204bc2 --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/sales/openssl.cnf @@ -0,0 +1,181 @@ +# openssl.cnf - OpenSSL configuration file for the ZHW PKI +# Mario Strasser <mario.strasser@zhwin.ch> +# +# $Id: openssl.cnf,v 1.1 2005/03/24 11:24:07 as Exp $ +# + +# This definitions were set by the ca_init script DO NOT change +# them manualy. +CAHOME = /etc/openssl/sales +RANDFILE = $CAHOME/.rand + +# Extra OBJECT IDENTIFIER info: +oid_section = new_oids + +[ new_oids ] +SmartcardLogin = 1.3.6.1.4.1.311.20.2 +ClientAuthentication = 1.3.6.1.4.1.311.20.2.2 + +#################################################################### + +[ ca ] +default_ca = root_ca # The default ca section + +#################################################################### + +[ root_ca ] + +dir = $CAHOME +certs = $dir/certs # Where the issued certs are kept +crl_dir = $dir/crl # Where the issued crl are kept +database = $dir/index.txt # database index file. +new_certs_dir = $dir/newcerts # default place for new certs. + +certificate = $dir/salesCert.pem # The CA certificate +serial = $dir/serial # The current serial number +crl = $dir/crl.pem # The current CRL +private_key = $dir/salesKey.pem # The private key +RANDFILE = $dir/.rand # private random number file + +x509_extensions = host_ext # The extentions to add to the cert + +crl_extensions = crl_ext # The extentions to add to the CRL + +default_days = 1825 # how long to certify for +default_crl_days= 30 # how long before next CRL +default_md = sha1 # which md to use. +preserve = no # keep passed DN ordering +email_in_dn = no # allow/forbid EMail in DN + +policy = policy_match # specifying how similar the request must look + +#################################################################### + +# the 'match' policy +[ policy_match ] +countryName = match +stateOrProvinceName = optional +localityName = optional +organizationName = match +organizationalUnitName = optional +userId = optional +commonName = supplied +emailAddress = optional + +# the 'anything' policy +[ policy_anything ] +countryName = optional +stateOrProvinceName = optional +localityName = optional +organizationName = optional +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +#################################################################### + +[ req ] +default_bits = 1024 +default_keyfile = privkey.pem +distinguished_name = req_distinguished_name +attributes = req_attributes +x509_extensions = ca_ext # The extentions to add to the self signed cert +# req_extensions = v3_req # The extensions to add to a certificate request + + +# This sets a mask for permitted string types. There are several options. +# default: PrintableString, T61String, BMPString. +# pkix : PrintableString, BMPString. +# utf8only: only UTF8Strings. +# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings). +# MASK:XXXX a literal mask value. +# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings +# so use this option with caution! +string_mask = nombstr + +# req_extensions = v3_req # The extensions to add to a certificate request + +#################################################################### + +[ req_distinguished_name ] +countryName = Country Name (2 letter code) +countryName_default = CH +countryName_min = 2 +countryName_max = 2 + +#stateOrProvinceName = State or Province Name (full name) +#stateOrProvinceName_default = ZH + +#localityName = Locality Name (eg, city) +#localityName_default = Winterthur + +organizationName = Organization Name (eg, company) +organizationName_default = Linux strongSwan + +0.organizationalUnitName = Organizational Unit Name (eg, section) +0.organizationalUnitName_default = Sales + +#1.organizationalUnitName = Type (eg, Staff) +#1.organizationalUnitName_default = Staff + +#userId = UID + +commonName = Common Name (eg, YOUR name) +commonName_default = $ENV::COMMON_NAME +commonName_max = 64 + +#0.emailAddress = Email Address (eg, foo@bar.com) +#0.emailAddress_min = 0 +#0.emailAddress_max = 40 + +#1.emailAddress = Second Email Address (eg, foo@bar.com) +#1.emailAddress_min = 0 +#1.emailAddress_max = 40 + +#################################################################### + +[ req_attributes ] + +#################################################################### + +[ host_ext ] + +basicConstraints = CA:FALSE +keyUsage = digitalSignature, keyEncipherment, keyAgreement +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid, issuer:always +subjectAltName = DNS:$ENV::COMMON_NAME +#extendedKeyUsage = OCSPSigner +crlDistributionPoints = URI:http://crl.strongswan.org/sales.crl + +#################################################################### + +[ user_ext ] + +basicConstraints = CA:FALSE +keyUsage = digitalSignature, keyEncipherment, keyAgreement +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid, issuer:always +subjectAltName = email:$ENV::COMMON_NAME +crlDistributionPoints = URI:http://crl.strongswan.org/sales.crl + +#################################################################### + +[ ca_ext ] + +basicConstraints = critical, CA:TRUE +keyUsage = cRLSign, keyCertSign +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid, issuer:always + +#################################################################### + +[ crl_ext ] + +# CRL extensions. +# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL. + +#issuerAltName = issuer:copy +authorityKeyIdentifier = keyid:always, issuer:always + +# eof diff --git a/testing/hosts/winnetou/etc/openssl/sales/salesCert.der b/testing/hosts/winnetou/etc/openssl/sales/salesCert.der Binary files differnew file mode 100644 index 000000000..529fd2d45 --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/sales/salesCert.der diff --git a/testing/hosts/winnetou/etc/openssl/sales/salesCert.pem b/testing/hosts/winnetou/etc/openssl/sales/salesCert.pem new file mode 100644 index 000000000..e50477872 --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/sales/salesCert.pem @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDuzCCAqOgAwIBAgIBDTANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA1MDMyMzA2MjkxNloXDTE0MDMyMTA2MjkxNlowSzELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsTBVNhbGVz +MREwDwYDVQQDEwhTYWxlcyBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC +ggEBAMJOTSaZjDe5UR+hJbodcE40WBxWm+r0FiD+FLc2c0hH/QcWm1Xfqnc9qaPP +GoxO2BfwXgFEHfOdQzHGuthhsvdMPkmWP1Z3uDrwscqrmLyq4JI87exSen1ggmCV +Eib55T4fNxrTIGJaoe6Jn9v9ZwG2B+Ur3nFA/wdckSdqJxc6XL9DKcRk3TxZtv9S +uDftE9G787O6PJSyfyUYhldz1EZe5PTsUoAbBJ0DDXJx3562kDtfQdwezat0LAyO +sVabYq/0G/fBZwLLer4qGF2+3CsvP7jNXnhRYeSv2+4i2mAjgbBRI1A3iqoU3Nq1 +vPAqzrekOI/RV9Hre9L1r8X1dIECAwEAAaOBrzCBrDAPBgNVHRMBAf8EBTADAQH/ +MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUX5sTRvkgcsgA1Yi1p0wul+oLkygwbQYD +VR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNI +MRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2Fu +IFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQEFBQADggEBAJ7j3X20Q8ICJ2e+iUCpVUIV +8RudUeHt9qjSXalohuxxhegL5vu7I9Gx0H56RE4glOjLMCb1xqVZ55Odxx14pHaZ +9iMnQFpgzi96exYAmBKYCHl4IFix2hrTqTWSJhEO+o+PXnQTgcfG43GQepk0qAQr +iZZy8OWiUhHSJQLJtTMm4rnYjgPn+sLwx7hCPDZpHTZocETDars7wTiVkodCbeEU +uKahAbq4b6MvvC3+7quvwoEpAEStT7+Yml+QuK/jKmhjX0hcQcw4ZWi+m32RjUAv +xDJGEvBqV2hyrzRqwh4lVNJEBba5X+QB3N6a0So6BENaJrUM3v8EDaS2KLUWyu0= +-----END CERTIFICATE----- diff --git a/testing/hosts/winnetou/etc/openssl/sales/salesKey.pem b/testing/hosts/winnetou/etc/openssl/sales/salesKey.pem new file mode 100644 index 000000000..96dab2928 --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/sales/salesKey.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEAwk5NJpmMN7lRH6Eluh1wTjRYHFab6vQWIP4UtzZzSEf9Bxab +Vd+qdz2po88ajE7YF/BeAUQd851DMca62GGy90w+SZY/Vne4OvCxyquYvKrgkjzt +7FJ6fWCCYJUSJvnlPh83GtMgYlqh7omf2/1nAbYH5SvecUD/B1yRJ2onFzpcv0Mp +xGTdPFm2/1K4N+0T0bvzs7o8lLJ/JRiGV3PURl7k9OxSgBsEnQMNcnHfnraQO19B +3B7Nq3QsDI6xVptir/Qb98FnAst6vioYXb7cKy8/uM1eeFFh5K/b7iLaYCOBsFEj +UDeKqhTc2rW88CrOt6Q4j9FX0et70vWvxfV0gQIDAQABAoIBACypguJUeP52Akea +6ukUyzOupHIfFkezQ0LiJDDYuzbqFScD80CR4MT3z35vpFKL7O/TuEfiOGA+zasr +WtdR3akqRUb02iot6pLhsHw9ZSY4wNXcW3PuoWkgPdelbD65QhA9bJUl4lO5MW97 +Atu2K28hQD9VDhRKNFSk2liM9d9IjGeO3Eg0FnN/gDiFRHN0A5vrjqnmkUWqeJzh +561pomDuNxyGK1NkgZ+Cc75e+KJYwLX4sSzPiyMJhTt+ERLBb1ngcXpjcRn9Kjq+ +1QCsFbeuk1F034GnMEf5b1flu6vrmpWC3wnNQLRLuYommQ1O+uQtl9be2a+olCTd +jD8aAuECgYEA5SnJtLNPQPTj6LzIE9EGZzp78OOzJaHDNfungGAAnv8xV55ap8g1 +3KORa+QKwpCa2MgV9UKtsuql1OjfslYjFARaOp24Qh7z+GFfzsWX4V7C4zlYbGfj +Fe905/5sNeZnZwgiwKK0kQpZ/dyS1RI1koXphVBAb+sLh9gRdm3Qw/sCgYEA2Q+B +Rv6WpymV09Vp7c3yHDWmVwLJCoFZoWgSuu6XPUF1MuH3omYN211M3lA526OiH1ce +wqY1jtA5vSe0w7ZVMhBYkNG6GI/aKBdMzpCoBtWYW/QZ+fl6F36DkEKPBPloPxLP +0hR9xCsBvU/6VlSlBPGNFmsX5eNNMeHY68WdhLMCgYBlNynByBjPJdqr5wWvyvi7 +C1fGs6tiiaoA49+9kal0kF4oxuZfiMxRYWVPc+9UtC3QZb9dDlBN39nSyfBTgjwI +EUwQ66yAd89l+wwn9Zn5jrMhTSjC6Leh7puCBBujStqM5UkEMFj0XtAUkiHAPkSv +LLpRiXqMdBIps8MyvZohlQKBgEPB7U8mJg0klBq+YgTT5yIbNUOwIOXgnwQdossr +s5Zxmo45r73IMccqhtZXINiJahByd623iLx+D6gWfv0hK9Mm+x6p+Xe1YBpnu5g3 +29vWTWtW9czsrcoruhIMVOzuljYqPymLL/9OlYptLu5IGgNDDBHVeG5Q2EYcBEUF +OTi1AoGBAND42O8VS8tGsoR7QLeEwxjT8hCvSXYoTWcCVzbKjsPdGBkX2LiKwEr1 +B5pOfvNfFEgSmRm4LU5R/pG7seFQzlaAZCAavv2NUfC9F+5hwx95VHKXjZF+yE4m +J6e8kb0p2zcyCZCC/61kztGk7FqH9sb/6E+6CDMP+1QYxytrkYYR +-----END RSA PRIVATE KEY----- diff --git a/testing/hosts/winnetou/etc/openssl/sales/serial b/testing/hosts/winnetou/etc/openssl/sales/serial new file mode 100644 index 000000000..75016ea36 --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/sales/serial @@ -0,0 +1 @@ +03 diff --git a/testing/hosts/winnetou/etc/openssl/sales/serial.old b/testing/hosts/winnetou/etc/openssl/sales/serial.old new file mode 100644 index 000000000..9e22bcb8e --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/sales/serial.old @@ -0,0 +1 @@ +02 diff --git a/testing/hosts/winnetou/etc/openssl/serial b/testing/hosts/winnetou/etc/openssl/serial new file mode 100644 index 000000000..f599e28b8 --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/serial @@ -0,0 +1 @@ +10 diff --git a/testing/hosts/winnetou/etc/openssl/serial.old b/testing/hosts/winnetou/etc/openssl/serial.old new file mode 100644 index 000000000..0ced2f35e --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/serial.old @@ -0,0 +1 @@ +0F diff --git a/testing/hosts/winnetou/etc/openssl/start-ocsp b/testing/hosts/winnetou/etc/openssl/start-ocsp new file mode 100755 index 000000000..bdc5dab38 --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/start-ocsp @@ -0,0 +1,20 @@ +#! /bin/sh +# start an OpenSSL-based OCSP server +# +# Copyright (C) 2004 Andreas Steffen +# Zuercher Hochschule Winterthur +# +# This program is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 2 of the License, or (at your +# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +# for more details. +# +# RCSID $Id: start-ocsp,v 1.3 2005/01/01 18:12:14 as Exp $ + +cd /etc/openssl +openssl ocsp -index index.txt -CA strongswanCert.pem -port 8880 -rkey ocspKey.pem -rsigner ocspCert.pem -nmin 5 < /dev/null > /dev/null 2>&1 & diff --git a/testing/hosts/winnetou/etc/openssl/strongswanCert.der b/testing/hosts/winnetou/etc/openssl/strongswanCert.der Binary files differnew file mode 100644 index 000000000..c11cf21da --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/strongswanCert.der diff --git a/testing/hosts/winnetou/etc/openssl/strongswanCert.pem b/testing/hosts/winnetou/etc/openssl/strongswanCert.pem new file mode 100644 index 000000000..0de3b268d --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/strongswanCert.pem @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDtTCCAp2gAwIBAgIBADANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA0MDkxMDExMDE0NVoXDTE0MDkwODExMDE0NVowRTELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9u +Z1N3YW4gUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL/y +X2LqPVZuWLPIeknK86xhz6ljd3NNhC2z+P1uoCP3sBMuZiZQEjFzhnKcbXxCeo2f +FnvhOOjrrisSuVkzuu82oxXD3fIkzuS7m9V4E10EZzgmKWIf+WuNRfbgAuUINmLc +4YGAXBQLPyzpP4Ou48hhz/YQo58Bics6PHy5v34qCVROIXDvqhj91P8g+pS+F21/ +7P+CH2jRcVIEHZtG8M/PweTPQ95dPzpYd2Ov6SZ/U7EWmbMmT8VcUYn1aChxFmy5 +gweVBWlkH6MP+1DeE0/tL5c87xo5KCeGK8Tdqpe7sBRC4pPEEHDQciTUvkeuJ1Pr +K+1LwdqRxo7HgMRiDw8CAwEAAaOBrzCBrDAPBgNVHRMBAf8EBTADAQH/MAsGA1Ud +DwQEAwIBBjAdBgNVHQ4EFgQUXafdcAZRMn7ntm2zteXgYOouTe8wbQYDVR0jBGYw +ZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYD +VQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3Qg +Q0GCAQAwDQYJKoZIhvcNAQEEBQADggEBAJrXTj5gWS37myHHhii9drYwkMFyDHS/ +lHU8rW/drcnHdus507+qUhNr9SiEAHg4Ywj895UDvT0a1sFaw44QyEa/94iKA8/n ++g5kS1IrKvWu3wu8UI3EgzChgHV3cncQlQWbK+FI9Y3Ax1O1np1r+wLptoWpKKKE +UxsYcxP9K4Nbyeon0AIHOajUheiL3t6aRc3m0o7VU7Do6S2r+He+1Zq/nRUfFeTy +0Atebkn8tmUpPSKWaXkmwpVNrjZ1Qu9umAU+dtJyhzL2zmnyhPC4VqpsKCOp7imy +gKZvUIKPm1zyf4T+yjwxwkiX2xVseoM3aKswb1EoZFelHwndU7u0GQ8= +-----END CERTIFICATE----- diff --git a/testing/hosts/winnetou/etc/openssl/strongswanKey.pem b/testing/hosts/winnetou/etc/openssl/strongswanKey.pem new file mode 100644 index 000000000..24de3a820 --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/strongswanKey.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAv/JfYuo9Vm5Ys8h6ScrzrGHPqWN3c02ELbP4/W6gI/ewEy5m +JlASMXOGcpxtfEJ6jZ8We+E46OuuKxK5WTO67zajFcPd8iTO5Lub1XgTXQRnOCYp +Yh/5a41F9uAC5Qg2YtzhgYBcFAs/LOk/g67jyGHP9hCjnwGJyzo8fLm/fioJVE4h +cO+qGP3U/yD6lL4XbX/s/4IfaNFxUgQdm0bwz8/B5M9D3l0/Olh3Y6/pJn9TsRaZ +syZPxVxRifVoKHEWbLmDB5UFaWQfow/7UN4TT+0vlzzvGjkoJ4YrxN2ql7uwFELi +k8QQcNByJNS+R64nU+sr7UvB2pHGjseAxGIPDwIDAQABAoIBAFaigsMWjpDQRWD/ +/5IG9Gy9yQjfSC7Wse4e6ScaI1WYmfROYPSx90QyrGBWkmQfbUk2oONRCGq41WfD +j7zfSGRn+Lv+J9L/IhLDStbS14qITj5dmxga7mzI2udOvH+7cTC2GWJmGSlC2kTf +EjfRXCY5X6/kWrWN8C+2HU7+V5wNfMqFhhMnG3VTgPBRWeQ8oTgYdZ4jYolOt9/t +DhXtw/eEvfDb1Rg8BYB4wgm5PbOshh4L6nFEnemHDZltx1H5ZtAKTrds2ZYdGIM/ +3V1b7/a+aKltoA2ctsp/U6aTDHdql4VPop01MHZHZZ0bAAw9a2QirBvpjjwiDIgd +4K0EpYECgYEA6JHP9kV3KDMbU+H5rbAcp/I81MrpZ79Pvx2zO+p6Nrieqpgxgy1U +PjE2td3RAWiJflrz7p7Kez/Y01BWIzQXjZQ1oRTYYByVqW9O1SjyGb3TIgO4pXqb +0yr2y+yl8c6tD7RUYVrlNhBsln8vxZ1BVssM8iFuOXdIQTN3m8HY/HECgYEA00jc +Hd7isVsBpBRgFuAS5o+jNsAq50GA2uRo2r2/hWQSeeCgm+0553u7gd+kMrd3q37l +1xp1qYrEaMrZmBvpb0kDkIL+aT8trE6dYiNpAOvPoSd0SADH1uFMIK9YVxtRT1W6 +BklQ1epYDd+W8Or5kxMCtgSW/1IUYGaKxdz/g38CgYEAymGIvN/6Lws6LqaopRJp +/WP4t5vTvKpodQEdZXhH3bKOsBk8jNA3TN96ooxiQn17mG8BcpbP0KzgvBJewsej +71oXyRLgr9JwEj+ANFIrS2c6gZEHb0jgrMPoe9B1H5UgWFguTYHRkFh+hgArzCVq +JGMR4upghrVcNRDadrobXqECgYEAndKc6YsmFoj+TswRgsTaGXNN3YXqBlg9okRf +tpVqTH+V9Yg/MHoheLJKPBcMFf5J28asdOME5SIM2KI9q4ud8Uy+5uGSnJdezIjk +svv0YYXD0IMiLu62V+Ju9TNFb7uuHu7QSAXX5hJot+Q+YbODvcLDkacYC5wKMIAo +ROhxzI0CgYAQlsrMUOJoVQ93pMBMxy4e2/m4vkchCvk9LIdnGlZt60ee6yDGasYq +Qya5/bwekHXc6XRv+98EtBJ8My6rh6FWZutM3vUUtibWcNFVe/Fj6es+Tvv2M/DT +fL6Ui9cY9l/CH0DyoDbOuI1ysF5+L7hxH6HoGERTazY6P8fHQgooaA== +-----END RSA PRIVATE KEY----- diff --git a/testing/hosts/winnetou/etc/runlevels/default/apache2 b/testing/hosts/winnetou/etc/runlevels/default/apache2 new file mode 100755 index 000000000..f54f3444a --- /dev/null +++ b/testing/hosts/winnetou/etc/runlevels/default/apache2 @@ -0,0 +1,78 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +opts="${opts} reload" + +[ "x${SERVERROOT}" != "x" ] && APACHE2_OPTS="${APACHE2_OPTS} -d ${SERVERROOT}" +[ "x${CONFIGFILE}" != "x" ] && APACHE2_OPTS="${APACHE2_OPTS} -f ${CONFIGFILE}" +[ "x${STARTUPERRORLOG}" != "x" ] && APACHE2_OPTS="${APACHE2_OPTS} -E ${STARTUPERRORLOG}" +# set a default for PIDFILE/RESTARTSTYLE for those that FAILED to follow +# instructiosn and update the conf.d/apache2 file. +# (bug #38787) +[ -z "${PIDFILE}" ] && PIDFILE=/var/run/apache2.pid +[ -z "${RESTARTSTYLE}" ] && RESTARTSTYLE="graceful" + +checkconfig() { + local myconf="/etc/apache2/conf/apache2.conf" + if [ "x${CONFIGFILE}" != "x" ]; then + if [ ${CONFIGFILE:0:1} = "/" ]; then + myconf="${CONFIGFILE}" + else + myconf="${SERVERROOT:-/usr/lib/apache2}/${CONFIGFILE}" + fi + fi + if [ ! -r "${myconf}" ]; then + eerror "Unable to read configuration file: ${myconf}" + return 1 + fi + if [ -z "${PIDFILE}" ]; then + eerror "\$PIDFILE is not set!" + eerror "Did you etc-update /etc/conf.d/apache2?" + return 1 + fi + if [ -z "${RESTARTSTYLE}" ]; then + eerror "\$RESTARTSTYLE is not set!" + eerror "Did you etc-update /etc/conf.d/apache2?" + return 1 + fi + /usr/sbin/apache2 -t ${APACHE2_OPTS} 1>/dev/null 2>&1 + ret=$? + if [ $ret -ne 0 ]; then + eerror "Apache2 has detected a syntax error in your configuration files:" + /usr/sbin/apache2 -t ${APACHE2_OPTS} + fi + return $ret +} + +depend() { + need net + use mysql dns logger netmount postgres + after sshd +} + +start() { + checkconfig || return 1 + ebegin "Starting apache2" + [ -f /var/log/apache2/ssl_scache ] && rm /var/log/apache2/ssl_scache + [ -f /usr/lib/apache2/build/envvars ] && . /usr/lib/apache2/build/envvars + env -i PATH=$PATH /sbin/start-stop-daemon --quiet \ + --start --startas /usr/sbin/apache2 \ + --pidfile ${PIDFILE} -- -k start ${APACHE2_OPTS} + eend $? +} + +stop() { + ebegin "Stopping apache2" + /usr/sbin/apache2ctl stop >/dev/null + start-stop-daemon -o --quiet --stop --pidfile ${PIDFILE} + eend $? +} + +reload() { + # restarting apache2 is much easier than apache1. The server handles most of the work for us. + # see http://httpd.apache.org/docs-2.0/stopping.html for more details + ebegin "Restarting apache2" + /usr/sbin/apache2 ${APACHE2_OPTS} -k ${RESTARTSTYLE} + eend $? +} diff --git a/testing/hosts/winnetou/etc/runlevels/default/net.eth0 b/testing/hosts/winnetou/etc/runlevels/default/net.eth0 new file mode 100755 index 000000000..fa1200242 --- /dev/null +++ b/testing/hosts/winnetou/etc/runlevels/default/net.eth0 @@ -0,0 +1,314 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Technologies, Inc. +# Distributed under the terms of the GNU General Public License v2 + +#NB: Config is in /etc/conf.d/net + +if [[ -n $NET_DEBUG ]]; then + set -x + devnull=/dev/stderr +else + devnull=/dev/null +fi + +# For pcmcia users. note that pcmcia must be added to the same +# runlevel as the net.* script that needs it. +depend() { + use hotplug pcmcia +} + +checkconfig() { + if [[ -z "${ifconfig_IFACE}" ]]; then + eerror "Please make sure that /etc/conf.d/net has \$ifconfig_$IFACE set" + eerror "(or \$iface_$IFACE for old-style configuration)" + return 1 + fi + if [[ -n "${vlans_IFACE}" && ! -x /sbin/vconfig ]]; then + eerror "For VLAN (802.1q) support, emerge net-misc/vconfig" + return 1 + fi +} + +# Fix bug 50039 (init.d/net.eth0 localization) +# Some other commands in this script might need to be wrapped, but +# we'll get them one-by-one. Note that LC_ALL trumps LC_anything_else +# according to locale(7) +ifconfig() { + LC_ALL=C /sbin/ifconfig "$@" +} + +# setup_vars: setup variables based on $1 and content of /etc/conf.d/net +# The following variables are set, which should be declared local by +# the calling routine. +# status_IFACE (up or '') +# vlans_IFACE (space-separated list) +# ifconfig_IFACE (array of ifconfig lines, replaces iface_IFACE) +# dhcpcd_IFACE (command-line args for dhcpcd) +# routes_IFACE (array of route lines) +# inet6_IFACE (array of inet6 lines) +# ifconfig_fallback_IFACE (fallback ifconfig if dhcp fails) +setup_vars() { + local i iface="${1//\./_}" + + status_IFACE="$(ifconfig ${1} 2>${devnull} | gawk '$1 == "UP" {print "up"}')" + eval vlans_IFACE=\"\$\{iface_${iface}_vlans\}\" + eval ifconfig_IFACE=( \"\$\{ifconfig_$iface\[@\]\}\" ) + eval dhcpcd_IFACE=\"\$\{dhcpcd_$iface\}\" + eval routes_IFACE=( \"\$\{routes_$iface\[@\]\}\" ) + eval inet6_IFACE=( \"\$\{inet6_$iface\[@\]\}\" ) + eval ifconfig_fallback_IFACE=( \"\$\{ifconfig_fallback_$iface\[@\]\}\" ) + + # BACKWARD COMPATIBILITY: populate the ifconfig_IFACE array + # if iface_IFACE is set (fex. iface_eth0 instead of ifconfig_eth0) + eval local iface_IFACE=\"\$\{iface_$iface\}\" + if [[ -n ${iface_IFACE} && -z ${ifconfig_IFACE} ]]; then + # Make sure these get evaluated as arrays + local -a aliases broadcasts netmasks + + # Start with the primary interface + ifconfig_IFACE=( "${iface_IFACE}" ) + + # ..then add aliases + eval aliases=( \$\{alias_$iface\} ) + eval broadcasts=( \$\{broadcast_$iface\} ) + eval netmasks=( \$\{netmask_$iface\} ) + for ((i = 0; i < ${#aliases[@]}; i = i + 1)); do + ifconfig_IFACE[i+1]="${aliases[i]} ${broadcasts[i]:+broadcast ${broadcasts[i]}} ${netmasks[i]:+netmask ${netmasks[i]}}" + done + fi + + # BACKWARD COMPATIBILITY: check for space-separated inet6 addresses + if [[ ${#inet6_IFACE[@]} == 1 && ${inet6_IFACE} == *' '* ]]; then + inet6_IFACE=( ${inet6_IFACE} ) + fi +} + +iface_start() { + local IFACE=${1} i x retval + checkconfig || return 1 + + if [[ ${ifconfig_IFACE} != dhcp ]]; then + # Show the address, but catch if this interface will be inet6 only + i=${ifconfig_IFACE%% *} + if [[ ${i} == *.*.*.* ]]; then + ebegin "Bringing ${IFACE} up (${i})" + else + ebegin "Bringing ${IFACE} up" + fi + # ifconfig does not always return failure .. + ifconfig ${IFACE} ${ifconfig_IFACE} >${devnull} && \ + ifconfig ${IFACE} up &>${devnull} + eend $? || return $? + else + # Check that eth0 was not brought up by the kernel ... + if [[ ${status_IFACE} == up ]]; then + einfo "Keeping kernel configuration for ${IFACE}" + else + ebegin "Bringing ${IFACE} up via DHCP" + /sbin/dhcpcd ${dhcpcd_IFACE} ${IFACE} + retval=$? + eend $retval + if [[ $retval == 0 ]]; then + # DHCP succeeded, show address retrieved + i=$(ifconfig ${IFACE} | grep -m1 -o 'inet addr:[^ ]*' | + cut -d: -f2) + [[ -n ${i} ]] && einfo " ${IFACE} received address ${i}" + elif [[ -n "${ifconfig_fallback_IFACE}" ]]; then + # DHCP failed, try fallback. + # Show the address, but catch if this interface will be inet6 only + i=${ifconfig_fallback_IFACE%% *} + if [[ ${i} == *.*.*.* ]]; then + ebegin "Using fallback configuration (${i}) for ${IFACE}" + else + ebegin "Using fallback configuration for ${IFACE}" + fi + ifconfig ${IFACE} ${ifconfig_fallback_IFACE} >${devnull} && \ + ifconfig ${IFACE} up &>${devnull} + eend $? || return $? + else + return $retval + fi + fi + fi + + if [[ ${#ifconfig_IFACE[@]} -gt 1 ]]; then + einfo " Adding aliases" + for ((i = 1; i < ${#ifconfig_IFACE[@]}; i = i + 1)); do + ebegin " ${IFACE}:${i} (${ifconfig_IFACE[i]%% *})" + ifconfig ${IFACE}:${i} ${ifconfig_IFACE[i]} + eend $? + done + fi + + if [[ -n ${inet6_IFACE} ]]; then + einfo " Adding inet6 addresses" + for ((i = 0; i < ${#inet6_IFACE[@]}; i = i + 1)); do + ebegin " ${IFACE} inet6 add ${inet6_IFACE[i]}" + ifconfig ${IFACE} inet6 add ${inet6_IFACE[i]} >${devnull} + eend $? + done + fi + + # Set static routes + if [[ -n ${routes_IFACE} ]]; then + einfo " Adding routes" + for ((i = 0; i < ${#routes_IFACE[@]}; i = i + 1)); do + ebegin " ${routes_IFACE[i]}" + /sbin/route add ${routes_IFACE[i]} + eend $? + done + fi + + # Set default route if applicable to this interface + if [[ ${gateway} == ${IFACE}/* ]]; then + local ogw=$(/bin/netstat -rn | awk '$1 == "0.0.0.0" {print $2}') + local gw=${gateway#*/} + if [[ ${ogw} != ${gw} ]]; then + ebegin " Setting default gateway ($gw)" + + # First delete any existing route if it was setup by kernel... + /sbin/route del default dev ${IFACE} &>${devnull} + + # Second delete old gateway if it was set... + /sbin/route del default gw ${ogw} &>${devnull} + + # Third add our new default gateway + /sbin/route add default gw ${gw} >${devnull} + eend $? || { + true # need to have some command in here + # Note: This originally called stop, which is obviously + # wrong since it's calling with a local version of IFACE. + # The below code works correctly to abort configuration of + # the interface, but is commented because we're assuming + # that default route failure should not cause the interface + # to be unconfigured. + #local error=$? + #ewarn "Aborting configuration of ${IFACE}" + #iface_stop ${IFACE} + #return ${error} + } + fi + fi + + # Enabling rp_filter causes wacky packets to be auto-dropped by + # the kernel. Note that we only do this if it is not set via + # /etc/sysctl.conf ... + if [[ -e /proc/sys/net/ipv4/conf/${IFACE}/rp_filter && \ + -z "$(grep -s '^[^#]*rp_filter' /etc/sysctl.conf)" ]]; then + echo -n 1 > /proc/sys/net/ipv4/conf/${IFACE}/rp_filter + fi +} + +# iface_stop: bring down an interface. Don't trust information in +# /etc/conf.d/net since the configuration might have changed since +# iface_start ran. Instead query for current configuration and bring +# down the interface. +iface_stop() { + local IFACE=${1} i x aliases inet6 count + + # Try to do a simple down (no aliases, no inet6, no dhcp) + aliases="$(ifconfig | grep -o "^$IFACE:[0-9]*" | tac)" + inet6="$(ifconfig ${IFACE} | awk '$1 == "inet6" {print $2}')" + if [[ -z ${aliases} && -z ${inet6} && ! -e /var/run/dhcpcd-${IFACE}.pid ]]; then + ebegin "Bringing ${IFACE} down" + ifconfig ${IFACE} down &>/dev/null + eend 0 + return 0 + fi + + einfo "Bringing ${IFACE} down" + + # Stop aliases before primary interface. + # Note this must be done in reverse order, since ifconfig eth0:1 + # will remove eth0:2, etc. It might be sufficient to simply remove + # the base interface but we're being safe here. + for i in ${aliases} ${IFACE}; do + + # Delete all the inet6 addresses for this interface + inet6="$(ifconfig ${i} | awk '$1 == "inet6" {print $3}')" + if [[ -n ${inet6} ]]; then + einfo " Removing inet6 addresses" + for x in ${inet6}; do + ebegin " ${IFACE} inet6 del ${x}" + ifconfig ${i} inet6 del ${x} + eend $? + done + fi + + # Stop DHCP (should be N/A for aliases) + # Don't trust current configuration... investigate ourselves + if /sbin/dhcpcd -z ${i} &>${devnull}; then + ebegin " Releasing DHCP lease for ${IFACE}" + for ((count = 0; count < 9; count = count + 1)); do + /sbin/dhcpcd -z ${i} &>${devnull} || break + sleep 1 + done + [[ ${count} -lt 9 ]] + eend $? "Timed out" + fi + ebegin " Stopping ${i}" + ifconfig ${i} down &>${devnull} + eend 0 + done + + return 0 +} + +start() { + # These variables are set by setup_vars + local status_IFACE vlans_IFACE dhcpcd_IFACE + local -a ifconfig_IFACE routes_IFACE inet6_IFACE + + # Call user-defined preup function if it exists + if [[ $(type -t preup) == function ]]; then + einfo "Running preup function" + preup ${IFACE} || { + eerror "preup ${IFACE} failed" + return 1 + } + fi + + # Start the primary interface and aliases + setup_vars ${IFACE} + iface_start ${IFACE} || return 1 + + # Start vlans + local vlan + for vlan in ${vlans_IFACE}; do + /sbin/vconfig add ${IFACE} ${vlan} >${devnull} + setup_vars ${IFACE}.${vlan} + iface_start ${IFACE}.${vlan} + done + + # Call user-defined postup function if it exists + if [[ $(type -t postup) == function ]]; then + einfo "Running postup function" + postup ${IFACE} + fi +} + +stop() { + # Call user-defined predown function if it exists + if [[ $(type -t predown) == function ]]; then + einfo "Running predown function" + predown ${IFACE} + fi + + # Don't depend on setup_vars since configuration might have changed. + # Investigate current configuration instead. + local vlan + for vlan in $(ifconfig | grep -o "^${IFACE}\.[^ ]*"); do + iface_stop ${vlan} + /sbin/vconfig rem ${vlan} >${devnull} + done + + iface_stop ${IFACE} || return 1 # always succeeds, btw + + # Call user-defined postdown function if it exists + if [[ $(type -t postdown) == function ]]; then + einfo "Running postdown function" + postdown ${IFACE} + fi +} + +# vim:ts=4 diff --git a/testing/images/a-m-c-w-d.png b/testing/images/a-m-c-w-d.png Binary files differnew file mode 100755 index 000000000..f0d758021 --- /dev/null +++ b/testing/images/a-m-c-w-d.png diff --git a/testing/images/a-m-c-w.png b/testing/images/a-m-c-w.png Binary files differnew file mode 100755 index 000000000..0e8ec3a74 --- /dev/null +++ b/testing/images/a-m-c-w.png diff --git a/testing/images/a-m-c.png b/testing/images/a-m-c.png Binary files differnew file mode 100644 index 000000000..538929225 --- /dev/null +++ b/testing/images/a-m-c.png diff --git a/testing/images/a-m-w-s-b.png b/testing/images/a-m-w-s-b.png Binary files differnew file mode 100755 index 000000000..e31fe5e9b --- /dev/null +++ b/testing/images/a-m-w-s-b.png diff --git a/testing/images/a-v-m-c-w-d.png b/testing/images/a-v-m-c-w-d.png Binary files differnew file mode 100755 index 000000000..1096af264 --- /dev/null +++ b/testing/images/a-v-m-c-w-d.png diff --git a/testing/images/a-v-m-w-s-b.png b/testing/images/a-v-m-w-s-b.png Binary files differnew file mode 100755 index 000000000..53eafba3b --- /dev/null +++ b/testing/images/a-v-m-w-s-b.png diff --git a/testing/images/m-c-w.png b/testing/images/m-c-w.png Binary files differnew file mode 100755 index 000000000..066a8f8c6 --- /dev/null +++ b/testing/images/m-c-w.png diff --git a/testing/images/m-w-s.png b/testing/images/m-w-s.png Binary files differnew file mode 100755 index 000000000..5f1aee2aa --- /dev/null +++ b/testing/images/m-w-s.png diff --git a/testing/images/umlArchitecture_large.png b/testing/images/umlArchitecture_large.png Binary files differnew file mode 100644 index 000000000..4588603e6 --- /dev/null +++ b/testing/images/umlArchitecture_large.png diff --git a/testing/images/umlArchitecture_small.png b/testing/images/umlArchitecture_small.png Binary files differnew file mode 100644 index 000000000..2328f7554 --- /dev/null +++ b/testing/images/umlArchitecture_small.png diff --git a/testing/make-testing b/testing/make-testing new file mode 100755 index 000000000..cf77a86d9 --- /dev/null +++ b/testing/make-testing @@ -0,0 +1,89 @@ +#!/bin/bash +# Create the strongSwan UML testing environment +# +# Copyright (C) 2004 Eric Marchionni, Patrik Rayo +# Zuercher Hochschule Winterthur +# +# This program is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 2 of the License, or (at your +# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +# for more details. +# +# RCSID $Id: make-testing,v 1.4 2005/02/14 15:27:42 as Exp $ + +DIR=`dirname $0` + +source $DIR/scripts/function.sh + +[ -f $DIR/testing.conf ] || die "!! Configuration file 'testing.conf' not found." + +source $DIR/testing.conf + +if [ "$#" -eq 0 ] +then + HOSTS=$STRONGSWANHOSTS +else + HOSTS=$* +fi + +########################################################################## +# build the UML kernel based on a vanilla kernel form kernel.org +# and a matching UML patch from user-mode-linux.sourceforge.net +# +if [ $ENABLE_BUILD_UMLKERNEL = "yes" ] +then + cecho "Building uml kernel (scripts/build-umlkernel)" + $DIR/scripts/build-umlkernel +fi + +########################################################################## +# Adding the ssh RSA public keys to ~/.ssh/known_hosts +# +if [ $ENABLE_BUILD_SSHKEYS = "yes" ] +then + cecho "Adding ssh public keys of the uml instances (scripts/build-sshkeys)" + $DIR/scripts/build-sshkeys +fi + +########################################################################## +# copy the default UML host configurations to $BUILDDIR +# and assign actual IP addresses to the UML hosts +# +if [ $ENABLE_BUILD_HOSTCONFIG = "yes" ] +then + cecho "Building host configurations (scripts/build-hostconfig)" + $DIR/scripts/build-hostconfig +fi + +########################################################################## +# build a generic UML root file system based on a Gentoo root file system. +# compile and install a specified strongSwan release into the file system. +# +if [ $ENABLE_BUILD_UMLROOTFS = "yes" ] +then + cecho "Building uml root file system with strongSwan (scripts/build-umlrootfs)" + $DIR/scripts/build-umlrootfs +fi + +########################################################################## +# Creating the root filesystems for the specified UML instances +# +if [ $ENABLE_BUILD_UMLHOSTFS = "yes" ] +then + cecho "Building uml host root file systems (scripts/build-umlhostfs)" + $DIR/scripts/build-umlhostfs $HOSTS +fi + +########################################################################## +# Start up the UML switches and designated UML instances +# +if [ $ENABLE_START_TESTING = "yes" ] +then + cecho "Starting the uml switches and instances (start-testing)" + $DIR/start-testing $HOSTS +fi diff --git a/testing/scripts/build-hostconfig b/testing/scripts/build-hostconfig new file mode 100755 index 000000000..0df8861c8 --- /dev/null +++ b/testing/scripts/build-hostconfig @@ -0,0 +1,103 @@ +#!/bin/bash +# build the hosts configuration directory with the actual IP addresses +# +# Copyright (C) 2004 Eric Marchionni, Patrik Rayo +# Zuercher Hochschule Winterthur +# +# This program is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 2 of the License, or (at your +# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +# for more details. +# +# RCSID $Id: build-hostconfig,v 1.3 2005/02/08 10:40:48 as Exp $ + +DIR=`dirname $0` + +source $DIR/function.sh + +[ -f $DIR/../testing.conf ] || die "!! Configuration file 'testing.conf' not found" +[ -d $DIR/../hosts ] || die "!! Directory 'hosts' not found" + +source $DIR/../testing.conf + +if [ ! -d $BUILDDIR ] +then + cecho " * Creating directory '$BUILDDIR'" + mkdir $BUILDDIR +fi + +######################################## +# copy default host configs to $BUILDDIR +# + +HOSTCONFIGDIR=${BUILDDIR}/hosts + +if [ -d $HOSTCONFIGDIR ] +then + rm -r $HOSTCONFIGDIR +fi + +mkdir $HOSTCONFIGDIR +cp -rfp ${UMLTESTDIR}/testing/hosts $BUILDDIR + +cecho " * Copied default host config directory to '$HOSTCONFIGDIR'" + +######################################## +# assign IP for each host to hostname +# + +cecho-n " * Generate default config for.." + +HOSTIP=`ifconfig eth0 |grep inet |sed -e "s/.*inet addr://" -e "s/ Bcast.*//"` + +for host in $STRONGSWANHOSTS +do + cecho-n "${host}.." + eval ip_${host}="`echo $HOSTNAMEIPS | sed -n -e "s/^.*${host}://gp" | awk -F : '{ print $1 }' | awk '{ print $1 }'`" + + [ "`eval echo \\\$ip_${host}`" != "$HOSTIP" ] || die "$host has the same IP as eth0 (Host)! Please change that." + + case $host in + moon) + eval ip1_${host}="`echo $HOSTNAMEIPS | sed -n -e "s/^.*${host}://gp" | awk -F : '{ print $2 }' | awk '{ print $1 }'`" + [ "`eval echo \\\$ip1_${host}`" != "$HOSTIP" ] || die "eth1 of $host has the same IP as eth0 (Host)! Please change that." + searchandreplace PH_IP_MOON $ip_moon $HOSTCONFIGDIR + searchandreplace PH_IP1_MOON $ip1_moon $HOSTCONFIGDIR + ;; + sun) + eval ip1_${host}="`echo $HOSTNAMEIPS | sed -n -e "s/^.*${host}://gp" | awk -F : '{ print $2 }' | awk '{ print $1 }'`" + [ "`eval echo \\\$ip1_${host}`" != "$HOSTIP" ] || die "eth1 of $host has the same IP as eth0 (Host)! Please change that." + searchandreplace PH_IP_SUN $ip_sun $HOSTCONFIGDIR + searchandreplace PH_IP1_SUN $ip1_sun $HOSTCONFIGDIR + ;; + alice) + searchandreplace PH_IP_ALICE $ip_alice $HOSTCONFIGDIR + ;; + venus) + searchandreplace PH_IP_VENUS $ip_venus $HOSTCONFIGDIR + ;; + bob) + searchandreplace PH_IP_BOB $ip_bob $HOSTCONFIGDIR + ;; + carol) + eval ip1_${host}="`echo $HOSTNAMEIPS | sed -n -e "s/^.*${host}://gp" | awk -F : '{ print $2 }' | awk '{ print $1 }'`" + searchandreplace PH_IP_CAROL $ip_carol $HOSTCONFIGDIR + searchandreplace PH_IP1_CAROL $ip1_carol $HOSTCONFIGDIR + ;; + dave) + eval ip1_${host}="`echo $HOSTNAMEIPS | sed -n -e "s/^.*${host}://gp" | awk -F : '{ print $2 }' | awk '{ print $1 }'`" + searchandreplace PH_IP_DAVE $ip_dave $HOSTCONFIGDIR + searchandreplace PH_IP1_DAVE $ip1_dave $HOSTCONFIGDIR + ;; + winnetou) + searchandreplace PH_IP_WINNETOU $ip_winnetou $HOSTCONFIGDIR + ;; + esac +done + +cecho "done" diff --git a/testing/scripts/build-sshkeys b/testing/scripts/build-sshkeys new file mode 100755 index 000000000..f4d584d6b --- /dev/null +++ b/testing/scripts/build-sshkeys @@ -0,0 +1,88 @@ +#!/bin/bash +# build the hosts configuration directory with the actual IP addresses +# +# Copyright (C) 2004 Eric Marchionni, Patrik Rayo +# Zuercher Hochschule Winterthur +# +# This program is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 2 of the License, or (at your +# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +# for more details. +# +# RCSID $Id: build-sshkeys,v 1.2 2005/02/15 14:12:16 as Exp $ + +DIR=`dirname $0` + +source $DIR/function.sh + +[ -f $DIR/../testing.conf ] || die "!! Configuration file 'testing.conf' not found" +[ -d $DIR/../hosts ] || die "!! Directory 'hosts' not found" + +source $DIR/../testing.conf + +if [ ! -d $BUILDDIR ] +then + cecho " * Creating directory '$BUILDDIR'" + mkdir $BUILDDIR +fi + +LOGFILE=${BUILDDIR}/testing.log + +if [ ! -f $LOGFILE ] +then + cecho-n " * Logfile '$LOGFILE' does not exist..creating.." + touch $LOGFILE + cecho "done" +fi + +if [ ! -d ~/.ssh ] +then + cecho-n " * Creating directory '~/.ssh'.." + mkdir ~/.ssh + cecho "done" +fi + +if [ -f ~/.ssh/known_hosts ] +then + cecho-n " * Backing up ~/.ssh/known_hosts to '~/.ssh/known_hosts.before_uml'.." + cp -fp ~/.ssh/known_hosts ~/.ssh/known_hosts.before_uml + cecho "done" +else + cecho-n " * Creating '~/.ssh/known_hosts'" + touch ~/.ssh/known_hosts + cecho "done" +fi + +for host in $HOSTNAMEIPS +do + HOSTNAME=`echo $host | awk -F : '{ print $1 }'` + IP=`echo $host | awk -F : '{ print $2 }'` + if [ `grep "$IP " ~/.ssh/known_hosts | wc -l` != "0" ] + then + cecho "!! Warning: An entry exists for the following IP address: $IP" + else + cecho-n " * Adding uml host $HOSTNAME ($IP) to '~/.ssh/known_hosts'.." + echo "$HOSTNAME,$IP `cat $DIR/../hosts/ssh_host_rsa_key.pub`" >> ~/.ssh/known_hosts + cecho "done" + fi +done + +##################################### +# preparing ssh for PK authentication +# + +cecho-n " * Checking for ssh rsa key '~/.ssh/id_rsa.pub'.." +if [ -f ~/.ssh/id_rsa.pub ] +then + cecho "already exists" +else + cecho "not found" + cecho-n " * Generating ssh rsa key pair.." + echo "" | ssh-keygen -N "" -t rsa -f ~/.ssh/id_rsa >> $LOGFILE 2>&1 + cecho "done" +fi diff --git a/testing/scripts/build-umlhostfs b/testing/scripts/build-umlhostfs new file mode 100755 index 000000000..e77bfc025 --- /dev/null +++ b/testing/scripts/build-umlhostfs @@ -0,0 +1,78 @@ +#!/bin/bash +# create UML host file systems +# +# Copyright (C) 2004 Eric Marchionni, Patrik Rayo +# Zuercher Hochschule Winterthur +# +# This program is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 2 of the License, or (at your +# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +# for more details. +# +# RCSID $Id: build-umlhostfs,v 1.3 2006/03/30 21:20:27 as Exp $ + +DIR=`dirname $0` + +source $DIR/function.sh + +[ -f $DIR/../testing.conf ] || die "!! Configuration file 'testing.conf' not found." + +source $DIR/../testing.conf + +cd $BUILDDIR/root-fs + +[ -f gentoo-fs ] || die "!! Root file system 'gentoo-fs' not found." + +if [ ! -d $BUILDDIR ] +then + cecho-n " * Directory '$BUILDDIR' does not exist..creating.." + mkdir $BUILDDIR + cecho "done" +fi + +LOGFILE=${BUILDDIR}/testing.log + +if [ ! -f $LOGFILE ] +then + cecho-n " * Logfile '$LOGFILE' does not exist..creating.." + touch $LOGFILE + cecho "done" +fi + +LOOPDIR=loop + +if [ ! -d $LOOPDIR ] +then + mkdir $LOOPDIR +fi + +cecho-n " * Creating root filesystem for.." + +if [ "$#" -eq 0 ] +then + HOSTS=$STRONGSWANHOSTS +else + HOSTS=$* +fi + +for host in $HOSTS +do + cecho-n "$host.." + cp gentoo-fs gentoo-fs-$host + mount -o loop gentoo-fs-$host $LOOPDIR + cp -rfp $BUILDDIR/hosts/${host}/etc $LOOPDIR + if [ "$host" = "winnetou" ] + then + cp -rfp $UMLTESTDIR/testing/images $LOOPDIR/var/www/localhost/htdocs + chroot $LOOPDIR /etc/openssl/generate-crl >> $LOGFILE 2>&1 + fi + chroot $LOOPDIR /etc/init.d/depscan.sh --update >> $LOGFILE 2>&1 + umount $LOOPDIR +done + +cecho "done" diff --git a/testing/scripts/build-umlkernel b/testing/scripts/build-umlkernel new file mode 100755 index 000000000..074d7847a --- /dev/null +++ b/testing/scripts/build-umlkernel @@ -0,0 +1,134 @@ +#!/bin/bash +# build an UML kernel based on a vanilla kernel and UML patch +# +# Copyright (C) 2004 Eric Marchionni, Patrik Rayo +# Zuercher Hochschule Winterthur +# +# This program is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 2 of the License, or (at your +# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +# for more details. +# +# RCSID $Id: build-umlkernel,v 1.2 2005/01/09 21:54:25 as Exp $ + +DIR=`dirname $0` + +source $DIR/function.sh + +[ -f $DIR/../testing.conf ] || die "configuration file 'testing.conf' not found" + +source $DIR/../testing.conf + +cecho-n " * Looking for kernel at '$KERNEL'.." +if [ -f "${KERNEL}" ] +then + cecho "found it" + KERNELVERSION=`basename $KERNEL .tar.bz2 | sed -e 's/linux-//'` + cecho " * Kernel version is $KERNELVERSION" +else + cecho "none" + exit +fi + +if [ ${UMLPATCH} ] +then + cecho-n " * Looking for uml patch at '$UMLPATCH'.." + if [ -f "${UMLPATCH}" ] + then + cecho "found it" + else + cecho "none" + exit + fi +fi + +cecho-n " * Looking for kernel config at '$KERNELCONFIG'.." +if [ -f "${KERNEL}" ] +then + cecho "found it" +else + cecho "none" + exit +fi + +####################################################### +# unpack kernel and create symlink +# + +if [ ! -d $BUILDDIR ] +then + cecho " * Creating directory '$BUILDDIR'" + mkdir $BUILDDIR +fi + +cecho " * Changing to directory '$BUILDDIR'" +cd $BUILDDIR + +LOGFILE=${BUILDDIR}/testing.log + +if [ ! -f $LOGFILE ] +then + cecho-n " * Logfile '$LOGFILE' does not exist..creating.." + touch $LOGFILE + cecho "done" +fi + +cecho-n " * Unpacking kernel.." +tar xjf $KERNEL >> $LOGFILE 2>&1 +cecho "done" + +KERNELDIR=${BUILDDIR}/linux-${KERNELVERSION} + +if [ -d $KERNELDIR ] +then + cecho " * Kernel directory is '$KERNELDIR'" + cecho " * Creating symlink 'linux'" + if [ -d linux ] + then + rm linux + fi + ln -s linux-${KERNELVERSION} linux +else + cecho "!! Kernel directory '$KERNELDIR' can not be found" + exit +fi + +####################################################### +# patch kernel +# + +cecho " * Changing to directory '$KERNELDIR'" +cd $KERNELDIR + +if [ $UMLPATCH ] +then + cecho-n " * Applying uml patch.." + bzcat $UMLPATCH | patch -p1 >> $LOGFILE 2>&1 + cecho "done" +fi + +####################################################### +# copy our default .config to linux and build kernel +# + +cp $KERNELCONFIG .config + +cecho "!!" +cecho "!! Making .config for kernel. You might be prompted for new parameters!" +cecho "!!" +make oldconfig ARCH=um >> $LOGFILE 2>&1 + +cecho-n " * Now compiling uml kernel.." +make linux ARCH=um >> $LOGFILE 2>&1 +cecho "done" + +cecho-n " * Copying uml kernel to '${BUILDDIR}/linux-uml-${KERNELVERSION}'.." +mv linux ${BUILDDIR}/linux-uml-${KERNELVERSION} +cecho "done" + + diff --git a/testing/scripts/build-umlrootfs b/testing/scripts/build-umlrootfs new file mode 100755 index 000000000..ba103838f --- /dev/null +++ b/testing/scripts/build-umlrootfs @@ -0,0 +1,174 @@ +#!/bin/bash +# Create UML root filesystem +# +# Copyright (C) 2004 Eric Marchionni, Patrik Rayo +# Zuercher Hochschule Winterthur +# +# This program is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 2 of the License, or (at your +# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +# for more details. +# +# RCSID $Id: build-umlrootfs,v 1.11 2006/01/08 22:29:56 as Exp $ + +DIR=`dirname $0` + +source $DIR/function.sh + +[ -f $DIR/../testing.conf ] || die "!! Configuration file 'testing.conf' not found" + +source $DIR/../testing.conf + +STRONGSWANVERSION=`basename $STRONGSWAN .tar.bz2` + +cecho-n " * Looking for strongSwan at '$STRONGSWAN'.." +if [ -f "$STRONGSWAN" ] +then + cecho "found it" + cecho " * strongSwan version is '$STRONGSWANVERSION'" +else + cecho "none" + exit +fi + +cecho-n " * Looking for gentoo root filesystem at '$ROOTFS'.." +if [ -f "$ROOTFS" ] +then + cecho "found it" +else + cecho "none" + exit +fi + +[ -d $BUILDDIR ] || die "!! Directory '$BUILDDIR' does not exist" + +HOSTCONFIGDIR=$BUILDDIR/hosts + +[ -d $HOSTCONFIGDIR ] || die "!! Directory '$HOSTCONFIGDIR' does not exist" + +LOGFILE=$BUILDDIR/testing.log + +if [ ! -f $LOGFILE ] +then + cecho-n " * Logfile '$LOGFILE' does not exist..creating.." + touch $LOGFILE + cecho "done" +fi + +ROOTFSDIR=$BUILDDIR/root-fs + +if [ ! -d $ROOTFSDIR ] +then + cecho-n " * Root file system directory '$ROOTFSDIR' does not exist..creating.." + mkdir $ROOTFSDIR + cecho "done" +fi + +cd $ROOTFSDIR + +LOOPDIR=$ROOTFSDIR/loop + +if [ ! -d $LOOPDIR ] +then + mkdir $LOOPDIR +fi + +###################################################### +# creating reiser-based uml root filesystem +# + +cecho-n " * Building basic root filesystem (gentoo).." +dd if=/dev/zero of=gentoo-fs count=$ROOTFSSIZE bs=1M >> $LOGFILE 2>&1 +mkreiserfs -q -f gentoo-fs >> $LOGFILE 2>&1 +mount -o loop gentoo-fs $LOOPDIR >> $LOGFILE 2>&1 +tar xjpf $ROOTFS -C $LOOPDIR >> $LOGFILE 2>&1 +cecho "done" + + +###################################################### +# copying default /etc/hosts to the root filesystem +# +cecho " * Copying '$HOSTCONFIGDIR/default/etc/hosts' to the root filesystem" +cp -fp $HOSTCONFIGDIR/default/etc/hosts $LOOPDIR/etc/hosts + +# +##################################################### +# extracting strongSwan into the root filesystem +# + +cecho " * Extracting strongSwan into the root filesystem" +tar xjf $STRONGSWAN -C $LOOPDIR/root >> $LOGFILE 2>&1 + + +###################################################### +# installing strongSwan and setting the local timezone +# + +INSTALLSHELL=${LOOPDIR}/install.sh + +cecho " * Preparing strongSwan installation script" +echo "ln -sf /usr/share/zoneinfo/${TZUML} /etc/localtime" >> $INSTALLSHELL + +if [ "$USE_LIBCURL" = "yes" ] +then + echo "export USE_LIBCURL=true" >> $INSTALLSHELL +fi + +if [ "$USE_LDAP" = "yes" ] +then + echo "export USE_LDAP=true" >> $INSTALLSHELL +fi + +echo "export USERCOMPILE=\'-DRANDOM_DEVICE=\\\"/dev/urandom\\\"\'" >> $INSTALLSHELL +echo "cd /root/${STRONGSWANVERSION}" >> $INSTALLSHELL +echo "make programs" >> $INSTALLSHELL +echo "make install" >> $INSTALLSHELL + +cecho-n " * Compiling $STRONGSWANVERSION within the root file system as chroot.." +chroot $LOOPDIR /bin/bash /install.sh >> $LOGFILE 2>&1 +cecho "done" + +rm -f $INSTALLSHELL + + +###################################################### +# copying the host's ssh public key +# + +if [ ! -d $LOOPDIR/root/.ssh ] +then + mkdir $LOOPDIR/root/.ssh +fi +cp ~/.ssh/id_rsa.pub $LOOPDIR/root/.ssh/authorized_keys + +###################################################### +# setup public key based login among all hosts +# +cp $LOOPDIR/etc/ssh/ssh_host_rsa_key $LOOPDIR/root/.ssh/id_rsa + +for host in $STRONGSWANHOSTS +do + eval ip="`echo $HOSTNAMEIPS | sed -n -e "s/^.*${host}://gp" | awk -F : '{ print $1 }' | awk '{ print $1 }'`" + echo "$host,$ip `cat $HOSTCONFIGDIR/ssh_host_rsa_key.pub`" >> $LOOPDIR/root/.ssh/known_hosts + echo "`cat $HOSTCONFIGDIR/ssh_host_rsa_key.pub` root@$host" >> $LOOPDIR/root/.ssh/authorized_keys +done + +###################################################### +# defining an empty modules.dep +# + +if [ $UMLPATCH ] +then + mkdir $LOOPDIR/lib/modules/`basename $UMLPATCH .bz2 | sed s/uml-patch-//`um + touch $LOOPDIR/lib/modules/`basename $UMLPATCH .bz2 | sed s/uml-patch-//`um/modules.dep +else + mkdir $LOOPDIR/lib/modules/$KERNELVERSION + touch $LOOPDIR/lib/modules/$KERNELVERSION/modules.dep +fi + +umount $LOOPDIR diff --git a/testing/scripts/function.sh b/testing/scripts/function.sh new file mode 100755 index 000000000..22a79698d --- /dev/null +++ b/testing/scripts/function.sh @@ -0,0 +1,82 @@ +#!/bin/bash +# provides some general-purpose script functions +# +# Copyright (C) 2004 Eric Marchionni, Patrik Rayo +# Zuercher Hochschule Winterthur +# +# This program is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 2 of the License, or (at your +# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +# for more details. +# +# RCSID $Id: function.sh,v 1.3 2005/02/16 22:20:52 as Exp $ + + +############################################ +# print output in color +# + +function cecho { + echo -e "\033\13301;31m$1\033\1330m" +} + +function cecho-n { + echo -en "\033\13301;31m$1\033\1330m" +} + + +############################################# +# output all args to stderr and exit with +# return code 1 +# + +die() { + echo $* 1>&2 + exit 1 +} + +############################################# +# search and replace strings throughout a +# whole directory +# + +function searchandreplace { + + SEARCHSTRING="$1" + REPLACESTRING="$2" + DESTDIR="$3" + + [ -d "$DESTDIR" ] || die "$DESTDIR is not a directory!" + + + ######################### + # create a temporary file + # + + TMPFILE="/tmp/sr.$$" + + + ########################################### + # search and replace in each found file the + # given string + # + + for eachfoundfile in `find $DESTDIR -type f` + do + sed -e "s/$SEARCHSTRING/$REPLACESTRING/g" "$eachfoundfile" > "$TMPFILE" + cp -f "$TMPFILE" "$eachfoundfile" + done + + + ########################### + # delete the temporary file + # + + rm -f "$TMPFILE" + +} diff --git a/testing/scripts/kstart-umls b/testing/scripts/kstart-umls new file mode 100755 index 000000000..a533fb728 --- /dev/null +++ b/testing/scripts/kstart-umls @@ -0,0 +1,113 @@ +#!/bin/bash +# starts the UML instances in a konsole (requires KDE) +# +# Copyright (C) 2004 Eric Marchionni, Patrik Rayo +# Zuercher Hochschule Winterthur +# +# This program is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 2 of the License, or (at your +# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +# for more details. +# +# RCSID $Id: kstart-umls,v 1.6 2005/08/30 22:13:12 as Exp $ + +DIR=`dirname $0` + +source $DIR/function.sh + +[ -f $DIR/../testing.conf ] || die "Configuration file 'testing.conf' not found" + +source $DIR/../testing.conf + +if [ "$#" -eq 0 ] +then + HOSTS=$STRONGSWANHOSTS +else + HOSTS=$* +fi + +BOOTING_HOSTS="" +count_max=12 +count=0 + +for host in $HOSTS +do + up=0 + + if [ -d ~/.uml/${host} ] + then + pid=`cat ~/.uml/${host}/pid` + up=`ps up $pid | wc -l` + fi + + if [ $up -eq 2 ] + then + cecho " * Great, ${host} is already running!" + else + rm -rf ~/.uml/${host} + BOOTING_HOSTS="$BOOTING_HOSTS ${host}" + let "count_max += 12" + + UMLHOSTFS=$BUILDDIR/root-fs/gentoo-fs-${host} + [ -f $UMLHOSTFS ] || die "!! uml root file system '$UMLHOSTFS' not found" + + cecho-n " * Starting ${host}.." + eval konsole -title ${host} -e "$UMLKERNEL \ + umid=${host} \ + ubda=$UMLHOSTFS \ + \$SWITCH_${host} \ + mem=${MEM}M con=pty con0=fd:0,fd:1" & + cecho "done" + fi +done + +if [ -z "$BOOTING_HOSTS" ] +then + exit 0 +fi + +cecho " * Waiting for the uml instances to finish booting" + +for host in $BOOTING_HOSTS +do + cecho-n " * Checking on $host.." + + while [ $count -lt $count_max ] && [ ! -d ~/.uml/$host ] + do + cecho-n "." + sleep 5 + let "count+=1" + done + + if [ $count -ge $count_max ] + then + cecho "exit" + exit 1 + fi + + pid=`cat ~/.uml/$host/pid` + up=`ps up $pid | grep agetty | wc -l` + + while [ $count -lt $count_max ] && [ $up -eq 0 ] + do + cecho-n "." + sleep 5 + up=`ps up $pid | grep agetty | wc -l` + let "count+=1" + done + + if [ $count -ge $count_max ] + then + cecho "exit" + exit 1 + else + cecho "up" + fi +done + +cecho " * All uml instances are up now" diff --git a/testing/scripts/load-testconfig b/testing/scripts/load-testconfig new file mode 100755 index 000000000..89da17e72 --- /dev/null +++ b/testing/scripts/load-testconfig @@ -0,0 +1,64 @@ +#!/bin/bash +# Load test specific host configurations +# +# Copyright (C) 2004 Eric Marchionni, Patrik Rayo +# Zuercher Hochschule Winterthur +# +# This program is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 2 of the License, or (at your +# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +# for more details. +# +# RCSID $Id: load-testconfig,v 1.2 2004/12/13 21:02:42 as Exp $ + +DIR=`dirname $0` + +source $DIR/function.sh + +[ -f $DIR/../testing.conf ] || die "Configuration file 'testing.conf' not found" + +source $DIR/../testing.conf + +########################################################################## +# load-testconfig requires a testname as an argument +# + +testname=$1 + +TESTSDIR=$BUILDDIR/tests + +[ -d $TESTSDIR ] || die "Directory '$TESTSDIR' not found" +[ -d $TESTSDIR/$testname ] || die "Test '$testname' not found" +[ -f $TESTSDIR/$testname/test.conf ] || die "File 'test.conf' is missing" + +source $TESTSDIR/$testname/test.conf + +########################################################################## +# copy test specific configurations to uml hosts +# + +if [ -d $TESTSDIR/$testname/hosts ] +then + for host in `ls $TESTSDIR/$testname/hosts` + do + eval HOSTLOGIN="root@`echo $HOSTNAMEIPS | sed -n -e "s/^.*${host}://gp" | awk -F : '{ print $1 }' | awk '{ print $1 }'`" + scp -rp $TESTSDIR/$testname/hosts/$host/etc $HOSTLOGIN:/ > /dev/null 2>&1 + done +fi + + +########################################################################## +# clear the auth.log where IKE messages are logged +# + +for host in $IPSECHOSTS +do + eval HOSTLOGIN="root@`echo $HOSTNAMEIPS | sed -n -e "s/^.*${host}://gp" | awk -F : '{ print $1 }' | awk '{ print $1 }'`" + ssh $HOSTLOGIN 'rm -f /var/log/auth.log; \ + kill -SIGHUP `cat /var/run/syslogd.pid`' > /dev/null 2>&1 +done diff --git a/testing/scripts/restore-defaults b/testing/scripts/restore-defaults new file mode 100755 index 000000000..129e46f56 --- /dev/null +++ b/testing/scripts/restore-defaults @@ -0,0 +1,53 @@ +#!/bin/bash +# Restore the default host configurations +# +# Copyright (C) 2004 Eric Marchionni, Patrik Rayo +# Zuercher Hochschule Winterthur +# +# This program is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 2 of the License, or (at your +# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +# for more details. +# +# RCSID $Id: restore-defaults,v 1.2 2004/12/20 07:56:33 as Exp $ + +DIR=`dirname $0` + +source $DIR/function.sh + +[ -f $DIR/../testing.conf ] || die "Configuration file 'testing.conf' not found" + +source $DIR/../testing.conf + +########################################################################## +# load-testconfig requires a testname as an argument +# + +testname=$1 + +HOSTCONFIGDIR=$BUILDDIR/hosts +TESTSDIR=$BUILDDIR/tests + +[ -d $TESTSDIR ] || die "Directory '$TESTSDIR' not found" +[ -d $TESTSDIR/$testname ] || die "Test '$testname' not found" +[ -f $TESTSDIR/$testname/test.conf ] || die "File 'test.conf' is missing" + +source $TESTSDIR/$testname/test.conf + +########################################################################## +# copy default host config back if necessary +# + +if [ -d $TESTSDIR/${testname}/hosts ] +then + for host in `ls $TESTSDIR/${testname}/hosts` + do + eval HOSTLOGIN="root@`echo $HOSTNAMEIPS | sed -n -e "s/^.*${host}://gp" | awk -F : '{ print $1 }' | awk '{ print $1 }'`" + scp -rp $HOSTCONFIGDIR/${host}/etc $HOSTLOGIN:/ > /dev/null 2>&1 + done +fi diff --git a/testing/scripts/start-switches b/testing/scripts/start-switches new file mode 100755 index 000000000..c90c9f86d --- /dev/null +++ b/testing/scripts/start-switches @@ -0,0 +1,39 @@ +#!/bin/bash +# starts the UML switches +# +# Copyright (C) 2004 Eric Marchionni, Patrik Rayo +# Zuercher Hochschule Winterthur +# +# This program is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 2 of the License, or (at your +# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +# for more details. +# +# RCSID $Id: start-switches,v 1.2 2004/12/19 19:17:25 as Exp $ + +DIR=`dirname $0` + +source $DIR/function.sh + +[ -f $DIR/../testing.conf ] || die "Configuration file 'testing.conf' not found" + +source $DIR/../testing.conf + +for n in 0 1 2 +do + if [ `ps aux | grep uml_switch | grep umlswitch$n | wc -l` -eq 1 ] + then + cecho " * Great, umlswitch$n is already running!" + else + cecho-n " * Starting umlswitch$n.." + uml_switch -tap tap$n -unix /tmp/umlswitch$n >/dev/null </dev/null & + sleep 2 + eval ifconfig "tap$n \$IFCONFIG_$n up" + cecho "done" + fi +done diff --git a/testing/scripts/start-umls b/testing/scripts/start-umls new file mode 100755 index 000000000..f51791dfa --- /dev/null +++ b/testing/scripts/start-umls @@ -0,0 +1,113 @@ +#!/bin/bash +# starts the UML instances with a hidden screen +# +# Copyright (C) 2004 Eric Marchionni, Patrik Rayo +# Zuercher Hochschule Winterthur +# +# This program is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 2 of the License, or (at your +# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +# for more details. +# +# RCSID $Id: start-umls,v 1.5 2005/08/30 22:13:12 as Exp $ + +DIR=`dirname $0` + +source $DIR/function.sh + +[ -f $DIR/../testing.conf ] || die "Configuration file 'testing.conf' not found" + +source $DIR/../testing.conf + +if [ "$#" -eq 0 ] +then + HOSTS=$STRONGSWANHOSTS +else + HOSTS=$* +fi + +BOOTING_HOSTS="" +count_max=12 +count=0 + +for host in $HOSTS +do + up=0 + + if [ -d ~/.uml/${host} ] + then + pid=`cat ~/.uml/${host}/pid` + up=`ps up $pid | wc -l` + fi + + if [ $up -eq 2 ] + then + cecho " * Great, ${host} is already running!" + else + rm -rf ~/.uml/${host} + BOOTING_HOSTS="$BOOTING_HOSTS ${host}" + let "count_max += 12" + + UMLHOSTFS=$BUILDDIR/root-fs/gentoo-fs-${host} + [ -f $UMLHOSTFS ] || die "!! uml root file system '$UMLHOSTFS' not found" + + cecho-n " * Starting ${host}.." + eval screen -dmS ${host} "$UMLKERNEL \ + umid=${host} \ + ubda=$UMLHOSTFS \ + \$SWITCH_${host} \ + mem=${MEM}M con=pty con0=fd:0,fd:1" + cecho "done" + fi +done + +if [ -z "$BOOTING_HOSTS" ] +then + exit 0 +fi + +cecho " * Waiting for the uml instances to finish booting" + +for host in $BOOTING_HOSTS +do + cecho-n " * Checking on $host.." + + while [ $count -lt $count_max ] && [ ! -d ~/.uml/$host ] + do + cecho-n "." + sleep 5 + let "count+=1" + done + + if [ $count -ge $count_max ] + then + cecho "exit" + exit 1 + fi + + pid=`cat ~/.uml/$host/pid` + up=`ps up $pid | grep agetty | wc -l` + + while [ $count -lt $count_max ] && [ $up -eq 0 ] + do + cecho-n "." + sleep 5 + up=`ps up $pid | grep agetty | wc -l` + let "count+=1" + done + + if [ $count -ge $count_max ] + then + cecho "exit" + exit 1 + else + cecho "up" + fi +done + +cecho " * All uml instances are up now" diff --git a/testing/scripts/xstart-umls b/testing/scripts/xstart-umls new file mode 100755 index 000000000..13c5d10a1 --- /dev/null +++ b/testing/scripts/xstart-umls @@ -0,0 +1,113 @@ +#!/bin/bash +# starts the UML instances in an xterm (requires X11R6) +# +# Copyright (C) 2004 Eric Marchionni, Patrik Rayo +# Zuercher Hochschule Winterthur +# +# This program is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 2 of the License, or (at your +# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +# for more details. +# +# RCSID $Id: xstart-umls,v 1.6 2005/08/30 22:13:12 as Exp $ + +DIR=`dirname $0` + +source $DIR/function.sh + +[ -f $DIR/../testing.conf ] || die "Configuration file 'testing.conf' not found" + +source $DIR/../testing.conf + +if [ "$#" -eq 0 ] +then + HOSTS=$STRONGSWANHOSTS +else + HOSTS=$* +fi + +BOOTING_HOSTS="" +count_max=12 +count=0 + +for host in $HOSTS +do + up=0 + + if [ -d ~/.uml/${host} ] + then + pid=`cat ~/.uml/${host}/pid` + up=`ps up $pid | wc -l` + fi + + if [ $up -eq 2 ] + then + cecho " * Great, ${host} is already running!" + else + rm -rf ~/.uml/${host} + BOOTING_HOSTS="$BOOTING_HOSTS ${host}" + let "count_max += 12" + + UMLHOSTFS=$BUILDDIR/root-fs/gentoo-fs-${host} + [ -f $UMLHOSTFS ] || die "!! uml root file system '$UMLHOSTFS' not found" + + cecho-n " * Starting ${host}.." + eval xterm -title ${host} -rightbar -sb -sl 500 -e "$UMLKERNEL \ + umid=${host} \ + ubda=$UMLHOSTFS \ + \$SWITCH_${host} \ + mem=${MEM}M con=pty con0=fd:0,fd:1" & + cecho "done" + fi +done + +if [ -z "$BOOTING_HOSTS" ] +then + exit 0 +fi + +cecho " * Waiting for the uml instances to finish booting" + +for host in $BOOTING_HOSTS +do + cecho-n " * Checking on $host.." + + while [ $count -lt $count_max ] && [ ! -d ~/.uml/$host ] + do + cecho-n "." + sleep 5 + let "count+=1" + done + + if [ $count -ge $count_max ] + then + cecho "exit" + exit 1 + fi + + pid=`cat ~/.uml/$host/pid` + up=`ps up $pid | grep agetty | wc -l` + + while [ $count -lt $count_max ] && [ $up -eq 0 ] + do + cecho-n "." + sleep 5 + up=`ps up $pid | grep agetty | wc -l` + let "count+=1" + done + + if [ $count -ge $count_max ] + then + cecho "exit" + exit 1 + else + cecho "up" + fi +done + +cecho " * All uml instances are up now" diff --git a/testing/start-testing b/testing/start-testing new file mode 100755 index 000000000..375a82be5 --- /dev/null +++ b/testing/start-testing @@ -0,0 +1,83 @@ +#!/bin/bash +# Start up the specified UML instances and wait for them to finish booting +# +# Copyright (C) 2004 Eric Marchionni, Patrik Rayo +# Zuercher Hochschule Winterthur +# +# This program is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 2 of the License, or (at your +# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +# for more details. +# +# RCSID $Id: start-testing,v 1.4 2004/12/07 18:04:57 as Exp $ + +DIR=`dirname $0` + +source $DIR/scripts/function.sh + +[ -f $DIR/testing.conf ] || die "!! Configuration file 'testing.conf' not found" +[ -d $DIR/hosts ] || die "Directory hosts cannot be found." + +source $DIR/testing.conf + +if [ "$#" -eq 0 ] +then + HOSTS=$STRONGSWANHOSTS +else + HOSTS=$* +fi + +##################################################### +# start the uml switches +# +cecho "Start the uml switches (scripts/start-switches)" +$DIR/scripts/start-switches + + +##################################################### +# start the uml instances +# +case $UMLSTARTMODE in + konsole) + cecho "Start the uml instances (scripts/kstart-umls)" + $DIR/scripts/kstart-umls $HOSTS + ;; + xterm) + cecho "Start the uml instances (scripts/xstart-umls)" + $DIR/scripts/xstart-umls $HOSTS + ;; + screen) + cecho "Start the uml instances (scripts/start-umls)" + $DIR/scripts/start-umls $HOSTS + ;; + *) + die "The start mode is unknown! Please set $UMLSTARTMODE properly." + ;; +esac + + +##################################################### +# do the automated testing +# +if [ $ENABLE_DO_TESTS = "yes" ] +then + cecho "Run the automated tests (do-tests)" + $DIR/do-tests +fi + + +############################################################################## +# stop all UML instances and switches +# + +if [ $ENABLE_STOP_TESTING = "yes" ] +then + cecho "Stopping all UML instances and switches (stop-testing)" + $DIR/stop-testing $HOSTS +fi + diff --git a/testing/stop-testing b/testing/stop-testing new file mode 100755 index 000000000..5b53505ac --- /dev/null +++ b/testing/stop-testing @@ -0,0 +1,51 @@ +#!/bin/bash +# Stop all UML instances and UML switches +# +# Copyright (C) 2004 Eric Marchionni, Patrik Rayo +# Zuercher Hochschule Winterthur +# +# This program is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 2 of the License, or (at your +# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +# for more details. +# +# RCSID $Id: stop-testing,v 1.3 2004/12/07 18:04:57 as Exp $ + +DIR=`dirname $0` + +source $DIR/scripts/function.sh + +[ -f $DIR/testing.conf ] || die "No configuration file testing.conf found." + +source $DIR/testing.conf + +if [ "$#" -eq 0 ] +then + HOSTS=$STRONGSWANHOSTS +else + HOSTS=$* +fi + +##################################################### +# Shutting down the uml instances +# +cecho-n " * Halting all UML instances.." +for host in $HOSTS +do + uml_mconsole $host halt &> /dev/null +done +cecho "done" + +##################################################### +# Shutting down the uml switches +# +cecho-n " * Stopping the UML switches.." +killall uml_switch &> /dev/null +rm -f /tmp/umlswitch[012] &> /dev/null 2>&1 +cecho "done" + diff --git a/testing/testing.conf b/testing/testing.conf new file mode 100755 index 000000000..92a138288 --- /dev/null +++ b/testing/testing.conf @@ -0,0 +1,154 @@ +#!/bin/bash +# Global configuration file for strongswan UML testing. +# +# Copyright (C) 2004 Eric Marchionni, Patrik Rayo +# Zuercher Hochschule Winterthur +# +# This program is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 2 of the License, or (at your +# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +# for more details. +# +# RCSID $Id: testing.conf,v 1.52 2006/04/24 16:58:03 as Exp $ + +# Root directory of testing +UMLTESTDIR=~/strongswan-testing + +# Bzipped kernel sources +# (file extension .tar.bz2 required) +KERNEL=$UMLTESTDIR/linux-2.6.16.9.tar.bz2 + +# Extract kernel version +KERNELVERSION=`basename $KERNEL .tar.bz2 | sed -e 's/linux-//'` + +# Kernel configuration file +KERNELCONFIG=$UMLTESTDIR/.config-2.6.16 + +# Bzipped uml patch for kernel +# (not needed anymore for 2.6.9 kernel or higher) +UMLPATCH= + +# Bzipped source of strongSwan +STRONGSWAN=$UMLTESTDIR/strongswan-2.7.0.tar.bz2 + +# strongSwan compile options (use "yes" or "no") +USE_LIBCURL="yes" +USE_LDAP="yes" + +# Gentoo linux root filesystem +ROOTFS=$UMLTESTDIR/gentoo-fs-20060330.tar.bz2 + +# Size of the finished root filesystem in MB +ROOTFSSIZE=544 + +# Amount of Memory to use per UML [MB]. +# If "auto" is stated 1/12 of total host ram will be used. +# Examples: MEM=64, MEM="128", MEM="auto" +MEM=64 + +# Directory where the UML kernels and file system will be built +BUILDDIR=$UMLTESTDIR/umlbuild + +# Filename of the built UML Kernel +UMLKERNEL=$BUILDDIR/linux-uml-$KERNELVERSION + +# Directory where test results will be stored +TESTRESULTSDIR=$UMLTESTDIR/testresults + +# Timezone for the UMLs, look in /usr/share/zoneinfo! +TZUML="Europe/Zurich" + +############################################################## +# Enable particular steps in the make-testing and +# start-testing scripts +# +ENABLE_BUILD_UMLKERNEL="yes" +ENABLE_BUILD_SSHKEYS="yes" +ENABLE_BUILD_HOSTCONFIG="yes" +ENABLE_BUILD_UMLROOTFS="yes" +ENABLE_BUILD_UMLHOSTFS="yes" +ENABLE_START_TESTING="yes" +ENABLE_DO_TESTS="yes" +ENABLE_STOP_TESTING="no" + +############################################################## +# How to start the UMLs? +# +# Start the UML instance in KDE konsole (requires KDE) +UMLSTARTMODE="konsole" +# Start the UML instance in an xterm (requires X11R6) +# UMLSTARTMODE="xterm" +# Start the UML instance without a terminal window +# but screen -r <host> can open a window anytime +# UMLSTARTMODE="screen" + +############################################################## +# If set to "yes" only the tests stated at $SELECTEDTESTS +# will be executed. (use "yes" or "no") +# +SELECTEDTESTSONLY="no" + +# Tests to do if $SELECTEDTESTSONLY is set "yes". +# +SELECTEDTESTS="net2net-cert" + +############################################################## +# hostname and according IP(s) +# You may change the IPs but keep them in the same net, +# this means retain the netmasks! +# Also don't use IPs ending with 254, they are reserved! +# +HOSTNAMEIPS="\ +alice:10.1.0.10 \ +venus:10.1.0.20 \ +moon:192.168.0.1:10.1.0.1 \ +carol:192.168.0.100:10.3.0.1 \ +winnetou:192.168.0.150 \ +dave:192.168.0.200:10.3.0.2 \ +sun:192.168.0.2:10.2.0.1 \ +bob:10.2.0.10" + +############################################################## +# VPN gateways / clients +# The hosts stated here will be created. Possible values +# are sun, moon, dave, carol, alice, venus, bob, winnetou. +# It's fine to make them all unless you don't have much +# ressources. In this case we assume you know what you do! +# +STRONGSWANHOSTS="sun moon dave carol alice venus bob winnetou" + +############################################################## +# Needed programs, do not change! +# +PROGRAMS="uml_switch uml_mconsole ssh ssh-keygen iptables \ + chroot screen mkreiserfs" + +############################################################## +# IP parameters of the UML switches +# +IFCONFIG_0="192.168.0.254 netmask 255.255.255.0" +IFCONFIG_1="10.1.0.254 netmask 255.255.0.0" +IFCONFIG_2="10.2.0.254 netmask 255.255.0.0" + +############################################################## +# Network interfaces of the UML instances +# +SWITCH_alice="eth0=daemon,,unix,/tmp/umlswitch1" +SWITCH_venus="eth0=daemon,,unix,/tmp/umlswitch1" +SWITCH_moon="eth0=daemon,,unix,/tmp/umlswitch0 \ + eth1=daemon,,unix,/tmp/umlswitch1" +SWITCH_carol="eth0=daemon,,unix,/tmp/umlswitch0" +SWITCH_winnetou="eth0=daemon,,unix,/tmp/umlswitch0" +SWITCH_dave="eth0=daemon,,unix,/tmp/umlswitch0" +SWITCH_sun="eth0=daemon,,unix,/tmp/umlswitch0 \ + eth1=daemon,,unix,/tmp/umlswitch2" +SWITCH_bob="eth0=daemon,,unix,/tmp/umlswitch2" + + + + diff --git a/testing/tests/alg-blowfish/description.txt b/testing/tests/alg-blowfish/description.txt new file mode 100644 index 000000000..cff0a1915 --- /dev/null +++ b/testing/tests/alg-blowfish/description.txt @@ -0,0 +1,4 @@ +Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the strong cipher suite +<b>BLOWFISH_CBC_256-SHA2_512-MODP4096</b> for the IKE protocol and +<b>BLOWFISH_256-HMAC_SHA2_256</b> for ESP packets. A ping from <b>carol</b> to +<b>alice</b> successfully checks the established tunnel. diff --git a/testing/tests/alg-blowfish/evaltest.dat b/testing/tests/alg-blowfish/evaltest.dat new file mode 100644 index 000000000..a9c9b803a --- /dev/null +++ b/testing/tests/alg-blowfish/evaltest.dat @@ -0,0 +1,9 @@ + +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +moon::ipsec statusall::IKE algorithm newest: BLOWFISH_CBC_256-SHA2_512-MODP4096::YES +carol::ipsec statusall::IKE algorithm newest: BLOWFISH_CBC_256-SHA2_512-MODP4096::YES +moon::ipsec statusall::ESP algorithm newest: BLOWFISH_256-HMAC_SHA2_256::YES +carol::ipsec statusall::ESP algorithm newest: BLOWFISH_256-HMAC_SHA2_256::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES + diff --git a/testing/tests/alg-blowfish/hosts/carol/etc/ipsec.conf b/testing/tests/alg-blowfish/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..fa68c9d3d --- /dev/null +++ b/testing/tests/alg-blowfish/hosts/carol/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug="control crypt" + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + ike=blowfish256-sha2_512-modp4096! + esp=blowfish256-sha2_256! +conn home + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolCert.pem + leftid=carol@strongswan.org + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/alg-blowfish/hosts/moon/etc/ipsec.conf b/testing/tests/alg-blowfish/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..39916a7ba --- /dev/null +++ b/testing/tests/alg-blowfish/hosts/moon/etc/ipsec.conf @@ -0,0 +1,26 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug="control crypt" + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + leftnexthop=%direct + ike=blowfish256-sha2_512-modp4096! + esp=blowfish256-sha2_256! + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + right=%any + rightid=carol@strongswan.org + auto=add diff --git a/testing/tests/alg-blowfish/posttest.dat b/testing/tests/alg-blowfish/posttest.dat new file mode 100644 index 000000000..c6d6235f9 --- /dev/null +++ b/testing/tests/alg-blowfish/posttest.dat @@ -0,0 +1,2 @@ +moon::ipsec stop +carol::ipsec stop diff --git a/testing/tests/alg-blowfish/pretest.dat b/testing/tests/alg-blowfish/pretest.dat new file mode 100644 index 000000000..6d2eeb5f9 --- /dev/null +++ b/testing/tests/alg-blowfish/pretest.dat @@ -0,0 +1,5 @@ +moon::echo 1 > /proc/sys/net/ipv4/ip_forward +carol::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/alg-blowfish/test.conf b/testing/tests/alg-blowfish/test.conf new file mode 100644 index 000000000..a6c8f026c --- /dev/null +++ b/testing/tests/alg-blowfish/test.conf @@ -0,0 +1,22 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" + diff --git a/testing/tests/alg-serpent/description.txt b/testing/tests/alg-serpent/description.txt new file mode 100644 index 000000000..f49c0a1c0 --- /dev/null +++ b/testing/tests/alg-serpent/description.txt @@ -0,0 +1,4 @@ +Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the strong cipher suite +<b>SERPENT_CBC_256-SHA2_512-MODP4096</b> for the IKE protocol and +<b>SERPENT_256-HMAC_SHA2_256</b> for ESP packets. A ping from <b>carol</b> to +<b>alice</b> successfully checks the established tunnel. diff --git a/testing/tests/alg-serpent/evaltest.dat b/testing/tests/alg-serpent/evaltest.dat new file mode 100644 index 000000000..6b792538b --- /dev/null +++ b/testing/tests/alg-serpent/evaltest.dat @@ -0,0 +1,9 @@ + +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +moon::ipsec statusall::IKE algorithm newest: SERPENT_CBC_256-SHA2_512-MODP4096::YES +carol::ipsec statusall::IKE algorithm newest: SERPENT_CBC_256-SHA2_512-MODP4096::YES +moon::ipsec statusall::ESP algorithm newest: SERPENT_256-HMAC_SHA2_256::YES +carol::ipsec statusall::ESP algorithm newest: SERPENT_256-HMAC_SHA2_256::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES + diff --git a/testing/tests/alg-serpent/hosts/carol/etc/ipsec.conf b/testing/tests/alg-serpent/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..5d2369924 --- /dev/null +++ b/testing/tests/alg-serpent/hosts/carol/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug="control crypt" + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + ike=serpent256-sha2_512-modp4096! + esp=serpent256-sha2_256! +conn home + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolCert.pem + leftid=carol@strongswan.org + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/alg-serpent/hosts/moon/etc/ipsec.conf b/testing/tests/alg-serpent/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..7bdddf008 --- /dev/null +++ b/testing/tests/alg-serpent/hosts/moon/etc/ipsec.conf @@ -0,0 +1,26 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug="control crypt" + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + leftnexthop=%direct + ike=serpent256-sha2_512-modp4096! + esp=serpent256-sha2_256! + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + right=%any + rightid=carol@strongswan.org + auto=add diff --git a/testing/tests/alg-serpent/posttest.dat b/testing/tests/alg-serpent/posttest.dat new file mode 100644 index 000000000..c6d6235f9 --- /dev/null +++ b/testing/tests/alg-serpent/posttest.dat @@ -0,0 +1,2 @@ +moon::ipsec stop +carol::ipsec stop diff --git a/testing/tests/alg-serpent/pretest.dat b/testing/tests/alg-serpent/pretest.dat new file mode 100644 index 000000000..6d2eeb5f9 --- /dev/null +++ b/testing/tests/alg-serpent/pretest.dat @@ -0,0 +1,5 @@ +moon::echo 1 > /proc/sys/net/ipv4/ip_forward +carol::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/alg-serpent/test.conf b/testing/tests/alg-serpent/test.conf new file mode 100644 index 000000000..a6c8f026c --- /dev/null +++ b/testing/tests/alg-serpent/test.conf @@ -0,0 +1,22 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" + diff --git a/testing/tests/alg-sha2_256/description.txt b/testing/tests/alg-sha2_256/description.txt new file mode 100644 index 000000000..900fcf017 --- /dev/null +++ b/testing/tests/alg-sha2_256/description.txt @@ -0,0 +1,4 @@ +Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the rather strong cipher suite +<b>AES_CBC_128-SHA2_256-MODP1536</b> for the IKE protocol and +<b>AES_128-HMAC_SHA2_256</b> for ESP packets. A ping from <b>carol</b> to +<b>alice</b> successfully checks the established tunnel. diff --git a/testing/tests/alg-sha2_256/evaltest.dat b/testing/tests/alg-sha2_256/evaltest.dat new file mode 100644 index 000000000..9b4caa278 --- /dev/null +++ b/testing/tests/alg-sha2_256/evaltest.dat @@ -0,0 +1,9 @@ + +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +moon::ipsec statusall::IKE algorithm newest: AES_CBC_128-SHA2_256-MODP1536::YES +carol::ipsec statusall::IKE algorithm newest: AES_CBC_128-SHA2_256-MODP1536::YES +moon::ipsec statusall::ESP algorithm newest: AES_128-HMAC_SHA2_256::YES +carol::ipsec statusall::ESP algorithm newest: AES_128-HMAC_SHA2_256::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES + diff --git a/testing/tests/alg-sha2_256/hosts/carol/etc/ipsec.conf b/testing/tests/alg-sha2_256/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..c55ae8ab1 --- /dev/null +++ b/testing/tests/alg-sha2_256/hosts/carol/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug="control crypt" + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + ike=aes128-sha2_256-modp1536! + esp=aes128-sha2_256! +conn home + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolCert.pem + leftid=carol@strongswan.org + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/alg-sha2_256/hosts/moon/etc/ipsec.conf b/testing/tests/alg-sha2_256/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..748b1b85c --- /dev/null +++ b/testing/tests/alg-sha2_256/hosts/moon/etc/ipsec.conf @@ -0,0 +1,26 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug="control crypt" + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + leftnexthop=%direct + ike=aes128-sha2_256-modp1536! + esp=aes128-sha2_256! + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + right=%any + rightid=carol@strongswan.org + auto=add diff --git a/testing/tests/alg-sha2_256/posttest.dat b/testing/tests/alg-sha2_256/posttest.dat new file mode 100644 index 000000000..c6d6235f9 --- /dev/null +++ b/testing/tests/alg-sha2_256/posttest.dat @@ -0,0 +1,2 @@ +moon::ipsec stop +carol::ipsec stop diff --git a/testing/tests/alg-sha2_256/pretest.dat b/testing/tests/alg-sha2_256/pretest.dat new file mode 100644 index 000000000..7d077c126 --- /dev/null +++ b/testing/tests/alg-sha2_256/pretest.dat @@ -0,0 +1,5 @@ +moon::echo 1 > /proc/sys/net/ipv4/ip_forward +carol::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/alg-sha2_256/test.conf b/testing/tests/alg-sha2_256/test.conf new file mode 100644 index 000000000..a6c8f026c --- /dev/null +++ b/testing/tests/alg-sha2_256/test.conf @@ -0,0 +1,22 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" + diff --git a/testing/tests/alg-twofish/description.txt b/testing/tests/alg-twofish/description.txt new file mode 100644 index 000000000..0015561ee --- /dev/null +++ b/testing/tests/alg-twofish/description.txt @@ -0,0 +1,4 @@ +Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the strong cipher suite +<b>TWOFISH_CBC_256-SHA2_512-MODP4096</b> for the IKE protocol and +<b>TWOFISH_256-HMAC_SHA2_256</b> for ESP packets. A ping from <b>carol</b> to +<b>alice</b> successfully checks the established tunnel. diff --git a/testing/tests/alg-twofish/evaltest.dat b/testing/tests/alg-twofish/evaltest.dat new file mode 100644 index 000000000..0568eec6e --- /dev/null +++ b/testing/tests/alg-twofish/evaltest.dat @@ -0,0 +1,8 @@ +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +moon::ipsec statusall::IKE algorithm newest: TWOFISH_CBC_256-SHA2_512-MODP4096::YES +carol::ipsec statusall::IKE algorithm newest: TWOFISH_CBC_256-SHA2_512-MODP4096::YES +moon::ipsec statusall::ESP algorithm newest: TWOFISH_256-HMAC_SHA2_256::YES +carol::ipsec statusall::ESP algorithm newest: TWOFISH_256-HMAC_SHA2_256::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES + diff --git a/testing/tests/alg-twofish/hosts/carol/etc/ipsec.conf b/testing/tests/alg-twofish/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..8e3037a3b --- /dev/null +++ b/testing/tests/alg-twofish/hosts/carol/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug="control crypt" + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + ike=twofish256-sha2_512-modp4096! + esp=twofish256-sha2_256! +conn home + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolCert.pem + leftid=carol@strongswan.org + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/alg-twofish/hosts/moon/etc/ipsec.conf b/testing/tests/alg-twofish/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..01004e94e --- /dev/null +++ b/testing/tests/alg-twofish/hosts/moon/etc/ipsec.conf @@ -0,0 +1,26 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug="control crypt" + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + leftnexthop=%direct + ike=twofish256-sha2_512-modp4096! + esp=twofish256-sha2_256! + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + right=%any + rightid=carol@strongswan.org + auto=add diff --git a/testing/tests/alg-twofish/posttest.dat b/testing/tests/alg-twofish/posttest.dat new file mode 100644 index 000000000..c6d6235f9 --- /dev/null +++ b/testing/tests/alg-twofish/posttest.dat @@ -0,0 +1,2 @@ +moon::ipsec stop +carol::ipsec stop diff --git a/testing/tests/alg-twofish/pretest.dat b/testing/tests/alg-twofish/pretest.dat new file mode 100644 index 000000000..7d077c126 --- /dev/null +++ b/testing/tests/alg-twofish/pretest.dat @@ -0,0 +1,5 @@ +moon::echo 1 > /proc/sys/net/ipv4/ip_forward +carol::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/alg-twofish/test.conf b/testing/tests/alg-twofish/test.conf new file mode 100644 index 000000000..a6c8f026c --- /dev/null +++ b/testing/tests/alg-twofish/test.conf @@ -0,0 +1,22 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" + diff --git a/testing/tests/attr-cert/description.txt b/testing/tests/attr-cert/description.txt new file mode 100644 index 000000000..b7f809c36 --- /dev/null +++ b/testing/tests/attr-cert/description.txt @@ -0,0 +1,7 @@ +The VPN gateway <b>moon</b> controls the access to the hosts <b>alice</b> and +<b>venus</b> by means of <b>X.509 Attribute Certificates</b>. Access to <b>alice</b> +is granted to members of the group 'Research' whereas <b>venus</b> can only +be reached by members of the groups 'Accounting' and 'Sales'. The roadwarriors +<b>carol</b> and <b>dave</b> belong to the groups 'Research' and 'Accounting', +respectively. Therefore <b>carol</b> can access <b>alice</b> and <b>dave</b> +can reach <b>venus</b>.
\ No newline at end of file diff --git a/testing/tests/attr-cert/evaltest.dat b/testing/tests/attr-cert/evaltest.dat new file mode 100644 index 000000000..59f6eb76a --- /dev/null +++ b/testing/tests/attr-cert/evaltest.dat @@ -0,0 +1,12 @@ +carol::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::YES +moon::cat /var/log/auth.log::alice.*peer matches group 'Research'::YES +moon::ipsec status::alice.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::YES +carol::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::NO +moon::cat /var/log/auth.log::venus.*peer doesn't match any group::YES +moon::ipsec status::venus.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::NO +dave::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::YES +moon::cat /var/log/auth.log::venus.*peer matches group 'Accounting'::YES +moon::ipsec status::venus.*PH_IP_DAVE.*STATE_QUICK_R2.*IPsec SA established::YES +dave::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::NO +moon::cat /var/log/auth.log::alice.*peer doesn't match any group::YES +moon::ipsec status::alice.*PH_IP_DAVE.*STATE_QUICK_R2.*IPsec SA established::NO diff --git a/testing/tests/attr-cert/hosts/carol/etc/ipsec.conf b/testing/tests/attr-cert/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..62fc49868 --- /dev/null +++ b/testing/tests/attr-cert/hosts/carol/etc/ipsec.conf @@ -0,0 +1,33 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolCert.pem + leftid=carol@strongswan.org + right=PH_IP_MOON + rightid=@moon.strongswan.org + +conn alice + rightsubnet=PH_IP_ALICE/32 + auto=add + +conn venus + rightsubnet=PH_IP_VENUS/32 + auto=add + + + + + diff --git a/testing/tests/attr-cert/hosts/dave/etc/ipsec.conf b/testing/tests/attr-cert/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..9d932dc54 --- /dev/null +++ b/testing/tests/attr-cert/hosts/dave/etc/ipsec.conf @@ -0,0 +1,33 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_DAVE + leftnexthop=%direct + leftcert=daveCert.pem + leftid=dave@strongswan.org + right=PH_IP_MOON + rightid=@moon.strongswan.org + +conn alice + rightsubnet=PH_IP_ALICE/32 + auto=add + +conn venus + rightsubnet=PH_IP_VENUS/32 + auto=add + + + + + diff --git a/testing/tests/attr-cert/hosts/moon/etc/ipsec.conf b/testing/tests/attr-cert/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..bd72715ff --- /dev/null +++ b/testing/tests/attr-cert/hosts/moon/etc/ipsec.conf @@ -0,0 +1,31 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_MOON + leftnexthop=%direct + leftcert=moonCert.pem + leftid=@moon.strongswan.org + +conn alice + leftsubnet=PH_IP_ALICE/32 + right=%any + rightgroups=Research + auto=add + +conn venus + leftsubnet=PH_IP_VENUS/32 + right=%any + rightgroups="Accounting, Sales" + auto=add + diff --git a/testing/tests/attr-cert/hosts/moon/etc/ipsec.d/aacerts/aaCert.pem b/testing/tests/attr-cert/hosts/moon/etc/ipsec.d/aacerts/aaCert.pem new file mode 100644 index 000000000..3c5c5d91d --- /dev/null +++ b/testing/tests/attr-cert/hosts/moon/etc/ipsec.d/aacerts/aaCert.pem @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEKjCCAxKgAwIBAgIBCzANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA1MDIxNzA4NDQzMFoXDTEwMDIxNjA4NDQzMFowZjELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xIDAeBgNVBAsTF0F1dGhv +cml6YXRpb24gQXV0aG9yaXR5MRowGAYDVQQDFBFhYUBzdHJvbmdzd2FuLm9yZzCC +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL2Czo4Mds6Jz15DWop6ExWI +wWt9zU8Xu//ow1F0Kf9a4DLjo8qO+km3gybByNQQv1LrZ1eq+82Gy4RYXU1FnhC6 +dc8aobDmUQkY/8uYXtUmevKF5QcbYciDLp01W1q0DONAlc/9wmvJWhvjs9itWOBC +fAUcH3eUNvMgkc7hlQTqreZTH4zyJ6M54JibkTsyfVg/1yOT41zUU3b+vI/r9kNB +CYcp2DrdhdxX6mEiSTyDA/OMlgvCa7kPinUL4FJtQOFBozCsGcD28ONLc8Abkggf +NABXCclPVAXOTawJF3dRWcMhIlNLWxWMVRvEt5OkAEdy/mXGBvtVArmGnmA+8zcC +AwEAAaOCAQIwgf8wCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFA+6 +5KwThPKc9Vxn0048uRThft1tMG0GA1UdIwRmMGSAFF2n3XAGUTJ+57Zts7Xl4GDq +Lk3voUmkRzBFMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dh +bjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBSb290IENBggEAMBwGA1UdEQQVMBOBEWFh +QHN0cm9uZ3N3YW4ub3JnMDkGA1UdHwQyMDAwLqAsoCqGKGh0dHA6Ly9jcmwuc3Ry +b25nc3dhbi5vcmcvc3Ryb25nc3dhbi5jcmwwDQYJKoZIhvcNAQEEBQADggEBAIeg +CjgR2yIGSuyrFolvEM/qoT3j+LpQREDZbx9BKr3kGmbqF75clwfpysJ4FlXZZ2CR +aH2GoPOZGXwsYc3poqGeeWSxo+fpt4XIGUc1eREXm1rKVMd+qb0u0PXuhq2+u1aY +ZJDY0yqUU2/7AInXjzG7lI120W+K6tuTM/5UVI5EPpAFwUVlCxnMh4Sl4VkgZ2Hw +YnO3/8SEHmHR03/GhOd5d8hD8a0AGHtdOPpZnUOR9PH5FszpQ/alUdn+NTdQ7O2v +Q8jqPCeQSAAkJbBBRvGA4bD6KXt1k74fXXUofiKWpQUozlO1Cc978Kfl5/do5bov +wTLSA/z7c8nVCVoZI9Y= +-----END CERTIFICATE----- diff --git a/testing/tests/attr-cert/hosts/moon/etc/openac/aaKey.pem b/testing/tests/attr-cert/hosts/moon/etc/openac/aaKey.pem new file mode 100644 index 000000000..209b48f3a --- /dev/null +++ b/testing/tests/attr-cert/hosts/moon/etc/openac/aaKey.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEAvYLOjgx2zonPXkNainoTFYjBa33NTxe7/+jDUXQp/1rgMuOj +yo76SbeDJsHI1BC/UutnV6r7zYbLhFhdTUWeELp1zxqhsOZRCRj/y5he1SZ68oXl +BxthyIMunTVbWrQM40CVz/3Ca8laG+Oz2K1Y4EJ8BRwfd5Q28yCRzuGVBOqt5lMf +jPInozngmJuROzJ9WD/XI5PjXNRTdv68j+v2Q0EJhynYOt2F3FfqYSJJPIMD84yW +C8JruQ+KdQvgUm1A4UGjMKwZwPbw40tzwBuSCB80AFcJyU9UBc5NrAkXd1FZwyEi +U0tbFYxVG8S3k6QAR3L+ZcYG+1UCuYaeYD7zNwIDAQABAoIBAQCCGgsz+dqWcIWs +cRD3gFcZsYkYAoWwhtrKFUIB6X3rkLfaN+16Yi3x7cpcES2OaPDwPCv2Q6warS+K +7B8hrWmWkmvOgrn+eB+p3z+8xh5UttYxKTrSZjn7LhQSWU8eNf2jBfPTlqKi3Ni/ +zNLrLhaV3w7Fc0knDtmqj/GJ1dQ4SrUpME3sREpWbGSzjJ2UsR7iqQiDsYwWHzK2 +nWWwzrSmpObhDR3jiyOwBy/DEjXRC7h0fUL8eBghJvLWgFgifI5Z36FXa0FasxQr +zKZnQdwuJHqQz7+sVjAmKtNd7x7RE5Ii0oQYiWDFr0OAwKD5UfMNydpcOVC/bV2n +SKWmguoBAoGBAO73MTPP9ne4cfC7t4k2+F9hkb7mAjAbk9GbTyZyEKSDKH2bL02W +G4kXdlkvZVgKhIDg8PCouRSQKv2IxubDrarFURb5KMJlyfBV1Q8JSxpVtxK69clq +yIu/AtiiBE/n11MdmdoJLr6l2nNStJummj2jw5OyN8sdJarf83rCy+ITAoGBAMsF +IfivZ+Tueavy0tGRb1qqKalIhwzLBRmWCna39bB9rK4eTNio5Oes95mC7t8mslmO +18enKUTO87svWLzo8NVYIKSqg5B+kIN44hROErlV6HHPVd5vJzZFjH7SSfy5y8Ka +wmsA1xiG6NEgEndc6F6uQ2YdaZAHWFO6CiTNpq7NAoGADXglb9QzAkCFO5p5F+Tf +TxEC1A3G5ctII7JrXbFkOsGh0KKkoezqFGocI57GSZYeLd1/9zCrbftKUQwamftB +mLSSg4b7wylVnpRX9AcEErHuJcIgBIBeWXIkyO0o7RAWVPsAJwgJeHmEvKdWwsc7 +PmoypeqPtoUoEF+bK7o7H70CgYAYlYaHlrX+AuK4766XsgTJ9dEVrrKr2enEL2cU ++THHLXC7pO+pTMprQ4a4ECLc4tK2BZYblyJoMqdRA2q7dXm0W/eX+Q31cV4OjZTS +4KFj0ANVxMWhKdSVvdZFhTFwaQ9DgXoJexCQ58VJjZiu25FH5dJDi0w9JKaNfPm9 +eym0AQKBgHhfqD9EXxazoP27NyZAFUSA3r4u06qFjbAEjbuJVAJNSuEu6Sht2uIg +lCHpTPssDLHVSY0faQwY4vPqJZVg0k/rAu2VlvbJxYrdzXr8eTfPRJrhv/s/Tbro +n1rmisBKov1P2Cu2e03a8+GDO3lpSZr9YNG/e7wggSbfAvqCoUDF +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/attr-cert/hosts/moon/etc/openac/carolCert.pem b/testing/tests/attr-cert/hosts/moon/etc/openac/carolCert.pem new file mode 100644 index 000000000..8492fbd45 --- /dev/null +++ b/testing/tests/attr-cert/hosts/moon/etc/openac/carolCert.pem @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEIjCCAwqgAwIBAgIBCjANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA1MDEwMTIxNDMxOFoXDTA5MTIzMTIxNDMxOFowWjELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh +cmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBALgbhJIECOCGyNJ4060un/wBuJ6MQjthK5CAEPgX +T/lvZynoSxhfuW5geDCCxQes6dZPeb6wJS4F5fH3qJoLM+Z4n13rZlCEyyMBkcFl +vK0aNFY+ARs0m7arUX8B7Pfi9N6WHTYgO4XpeBHLJrZQz9AU0V3S0rce/WVuVjii +S/cJhrgSi7rl87Qo1jYOA9P06BZQLj0dFNcWWrGpKp/hXvBF1OSP9b15jsgMlCCW +LJqXmLVKDtKgDPLJZR19mILhgcHvaxxD7craL9GR4QmWLb0m84oAIIwaw+0npZJM +YDMMeYeOtcepCWCmRy+XmsqcWu4rtNCu05W1RsXjYZEKBjcCAwEAAaOCAQYwggEC +MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBRVNeym66J5uu+IfxhD +j9InsWdG0TBtBgNVHSMEZjBkgBRdp91wBlEyfue2bbO15eBg6i5N76FJpEcwRTEL +MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT +EnN0cm9uZ1N3YW4gUm9vdCBDQYIBADAfBgNVHREEGDAWgRRjYXJvbEBzdHJvbmdz +d2FuLm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4u +b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBBAUAA4IBAQCxMEp+Zdclc0aI +U+jO3TmL81gcwea0BUucjZfDyvCSkDXcXidOez+l/vUueGC7Bqq1ukDF8cpVgGtM +2HPxM97ZSLPInMgWIeLq3uX8iTtIo05EYqRasJxBIAkY9o6ja6v6z0CZqjSbi2WE +HrHkFrkOTrRi7deGzbAAhWVjOnAfzSxBaujkdUxb6jGBc2F5qpAeVSbE+sAxzmSd +hRyF3tUUwl4yabBzmoedJzlQ4anqg0G14QScBxgXkq032gKuzNVVxWRp6OFannKG +C1INvsBWYtN62wjXlXXhM/M4sBFhmPpftVb+Amgr1jSspTX2dQsNqhI/WtNvLmfK +omBYfxqp +-----END CERTIFICATE----- diff --git a/testing/tests/attr-cert/hosts/moon/etc/openac/daveCert.pem b/testing/tests/attr-cert/hosts/moon/etc/openac/daveCert.pem new file mode 100644 index 000000000..abd1554e5 --- /dev/null +++ b/testing/tests/attr-cert/hosts/moon/etc/openac/daveCert.pem @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEIjCCAwqgAwIBAgIBCDANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA0MDkxMDExMjY1MVoXDTA5MDkwOTExMjY1MVowWzELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xEzARBgNVBAsTCkFjY291 +bnRpbmcxHDAaBgNVBAMUE2RhdmVAc3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3 +DQEBAQUAA4IBDwAwggEKAoIBAQDGbCmUY6inir71/6RWebegcLUTmDSxRqpRONDx +2IRUEuES5EKc7qsjRz45XoqjiywCQRjYW33fUEEY6r7fnHk70CyUnWeZyr7v4D/2 +LjBN3smDE6/ZZrzxPx+xphlUigYOF/vt4gUiW1dOZ5rcnxG9+eNrSL6gWNNg1iuE +RflSTbmHV6TVmGU2PGddKGZ6XfqWfdA+6iOi2+oyqw6aH4u4hfXhJyMROEOhLdAF +UvzU9UizEXSqsmEOSodS9vypVJRYTbZcx70e9Q7g2MghHvtQY6mVgBzAwakDBCt/ +98lAlKDeXXOQqPcqAZSc2VjG8gEmkr1dum8wsJw8C2liKGRFAgMBAAGjggEFMIIB +ATAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQU3pC10RxsZDx0UNNq ++Ihsoxk4+3IwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUx +CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQD +ExJzdHJvbmdTd2FuIFJvb3QgQ0GCAQAwHgYDVR0RBBcwFYETZGF2ZUBzdHJvbmdz +d2FuLm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4u +b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBBAUAA4IBAQAnotcnOE0tJDLy +8Vh1+naT2zrxx9UxfMIeFljwhDqRiHXSLDAbCOnAWoqj8C9riuZwW7UImIIQ9JT9 +Gdktt4bbIcG25rGMC3uqP71CfaAz/SwIZZ2vm8Jt2ZzzSMHsE5qbjDIRAZnq6giR +P2s6PVsMPSpvH34sRbE0UoWJSdtBZJP5bb+T4hc9gfmbyTewwMnjh09KkGJqVxKV +UC/1z1U9zb3X1Gc9y+zI67/D46wM6KdRINaqPdK26aYRFM+/DLoTfFk07dsyz7lt +0C+/ityQOvpfjVlZ/OepT92eWno4FuNRJuUP5/gYiHvSsjZbazqG02qGhJ6VgtGT +5qILUTmI +-----END CERTIFICATE----- diff --git a/testing/tests/attr-cert/hosts/moon/etc/openac/default.conf b/testing/tests/attr-cert/hosts/moon/etc/openac/default.conf new file mode 100644 index 000000000..134218eec --- /dev/null +++ b/testing/tests/attr-cert/hosts/moon/etc/openac/default.conf @@ -0,0 +1,4 @@ +--cert /etc/ipsec.d/aacerts/aaCert.pem +--key /etc/openac/aaKey.pem +--quiet +--hours 8 diff --git a/testing/tests/attr-cert/posttest.dat b/testing/tests/attr-cert/posttest.dat new file mode 100644 index 000000000..a59c3ff63 --- /dev/null +++ b/testing/tests/attr-cert/posttest.dat @@ -0,0 +1,6 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::rm /etc/openac/* +moon::rm /etc/ipsec.d/aacerts/aaCert.pem +moon::rm /etc/ipsec.d/acerts/* diff --git a/testing/tests/attr-cert/pretest.dat b/testing/tests/attr-cert/pretest.dat new file mode 100644 index 000000000..b3fecaf3c --- /dev/null +++ b/testing/tests/attr-cert/pretest.dat @@ -0,0 +1,12 @@ +moon::echo 1 > /proc/sys/net/ipv4/ip_forward +moon::cat /etc/openac/default.conf +moon::ipsec openac --optionsfrom default.conf --usercert /etc/openac/carolCert.pem --groups Research --out /etc/ipsec.d/acerts/carolAC.pem +moon::ipsec openac --optionsfrom default.conf --usercert /etc/openac/daveCert.pem --groups Accounting --out /etc/ipsec.d/acerts/daveAC.pem +carol::ipsec start +dave::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up alice +carol::ipsec up venus +dave::ipsec up venus +dave::ipsec up alice diff --git a/testing/tests/attr-cert/test.conf b/testing/tests/attr-cert/test.conf new file mode 100644 index 000000000..08e5cc145 --- /dev/null +++ b/testing/tests/attr-cert/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice venus moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-v-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/compress/description.txt b/testing/tests/compress/description.txt new file mode 100644 index 000000000..47829839d --- /dev/null +++ b/testing/tests/compress/description.txt @@ -0,0 +1,3 @@ +This scenario enables IPCOMP compression between roadwarrior <b>carol</b> and +gateway <b>moon</b>. Two pings from <b>carol</b> to <b>alice</b> checks +the established tunnel with compression. diff --git a/testing/tests/compress/evaltest.dat b/testing/tests/compress/evaltest.dat new file mode 100644 index 000000000..ff72e1762 --- /dev/null +++ b/testing/tests/compress/evaltest.dat @@ -0,0 +1,10 @@ +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +moon::ipsec statusall::policy.*COMPRESS::YES +carol::ipsec statusall::policy.*COMPRESS::YES +moon::ipsec statusall::comp.::YES +carol::ipsec statusall::comp.::YES +carol::ping -n -c 2 -s 8184 -p deadbeef PH_IP_ALICE::8192 bytes from PH_IP_ALICE::YES +moon::tcpdump::carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::moon.strongswan.org > carol.strongswan.org: ESP::YES + diff --git a/testing/tests/compress/hosts/carol/etc/ipsec.conf b/testing/tests/compress/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..9462ba5e6 --- /dev/null +++ b/testing/tests/compress/hosts/carol/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug="control crypt" + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + compress=yes + +conn home + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolCert.pem + leftid=carol@strongswan.org + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/compress/hosts/moon/etc/ipsec.conf b/testing/tests/compress/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..b8dfae646 --- /dev/null +++ b/testing/tests/compress/hosts/moon/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug="control crypt" + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + leftnexthop=%direct + compress=yes + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + right=%any + rightid=carol@strongswan.org + auto=add diff --git a/testing/tests/compress/posttest.dat b/testing/tests/compress/posttest.dat new file mode 100644 index 000000000..c6d6235f9 --- /dev/null +++ b/testing/tests/compress/posttest.dat @@ -0,0 +1,2 @@ +moon::ipsec stop +carol::ipsec stop diff --git a/testing/tests/compress/pretest.dat b/testing/tests/compress/pretest.dat new file mode 100644 index 000000000..7d077c126 --- /dev/null +++ b/testing/tests/compress/pretest.dat @@ -0,0 +1,5 @@ +moon::echo 1 > /proc/sys/net/ipv4/ip_forward +carol::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/compress/test.conf b/testing/tests/compress/test.conf new file mode 100644 index 000000000..fd33cfb57 --- /dev/null +++ b/testing/tests/compress/test.conf @@ -0,0 +1,22 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" + diff --git a/testing/tests/crl-from-cache/description.txt b/testing/tests/crl-from-cache/description.txt new file mode 100644 index 000000000..17866f572 --- /dev/null +++ b/testing/tests/crl-from-cache/description.txt @@ -0,0 +1,5 @@ +By setting <b>strictcrlpolicy=yes</b> a <b>strict CRL policy</b> is enforced on +both roadwarrior <b>carol</b> and gateway <b>moon</b>. When <b>carol</b> initiates +an IPsec connection to <b>moon</b>, both VPN endpoints find a cached CRL in +their <b>/etc/ipsec.d/crls/</b> directories which allows them to immediately verify +the certificate received from their peer. diff --git a/testing/tests/crl-from-cache/evaltest.dat b/testing/tests/crl-from-cache/evaltest.dat new file mode 100644 index 000000000..dd200c8ef --- /dev/null +++ b/testing/tests/crl-from-cache/evaltest.dat @@ -0,0 +1,10 @@ +moon::cat /var/log/auth.log::loaded crl file::YES +carol::cat /var/log/auth.log::loaded crl file::YES +moon::cat /var/log/auth.log::X.509 certificate rejected::NO +carol::cat /var/log/auth.log::X.509 certificate rejected::NO +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::cat /var/log/auth.log::written crl file::NO +carol::cat /var/log/auth.log::written crl file::NO +moon::ipsec listcrls:: ok::YES +carol::ipsec listcrls:: ok::YES diff --git a/testing/tests/crl-from-cache/hosts/carol/etc/ipsec.conf b/testing/tests/crl-from-cache/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..93c4d7956 --- /dev/null +++ b/testing/tests/crl-from-cache/hosts/carol/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=yes + cachecrls=yes + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolCert.pem + leftid=carol@strongswan.org + +conn home + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/crl-from-cache/hosts/moon/etc/ipsec.conf b/testing/tests/crl-from-cache/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..ef9237518 --- /dev/null +++ b/testing/tests/crl-from-cache/hosts/moon/etc/ipsec.conf @@ -0,0 +1,36 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=yes + cachecrls=yes + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_MOON + leftnexthop=%direct + leftcert=moonCert.pem + leftid=@moon.strongswan.org + +conn net-net + leftsubnet=10.1.0.0/16 + right=PH_IP_SUN + rightsubnet=10.2.0.0/16 + rightid=@sun.strongswan.org + auto=add + +conn host-host + right=PH_IP_SUN + rightid=@sun.strongswan.org + auto=add + +conn rw + leftsubnet=10.1.0.0/16 + right=%any + auto=add diff --git a/testing/tests/crl-from-cache/posttest.dat b/testing/tests/crl-from-cache/posttest.dat new file mode 100644 index 000000000..be17847c1 --- /dev/null +++ b/testing/tests/crl-from-cache/posttest.dat @@ -0,0 +1,4 @@ +moon::ipsec stop +carol::ipsec stop +moon::rm /etc/ipsec.d/crls/* +carol::rm /etc/ipsec.d/crls/* diff --git a/testing/tests/crl-from-cache/pretest.dat b/testing/tests/crl-from-cache/pretest.dat new file mode 100644 index 000000000..acdb265ed --- /dev/null +++ b/testing/tests/crl-from-cache/pretest.dat @@ -0,0 +1,8 @@ +moon::wget -q http://crl.strongswan.org/strongswan.crl +moon::mv strongswan.crl /etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl +carol::wget -q http://crl.strongswan.org/strongswan.crl +carol::mv strongswan.crl /etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl +moon::ipsec start +carol::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/crl-from-cache/test.conf b/testing/tests/crl-from-cache/test.conf new file mode 100644 index 000000000..2b240d895 --- /dev/null +++ b/testing/tests/crl-from-cache/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/crl-ldap/description.txt b/testing/tests/crl-ldap/description.txt new file mode 100644 index 000000000..02dc0cbbe --- /dev/null +++ b/testing/tests/crl-ldap/description.txt @@ -0,0 +1,9 @@ +By setting <b>strictcrlpolicy=yes</b> a <b>strict CRL policy</b> is enforced on +both roadwarrior <b>carol</b> and gateway <b>moon</b>. Thus when <b>carol</b> initiates +the connection and only an expired CRL cache file in <b>/etc/ipsec.d/crls</b> is +available, the Main Mode negotiation fails. A http fetch for an updated CRL fails +because the web server is currently not reachable. Thus the second Main Mode negotiation +fails, too. Finally an ldap fetch to get the CRL from the LDAP server <b>winnetou</b> +is triggered. When the third Main Mode trial comes around, the fetched CRL has become +available and the IKE negotiation completes. The new CRL is again cached locally as a +file in <b>/etc/ipsec.d/crls</b> due to the <b>cachecrls=yes</b> option. diff --git a/testing/tests/crl-ldap/evaltest.dat b/testing/tests/crl-ldap/evaltest.dat new file mode 100644 index 000000000..2b98e086a --- /dev/null +++ b/testing/tests/crl-ldap/evaltest.dat @@ -0,0 +1,16 @@ +moon::cat /var/log/auth.log::loaded crl file::YES +carol::cat /var/log/auth.log::loaded crl file::YES +moon::cat /var/log/auth.log::crl update is overdue::YES +carol::cat /var/log/auth.log::crl update is overdue::YES +moon::cat /var/log/auth.log::X.509 certificate rejected::YES +carol::cat /var/log/auth.log::X.509 certificate rejected::YES +moon::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES +carol::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES +moon::cat /var/log/auth.log::Trying LDAP URL::YES +carol::cat /var/log/auth.log::Trying LDAP URL::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::cat /var/log/auth.log::written crl file::YES +carol::cat /var/log/auth.log::written crl file::YES +moon::ipsec listcrls:: ok::YES +carol::ipsec listcrls:: ok::YES diff --git a/testing/tests/crl-ldap/hosts/carol/etc/init.d/iptables b/testing/tests/crl-ldap/hosts/carol/etc/init.d/iptables new file mode 100755 index 000000000..571459bae --- /dev/null +++ b/testing/tests/crl-ldap/hosts/carol/etc/init.d/iptables @@ -0,0 +1,73 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +opts="start stop reload" + +depend() { + before net + need logger +} + +start() { + ebegin "Starting firewall" + + # default policy is DROP + /sbin/iptables -P INPUT DROP + /sbin/iptables -P OUTPUT DROP + /sbin/iptables -P FORWARD DROP + + # allow esp + iptables -A INPUT -i eth0 -p 50 -j ACCEPT + iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT + + # allow IKE + iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT + iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + + # allow ldap crl fetch from winnetou + iptables -A INPUT -i eth0 -p tcp --sport 389 -s PH_IP_WINNETOU -j ACCEPT + iptables -A OUTPUT -o eth0 -p tcp --dport 389 -d PH_IP_WINNETOU -j ACCEPT + + # allow ssh + iptables -A INPUT -p tcp --dport 22 -j ACCEPT + iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT + + eend $? +} + +stop() { + ebegin "Stopping firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + + if [ $a == nat ]; then + /sbin/iptables -t nat -P PREROUTING ACCEPT + /sbin/iptables -t nat -P POSTROUTING ACCEPT + /sbin/iptables -t nat -P OUTPUT ACCEPT + elif [ $a == mangle ]; then + /sbin/iptables -t mangle -P PREROUTING ACCEPT + /sbin/iptables -t mangle -P INPUT ACCEPT + /sbin/iptables -t mangle -P FORWARD ACCEPT + /sbin/iptables -t mangle -P OUTPUT ACCEPT + /sbin/iptables -t mangle -P POSTROUTING ACCEPT + elif [ $a == filter ]; then + /sbin/iptables -t filter -P INPUT ACCEPT + /sbin/iptables -t filter -P FORWARD ACCEPT + /sbin/iptables -t filter -P OUTPUT ACCEPT + fi + done + eend $? +} + +reload() { + ebegin "Flushing firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + done; + eend $? + start +} + diff --git a/testing/tests/crl-ldap/hosts/carol/etc/ipsec.conf b/testing/tests/crl-ldap/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..669a47d06 --- /dev/null +++ b/testing/tests/crl-ldap/hosts/carol/etc/ipsec.conf @@ -0,0 +1,31 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=yes + cachecrls=yes + +ca strongswan + cacert=strongswanCert.pem + crluri="ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=Linux strongSwan, c=CH?certificateRevocationList" + auto=add + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=2 + +conn home + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/crl-ldap/hosts/carol/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl b/testing/tests/crl-ldap/hosts/carol/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl Binary files differnew file mode 100644 index 000000000..75e8b0959 --- /dev/null +++ b/testing/tests/crl-ldap/hosts/carol/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl diff --git a/testing/tests/crl-ldap/hosts/moon/etc/init.d/iptables b/testing/tests/crl-ldap/hosts/moon/etc/init.d/iptables new file mode 100755 index 000000000..8de514a2e --- /dev/null +++ b/testing/tests/crl-ldap/hosts/moon/etc/init.d/iptables @@ -0,0 +1,76 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +opts="start stop reload" + +depend() { + before net + need logger +} + +start() { + ebegin "Starting firewall" + + # enable IP forwarding + echo 1 > /proc/sys/net/ipv4/ip_forward + + # default policy is DROP + /sbin/iptables -P INPUT DROP + /sbin/iptables -P OUTPUT DROP + /sbin/iptables -P FORWARD DROP + + # allow esp + iptables -A INPUT -i eth0 -p 50 -j ACCEPT + iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT + + # allow IKE + iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT + iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + + # allow ldap crl fetch from winnetou + iptables -A INPUT -i eth0 -p tcp --sport 389 -s PH_IP_WINNETOU -j ACCEPT + iptables -A OUTPUT -o eth0 -p tcp --dport 389 -d PH_IP_WINNETOU -j ACCEPT + + # allow ssh + iptables -A INPUT -p tcp --dport 22 -j ACCEPT + iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT + + eend $? +} + +stop() { + ebegin "Stopping firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + + if [ $a == nat ]; then + /sbin/iptables -t nat -P PREROUTING ACCEPT + /sbin/iptables -t nat -P POSTROUTING ACCEPT + /sbin/iptables -t nat -P OUTPUT ACCEPT + elif [ $a == mangle ]; then + /sbin/iptables -t mangle -P PREROUTING ACCEPT + /sbin/iptables -t mangle -P INPUT ACCEPT + /sbin/iptables -t mangle -P FORWARD ACCEPT + /sbin/iptables -t mangle -P OUTPUT ACCEPT + /sbin/iptables -t mangle -P POSTROUTING ACCEPT + elif [ $a == filter ]; then + /sbin/iptables -t filter -P INPUT ACCEPT + /sbin/iptables -t filter -P FORWARD ACCEPT + /sbin/iptables -t filter -P OUTPUT ACCEPT + fi + done + eend $? +} + +reload() { + ebegin "Flushing firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + done; + eend $? + start +} + diff --git a/testing/tests/crl-ldap/hosts/moon/etc/ipsec.conf b/testing/tests/crl-ldap/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..d5c0dd163 --- /dev/null +++ b/testing/tests/crl-ldap/hosts/moon/etc/ipsec.conf @@ -0,0 +1,42 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=yes + cachecrls=yes + +ca strongswan + cacert=strongswanCert.pem + crluri="ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=Linux strongSwan, c=CH?certificateRevocationList" + auto=add + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=2 + left=PH_IP_MOON + leftnexthop=%direct + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftfirewall=yes + +conn net-net + leftsubnet=10.1.0.0/16 + right=PH_IP_SUN + rightsubnet=10.2.0.0/16 + rightid=@sun.strongswan.org + auto=add + +conn host-host + right=PH_IP_SUN + rightid=@sun.strongswan.org + auto=add + +conn rw + leftsubnet=10.1.0.0/16 + right=%any + auto=add diff --git a/testing/tests/crl-ldap/hosts/moon/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl b/testing/tests/crl-ldap/hosts/moon/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl Binary files differnew file mode 100644 index 000000000..75e8b0959 --- /dev/null +++ b/testing/tests/crl-ldap/hosts/moon/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl diff --git a/testing/tests/crl-ldap/posttest.dat b/testing/tests/crl-ldap/posttest.dat new file mode 100644 index 000000000..04f762331 --- /dev/null +++ b/testing/tests/crl-ldap/posttest.dat @@ -0,0 +1,9 @@ +moon::iptables -v -n -L +carol::iptables -v -n -L +moon::ipsec stop +carol::ipsec stop +winnetou::/etc/init.d/slapd stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +moon::rm /etc/ipsec.d/crls/* +carol::rm /etc/ipsec.d/crls/* diff --git a/testing/tests/crl-ldap/pretest.dat b/testing/tests/crl-ldap/pretest.dat new file mode 100644 index 000000000..64fae2a16 --- /dev/null +++ b/testing/tests/crl-ldap/pretest.dat @@ -0,0 +1,7 @@ +winnetou::/etc/init.d/slapd start +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +carol::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/crl-ldap/test.conf b/testing/tests/crl-ldap/test.conf new file mode 100644 index 000000000..2b240d895 --- /dev/null +++ b/testing/tests/crl-ldap/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/crl-revoked/description.txt b/testing/tests/crl-revoked/description.txt new file mode 100644 index 000000000..780068ce6 --- /dev/null +++ b/testing/tests/crl-revoked/description.txt @@ -0,0 +1,7 @@ +By setting <b>strictcrlpolicy=yes</b> a <b>strict CRL policy</b> is enforced on +both roadwarrior <b>carol</b> and gateway <b>moon</b>. Thus when <b>carol</b> initiates +the connection and no current CRL is available, the Main Mode negotiation fails +and a http fetch to get the CRL from the web server <b>winnetou</b> is triggered. +When the second Main Mode trial comes around the fetched CRL will be available +but because the certificate presented by carol has been revoked, +the IKE negotatiation will fail. diff --git a/testing/tests/crl-revoked/evaltest.dat b/testing/tests/crl-revoked/evaltest.dat new file mode 100644 index 000000000..0fd1cae8c --- /dev/null +++ b/testing/tests/crl-revoked/evaltest.dat @@ -0,0 +1,6 @@ +moon::cat /var/log/auth.log::X.509 certificate rejected::YES +moon::cat /var/log/auth.log::certificate was revoked::YES +carol::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES +moon::ipsec listcrls:: ok::YES +moon::ipsec status::rw.*STATE_MAIN_R3.*ISAKMP SA established::NO +carol::ipsec status::home.*STATE_MAIN_I4.*ISAKMP SA established::NO diff --git a/testing/tests/crl-revoked/hosts/carol/etc/ipsec.conf b/testing/tests/crl-revoked/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..5a1d246a6 --- /dev/null +++ b/testing/tests/crl-revoked/hosts/carol/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=yes + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolRevokedCert.pem + leftid=carol@strongswan.org + +conn home + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/crl-revoked/hosts/carol/etc/ipsec.d/certs/carolRevokedCert.pem b/testing/tests/crl-revoked/hosts/carol/etc/ipsec.d/certs/carolRevokedCert.pem new file mode 100644 index 000000000..5b742fc9e --- /dev/null +++ b/testing/tests/crl-revoked/hosts/carol/etc/ipsec.d/certs/carolRevokedCert.pem @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEIjCCAwqgAwIBAgIBBzANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA0MDkxMDExMjU0OFoXDTA5MDkwOTExMjU0OFowWjELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh +cmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBAM5413q1B2EF3spcYD1u0ce9AtIHdxmU3+1E0hqV +mLqpIQtyp4SLbrRunxpoVUuEpHWXgLb3C/ljjlKCMWWmhw4wja1rBTjMNJLPj6Bo +5Qn4Oeuqm7/kLHPGbveQGtcSsJCk6iLqFTbq0wsji5Ogq7kmjWgQv0nM2jpofHLv +VOAtWVSj+x2b3OHdl/WpgTgTw1HHjYo7/NOkARdTcZ2/wxxM3z1Abp9iylc45GLN +IL/OzHkT8b5pdokdMvVijz8IslkkewJYXrVQaCNMZg/ydlXOOAEKz0YqnvXQaYs5 +K+s8XvQ2RFCr5oO0fRT2VbiI9TgHnbcnfUi25iHl6txsXg0CAwEAAaOCAQYwggEC +MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBTbA2TH3ca8tgCGkYy9 +OV/MqUTHAzBtBgNVHSMEZjBkgBRdp91wBlEyfue2bbO15eBg6i5N76FJpEcwRTEL +MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT +EnN0cm9uZ1N3YW4gUm9vdCBDQYIBADAfBgNVHREEGDAWgRRjYXJvbEBzdHJvbmdz +d2FuLm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4u +b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBBAUAA4IBAQC9acuCUPEBOrWB +56vS8N9bksQwv/XcYIFYqV73kFBAzOPLX2a9igFGvBPdCxFu/t8JCswzE6to4LFM +2+6Z2QJf442CLPcJKxITahrjJXSxGbzMlmaDvZ5wFCJAlyin+yuInpTwl8rMZe/Q +O5JeJjzGDgWJtnGdkLUk/l2r6sZ/Cmk5rZpuO0hcUHVztMLQYPzqTpuMvC5p4JzL +LWGWhKRhJs53NmxXXodck/ZgaqiTWuQFYlbamJRvzVBfX7c1SWHRJvxSSOPKGIg3 +wphkO2naj/SQD+BNuWTRmZ9YCiLOQ64ybLpJzRZISETdqtLBPKsIqosUZwkxlR1N +9IcgYi5x +-----END CERTIFICATE----- diff --git a/testing/tests/crl-revoked/hosts/carol/etc/ipsec.d/private/carolRevokedKey.pem b/testing/tests/crl-revoked/hosts/carol/etc/ipsec.d/private/carolRevokedKey.pem new file mode 100644 index 000000000..8aefcc5a6 --- /dev/null +++ b/testing/tests/crl-revoked/hosts/carol/etc/ipsec.d/private/carolRevokedKey.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAznjXerUHYQXeylxgPW7Rx70C0gd3GZTf7UTSGpWYuqkhC3Kn +hItutG6fGmhVS4SkdZeAtvcL+WOOUoIxZaaHDjCNrWsFOMw0ks+PoGjlCfg566qb +v+Qsc8Zu95Aa1xKwkKTqIuoVNurTCyOLk6CruSaNaBC/SczaOmh8cu9U4C1ZVKP7 +HZvc4d2X9amBOBPDUceNijv806QBF1Nxnb/DHEzfPUBun2LKVzjkYs0gv87MeRPx +vml2iR0y9WKPPwiyWSR7AlhetVBoI0xmD/J2Vc44AQrPRiqe9dBpizkr6zxe9DZE +UKvmg7R9FPZVuIj1OAedtyd9SLbmIeXq3GxeDQIDAQABAoIBAAUdyXko8z3cP2EU +WO4syNYCQQejV7gykDn48pvmCRrXBhKajLwkGGIwO5ET9MkiSFEBqBbgmFNdvDEf +OMokDkSzv08Ez+RQax0YN57p+oL8u7KzT5i5tsBHsog/8epSdD2hWIv08QGjYAdu +og7OdHLqGabyg0r44I+B91OBysCjU51rDdkhz59AmURdEIJV5xhuGojFM68jaNm2 +MUxDfDuCsRIydjAP0VTUTAUxD4/S5I+jt/GK9aRsEeRH9Q3011iTGMR9viAUBhq/ +khkWNltg9lkOqO7LpnNku4sSv3v4CWge7/T+4RR2vZgv1oSs4ox2UKYoqIqiYIfx +uUcnqQECgYEA+LPiRMoXvlssQWlaFc2k4xga0efs+mWeLglDdc3R3fBEibP/AU07 +a576AgvUJtkI50/WNGKT73O+VtxcXn/N646m/8OtqNXuVKKjsxxNOZEKdO8aOdbt +7lM5WepNiQeaKAFudUxpUiZQx8LCKSsNDiJZKWBu6xAG2O5X32VMZvUCgYEA1Ie+ +rNa490PSC1ym7WbmdAjvGmSOn2GOBfO7BECsPZstccU7D5pZl/89fTfn1TDKP49Y +ScVOuFz7f/u6UJpb/WzI71RXEQOdojLWmF2HDx5osRi3hXEJa20fbPq6DQXCJ8pf +IF37AEqAY4UNSNic0Cw+rGHdWPQhDNXhFWpdu7kCgYEAmv4oNmyoDXbuhrlsbggi +CXE9TbG3a3mm8dPOGf2yHBmf7R2i/6GtNW33Kw1KIwfBV77WpQEGZwWACsv8ONx3 +baUSiHTfpkfk5xQQ5w/tRMISfTuB4agD0jJFnLa7qXl2ZhY2S53aSVsdntDOhi+R +TEy1umah2Za8Xbd0RgHwcn0CgYEAl9Hgg9dfikMIaNVm6W/4cCtxoojy2Sf3LIlP +r1oDsH6JmBwsdJjuJ4ZNhoXJNqID2COuDgTEly7U+jf4gFvEGuT7JPw6tgy/Ln7i +jTVCpaozX08oykpVUEhDirYQ8fyLFaGbEqQQCcUusej59G/IlW0F2F6QoFrEwUaH +46R4EQECgYBEZ7edMkj3dmJH1wxQjp5GJNbrJkS8IKvzza0mDTJdz33CgEX9Oyva +o2iEkDVpvj2SEy28ewt22IRptWKH/3bQfxSCcRV6JFNt3+LongMshRYqq1leqrKa +9fnQVtfTIbIVXwjTZap6BL8R66OeFtexsSFRfDF/8P4n2oF4zmn4qA== +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/crl-revoked/hosts/carol/etc/ipsec.secrets b/testing/tests/crl-revoked/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..8e31be4cb --- /dev/null +++ b/testing/tests/crl-revoked/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA carolRevokedKey.pem diff --git a/testing/tests/crl-revoked/hosts/moon/etc/ipsec.conf b/testing/tests/crl-revoked/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..a8953f557 --- /dev/null +++ b/testing/tests/crl-revoked/hosts/moon/etc/ipsec.conf @@ -0,0 +1,35 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=yes + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_MOON + leftnexthop=%direct + leftcert=moonCert.pem + leftid=@moon.strongswan.org + +conn net-net + leftsubnet=10.1.0.0/16 + right=PH_IP_SUN + rightsubnet=10.2.0.0/16 + rightid=@sun.strongswan.org + auto=add + +conn host-host + right=PH_IP_SUN + rightid=@sun.strongswan.org + auto=add + +conn rw + leftsubnet=10.1.0.0/16 + right=%any + auto=add diff --git a/testing/tests/crl-revoked/posttest.dat b/testing/tests/crl-revoked/posttest.dat new file mode 100644 index 000000000..d742e8410 --- /dev/null +++ b/testing/tests/crl-revoked/posttest.dat @@ -0,0 +1,4 @@ +moon::ipsec stop +carol::ipsec stop +carol::rm /etc/ipsec.d/private/* +carol::rm /etc/ipsec.d/certs/* diff --git a/testing/tests/crl-revoked/pretest.dat b/testing/tests/crl-revoked/pretest.dat new file mode 100644 index 000000000..d92333d86 --- /dev/null +++ b/testing/tests/crl-revoked/pretest.dat @@ -0,0 +1,4 @@ +moon::ipsec start +carol::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/crl-revoked/test.conf b/testing/tests/crl-revoked/test.conf new file mode 100644 index 000000000..2b240d895 --- /dev/null +++ b/testing/tests/crl-revoked/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/crl-strict/description.txt b/testing/tests/crl-strict/description.txt new file mode 100644 index 000000000..97011482e --- /dev/null +++ b/testing/tests/crl-strict/description.txt @@ -0,0 +1,6 @@ +By setting <b>strictcrlpolicy=yes</b> a <b>strict CRL policy</b> is enforced on +both roadwarrior <b>carol</b> and gateway <b>moon</b>. Thus when <b>carol</b> initiates +the connection and no current CRL is available, the Main Mode negotiation fails +but a http fetch to get the CRL from the web server <b>winnetou</b> is triggered. +When the second Main Mode trial comes around, the fetched CRL will be available +and the IKE negotiation completes. diff --git a/testing/tests/crl-strict/evaltest.dat b/testing/tests/crl-strict/evaltest.dat new file mode 100644 index 000000000..1d7adb05e --- /dev/null +++ b/testing/tests/crl-strict/evaltest.dat @@ -0,0 +1,8 @@ +moon::cat /var/log/auth.log::X.509 certificate rejected::YES +carol::cat /var/log/auth.log::X.509 certificate rejected::YES +moon::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES +carol::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec listcrls:: ok::YES +carol::ipsec listcrls:: ok::YES diff --git a/testing/tests/crl-strict/hosts/carol/etc/ipsec.conf b/testing/tests/crl-strict/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..6d0aee86a --- /dev/null +++ b/testing/tests/crl-strict/hosts/carol/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=yes + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolCert.pem + leftid=carol@strongswan.org + +conn home + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/crl-strict/hosts/moon/etc/ipsec.conf b/testing/tests/crl-strict/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..a8953f557 --- /dev/null +++ b/testing/tests/crl-strict/hosts/moon/etc/ipsec.conf @@ -0,0 +1,35 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=yes + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_MOON + leftnexthop=%direct + leftcert=moonCert.pem + leftid=@moon.strongswan.org + +conn net-net + leftsubnet=10.1.0.0/16 + right=PH_IP_SUN + rightsubnet=10.2.0.0/16 + rightid=@sun.strongswan.org + auto=add + +conn host-host + right=PH_IP_SUN + rightid=@sun.strongswan.org + auto=add + +conn rw + leftsubnet=10.1.0.0/16 + right=%any + auto=add diff --git a/testing/tests/crl-strict/posttest.dat b/testing/tests/crl-strict/posttest.dat new file mode 100644 index 000000000..c6d6235f9 --- /dev/null +++ b/testing/tests/crl-strict/posttest.dat @@ -0,0 +1,2 @@ +moon::ipsec stop +carol::ipsec stop diff --git a/testing/tests/crl-strict/pretest.dat b/testing/tests/crl-strict/pretest.dat new file mode 100644 index 000000000..d92333d86 --- /dev/null +++ b/testing/tests/crl-strict/pretest.dat @@ -0,0 +1,4 @@ +moon::ipsec start +carol::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/crl-strict/test.conf b/testing/tests/crl-strict/test.conf new file mode 100644 index 000000000..2b240d895 --- /dev/null +++ b/testing/tests/crl-strict/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/crl-to-cache/description.txt b/testing/tests/crl-to-cache/description.txt new file mode 100644 index 000000000..9f542e73d --- /dev/null +++ b/testing/tests/crl-to-cache/description.txt @@ -0,0 +1,6 @@ +By setting <b>cachecrls=yes</b> in ipsec.conf, a copy of the CRL fetched +via http from the web server <b>winnetou</b> is saved locally in the +directory <b>/etc/ipsec.d/crls</b> on both the roadwarrior <b>carol</b> +and the gateway <b>moon</b> when the IPsec connection is set up. The +<b>subjectKeyIdentifier</b> of the issuing CA plus the suffix <b>.crl</b> +is used as a unique filename for the cached CRL. diff --git a/testing/tests/crl-to-cache/evaltest.dat b/testing/tests/crl-to-cache/evaltest.dat new file mode 100644 index 000000000..be7737185 --- /dev/null +++ b/testing/tests/crl-to-cache/evaltest.dat @@ -0,0 +1,4 @@ +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::cat /var/log/auth.log::written crl file.*/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl::YES +carol::cat /var/log/auth.log::written crl file.*/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl::YES diff --git a/testing/tests/crl-to-cache/hosts/carol/etc/ipsec.conf b/testing/tests/crl-to-cache/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..955f08b1f --- /dev/null +++ b/testing/tests/crl-to-cache/hosts/carol/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + cachecrls=yes + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolCert.pem + leftid=carol@strongswan.org + +conn home + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/crl-to-cache/hosts/moon/etc/ipsec.conf b/testing/tests/crl-to-cache/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..885354ab5 --- /dev/null +++ b/testing/tests/crl-to-cache/hosts/moon/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + cachecrls=yes + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_MOON + leftnexthop=%direct + leftcert=moonCert.pem + leftid=@moon.strongswan.org + +conn rw + leftsubnet=10.1.0.0/16 + right=%any + auto=add diff --git a/testing/tests/crl-to-cache/posttest.dat b/testing/tests/crl-to-cache/posttest.dat new file mode 100644 index 000000000..be17847c1 --- /dev/null +++ b/testing/tests/crl-to-cache/posttest.dat @@ -0,0 +1,4 @@ +moon::ipsec stop +carol::ipsec stop +moon::rm /etc/ipsec.d/crls/* +carol::rm /etc/ipsec.d/crls/* diff --git a/testing/tests/crl-to-cache/pretest.dat b/testing/tests/crl-to-cache/pretest.dat new file mode 100644 index 000000000..d92333d86 --- /dev/null +++ b/testing/tests/crl-to-cache/pretest.dat @@ -0,0 +1,4 @@ +moon::ipsec start +carol::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/crl-to-cache/test.conf b/testing/tests/crl-to-cache/test.conf new file mode 100644 index 000000000..2b240d895 --- /dev/null +++ b/testing/tests/crl-to-cache/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/default-keys/description.txt b/testing/tests/default-keys/description.txt new file mode 100644 index 000000000..639e909da --- /dev/null +++ b/testing/tests/default-keys/description.txt @@ -0,0 +1,8 @@ +Because of the missing <b>/etc/ipsec.secrets</b> file, roadwarrior <b>carol</b> +and gateway <b>moon</b> each automatically generate a PKCS#1 RSA private key +and a self-signed X.509 certificate. Because the UML testing environment does +not offer enough entropy, the non-blocking /dev/urandom device is used in place +of /dev/random for generating the random primes. +<p> +The self-signed certificates are then distributed to the peers via scp +and are used to set up a road warrior connection initiated by <b>carol</b> diff --git a/testing/tests/default-keys/evaltest.dat b/testing/tests/default-keys/evaltest.dat new file mode 100644 index 000000000..f190d7066 --- /dev/null +++ b/testing/tests/default-keys/evaltest.dat @@ -0,0 +1,7 @@ +carol::cat /var/log/auth.log::we have a cert but are not sending it::YES +moon::cat /var/log/auth.log::we have a cert but are not sending it::YES +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::carol.*STATE_QUICK_R2.*IPsec SA established::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/default-keys/hosts/carol/etc/ipsec.conf b/testing/tests/default-keys/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..c4bb10a65 --- /dev/null +++ b/testing/tests/default-keys/hosts/carol/etc/ipsec.conf @@ -0,0 +1,26 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=0 + strictcrlpolicy=no + nocrsend=yes + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn home + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=selfCert.der + leftsendcert=never + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightcert=peerCert.der + auto=add diff --git a/testing/tests/default-keys/hosts/moon/etc/init.d/iptables b/testing/tests/default-keys/hosts/moon/etc/init.d/iptables new file mode 100755 index 000000000..13ad3063f --- /dev/null +++ b/testing/tests/default-keys/hosts/moon/etc/init.d/iptables @@ -0,0 +1,78 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +opts="start stop reload" + +depend() { + before net + need logger +} + +start() { + ebegin "Starting firewall" + + # enable IP forwarding + echo 1 > /proc/sys/net/ipv4/ip_forward + + # default policy is DROP + /sbin/iptables -P INPUT DROP + /sbin/iptables -P OUTPUT DROP + /sbin/iptables -P FORWARD DROP + + # allow esp + iptables -A INPUT -i eth0 -p 50 -j ACCEPT + iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT + + # allow IKE + iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT + iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + + # allow crl fetch from winnetou + iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT + iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + + # allow ssh + iptables -A INPUT -p tcp --dport 22 -j ACCEPT + iptables -A INPUT -p tcp --sport 22 -j ACCEPT + iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT + iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT + + eend $? +} + +stop() { + ebegin "Stopping firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + + if [ $a == nat ]; then + /sbin/iptables -t nat -P PREROUTING ACCEPT + /sbin/iptables -t nat -P POSTROUTING ACCEPT + /sbin/iptables -t nat -P OUTPUT ACCEPT + elif [ $a == mangle ]; then + /sbin/iptables -t mangle -P PREROUTING ACCEPT + /sbin/iptables -t mangle -P INPUT ACCEPT + /sbin/iptables -t mangle -P FORWARD ACCEPT + /sbin/iptables -t mangle -P OUTPUT ACCEPT + /sbin/iptables -t mangle -P POSTROUTING ACCEPT + elif [ $a == filter ]; then + /sbin/iptables -t filter -P INPUT ACCEPT + /sbin/iptables -t filter -P FORWARD ACCEPT + /sbin/iptables -t filter -P OUTPUT ACCEPT + fi + done + eend $? +} + +reload() { + ebegin "Flushing firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + done; + eend $? + start +} + diff --git a/testing/tests/default-keys/hosts/moon/etc/ipsec.conf b/testing/tests/default-keys/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..eeeec645b --- /dev/null +++ b/testing/tests/default-keys/hosts/moon/etc/ipsec.conf @@ -0,0 +1,27 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=0 + strictcrlpolicy=no + nocrsend=yes + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn carol + left=192.168.0.1 + leftnexthop=%direct + leftcert=selfCert.der + leftsendcert=never + leftfirewall=yes + leftsubnet=10.1.0.0/16 + right=%any + rightcert=peerCert.der + auto=add + diff --git a/testing/tests/default-keys/posttest.dat b/testing/tests/default-keys/posttest.dat new file mode 100644 index 000000000..52b48b9ef --- /dev/null +++ b/testing/tests/default-keys/posttest.dat @@ -0,0 +1,10 @@ +moon::iptables -v -n -L +carol::iptables -v -n -L +moon::ipsec stop +carol::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +carol::rm /etc/ipsec.d/private/* +carol::rm /etc/ipsec.d/certs/* +moon::rm /etc/ipsec.d/private/* +moon::rm /etc/ipsec.d/certs/* diff --git a/testing/tests/default-keys/pretest.dat b/testing/tests/default-keys/pretest.dat new file mode 100644 index 000000000..54f70cbe9 --- /dev/null +++ b/testing/tests/default-keys/pretest.dat @@ -0,0 +1,18 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +carol::rm /etc/ipsec.secrets +carol::rm /etc/ipsec.d/private/* +carol::rm /etc/ipsec.d/certs/* +carol::rm /etc/ipsec.d/cacerts/* +carol::ipsec start +moon::rm /etc/ipsec.secrets +moon::rm /etc/ipsec.d/private/* +moon::rm /etc/ipsec.d/certs/* +moon::rm /etc/ipsec.d/cacerts/* +moon::ipsec start +moon::sleep 4 +moon::scp /etc/ipsec.d/certs/selfCert.der carol:/etc/ipsec.d/certs/peerCert.der +moon::scp carol:/etc/ipsec.d/certs/selfCert.der /etc/ipsec.d/certs/peerCert.der +moon::ipsec reload +carol::ipsec reload +carol::ipsec up home diff --git a/testing/tests/default-keys/test.conf b/testing/tests/default-keys/test.conf new file mode 100644 index 000000000..0baa48d90 --- /dev/null +++ b/testing/tests/default-keys/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol" + +# Corresponding block diagram +# +DIAGRAM="a-m-c.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/double-nat-net/description.txt b/testing/tests/double-nat-net/description.txt new file mode 100644 index 000000000..ff09155f6 --- /dev/null +++ b/testing/tests/double-nat-net/description.txt @@ -0,0 +1,7 @@ +The roadwarrior <b>alice</b> sitting behind the NAT router <b>moon</b> sets up a +tunnel to the subnet hiding behind the NAT router <b>sun</b>. All IKE and ESP traffic +directed to the router <b>sun</b> is forwarded to the VPN gateway <b>bob</b> +using destination NAT. UDP encapsulation is used to traverse the NAT routers. +<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that +let pass the tunneled traffic. In order to test the double NAT-ed IPsec +tunnel <b>alice</b> pings the inner IP address of the router <b>sun</b>. diff --git a/testing/tests/double-nat-net/evaltest.dat b/testing/tests/double-nat-net/evaltest.dat new file mode 100644 index 000000000..41eba6501 --- /dev/null +++ b/testing/tests/double-nat-net/evaltest.dat @@ -0,0 +1,5 @@ +alice::ipsec status::nat-t.*STATE_QUICK_I2.*IPsec SA established::YES +bob::ipsec status::nat-t.*STATE_QUICK_R2.*IPsec SA established::YES +alice::ping -c 1 PH_IP1_SUN::64 bytes from PH_IP1_SUN: icmp_seq=1::YES +moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP::YES +moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP::YES diff --git a/testing/tests/double-nat-net/hosts/alice/etc/ipsec.conf b/testing/tests/double-nat-net/hosts/alice/etc/ipsec.conf new file mode 100755 index 000000000..395e62e7c --- /dev/null +++ b/testing/tests/double-nat-net/hosts/alice/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + nat_traversal=yes + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn nat-t + left=%defaultroute + leftcert=aliceCert.pem + leftid=alice@strongswan.org + leftfirewall=yes + right=PH_IP_SUN + rightid=bob@strongswan.org + rightsubnet=10.2.0.0/16 + auto=add diff --git a/testing/tests/double-nat-net/hosts/bob/etc/ipsec.conf b/testing/tests/double-nat-net/hosts/bob/etc/ipsec.conf new file mode 100755 index 000000000..6927a5ce4 --- /dev/null +++ b/testing/tests/double-nat-net/hosts/bob/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + nat_traversal=yes + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn nat-t + left=%defaultroute + leftsubnet=10.2.0.0/16 + leftcert=bobCert.pem + leftid=bob@strongswan.org + leftfirewall=yes + right=%any + rightsubnetwithin=10.1.0.0/16 + auto=add diff --git a/testing/tests/double-nat-net/posttest.dat b/testing/tests/double-nat-net/posttest.dat new file mode 100644 index 000000000..0eb2c0d6c --- /dev/null +++ b/testing/tests/double-nat-net/posttest.dat @@ -0,0 +1,9 @@ +alice::iptables -v -n -L +bob::iptables -v -n -L +bob::ipsec stop +alice::ipsec stop +alice::/etc/init.d/iptables stop 2> /dev/null +bob::/etc/init.d/iptables stop 2> /dev/null +moon::iptables -t nat -F +sun::iptables -t nat -F +sun::ip route del 10.1.0.0/16 via PH_IP_BOB diff --git a/testing/tests/double-nat-net/pretest.dat b/testing/tests/double-nat-net/pretest.dat new file mode 100644 index 000000000..84bc15092 --- /dev/null +++ b/testing/tests/double-nat-net/pretest.dat @@ -0,0 +1,15 @@ +alice::/etc/init.d/iptables start 2> /dev/null +bob::/etc/init.d/iptables start 2> /dev/null +bob::echo 1 > /proc/sys/net/ipv4/ip_forward +moon::echo 1 > /proc/sys/net/ipv4/ip_forward +sun::echo 1 > /proc/sys/net/ipv4/ip_forward +moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100 +moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100 +sun::iptables -t nat -A POSTROUTING -o eth0 -s 10.2.0.0/16 -p tcp -j SNAT --to-source PH_IP_SUN:2000-2100 +sun::iptables -t nat -A PREROUTING -i eth0 -s PH_IP_MOON -p udp -j DNAT --to-destination PH_IP_BOB +sun::ip route add 10.1.0.0/16 via PH_IP_BOB +alice::ipsec start +bob::ipsec start +alice::sleep 2 +alice::ipsec up nat-t + diff --git a/testing/tests/double-nat-net/test.conf b/testing/tests/double-nat-net/test.conf new file mode 100644 index 000000000..1ca2ffe5a --- /dev/null +++ b/testing/tests/double-nat-net/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="alice bob" diff --git a/testing/tests/double-nat/description.txt b/testing/tests/double-nat/description.txt new file mode 100644 index 000000000..ce7de0e56 --- /dev/null +++ b/testing/tests/double-nat/description.txt @@ -0,0 +1,5 @@ +The roadwarrior <b>alice</b> sitting behind the NAT router <b>moon</b> sets up a tunnel to +the peer <b>bob</b> hiding behind the NAT router <b>sun</b>. UDP encapsulation is used to +traverse the NAT routers. <b>leftfirewall=yes</b> automatically inserts iptables-based +firewall rules that let pass the tunneled traffic. In order to test the double NAT-ed IPsec +tunnel <b>alice</b> pings <b>bob</b>. diff --git a/testing/tests/double-nat/evaltest.dat b/testing/tests/double-nat/evaltest.dat new file mode 100644 index 000000000..05e751422 --- /dev/null +++ b/testing/tests/double-nat/evaltest.dat @@ -0,0 +1,5 @@ +alice::ipsec status::nat-t.*STATE_QUICK_I2.*IPsec SA established::YES +bob::ipsec status::nat-t.*STATE_QUICK_R2.*IPsec SA established::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES +moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP::YES +moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP::YES diff --git a/testing/tests/double-nat/hosts/alice/etc/ipsec.conf b/testing/tests/double-nat/hosts/alice/etc/ipsec.conf new file mode 100755 index 000000000..5b3cddb63 --- /dev/null +++ b/testing/tests/double-nat/hosts/alice/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + nat_traversal=yes + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn nat-t + left=%defaultroute + leftcert=aliceCert.pem + leftid=alice@strongswan.org + leftfirewall=yes + right=PH_IP_SUN + rightid=bob@strongswan.org + rightsubnet=PH_IP_BOB/32 + auto=add diff --git a/testing/tests/double-nat/posttest.dat b/testing/tests/double-nat/posttest.dat new file mode 100644 index 000000000..07f22d07d --- /dev/null +++ b/testing/tests/double-nat/posttest.dat @@ -0,0 +1,8 @@ +alice::iptables -v -n -L +bob::iptables -v -n -L +bob::ipsec stop +alice::ipsec stop +alice::/etc/init.d/iptables stop 2> /dev/null +bob::/etc/init.d/iptables stop 2> /dev/null +moon::iptables -t nat -F +sun::iptables -t nat -F diff --git a/testing/tests/double-nat/pretest.dat b/testing/tests/double-nat/pretest.dat new file mode 100644 index 000000000..cf495b778 --- /dev/null +++ b/testing/tests/double-nat/pretest.dat @@ -0,0 +1,13 @@ +alice::/etc/init.d/iptables start 2> /dev/null +bob::/etc/init.d/iptables start 2> /dev/null +moon::echo 1 > /proc/sys/net/ipv4/ip_forward +sun::echo 1 > /proc/sys/net/ipv4/ip_forward +moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100 +moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100 +sun::iptables -t nat -A POSTROUTING -o eth0 -s 10.2.0.0/16 -p tcp -j SNAT --to-source PH_IP_SUN:2000-2100 +sun::iptables -t nat -A PREROUTING -i eth0 -s PH_IP_MOON -p udp -j DNAT --to-destination PH_IP_BOB +alice::ipsec start +bob::ipsec start +alice::sleep 2 +alice::ipsec up nat-t + diff --git a/testing/tests/double-nat/test.conf b/testing/tests/double-nat/test.conf new file mode 100644 index 000000000..1ca2ffe5a --- /dev/null +++ b/testing/tests/double-nat/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="alice bob" diff --git a/testing/tests/dpd-clear/description.txt b/testing/tests/dpd-clear/description.txt new file mode 100644 index 000000000..f76b2d741 --- /dev/null +++ b/testing/tests/dpd-clear/description.txt @@ -0,0 +1,5 @@ +The roadwarrior <b>carol</b> sets up an IPsec tunnel connection to the gateway <b>moon</b> +which in turn activates <b>Dead Peer Detection</b> (DPD) with a polling interval of 10 s. +When the network connectivity between <b>carol</b> and <b>moon</b> is forcefully disrupted, +<b>moon</b> clears the connection after the configured timeout of 30 s. + diff --git a/testing/tests/dpd-clear/evaltest.dat b/testing/tests/dpd-clear/evaltest.dat new file mode 100644 index 000000000..98d5b146b --- /dev/null +++ b/testing/tests/dpd-clear/evaltest.dat @@ -0,0 +1,7 @@ +carol::ipsec status::STATE_MAIN_I4 (ISAKMP SA established)::YES +carol::iptables -A INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO +moon::sleep 50::no output expected::NO +moon::cat /var/log/auth.log::inserting event EVENT_DPD::YES +moon::cat /var/log/auth.log::DPD: No response from peer - declaring peer dead::YES +moon::cat /var/log/auth.log::DPD: Terminating all SAs using this connection::YES +moon::cat /var/log/auth.log::DPD: Clearing connection::YES diff --git a/testing/tests/dpd-clear/hosts/moon/etc/ipsec.conf b/testing/tests/dpd-clear/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..cac521c8f --- /dev/null +++ b/testing/tests/dpd-clear/hosts/moon/etc/ipsec.conf @@ -0,0 +1,30 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + leftnexthop=%direct + dpdaction=clear + dpddelay=10 + dpdtimeout=30 + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + right=%any + rightid=carol@strongswan.org + auto=add + + + diff --git a/testing/tests/dpd-clear/posttest.dat b/testing/tests/dpd-clear/posttest.dat new file mode 100644 index 000000000..931db4272 --- /dev/null +++ b/testing/tests/dpd-clear/posttest.dat @@ -0,0 +1,3 @@ +carol::iptables -D INPUT -i eth0 -s PH_IP_MOON -j DROP +moon::ipsec stop +carol::ipsec stop diff --git a/testing/tests/dpd-clear/pretest.dat b/testing/tests/dpd-clear/pretest.dat new file mode 100644 index 000000000..14ed95322 --- /dev/null +++ b/testing/tests/dpd-clear/pretest.dat @@ -0,0 +1,4 @@ +moon::ipsec start +carol::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/dpd-clear/test.conf b/testing/tests/dpd-clear/test.conf new file mode 100644 index 000000000..2b240d895 --- /dev/null +++ b/testing/tests/dpd-clear/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/esp-ah-transport/description.txt b/testing/tests/esp-ah-transport/description.txt new file mode 100644 index 000000000..c7918fa38 --- /dev/null +++ b/testing/tests/esp-ah-transport/description.txt @@ -0,0 +1,5 @@ +In IKE phase 2 the roadwarrior <b>carol</b> proposes to gateway <b>moon</b> +the ESP AES 128 bit encryption algorithm combined with AH SHA-1 authentication. +In order to accept the AH and ESP encapsulated plaintext packets, the iptables firewall +marks all incoming AH packets with the ESP mark. The transport mode connection is +tested by <b>carol</b> sending a ping to gateway <b>moon</b>. diff --git a/testing/tests/esp-ah-transport/evaltest.dat b/testing/tests/esp-ah-transport/evaltest.dat new file mode 100644 index 000000000..7c498ad83 --- /dev/null +++ b/testing/tests/esp-ah-transport/evaltest.dat @@ -0,0 +1,8 @@ +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +carol::ipsec statusall::ESP algorithm newest: AES_128-;::YES +moon::ipsec statusall::ESP algorithm newest: AES_128-;::YES +carol::ping -c 1 -s 120 -p deadbeef PH_IP_MOON::128 bytes from PH_IP_MOON: icmp_seq=1::YES +carol::ipsec status::ah\..*ah\..*esp\..*ago.*esp\..*ago.*transport::YES +moon::ipsec status::ah\..*ah\..*esp\..*ago.*esp\..*ago.*transport::YES +moon::tcpdump::AH.*ESP::YES diff --git a/testing/tests/esp-ah-transport/hosts/carol/etc/init.d/iptables b/testing/tests/esp-ah-transport/hosts/carol/etc/init.d/iptables new file mode 100755 index 000000000..8c8817539 --- /dev/null +++ b/testing/tests/esp-ah-transport/hosts/carol/etc/init.d/iptables @@ -0,0 +1,73 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +opts="start stop reload" + +depend() { + before net + need logger +} + +start() { + ebegin "Starting firewall" + + # default policy is DROP + /sbin/iptables -P INPUT DROP + /sbin/iptables -P OUTPUT DROP + /sbin/iptables -P FORWARD DROP + + # allow AH + iptables -A INPUT -i eth0 -p 51 -j ACCEPT + iptables -A OUTPUT -o eth0 -p 51 -j ACCEPT + + # allow IKE + iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT + iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + + # allow crl fetch from winnetou + iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT + iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + + # allow ssh + iptables -A INPUT -p tcp --dport 22 -j ACCEPT + iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT + + eend $? +} + +stop() { + ebegin "Stopping firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + + if [ $a == nat ]; then + /sbin/iptables -t nat -P PREROUTING ACCEPT + /sbin/iptables -t nat -P POSTROUTING ACCEPT + /sbin/iptables -t nat -P OUTPUT ACCEPT + elif [ $a == mangle ]; then + /sbin/iptables -t mangle -P PREROUTING ACCEPT + /sbin/iptables -t mangle -P INPUT ACCEPT + /sbin/iptables -t mangle -P FORWARD ACCEPT + /sbin/iptables -t mangle -P OUTPUT ACCEPT + /sbin/iptables -t mangle -P POSTROUTING ACCEPT + elif [ $a == filter ]; then + /sbin/iptables -t filter -P INPUT ACCEPT + /sbin/iptables -t filter -P FORWARD ACCEPT + /sbin/iptables -t filter -P OUTPUT ACCEPT + fi + done + eend $? +} + +reload() { + ebegin "Flushing firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + done; + eend $? + start +} + diff --git a/testing/tests/esp-ah-transport/hosts/carol/etc/ipsec.conf b/testing/tests/esp-ah-transport/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..13ab3e07f --- /dev/null +++ b/testing/tests/esp-ah-transport/hosts/carol/etc/ipsec.conf @@ -0,0 +1,28 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + auth=ah + ike=aes128-sha + esp=aes128-sha1 + +conn home + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + type=transport + auto=add diff --git a/testing/tests/esp-ah-transport/hosts/moon/etc/init.d/iptables b/testing/tests/esp-ah-transport/hosts/moon/etc/init.d/iptables new file mode 100755 index 000000000..3e8922581 --- /dev/null +++ b/testing/tests/esp-ah-transport/hosts/moon/etc/init.d/iptables @@ -0,0 +1,76 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +opts="start stop reload" + +depend() { + before net + need logger +} + +start() { + ebegin "Starting firewall" + + # enable IP forwarding + echo 1 > /proc/sys/net/ipv4/ip_forward + + # default policy is DROP + /sbin/iptables -P INPUT DROP + /sbin/iptables -P OUTPUT DROP + /sbin/iptables -P FORWARD DROP + + # allow AH + iptables -A INPUT -i eth0 -p 51 -j ACCEPT + iptables -A OUTPUT -o eth0 -p 51 -j ACCEPT + + # allow IKE + iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT + iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + + # allow crl fetch from winnetou + iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT + iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + + # allow ssh + iptables -A INPUT -p tcp --dport 22 -j ACCEPT + iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT + + eend $? +} + +stop() { + ebegin "Stopping firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + + if [ $a == nat ]; then + /sbin/iptables -t nat -P PREROUTING ACCEPT + /sbin/iptables -t nat -P POSTROUTING ACCEPT + /sbin/iptables -t nat -P OUTPUT ACCEPT + elif [ $a == mangle ]; then + /sbin/iptables -t mangle -P PREROUTING ACCEPT + /sbin/iptables -t mangle -P INPUT ACCEPT + /sbin/iptables -t mangle -P FORWARD ACCEPT + /sbin/iptables -t mangle -P OUTPUT ACCEPT + /sbin/iptables -t mangle -P POSTROUTING ACCEPT + elif [ $a == filter ]; then + /sbin/iptables -t filter -P INPUT ACCEPT + /sbin/iptables -t filter -P FORWARD ACCEPT + /sbin/iptables -t filter -P OUTPUT ACCEPT + fi + done + eend $? +} + +reload() { + ebegin "Flushing firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + done; + eend $? + start +} + diff --git a/testing/tests/esp-ah-transport/hosts/moon/etc/ipsec.conf b/testing/tests/esp-ah-transport/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..809f3c74b --- /dev/null +++ b/testing/tests/esp-ah-transport/hosts/moon/etc/ipsec.conf @@ -0,0 +1,28 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + leftnexthop=%direct + auth=ah + ike=aes128-sha + esp=aes128-sha1 + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftfirewall=yes + right=%any + rightid=carol@strongswan.org + type=transport + auto=add diff --git a/testing/tests/esp-ah-transport/posttest.dat b/testing/tests/esp-ah-transport/posttest.dat new file mode 100644 index 000000000..26848212b --- /dev/null +++ b/testing/tests/esp-ah-transport/posttest.dat @@ -0,0 +1,6 @@ +moon::iptables -v -n -L +carol::iptables -v -n -L +moon::ipsec stop +carol::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/esp-ah-transport/pretest.dat b/testing/tests/esp-ah-transport/pretest.dat new file mode 100644 index 000000000..bd68efb0b --- /dev/null +++ b/testing/tests/esp-ah-transport/pretest.dat @@ -0,0 +1,6 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +carol::ipsec start +moon::ipsec start +sleep 2 +carol::ipsec up home diff --git a/testing/tests/esp-ah-transport/test.conf b/testing/tests/esp-ah-transport/test.conf new file mode 100644 index 000000000..fd33cfb57 --- /dev/null +++ b/testing/tests/esp-ah-transport/test.conf @@ -0,0 +1,22 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" + diff --git a/testing/tests/esp-ah-tunnel/description.txt b/testing/tests/esp-ah-tunnel/description.txt new file mode 100644 index 000000000..809f28c57 --- /dev/null +++ b/testing/tests/esp-ah-tunnel/description.txt @@ -0,0 +1,6 @@ +In IKE phase 2 the roadwarrior <b>carol</b> proposes to gateway <b>moon</b> +the ESP AES 128 bit encryption algorithm combined with AH SHA-1 authentication. +In order to accept the AH and ESP encapsulated plaintext packets, the iptables firewall +marks all incoming AH packets with the ESP mark. The tunnel mode connection is +tested by <b>carol</b> sending a ping to client <b>alice</b> hiding behind +gateway <b>moon</b>. diff --git a/testing/tests/esp-ah-tunnel/evaltest.dat b/testing/tests/esp-ah-tunnel/evaltest.dat new file mode 100644 index 000000000..8f4a99641 --- /dev/null +++ b/testing/tests/esp-ah-tunnel/evaltest.dat @@ -0,0 +1,8 @@ +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +carol::ipsec statusall::ESP algorithm newest: AES_128-;::YES +moon::ipsec statusall::ESP algorithm newest: AES_128-;::YES +carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES +carol::ipsec status::ah\..*ah\..*esp\..*ago.*esp\..*ago.*tunnel::YES +moon::ipsec status::ah\..*ah\..*esp\..*ago.*esp\..*ago.*tunnel::YES +moon::tcpdump::AH.*ESP::YES diff --git a/testing/tests/esp-ah-tunnel/hosts/carol/etc/init.d/iptables b/testing/tests/esp-ah-tunnel/hosts/carol/etc/init.d/iptables new file mode 100755 index 000000000..8c8817539 --- /dev/null +++ b/testing/tests/esp-ah-tunnel/hosts/carol/etc/init.d/iptables @@ -0,0 +1,73 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +opts="start stop reload" + +depend() { + before net + need logger +} + +start() { + ebegin "Starting firewall" + + # default policy is DROP + /sbin/iptables -P INPUT DROP + /sbin/iptables -P OUTPUT DROP + /sbin/iptables -P FORWARD DROP + + # allow AH + iptables -A INPUT -i eth0 -p 51 -j ACCEPT + iptables -A OUTPUT -o eth0 -p 51 -j ACCEPT + + # allow IKE + iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT + iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + + # allow crl fetch from winnetou + iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT + iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + + # allow ssh + iptables -A INPUT -p tcp --dport 22 -j ACCEPT + iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT + + eend $? +} + +stop() { + ebegin "Stopping firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + + if [ $a == nat ]; then + /sbin/iptables -t nat -P PREROUTING ACCEPT + /sbin/iptables -t nat -P POSTROUTING ACCEPT + /sbin/iptables -t nat -P OUTPUT ACCEPT + elif [ $a == mangle ]; then + /sbin/iptables -t mangle -P PREROUTING ACCEPT + /sbin/iptables -t mangle -P INPUT ACCEPT + /sbin/iptables -t mangle -P FORWARD ACCEPT + /sbin/iptables -t mangle -P OUTPUT ACCEPT + /sbin/iptables -t mangle -P POSTROUTING ACCEPT + elif [ $a == filter ]; then + /sbin/iptables -t filter -P INPUT ACCEPT + /sbin/iptables -t filter -P FORWARD ACCEPT + /sbin/iptables -t filter -P OUTPUT ACCEPT + fi + done + eend $? +} + +reload() { + ebegin "Flushing firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + done; + eend $? + start +} + diff --git a/testing/tests/esp-ah-tunnel/hosts/carol/etc/ipsec.conf b/testing/tests/esp-ah-tunnel/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..98cdaab7a --- /dev/null +++ b/testing/tests/esp-ah-tunnel/hosts/carol/etc/ipsec.conf @@ -0,0 +1,28 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + auth=ah + ike=aes128-sha + esp=aes128-sha1 + +conn home + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/esp-ah-tunnel/hosts/moon/etc/init.d/iptables b/testing/tests/esp-ah-tunnel/hosts/moon/etc/init.d/iptables new file mode 100755 index 000000000..3e8922581 --- /dev/null +++ b/testing/tests/esp-ah-tunnel/hosts/moon/etc/init.d/iptables @@ -0,0 +1,76 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +opts="start stop reload" + +depend() { + before net + need logger +} + +start() { + ebegin "Starting firewall" + + # enable IP forwarding + echo 1 > /proc/sys/net/ipv4/ip_forward + + # default policy is DROP + /sbin/iptables -P INPUT DROP + /sbin/iptables -P OUTPUT DROP + /sbin/iptables -P FORWARD DROP + + # allow AH + iptables -A INPUT -i eth0 -p 51 -j ACCEPT + iptables -A OUTPUT -o eth0 -p 51 -j ACCEPT + + # allow IKE + iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT + iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + + # allow crl fetch from winnetou + iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT + iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + + # allow ssh + iptables -A INPUT -p tcp --dport 22 -j ACCEPT + iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT + + eend $? +} + +stop() { + ebegin "Stopping firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + + if [ $a == nat ]; then + /sbin/iptables -t nat -P PREROUTING ACCEPT + /sbin/iptables -t nat -P POSTROUTING ACCEPT + /sbin/iptables -t nat -P OUTPUT ACCEPT + elif [ $a == mangle ]; then + /sbin/iptables -t mangle -P PREROUTING ACCEPT + /sbin/iptables -t mangle -P INPUT ACCEPT + /sbin/iptables -t mangle -P FORWARD ACCEPT + /sbin/iptables -t mangle -P OUTPUT ACCEPT + /sbin/iptables -t mangle -P POSTROUTING ACCEPT + elif [ $a == filter ]; then + /sbin/iptables -t filter -P INPUT ACCEPT + /sbin/iptables -t filter -P FORWARD ACCEPT + /sbin/iptables -t filter -P OUTPUT ACCEPT + fi + done + eend $? +} + +reload() { + ebegin "Flushing firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + done; + eend $? + start +} + diff --git a/testing/tests/esp-ah-tunnel/hosts/moon/etc/ipsec.conf b/testing/tests/esp-ah-tunnel/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..7f976376d --- /dev/null +++ b/testing/tests/esp-ah-tunnel/hosts/moon/etc/ipsec.conf @@ -0,0 +1,28 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + leftnexthop=%direct + auth=ah + ike=aes128-sha + esp=aes128-sha1 + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + leftfirewall=yes + right=%any + rightid=carol@strongswan.org + auto=add diff --git a/testing/tests/esp-ah-tunnel/posttest.dat b/testing/tests/esp-ah-tunnel/posttest.dat new file mode 100644 index 000000000..26848212b --- /dev/null +++ b/testing/tests/esp-ah-tunnel/posttest.dat @@ -0,0 +1,6 @@ +moon::iptables -v -n -L +carol::iptables -v -n -L +moon::ipsec stop +carol::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/esp-ah-tunnel/pretest.dat b/testing/tests/esp-ah-tunnel/pretest.dat new file mode 100644 index 000000000..bd68efb0b --- /dev/null +++ b/testing/tests/esp-ah-tunnel/pretest.dat @@ -0,0 +1,6 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +carol::ipsec start +moon::ipsec start +sleep 2 +carol::ipsec up home diff --git a/testing/tests/esp-ah-tunnel/test.conf b/testing/tests/esp-ah-tunnel/test.conf new file mode 100644 index 000000000..fd33cfb57 --- /dev/null +++ b/testing/tests/esp-ah-tunnel/test.conf @@ -0,0 +1,22 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" + diff --git a/testing/tests/esp-alg-des/description.txt b/testing/tests/esp-alg-des/description.txt new file mode 100644 index 000000000..9546569dd --- /dev/null +++ b/testing/tests/esp-alg-des/description.txt @@ -0,0 +1,5 @@ +In IKE phase 2 the roadwarrior <b>carol</b> proposes to gateway <b>moon</b> +the ESP 1DES encryption algorithm with MD5 authentication. <b>moon</b> must +explicitly accept the choice of this insecure algorithm by setting the strict +flag '!' in <b>esp=des-md5!</b>. The tunnel is tested by <b>carol</b> +sending a ping to client <b>alice</b> behind gateway <b>moon</b>. diff --git a/testing/tests/esp-alg-des/evaltest.dat b/testing/tests/esp-alg-des/evaltest.dat new file mode 100644 index 000000000..8e06392f1 --- /dev/null +++ b/testing/tests/esp-alg-des/evaltest.dat @@ -0,0 +1,6 @@ +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +moon::ipsec statusall::ESP algorithm newest: DES_0-HMAC_MD5::YES +carol::ipsec statusall::ESP algorithm newest: DES_0-HMAC_MD5::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES + diff --git a/testing/tests/esp-alg-des/hosts/carol/etc/ipsec.conf b/testing/tests/esp-alg-des/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..b4f067b6d --- /dev/null +++ b/testing/tests/esp-alg-des/hosts/carol/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug="control crypt" + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + ike=3des-md5-modp1024! + esp=des-md5! +conn home + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolCert.pem + leftid=carol@strongswan.org + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/esp-alg-des/hosts/moon/etc/ipsec.conf b/testing/tests/esp-alg-des/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..9513f810d --- /dev/null +++ b/testing/tests/esp-alg-des/hosts/moon/etc/ipsec.conf @@ -0,0 +1,26 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug="control crypt" + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + leftnexthop=%direct + ike=3des-md5-modp1024! + esp=des-md5! + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + right=%any + rightid=carol@strongswan.org + auto=add diff --git a/testing/tests/esp-alg-des/posttest.dat b/testing/tests/esp-alg-des/posttest.dat new file mode 100644 index 000000000..c6d6235f9 --- /dev/null +++ b/testing/tests/esp-alg-des/posttest.dat @@ -0,0 +1,2 @@ +moon::ipsec stop +carol::ipsec stop diff --git a/testing/tests/esp-alg-des/pretest.dat b/testing/tests/esp-alg-des/pretest.dat new file mode 100644 index 000000000..7d077c126 --- /dev/null +++ b/testing/tests/esp-alg-des/pretest.dat @@ -0,0 +1,5 @@ +moon::echo 1 > /proc/sys/net/ipv4/ip_forward +carol::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/esp-alg-des/test.conf b/testing/tests/esp-alg-des/test.conf new file mode 100644 index 000000000..a6c8f026c --- /dev/null +++ b/testing/tests/esp-alg-des/test.conf @@ -0,0 +1,22 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" + diff --git a/testing/tests/esp-alg-null/description.txt b/testing/tests/esp-alg-null/description.txt new file mode 100644 index 000000000..7880a799c --- /dev/null +++ b/testing/tests/esp-alg-null/description.txt @@ -0,0 +1,5 @@ +In IKE phase 2 the roadwarrior <b>carol</b> proposes to gateway <b>moon</b> +the ESP NULL encryption algorithm with SHA-1 authentication. <b>moon</b> must +explicitly accept the choice of this insecure algorithm by setting the strict +flag '!' in <b>esp=null-sha1!</b>. The tunnel is tested by <b>carol</b> +sending a ping to client <b>alice</b> behind gateway <b>moon</b>. diff --git a/testing/tests/esp-alg-null/evaltest.dat b/testing/tests/esp-alg-null/evaltest.dat new file mode 100644 index 000000000..de2f2a571 --- /dev/null +++ b/testing/tests/esp-alg-null/evaltest.dat @@ -0,0 +1,5 @@ +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +moon::ipsec statusall::ESP algorithm newest::NULL_0-HMAC_SHA1::YES +carol::ipsec statusall::ESP algorithm newest::NULL_0-HMAC_SHA1::YES +carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES diff --git a/testing/tests/esp-alg-null/hosts/carol/etc/ipsec.conf b/testing/tests/esp-alg-null/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..b732eba93 --- /dev/null +++ b/testing/tests/esp-alg-null/hosts/carol/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + ike=aes-128-sha + esp=null-sha1! +conn home + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolCert.pem + leftid=carol@strongswan.org + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/esp-alg-null/hosts/moon/etc/ipsec.conf b/testing/tests/esp-alg-null/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..af11591a1 --- /dev/null +++ b/testing/tests/esp-alg-null/hosts/moon/etc/ipsec.conf @@ -0,0 +1,26 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + leftnexthop=%direct + ike=aes128-sha! + esp=null-sha1! + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + right=%any + rightid=carol@strongswan.org + auto=add diff --git a/testing/tests/esp-alg-null/posttest.dat b/testing/tests/esp-alg-null/posttest.dat new file mode 100644 index 000000000..c6d6235f9 --- /dev/null +++ b/testing/tests/esp-alg-null/posttest.dat @@ -0,0 +1,2 @@ +moon::ipsec stop +carol::ipsec stop diff --git a/testing/tests/esp-alg-null/pretest.dat b/testing/tests/esp-alg-null/pretest.dat new file mode 100644 index 000000000..f5aa989fe --- /dev/null +++ b/testing/tests/esp-alg-null/pretest.dat @@ -0,0 +1,4 @@ +carol::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/esp-alg-null/test.conf b/testing/tests/esp-alg-null/test.conf new file mode 100644 index 000000000..a6c8f026c --- /dev/null +++ b/testing/tests/esp-alg-null/test.conf @@ -0,0 +1,22 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" + diff --git a/testing/tests/esp-alg-strict-fail/description.txt b/testing/tests/esp-alg-strict-fail/description.txt new file mode 100644 index 000000000..03c655480 --- /dev/null +++ b/testing/tests/esp-alg-strict-fail/description.txt @@ -0,0 +1,5 @@ +The roadwarrior <b>carol</b> proposes <b>3DES</b> encryption with SHA-1 authentication +as the only cipher suite for both the ISAKMP and IPsec SA. The gateway <b>moon</b> defines +<b>ike=aes-128-sha</b> only, but will accept any other support algorithm proposed by the peer, +leading to a successful negotiation of Phase 1. Because for Phase 2 <b>moon</b> enforces +<b>esp=aes-128-sha1!</b> by using the strict flag '!', the ISAKMP SA will fail. diff --git a/testing/tests/esp-alg-strict-fail/evaltest.dat b/testing/tests/esp-alg-strict-fail/evaltest.dat new file mode 100644 index 000000000..6f2024ff9 --- /dev/null +++ b/testing/tests/esp-alg-strict-fail/evaltest.dat @@ -0,0 +1,9 @@ +carol::ipsec status::home.*STATE_MAIN_I4.*ISAKMP SA established::YES +carol::ipsec statusall::IKE algorithm newest: 3DES_CBC_192-SHA::YES +moon::ipsec status::rw.*STATE_MAIN_R3.*ISAKMP SA established::YES +moon::ipsec statusall::IKE algorithm newest: 3DES_CBC_192-SHA::YES +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::NO +carol::cat /var/log/auth.log::NO_PROPOSAL_CHOSEN::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*ISAKMP SA established::NO +moon::cat /var/log/auth.log::IPSec Transform.*ESP_3DES (192), AUTH_ALGORITHM_HMAC_SHA1.*refused due to strict flag::YES +moon::cat /var/log/auth.log::no acceptable Proposal in IPsec SA::YES diff --git a/testing/tests/esp-alg-strict-fail/hosts/carol/etc/ipsec.conf b/testing/tests/esp-alg-strict-fail/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..ae8d2b772 --- /dev/null +++ b/testing/tests/esp-alg-strict-fail/hosts/carol/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + ike=3des-sha + esp=3des-sha1 +conn home + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolCert.pem + leftid=carol@strongswan.org + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/esp-alg-strict-fail/hosts/moon/etc/ipsec.conf b/testing/tests/esp-alg-strict-fail/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..2dd1c763a --- /dev/null +++ b/testing/tests/esp-alg-strict-fail/hosts/moon/etc/ipsec.conf @@ -0,0 +1,26 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + leftnexthop=%direct + ike=aes128-sha + esp=aes128-sha1! + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + right=%any + rightid=carol@strongswan.org + auto=add diff --git a/testing/tests/esp-alg-strict-fail/posttest.dat b/testing/tests/esp-alg-strict-fail/posttest.dat new file mode 100644 index 000000000..c6d6235f9 --- /dev/null +++ b/testing/tests/esp-alg-strict-fail/posttest.dat @@ -0,0 +1,2 @@ +moon::ipsec stop +carol::ipsec stop diff --git a/testing/tests/esp-alg-strict-fail/pretest.dat b/testing/tests/esp-alg-strict-fail/pretest.dat new file mode 100644 index 000000000..f5aa989fe --- /dev/null +++ b/testing/tests/esp-alg-strict-fail/pretest.dat @@ -0,0 +1,4 @@ +carol::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/esp-alg-strict-fail/test.conf b/testing/tests/esp-alg-strict-fail/test.conf new file mode 100644 index 000000000..2b240d895 --- /dev/null +++ b/testing/tests/esp-alg-strict-fail/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/esp-alg-strict/description.txt b/testing/tests/esp-alg-strict/description.txt new file mode 100644 index 000000000..b4fc08253 --- /dev/null +++ b/testing/tests/esp-alg-strict/description.txt @@ -0,0 +1,7 @@ +Roadwarrior <b>carol</b> proposes <b>3DES</b> encryption (together with +SHA-1 authentication) in the first place and <b>AES-128</b> encryption in +second place for both the ISAKMP and IPsec SAs. Gateway <b>moon</b> defines +<b>ike=aes-128-sha</b> but will accept any other supported algorithm proposed +by the peer during Phase 1. But for ESP encryption <b>moon</b> enforces +<b>esp=aes-128-sha1!</b> by applying the strict flag '!'. + diff --git a/testing/tests/esp-alg-strict/evaltest.dat b/testing/tests/esp-alg-strict/evaltest.dat new file mode 100644 index 000000000..d5dd12d4e --- /dev/null +++ b/testing/tests/esp-alg-strict/evaltest.dat @@ -0,0 +1,7 @@ +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +moon::cat /var/log/auth.log::IPSec Transform.*ESP_3DES (192), AUTH_ALGORITHM_HMAC_SHA1.*refused due to strict flag::YES +moon::ipsec statusall::IKE algorithm newest: 3DES_CBC_192-SHA::YES +moon::ipsec statusall::ESP algorithm newest: AES_128-HMAC_SHA1::YES +carol::ipsec statusall::IKE algorithm newest: 3DES_CBC_192-SHA::YES +carol::ipsec statusall::ESP algorithm newest: AES_128-HMAC_SHA1::YES diff --git a/testing/tests/esp-alg-strict/hosts/carol/etc/ipsec.conf b/testing/tests/esp-alg-strict/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..5a14de070 --- /dev/null +++ b/testing/tests/esp-alg-strict/hosts/carol/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + ike=3des-sha,aes-128-sha + esp=3des-sha1,aes-128-sha1 +conn home + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolCert.pem + leftid=carol@strongswan.org + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/esp-alg-strict/hosts/moon/etc/ipsec.conf b/testing/tests/esp-alg-strict/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..2dd1c763a --- /dev/null +++ b/testing/tests/esp-alg-strict/hosts/moon/etc/ipsec.conf @@ -0,0 +1,26 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + leftnexthop=%direct + ike=aes128-sha + esp=aes128-sha1! + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + right=%any + rightid=carol@strongswan.org + auto=add diff --git a/testing/tests/esp-alg-strict/posttest.dat b/testing/tests/esp-alg-strict/posttest.dat new file mode 100644 index 000000000..c6d6235f9 --- /dev/null +++ b/testing/tests/esp-alg-strict/posttest.dat @@ -0,0 +1,2 @@ +moon::ipsec stop +carol::ipsec stop diff --git a/testing/tests/esp-alg-strict/pretest.dat b/testing/tests/esp-alg-strict/pretest.dat new file mode 100644 index 000000000..f5aa989fe --- /dev/null +++ b/testing/tests/esp-alg-strict/pretest.dat @@ -0,0 +1,4 @@ +carol::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/esp-alg-strict/test.conf b/testing/tests/esp-alg-strict/test.conf new file mode 100644 index 000000000..a6c8f026c --- /dev/null +++ b/testing/tests/esp-alg-strict/test.conf @@ -0,0 +1,22 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" + diff --git a/testing/tests/esp-alg-weak/description.txt b/testing/tests/esp-alg-weak/description.txt new file mode 100644 index 000000000..ffb6882f5 --- /dev/null +++ b/testing/tests/esp-alg-weak/description.txt @@ -0,0 +1,5 @@ +The roadwarrior <b>carol</b> proposes <b>1DES</b> encryption with MD5 authentication +as the only cipher suite for the IPsec SA. Because gateway <b>moon</b> does +not use an explicit <b>esp</b> statement any strong encryption algorithm will be +accepted but any weak key length will be rejected by default and thus the ISAKMP SA +is bound to fail. diff --git a/testing/tests/esp-alg-weak/evaltest.dat b/testing/tests/esp-alg-weak/evaltest.dat new file mode 100644 index 000000000..72b14e805 --- /dev/null +++ b/testing/tests/esp-alg-weak/evaltest.dat @@ -0,0 +1,5 @@ +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::NO +carol::cat /var/log/auth.log::NO_PROPOSAL_CHOSEN::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::NO +moon::cat /var/log/auth.log::IPSec Transform.*refused due to insecure key_len::YES +moon::cat /var/log/auth.log::no acceptable Proposal in IPsec SA::YES diff --git a/testing/tests/esp-alg-weak/hosts/carol/etc/ipsec.conf b/testing/tests/esp-alg-weak/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..b4f067b6d --- /dev/null +++ b/testing/tests/esp-alg-weak/hosts/carol/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug="control crypt" + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + ike=3des-md5-modp1024! + esp=des-md5! +conn home + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolCert.pem + leftid=carol@strongswan.org + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/esp-alg-weak/hosts/moon/etc/ipsec.conf b/testing/tests/esp-alg-weak/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..3f07213ae --- /dev/null +++ b/testing/tests/esp-alg-weak/hosts/moon/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug="control crypt" + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + leftnexthop=%direct + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + right=%any + rightid=carol@strongswan.org + auto=add diff --git a/testing/tests/esp-alg-weak/posttest.dat b/testing/tests/esp-alg-weak/posttest.dat new file mode 100644 index 000000000..c6d6235f9 --- /dev/null +++ b/testing/tests/esp-alg-weak/posttest.dat @@ -0,0 +1,2 @@ +moon::ipsec stop +carol::ipsec stop diff --git a/testing/tests/esp-alg-weak/pretest.dat b/testing/tests/esp-alg-weak/pretest.dat new file mode 100644 index 000000000..7d077c126 --- /dev/null +++ b/testing/tests/esp-alg-weak/pretest.dat @@ -0,0 +1,5 @@ +moon::echo 1 > /proc/sys/net/ipv4/ip_forward +carol::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/esp-alg-weak/test.conf b/testing/tests/esp-alg-weak/test.conf new file mode 100644 index 000000000..a6c8f026c --- /dev/null +++ b/testing/tests/esp-alg-weak/test.conf @@ -0,0 +1,22 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" + diff --git a/testing/tests/host2host-cert/description.txt b/testing/tests/host2host-cert/description.txt new file mode 100644 index 000000000..6be21bf8f --- /dev/null +++ b/testing/tests/host2host-cert/description.txt @@ -0,0 +1,4 @@ +A connection between the hosts <b>moon</b> and <b>sun</b> is successfully set up. +The authentication is based on X.509 certificates. <b>leftfirewall=yes</b> automatically +inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test the host-to-host tunnel <b>moon</b> pings <b>sun</b>. diff --git a/testing/tests/host2host-cert/evaltest.dat b/testing/tests/host2host-cert/evaltest.dat new file mode 100644 index 000000000..d19f970f2 --- /dev/null +++ b/testing/tests/host2host-cert/evaltest.dat @@ -0,0 +1,5 @@ +moon::ipsec status::host-host.*STATE_QUICK_I2.*IPsec SA established::YES +sun::ipsec status::host-host.*STATE_QUICK_R2.*IPsec SA established::YES +moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_seq=1::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/host2host-cert/posttest.dat b/testing/tests/host2host-cert/posttest.dat new file mode 100644 index 000000000..52979508d --- /dev/null +++ b/testing/tests/host2host-cert/posttest.dat @@ -0,0 +1,6 @@ +moon::iptables -v -n -L +sun::iptables -v -n -L +moon::ipsec stop +sun::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +sun::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/host2host-cert/pretest.dat b/testing/tests/host2host-cert/pretest.dat new file mode 100644 index 000000000..3536fd886 --- /dev/null +++ b/testing/tests/host2host-cert/pretest.dat @@ -0,0 +1,6 @@ +moon::/etc/init.d/iptables start 2> /dev/null +sun::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +sun::ipsec start +moon::sleep 2 +moon::ipsec up host-host diff --git a/testing/tests/host2host-cert/test.conf b/testing/tests/host2host-cert/test.conf new file mode 100644 index 000000000..cf2e704fd --- /dev/null +++ b/testing/tests/host2host-cert/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon winnetou sun" + +# Corresponding block diagram +# +DIAGRAM="m-w-s.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" diff --git a/testing/tests/host2host-swapped/description.txt b/testing/tests/host2host-swapped/description.txt new file mode 100644 index 000000000..34cfe43cc --- /dev/null +++ b/testing/tests/host2host-swapped/description.txt @@ -0,0 +1,3 @@ +Same scenario as test <a href="../host2host-cert/"><b>host2host-cert</b></a> but with +swapped end definitions: <b>right</b> denotes the <b>local</b> side whereas +<b>left</b> stands for the <b>remote</b> peer. diff --git a/testing/tests/host2host-swapped/evaltest.dat b/testing/tests/host2host-swapped/evaltest.dat new file mode 100644 index 000000000..d19f970f2 --- /dev/null +++ b/testing/tests/host2host-swapped/evaltest.dat @@ -0,0 +1,5 @@ +moon::ipsec status::host-host.*STATE_QUICK_I2.*IPsec SA established::YES +sun::ipsec status::host-host.*STATE_QUICK_R2.*IPsec SA established::YES +moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_seq=1::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/host2host-swapped/hosts/moon/etc/ipsec.conf b/testing/tests/host2host-swapped/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..4b66a5ecb --- /dev/null +++ b/testing/tests/host2host-swapped/hosts/moon/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn host-host + right=PH_IP_MOON + rightnexthop=%direct + rightcert=moonCert.pem + rightid=@moon.strongswan.org + rightfirewall=yes + left=PH_IP_SUN + leftid=@sun.strongswan.org + auto=add diff --git a/testing/tests/host2host-swapped/hosts/sun/etc/ipsec.conf b/testing/tests/host2host-swapped/hosts/sun/etc/ipsec.conf new file mode 100755 index 000000000..a58894b33 --- /dev/null +++ b/testing/tests/host2host-swapped/hosts/sun/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + nat_traversal=yes + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn host-host + right=PH_IP_SUN + rightnexthop=%direct + rightcert=sunCert.pem + rightfirewall=yes + rightid=@sun.strongswan.org + left=PH_IP_MOON + leftid=@moon.strongswan.org + auto=add diff --git a/testing/tests/host2host-swapped/posttest.dat b/testing/tests/host2host-swapped/posttest.dat new file mode 100644 index 000000000..52979508d --- /dev/null +++ b/testing/tests/host2host-swapped/posttest.dat @@ -0,0 +1,6 @@ +moon::iptables -v -n -L +sun::iptables -v -n -L +moon::ipsec stop +sun::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +sun::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/host2host-swapped/pretest.dat b/testing/tests/host2host-swapped/pretest.dat new file mode 100644 index 000000000..e2d98f2eb --- /dev/null +++ b/testing/tests/host2host-swapped/pretest.dat @@ -0,0 +1,6 @@ +moon::/etc/init.d/iptables start 2> /dev/null +sun::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +sun::ipsec start +moon::sleep 2 +moon::ipsec up host-host diff --git a/testing/tests/host2host-swapped/test.conf b/testing/tests/host2host-swapped/test.conf new file mode 100644 index 000000000..cf2e704fd --- /dev/null +++ b/testing/tests/host2host-swapped/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon winnetou sun" + +# Corresponding block diagram +# +DIAGRAM="m-w-s.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" diff --git a/testing/tests/host2host-transport/description.txt b/testing/tests/host2host-transport/description.txt new file mode 100644 index 000000000..fe3482c96 --- /dev/null +++ b/testing/tests/host2host-transport/description.txt @@ -0,0 +1,4 @@ +An IPsec <b>transport-mode</b> connection between the hosts <b>moon</b> and <b>sun</b> is +successfully set up. <b>leftfirewall=yes</b> automatically inserts iptables-based firewall +rules that let pass the decrypted IP packets. In order to test the host-to-host connection +<b>moon</b> pings <b>sun</b>. diff --git a/testing/tests/host2host-transport/evaltest.dat b/testing/tests/host2host-transport/evaltest.dat new file mode 100644 index 000000000..d19f970f2 --- /dev/null +++ b/testing/tests/host2host-transport/evaltest.dat @@ -0,0 +1,5 @@ +moon::ipsec status::host-host.*STATE_QUICK_I2.*IPsec SA established::YES +sun::ipsec status::host-host.*STATE_QUICK_R2.*IPsec SA established::YES +moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_seq=1::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/host2host-transport/hosts/moon/etc/ipsec.conf b/testing/tests/host2host-transport/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..af5000fa8 --- /dev/null +++ b/testing/tests/host2host-transport/hosts/moon/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + leftnexthop=%direct + +conn host-host + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftfirewall=yes + right=PH_IP_SUN + rightid=@sun.strongswan.org + type=transport + auto=add diff --git a/testing/tests/host2host-transport/hosts/sun/etc/ipsec.conf b/testing/tests/host2host-transport/hosts/sun/etc/ipsec.conf new file mode 100755 index 000000000..10bea9847 --- /dev/null +++ b/testing/tests/host2host-transport/hosts/sun/etc/ipsec.conf @@ -0,0 +1,26 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + leftnexthop=%direct + +conn host-host + left=PH_IP_SUN + leftcert=sunCert.pem + leftid=@sun.strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + type=transport + auto=add + diff --git a/testing/tests/host2host-transport/posttest.dat b/testing/tests/host2host-transport/posttest.dat new file mode 100644 index 000000000..52979508d --- /dev/null +++ b/testing/tests/host2host-transport/posttest.dat @@ -0,0 +1,6 @@ +moon::iptables -v -n -L +sun::iptables -v -n -L +moon::ipsec stop +sun::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +sun::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/host2host-transport/pretest.dat b/testing/tests/host2host-transport/pretest.dat new file mode 100644 index 000000000..e2d98f2eb --- /dev/null +++ b/testing/tests/host2host-transport/pretest.dat @@ -0,0 +1,6 @@ +moon::/etc/init.d/iptables start 2> /dev/null +sun::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +sun::ipsec start +moon::sleep 2 +moon::ipsec up host-host diff --git a/testing/tests/host2host-transport/test.conf b/testing/tests/host2host-transport/test.conf new file mode 100644 index 000000000..cf2e704fd --- /dev/null +++ b/testing/tests/host2host-transport/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon winnetou sun" + +# Corresponding block diagram +# +DIAGRAM="m-w-s.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" diff --git a/testing/tests/ike-alg-sha2_512/description.txt b/testing/tests/ike-alg-sha2_512/description.txt new file mode 100644 index 000000000..1bec4b8c6 --- /dev/null +++ b/testing/tests/ike-alg-sha2_512/description.txt @@ -0,0 +1,4 @@ +Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the paranoid cipher suite +<b>AES_CBC_256-SHA2_512-MODP8192</b> for the IKE protocol and +<b>AES_256-HMAC_SHA2_256</b> for ESP packets. A ping from <b>carol</b> to +<b>alice</b> successfully checks the established tunnel. diff --git a/testing/tests/ike-alg-sha2_512/evaltest.dat b/testing/tests/ike-alg-sha2_512/evaltest.dat new file mode 100644 index 000000000..dbd35429c --- /dev/null +++ b/testing/tests/ike-alg-sha2_512/evaltest.dat @@ -0,0 +1,8 @@ +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +moon::ipsec statusall::IKE algorithm newest: AES_CBC_256-SHA2_512-MODP8192::YES +carol::ipsec statusall::IKE algorithm newest: AES_CBC_256-SHA2_512-MODP8192::YES +moon::ipsec statusall::ESP algorithm newest: AES_256-HMAC_SHA2_256::YES +carol::ipsec statusall::ESP algorithm newest: AES_256-HMAC_SHA2_256::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES + diff --git a/testing/tests/ike-alg-sha2_512/hosts/carol/etc/ipsec.conf b/testing/tests/ike-alg-sha2_512/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..1f73cdc21 --- /dev/null +++ b/testing/tests/ike-alg-sha2_512/hosts/carol/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug="control crypt" + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + ike=aes256-sha2_512-modp8192! + esp=aes256-sha2_256! +conn home + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolCert.pem + leftid=carol@strongswan.org + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ike-alg-sha2_512/hosts/moon/etc/ipsec.conf b/testing/tests/ike-alg-sha2_512/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..90911997e --- /dev/null +++ b/testing/tests/ike-alg-sha2_512/hosts/moon/etc/ipsec.conf @@ -0,0 +1,26 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug="control crypt" + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + leftnexthop=%direct + ike=aes256-sha2_512-modp8192! + esp=aes256-sha2_256! + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + right=%any + rightid=carol@strongswan.org + auto=add diff --git a/testing/tests/ike-alg-sha2_512/posttest.dat b/testing/tests/ike-alg-sha2_512/posttest.dat new file mode 100644 index 000000000..c6d6235f9 --- /dev/null +++ b/testing/tests/ike-alg-sha2_512/posttest.dat @@ -0,0 +1,2 @@ +moon::ipsec stop +carol::ipsec stop diff --git a/testing/tests/ike-alg-sha2_512/pretest.dat b/testing/tests/ike-alg-sha2_512/pretest.dat new file mode 100644 index 000000000..7d077c126 --- /dev/null +++ b/testing/tests/ike-alg-sha2_512/pretest.dat @@ -0,0 +1,5 @@ +moon::echo 1 > /proc/sys/net/ipv4/ip_forward +carol::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/ike-alg-sha2_512/test.conf b/testing/tests/ike-alg-sha2_512/test.conf new file mode 100644 index 000000000..a6c8f026c --- /dev/null +++ b/testing/tests/ike-alg-sha2_512/test.conf @@ -0,0 +1,22 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" + diff --git a/testing/tests/ike-alg-strict-fail/description.txt b/testing/tests/ike-alg-strict-fail/description.txt new file mode 100644 index 000000000..03c655480 --- /dev/null +++ b/testing/tests/ike-alg-strict-fail/description.txt @@ -0,0 +1,5 @@ +The roadwarrior <b>carol</b> proposes <b>3DES</b> encryption with SHA-1 authentication +as the only cipher suite for both the ISAKMP and IPsec SA. The gateway <b>moon</b> defines +<b>ike=aes-128-sha</b> only, but will accept any other support algorithm proposed by the peer, +leading to a successful negotiation of Phase 1. Because for Phase 2 <b>moon</b> enforces +<b>esp=aes-128-sha1!</b> by using the strict flag '!', the ISAKMP SA will fail. diff --git a/testing/tests/ike-alg-strict-fail/evaltest.dat b/testing/tests/ike-alg-strict-fail/evaltest.dat new file mode 100644 index 000000000..931b8855a --- /dev/null +++ b/testing/tests/ike-alg-strict-fail/evaltest.dat @@ -0,0 +1,5 @@ +carol::ipsec status::home.*STATE_MAIN_I4.*ISAKMP SA established::NO +moon::ipsec status::rw.*STATE_MAIN_R3.*ISAKMP SA established::NO +carol::cat /var/log/auth.log::NO_PROPOSAL_CHOSEN::YES +moon::cat /var/log/auth.log::Oakley Transform.*OAKLEY_3DES_CBC (192), OAKLEY_SHA.*refused due to strict flag::YES +moon::cat /var/log/auth.log::no acceptable Oakley Transform::YES diff --git a/testing/tests/ike-alg-strict-fail/hosts/carol/etc/ipsec.conf b/testing/tests/ike-alg-strict-fail/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..ae8d2b772 --- /dev/null +++ b/testing/tests/ike-alg-strict-fail/hosts/carol/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + ike=3des-sha + esp=3des-sha1 +conn home + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolCert.pem + leftid=carol@strongswan.org + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ike-alg-strict-fail/hosts/moon/etc/ipsec.conf b/testing/tests/ike-alg-strict-fail/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..85cd235dc --- /dev/null +++ b/testing/tests/ike-alg-strict-fail/hosts/moon/etc/ipsec.conf @@ -0,0 +1,26 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + leftnexthop=%direct + ike=aes128-sha! + esp=aes128-sha1 + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + right=%any + rightid=carol@strongswan.org + auto=add diff --git a/testing/tests/ike-alg-strict-fail/posttest.dat b/testing/tests/ike-alg-strict-fail/posttest.dat new file mode 100644 index 000000000..c6d6235f9 --- /dev/null +++ b/testing/tests/ike-alg-strict-fail/posttest.dat @@ -0,0 +1,2 @@ +moon::ipsec stop +carol::ipsec stop diff --git a/testing/tests/ike-alg-strict-fail/pretest.dat b/testing/tests/ike-alg-strict-fail/pretest.dat new file mode 100644 index 000000000..f5aa989fe --- /dev/null +++ b/testing/tests/ike-alg-strict-fail/pretest.dat @@ -0,0 +1,4 @@ +carol::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/ike-alg-strict-fail/test.conf b/testing/tests/ike-alg-strict-fail/test.conf new file mode 100644 index 000000000..7e7848831 --- /dev/null +++ b/testing/tests/ike-alg-strict-fail/test.conf @@ -0,0 +1,21 @@ +##!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/ike-alg-strict/description.txt b/testing/tests/ike-alg-strict/description.txt new file mode 100644 index 000000000..35d266e20 --- /dev/null +++ b/testing/tests/ike-alg-strict/description.txt @@ -0,0 +1,5 @@ +The roadwarrior <b>carol</b> proposes <b>3DES</b> encryption with <b>SHA-1</b> authentication in the first place +and <b>AES-128</b> encryption with <b>SHA-1</b> authentication in the second place for both the ISAKMP and IPsec SA. +The gateway <b>moon</b> enforces <b>ike=aes-128-sha!</b> for Phase 1 by using the strict flag '!', +but will accept any other supported algorithm proposed by the peer for Phase 2 , even though <b>moon</b> +defines itself <b>esp=aes-128-sha1</b> only. diff --git a/testing/tests/ike-alg-strict/evaltest.dat b/testing/tests/ike-alg-strict/evaltest.dat new file mode 100644 index 000000000..46140be8a --- /dev/null +++ b/testing/tests/ike-alg-strict/evaltest.dat @@ -0,0 +1,7 @@ +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +moon::cat /var/log/auth.log::Oakley Transform.*OAKLEY_3DES_CBC (192), OAKLEY_SHA.*refused due to strict flag::YES +moon::ipsec statusall::IKE algorithm newest: AES_CBC_128-SHA::YES +moon::ipsec statusall::ESP algorithm newest: 3DES_0-HMAC_SHA1::YES +carol::ipsec statusall::IKE algorithm newest: AES_CBC_128-SHA::YES +carol::ipsec statusall::ESP algorithm newest: 3DES_0-HMAC_SHA1::YES diff --git a/testing/tests/ike-alg-strict/hosts/carol/etc/ipsec.conf b/testing/tests/ike-alg-strict/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..5a14de070 --- /dev/null +++ b/testing/tests/ike-alg-strict/hosts/carol/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + ike=3des-sha,aes-128-sha + esp=3des-sha1,aes-128-sha1 +conn home + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolCert.pem + leftid=carol@strongswan.org + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ike-alg-strict/hosts/moon/etc/ipsec.conf b/testing/tests/ike-alg-strict/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..85cd235dc --- /dev/null +++ b/testing/tests/ike-alg-strict/hosts/moon/etc/ipsec.conf @@ -0,0 +1,26 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + leftnexthop=%direct + ike=aes128-sha! + esp=aes128-sha1 + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + right=%any + rightid=carol@strongswan.org + auto=add diff --git a/testing/tests/ike-alg-strict/posttest.dat b/testing/tests/ike-alg-strict/posttest.dat new file mode 100644 index 000000000..c6d6235f9 --- /dev/null +++ b/testing/tests/ike-alg-strict/posttest.dat @@ -0,0 +1,2 @@ +moon::ipsec stop +carol::ipsec stop diff --git a/testing/tests/ike-alg-strict/pretest.dat b/testing/tests/ike-alg-strict/pretest.dat new file mode 100644 index 000000000..f5aa989fe --- /dev/null +++ b/testing/tests/ike-alg-strict/pretest.dat @@ -0,0 +1,4 @@ +carol::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/ike-alg-strict/test.conf b/testing/tests/ike-alg-strict/test.conf new file mode 100644 index 000000000..2b240d895 --- /dev/null +++ b/testing/tests/ike-alg-strict/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/mode-config-swapped/description.txt b/testing/tests/mode-config-swapped/description.txt new file mode 100644 index 000000000..e29e6f654 --- /dev/null +++ b/testing/tests/mode-config-swapped/description.txt @@ -0,0 +1,3 @@ +Same scenario as test <a href="../mode-config/"><b>mode-config</b></a> but with +swapped end definitions: <b>right</b> denotes the <b>local</b> side whereas +<b>left</b> stands for the <b>remote</b> peer. diff --git a/testing/tests/mode-config-swapped/evaltest.dat b/testing/tests/mode-config-swapped/evaltest.dat new file mode 100644 index 000000000..be8ca6ef5 --- /dev/null +++ b/testing/tests/mode-config-swapped/evaltest.dat @@ -0,0 +1,16 @@ +carol::cat /var/log/auth.log::setting virtual IP source address to 10.3.0.1::YES +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +dave::cat /var/log/auth.log::setting virtual IP source address to 10.3.0.2::YES +dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon::ipsec status::rw-carol.*STATE_QUICK_R2.*IPsec SA established::YES +moon::ipsec status::rw-dave.*STATE_QUICK_R2.*IPsec SA established::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES +alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: icmp::YES +alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: icmp::YES +alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: icmp::YES +alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: icmp::YES diff --git a/testing/tests/mode-config-swapped/hosts/carol/etc/ipsec.conf b/testing/tests/mode-config-swapped/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..bee23f4df --- /dev/null +++ b/testing/tests/mode-config-swapped/hosts/carol/etc/ipsec.conf @@ -0,0 +1,30 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn home + right=PH_IP_CAROL + rightsourceip=%modeconfig + rightnexthop=%direct + rightcert=carolCert.pem + rightid=carol@strongswan.org + rightfirewall=yes + left=PH_IP_MOON + leftsubnet=10.1.0.0/16 + leftid=@moon.strongswan.org + auto=add + + + + diff --git a/testing/tests/mode-config-swapped/hosts/dave/etc/ipsec.conf b/testing/tests/mode-config-swapped/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..698cd9673 --- /dev/null +++ b/testing/tests/mode-config-swapped/hosts/dave/etc/ipsec.conf @@ -0,0 +1,30 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn home + right=PH_IP_DAVE + rightsourceip=%modeconfig + rightnexthop=%direct + rightcert=daveCert.pem + rightid=dave@strongswan.org + rightfirewall=yes + left=PH_IP_MOON + leftsubnet=10.1.0.0/16 + leftid=@moon.strongswan.org + auto=add + + + + diff --git a/testing/tests/mode-config-swapped/hosts/moon/etc/ipsec.conf b/testing/tests/mode-config-swapped/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..b9e401080 --- /dev/null +++ b/testing/tests/mode-config-swapped/hosts/moon/etc/ipsec.conf @@ -0,0 +1,33 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightsourceip=PH_IP1_MOON + rightnexthop=%direct + rightcert=moonCert.pem + rightid=@moon.strongswan.org + rightfirewall=yes + +conn rw-carol + left=%any + leftid=carol@strongswan.org + leftsourceip=PH_IP1_CAROL + auto=add + +conn rw-dave + left=%any + leftid=dave@strongswan.org + leftsourceip=PH_IP1_DAVE + auto=add diff --git a/testing/tests/mode-config-swapped/posttest.dat b/testing/tests/mode-config-swapped/posttest.dat new file mode 100644 index 000000000..932b319a7 --- /dev/null +++ b/testing/tests/mode-config-swapped/posttest.dat @@ -0,0 +1,11 @@ +moon::iptables -v -n -L +carol::iptables -v -n -L +dave::iptables -v -n -L +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +dave::/etc/init.d/iptables stop 2> /dev/null +carol::ip addr del PH_IP1_CAROL/32 dev eth0 +dave::ip addr del PH_IP1_DAVE/32 dev eth0 diff --git a/testing/tests/mode-config-swapped/pretest.dat b/testing/tests/mode-config-swapped/pretest.dat new file mode 100644 index 000000000..1e45f00fd --- /dev/null +++ b/testing/tests/mode-config-swapped/pretest.dat @@ -0,0 +1,9 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +dave::/etc/init.d/iptables start 2> /dev/null +carol::ipsec start +dave::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home +dave::ipsec up home diff --git a/testing/tests/mode-config-swapped/test.conf b/testing/tests/mode-config-swapped/test.conf new file mode 100644 index 000000000..1a8f2a4e0 --- /dev/null +++ b/testing/tests/mode-config-swapped/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon alice" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/mode-config/description.txt b/testing/tests/mode-config/description.txt new file mode 100644 index 000000000..3e67f83f1 --- /dev/null +++ b/testing/tests/mode-config/description.txt @@ -0,0 +1,7 @@ +The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>. +Both <b>carol</b> and <b>dave</b> request a <b>virtual IP</b> via the IKE Mode Config protocol +by using the <b>leftsourceip=%modeconfig</b> parameter. <b>leftfirewall=yes</b> automatically +inserts iptables-based firewall rules that let pass the tunneled traffic. In order to test the +tunnels, <b>carol</b> and <b>dave</b> then ping the client <b>alice</b> behind the gateway +<b>moon</b>. The source IP addresses of the two pings will be the virtual IPs <b>carol1</b> +and <b>dave1</b>, respectively. diff --git a/testing/tests/mode-config/evaltest.dat b/testing/tests/mode-config/evaltest.dat new file mode 100644 index 000000000..be8ca6ef5 --- /dev/null +++ b/testing/tests/mode-config/evaltest.dat @@ -0,0 +1,16 @@ +carol::cat /var/log/auth.log::setting virtual IP source address to 10.3.0.1::YES +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +dave::cat /var/log/auth.log::setting virtual IP source address to 10.3.0.2::YES +dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon::ipsec status::rw-carol.*STATE_QUICK_R2.*IPsec SA established::YES +moon::ipsec status::rw-dave.*STATE_QUICK_R2.*IPsec SA established::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES +alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: icmp::YES +alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: icmp::YES +alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: icmp::YES +alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: icmp::YES diff --git a/testing/tests/mode-config/hosts/carol/etc/ipsec.conf b/testing/tests/mode-config/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..598997b45 --- /dev/null +++ b/testing/tests/mode-config/hosts/carol/etc/ipsec.conf @@ -0,0 +1,30 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn home + left=PH_IP_CAROL + leftsourceip=%modeconfig + leftnexthop=%direct + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add + + + + diff --git a/testing/tests/mode-config/hosts/dave/etc/ipsec.conf b/testing/tests/mode-config/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..da601389c --- /dev/null +++ b/testing/tests/mode-config/hosts/dave/etc/ipsec.conf @@ -0,0 +1,30 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn home + left=PH_IP_DAVE + leftsourceip=%modeconfig + leftnexthop=%direct + leftcert=daveCert.pem + leftid=dave@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add + + + + diff --git a/testing/tests/mode-config/hosts/moon/etc/ipsec.conf b/testing/tests/mode-config/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..49333e217 --- /dev/null +++ b/testing/tests/mode-config/hosts/moon/etc/ipsec.conf @@ -0,0 +1,33 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_MOON + leftsubnet=10.1.0.0/16 + leftsourceip=PH_IP1_MOON + leftnexthop=%direct + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftfirewall=yes + +conn rw-carol + right=%any + rightid=carol@strongswan.org + rightsourceip=PH_IP1_CAROL + auto=add + +conn rw-dave + right=%any + rightid=dave@strongswan.org + rightsourceip=PH_IP1_DAVE + auto=add diff --git a/testing/tests/mode-config/posttest.dat b/testing/tests/mode-config/posttest.dat new file mode 100644 index 000000000..932b319a7 --- /dev/null +++ b/testing/tests/mode-config/posttest.dat @@ -0,0 +1,11 @@ +moon::iptables -v -n -L +carol::iptables -v -n -L +dave::iptables -v -n -L +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +dave::/etc/init.d/iptables stop 2> /dev/null +carol::ip addr del PH_IP1_CAROL/32 dev eth0 +dave::ip addr del PH_IP1_DAVE/32 dev eth0 diff --git a/testing/tests/mode-config/pretest.dat b/testing/tests/mode-config/pretest.dat new file mode 100644 index 000000000..1e45f00fd --- /dev/null +++ b/testing/tests/mode-config/pretest.dat @@ -0,0 +1,9 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +dave::/etc/init.d/iptables start 2> /dev/null +carol::ipsec start +dave::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home +dave::ipsec up home diff --git a/testing/tests/mode-config/test.conf b/testing/tests/mode-config/test.conf new file mode 100644 index 000000000..1a8f2a4e0 --- /dev/null +++ b/testing/tests/mode-config/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon alice" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/multi-level-ca-ldap/description.txt b/testing/tests/multi-level-ca-ldap/description.txt new file mode 100644 index 000000000..18fb88840 --- /dev/null +++ b/testing/tests/multi-level-ca-ldap/description.txt @@ -0,0 +1,11 @@ +The VPN gateway <b>moon</b> controls the access to the hosts <b>alice</b> and +<b>venus</b> by means of two different Intermediate CAs. Access to +<b>alice</b> is granted to users presenting a certificate issued by the Research CA +whereas <b>venus</b> can only be reached with a certificate issued by the +Sales CA. The roadwarriors <b>carol</b> and <b>dave</b> have certificates from +the Research CA and Sales CA, respectively. Therefore <b>carol</b> can access +<b>alice</b> and <b>dave</b> can reach <b>venus</b>. +<p> +By setting <b>strictcrlpolicy=yes</b> the CRLs from the strongSwan, Research and +Sales CAs must be fetched from the LDAP server <b>winnetou</b> first, before the +connection setups can be successfully completed. diff --git a/testing/tests/multi-level-ca-ldap/evaltest.dat b/testing/tests/multi-level-ca-ldap/evaltest.dat new file mode 100644 index 000000000..f504706e2 --- /dev/null +++ b/testing/tests/multi-level-ca-ldap/evaltest.dat @@ -0,0 +1,13 @@ +moon::cat /var/log/auth.log::PH_IP_CAROL.*X.509 certificate rejected::YES +carol::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES +moon::cat /var/log/auth.log::PH_IP_DAVE.*X.509 certificate rejected::YES +dave::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES +moon::cat /var/log/auth.log::Trying LDAP URL::YES +carol::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::alice.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::YES +carol::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::NO +moon::ipsec status::venus.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::NO +dave::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::venus.*PH_IP_DAVE.*STATE_QUICK_R2.*IPsec SA established::YES +dave::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::NO +moon::ipsec status::alice.*PH_IP_DAVE.*STATE_QUICK_R2.*IPsec SA established::NO diff --git a/testing/tests/multi-level-ca-ldap/hosts/carol/etc/ipsec.conf b/testing/tests/multi-level-ca-ldap/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..222c3cf67 --- /dev/null +++ b/testing/tests/multi-level-ca-ldap/hosts/carol/etc/ipsec.conf @@ -0,0 +1,32 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +ca strongswan + cacert=strongswanCert.pem + crluri="ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=Linux strongSwan, c=CH?certificateRevocationList" + auto=add + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolCert.pem + right=PH_IP_MOON + rightid=@moon.strongswan.org + +conn alice + rightsubnet=PH_IP_ALICE/32 + auto=add + +conn venus + rightsubnet=PH_IP_VENUS/32 + auto=add diff --git a/testing/tests/multi-level-ca-ldap/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/multi-level-ca-ldap/hosts/carol/etc/ipsec.d/certs/carolCert.pem new file mode 100644 index 000000000..2990d6a12 --- /dev/null +++ b/testing/tests/multi-level-ca-ldap/hosts/carol/etc/ipsec.d/certs/carolCert.pem @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIELDCCAxSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS +BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTA1MDMyMzA3MDQyM1oXDTEwMDMyMjA3MDQy +M1owWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP +BgNVBAsTCFJlc2VhcmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCC +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM+oTiV7lCh1ID41edDUgUjR +dZwEMPBAM1xDqoxJxIJpug8UIuuUL0TvQnZ4Z5fa/9QNNCkQ7FDh8ZcR+TT8x0mO +dYYA73mMQic0n4O57F+s/lESKvIoN+vIDR3rGJBv9rYztS4ODE+DJl9XK9TtId5u +57jfXu/k3IYl5GeQ3f+ic2l2Ola70t70Op6cFDZIhOCjs2xWw2yqGdPWODaN/Enw +5fOLv/om+7HHB4KgPGv4p4ohWIUCo2XK597Ii+jB2MdOUlG83/1aX7+M+IeYVwjI +hzWjwRQfMz0AQha0HYN4cvrZ7stUluMxewsCROCBzcGQYTZxYU4FjR8nhH4ApYMC +AwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSL +qNn96rsWg0kOJY/cyXD2JpnPIjBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p +891UIKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3 +YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBDDAfBgNVHREEGDAWgRRj +YXJvbEBzdHJvbmdzd2FuLm9yZzA3BgNVHR8EMDAuMCygKqAohiZodHRwOi8vY3Js +LnN0cm9uZ3N3YW4ub3JnL3Jlc2VhcmNoLmNybDANBgkqhkiG9w0BAQUFAAOCAQEA +FNPepmta0ac9TWe7Gl31fKkuf6ZiQftMwx/uq6PoX9PBVGeooktJMo+EiROQhL3N +Zomtl2nLfxYruXPHa7YaMWyv4+3NkV9p7jseC1K/2lCXipY4Vp8u14hqlRLCTejp +7uC/0+628e+qXlCm8wafDb9/JXzQar7rADhoLp7gJKI2PKMAzLUP2xZVzY5zx57G ++OCR/ZXonVeAPy9/0g9N8uQzJEXOVZYMjsoRra9rdlvnY1DgDoAK7QvJMC4VzENm +wKmz2rPrBlKaEcivubg7dwPMGNmb3f7F7w0HHuRbQd5Y0nDfEWBKCp0bVx1GLc7/ +MWjwPJs52qVJ3Ph++EF6bw== +-----END CERTIFICATE----- diff --git a/testing/tests/multi-level-ca-ldap/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/multi-level-ca-ldap/hosts/carol/etc/ipsec.d/private/carolKey.pem new file mode 100644 index 000000000..b91f9bf81 --- /dev/null +++ b/testing/tests/multi-level-ca-ldap/hosts/carol/etc/ipsec.d/private/carolKey.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEogIBAAKCAQEAz6hOJXuUKHUgPjV50NSBSNF1nAQw8EAzXEOqjEnEgmm6DxQi +65QvRO9Cdnhnl9r/1A00KRDsUOHxlxH5NPzHSY51hgDveYxCJzSfg7nsX6z+URIq +8ig368gNHesYkG/2tjO1Lg4MT4MmX1cr1O0h3m7nuN9e7+TchiXkZ5Dd/6JzaXY6 +VrvS3vQ6npwUNkiE4KOzbFbDbKoZ09Y4No38SfDl84u/+ib7sccHgqA8a/iniiFY +hQKjZcrn3siL6MHYx05SUbzf/Vpfv4z4h5hXCMiHNaPBFB8zPQBCFrQdg3hy+tnu +y1SW4zF7CwJE4IHNwZBhNnFhTgWNHyeEfgClgwIDAQABAoIBAHXoftbRoIKIXtJz +0sM8plwOctUvnAoOqhsNYN1fVXEnTzoYmOtirKRbpkVWgJu9Ad4J0UAwF76lTGQX +FIV9sjqV5S09grxlY3qXaquE+i4pMA4gXro5E+eRI8GFJ+F7cX5rRcjsuRi8wyEH +gh/YtY5zMqfKTUGxlXWmNlaH70WilianuMPNXwaKgyBGcfZdheyUggM0rYEJrG1Z +PZqNo0JKfeI4htpENDp0k1xJ9lCjIqdNw0ZjBi+pL6hF5PYaPjlVC2yn5CzRaT1D +nUeKUK+SVES4sPrEQtaOlk86uZC4pIz5IlEoSvaw/Yo3Gk1sQKIQMMh1crhHd0El +U831KwECgYEA7fQY+aFk3fHabwgf9gjuPKgwetVQ8jNDWUiSqffHUC0AQfKZQQsF +mXJeSRZomPCWG3DRz1EcqXr9f82bN295I0CI6foXZgKUmjed7Bohc0HvUqNOi2qm +MdbdWBOaH4RBzi1fAENJZnprmq65jQ/tkfCwqIz4KaLt+8xiWmU2h6ECgYEA32gB +UbCzs1LoJC03uGHqZFRWK/YNKOKBUw58XCnzPTA+34UupI88lPj8LD269tDtruRy +G7wt4HjayPKtK430nKAl01IXq6ULBTByu3KrCOm/gTAycVMj4ZimTn7Qu9jyv4Lz +Ka3rBQxB+yQWfn27dc7U+EBsA7PT53NR6Zl8CqMCgYALJYod93+AHho7ZUgKAHUY +hlBvEJsQHXKkNhAYwjCmAtWmQTUIpPmILKFaDyCrOWnusyRA7+3FyqshV4JT4Hbu +PdGsFDkQYEKRztUpADhc69PILTo6sa5DW2tW+uQXYdyrSdjPbFd943Iy9sheYUah +tYKxApmFacp4JyTcUy1wwQKBgA44xLy6jvX/dR+4cS+frBgu9j1eMIBFyw3Kgkgr +s3xVserww4NeSvEA2KzIUTqdGkRj7o+tbw43I1ZffH6lTskZuM63DyKyIv11lBgy +uIicuMA0nUFxlXsrCIs+r3MF4I4oe+pPVALCQQEHzxbGUkSxogUbtMSXkgnN4Y0J +ZEgZAoGAfo0nv/IeKi0KkKiPTQSGVWGAQyCpGE0UQ2RYYToT84kjXs+LrVGFH2lu +LJvyYnSnM7eKqCFKh+kLQ3bezum56y5XTyAEipTmu7Lhp0CiVjSdnu+0QykmhKsx +Z17Ut2ryGKOXySnlMNual4eCLq98o0iOcYPq08V6x33dhK7Z3kU= +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/multi-level-ca-ldap/hosts/dave/etc/ipsec.conf b/testing/tests/multi-level-ca-ldap/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..bfa0ebba3 --- /dev/null +++ b/testing/tests/multi-level-ca-ldap/hosts/dave/etc/ipsec.conf @@ -0,0 +1,32 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +ca strongswan + cacert=strongswanCert.pem + crluri="ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=Linux strongSwan, c=CH?certificateRevocationList" + auto=add + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_DAVE + leftnexthop=%direct + leftcert=daveCert.pem + right=PH_IP_MOON + rightid=@moon.strongswan.org + +conn alice + rightsubnet=PH_IP_ALICE/32 + auto=add + +conn venus + rightsubnet=PH_IP_VENUS/32 + auto=add diff --git a/testing/tests/multi-level-ca-ldap/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/multi-level-ca-ldap/hosts/dave/etc/ipsec.d/certs/daveCert.pem new file mode 100644 index 000000000..b76032480 --- /dev/null +++ b/testing/tests/multi-level-ca-ldap/hosts/dave/etc/ipsec.d/certs/daveCert.pem @@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIIEHDCCAwSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBLMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEOMAwGA1UECxMFU2FsZXMxETAPBgNV +BAMTCFNhbGVzIENBMB4XDTA1MDMyMzA3MTAxN1oXDTEwMDMyMjA3MTAxN1owVjEL +MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsT +BVNhbGVzMRwwGgYDVQQDFBNkYXZlQHN0cm9uZ3N3YW4ub3JnMIIBIjANBgkqhkiG +9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyqAR0itGIuSt/RR8IHjFTLH/lywprmHUw0GS +zZwo/q4AE4v6OeWRG3JUUg44K40yBwr7zvcsLztRTfbNqlt7o+Hjpo3kz0AMwDo+ +1V42Qkh61VJW1P0NQvkgjiQn+ElSMg1u3uiYCIMAhYMYo2ZMKxHXxRqjU79AVuJN +P3p8wUpfwReImAy3/n685YbSzWcbPqCfjRH/YrnYS8Ga7m/QzdNfrtxhAWAGow1+ ++eTSMvLXSkQeujU6OCJNOPUNB3nnJ1IoZrQm8wNP8Y5B5HzvOSyFEvNuHFc63gSP +aSRhuz0gubuMpr1d9Rgjny8JgsfCEbOktlKwnbFeSB8AAgVMjwIDAQABo4H/MIH8 +MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSCy57rUdNRbytUkRGY +GjmjvXfIszBtBgNVHSMEZjBkgBRfmxNG+SByyADViLWnTC6X6guTKKFJpEcwRTEL +MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT +EnN0cm9uZ1N3YW4gUm9vdCBDQYIBDTAeBgNVHREEFzAVgRNkYXZlQHN0cm9uZ3N3 +YW4ub3JnMDQGA1UdHwQtMCswKaAnoCWGI2h0dHA6Ly9jcmwuc3Ryb25nc3dhbi5v +cmcvc2FsZXMuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQB+BknSxFKaDhbRVobOAU2P +p9cirkVCitoZrvK2QIS/7WRoqy85RQ+zorJb3jyTxQl4Pu9Qrap9Zn0H8GQXGlQw +ZJqdDqRaIa4nCc57qP5DsuQKIQRxc1QMCiWyIRAESn+r8IbxLbjvEd7ZXNsieip6 +Q15uUZldjTveHVi89i9oFWS1nWo4SV+tJaEqPBvsTZZKBPAEu6+7lRzbJ4ukzRsA +DjuvmaPNUTyf21fD66I4sgrwgxoPhZ7r6qsqISJ5f0EzTXgYNi1yk/TXoAaot3c/ +Gu5+iyO/espV6kPADSOzPSFwsGHYG4kXi1VY0Z7x6UnjQSdEelOBplJ5XYDzEn4+ +-----END CERTIFICATE----- diff --git a/testing/tests/multi-level-ca-ldap/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/multi-level-ca-ldap/hosts/dave/etc/ipsec.d/private/daveKey.pem new file mode 100644 index 000000000..022436de4 --- /dev/null +++ b/testing/tests/multi-level-ca-ldap/hosts/dave/etc/ipsec.d/private/daveKey.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAyqAR0itGIuSt/RR8IHjFTLH/lywprmHUw0GSzZwo/q4AE4v6 +OeWRG3JUUg44K40yBwr7zvcsLztRTfbNqlt7o+Hjpo3kz0AMwDo+1V42Qkh61VJW +1P0NQvkgjiQn+ElSMg1u3uiYCIMAhYMYo2ZMKxHXxRqjU79AVuJNP3p8wUpfwReI +mAy3/n685YbSzWcbPqCfjRH/YrnYS8Ga7m/QzdNfrtxhAWAGow1++eTSMvLXSkQe +ujU6OCJNOPUNB3nnJ1IoZrQm8wNP8Y5B5HzvOSyFEvNuHFc63gSPaSRhuz0gubuM +pr1d9Rgjny8JgsfCEbOktlKwnbFeSB8AAgVMjwIDAQABAoIBAHKaRFoVpa6Ynpu0 +mVwYUqdFSaVsEgsSRC9HiEuIllsteNeVZSqX4BGhAXYDmttvGauIF9IAVNpF939c +JwjCg1S2r3aFbLOXq16R0vYFOjUVH3xF/NysX3LQywv6AS1Z8wZiOKIU9eBij8nz +0tygQFZf2iUeIuB8HFzH1B8iHSuI7qn6hh1Y9Zgx4kWYL9I+WYefbR906xveHVGq +8VrgHtBAn1WeWg7FoN1VURW0s1bxkiWtpF9x9OMmwK4qR8HSCilss59V1eJrAAR0 +3FGdWwbbGg9hW0adnyDCtoaYW3r0WcXwqklyas4C+dClOpUInn8kZisoghQYT92u +U2QeDzECgYEA5Rv7+rP9HX1pNd9NQwOyIHztv4jfx60gybioogtCeRZUwPQ3GtXJ +Q0ouBxCVLdyCImIKcvd2q2b9HZE8tvOHBA/YxofH4miEN5GWA4aL+LcGrxIbxPWs +MEkxgQwsyK7lWH47fG7eW86LMx0VikFXS1EeeZZS3f3Avaww1uRtXecCgYEA4mhS +sAClZamGVWQ7VXCHuS4xHn/gPA4TCyoR5l9g9pwregGKxsROQVIFQCDMd9eTtS6B +oqoUTHdg0TlujHVUojdwHtgDaqDMTk+RXD9qy2Wob9HQVBlIwgijoLb+OjwdoAj7 +1OQx8FmMjAlMmlyJ50e1FnbNJFEJ1EMgV5QxtxkCgYEArdUeyehYy1BFTJ/CIm+i +bm37gdDbYchlUUivgkuiwvcDlWd2jADbdRfKdofJeIOPpYDXxsUmIATDVfTFqVZ7 +AcT4SCHrskh00SjANqqWdz5/bsQBl96DKBvQ2MYhEJ9K2mrkvZPtWKENEtolZsIO +9tF0mvJIq7CF1iPY5qNoq88CgYEAoZhELErJwl3U+22my7ydopZNiK9MpJCHFxjX +3c2Fr36XqWUgX+4MzKJ2DOdcCM1dJ5wh+q/Z/RnXiH2tYaL83SskY19aUOij6eDw +px68YqAUMHtYbi39uD/iSftSSM5PdsHyvGiDHEFOB0U735Dc/K45mecBVEJi+ZVP +qDKlqUECgYA1DcGOWM3P3XdB7zKy47LcankMtFZozEOLTUdGJRlmWrLdcRlZPKjt +/ALripehesp1++VtmttWQJX7uI3gveD07/tSKeMHmIoKappjRTrcaA7Pa5+z/xS/ +UhRmZUFOJwNLzy3jdv5f2c/5SIz6o4Ae3I+Zb+IapHL+lBv146/I5g== +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/multi-level-ca-ldap/hosts/moon/etc/init.d/iptables b/testing/tests/multi-level-ca-ldap/hosts/moon/etc/init.d/iptables new file mode 100755 index 000000000..8de514a2e --- /dev/null +++ b/testing/tests/multi-level-ca-ldap/hosts/moon/etc/init.d/iptables @@ -0,0 +1,76 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +opts="start stop reload" + +depend() { + before net + need logger +} + +start() { + ebegin "Starting firewall" + + # enable IP forwarding + echo 1 > /proc/sys/net/ipv4/ip_forward + + # default policy is DROP + /sbin/iptables -P INPUT DROP + /sbin/iptables -P OUTPUT DROP + /sbin/iptables -P FORWARD DROP + + # allow esp + iptables -A INPUT -i eth0 -p 50 -j ACCEPT + iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT + + # allow IKE + iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT + iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + + # allow ldap crl fetch from winnetou + iptables -A INPUT -i eth0 -p tcp --sport 389 -s PH_IP_WINNETOU -j ACCEPT + iptables -A OUTPUT -o eth0 -p tcp --dport 389 -d PH_IP_WINNETOU -j ACCEPT + + # allow ssh + iptables -A INPUT -p tcp --dport 22 -j ACCEPT + iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT + + eend $? +} + +stop() { + ebegin "Stopping firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + + if [ $a == nat ]; then + /sbin/iptables -t nat -P PREROUTING ACCEPT + /sbin/iptables -t nat -P POSTROUTING ACCEPT + /sbin/iptables -t nat -P OUTPUT ACCEPT + elif [ $a == mangle ]; then + /sbin/iptables -t mangle -P PREROUTING ACCEPT + /sbin/iptables -t mangle -P INPUT ACCEPT + /sbin/iptables -t mangle -P FORWARD ACCEPT + /sbin/iptables -t mangle -P OUTPUT ACCEPT + /sbin/iptables -t mangle -P POSTROUTING ACCEPT + elif [ $a == filter ]; then + /sbin/iptables -t filter -P INPUT ACCEPT + /sbin/iptables -t filter -P FORWARD ACCEPT + /sbin/iptables -t filter -P OUTPUT ACCEPT + fi + done + eend $? +} + +reload() { + ebegin "Flushing firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + done; + eend $? + start +} + diff --git a/testing/tests/multi-level-ca-ldap/hosts/moon/etc/ipsec.conf b/testing/tests/multi-level-ca-ldap/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..e2b60589b --- /dev/null +++ b/testing/tests/multi-level-ca-ldap/hosts/moon/etc/ipsec.conf @@ -0,0 +1,47 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=yes + +ca strongswan + cacert=strongswanCert.pem + crluri="ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=Linux strongSwan, c=CH?certificateRevocationList" + auto=add + +ca research + cacert=researchCert.pem + crluri="ldap://ldap.strongswan.org/cn=Research CA, ou=Research, o=Linux strongSwan, c=CH?certificateRevocationList" + auto=add + +ca sales + cacert=salesCert.pem + crluri="ldap://ldap.strongswan.org/cn=Sales CA, ou=Sales, o=Linux strongSwan, c=CH?certificateRevocationList" + auto=add + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_MOON + leftnexthop=%direct + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftfirewall=yes + +conn alice + leftsubnet=PH_IP_ALICE/32 + right=%any + rightca="C=CH, O=Linux strongSwan, OU=Research, CN=Research CA" + auto=add + +conn venus + leftsubnet=PH_IP_VENUS/32 + right=%any + rightca="C=CH, O=Linux strongSwan, OU=Sales, CN=Sales CA" + auto=add + diff --git a/testing/tests/multi-level-ca-ldap/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem b/testing/tests/multi-level-ca-ldap/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem new file mode 100644 index 000000000..154cff654 --- /dev/null +++ b/testing/tests/multi-level-ca-ldap/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem @@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIIDwTCCAqmgAwIBAgIBDzANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA1MDYyMTE5NTgwNloXDTEwMDYyMDE5NTgwNlowUTELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh +cmNoMRQwEgYDVQQDEwtSZXNlYXJjaCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBALY5sjqm4AdbWKc/T7JahWpy9xtdPbHngBN6lbnpYaHfrxnGsvmD +FCFZHCd7egRqQ/AuJHHcEv3DUdfJWWAypVnUvdlcp58hBjpxfTPXP9IDBxzQaQyU +zsExIGWOVUY2e7xJ5BKBnXVkok3htY4Hr1GdqNh+3LEmbegJBngTRSRx4PKJ54FO +/b78LUzB+rMxrzxw/lnI8jEmAtKlugQ7c9auMeFCz+NmlSfnSoWhHN5qm+0iNKy0 +C+25IuE8Nq+i3jtBiI8BwBqHY3u2IuflUh9Nc9d/R6vGsRPMHs30X1Ha/m0Ug494 ++wwqwfEBZRjzxMmMF/1SG4I1E3TDOJ3srjkCAwEAAaOBrzCBrDAPBgNVHRMBAf8E +BTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU53XwoPKtIM3NYCPMx8gPKfPd +VCAwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNV +BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJv +bmdTd2FuIFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQEEBQADggEBAHArS2trQnBoMVcg +Br3HV78wYsa1MNAQCBAPhKMMd6EziO4FTwgNgecbKXpObX6ErFDgjtVTcLOMTvNX +fvZoNuPpdcitlgcWjfxZafNbj6j9ClE/rMbGDO64NLhdXuPVkbmic6yXRwGZpTuq +3CKgTguLvhzIEM47yfonXKaaJcKVPI7nYRZdlJmD4VflYrSUpzB361dCaPpl0AYa +0zz1+jfBBvlyic/tf+cCngV3f+GlJ4ntZ3gvRjyysHRmYpWBD7xcA8mJzgUiMyi1 +IKeNzydp+tnLfxwetfA/8ptc346me7RktAaASqO9vpS/N78eXyJRthZTKEf/OqVW +Tfcyi+M= +-----END CERTIFICATE----- diff --git a/testing/tests/multi-level-ca-ldap/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem b/testing/tests/multi-level-ca-ldap/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem new file mode 100644 index 000000000..e50477872 --- /dev/null +++ b/testing/tests/multi-level-ca-ldap/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDuzCCAqOgAwIBAgIBDTANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA1MDMyMzA2MjkxNloXDTE0MDMyMTA2MjkxNlowSzELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsTBVNhbGVz +MREwDwYDVQQDEwhTYWxlcyBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC +ggEBAMJOTSaZjDe5UR+hJbodcE40WBxWm+r0FiD+FLc2c0hH/QcWm1Xfqnc9qaPP +GoxO2BfwXgFEHfOdQzHGuthhsvdMPkmWP1Z3uDrwscqrmLyq4JI87exSen1ggmCV +Eib55T4fNxrTIGJaoe6Jn9v9ZwG2B+Ur3nFA/wdckSdqJxc6XL9DKcRk3TxZtv9S +uDftE9G787O6PJSyfyUYhldz1EZe5PTsUoAbBJ0DDXJx3562kDtfQdwezat0LAyO +sVabYq/0G/fBZwLLer4qGF2+3CsvP7jNXnhRYeSv2+4i2mAjgbBRI1A3iqoU3Nq1 +vPAqzrekOI/RV9Hre9L1r8X1dIECAwEAAaOBrzCBrDAPBgNVHRMBAf8EBTADAQH/ +MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUX5sTRvkgcsgA1Yi1p0wul+oLkygwbQYD +VR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNI +MRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2Fu +IFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQEFBQADggEBAJ7j3X20Q8ICJ2e+iUCpVUIV +8RudUeHt9qjSXalohuxxhegL5vu7I9Gx0H56RE4glOjLMCb1xqVZ55Odxx14pHaZ +9iMnQFpgzi96exYAmBKYCHl4IFix2hrTqTWSJhEO+o+PXnQTgcfG43GQepk0qAQr +iZZy8OWiUhHSJQLJtTMm4rnYjgPn+sLwx7hCPDZpHTZocETDars7wTiVkodCbeEU +uKahAbq4b6MvvC3+7quvwoEpAEStT7+Yml+QuK/jKmhjX0hcQcw4ZWi+m32RjUAv +xDJGEvBqV2hyrzRqwh4lVNJEBba5X+QB3N6a0So6BENaJrUM3v8EDaS2KLUWyu0= +-----END CERTIFICATE----- diff --git a/testing/tests/multi-level-ca-ldap/posttest.dat b/testing/tests/multi-level-ca-ldap/posttest.dat new file mode 100644 index 000000000..e618fc419 --- /dev/null +++ b/testing/tests/multi-level-ca-ldap/posttest.dat @@ -0,0 +1,8 @@ +moon::iptables -v -n -L +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::rm /etc/ipsec.d/cacerts/* +winnetou::/etc/init.d/slapd stop +moon::/etc/init.d/iptables stop 2> /dev/null + diff --git a/testing/tests/multi-level-ca-ldap/pretest.dat b/testing/tests/multi-level-ca-ldap/pretest.dat new file mode 100644 index 000000000..322f42102 --- /dev/null +++ b/testing/tests/multi-level-ca-ldap/pretest.dat @@ -0,0 +1,10 @@ +winnetou::/etc/init.d/slapd start +moon::/etc/init.d/iptables start 2> /dev/null +carol::ipsec start +dave::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up alice +carol::ipsec up venus +dave::ipsec up venus +dave::ipsec up alice diff --git a/testing/tests/multi-level-ca-ldap/test.conf b/testing/tests/multi-level-ca-ldap/test.conf new file mode 100644 index 000000000..08e5cc145 --- /dev/null +++ b/testing/tests/multi-level-ca-ldap/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice venus moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-v-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/multi-level-ca-loop/description.txt b/testing/tests/multi-level-ca-loop/description.txt new file mode 100644 index 000000000..9b63c2c66 --- /dev/null +++ b/testing/tests/multi-level-ca-loop/description.txt @@ -0,0 +1,6 @@ +The roadwarrior <b>carol</b>, possessing a certificate issued by the +Research CA, tries to set up a tunnel to gateway <b>moon</b>. +The Research CA's certificate is signed by the Sales CA and +the Sales CA's certificate in turn is signed by the Research CA. +This leads to an endless trust path loop but which is aborted by +<b>moon</b> when the path level reaches a depth of 7 iterations. diff --git a/testing/tests/multi-level-ca-loop/evaltest.dat b/testing/tests/multi-level-ca-loop/evaltest.dat new file mode 100644 index 000000000..781a7b4ac --- /dev/null +++ b/testing/tests/multi-level-ca-loop/evaltest.dat @@ -0,0 +1,3 @@ +moon::cat /var/log/auth.log::maximum ca path length of 7 levels exceeded::YES +carol::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::NO +moon::ipsec status::alice.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::NO diff --git a/testing/tests/multi-level-ca-loop/hosts/carol/etc/ipsec.conf b/testing/tests/multi-level-ca-loop/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..c56678b59 --- /dev/null +++ b/testing/tests/multi-level-ca-loop/hosts/carol/etc/ipsec.conf @@ -0,0 +1,28 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolCert.pem + right=PH_IP_MOON + rightid=@moon.strongswan.org + +conn alice + rightsubnet=PH_IP_ALICE/32 + auto=add + + + + + diff --git a/testing/tests/multi-level-ca-loop/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/multi-level-ca-loop/hosts/carol/etc/ipsec.d/certs/carolCert.pem new file mode 100644 index 000000000..2990d6a12 --- /dev/null +++ b/testing/tests/multi-level-ca-loop/hosts/carol/etc/ipsec.d/certs/carolCert.pem @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIELDCCAxSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS +BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTA1MDMyMzA3MDQyM1oXDTEwMDMyMjA3MDQy +M1owWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP +BgNVBAsTCFJlc2VhcmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCC +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM+oTiV7lCh1ID41edDUgUjR +dZwEMPBAM1xDqoxJxIJpug8UIuuUL0TvQnZ4Z5fa/9QNNCkQ7FDh8ZcR+TT8x0mO +dYYA73mMQic0n4O57F+s/lESKvIoN+vIDR3rGJBv9rYztS4ODE+DJl9XK9TtId5u +57jfXu/k3IYl5GeQ3f+ic2l2Ola70t70Op6cFDZIhOCjs2xWw2yqGdPWODaN/Enw +5fOLv/om+7HHB4KgPGv4p4ohWIUCo2XK597Ii+jB2MdOUlG83/1aX7+M+IeYVwjI +hzWjwRQfMz0AQha0HYN4cvrZ7stUluMxewsCROCBzcGQYTZxYU4FjR8nhH4ApYMC +AwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSL +qNn96rsWg0kOJY/cyXD2JpnPIjBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p +891UIKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3 +YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBDDAfBgNVHREEGDAWgRRj +YXJvbEBzdHJvbmdzd2FuLm9yZzA3BgNVHR8EMDAuMCygKqAohiZodHRwOi8vY3Js +LnN0cm9uZ3N3YW4ub3JnL3Jlc2VhcmNoLmNybDANBgkqhkiG9w0BAQUFAAOCAQEA +FNPepmta0ac9TWe7Gl31fKkuf6ZiQftMwx/uq6PoX9PBVGeooktJMo+EiROQhL3N +Zomtl2nLfxYruXPHa7YaMWyv4+3NkV9p7jseC1K/2lCXipY4Vp8u14hqlRLCTejp +7uC/0+628e+qXlCm8wafDb9/JXzQar7rADhoLp7gJKI2PKMAzLUP2xZVzY5zx57G ++OCR/ZXonVeAPy9/0g9N8uQzJEXOVZYMjsoRra9rdlvnY1DgDoAK7QvJMC4VzENm +wKmz2rPrBlKaEcivubg7dwPMGNmb3f7F7w0HHuRbQd5Y0nDfEWBKCp0bVx1GLc7/ +MWjwPJs52qVJ3Ph++EF6bw== +-----END CERTIFICATE----- diff --git a/testing/tests/multi-level-ca-loop/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/multi-level-ca-loop/hosts/carol/etc/ipsec.d/private/carolKey.pem new file mode 100644 index 000000000..b91f9bf81 --- /dev/null +++ b/testing/tests/multi-level-ca-loop/hosts/carol/etc/ipsec.d/private/carolKey.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEogIBAAKCAQEAz6hOJXuUKHUgPjV50NSBSNF1nAQw8EAzXEOqjEnEgmm6DxQi +65QvRO9Cdnhnl9r/1A00KRDsUOHxlxH5NPzHSY51hgDveYxCJzSfg7nsX6z+URIq +8ig368gNHesYkG/2tjO1Lg4MT4MmX1cr1O0h3m7nuN9e7+TchiXkZ5Dd/6JzaXY6 +VrvS3vQ6npwUNkiE4KOzbFbDbKoZ09Y4No38SfDl84u/+ib7sccHgqA8a/iniiFY +hQKjZcrn3siL6MHYx05SUbzf/Vpfv4z4h5hXCMiHNaPBFB8zPQBCFrQdg3hy+tnu +y1SW4zF7CwJE4IHNwZBhNnFhTgWNHyeEfgClgwIDAQABAoIBAHXoftbRoIKIXtJz +0sM8plwOctUvnAoOqhsNYN1fVXEnTzoYmOtirKRbpkVWgJu9Ad4J0UAwF76lTGQX +FIV9sjqV5S09grxlY3qXaquE+i4pMA4gXro5E+eRI8GFJ+F7cX5rRcjsuRi8wyEH +gh/YtY5zMqfKTUGxlXWmNlaH70WilianuMPNXwaKgyBGcfZdheyUggM0rYEJrG1Z +PZqNo0JKfeI4htpENDp0k1xJ9lCjIqdNw0ZjBi+pL6hF5PYaPjlVC2yn5CzRaT1D +nUeKUK+SVES4sPrEQtaOlk86uZC4pIz5IlEoSvaw/Yo3Gk1sQKIQMMh1crhHd0El +U831KwECgYEA7fQY+aFk3fHabwgf9gjuPKgwetVQ8jNDWUiSqffHUC0AQfKZQQsF +mXJeSRZomPCWG3DRz1EcqXr9f82bN295I0CI6foXZgKUmjed7Bohc0HvUqNOi2qm +MdbdWBOaH4RBzi1fAENJZnprmq65jQ/tkfCwqIz4KaLt+8xiWmU2h6ECgYEA32gB +UbCzs1LoJC03uGHqZFRWK/YNKOKBUw58XCnzPTA+34UupI88lPj8LD269tDtruRy +G7wt4HjayPKtK430nKAl01IXq6ULBTByu3KrCOm/gTAycVMj4ZimTn7Qu9jyv4Lz +Ka3rBQxB+yQWfn27dc7U+EBsA7PT53NR6Zl8CqMCgYALJYod93+AHho7ZUgKAHUY +hlBvEJsQHXKkNhAYwjCmAtWmQTUIpPmILKFaDyCrOWnusyRA7+3FyqshV4JT4Hbu +PdGsFDkQYEKRztUpADhc69PILTo6sa5DW2tW+uQXYdyrSdjPbFd943Iy9sheYUah +tYKxApmFacp4JyTcUy1wwQKBgA44xLy6jvX/dR+4cS+frBgu9j1eMIBFyw3Kgkgr +s3xVserww4NeSvEA2KzIUTqdGkRj7o+tbw43I1ZffH6lTskZuM63DyKyIv11lBgy +uIicuMA0nUFxlXsrCIs+r3MF4I4oe+pPVALCQQEHzxbGUkSxogUbtMSXkgnN4Y0J +ZEgZAoGAfo0nv/IeKi0KkKiPTQSGVWGAQyCpGE0UQ2RYYToT84kjXs+LrVGFH2lu +LJvyYnSnM7eKqCFKh+kLQ3bezum56y5XTyAEipTmu7Lhp0CiVjSdnu+0QykmhKsx +Z17Ut2ryGKOXySnlMNual4eCLq98o0iOcYPq08V6x33dhK7Z3kU= +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/multi-level-ca-loop/hosts/moon/etc/ipsec.conf b/testing/tests/multi-level-ca-loop/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..343042f15 --- /dev/null +++ b/testing/tests/multi-level-ca-loop/hosts/moon/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=yes + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_MOON + leftnexthop=%direct + leftcert=moonCert.pem + leftid=@moon.strongswan.org + +conn alice + leftsubnet=PH_IP_ALICE/32 + right=%any + rightca="C=CH, O=Linux strongSwan, OU=Research, CN=Research CA" + auto=add diff --git a/testing/tests/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/research_by_salesCert.pem b/testing/tests/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/research_by_salesCert.pem new file mode 100644 index 000000000..efb939e3a --- /dev/null +++ b/testing/tests/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/research_by_salesCert.pem @@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIID/TCCAuWgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBLMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEOMAwGA1UECxMFU2FsZXMxETAPBgNV +BAMTCFNhbGVzIENBMB4XDTA1MDYxNjE5NTUzNloXDTEwMDYxNTE5NTUzNlowUTEL +MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsT +CFJlc2VhcmNoMRQwEgYDVQQDEwtSZXNlYXJjaCBDQTCCASIwDQYJKoZIhvcNAQEB +BQADggEPADCCAQoCggEBALY5sjqm4AdbWKc/T7JahWpy9xtdPbHngBN6lbnpYaHf +rxnGsvmDFCFZHCd7egRqQ/AuJHHcEv3DUdfJWWAypVnUvdlcp58hBjpxfTPXP9ID +BxzQaQyUzsExIGWOVUY2e7xJ5BKBnXVkok3htY4Hr1GdqNh+3LEmbegJBngTRSRx +4PKJ54FO/b78LUzB+rMxrzxw/lnI8jEmAtKlugQ7c9auMeFCz+NmlSfnSoWhHN5q +m+0iNKy0C+25IuE8Nq+i3jtBiI8BwBqHY3u2IuflUh9Nc9d/R6vGsRPMHs30X1Ha +/m0Ug494+wwqwfEBZRjzxMmMF/1SG4I1E3TDOJ3srjkCAwEAAaOB5TCB4jAPBgNV +HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU53XwoPKtIM3NYCPM +x8gPKfPdVCAwbQYDVR0jBGYwZIAUX5sTRvkgcsgA1Yi1p0wul+oLkyihSaRHMEUx +CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQD +ExJzdHJvbmdTd2FuIFJvb3QgQ0GCAQ0wNAYDVR0fBC0wKzApoCegJYYjaHR0cDov +L2NybC5zdHJvbmdzd2FuLm9yZy9zYWxlcy5jcmwwDQYJKoZIhvcNAQEFBQADggEB +AJ2EkXnpgdJpsBIMcH+3oTUks8gAT5bR+LdVQSMHqvjgfaCq5fuZY15niLm5QeFr +Yhv2KtfHfF+tZgE+qWcqS33Y2U/jwUMO45Wqi5HXQDk8AM/gcvQZ8+PINkGdVdup +Wyw3MM08S/fp8UUl/3QrDr+CBGqZCSx3LEIFILm2hvdXK1/okAtkwlKV4YiOEemg +pZURzA2M29FeGDS8snfiVYFBkydT9QrrHnx8IwyVGykfOA4tnjRsjTvcs0qhtLcL +rjK2FSmzBTCVl6/lBOYmB765KUHev6WF4hdMKHf7lsH2nhYb97jxoT54y73jVd1S +uaJ2yDwEhOHn3ihb1bqlanM= +-----END CERTIFICATE----- diff --git a/testing/tests/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/sales_by_researchCert.pem b/testing/tests/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/sales_by_researchCert.pem new file mode 100644 index 000000000..90e207c4b --- /dev/null +++ b/testing/tests/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/sales_by_researchCert.pem @@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIIEADCCAuigAwIBAgIBAjANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS +BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTA1MDYxNjE5NTcxMFoXDTEwMDYxNTE5NTcx +MFowSzELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAM +BgNVBAsTBVNhbGVzMREwDwYDVQQDEwhTYWxlcyBDQTCCASIwDQYJKoZIhvcNAQEB +BQADggEPADCCAQoCggEBAMJOTSaZjDe5UR+hJbodcE40WBxWm+r0FiD+FLc2c0hH +/QcWm1Xfqnc9qaPPGoxO2BfwXgFEHfOdQzHGuthhsvdMPkmWP1Z3uDrwscqrmLyq +4JI87exSen1ggmCVEib55T4fNxrTIGJaoe6Jn9v9ZwG2B+Ur3nFA/wdckSdqJxc6 +XL9DKcRk3TxZtv9SuDftE9G787O6PJSyfyUYhldz1EZe5PTsUoAbBJ0DDXJx3562 +kDtfQdwezat0LAyOsVabYq/0G/fBZwLLer4qGF2+3CsvP7jNXnhRYeSv2+4i2mAj +gbBRI1A3iqoU3Nq1vPAqzrekOI/RV9Hre9L1r8X1dIECAwEAAaOB6DCB5TAPBgNV +HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUX5sTRvkgcsgA1Yi1 +p0wul+oLkygwbQYDVR0jBGYwZIAU53XwoPKtIM3NYCPMx8gPKfPdVCChSaRHMEUx +CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQD +ExJzdHJvbmdTd2FuIFJvb3QgQ0GCAQwwNwYDVR0fBDAwLjAsoCqgKIYmaHR0cDov +L2NybC5zdHJvbmdzd2FuLm9yZy9yZXNlYXJjaC5jcmwwDQYJKoZIhvcNAQEFBQAD +ggEBAJW0/z17JK38rsn8zh0Ta+9Ql5fcA9UIUGcN/KfCvdGwrYaym8Dy6Pz+sZkO +clOv5t+3R1zKDiiLGQ4m8jYW6NcxeJZyyPhGtKaafanXZsQuMpaTpvkRr62jx/NB +b3c/HS3dqz2dTMvFJ6CC65vOnnGgzF1szhrrWymGI/NuHUge748WYPNw+OsLmBQI +koXJsMURGtPWXtJE98Rre+r/6O5kzZNv7V8LGoBkWf1Z6g1q2VvCcnJPxANcQoxf +Is+E+aqBhGJ6XlnQIlQB1SjoMhOnJ282JK9Hk3NmQYb/zvIzIfo3FCrjj1JI/XoA +/szZoxwnE2iHtIoMAhfHZpRvOkg= +-----END CERTIFICATE----- diff --git a/testing/tests/multi-level-ca-loop/posttest.dat b/testing/tests/multi-level-ca-loop/posttest.dat new file mode 100644 index 000000000..076f51f4d --- /dev/null +++ b/testing/tests/multi-level-ca-loop/posttest.dat @@ -0,0 +1,4 @@ +moon::ipsec stop +carol::ipsec stop +moon::rm /etc/ipsec.d/cacerts/* + diff --git a/testing/tests/multi-level-ca-loop/pretest.dat b/testing/tests/multi-level-ca-loop/pretest.dat new file mode 100644 index 000000000..0a0ec22bf --- /dev/null +++ b/testing/tests/multi-level-ca-loop/pretest.dat @@ -0,0 +1,6 @@ +moon::echo 1 > /proc/sys/net/ipv4/ip_forward +moon::rm /etc/ipsec.d/cacerts/strongswanCert.pem +carol::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up alice diff --git a/testing/tests/multi-level-ca-loop/test.conf b/testing/tests/multi-level-ca-loop/test.conf new file mode 100644 index 000000000..3189fdfc7 --- /dev/null +++ b/testing/tests/multi-level-ca-loop/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/multi-level-ca-revoked/description.txt b/testing/tests/multi-level-ca-revoked/description.txt new file mode 100644 index 000000000..c91ac285b --- /dev/null +++ b/testing/tests/multi-level-ca-revoked/description.txt @@ -0,0 +1,4 @@ +The roadwarrior <b>carol</b> possesses a certificate issued by the Research CA. +The certificate of the Research CA has been revoked by the Root CA by entering +the serial number in the CRL. Therefore upon verification of the trust path +the gateway <b>moon</b> will reject the roadwarrior's certificate diff --git a/testing/tests/multi-level-ca-revoked/evaltest.dat b/testing/tests/multi-level-ca-revoked/evaltest.dat new file mode 100644 index 000000000..0fd1cae8c --- /dev/null +++ b/testing/tests/multi-level-ca-revoked/evaltest.dat @@ -0,0 +1,6 @@ +moon::cat /var/log/auth.log::X.509 certificate rejected::YES +moon::cat /var/log/auth.log::certificate was revoked::YES +carol::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES +moon::ipsec listcrls:: ok::YES +moon::ipsec status::rw.*STATE_MAIN_R3.*ISAKMP SA established::NO +carol::ipsec status::home.*STATE_MAIN_I4.*ISAKMP SA established::NO diff --git a/testing/tests/multi-level-ca-revoked/hosts/carol/etc/ipsec.conf b/testing/tests/multi-level-ca-revoked/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..6d0aee86a --- /dev/null +++ b/testing/tests/multi-level-ca-revoked/hosts/carol/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=yes + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolCert.pem + leftid=carol@strongswan.org + +conn home + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/multi-level-ca-revoked/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/multi-level-ca-revoked/hosts/carol/etc/ipsec.d/certs/carolCert.pem new file mode 100644 index 000000000..2990d6a12 --- /dev/null +++ b/testing/tests/multi-level-ca-revoked/hosts/carol/etc/ipsec.d/certs/carolCert.pem @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIELDCCAxSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS +BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTA1MDMyMzA3MDQyM1oXDTEwMDMyMjA3MDQy +M1owWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP +BgNVBAsTCFJlc2VhcmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCC +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM+oTiV7lCh1ID41edDUgUjR +dZwEMPBAM1xDqoxJxIJpug8UIuuUL0TvQnZ4Z5fa/9QNNCkQ7FDh8ZcR+TT8x0mO +dYYA73mMQic0n4O57F+s/lESKvIoN+vIDR3rGJBv9rYztS4ODE+DJl9XK9TtId5u +57jfXu/k3IYl5GeQ3f+ic2l2Ola70t70Op6cFDZIhOCjs2xWw2yqGdPWODaN/Enw +5fOLv/om+7HHB4KgPGv4p4ohWIUCo2XK597Ii+jB2MdOUlG83/1aX7+M+IeYVwjI +hzWjwRQfMz0AQha0HYN4cvrZ7stUluMxewsCROCBzcGQYTZxYU4FjR8nhH4ApYMC +AwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSL +qNn96rsWg0kOJY/cyXD2JpnPIjBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p +891UIKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3 +YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBDDAfBgNVHREEGDAWgRRj +YXJvbEBzdHJvbmdzd2FuLm9yZzA3BgNVHR8EMDAuMCygKqAohiZodHRwOi8vY3Js +LnN0cm9uZ3N3YW4ub3JnL3Jlc2VhcmNoLmNybDANBgkqhkiG9w0BAQUFAAOCAQEA +FNPepmta0ac9TWe7Gl31fKkuf6ZiQftMwx/uq6PoX9PBVGeooktJMo+EiROQhL3N +Zomtl2nLfxYruXPHa7YaMWyv4+3NkV9p7jseC1K/2lCXipY4Vp8u14hqlRLCTejp +7uC/0+628e+qXlCm8wafDb9/JXzQar7rADhoLp7gJKI2PKMAzLUP2xZVzY5zx57G ++OCR/ZXonVeAPy9/0g9N8uQzJEXOVZYMjsoRra9rdlvnY1DgDoAK7QvJMC4VzENm +wKmz2rPrBlKaEcivubg7dwPMGNmb3f7F7w0HHuRbQd5Y0nDfEWBKCp0bVx1GLc7/ +MWjwPJs52qVJ3Ph++EF6bw== +-----END CERTIFICATE----- diff --git a/testing/tests/multi-level-ca-revoked/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/multi-level-ca-revoked/hosts/carol/etc/ipsec.d/private/carolKey.pem new file mode 100644 index 000000000..b91f9bf81 --- /dev/null +++ b/testing/tests/multi-level-ca-revoked/hosts/carol/etc/ipsec.d/private/carolKey.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEogIBAAKCAQEAz6hOJXuUKHUgPjV50NSBSNF1nAQw8EAzXEOqjEnEgmm6DxQi +65QvRO9Cdnhnl9r/1A00KRDsUOHxlxH5NPzHSY51hgDveYxCJzSfg7nsX6z+URIq +8ig368gNHesYkG/2tjO1Lg4MT4MmX1cr1O0h3m7nuN9e7+TchiXkZ5Dd/6JzaXY6 +VrvS3vQ6npwUNkiE4KOzbFbDbKoZ09Y4No38SfDl84u/+ib7sccHgqA8a/iniiFY +hQKjZcrn3siL6MHYx05SUbzf/Vpfv4z4h5hXCMiHNaPBFB8zPQBCFrQdg3hy+tnu +y1SW4zF7CwJE4IHNwZBhNnFhTgWNHyeEfgClgwIDAQABAoIBAHXoftbRoIKIXtJz +0sM8plwOctUvnAoOqhsNYN1fVXEnTzoYmOtirKRbpkVWgJu9Ad4J0UAwF76lTGQX +FIV9sjqV5S09grxlY3qXaquE+i4pMA4gXro5E+eRI8GFJ+F7cX5rRcjsuRi8wyEH +gh/YtY5zMqfKTUGxlXWmNlaH70WilianuMPNXwaKgyBGcfZdheyUggM0rYEJrG1Z +PZqNo0JKfeI4htpENDp0k1xJ9lCjIqdNw0ZjBi+pL6hF5PYaPjlVC2yn5CzRaT1D +nUeKUK+SVES4sPrEQtaOlk86uZC4pIz5IlEoSvaw/Yo3Gk1sQKIQMMh1crhHd0El +U831KwECgYEA7fQY+aFk3fHabwgf9gjuPKgwetVQ8jNDWUiSqffHUC0AQfKZQQsF +mXJeSRZomPCWG3DRz1EcqXr9f82bN295I0CI6foXZgKUmjed7Bohc0HvUqNOi2qm +MdbdWBOaH4RBzi1fAENJZnprmq65jQ/tkfCwqIz4KaLt+8xiWmU2h6ECgYEA32gB +UbCzs1LoJC03uGHqZFRWK/YNKOKBUw58XCnzPTA+34UupI88lPj8LD269tDtruRy +G7wt4HjayPKtK430nKAl01IXq6ULBTByu3KrCOm/gTAycVMj4ZimTn7Qu9jyv4Lz +Ka3rBQxB+yQWfn27dc7U+EBsA7PT53NR6Zl8CqMCgYALJYod93+AHho7ZUgKAHUY +hlBvEJsQHXKkNhAYwjCmAtWmQTUIpPmILKFaDyCrOWnusyRA7+3FyqshV4JT4Hbu +PdGsFDkQYEKRztUpADhc69PILTo6sa5DW2tW+uQXYdyrSdjPbFd943Iy9sheYUah +tYKxApmFacp4JyTcUy1wwQKBgA44xLy6jvX/dR+4cS+frBgu9j1eMIBFyw3Kgkgr +s3xVserww4NeSvEA2KzIUTqdGkRj7o+tbw43I1ZffH6lTskZuM63DyKyIv11lBgy +uIicuMA0nUFxlXsrCIs+r3MF4I4oe+pPVALCQQEHzxbGUkSxogUbtMSXkgnN4Y0J +ZEgZAoGAfo0nv/IeKi0KkKiPTQSGVWGAQyCpGE0UQ2RYYToT84kjXs+LrVGFH2lu +LJvyYnSnM7eKqCFKh+kLQ3bezum56y5XTyAEipTmu7Lhp0CiVjSdnu+0QykmhKsx +Z17Ut2ryGKOXySnlMNual4eCLq98o0iOcYPq08V6x33dhK7Z3kU= +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/multi-level-ca-revoked/hosts/carol/etc/ipsec.secrets b/testing/tests/multi-level-ca-revoked/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..fac55d63b --- /dev/null +++ b/testing/tests/multi-level-ca-revoked/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA carolKey.pem diff --git a/testing/tests/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf b/testing/tests/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..39a298de9 --- /dev/null +++ b/testing/tests/multi-level-ca-revoked/hosts/moon/etc/ipsec.conf @@ -0,0 +1,29 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=yes + +ca strongswan + cacert=strongswanCert.pem + crluri=http://crl.strongswan.org/strongswan.crl + auto=add + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_MOON + leftnexthop=%direct + leftcert=moonCert.pem + leftid=@moon.strongswan.org + +conn alice + leftsubnet=PH_IP_ALICE/32 + right=%any + rightca="C=CH, O=Linux strongSwan, OU=Research, CN=Research CA" + auto=add diff --git a/testing/tests/multi-level-ca-revoked/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem b/testing/tests/multi-level-ca-revoked/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem new file mode 100644 index 000000000..c380a5110 --- /dev/null +++ b/testing/tests/multi-level-ca-revoked/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem @@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIIDwTCCAqmgAwIBAgIBDDANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA1MDMyMzA2MjUzNloXDTE0MDMyMTA2MjUzNlowUTELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh +cmNoMRQwEgYDVQQDEwtSZXNlYXJjaCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBALY5sjqm4AdbWKc/T7JahWpy9xtdPbHngBN6lbnpYaHfrxnGsvmD +FCFZHCd7egRqQ/AuJHHcEv3DUdfJWWAypVnUvdlcp58hBjpxfTPXP9IDBxzQaQyU +zsExIGWOVUY2e7xJ5BKBnXVkok3htY4Hr1GdqNh+3LEmbegJBngTRSRx4PKJ54FO +/b78LUzB+rMxrzxw/lnI8jEmAtKlugQ7c9auMeFCz+NmlSfnSoWhHN5qm+0iNKy0 +C+25IuE8Nq+i3jtBiI8BwBqHY3u2IuflUh9Nc9d/R6vGsRPMHs30X1Ha/m0Ug494 ++wwqwfEBZRjzxMmMF/1SG4I1E3TDOJ3srjkCAwEAAaOBrzCBrDAPBgNVHRMBAf8E +BTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU53XwoPKtIM3NYCPMx8gPKfPd +VCAwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNV +BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJv +bmdTd2FuIFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQEFBQADggEBAA4jpa5Vc/q94/X1 +LAHO2m7v2AFPl68SwspZLbCL7Le+iv5BUQ814Y9qCXMySak+NpZ5RLzm/cC+3GCa +6eyozhZnS5LDxIgtStXWaC3vIQKQhJMwnc43RgcqneqqS5/H5zNXz/f0g/bRG8bN +T6nO0ZRdpy8Zu0+fH3f/u9/sQPRX3iNL/rd3x/UVLoowkQHdKzZfjcrFm+8CPl4r +9xOKjzC6epPY2ApfXmLodd0zemf84CKSJCXfkVlk0cYw1YLKUINnHToFfDAw0kCL +cVc7wHWZlzSVSE3u0PYXVssnsm08RWqAGPL3TO09fnUntNMzlIxNpOTuWsKVXZPq +YO2C4HE= +-----END CERTIFICATE----- diff --git a/testing/tests/multi-level-ca-revoked/posttest.dat b/testing/tests/multi-level-ca-revoked/posttest.dat new file mode 100644 index 000000000..f84b7e37b --- /dev/null +++ b/testing/tests/multi-level-ca-revoked/posttest.dat @@ -0,0 +1,3 @@ +moon::ipsec stop +carol::ipsec stop +moon::rm /etc/ipsec.d/cacerts/* diff --git a/testing/tests/multi-level-ca-revoked/pretest.dat b/testing/tests/multi-level-ca-revoked/pretest.dat new file mode 100644 index 000000000..d92333d86 --- /dev/null +++ b/testing/tests/multi-level-ca-revoked/pretest.dat @@ -0,0 +1,4 @@ +moon::ipsec start +carol::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/multi-level-ca-revoked/test.conf b/testing/tests/multi-level-ca-revoked/test.conf new file mode 100644 index 000000000..2b240d895 --- /dev/null +++ b/testing/tests/multi-level-ca-revoked/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/multi-level-ca-strict/description.txt b/testing/tests/multi-level-ca-strict/description.txt new file mode 100644 index 000000000..32413e3de --- /dev/null +++ b/testing/tests/multi-level-ca-strict/description.txt @@ -0,0 +1,10 @@ +The VPN gateway <b>moon</b> controls the access to the hosts <b>alice</b> and +<b>venus</b> by means of two different Intermediate CAs. Access to +<b>alice</b> is granted to users presenting a certificate issued by the Research CA +whereas <b>venus</b> can only be reached with a certificate issued by the +Sales CA. The roadwarriors <b>carol</b> and <b>dave</b> have certificates from +the Research CA and Sales CA, respectively. Therefore <b>carol</b> can access +<b>alice</b> and <b>dave</b> can reach <b>venus</b>. +<p> +By setting <b>strictcrlpolicy=yes</b> the CRLs from the strongSwan, Research and +Sales CAs must be fetched first, before the connection setups can be successfully completed. diff --git a/testing/tests/multi-level-ca-strict/evaltest.dat b/testing/tests/multi-level-ca-strict/evaltest.dat new file mode 100644 index 000000000..5a181a62d --- /dev/null +++ b/testing/tests/multi-level-ca-strict/evaltest.dat @@ -0,0 +1,12 @@ +moon::cat /var/log/auth.log::PH_IP_CAROL.*X.509 certificate rejected::YES +carol::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES +moon::cat /var/log/auth.log::PH_IP_DAVE.*X.509 certificate rejected::YES +dave::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES +carol::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::alice.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::YES +carol::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::NO +moon::ipsec status::venus.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::NO +dave::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::venus.*PH_IP_DAVE.*STATE_QUICK_R2.*IPsec SA established::YES +dave::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::NO +moon::ipsec status::alice.*PH_IP_DAVE.*STATE_QUICK_R2.*IPsec SA established::NO diff --git a/testing/tests/multi-level-ca-strict/hosts/carol/etc/ipsec.conf b/testing/tests/multi-level-ca-strict/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..de179c565 --- /dev/null +++ b/testing/tests/multi-level-ca-strict/hosts/carol/etc/ipsec.conf @@ -0,0 +1,32 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolCert.pem + right=PH_IP_MOON + rightid=@moon.strongswan.org + +conn alice + rightsubnet=PH_IP_ALICE/32 + auto=add + +conn venus + rightsubnet=PH_IP_VENUS/32 + auto=add + + + + + diff --git a/testing/tests/multi-level-ca-strict/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/multi-level-ca-strict/hosts/carol/etc/ipsec.d/certs/carolCert.pem new file mode 100644 index 000000000..2990d6a12 --- /dev/null +++ b/testing/tests/multi-level-ca-strict/hosts/carol/etc/ipsec.d/certs/carolCert.pem @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIELDCCAxSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS +BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTA1MDMyMzA3MDQyM1oXDTEwMDMyMjA3MDQy +M1owWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP +BgNVBAsTCFJlc2VhcmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCC +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM+oTiV7lCh1ID41edDUgUjR +dZwEMPBAM1xDqoxJxIJpug8UIuuUL0TvQnZ4Z5fa/9QNNCkQ7FDh8ZcR+TT8x0mO +dYYA73mMQic0n4O57F+s/lESKvIoN+vIDR3rGJBv9rYztS4ODE+DJl9XK9TtId5u +57jfXu/k3IYl5GeQ3f+ic2l2Ola70t70Op6cFDZIhOCjs2xWw2yqGdPWODaN/Enw +5fOLv/om+7HHB4KgPGv4p4ohWIUCo2XK597Ii+jB2MdOUlG83/1aX7+M+IeYVwjI +hzWjwRQfMz0AQha0HYN4cvrZ7stUluMxewsCROCBzcGQYTZxYU4FjR8nhH4ApYMC +AwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSL +qNn96rsWg0kOJY/cyXD2JpnPIjBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p +891UIKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3 +YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBDDAfBgNVHREEGDAWgRRj +YXJvbEBzdHJvbmdzd2FuLm9yZzA3BgNVHR8EMDAuMCygKqAohiZodHRwOi8vY3Js +LnN0cm9uZ3N3YW4ub3JnL3Jlc2VhcmNoLmNybDANBgkqhkiG9w0BAQUFAAOCAQEA +FNPepmta0ac9TWe7Gl31fKkuf6ZiQftMwx/uq6PoX9PBVGeooktJMo+EiROQhL3N +Zomtl2nLfxYruXPHa7YaMWyv4+3NkV9p7jseC1K/2lCXipY4Vp8u14hqlRLCTejp +7uC/0+628e+qXlCm8wafDb9/JXzQar7rADhoLp7gJKI2PKMAzLUP2xZVzY5zx57G ++OCR/ZXonVeAPy9/0g9N8uQzJEXOVZYMjsoRra9rdlvnY1DgDoAK7QvJMC4VzENm +wKmz2rPrBlKaEcivubg7dwPMGNmb3f7F7w0HHuRbQd5Y0nDfEWBKCp0bVx1GLc7/ +MWjwPJs52qVJ3Ph++EF6bw== +-----END CERTIFICATE----- diff --git a/testing/tests/multi-level-ca-strict/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/multi-level-ca-strict/hosts/carol/etc/ipsec.d/private/carolKey.pem new file mode 100644 index 000000000..b91f9bf81 --- /dev/null +++ b/testing/tests/multi-level-ca-strict/hosts/carol/etc/ipsec.d/private/carolKey.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEogIBAAKCAQEAz6hOJXuUKHUgPjV50NSBSNF1nAQw8EAzXEOqjEnEgmm6DxQi +65QvRO9Cdnhnl9r/1A00KRDsUOHxlxH5NPzHSY51hgDveYxCJzSfg7nsX6z+URIq +8ig368gNHesYkG/2tjO1Lg4MT4MmX1cr1O0h3m7nuN9e7+TchiXkZ5Dd/6JzaXY6 +VrvS3vQ6npwUNkiE4KOzbFbDbKoZ09Y4No38SfDl84u/+ib7sccHgqA8a/iniiFY +hQKjZcrn3siL6MHYx05SUbzf/Vpfv4z4h5hXCMiHNaPBFB8zPQBCFrQdg3hy+tnu +y1SW4zF7CwJE4IHNwZBhNnFhTgWNHyeEfgClgwIDAQABAoIBAHXoftbRoIKIXtJz +0sM8plwOctUvnAoOqhsNYN1fVXEnTzoYmOtirKRbpkVWgJu9Ad4J0UAwF76lTGQX +FIV9sjqV5S09grxlY3qXaquE+i4pMA4gXro5E+eRI8GFJ+F7cX5rRcjsuRi8wyEH +gh/YtY5zMqfKTUGxlXWmNlaH70WilianuMPNXwaKgyBGcfZdheyUggM0rYEJrG1Z +PZqNo0JKfeI4htpENDp0k1xJ9lCjIqdNw0ZjBi+pL6hF5PYaPjlVC2yn5CzRaT1D +nUeKUK+SVES4sPrEQtaOlk86uZC4pIz5IlEoSvaw/Yo3Gk1sQKIQMMh1crhHd0El +U831KwECgYEA7fQY+aFk3fHabwgf9gjuPKgwetVQ8jNDWUiSqffHUC0AQfKZQQsF +mXJeSRZomPCWG3DRz1EcqXr9f82bN295I0CI6foXZgKUmjed7Bohc0HvUqNOi2qm +MdbdWBOaH4RBzi1fAENJZnprmq65jQ/tkfCwqIz4KaLt+8xiWmU2h6ECgYEA32gB +UbCzs1LoJC03uGHqZFRWK/YNKOKBUw58XCnzPTA+34UupI88lPj8LD269tDtruRy +G7wt4HjayPKtK430nKAl01IXq6ULBTByu3KrCOm/gTAycVMj4ZimTn7Qu9jyv4Lz +Ka3rBQxB+yQWfn27dc7U+EBsA7PT53NR6Zl8CqMCgYALJYod93+AHho7ZUgKAHUY +hlBvEJsQHXKkNhAYwjCmAtWmQTUIpPmILKFaDyCrOWnusyRA7+3FyqshV4JT4Hbu +PdGsFDkQYEKRztUpADhc69PILTo6sa5DW2tW+uQXYdyrSdjPbFd943Iy9sheYUah +tYKxApmFacp4JyTcUy1wwQKBgA44xLy6jvX/dR+4cS+frBgu9j1eMIBFyw3Kgkgr +s3xVserww4NeSvEA2KzIUTqdGkRj7o+tbw43I1ZffH6lTskZuM63DyKyIv11lBgy +uIicuMA0nUFxlXsrCIs+r3MF4I4oe+pPVALCQQEHzxbGUkSxogUbtMSXkgnN4Y0J +ZEgZAoGAfo0nv/IeKi0KkKiPTQSGVWGAQyCpGE0UQ2RYYToT84kjXs+LrVGFH2lu +LJvyYnSnM7eKqCFKh+kLQ3bezum56y5XTyAEipTmu7Lhp0CiVjSdnu+0QykmhKsx +Z17Ut2ryGKOXySnlMNual4eCLq98o0iOcYPq08V6x33dhK7Z3kU= +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/multi-level-ca-strict/hosts/dave/etc/ipsec.conf b/testing/tests/multi-level-ca-strict/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..2fb6a301e --- /dev/null +++ b/testing/tests/multi-level-ca-strict/hosts/dave/etc/ipsec.conf @@ -0,0 +1,32 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_DAVE + leftnexthop=%direct + leftcert=daveCert.pem + right=PH_IP_MOON + rightid=@moon.strongswan.org + +conn alice + rightsubnet=PH_IP_ALICE/32 + auto=add + +conn venus + rightsubnet=PH_IP_VENUS/32 + auto=add + + + + + diff --git a/testing/tests/multi-level-ca-strict/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/multi-level-ca-strict/hosts/dave/etc/ipsec.d/certs/daveCert.pem new file mode 100644 index 000000000..b76032480 --- /dev/null +++ b/testing/tests/multi-level-ca-strict/hosts/dave/etc/ipsec.d/certs/daveCert.pem @@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIIEHDCCAwSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBLMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEOMAwGA1UECxMFU2FsZXMxETAPBgNV +BAMTCFNhbGVzIENBMB4XDTA1MDMyMzA3MTAxN1oXDTEwMDMyMjA3MTAxN1owVjEL +MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsT +BVNhbGVzMRwwGgYDVQQDFBNkYXZlQHN0cm9uZ3N3YW4ub3JnMIIBIjANBgkqhkiG +9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyqAR0itGIuSt/RR8IHjFTLH/lywprmHUw0GS +zZwo/q4AE4v6OeWRG3JUUg44K40yBwr7zvcsLztRTfbNqlt7o+Hjpo3kz0AMwDo+ +1V42Qkh61VJW1P0NQvkgjiQn+ElSMg1u3uiYCIMAhYMYo2ZMKxHXxRqjU79AVuJN +P3p8wUpfwReImAy3/n685YbSzWcbPqCfjRH/YrnYS8Ga7m/QzdNfrtxhAWAGow1+ ++eTSMvLXSkQeujU6OCJNOPUNB3nnJ1IoZrQm8wNP8Y5B5HzvOSyFEvNuHFc63gSP +aSRhuz0gubuMpr1d9Rgjny8JgsfCEbOktlKwnbFeSB8AAgVMjwIDAQABo4H/MIH8 +MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSCy57rUdNRbytUkRGY +GjmjvXfIszBtBgNVHSMEZjBkgBRfmxNG+SByyADViLWnTC6X6guTKKFJpEcwRTEL +MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT +EnN0cm9uZ1N3YW4gUm9vdCBDQYIBDTAeBgNVHREEFzAVgRNkYXZlQHN0cm9uZ3N3 +YW4ub3JnMDQGA1UdHwQtMCswKaAnoCWGI2h0dHA6Ly9jcmwuc3Ryb25nc3dhbi5v +cmcvc2FsZXMuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQB+BknSxFKaDhbRVobOAU2P +p9cirkVCitoZrvK2QIS/7WRoqy85RQ+zorJb3jyTxQl4Pu9Qrap9Zn0H8GQXGlQw +ZJqdDqRaIa4nCc57qP5DsuQKIQRxc1QMCiWyIRAESn+r8IbxLbjvEd7ZXNsieip6 +Q15uUZldjTveHVi89i9oFWS1nWo4SV+tJaEqPBvsTZZKBPAEu6+7lRzbJ4ukzRsA +DjuvmaPNUTyf21fD66I4sgrwgxoPhZ7r6qsqISJ5f0EzTXgYNi1yk/TXoAaot3c/ +Gu5+iyO/espV6kPADSOzPSFwsGHYG4kXi1VY0Z7x6UnjQSdEelOBplJ5XYDzEn4+ +-----END CERTIFICATE----- diff --git a/testing/tests/multi-level-ca-strict/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/multi-level-ca-strict/hosts/dave/etc/ipsec.d/private/daveKey.pem new file mode 100644 index 000000000..022436de4 --- /dev/null +++ b/testing/tests/multi-level-ca-strict/hosts/dave/etc/ipsec.d/private/daveKey.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAyqAR0itGIuSt/RR8IHjFTLH/lywprmHUw0GSzZwo/q4AE4v6 +OeWRG3JUUg44K40yBwr7zvcsLztRTfbNqlt7o+Hjpo3kz0AMwDo+1V42Qkh61VJW +1P0NQvkgjiQn+ElSMg1u3uiYCIMAhYMYo2ZMKxHXxRqjU79AVuJNP3p8wUpfwReI +mAy3/n685YbSzWcbPqCfjRH/YrnYS8Ga7m/QzdNfrtxhAWAGow1++eTSMvLXSkQe +ujU6OCJNOPUNB3nnJ1IoZrQm8wNP8Y5B5HzvOSyFEvNuHFc63gSPaSRhuz0gubuM +pr1d9Rgjny8JgsfCEbOktlKwnbFeSB8AAgVMjwIDAQABAoIBAHKaRFoVpa6Ynpu0 +mVwYUqdFSaVsEgsSRC9HiEuIllsteNeVZSqX4BGhAXYDmttvGauIF9IAVNpF939c +JwjCg1S2r3aFbLOXq16R0vYFOjUVH3xF/NysX3LQywv6AS1Z8wZiOKIU9eBij8nz +0tygQFZf2iUeIuB8HFzH1B8iHSuI7qn6hh1Y9Zgx4kWYL9I+WYefbR906xveHVGq +8VrgHtBAn1WeWg7FoN1VURW0s1bxkiWtpF9x9OMmwK4qR8HSCilss59V1eJrAAR0 +3FGdWwbbGg9hW0adnyDCtoaYW3r0WcXwqklyas4C+dClOpUInn8kZisoghQYT92u +U2QeDzECgYEA5Rv7+rP9HX1pNd9NQwOyIHztv4jfx60gybioogtCeRZUwPQ3GtXJ +Q0ouBxCVLdyCImIKcvd2q2b9HZE8tvOHBA/YxofH4miEN5GWA4aL+LcGrxIbxPWs +MEkxgQwsyK7lWH47fG7eW86LMx0VikFXS1EeeZZS3f3Avaww1uRtXecCgYEA4mhS +sAClZamGVWQ7VXCHuS4xHn/gPA4TCyoR5l9g9pwregGKxsROQVIFQCDMd9eTtS6B +oqoUTHdg0TlujHVUojdwHtgDaqDMTk+RXD9qy2Wob9HQVBlIwgijoLb+OjwdoAj7 +1OQx8FmMjAlMmlyJ50e1FnbNJFEJ1EMgV5QxtxkCgYEArdUeyehYy1BFTJ/CIm+i +bm37gdDbYchlUUivgkuiwvcDlWd2jADbdRfKdofJeIOPpYDXxsUmIATDVfTFqVZ7 +AcT4SCHrskh00SjANqqWdz5/bsQBl96DKBvQ2MYhEJ9K2mrkvZPtWKENEtolZsIO +9tF0mvJIq7CF1iPY5qNoq88CgYEAoZhELErJwl3U+22my7ydopZNiK9MpJCHFxjX +3c2Fr36XqWUgX+4MzKJ2DOdcCM1dJ5wh+q/Z/RnXiH2tYaL83SskY19aUOij6eDw +px68YqAUMHtYbi39uD/iSftSSM5PdsHyvGiDHEFOB0U735Dc/K45mecBVEJi+ZVP +qDKlqUECgYA1DcGOWM3P3XdB7zKy47LcankMtFZozEOLTUdGJRlmWrLdcRlZPKjt +/ALripehesp1++VtmttWQJX7uI3gveD07/tSKeMHmIoKappjRTrcaA7Pa5+z/xS/ +UhRmZUFOJwNLzy3jdv5f2c/5SIz6o4Ae3I+Zb+IapHL+lBv146/I5g== +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/multi-level-ca-strict/hosts/moon/etc/ipsec.conf b/testing/tests/multi-level-ca-strict/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..6ed262d20 --- /dev/null +++ b/testing/tests/multi-level-ca-strict/hosts/moon/etc/ipsec.conf @@ -0,0 +1,36 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=yes + +ca strongswan + cacert=strongswanCert.pem + crluri=http://crl.strongswan.org/strongswan.crl + auto=add + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_MOON + leftnexthop=%direct + leftcert=moonCert.pem + leftid=@moon.strongswan.org + +conn alice + leftsubnet=PH_IP_ALICE/32 + right=%any + rightca="C=CH, O=Linux strongSwan, OU=Research, CN=Research CA" + auto=add + +conn venus + leftsubnet=PH_IP_VENUS/32 + right=%any + rightca="C=CH, O=Linux strongSwan, OU=Sales, CN=Sales CA" + auto=add + diff --git a/testing/tests/multi-level-ca-strict/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem b/testing/tests/multi-level-ca-strict/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem new file mode 100644 index 000000000..154cff654 --- /dev/null +++ b/testing/tests/multi-level-ca-strict/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem @@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIIDwTCCAqmgAwIBAgIBDzANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA1MDYyMTE5NTgwNloXDTEwMDYyMDE5NTgwNlowUTELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh +cmNoMRQwEgYDVQQDEwtSZXNlYXJjaCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBALY5sjqm4AdbWKc/T7JahWpy9xtdPbHngBN6lbnpYaHfrxnGsvmD +FCFZHCd7egRqQ/AuJHHcEv3DUdfJWWAypVnUvdlcp58hBjpxfTPXP9IDBxzQaQyU +zsExIGWOVUY2e7xJ5BKBnXVkok3htY4Hr1GdqNh+3LEmbegJBngTRSRx4PKJ54FO +/b78LUzB+rMxrzxw/lnI8jEmAtKlugQ7c9auMeFCz+NmlSfnSoWhHN5qm+0iNKy0 +C+25IuE8Nq+i3jtBiI8BwBqHY3u2IuflUh9Nc9d/R6vGsRPMHs30X1Ha/m0Ug494 ++wwqwfEBZRjzxMmMF/1SG4I1E3TDOJ3srjkCAwEAAaOBrzCBrDAPBgNVHRMBAf8E +BTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU53XwoPKtIM3NYCPMx8gPKfPd +VCAwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNV +BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJv +bmdTd2FuIFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQEEBQADggEBAHArS2trQnBoMVcg +Br3HV78wYsa1MNAQCBAPhKMMd6EziO4FTwgNgecbKXpObX6ErFDgjtVTcLOMTvNX +fvZoNuPpdcitlgcWjfxZafNbj6j9ClE/rMbGDO64NLhdXuPVkbmic6yXRwGZpTuq +3CKgTguLvhzIEM47yfonXKaaJcKVPI7nYRZdlJmD4VflYrSUpzB361dCaPpl0AYa +0zz1+jfBBvlyic/tf+cCngV3f+GlJ4ntZ3gvRjyysHRmYpWBD7xcA8mJzgUiMyi1 +IKeNzydp+tnLfxwetfA/8ptc346me7RktAaASqO9vpS/N78eXyJRthZTKEf/OqVW +Tfcyi+M= +-----END CERTIFICATE----- diff --git a/testing/tests/multi-level-ca-strict/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem b/testing/tests/multi-level-ca-strict/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem new file mode 100644 index 000000000..e50477872 --- /dev/null +++ b/testing/tests/multi-level-ca-strict/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDuzCCAqOgAwIBAgIBDTANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA1MDMyMzA2MjkxNloXDTE0MDMyMTA2MjkxNlowSzELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsTBVNhbGVz +MREwDwYDVQQDEwhTYWxlcyBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC +ggEBAMJOTSaZjDe5UR+hJbodcE40WBxWm+r0FiD+FLc2c0hH/QcWm1Xfqnc9qaPP +GoxO2BfwXgFEHfOdQzHGuthhsvdMPkmWP1Z3uDrwscqrmLyq4JI87exSen1ggmCV +Eib55T4fNxrTIGJaoe6Jn9v9ZwG2B+Ur3nFA/wdckSdqJxc6XL9DKcRk3TxZtv9S +uDftE9G787O6PJSyfyUYhldz1EZe5PTsUoAbBJ0DDXJx3562kDtfQdwezat0LAyO +sVabYq/0G/fBZwLLer4qGF2+3CsvP7jNXnhRYeSv2+4i2mAjgbBRI1A3iqoU3Nq1 +vPAqzrekOI/RV9Hre9L1r8X1dIECAwEAAaOBrzCBrDAPBgNVHRMBAf8EBTADAQH/ +MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUX5sTRvkgcsgA1Yi1p0wul+oLkygwbQYD +VR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNI +MRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2Fu +IFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQEFBQADggEBAJ7j3X20Q8ICJ2e+iUCpVUIV +8RudUeHt9qjSXalohuxxhegL5vu7I9Gx0H56RE4glOjLMCb1xqVZ55Odxx14pHaZ +9iMnQFpgzi96exYAmBKYCHl4IFix2hrTqTWSJhEO+o+PXnQTgcfG43GQepk0qAQr +iZZy8OWiUhHSJQLJtTMm4rnYjgPn+sLwx7hCPDZpHTZocETDars7wTiVkodCbeEU +uKahAbq4b6MvvC3+7quvwoEpAEStT7+Yml+QuK/jKmhjX0hcQcw4ZWi+m32RjUAv +xDJGEvBqV2hyrzRqwh4lVNJEBba5X+QB3N6a0So6BENaJrUM3v8EDaS2KLUWyu0= +-----END CERTIFICATE----- diff --git a/testing/tests/multi-level-ca-strict/posttest.dat b/testing/tests/multi-level-ca-strict/posttest.dat new file mode 100644 index 000000000..1646d5ed2 --- /dev/null +++ b/testing/tests/multi-level-ca-strict/posttest.dat @@ -0,0 +1,5 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::rm /etc/ipsec.d/cacerts/* + diff --git a/testing/tests/multi-level-ca-strict/pretest.dat b/testing/tests/multi-level-ca-strict/pretest.dat new file mode 100644 index 000000000..67c50c2ef --- /dev/null +++ b/testing/tests/multi-level-ca-strict/pretest.dat @@ -0,0 +1,9 @@ +moon::echo 1 > /proc/sys/net/ipv4/ip_forward +carol::ipsec start +dave::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up alice +carol::ipsec up venus +dave::ipsec up venus +dave::ipsec up alice diff --git a/testing/tests/multi-level-ca-strict/test.conf b/testing/tests/multi-level-ca-strict/test.conf new file mode 100644 index 000000000..08e5cc145 --- /dev/null +++ b/testing/tests/multi-level-ca-strict/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice venus moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-v-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/multi-level-ca/description.txt b/testing/tests/multi-level-ca/description.txt new file mode 100644 index 000000000..64825cb30 --- /dev/null +++ b/testing/tests/multi-level-ca/description.txt @@ -0,0 +1,7 @@ +The VPN gateway <b>moon</b> controls the access to the hosts <b>alice</b> and +<b>venus</b> by means of two different Intermediate CAs. Access to +<b>alice</b> is granted to users presenting a certificate issued by the Research CA +whereas <b>venus</b> can only be reached with a certificate issued by the +Sales CA. The roadwarriors <b>carol</b> and <b>dave</b> have certificates from +the Research CA and Sales CA, respectively. Therefore <b>carol</b> can access +<b>alice</b> and <b>dave</b> can reach <b>venus</b>. diff --git a/testing/tests/multi-level-ca/evaltest.dat b/testing/tests/multi-level-ca/evaltest.dat new file mode 100644 index 000000000..72f620b8e --- /dev/null +++ b/testing/tests/multi-level-ca/evaltest.dat @@ -0,0 +1,12 @@ +carol::cat /var/log/auth.log::alice.*we have a cert and are sending it upon request::YES +moon::cat /var/log/auth.log::alice.*we have a cert and are sending it upon request::YES +dave::cat /var/log/auth.log::venus.*we have a cert and are sending it upon request::YES +moon::cat /var/log/auth.log::venus.*we have a cert and are sending it upon request::YES +carol::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::alice.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::YES +carol::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::NO +moon::ipsec status::venus.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::NO +dave::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::venus.*PH_IP_DAVE.*STATE_QUICK_R2.*IPsec SA established::YES +dave::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::NO +moon::ipsec status::alice.*PH_IP_DAVE.*STATE_QUICK_R2.*IPsec SA established::NO diff --git a/testing/tests/multi-level-ca/hosts/carol/etc/ipsec.conf b/testing/tests/multi-level-ca/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..e851a82f0 --- /dev/null +++ b/testing/tests/multi-level-ca/hosts/carol/etc/ipsec.conf @@ -0,0 +1,33 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolCert.pem + leftsendcert=ifasked + right=PH_IP_MOON + rightid=@moon.strongswan.org + +conn alice + rightsubnet=PH_IP_ALICE/32 + auto=add + +conn venus + rightsubnet=PH_IP_VENUS/32 + auto=add + + + + + diff --git a/testing/tests/multi-level-ca/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/multi-level-ca/hosts/carol/etc/ipsec.d/certs/carolCert.pem new file mode 100644 index 000000000..2990d6a12 --- /dev/null +++ b/testing/tests/multi-level-ca/hosts/carol/etc/ipsec.d/certs/carolCert.pem @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIELDCCAxSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS +BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTA1MDMyMzA3MDQyM1oXDTEwMDMyMjA3MDQy +M1owWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP +BgNVBAsTCFJlc2VhcmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCC +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM+oTiV7lCh1ID41edDUgUjR +dZwEMPBAM1xDqoxJxIJpug8UIuuUL0TvQnZ4Z5fa/9QNNCkQ7FDh8ZcR+TT8x0mO +dYYA73mMQic0n4O57F+s/lESKvIoN+vIDR3rGJBv9rYztS4ODE+DJl9XK9TtId5u +57jfXu/k3IYl5GeQ3f+ic2l2Ola70t70Op6cFDZIhOCjs2xWw2yqGdPWODaN/Enw +5fOLv/om+7HHB4KgPGv4p4ohWIUCo2XK597Ii+jB2MdOUlG83/1aX7+M+IeYVwjI +hzWjwRQfMz0AQha0HYN4cvrZ7stUluMxewsCROCBzcGQYTZxYU4FjR8nhH4ApYMC +AwEAAaOCAQQwggEAMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSL +qNn96rsWg0kOJY/cyXD2JpnPIjBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p +891UIKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3 +YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBDDAfBgNVHREEGDAWgRRj +YXJvbEBzdHJvbmdzd2FuLm9yZzA3BgNVHR8EMDAuMCygKqAohiZodHRwOi8vY3Js +LnN0cm9uZ3N3YW4ub3JnL3Jlc2VhcmNoLmNybDANBgkqhkiG9w0BAQUFAAOCAQEA +FNPepmta0ac9TWe7Gl31fKkuf6ZiQftMwx/uq6PoX9PBVGeooktJMo+EiROQhL3N +Zomtl2nLfxYruXPHa7YaMWyv4+3NkV9p7jseC1K/2lCXipY4Vp8u14hqlRLCTejp +7uC/0+628e+qXlCm8wafDb9/JXzQar7rADhoLp7gJKI2PKMAzLUP2xZVzY5zx57G ++OCR/ZXonVeAPy9/0g9N8uQzJEXOVZYMjsoRra9rdlvnY1DgDoAK7QvJMC4VzENm +wKmz2rPrBlKaEcivubg7dwPMGNmb3f7F7w0HHuRbQd5Y0nDfEWBKCp0bVx1GLc7/ +MWjwPJs52qVJ3Ph++EF6bw== +-----END CERTIFICATE----- diff --git a/testing/tests/multi-level-ca/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/multi-level-ca/hosts/carol/etc/ipsec.d/private/carolKey.pem new file mode 100644 index 000000000..b91f9bf81 --- /dev/null +++ b/testing/tests/multi-level-ca/hosts/carol/etc/ipsec.d/private/carolKey.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEogIBAAKCAQEAz6hOJXuUKHUgPjV50NSBSNF1nAQw8EAzXEOqjEnEgmm6DxQi +65QvRO9Cdnhnl9r/1A00KRDsUOHxlxH5NPzHSY51hgDveYxCJzSfg7nsX6z+URIq +8ig368gNHesYkG/2tjO1Lg4MT4MmX1cr1O0h3m7nuN9e7+TchiXkZ5Dd/6JzaXY6 +VrvS3vQ6npwUNkiE4KOzbFbDbKoZ09Y4No38SfDl84u/+ib7sccHgqA8a/iniiFY +hQKjZcrn3siL6MHYx05SUbzf/Vpfv4z4h5hXCMiHNaPBFB8zPQBCFrQdg3hy+tnu +y1SW4zF7CwJE4IHNwZBhNnFhTgWNHyeEfgClgwIDAQABAoIBAHXoftbRoIKIXtJz +0sM8plwOctUvnAoOqhsNYN1fVXEnTzoYmOtirKRbpkVWgJu9Ad4J0UAwF76lTGQX +FIV9sjqV5S09grxlY3qXaquE+i4pMA4gXro5E+eRI8GFJ+F7cX5rRcjsuRi8wyEH +gh/YtY5zMqfKTUGxlXWmNlaH70WilianuMPNXwaKgyBGcfZdheyUggM0rYEJrG1Z +PZqNo0JKfeI4htpENDp0k1xJ9lCjIqdNw0ZjBi+pL6hF5PYaPjlVC2yn5CzRaT1D +nUeKUK+SVES4sPrEQtaOlk86uZC4pIz5IlEoSvaw/Yo3Gk1sQKIQMMh1crhHd0El +U831KwECgYEA7fQY+aFk3fHabwgf9gjuPKgwetVQ8jNDWUiSqffHUC0AQfKZQQsF +mXJeSRZomPCWG3DRz1EcqXr9f82bN295I0CI6foXZgKUmjed7Bohc0HvUqNOi2qm +MdbdWBOaH4RBzi1fAENJZnprmq65jQ/tkfCwqIz4KaLt+8xiWmU2h6ECgYEA32gB +UbCzs1LoJC03uGHqZFRWK/YNKOKBUw58XCnzPTA+34UupI88lPj8LD269tDtruRy +G7wt4HjayPKtK430nKAl01IXq6ULBTByu3KrCOm/gTAycVMj4ZimTn7Qu9jyv4Lz +Ka3rBQxB+yQWfn27dc7U+EBsA7PT53NR6Zl8CqMCgYALJYod93+AHho7ZUgKAHUY +hlBvEJsQHXKkNhAYwjCmAtWmQTUIpPmILKFaDyCrOWnusyRA7+3FyqshV4JT4Hbu +PdGsFDkQYEKRztUpADhc69PILTo6sa5DW2tW+uQXYdyrSdjPbFd943Iy9sheYUah +tYKxApmFacp4JyTcUy1wwQKBgA44xLy6jvX/dR+4cS+frBgu9j1eMIBFyw3Kgkgr +s3xVserww4NeSvEA2KzIUTqdGkRj7o+tbw43I1ZffH6lTskZuM63DyKyIv11lBgy +uIicuMA0nUFxlXsrCIs+r3MF4I4oe+pPVALCQQEHzxbGUkSxogUbtMSXkgnN4Y0J +ZEgZAoGAfo0nv/IeKi0KkKiPTQSGVWGAQyCpGE0UQ2RYYToT84kjXs+LrVGFH2lu +LJvyYnSnM7eKqCFKh+kLQ3bezum56y5XTyAEipTmu7Lhp0CiVjSdnu+0QykmhKsx +Z17Ut2ryGKOXySnlMNual4eCLq98o0iOcYPq08V6x33dhK7Z3kU= +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/multi-level-ca/hosts/dave/etc/ipsec.conf b/testing/tests/multi-level-ca/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..458a4ca5e --- /dev/null +++ b/testing/tests/multi-level-ca/hosts/dave/etc/ipsec.conf @@ -0,0 +1,33 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_DAVE + leftnexthop=%direct + leftcert=daveCert.pem + leftsendcert=ifasked + right=PH_IP_MOON + rightid=@moon.strongswan.org + +conn alice + rightsubnet=PH_IP_ALICE/32 + auto=add + +conn venus + rightsubnet=PH_IP_VENUS/32 + auto=add + + + + + diff --git a/testing/tests/multi-level-ca/hosts/dave/etc/ipsec.d/certs/daveCert.pem b/testing/tests/multi-level-ca/hosts/dave/etc/ipsec.d/certs/daveCert.pem new file mode 100644 index 000000000..b76032480 --- /dev/null +++ b/testing/tests/multi-level-ca/hosts/dave/etc/ipsec.d/certs/daveCert.pem @@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIIEHDCCAwSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBLMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEOMAwGA1UECxMFU2FsZXMxETAPBgNV +BAMTCFNhbGVzIENBMB4XDTA1MDMyMzA3MTAxN1oXDTEwMDMyMjA3MTAxN1owVjEL +MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsT +BVNhbGVzMRwwGgYDVQQDFBNkYXZlQHN0cm9uZ3N3YW4ub3JnMIIBIjANBgkqhkiG +9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyqAR0itGIuSt/RR8IHjFTLH/lywprmHUw0GS +zZwo/q4AE4v6OeWRG3JUUg44K40yBwr7zvcsLztRTfbNqlt7o+Hjpo3kz0AMwDo+ +1V42Qkh61VJW1P0NQvkgjiQn+ElSMg1u3uiYCIMAhYMYo2ZMKxHXxRqjU79AVuJN +P3p8wUpfwReImAy3/n685YbSzWcbPqCfjRH/YrnYS8Ga7m/QzdNfrtxhAWAGow1+ ++eTSMvLXSkQeujU6OCJNOPUNB3nnJ1IoZrQm8wNP8Y5B5HzvOSyFEvNuHFc63gSP +aSRhuz0gubuMpr1d9Rgjny8JgsfCEbOktlKwnbFeSB8AAgVMjwIDAQABo4H/MIH8 +MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBSCy57rUdNRbytUkRGY +GjmjvXfIszBtBgNVHSMEZjBkgBRfmxNG+SByyADViLWnTC6X6guTKKFJpEcwRTEL +MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT +EnN0cm9uZ1N3YW4gUm9vdCBDQYIBDTAeBgNVHREEFzAVgRNkYXZlQHN0cm9uZ3N3 +YW4ub3JnMDQGA1UdHwQtMCswKaAnoCWGI2h0dHA6Ly9jcmwuc3Ryb25nc3dhbi5v +cmcvc2FsZXMuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQB+BknSxFKaDhbRVobOAU2P +p9cirkVCitoZrvK2QIS/7WRoqy85RQ+zorJb3jyTxQl4Pu9Qrap9Zn0H8GQXGlQw +ZJqdDqRaIa4nCc57qP5DsuQKIQRxc1QMCiWyIRAESn+r8IbxLbjvEd7ZXNsieip6 +Q15uUZldjTveHVi89i9oFWS1nWo4SV+tJaEqPBvsTZZKBPAEu6+7lRzbJ4ukzRsA +DjuvmaPNUTyf21fD66I4sgrwgxoPhZ7r6qsqISJ5f0EzTXgYNi1yk/TXoAaot3c/ +Gu5+iyO/espV6kPADSOzPSFwsGHYG4kXi1VY0Z7x6UnjQSdEelOBplJ5XYDzEn4+ +-----END CERTIFICATE----- diff --git a/testing/tests/multi-level-ca/hosts/dave/etc/ipsec.d/private/daveKey.pem b/testing/tests/multi-level-ca/hosts/dave/etc/ipsec.d/private/daveKey.pem new file mode 100644 index 000000000..022436de4 --- /dev/null +++ b/testing/tests/multi-level-ca/hosts/dave/etc/ipsec.d/private/daveKey.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAyqAR0itGIuSt/RR8IHjFTLH/lywprmHUw0GSzZwo/q4AE4v6 +OeWRG3JUUg44K40yBwr7zvcsLztRTfbNqlt7o+Hjpo3kz0AMwDo+1V42Qkh61VJW +1P0NQvkgjiQn+ElSMg1u3uiYCIMAhYMYo2ZMKxHXxRqjU79AVuJNP3p8wUpfwReI +mAy3/n685YbSzWcbPqCfjRH/YrnYS8Ga7m/QzdNfrtxhAWAGow1++eTSMvLXSkQe +ujU6OCJNOPUNB3nnJ1IoZrQm8wNP8Y5B5HzvOSyFEvNuHFc63gSPaSRhuz0gubuM +pr1d9Rgjny8JgsfCEbOktlKwnbFeSB8AAgVMjwIDAQABAoIBAHKaRFoVpa6Ynpu0 +mVwYUqdFSaVsEgsSRC9HiEuIllsteNeVZSqX4BGhAXYDmttvGauIF9IAVNpF939c +JwjCg1S2r3aFbLOXq16R0vYFOjUVH3xF/NysX3LQywv6AS1Z8wZiOKIU9eBij8nz +0tygQFZf2iUeIuB8HFzH1B8iHSuI7qn6hh1Y9Zgx4kWYL9I+WYefbR906xveHVGq +8VrgHtBAn1WeWg7FoN1VURW0s1bxkiWtpF9x9OMmwK4qR8HSCilss59V1eJrAAR0 +3FGdWwbbGg9hW0adnyDCtoaYW3r0WcXwqklyas4C+dClOpUInn8kZisoghQYT92u +U2QeDzECgYEA5Rv7+rP9HX1pNd9NQwOyIHztv4jfx60gybioogtCeRZUwPQ3GtXJ +Q0ouBxCVLdyCImIKcvd2q2b9HZE8tvOHBA/YxofH4miEN5GWA4aL+LcGrxIbxPWs +MEkxgQwsyK7lWH47fG7eW86LMx0VikFXS1EeeZZS3f3Avaww1uRtXecCgYEA4mhS +sAClZamGVWQ7VXCHuS4xHn/gPA4TCyoR5l9g9pwregGKxsROQVIFQCDMd9eTtS6B +oqoUTHdg0TlujHVUojdwHtgDaqDMTk+RXD9qy2Wob9HQVBlIwgijoLb+OjwdoAj7 +1OQx8FmMjAlMmlyJ50e1FnbNJFEJ1EMgV5QxtxkCgYEArdUeyehYy1BFTJ/CIm+i +bm37gdDbYchlUUivgkuiwvcDlWd2jADbdRfKdofJeIOPpYDXxsUmIATDVfTFqVZ7 +AcT4SCHrskh00SjANqqWdz5/bsQBl96DKBvQ2MYhEJ9K2mrkvZPtWKENEtolZsIO +9tF0mvJIq7CF1iPY5qNoq88CgYEAoZhELErJwl3U+22my7ydopZNiK9MpJCHFxjX +3c2Fr36XqWUgX+4MzKJ2DOdcCM1dJ5wh+q/Z/RnXiH2tYaL83SskY19aUOij6eDw +px68YqAUMHtYbi39uD/iSftSSM5PdsHyvGiDHEFOB0U735Dc/K45mecBVEJi+ZVP +qDKlqUECgYA1DcGOWM3P3XdB7zKy47LcankMtFZozEOLTUdGJRlmWrLdcRlZPKjt +/ALripehesp1++VtmttWQJX7uI3gveD07/tSKeMHmIoKappjRTrcaA7Pa5+z/xS/ +UhRmZUFOJwNLzy3jdv5f2c/5SIz6o4Ae3I+Zb+IapHL+lBv146/I5g== +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/multi-level-ca/hosts/moon/etc/ipsec.conf b/testing/tests/multi-level-ca/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..e60bbc016 --- /dev/null +++ b/testing/tests/multi-level-ca/hosts/moon/etc/ipsec.conf @@ -0,0 +1,37 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +ca strongswan + cacert=strongswanCert.pem + crluri=http://crl.strongswan.org/strongswan.crl + auto=add + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_MOON + leftnexthop=%direct + leftcert=moonCert.pem + leftsendcert=ifasked + leftid=@moon.strongswan.org + +conn alice + leftsubnet=PH_IP_ALICE/32 + right=%any + rightca="C=CH, O=Linux strongSwan, OU=Research, CN=Research CA" + auto=add + +conn venus + leftsubnet=PH_IP_VENUS/32 + right=%any + rightca="C=CH, O=Linux strongSwan, OU=Sales, CN=Sales CA" + auto=add + diff --git a/testing/tests/multi-level-ca/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem b/testing/tests/multi-level-ca/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem new file mode 100644 index 000000000..154cff654 --- /dev/null +++ b/testing/tests/multi-level-ca/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem @@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIIDwTCCAqmgAwIBAgIBDzANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA1MDYyMTE5NTgwNloXDTEwMDYyMDE5NTgwNlowUTELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh +cmNoMRQwEgYDVQQDEwtSZXNlYXJjaCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBALY5sjqm4AdbWKc/T7JahWpy9xtdPbHngBN6lbnpYaHfrxnGsvmD +FCFZHCd7egRqQ/AuJHHcEv3DUdfJWWAypVnUvdlcp58hBjpxfTPXP9IDBxzQaQyU +zsExIGWOVUY2e7xJ5BKBnXVkok3htY4Hr1GdqNh+3LEmbegJBngTRSRx4PKJ54FO +/b78LUzB+rMxrzxw/lnI8jEmAtKlugQ7c9auMeFCz+NmlSfnSoWhHN5qm+0iNKy0 +C+25IuE8Nq+i3jtBiI8BwBqHY3u2IuflUh9Nc9d/R6vGsRPMHs30X1Ha/m0Ug494 ++wwqwfEBZRjzxMmMF/1SG4I1E3TDOJ3srjkCAwEAAaOBrzCBrDAPBgNVHRMBAf8E +BTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU53XwoPKtIM3NYCPMx8gPKfPd +VCAwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNV +BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJv +bmdTd2FuIFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQEEBQADggEBAHArS2trQnBoMVcg +Br3HV78wYsa1MNAQCBAPhKMMd6EziO4FTwgNgecbKXpObX6ErFDgjtVTcLOMTvNX +fvZoNuPpdcitlgcWjfxZafNbj6j9ClE/rMbGDO64NLhdXuPVkbmic6yXRwGZpTuq +3CKgTguLvhzIEM47yfonXKaaJcKVPI7nYRZdlJmD4VflYrSUpzB361dCaPpl0AYa +0zz1+jfBBvlyic/tf+cCngV3f+GlJ4ntZ3gvRjyysHRmYpWBD7xcA8mJzgUiMyi1 +IKeNzydp+tnLfxwetfA/8ptc346me7RktAaASqO9vpS/N78eXyJRthZTKEf/OqVW +Tfcyi+M= +-----END CERTIFICATE----- diff --git a/testing/tests/multi-level-ca/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem b/testing/tests/multi-level-ca/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem new file mode 100644 index 000000000..e50477872 --- /dev/null +++ b/testing/tests/multi-level-ca/hosts/moon/etc/ipsec.d/cacerts/salesCert.pem @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDuzCCAqOgAwIBAgIBDTANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA1MDMyMzA2MjkxNloXDTE0MDMyMTA2MjkxNlowSzELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAMBgNVBAsTBVNhbGVz +MREwDwYDVQQDEwhTYWxlcyBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC +ggEBAMJOTSaZjDe5UR+hJbodcE40WBxWm+r0FiD+FLc2c0hH/QcWm1Xfqnc9qaPP +GoxO2BfwXgFEHfOdQzHGuthhsvdMPkmWP1Z3uDrwscqrmLyq4JI87exSen1ggmCV +Eib55T4fNxrTIGJaoe6Jn9v9ZwG2B+Ur3nFA/wdckSdqJxc6XL9DKcRk3TxZtv9S +uDftE9G787O6PJSyfyUYhldz1EZe5PTsUoAbBJ0DDXJx3562kDtfQdwezat0LAyO +sVabYq/0G/fBZwLLer4qGF2+3CsvP7jNXnhRYeSv2+4i2mAjgbBRI1A3iqoU3Nq1 +vPAqzrekOI/RV9Hre9L1r8X1dIECAwEAAaOBrzCBrDAPBgNVHRMBAf8EBTADAQH/ +MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUX5sTRvkgcsgA1Yi1p0wul+oLkygwbQYD +VR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNVBAYTAkNI +MRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJvbmdTd2Fu +IFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQEFBQADggEBAJ7j3X20Q8ICJ2e+iUCpVUIV +8RudUeHt9qjSXalohuxxhegL5vu7I9Gx0H56RE4glOjLMCb1xqVZ55Odxx14pHaZ +9iMnQFpgzi96exYAmBKYCHl4IFix2hrTqTWSJhEO+o+PXnQTgcfG43GQepk0qAQr +iZZy8OWiUhHSJQLJtTMm4rnYjgPn+sLwx7hCPDZpHTZocETDars7wTiVkodCbeEU +uKahAbq4b6MvvC3+7quvwoEpAEStT7+Yml+QuK/jKmhjX0hcQcw4ZWi+m32RjUAv +xDJGEvBqV2hyrzRqwh4lVNJEBba5X+QB3N6a0So6BENaJrUM3v8EDaS2KLUWyu0= +-----END CERTIFICATE----- diff --git a/testing/tests/multi-level-ca/posttest.dat b/testing/tests/multi-level-ca/posttest.dat new file mode 100644 index 000000000..1646d5ed2 --- /dev/null +++ b/testing/tests/multi-level-ca/posttest.dat @@ -0,0 +1,5 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::rm /etc/ipsec.d/cacerts/* + diff --git a/testing/tests/multi-level-ca/pretest.dat b/testing/tests/multi-level-ca/pretest.dat new file mode 100644 index 000000000..67c50c2ef --- /dev/null +++ b/testing/tests/multi-level-ca/pretest.dat @@ -0,0 +1,9 @@ +moon::echo 1 > /proc/sys/net/ipv4/ip_forward +carol::ipsec start +dave::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up alice +carol::ipsec up venus +dave::ipsec up venus +dave::ipsec up alice diff --git a/testing/tests/multi-level-ca/test.conf b/testing/tests/multi-level-ca/test.conf new file mode 100644 index 000000000..08e5cc145 --- /dev/null +++ b/testing/tests/multi-level-ca/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice venus moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-v-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/nat-one-rw/description.txt b/testing/tests/nat-one-rw/description.txt new file mode 100644 index 000000000..c3b9bb820 --- /dev/null +++ b/testing/tests/nat-one-rw/description.txt @@ -0,0 +1,5 @@ +The roadwarrior <b>alice</b> sitting behind the NAT router <b>moon</b> sets up a tunnel to +gateway <b>sun</b>. UDP encapsulation is used to traverse the NAT router. +<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass +the tunneled traffic. In order to test the tunnel, the NAT-ed host <b>alice</b> pings the +client <b>bob</b> behind the gateway <b>sun</b>. diff --git a/testing/tests/nat-one-rw/evaltest.dat b/testing/tests/nat-one-rw/evaltest.dat new file mode 100644 index 000000000..bc193963d --- /dev/null +++ b/testing/tests/nat-one-rw/evaltest.dat @@ -0,0 +1,5 @@ +alice::ipsec status::nat-t.*STATE_QUICK_I2.*IPsec SA established::YES +sun::ipsec status::nat-t.*STATE_QUICK_R2.*IPsec SA established::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES +moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP::YES +moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP::YES diff --git a/testing/tests/nat-one-rw/posttest.dat b/testing/tests/nat-one-rw/posttest.dat new file mode 100644 index 000000000..af8e00575 --- /dev/null +++ b/testing/tests/nat-one-rw/posttest.dat @@ -0,0 +1,8 @@ +alice::iptables -v -n -L +sun::iptables -v -n -L +alice::ipsec stop +sun::ipsec stop +alice::/etc/init.d/iptables stop 2> /dev/null +sun::/etc/init.d/iptables stop 2> /dev/null +moon::iptables -t nat -F + diff --git a/testing/tests/nat-one-rw/pretest.dat b/testing/tests/nat-one-rw/pretest.dat new file mode 100644 index 000000000..9dacc672c --- /dev/null +++ b/testing/tests/nat-one-rw/pretest.dat @@ -0,0 +1,10 @@ +alice::/etc/init.d/iptables start 2> /dev/null +sun::/etc/init.d/iptables start 2> /dev/null +moon::echo 1 > /proc/sys/net/ipv4/ip_forward +moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100 +moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100 +alice::ipsec start +sun::ipsec start +alice::sleep 5 +alice::ipsec up nat-t + diff --git a/testing/tests/nat-one-rw/test.conf b/testing/tests/nat-one-rw/test.conf new file mode 100644 index 000000000..d84149aaf --- /dev/null +++ b/testing/tests/nat-one-rw/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="alice sun" diff --git a/testing/tests/nat-two-rw/description.txt b/testing/tests/nat-two-rw/description.txt new file mode 100644 index 000000000..dcf4b94bd --- /dev/null +++ b/testing/tests/nat-two-rw/description.txt @@ -0,0 +1,5 @@ +The roadwarriors <b>alice</b> and <b>venus</b> sitting behind the NAT router <b>moon</b> set up +tunnels to gateway <b>sun</b>. UDP encapsulation is used to traverse the NAT router. +<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass +the tunneled traffic. In order to test the tunnel, the NAT-ed hosts <b>alice</b> and <b>venus</b> +ping the client <b>bob</b> behind the gateway <b>sun</b>. diff --git a/testing/tests/nat-two-rw/evaltest.dat b/testing/tests/nat-two-rw/evaltest.dat new file mode 100644 index 000000000..b1a7d59ee --- /dev/null +++ b/testing/tests/nat-two-rw/evaltest.dat @@ -0,0 +1,9 @@ +alice::ipsec status::nat-t.*STATE_QUICK_I2.*IPsec SA established::YES +venus::ipsec status::nat-t.*STATE_QUICK_I2.*IPsec SA established::YES +sun::ipsec status::nat-t.*STATE_QUICK_R2.*IPsec SA established::YES +sun::ipsec status::nat-t.*alice@strongswan.org::YES +sun::ipsec status::nat-t.*@venus.strongswan.org::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES +venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES +moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.ipsec-nat-t: UDP::YES +moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.*: UDP::YES diff --git a/testing/tests/nat-two-rw/posttest.dat b/testing/tests/nat-two-rw/posttest.dat new file mode 100644 index 000000000..f019842ed --- /dev/null +++ b/testing/tests/nat-two-rw/posttest.dat @@ -0,0 +1,11 @@ +alice::iptables -v -n -L +venus::iptables -v -n -L +sun::iptables -v -n -L +sun::ipsec stop +alice::ipsec stop +venus::ipsec stop +alice::/etc/init.d/iptables stop 2> /dev/null +venus::/etc/init.d/iptables stop 2> /dev/null +sun::/etc/init.d/iptables stop 2> /dev/null +moon::iptables -t nat -F + diff --git a/testing/tests/nat-two-rw/pretest.dat b/testing/tests/nat-two-rw/pretest.dat new file mode 100644 index 000000000..dd5259936 --- /dev/null +++ b/testing/tests/nat-two-rw/pretest.dat @@ -0,0 +1,13 @@ +alice::/etc/init.d/iptables start 2> /dev/null +venus::/etc/init.d/iptables start 2> /dev/null +sun::/etc/init.d/iptables start 2> /dev/null +moon::echo 1 > /proc/sys/net/ipv4/ip_forward +moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source PH_IP_MOON:1024-1100 +moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100 +alice::ipsec start +venus::ipsec start +sun::ipsec start +alice::sleep 5 +alice::ipsec up nat-t +venus::sleep 5 +venus::ipsec up nat-t diff --git a/testing/tests/nat-two-rw/test.conf b/testing/tests/nat-two-rw/test.conf new file mode 100644 index 000000000..84317fd70 --- /dev/null +++ b/testing/tests/nat-two-rw/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice venus moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-v-m-w-s-b.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="alice venus sun" diff --git a/testing/tests/net2net-cert/description.txt b/testing/tests/net2net-cert/description.txt new file mode 100644 index 000000000..7eea9192f --- /dev/null +++ b/testing/tests/net2net-cert/description.txt @@ -0,0 +1,6 @@ +A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up. +The authentication is based on <b>X.509 certificates</b>. Upon the successful +establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically +inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b> +pings client <b>bob</b> located behind gateway <b>sun</b>. diff --git a/testing/tests/net2net-cert/evaltest.dat b/testing/tests/net2net-cert/evaltest.dat new file mode 100644 index 000000000..7cbf92687 --- /dev/null +++ b/testing/tests/net2net-cert/evaltest.dat @@ -0,0 +1,5 @@ +moon::ipsec status::net-net.*STATE_QUICK_I2.*IPsec SA established::YES +sun::ipsec status::net-net.*STATE_QUICK_R2.*IPsec SA established::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/net2net-cert/posttest.dat b/testing/tests/net2net-cert/posttest.dat new file mode 100644 index 000000000..52979508d --- /dev/null +++ b/testing/tests/net2net-cert/posttest.dat @@ -0,0 +1,6 @@ +moon::iptables -v -n -L +sun::iptables -v -n -L +moon::ipsec stop +sun::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +sun::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/net2net-cert/pretest.dat b/testing/tests/net2net-cert/pretest.dat new file mode 100644 index 000000000..9f60760c6 --- /dev/null +++ b/testing/tests/net2net-cert/pretest.dat @@ -0,0 +1,6 @@ +moon::/etc/init.d/iptables start 2> /dev/null +sun::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +sun::ipsec start +moon::sleep 2 +moon::ipsec up net-net diff --git a/testing/tests/net2net-cert/test.conf b/testing/tests/net2net-cert/test.conf new file mode 100644 index 000000000..d9a61590f --- /dev/null +++ b/testing/tests/net2net-cert/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" diff --git a/testing/tests/net2net-pgp/description.txt b/testing/tests/net2net-pgp/description.txt new file mode 100644 index 000000000..c85f2e5d0 --- /dev/null +++ b/testing/tests/net2net-pgp/description.txt @@ -0,0 +1,6 @@ +A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up. +The authentication is based on <b>OpenPGP keys</b>. Upon the successful +establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically +inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b> +pings client <b>bob</b> located behind gateway <b>sun</b>. diff --git a/testing/tests/net2net-pgp/evaltest.dat b/testing/tests/net2net-pgp/evaltest.dat new file mode 100644 index 000000000..7cbf92687 --- /dev/null +++ b/testing/tests/net2net-pgp/evaltest.dat @@ -0,0 +1,5 @@ +moon::ipsec status::net-net.*STATE_QUICK_I2.*IPsec SA established::YES +sun::ipsec status::net-net.*STATE_QUICK_R2.*IPsec SA established::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/net2net-pgp/hosts/moon/etc/ipsec.conf b/testing/tests/net2net-pgp/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..e7de6cf0b --- /dev/null +++ b/testing/tests/net2net-pgp/hosts/moon/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + nocrsend=yes + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + leftnexthop=%direct + +conn net-net + left=PH_IP_MOON + leftsubnet=10.1.0.0/16 + leftcert=moonCert.asc + leftfirewall=yes + right=PH_IP_SUN + rightsubnet=10.2.0.0/16 + rightcert=sunCert.asc + auto=add diff --git a/testing/tests/net2net-pgp/hosts/moon/etc/ipsec.d/certs/moonCert.asc b/testing/tests/net2net-pgp/hosts/moon/etc/ipsec.d/certs/moonCert.asc new file mode 100644 index 000000000..135cfaec0 --- /dev/null +++ b/testing/tests/net2net-pgp/hosts/moon/etc/ipsec.d/certs/moonCert.asc @@ -0,0 +1,15 @@ +Type Bits/KeyID Date User ID +pub 1024/613A3B61 2005/08/07 moon <moon.strongswan.org> + +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: 2.6.3i + +mQCNA0L2KI8AAAEEAM5GYrwuf1M9Cv7+Yfr6i5+17zMVGIyj/D4+msK43iUbEH61 ++bhRKcrF+9NKvM+ujjZoUbfGjUipsBbTlPTaY7muZ9KaVy2OBHm73x13eiemkPS9 +RFWesrL9L39aBO5K47ti0PwRP8QIPMaNWMs2z7yoZLE/flVNQfWsCnlhOjthAAUR +tBptb29uIDxtb29uLnN0cm9uZ3N3YW4ub3JnPokAlQMFEEL2KI/1rAp5YTo7YQEB +vX4EAKtr0e6WMDIRlpE4VhhdQ7AgBgGyhgfqAdD9KDx8o4fG4nkmh7H1bG/PLJA1 +f+UfDGnOyIwPOrILNyNnwAbDHXjJaNylahM7poOP7i0VlbhZPLAC0cSQi02/Zrac +t5bED5tHSrNSjcA/CjuxRuu9lmR6s57IQnQnwt9I4LTM+CFP +=oaBj +-----END PGP PUBLIC KEY BLOCK----- diff --git a/testing/tests/net2net-pgp/hosts/moon/etc/ipsec.d/certs/sunCert.asc b/testing/tests/net2net-pgp/hosts/moon/etc/ipsec.d/certs/sunCert.asc new file mode 100644 index 000000000..32f204b10 --- /dev/null +++ b/testing/tests/net2net-pgp/hosts/moon/etc/ipsec.d/certs/sunCert.asc @@ -0,0 +1,15 @@ +Type Bits/KeyID Date User ID +pub 1024/79949ADD 2005/08/07 sun <sun.strongswan.org> + +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: 2.6.3i + +mQCNA0L2Km8AAAEEANRAVMn8HBxfYaGhLqtQ3IZJArn9wpcQ+7sH/F9PaXIjzHRQ +rfFkfmxxp9lVjCk0LM/BnnlnUmyz6F8K7V0Gi40Am4+ln1zHvZZIQJYGrDhDnjb7 +I5TVeD4Ib5bQ1CoUbIhv2LocCeR6OjefQgGmerC5RQ3d5ci7uB0pVpd5lJrdAAUR +tBhzdW4gPHN1bi5zdHJvbmdzd2FuLm9yZz6JAJUDBRBC9ipvHSlWl3mUmt0BAUZR +A/43nuZbxADMSviu54Mj8pvQbYeGLQVabiWT6h7L0ZPX4MWpFH3dTixBfRrZRSsj +0AgiMMuZAMebfOe+Xf9uDQv7p1yumEiNg43tg85zyawkARWNTZZ04woxtvAqNwXn +lQotGz7YA6JMxry9RQo5yI4Y4dPnVZ/o8eDpP0+I88cOhQ== +=lLvB +-----END PGP PUBLIC KEY BLOCK----- diff --git a/testing/tests/net2net-pgp/hosts/moon/etc/ipsec.d/private/moonKey.asc b/testing/tests/net2net-pgp/hosts/moon/etc/ipsec.d/private/moonKey.asc new file mode 100644 index 000000000..6524773e0 --- /dev/null +++ b/testing/tests/net2net-pgp/hosts/moon/etc/ipsec.d/private/moonKey.asc @@ -0,0 +1,19 @@ +Type Bits/KeyID Date User ID +sec 1024/613A3B61 2005/08/07 moon <moon.strongswan.org> + +-----BEGIN PGP SECRET KEY BLOCK----- +Version: 2.6.3i + +lQHYA0L2KI8AAAEEAM5GYrwuf1M9Cv7+Yfr6i5+17zMVGIyj/D4+msK43iUbEH61 ++bhRKcrF+9NKvM+ujjZoUbfGjUipsBbTlPTaY7muZ9KaVy2OBHm73x13eiemkPS9 +RFWesrL9L39aBO5K47ti0PwRP8QIPMaNWMs2z7yoZLE/flVNQfWsCnlhOjthAAUR +AAP9Fj7OaaCfTL3Met8yuS8ZGMDL/fq+4f2bM+OdPSgD4N1Fiye0B1QMCVGWI1Xd +JXS0+9QI0A3iD12YAnYwsP50KmsLHA69AqchN7BuimoMfHDXqpTSRW57E9MCEzQ9 +FFN8mVPRiDxAUro8qCjdHmk1vmtdt/PXn1BuXHE36SzZmmMCANBA4WHaO6MJshM6 +7StRicSCxoMn/lPcj6rfJS4EaS+a0MwECxKQ3HKTpP3/+7kaWfLI/D65Xmi3cVK3 +0CPwUK8CAP2RYWoBZPSA8dBGFYwR7W6bdNYhdmGmsVCaM7v4sVr0FwHwMERadByN +8v0n5As3ZbrCURRp68wuE+JjfOM5mO8CAM3ZK7AVlBOqkoI3X3Ji3yviLlsr2ET7 +QrVKFQBq7eUhwYFo6mVemEqQb61tGirq+qL4Wfk/7+FffZPsUyLX1amfjLQabW9v +biA8bW9vbi5zdHJvbmdzd2FuLm9yZz4= +=YFQm +-----END PGP SECRET KEY BLOCK----- diff --git a/testing/tests/net2net-pgp/hosts/moon/etc/ipsec.secrets b/testing/tests/net2net-pgp/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..afb1ff927 --- /dev/null +++ b/testing/tests/net2net-pgp/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA moonKey.asc diff --git a/testing/tests/net2net-pgp/hosts/sun/etc/ipsec.conf b/testing/tests/net2net-pgp/hosts/sun/etc/ipsec.conf new file mode 100755 index 000000000..5dd8a8587 --- /dev/null +++ b/testing/tests/net2net-pgp/hosts/sun/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + nocrsend=yes + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + leftnexthop=%direct + +conn net-net + left=PH_IP_SUN + leftsubnet=10.2.0.0/16 + leftcert=sunCert.asc + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightcert=moonCert.asc + auto=add diff --git a/testing/tests/net2net-pgp/hosts/sun/etc/ipsec.d/certs/moonCert.asc b/testing/tests/net2net-pgp/hosts/sun/etc/ipsec.d/certs/moonCert.asc new file mode 100644 index 000000000..135cfaec0 --- /dev/null +++ b/testing/tests/net2net-pgp/hosts/sun/etc/ipsec.d/certs/moonCert.asc @@ -0,0 +1,15 @@ +Type Bits/KeyID Date User ID +pub 1024/613A3B61 2005/08/07 moon <moon.strongswan.org> + +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: 2.6.3i + +mQCNA0L2KI8AAAEEAM5GYrwuf1M9Cv7+Yfr6i5+17zMVGIyj/D4+msK43iUbEH61 ++bhRKcrF+9NKvM+ujjZoUbfGjUipsBbTlPTaY7muZ9KaVy2OBHm73x13eiemkPS9 +RFWesrL9L39aBO5K47ti0PwRP8QIPMaNWMs2z7yoZLE/flVNQfWsCnlhOjthAAUR +tBptb29uIDxtb29uLnN0cm9uZ3N3YW4ub3JnPokAlQMFEEL2KI/1rAp5YTo7YQEB +vX4EAKtr0e6WMDIRlpE4VhhdQ7AgBgGyhgfqAdD9KDx8o4fG4nkmh7H1bG/PLJA1 +f+UfDGnOyIwPOrILNyNnwAbDHXjJaNylahM7poOP7i0VlbhZPLAC0cSQi02/Zrac +t5bED5tHSrNSjcA/CjuxRuu9lmR6s57IQnQnwt9I4LTM+CFP +=oaBj +-----END PGP PUBLIC KEY BLOCK----- diff --git a/testing/tests/net2net-pgp/hosts/sun/etc/ipsec.d/certs/sunCert.asc b/testing/tests/net2net-pgp/hosts/sun/etc/ipsec.d/certs/sunCert.asc new file mode 100644 index 000000000..32f204b10 --- /dev/null +++ b/testing/tests/net2net-pgp/hosts/sun/etc/ipsec.d/certs/sunCert.asc @@ -0,0 +1,15 @@ +Type Bits/KeyID Date User ID +pub 1024/79949ADD 2005/08/07 sun <sun.strongswan.org> + +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: 2.6.3i + +mQCNA0L2Km8AAAEEANRAVMn8HBxfYaGhLqtQ3IZJArn9wpcQ+7sH/F9PaXIjzHRQ +rfFkfmxxp9lVjCk0LM/BnnlnUmyz6F8K7V0Gi40Am4+ln1zHvZZIQJYGrDhDnjb7 +I5TVeD4Ib5bQ1CoUbIhv2LocCeR6OjefQgGmerC5RQ3d5ci7uB0pVpd5lJrdAAUR +tBhzdW4gPHN1bi5zdHJvbmdzd2FuLm9yZz6JAJUDBRBC9ipvHSlWl3mUmt0BAUZR +A/43nuZbxADMSviu54Mj8pvQbYeGLQVabiWT6h7L0ZPX4MWpFH3dTixBfRrZRSsj +0AgiMMuZAMebfOe+Xf9uDQv7p1yumEiNg43tg85zyawkARWNTZZ04woxtvAqNwXn +lQotGz7YA6JMxry9RQo5yI4Y4dPnVZ/o8eDpP0+I88cOhQ== +=lLvB +-----END PGP PUBLIC KEY BLOCK----- diff --git a/testing/tests/net2net-pgp/hosts/sun/etc/ipsec.d/private/sunKey.asc b/testing/tests/net2net-pgp/hosts/sun/etc/ipsec.d/private/sunKey.asc new file mode 100644 index 000000000..de2393649 --- /dev/null +++ b/testing/tests/net2net-pgp/hosts/sun/etc/ipsec.d/private/sunKey.asc @@ -0,0 +1,19 @@ +Type Bits/KeyID Date User ID +sec 1024/79949ADD 2005/08/07 sun <sun.strongswan.org> + +-----BEGIN PGP SECRET KEY BLOCK----- +Version: 2.6.3i + +lQHYA0L2Km8AAAEEANRAVMn8HBxfYaGhLqtQ3IZJArn9wpcQ+7sH/F9PaXIjzHRQ +rfFkfmxxp9lVjCk0LM/BnnlnUmyz6F8K7V0Gi40Am4+ln1zHvZZIQJYGrDhDnjb7 +I5TVeD4Ib5bQ1CoUbIhv2LocCeR6OjefQgGmerC5RQ3d5ci7uB0pVpd5lJrdAAUR +AAP8DHxBOQ7UeiO6cutdGSLfy6nxGf/eRR8d3dNLFKpRfy9IQxPN/yQHb8pzSQUI +Pqi3V4PcJUJQJIMNqzzgyTyey/OdTc+IFngywRGKQowyD7vY+urVbcEDHe+sRTL1 +GvrsQGMZoXNDimABHn5NbT6Pc06xQ9rNvpCSyHMyzcylpk0CANqf96aEaryGJozg +vSN5GlS77rPJ9Y9mU2EJs1+0BlMcb7Sy4HN2RRc/V56ZmlW2m3UbGwPqG8R9XQQ2 +LO03bTcCAPiJbTcRdA/YnZExbZPgEnV5nq8tVXTc7bz1Sw7ZWRef0iZyIQEXbwLn +2Z2EJik9bQpkcVJSBV17cH7Av/VdIosCAKJPVoBETiVzWejIpGHHqbnmZC8P9rUs +xAXZbNukbL3YElLeopNMyddTi6kf45/m0sb7fr7rzW/OJ7WP8mDrGPec4rQYc3Vu +IDxzdW4uc3Ryb25nc3dhbi5vcmc+ +=DwEu +-----END PGP SECRET KEY BLOCK----- diff --git a/testing/tests/net2net-pgp/hosts/sun/etc/ipsec.secrets b/testing/tests/net2net-pgp/hosts/sun/etc/ipsec.secrets new file mode 100644 index 000000000..ee98b1611 --- /dev/null +++ b/testing/tests/net2net-pgp/hosts/sun/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA sunKey.asc diff --git a/testing/tests/net2net-pgp/posttest.dat b/testing/tests/net2net-pgp/posttest.dat new file mode 100644 index 000000000..80e765dfc --- /dev/null +++ b/testing/tests/net2net-pgp/posttest.dat @@ -0,0 +1,10 @@ +moon::iptables -v -n -L +sun::iptables -v -n -L +moon::ipsec stop +sun::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +sun::/etc/init.d/iptables stop 2> /dev/null +moon::rm /etc/ipsec.d/certs/* +moon::rm /etc/ipsec.d/private/* +sun::rm /etc/ipsec.d/certs/* +sun::rm /etc/ipsec.d/private/* diff --git a/testing/tests/net2net-pgp/pretest.dat b/testing/tests/net2net-pgp/pretest.dat new file mode 100644 index 000000000..9e40684ab --- /dev/null +++ b/testing/tests/net2net-pgp/pretest.dat @@ -0,0 +1,8 @@ +moon::/etc/init.d/iptables start 2> /dev/null +sun::/etc/init.d/iptables start 2> /dev/null +moon::rm /etc/ipsec.d/cacerts/* +sun::rm /etc/ipsec.d/cacerts/* +moon::ipsec start +sun::ipsec start +moon::sleep 2 +moon::ipsec up net-net diff --git a/testing/tests/net2net-pgp/test.conf b/testing/tests/net2net-pgp/test.conf new file mode 100644 index 000000000..f74d0f7d6 --- /dev/null +++ b/testing/tests/net2net-pgp/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" diff --git a/testing/tests/net2net-psk-fail/description.txt b/testing/tests/net2net-psk-fail/description.txt new file mode 100644 index 000000000..5a794bd17 --- /dev/null +++ b/testing/tests/net2net-psk-fail/description.txt @@ -0,0 +1,7 @@ +An IPsec tunnel connecting the subnets behind the gateways <b>moon</b> and +<b>sun</b> is set up. The authentication is based on <b>Preshared Keys</b> +(PSK). Unfortunately the secret keys of <b>moon</b> and <b>sun</b> do not +match, so that the responder cannot decrypt ISAKMP message MI3. The resulting +encrypted notification message cannot in turn be read by the initiator +<b>moon</b>. In order to avoid a <b>notify-war</b>, any further generation of +PAYLOAD_MALFORMED messages is suppressed. diff --git a/testing/tests/net2net-psk-fail/evaltest.dat b/testing/tests/net2net-psk-fail/evaltest.dat new file mode 100644 index 000000000..7f7cb9726 --- /dev/null +++ b/testing/tests/net2net-psk-fail/evaltest.dat @@ -0,0 +1,6 @@ +moon::cat /var/log/auth.log::malformed payload in packet::YES +sun::cat /var/log/auth.log::probable authentication failure.*mismatch of preshared secrets.*malformed payload in packet::YES +sun::cat /var/log/auth.log::sending encrypted notification PAYLOAD_MALFORMED::YES +moon::ipsec status::net-net.*STATE_MAIN_I4.*ISAKMP SA established::NO +sun::ipsec status::net-net.*STATE_MAIN_R3.*ISAKMP SA established::NO + diff --git a/testing/tests/net2net-psk-fail/hosts/moon/etc/ipsec.conf b/testing/tests/net2net-psk-fail/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..87396e455 --- /dev/null +++ b/testing/tests/net2net-psk-fail/hosts/moon/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + authby=secret + leftnexthop=%direct + +conn net-net + left=PH_IP_MOON + leftsubnet=10.1.0.0/16 + leftid=@moon.strongswan.org + right=PH_IP_SUN + rightsubnet=10.2.0.0/16 + rightid=@sun.strongswan.org + auto=add diff --git a/testing/tests/net2net-psk-fail/hosts/moon/etc/ipsec.secrets b/testing/tests/net2net-psk-fail/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..be95c4d99 --- /dev/null +++ b/testing/tests/net2net-psk-fail/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,7 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +@moon.strongswan.org @sun.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL + + + + diff --git a/testing/tests/net2net-psk-fail/hosts/sun/etc/ipsec.conf b/testing/tests/net2net-psk-fail/hosts/sun/etc/ipsec.conf new file mode 100755 index 000000000..7e102b25c --- /dev/null +++ b/testing/tests/net2net-psk-fail/hosts/sun/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + authby=secret + leftnexthop=%direct + +conn net-net + left=PH_IP_SUN + leftsubnet=10.2.0.0/16 + leftid=@sun.strongswan.org + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/net2net-psk-fail/hosts/sun/etc/ipsec.secrets b/testing/tests/net2net-psk-fail/hosts/sun/etc/ipsec.secrets new file mode 100644 index 000000000..b53577e1d --- /dev/null +++ b/testing/tests/net2net-psk-fail/hosts/sun/etc/ipsec.secrets @@ -0,0 +1,7 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +@moon.strongswan.org @sun.strongswan.org : PSK 0sZNbttZkdViYmLWprfhiZBtDjJbNAMHil + + + + diff --git a/testing/tests/net2net-psk-fail/posttest.dat b/testing/tests/net2net-psk-fail/posttest.dat new file mode 100644 index 000000000..dff181797 --- /dev/null +++ b/testing/tests/net2net-psk-fail/posttest.dat @@ -0,0 +1,2 @@ +moon::ipsec stop +sun::ipsec stop diff --git a/testing/tests/net2net-psk-fail/pretest.dat b/testing/tests/net2net-psk-fail/pretest.dat new file mode 100644 index 000000000..aa8e332e0 --- /dev/null +++ b/testing/tests/net2net-psk-fail/pretest.dat @@ -0,0 +1,6 @@ +moon::echo 1 > /proc/sys/net/ipv4/ip_forward +sun::echo 1 > /proc/sys/net/ipv4/ip_forward +moon::ipsec start +sun::ipsec start +moon::sleep 2 +moon::ipsec up net-net diff --git a/testing/tests/net2net-psk-fail/test.conf b/testing/tests/net2net-psk-fail/test.conf new file mode 100644 index 000000000..f6e064e7d --- /dev/null +++ b/testing/tests/net2net-psk-fail/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon winnetou sun" + +# Corresponding block diagram +# +DIAGRAM="m-w-s.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" diff --git a/testing/tests/net2net-psk/description.txt b/testing/tests/net2net-psk/description.txt new file mode 100644 index 000000000..02cddbb83 --- /dev/null +++ b/testing/tests/net2net-psk/description.txt @@ -0,0 +1,6 @@ +A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up. +The authentication is based on <b>Preshared Keys</b> (PSK). Upon the successful +establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically +inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b> +pings client <b>bob</b> located behind gateway <b>sun</b>. diff --git a/testing/tests/net2net-psk/evaltest.dat b/testing/tests/net2net-psk/evaltest.dat new file mode 100644 index 000000000..7cbf92687 --- /dev/null +++ b/testing/tests/net2net-psk/evaltest.dat @@ -0,0 +1,5 @@ +moon::ipsec status::net-net.*STATE_QUICK_I2.*IPsec SA established::YES +sun::ipsec status::net-net.*STATE_QUICK_R2.*IPsec SA established::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/net2net-psk/hosts/moon/etc/ipsec.conf b/testing/tests/net2net-psk/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..51c53a505 --- /dev/null +++ b/testing/tests/net2net-psk/hosts/moon/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + authby=secret + leftnexthop=%direct + +conn net-net + left=PH_IP_MOON + leftsubnet=10.1.0.0/16 + leftid=@moon.strongswan.org + leftfirewall=yes + right=PH_IP_SUN + rightsubnet=10.2.0.0/16 + rightid=@sun.strongswan.org + auto=add diff --git a/testing/tests/net2net-psk/hosts/moon/etc/ipsec.secrets b/testing/tests/net2net-psk/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..be95c4d99 --- /dev/null +++ b/testing/tests/net2net-psk/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,7 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +@moon.strongswan.org @sun.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL + + + + diff --git a/testing/tests/net2net-psk/hosts/sun/etc/ipsec.conf b/testing/tests/net2net-psk/hosts/sun/etc/ipsec.conf new file mode 100755 index 000000000..9c3695178 --- /dev/null +++ b/testing/tests/net2net-psk/hosts/sun/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + authby=secret + leftnexthop=%direct + +conn net-net + left=PH_IP_SUN + leftsubnet=10.2.0.0/16 + leftid=@sun.strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/net2net-psk/hosts/sun/etc/ipsec.secrets b/testing/tests/net2net-psk/hosts/sun/etc/ipsec.secrets new file mode 100644 index 000000000..be95c4d99 --- /dev/null +++ b/testing/tests/net2net-psk/hosts/sun/etc/ipsec.secrets @@ -0,0 +1,7 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +@moon.strongswan.org @sun.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL + + + + diff --git a/testing/tests/net2net-psk/posttest.dat b/testing/tests/net2net-psk/posttest.dat new file mode 100644 index 000000000..52979508d --- /dev/null +++ b/testing/tests/net2net-psk/posttest.dat @@ -0,0 +1,6 @@ +moon::iptables -v -n -L +sun::iptables -v -n -L +moon::ipsec stop +sun::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +sun::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/net2net-psk/pretest.dat b/testing/tests/net2net-psk/pretest.dat new file mode 100644 index 000000000..9e40684ab --- /dev/null +++ b/testing/tests/net2net-psk/pretest.dat @@ -0,0 +1,8 @@ +moon::/etc/init.d/iptables start 2> /dev/null +sun::/etc/init.d/iptables start 2> /dev/null +moon::rm /etc/ipsec.d/cacerts/* +sun::rm /etc/ipsec.d/cacerts/* +moon::ipsec start +sun::ipsec start +moon::sleep 2 +moon::ipsec up net-net diff --git a/testing/tests/net2net-psk/test.conf b/testing/tests/net2net-psk/test.conf new file mode 100644 index 000000000..f74d0f7d6 --- /dev/null +++ b/testing/tests/net2net-psk/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" diff --git a/testing/tests/net2net-route/description.txt b/testing/tests/net2net-route/description.txt new file mode 100644 index 000000000..323f09555 --- /dev/null +++ b/testing/tests/net2net-route/description.txt @@ -0,0 +1,9 @@ +A tunnel that will connect the subnets behind the gateways <b>moon</b> +and <b>sun</b>, respectively, is preconfigured by installing a %trap eroute +on gateway <b>moon</b> by means of the setting <b>auto=route</b> in ipsec.conf. +A subsequent ping issued by client <b>alice</b> behind gateway <b>moon</b> to +<b>bob</b> located behind gateway <b>sun</b> triggers the %trap eroute and +leads to the automatic establishment of the subnet-to-subnet tunnel. +<p> +<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules +that let pass the tunneled traffic. diff --git a/testing/tests/net2net-route/evaltest.dat b/testing/tests/net2net-route/evaltest.dat new file mode 100644 index 000000000..38d589e5a --- /dev/null +++ b/testing/tests/net2net-route/evaltest.dat @@ -0,0 +1,6 @@ +moon::cat /var/log/auth.log::initiate on demand from PH_IP_ALICE::YES +moon::ipsec status::net-net.*STATE_QUICK_I2.*IPsec SA established::YES +sun::ipsec status::net-net.*STATE_QUICK_R2.*IPsec SA established::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/net2net-route/hosts/moon/etc/ipsec.conf b/testing/tests/net2net-route/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..4063ae05f --- /dev/null +++ b/testing/tests/net2net-route/hosts/moon/etc/ipsec.conf @@ -0,0 +1,26 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + leftnexthop=%direct + +conn net-net + left=PH_IP_MOON + leftsubnet=10.1.0.0/16 + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftfirewall=yes + right=PH_IP_SUN + rightsubnet=10.2.0.0/16 + rightid=@sun.strongswan.org + auto=route diff --git a/testing/tests/net2net-route/posttest.dat b/testing/tests/net2net-route/posttest.dat new file mode 100644 index 000000000..52979508d --- /dev/null +++ b/testing/tests/net2net-route/posttest.dat @@ -0,0 +1,6 @@ +moon::iptables -v -n -L +sun::iptables -v -n -L +moon::ipsec stop +sun::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +sun::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/net2net-route/pretest.dat b/testing/tests/net2net-route/pretest.dat new file mode 100644 index 000000000..2eef7de19 --- /dev/null +++ b/testing/tests/net2net-route/pretest.dat @@ -0,0 +1,6 @@ +moon::/etc/init.d/iptables start 2> /dev/null +sun::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +sun::ipsec start +moon::sleep 2 +alice::ping -c 10 PH_IP_BOB diff --git a/testing/tests/net2net-route/test.conf b/testing/tests/net2net-route/test.conf new file mode 100644 index 000000000..d9a61590f --- /dev/null +++ b/testing/tests/net2net-route/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" diff --git a/testing/tests/net2net-rsa/description.txt b/testing/tests/net2net-rsa/description.txt new file mode 100644 index 000000000..a23fae8c3 --- /dev/null +++ b/testing/tests/net2net-rsa/description.txt @@ -0,0 +1,6 @@ +A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up. +The authentication is based on <b>raw RSA keys</b>. Upon the successful +establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically +inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b> +pings client <b>bob</b> located behind gateway <b>sun</b>. diff --git a/testing/tests/net2net-rsa/evaltest.dat b/testing/tests/net2net-rsa/evaltest.dat new file mode 100644 index 000000000..7cbf92687 --- /dev/null +++ b/testing/tests/net2net-rsa/evaltest.dat @@ -0,0 +1,5 @@ +moon::ipsec status::net-net.*STATE_QUICK_I2.*IPsec SA established::YES +sun::ipsec status::net-net.*STATE_QUICK_R2.*IPsec SA established::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/net2net-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/net2net-rsa/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..772762321 --- /dev/null +++ b/testing/tests/net2net-rsa/hosts/moon/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + leftnexthop=%direct + +conn net-net + left=PH_IP_MOON + leftsubnet=10.1.0.0/16 + leftid=@moon.strongswan.org + leftrsasigkey=0sAQN+mkeECF5Bm7XnDkkkfmgny/TZndTkN1XzFZWB7nJroM3cTk3zMtdSPX8hY9GQxVGWSsmUBq7mGA5Qx39JpRNpyzxW7wRcMbwqDquG1PRfblLzV1ixdXOGSLUNaXonqDI/h5fCkqTuZtLbE4q3Pf4PmQAwzWVWaTZQ1gXXqUqKlN6218Hm2vbvNRE/CBHuFMmaCz11jckvaPvcqBLZzRTx9b/Mi+qD6xT7k9RpYHmtaGCJ95ed1bY6SZkapgHWu88/3M6bxCzD0KOA3oFbwlkHkFyaGWFB2+fc7L6BfYq0wr/d84tQdOxEn3BwLTrVKo7+6AxDrMi0I+blD2nd9cxj + leftfirewall=yes + right=PH_IP_SUN + rightsubnet=10.2.0.0/16 + rightid=@sun.strongswan.org + rightrsasigkey=0sAQOiSuR9e/WMZFOxK3IdaFBOT2DGoObFDJURejqLcjMpmY2yVbA9Lpc+AEGKxqjb37WG6sVo3fBCDBOAhgmMw9s0b6DTSeXaIQloqW1M8IC+xe1fT+F0BsW1ttaEN0WTF5H+J+a4/arYg4HyiA+sjoqHagnCVPM15Rm5mkmg913XmSCgtkenD4WUq+NfPLuOcggqTjHAAoGD0doswRa3sebyqHQNAb32PXW9ecKi9ExcPrdr5hR5uNXRMYGumBtoxcE6xEvCM/sPRK1hbyynixc5nfMQ5Ymb4mdCUotUGaCyKDa4pF58sYgP6xpd/HXMXGdRP+KxqA4sfes46gp8UuJT + auto=add diff --git a/testing/tests/net2net-rsa/hosts/moon/etc/ipsec.secrets b/testing/tests/net2net-rsa/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..9859ae8ed --- /dev/null +++ b/testing/tests/net2net-rsa/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,17 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA { + # RSA 2048 bits moon.strongswan.org Wed Dec 8 21:41:27 2004 + # for signatures only, UNSAFE FOR ENCRYPTION + #pubkey=0sAQN+mkeECF5Bm7XnDkkkfmgny/TZndTkN1XzFZWB7nJroM3cTk3zMtdSPX8hY9GQxVGWSsmUBq7mGA5Qx39JpRNpyzxW7wRcMbwqDquG1PRfblLzV1ixdXOGSLUNaXonqDI/h5fCkqTuZtLbE4q3Pf4PmQAwzWVWaTZQ1gXXqUqKlN6218Hm2vbvNRE/CBHuFMmaCz11jckvaPvcqBLZzRTx9b/Mi+qD6xT7k9RpYHmtaGCJ95ed1bY6SZkapgHWu88/3M6bxCzD0KOA3oFbwlkHkFyaGWFB2+fc7L6BfYq0wr/d84tQdOxEn3BwLTrVKo7+6AxDrMi0I+blD2nd9cxj + Modulus: 0x7e9a4784085e419bb5e70e49247e6827cbf4d99dd4e43755f3159581ee726ba0cddc4e4df332d7523d7f2163d190c551964ac99406aee6180e50c77f49a51369cb3c56ef045c31bc2a0eab86d4f45f6e52f35758b175738648b50d697a27a8323f8797c292a4ee66d2db138ab73dfe0f990030cd6556693650d605d7a94a8a94deb6d7c1e6daf6ef35113f0811ee14c99a0b3d758dc92f68fbdca812d9cd14f1f5bfcc8bea83eb14fb93d4696079ad686089f7979dd5b63a49991aa601d6bbcf3fdcce9bc42cc3d0a380de815bc25907905c9a196141dbe7dcecbe817d8ab4c2bfddf38b5074ec449f70702d3ad52a8efee80c43acc8b423e6e50f69ddf5cc63 + PublicExponent: 0x03 + # everything after this point is secret + PrivateExponent: 0x1519b69601650aef48fbd7b6db6a66b14ca8ceefa37b5e8e532e4395a7bdbc9accfa0d0cfdddce8db4ea8590a2ed763843b72198abc7d1040262cbea8c462de6f734b927d60f5d9f5c57c741237e0fe7b87de3e41d9393410c1e2ce6e9b146b30a96994b1870d2667879d8971e8a5502998008223b8e66de62ce564e9c37171893a0e8a94749590fef394b9deda1e73937b1c664d2e4764ae49572771130a097024380c258fa25f9083eefc5eabe762d8e856237bdd8ad8217f899688f70ac1f37650dc08bf3748b74a4f30873842fe27bdfbc49d0cb14c3861ff18b1219153ddb69e5bcb09ff691473a856e63e23d2f36389959f804e82b13a547decc7d6df7 + Prime1: 0xc11b8705063c662ee0a168b904bbd9c514025360c75e43e7c60c3c17846ede31bba328dfaf8abf513175f312a4263645db0f0797ca7f36d04f996680772264a63c1f76a2a2fe250aa0ca8e96122438bdd5b327e925742047f2b7d0fe3fa6ea07a10cd9a40f8994a95af505116131584c5fc247a7d69df08bfac1b5a23b7c157f + Prime2: 0xa7d5dcc534e67a60b918109b7b66cfad37de43b7d51025bfda4fbd30ee3a73362c879f1e251c47ed98a442b33bdcb2112e5aa2b160426e5d6a2c1bb22e104e6db75f0575d979e38146d89db8948500fad36b0875570b3f0ac5754440d14d4b47fa55b77b1d2b9033991c4a858256632759d22c80060d52957643aa8ed789231d + Exponent1: 0x80bd04ae0428441f406b9b260327e68362ac3795da3ed7efd95d7d6502f4942127c21b3fca5c7f8b764ea20c6d6eced93cb4afba86ff79e03510ef004f6c43197d6a4f17175418b1c08709b9616d7b2939221a9b6e4d6adaa1cfe0a97fc49c05160891180a5bb870e74e0360eb763add952c2fc539bea05d51d67916d252b8ff + Exponent2: 0x6fe3e8837899a6eb26100b1252448a737a942d2538b56e7fe6dfd375f426f779730514bec3682ff3bb182c777d3dcc0b743c6c76402c49939c1d67cc1eb5899e7a3f58f93ba697ab84906925b858ab51e2475af8e4b22a072e4e2d808b88dcdaa6e3cfa768c7b577bb6831ae56e4421a3be173000408e1b8f98271b48fb0c213 + Coefficient: 0x0a9ea0e995d8d635ac37b5d5f1121ecd4d6387262ea65ea969499ec4c7af9d7a79b256654bda5c972b6efaf5aba35d6790ce4db39258930488ddb2443d19c344312380bed3290f29f0ff5b0ce382622c849f3279f653a2b7c4cc8efbfc5098852fe39aee9da947e53ddfe58bb6b7bb02b693a1b1228dc0481b681d51865d0339 + } +# do not change the indenting of that "}" diff --git a/testing/tests/net2net-rsa/hosts/sun/etc/ipsec.conf b/testing/tests/net2net-rsa/hosts/sun/etc/ipsec.conf new file mode 100755 index 000000000..9626ef168 --- /dev/null +++ b/testing/tests/net2net-rsa/hosts/sun/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + leftnexthop=%direct + +conn net-net + left=PH_IP_SUN + leftsubnet=10.2.0.0/16 + leftid=@sun.strongswan.org + leftrsasigkey=0sAQOiSuR9e/WMZFOxK3IdaFBOT2DGoObFDJURejqLcjMpmY2yVbA9Lpc+AEGKxqjb37WG6sVo3fBCDBOAhgmMw9s0b6DTSeXaIQloqW1M8IC+xe1fT+F0BsW1ttaEN0WTF5H+J+a4/arYg4HyiA+sjoqHagnCVPM15Rm5mkmg913XmSCgtkenD4WUq+NfPLuOcggqTjHAAoGD0doswRa3sebyqHQNAb32PXW9ecKi9ExcPrdr5hR5uNXRMYGumBtoxcE6xEvCM/sPRK1hbyynixc5nfMQ5Ymb4mdCUotUGaCyKDa4pF58sYgP6xpd/HXMXGdRP+KxqA4sfes46gp8UuJT + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + rightrsasigkey=0sAQN+mkeECF5Bm7XnDkkkfmgny/TZndTkN1XzFZWB7nJroM3cTk3zMtdSPX8hY9GQxVGWSsmUBq7mGA5Qx39JpRNpyzxW7wRcMbwqDquG1PRfblLzV1ixdXOGSLUNaXonqDI/h5fCkqTuZtLbE4q3Pf4PmQAwzWVWaTZQ1gXXqUqKlN6218Hm2vbvNRE/CBHuFMmaCz11jckvaPvcqBLZzRTx9b/Mi+qD6xT7k9RpYHmtaGCJ95ed1bY6SZkapgHWu88/3M6bxCzD0KOA3oFbwlkHkFyaGWFB2+fc7L6BfYq0wr/d84tQdOxEn3BwLTrVKo7+6AxDrMi0I+blD2nd9cxj + auto=add diff --git a/testing/tests/net2net-rsa/hosts/sun/etc/ipsec.secrets b/testing/tests/net2net-rsa/hosts/sun/etc/ipsec.secrets new file mode 100644 index 000000000..bf976a8d3 --- /dev/null +++ b/testing/tests/net2net-rsa/hosts/sun/etc/ipsec.secrets @@ -0,0 +1,17 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA { + # RSA 2048 bits sun.strongswan.org Wed Dec 8 21:44:27 2004 + # for signatures only, UNSAFE FOR ENCRYPTION + #pubkey=0sAQOiSuR9e/WMZFOxK3IdaFBOT2DGoObFDJURejqLcjMpmY2yVbA9Lpc+AEGKxqjb37WG6sVo3fBCDBOAhgmMw9s0b6DTSeXaIQloqW1M8IC+xe1fT+F0BsW1ttaEN0WTF5H+J+a4/arYg4HyiA+sjoqHagnCVPM15Rm5mkmg913XmSCgtkenD4WUq+NfPLuOcggqTjHAAoGD0doswRa3sebyqHQNAb32PXW9ecKi9ExcPrdr5hR5uNXRMYGumBtoxcE6xEvCM/sPRK1hbyynixc5nfMQ5Ymb4mdCUotUGaCyKDa4pF58sYgP6xpd/HXMXGdRP+KxqA4sfes46gp8UuJT + Modulus: 0xa24ae47d7bf58c6453b12b721d68504e4f60c6a0e6c50c95117a3a8b723329998db255b03d2e973e00418ac6a8dbdfb586eac568ddf0420c138086098cc3db346fa0d349e5da210968a96d4cf080bec5ed5f4fe17406c5b5b6d6843745931791fe27e6b8fdaad88381f2880fac8e8a876a09c254f335e519b99a49a0f75dd79920a0b647a70f8594abe35f3cbb8e72082a4e31c0028183d1da2cc116b7b1e6f2a8740d01bdf63d75bd79c2a2f44c5c3eb76be61479b8d5d13181ae981b68c5c13ac44bc233fb0f44ad616f2ca78b17399df310e5899be26742528b5419a0b22836b8a45e7cb1880feb1a5dfc75cc5c67513fe2b1a80e2c7deb38ea0a7c52e253 + PublicExponent: 0x03 + # everything after this point is secret + PrivateExponent: 0x04eaff2a9726789e3114e24946b595d3d3dc250ca22500619bae5edd701110c697b0121c9d01696e7c21043490c0d83bcdc90dbd5c0f09c24e2aaeba78a1162860793cb4a9dfd274a614a638a27081e6f7ad8e0e96e8eeb7ee448fa49580941bb25e4ccf4d814c611373f49ba061690bdc6ce6dbc94f357ce69811bf0f40e780b643cbe7e076031f234e842b41bc10fb2d359617c64b434cb3dd4d9add91dcbcaef9fba1fb6f217a8ad65bde553bd2792c939ea8b5c0591598e7291597609a779a088e36c1ebe15ebb5e9a7774d9d9cd90913030b88e215f9e66fe0daafb198a3bb9d4e6277b625460ede2d84ce7f3334bf641829c826dbc1549625377c517db + Prime1: 0xfee3308b1f16875eeb4ca7ba6a9b8f9279eceff06531aae2bb50d2ccbf7f2b0901f2c5e046856c54c338f4b79943f8ad6d20a97fe0a48786cd659aff3f55e3a8c4c09cad526975180d1c2905ba028b58dd05a71d3a268153fae62eb5e9fe9184b20f9fbd626b14054c4acd7e2de69934d91cbf239c7a63c9d2721cd466df26eb + Prime2: 0xa3003cd898c297323377adeed7b4b214dc78e8bf0d9c2c0bef54ed53686547971847d7400e1d8055149ef6425e5241f28b43c8d52b48d281ae4fc7d0589ef8ad9ae95a05e2298cf679135cc0dd7378611e363380852313bfdc259cdb2543d5d1d1b492f6035ec72a2025529c5dff6995ad64b1b7dec3a3755a512073a50ba839 + Exponent1: 0xa9eccb076a0f04e9f2331a7c47125fb6fbf34aa0437671ec7ce08c887faa1cb0abf72e958458f2e32cd0a32510d7fb1e48c070ffeb185a59de43bcaa2a394270832b131e36f0f8bab3681b5926ac5ce5e8ae6f68d16f00e2a7441f23f1546103215fbfd396f20d58dd8733a973ef10cde6132a17bda6ed3136f6bde2ef3f6f47 + Exponent2: 0x6caad33b1081ba2177a51e9f3a7876b892fb45d4b3bd72b29f8df38cf043850f65853a2ab413aae36314a42c3ee1814c5cd7db38c785e1abc98a85359069fb1e67463c03ec1bb34efb623dd5e8f7a59614242255ae17627fe819133cc3828e8be1230ca4023f2f716ac38c683eaa4663c8edcbcfe9d7c24e3c3615a26e07c57b + Coefficient: 0xbf865c3ed94693c7f16e04fd73929d7b4a3a296d6113eb9b01e87d5cf3be71afa2f838a5a82a97b55e8309025214312edefd3b77c989054bf28ec81bf3989d698671cb64eac9f016cc136f6ab78ce4d5d3837198eea5ec8ed057ba8e0e6f240a60202171f65be992d7bcd54ee0f803e5bd6b8385223b55440e095b28f01bbd0a + } +# do not change the indenting of that "}" diff --git a/testing/tests/net2net-rsa/posttest.dat b/testing/tests/net2net-rsa/posttest.dat new file mode 100644 index 000000000..52979508d --- /dev/null +++ b/testing/tests/net2net-rsa/posttest.dat @@ -0,0 +1,6 @@ +moon::iptables -v -n -L +sun::iptables -v -n -L +moon::ipsec stop +sun::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +sun::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/net2net-rsa/pretest.dat b/testing/tests/net2net-rsa/pretest.dat new file mode 100644 index 000000000..9e40684ab --- /dev/null +++ b/testing/tests/net2net-rsa/pretest.dat @@ -0,0 +1,8 @@ +moon::/etc/init.d/iptables start 2> /dev/null +sun::/etc/init.d/iptables start 2> /dev/null +moon::rm /etc/ipsec.d/cacerts/* +sun::rm /etc/ipsec.d/cacerts/* +moon::ipsec start +sun::ipsec start +moon::sleep 2 +moon::ipsec up net-net diff --git a/testing/tests/net2net-rsa/test.conf b/testing/tests/net2net-rsa/test.conf new file mode 100644 index 000000000..f74d0f7d6 --- /dev/null +++ b/testing/tests/net2net-rsa/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" diff --git a/testing/tests/net2net-start/description.txt b/testing/tests/net2net-start/description.txt new file mode 100644 index 000000000..f5320685e --- /dev/null +++ b/testing/tests/net2net-start/description.txt @@ -0,0 +1,8 @@ +A tunnel connecting the subnets behind the gateways <b>moon</b> and <b>sun</b>, +respectively, is automatically established by means of the setting +<b>auto=start</b> in ipsec.conf. The connection is tested by client <b>alice</b> +behind gateway <b>moon</b> pinging the client <b>bob</b> located behind +gateway <b>sun</b>. +<p> +<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules +that let pass the tunneled traffic. diff --git a/testing/tests/net2net-start/evaltest.dat b/testing/tests/net2net-start/evaltest.dat new file mode 100644 index 000000000..7cbf92687 --- /dev/null +++ b/testing/tests/net2net-start/evaltest.dat @@ -0,0 +1,5 @@ +moon::ipsec status::net-net.*STATE_QUICK_I2.*IPsec SA established::YES +sun::ipsec status::net-net.*STATE_QUICK_R2.*IPsec SA established::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/net2net-start/hosts/moon/etc/ipsec.conf b/testing/tests/net2net-start/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..677955bc1 --- /dev/null +++ b/testing/tests/net2net-start/hosts/moon/etc/ipsec.conf @@ -0,0 +1,26 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + leftnexthop=%direct + +conn net-net + left=PH_IP_MOON + leftsubnet=10.1.0.0/16 + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftfirewall=yes + right=PH_IP_SUN + rightsubnet=10.2.0.0/16 + rightid=@sun.strongswan.org + auto=start diff --git a/testing/tests/net2net-start/posttest.dat b/testing/tests/net2net-start/posttest.dat new file mode 100644 index 000000000..52979508d --- /dev/null +++ b/testing/tests/net2net-start/posttest.dat @@ -0,0 +1,6 @@ +moon::iptables -v -n -L +sun::iptables -v -n -L +moon::ipsec stop +sun::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +sun::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/net2net-start/pretest.dat b/testing/tests/net2net-start/pretest.dat new file mode 100644 index 000000000..ed8f39316 --- /dev/null +++ b/testing/tests/net2net-start/pretest.dat @@ -0,0 +1,5 @@ +moon::/etc/init.d/iptables start 2> /dev/null +sun::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +sun::ipsec start +alice::sleep 12 diff --git a/testing/tests/net2net-start/test.conf b/testing/tests/net2net-start/test.conf new file mode 100644 index 000000000..d9a61590f --- /dev/null +++ b/testing/tests/net2net-start/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" diff --git a/testing/tests/no-priv-key/description.txt b/testing/tests/no-priv-key/description.txt new file mode 100644 index 000000000..21b8eccb1 --- /dev/null +++ b/testing/tests/no-priv-key/description.txt @@ -0,0 +1,4 @@ +This scenario tests whether the correct encrypted informational messages are +generated by the initiator <b>carol</b> and subsequently decoded by the +responder <b>moon</b> when roadwarrior <b>carol</b> finds out that she +doesn't have a private RSA key to sign her hash with. diff --git a/testing/tests/no-priv-key/evaltest.dat b/testing/tests/no-priv-key/evaltest.dat new file mode 100644 index 000000000..9bd85ba12 --- /dev/null +++ b/testing/tests/no-priv-key/evaltest.dat @@ -0,0 +1,4 @@ +carol::cat /var/log/auth.log::unable to locate my private key for RSA Signature::YES +moon::cat /var/log/auth.log::ignoring informational payload, type AUTHENTICATION_FAILED::YES +moon::ipsec status::rw.*STATE_MAIN_R3.*ISAKMP SA established::NO +carol::ipsec status::home.*STATE_MAIN_I4.*ISAKMP SA established::NO diff --git a/testing/tests/no-priv-key/hosts/carol/etc/ipsec.secrets b/testing/tests/no-priv-key/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..23b311aa6 --- /dev/null +++ b/testing/tests/no-priv-key/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +# missing private RSA key diff --git a/testing/tests/no-priv-key/posttest.dat b/testing/tests/no-priv-key/posttest.dat new file mode 100644 index 000000000..c6d6235f9 --- /dev/null +++ b/testing/tests/no-priv-key/posttest.dat @@ -0,0 +1,2 @@ +moon::ipsec stop +carol::ipsec stop diff --git a/testing/tests/no-priv-key/pretest.dat b/testing/tests/no-priv-key/pretest.dat new file mode 100644 index 000000000..d92333d86 --- /dev/null +++ b/testing/tests/no-priv-key/pretest.dat @@ -0,0 +1,4 @@ +moon::ipsec start +carol::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/no-priv-key/test.conf b/testing/tests/no-priv-key/test.conf new file mode 100644 index 000000000..2b240d895 --- /dev/null +++ b/testing/tests/no-priv-key/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/ocsp-revoked/description.txt b/testing/tests/ocsp-revoked/description.txt new file mode 100644 index 000000000..cbdd1305a --- /dev/null +++ b/testing/tests/ocsp-revoked/description.txt @@ -0,0 +1,7 @@ +By setting <b>strictcrlpolicy=yes</b> a <b>strict CRL policy</b> is enforced on +both roadwarrior <b>carol</b> and gateway <b>moon</b>. Thus when <b>carol</b> initiates +the connection and no current revocation information is available, the Main Mode +negotiation fails but an OCSP request issued to the OCSP server <b>winnetou</b>. +When the second Main Mode trial comes around the OCSP response will be available +but because the certificate presented by carol has been revoked, +the IKE negotatiation will fail.. diff --git a/testing/tests/ocsp-revoked/evaltest.dat b/testing/tests/ocsp-revoked/evaltest.dat new file mode 100644 index 000000000..f5286cb61 --- /dev/null +++ b/testing/tests/ocsp-revoked/evaltest.dat @@ -0,0 +1,6 @@ +moon::cat /var/log/auth.log::X.509 certificate rejected::YES +moon::cat /var/log/auth.log::certificate was revoked::YES +carol::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES +moon::ipsec listocsp:: revoked::YES +moon::ipsec status::rw.*STATE_MAIN_R3.*ISAKMP SA established::NO +carol::ipsec status::home.*STATE_MAIN_I4.*ISAKMP SA established::NO diff --git a/testing/tests/ocsp-revoked/hosts/carol/etc/ipsec.conf b/testing/tests/ocsp-revoked/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..7d4384767 --- /dev/null +++ b/testing/tests/ocsp-revoked/hosts/carol/etc/ipsec.conf @@ -0,0 +1,29 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=yes + +ca strongswan + cacert=strongswanCert.pem + ocspuri=http://ocsp.strongswan.org:8880 + auto=add + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolRevokedCert.pem + leftid=carol@strongswan.org + +conn home + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ocsp-revoked/hosts/carol/etc/ipsec.d/certs/carolRevokedCert.pem b/testing/tests/ocsp-revoked/hosts/carol/etc/ipsec.d/certs/carolRevokedCert.pem new file mode 100644 index 000000000..5b742fc9e --- /dev/null +++ b/testing/tests/ocsp-revoked/hosts/carol/etc/ipsec.d/certs/carolRevokedCert.pem @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEIjCCAwqgAwIBAgIBBzANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA0MDkxMDExMjU0OFoXDTA5MDkwOTExMjU0OFowWjELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh +cmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcN +AQEBBQADggEPADCCAQoCggEBAM5413q1B2EF3spcYD1u0ce9AtIHdxmU3+1E0hqV +mLqpIQtyp4SLbrRunxpoVUuEpHWXgLb3C/ljjlKCMWWmhw4wja1rBTjMNJLPj6Bo +5Qn4Oeuqm7/kLHPGbveQGtcSsJCk6iLqFTbq0wsji5Ogq7kmjWgQv0nM2jpofHLv +VOAtWVSj+x2b3OHdl/WpgTgTw1HHjYo7/NOkARdTcZ2/wxxM3z1Abp9iylc45GLN +IL/OzHkT8b5pdokdMvVijz8IslkkewJYXrVQaCNMZg/ydlXOOAEKz0YqnvXQaYs5 +K+s8XvQ2RFCr5oO0fRT2VbiI9TgHnbcnfUi25iHl6txsXg0CAwEAAaOCAQYwggEC +MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgOoMB0GA1UdDgQWBBTbA2TH3ca8tgCGkYy9 +OV/MqUTHAzBtBgNVHSMEZjBkgBRdp91wBlEyfue2bbO15eBg6i5N76FJpEcwRTEL +MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMT +EnN0cm9uZ1N3YW4gUm9vdCBDQYIBADAfBgNVHREEGDAWgRRjYXJvbEBzdHJvbmdz +d2FuLm9yZzA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4u +b3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBBAUAA4IBAQC9acuCUPEBOrWB +56vS8N9bksQwv/XcYIFYqV73kFBAzOPLX2a9igFGvBPdCxFu/t8JCswzE6to4LFM +2+6Z2QJf442CLPcJKxITahrjJXSxGbzMlmaDvZ5wFCJAlyin+yuInpTwl8rMZe/Q +O5JeJjzGDgWJtnGdkLUk/l2r6sZ/Cmk5rZpuO0hcUHVztMLQYPzqTpuMvC5p4JzL +LWGWhKRhJs53NmxXXodck/ZgaqiTWuQFYlbamJRvzVBfX7c1SWHRJvxSSOPKGIg3 +wphkO2naj/SQD+BNuWTRmZ9YCiLOQ64ybLpJzRZISETdqtLBPKsIqosUZwkxlR1N +9IcgYi5x +-----END CERTIFICATE----- diff --git a/testing/tests/ocsp-revoked/hosts/carol/etc/ipsec.d/private/carolRevokedKey.pem b/testing/tests/ocsp-revoked/hosts/carol/etc/ipsec.d/private/carolRevokedKey.pem new file mode 100644 index 000000000..8aefcc5a6 --- /dev/null +++ b/testing/tests/ocsp-revoked/hosts/carol/etc/ipsec.d/private/carolRevokedKey.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAznjXerUHYQXeylxgPW7Rx70C0gd3GZTf7UTSGpWYuqkhC3Kn +hItutG6fGmhVS4SkdZeAtvcL+WOOUoIxZaaHDjCNrWsFOMw0ks+PoGjlCfg566qb +v+Qsc8Zu95Aa1xKwkKTqIuoVNurTCyOLk6CruSaNaBC/SczaOmh8cu9U4C1ZVKP7 +HZvc4d2X9amBOBPDUceNijv806QBF1Nxnb/DHEzfPUBun2LKVzjkYs0gv87MeRPx +vml2iR0y9WKPPwiyWSR7AlhetVBoI0xmD/J2Vc44AQrPRiqe9dBpizkr6zxe9DZE +UKvmg7R9FPZVuIj1OAedtyd9SLbmIeXq3GxeDQIDAQABAoIBAAUdyXko8z3cP2EU +WO4syNYCQQejV7gykDn48pvmCRrXBhKajLwkGGIwO5ET9MkiSFEBqBbgmFNdvDEf +OMokDkSzv08Ez+RQax0YN57p+oL8u7KzT5i5tsBHsog/8epSdD2hWIv08QGjYAdu +og7OdHLqGabyg0r44I+B91OBysCjU51rDdkhz59AmURdEIJV5xhuGojFM68jaNm2 +MUxDfDuCsRIydjAP0VTUTAUxD4/S5I+jt/GK9aRsEeRH9Q3011iTGMR9viAUBhq/ +khkWNltg9lkOqO7LpnNku4sSv3v4CWge7/T+4RR2vZgv1oSs4ox2UKYoqIqiYIfx +uUcnqQECgYEA+LPiRMoXvlssQWlaFc2k4xga0efs+mWeLglDdc3R3fBEibP/AU07 +a576AgvUJtkI50/WNGKT73O+VtxcXn/N646m/8OtqNXuVKKjsxxNOZEKdO8aOdbt +7lM5WepNiQeaKAFudUxpUiZQx8LCKSsNDiJZKWBu6xAG2O5X32VMZvUCgYEA1Ie+ +rNa490PSC1ym7WbmdAjvGmSOn2GOBfO7BECsPZstccU7D5pZl/89fTfn1TDKP49Y +ScVOuFz7f/u6UJpb/WzI71RXEQOdojLWmF2HDx5osRi3hXEJa20fbPq6DQXCJ8pf +IF37AEqAY4UNSNic0Cw+rGHdWPQhDNXhFWpdu7kCgYEAmv4oNmyoDXbuhrlsbggi +CXE9TbG3a3mm8dPOGf2yHBmf7R2i/6GtNW33Kw1KIwfBV77WpQEGZwWACsv8ONx3 +baUSiHTfpkfk5xQQ5w/tRMISfTuB4agD0jJFnLa7qXl2ZhY2S53aSVsdntDOhi+R +TEy1umah2Za8Xbd0RgHwcn0CgYEAl9Hgg9dfikMIaNVm6W/4cCtxoojy2Sf3LIlP +r1oDsH6JmBwsdJjuJ4ZNhoXJNqID2COuDgTEly7U+jf4gFvEGuT7JPw6tgy/Ln7i +jTVCpaozX08oykpVUEhDirYQ8fyLFaGbEqQQCcUusej59G/IlW0F2F6QoFrEwUaH +46R4EQECgYBEZ7edMkj3dmJH1wxQjp5GJNbrJkS8IKvzza0mDTJdz33CgEX9Oyva +o2iEkDVpvj2SEy28ewt22IRptWKH/3bQfxSCcRV6JFNt3+LongMshRYqq1leqrKa +9fnQVtfTIbIVXwjTZap6BL8R66OeFtexsSFRfDF/8P4n2oF4zmn4qA== +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/ocsp-revoked/hosts/carol/etc/ipsec.secrets b/testing/tests/ocsp-revoked/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..8e31be4cb --- /dev/null +++ b/testing/tests/ocsp-revoked/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA carolRevokedKey.pem diff --git a/testing/tests/ocsp-revoked/hosts/moon/etc/ipsec.conf b/testing/tests/ocsp-revoked/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..7134b6ee9 --- /dev/null +++ b/testing/tests/ocsp-revoked/hosts/moon/etc/ipsec.conf @@ -0,0 +1,40 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=yes + +ca strongswan + cacert=strongswanCert.pem + ocspuri=http://ocsp.strongswan.org:8880 + auto=add + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_MOON + leftnexthop=%direct + leftcert=moonCert.pem + leftid=@moon.strongswan.org + +conn net-net + leftsubnet=10.1.0.0/16 + right=PH_IP_SUN + rightsubnet=10.2.0.0/16 + rightid=@sun.strongswan.org + auto=add + +conn host-host + right=PH_IP_SUN + rightid=@sun.strongswan.org + auto=add + +conn rw + leftsubnet=10.1.0.0/16 + right=%any + auto=add diff --git a/testing/tests/ocsp-revoked/posttest.dat b/testing/tests/ocsp-revoked/posttest.dat new file mode 100644 index 000000000..d883459e7 --- /dev/null +++ b/testing/tests/ocsp-revoked/posttest.dat @@ -0,0 +1,5 @@ +moon::ipsec stop +carol::ipsec stop +winnetou::killall openssl +carol::rm /etc/ipsec.d/private/* +carol::rm /etc/ipsec.d/certs/* diff --git a/testing/tests/ocsp-revoked/pretest.dat b/testing/tests/ocsp-revoked/pretest.dat new file mode 100644 index 000000000..d5516fd3b --- /dev/null +++ b/testing/tests/ocsp-revoked/pretest.dat @@ -0,0 +1,5 @@ +winnetou::/etc/openssl/start-ocsp +moon::ipsec start +carol::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/ocsp-revoked/test.conf b/testing/tests/ocsp-revoked/test.conf new file mode 100644 index 000000000..2b240d895 --- /dev/null +++ b/testing/tests/ocsp-revoked/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/ocsp-strict/description.txt b/testing/tests/ocsp-strict/description.txt new file mode 100644 index 000000000..7cb983140 --- /dev/null +++ b/testing/tests/ocsp-strict/description.txt @@ -0,0 +1,6 @@ +By setting <b>strictcrlpolicy=yes</b> a <b>strict CRL policy</b> is enforced on +both roadwarrior <b>carol</b> and gateway <b>moon</b>. Thus when <b>carol</b> initiates +the connection and no current revocation information is available, the Main Mode +negotiation fails but an OCSP request is issued to the OCSP server <b>winnetou</b>. +When the second Main Mode trial comes around, the OCSP response will be available +and the IKE negotiation completes. diff --git a/testing/tests/ocsp-strict/evaltest.dat b/testing/tests/ocsp-strict/evaltest.dat new file mode 100644 index 000000000..66b27aaac --- /dev/null +++ b/testing/tests/ocsp-strict/evaltest.dat @@ -0,0 +1,8 @@ +moon::cat /var/log/auth.log::X.509 certificate rejected::YES +carol::cat /var/log/auth.log::X.509 certificate rejected::YES +moon::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES +carol::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec listocsp:: good::YES +carol::ipsec listocsp:: good::YES diff --git a/testing/tests/ocsp-strict/hosts/carol/etc/ipsec.conf b/testing/tests/ocsp-strict/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..b34719401 --- /dev/null +++ b/testing/tests/ocsp-strict/hosts/carol/etc/ipsec.conf @@ -0,0 +1,29 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=yes + +ca strongswan + cacert=strongswanCert.pem + ocspuri=http://ocsp.strongswan.org:8880 + auto=add + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolCert.pem + leftid=carol@strongswan.org + +conn home + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ocsp-strict/hosts/moon/etc/ipsec.conf b/testing/tests/ocsp-strict/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..7134b6ee9 --- /dev/null +++ b/testing/tests/ocsp-strict/hosts/moon/etc/ipsec.conf @@ -0,0 +1,40 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=yes + +ca strongswan + cacert=strongswanCert.pem + ocspuri=http://ocsp.strongswan.org:8880 + auto=add + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_MOON + leftnexthop=%direct + leftcert=moonCert.pem + leftid=@moon.strongswan.org + +conn net-net + leftsubnet=10.1.0.0/16 + right=PH_IP_SUN + rightsubnet=10.2.0.0/16 + rightid=@sun.strongswan.org + auto=add + +conn host-host + right=PH_IP_SUN + rightid=@sun.strongswan.org + auto=add + +conn rw + leftsubnet=10.1.0.0/16 + right=%any + auto=add diff --git a/testing/tests/ocsp-strict/posttest.dat b/testing/tests/ocsp-strict/posttest.dat new file mode 100644 index 000000000..117f625f6 --- /dev/null +++ b/testing/tests/ocsp-strict/posttest.dat @@ -0,0 +1,3 @@ +moon::ipsec stop +carol::ipsec stop +winnetou::killall openssl diff --git a/testing/tests/ocsp-strict/pretest.dat b/testing/tests/ocsp-strict/pretest.dat new file mode 100644 index 000000000..d5516fd3b --- /dev/null +++ b/testing/tests/ocsp-strict/pretest.dat @@ -0,0 +1,5 @@ +winnetou::/etc/openssl/start-ocsp +moon::ipsec start +carol::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/ocsp-strict/test.conf b/testing/tests/ocsp-strict/test.conf new file mode 100644 index 000000000..2b240d895 --- /dev/null +++ b/testing/tests/ocsp-strict/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/protoport-dual/description.txt b/testing/tests/protoport-dual/description.txt new file mode 100644 index 000000000..7bed8b959 --- /dev/null +++ b/testing/tests/protoport-dual/description.txt @@ -0,0 +1,6 @@ +Using the <b>left|rightprotoport</b> selectors, two IPsec tunnels +between the roadwarrior <b>carol</b> and the gateway <b>moon</b> are +defined. The first IPsec SA is restricted to ICMP packets and the second +covers TCP-based SSH connections. The established tunnels are tested +by <b>carol</b> by first pinging <b>alice</b> behind <b>moon</b> and +then setting up an SSH session to the same client. diff --git a/testing/tests/protoport-dual/evaltest.dat b/testing/tests/protoport-dual/evaltest.dat new file mode 100644 index 000000000..625c8c54c --- /dev/null +++ b/testing/tests/protoport-dual/evaltest.dat @@ -0,0 +1,7 @@ +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +carol::ping -c 1 PH_IP1_MOON::64 bytes from PH_IP1_MOON: icmp_seq=1::YES +carol::ssh -o ConnectTimeout=5 PH_IP_ALICE hostname::alice::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/protoport-dual/hosts/carol/etc/ipsec.conf b/testing/tests/protoport-dual/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..9e05ecf61 --- /dev/null +++ b/testing/tests/protoport-dual/hosts/carol/etc/ipsec.conf @@ -0,0 +1,31 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add + +conn home-icmp + leftprotoport=icmp + rightprotoport=icmp + +conn home-ssh + leftprotoport=tcp + rightprotoport=tcp/ssh diff --git a/testing/tests/protoport-dual/hosts/moon/etc/ipsec.conf b/testing/tests/protoport-dual/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..84b9b0ba3 --- /dev/null +++ b/testing/tests/protoport-dual/hosts/moon/etc/ipsec.conf @@ -0,0 +1,31 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_MOON + leftnexthop=%direct + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftfirewall=yes + leftsubnet=10.1.0.0/16 + right=%any + auto=add + +conn rw-icmp + lefthostaccess=yes + leftprotoport=icmp + rightprotoport=icmp + +conn rw-ssh + leftprotoport=tcp/ssh + rightprotoport=tcp diff --git a/testing/tests/protoport-dual/posttest.dat b/testing/tests/protoport-dual/posttest.dat new file mode 100644 index 000000000..26848212b --- /dev/null +++ b/testing/tests/protoport-dual/posttest.dat @@ -0,0 +1,6 @@ +moon::iptables -v -n -L +carol::iptables -v -n -L +moon::ipsec stop +carol::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/protoport-dual/pretest.dat b/testing/tests/protoport-dual/pretest.dat new file mode 100644 index 000000000..d3d0061c3 --- /dev/null +++ b/testing/tests/protoport-dual/pretest.dat @@ -0,0 +1,7 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +carol::ipsec start +carol::sleep 2 +carol::ipsec up home-icmp +carol::ipsec up home-ssh diff --git a/testing/tests/protoport-dual/test.conf b/testing/tests/protoport-dual/test.conf new file mode 100644 index 000000000..9cd583b16 --- /dev/null +++ b/testing/tests/protoport-dual/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/protoport-pass/description.txt b/testing/tests/protoport-pass/description.txt new file mode 100644 index 000000000..63744fa47 --- /dev/null +++ b/testing/tests/protoport-pass/description.txt @@ -0,0 +1,13 @@ +The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>. +Using the <b>left|rightprotoport</b> selectors, the IPsec tunnel is +restricted to the ICMP protocol. Upon the successful establishment of the +IPsec tunnel, <b>firewall=yes</b> automatically inserts iptables-based +firewall rules that let pass the tunneled ICMP traffic. In order to test +both tunnel and firewall, <b>carol</b> pings the client <b>alice</b> behind +the gateway <b>moon</b> as well as the inner interface of the gateway. +For the latter ping <b>lefthostaccess=yes</b> is required. +<p> +By default, the native IPsec stack of the Linux 2.6 kernel transmits +protocols and ports not covered by any IPsec SA in the clear. Thus by +selectively opening the firewalls, <b>carol</b> sets up an SSH session to +<b>alice</b> that is not going through the tunnel. diff --git a/testing/tests/protoport-pass/evaltest.dat b/testing/tests/protoport-pass/evaltest.dat new file mode 100644 index 000000000..625c8c54c --- /dev/null +++ b/testing/tests/protoport-pass/evaltest.dat @@ -0,0 +1,7 @@ +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +carol::ping -c 1 PH_IP1_MOON::64 bytes from PH_IP1_MOON: icmp_seq=1::YES +carol::ssh -o ConnectTimeout=5 PH_IP_ALICE hostname::alice::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/protoport-pass/hosts/carol/etc/ipsec.conf b/testing/tests/protoport-pass/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..ade7308f6 --- /dev/null +++ b/testing/tests/protoport-pass/hosts/carol/etc/ipsec.conf @@ -0,0 +1,27 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn home-icmp + left=PH_IP_CAROL + leftnexthop=%direct + leftid=carol@strongswan.org + leftcert=carolCert.pem + leftprotoport=icmp + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightprotoport=icmp + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/protoport-pass/hosts/moon/etc/ipsec.conf b/testing/tests/protoport-pass/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..fd67e2b4b --- /dev/null +++ b/testing/tests/protoport-pass/hosts/moon/etc/ipsec.conf @@ -0,0 +1,27 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn rw-icmp + left=PH_IP_MOON + leftnexthop=%direct + leftsubnet=10.1.0.0/16 + leftprotoport=icmp + leftid=@moon.strongswan.org + leftcert=moonCert.pem + leftfirewall=yes + lefthostaccess=yes + right=%any + rightprotoport=icmp + auto=add diff --git a/testing/tests/protoport-pass/posttest.dat b/testing/tests/protoport-pass/posttest.dat new file mode 100644 index 000000000..26848212b --- /dev/null +++ b/testing/tests/protoport-pass/posttest.dat @@ -0,0 +1,6 @@ +moon::iptables -v -n -L +carol::iptables -v -n -L +moon::ipsec stop +carol::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/protoport-pass/pretest.dat b/testing/tests/protoport-pass/pretest.dat new file mode 100644 index 000000000..13b4ad4a0 --- /dev/null +++ b/testing/tests/protoport-pass/pretest.dat @@ -0,0 +1,10 @@ +moon::/etc/init.d/iptables start 2> /dev/null +moon::iptables -I FORWARD -i eth0 -p tcp -d 10.1.0.0/16 --dport ssh -jACCEPT +moon::iptables -I FORWARD -o eth0 -p tcp -s 10.1.0.0/16 --sport ssh -jACCEPT +carol::/etc/init.d/iptables start 2> /dev/null +carol::iptables -I INPUT -i eth0 -p tcp -s 10.1.0.0/16 --sport ssh -d PH_IP_CAROL -jACCEPT +carol::iptables -I OUTPUT -o eth0 -p tcp -d 10.1.0.0/16 --dport ssh -s PH_IP_CAROL -jACCEPT +moon::ipsec start +carol::ipsec start +carol::sleep 2 +carol::ipsec up home-icmp diff --git a/testing/tests/protoport-pass/test.conf b/testing/tests/protoport-pass/test.conf new file mode 100644 index 000000000..9cd583b16 --- /dev/null +++ b/testing/tests/protoport-pass/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/protoport-route/description.txt b/testing/tests/protoport-route/description.txt new file mode 100644 index 000000000..ec7ec69b0 --- /dev/null +++ b/testing/tests/protoport-route/description.txt @@ -0,0 +1,8 @@ +Using the <b>left|rightprotoport</b> selectors, two IPsec tunnels +between the roadwarrior <b>carol</b> and the gateway <b>moon</b> are +defined. The first IPsec SA is restricted to ICMP packets and the second +covers TCP-based SSH connections. Using <b>add=route</b> %trap +eroutes for these IPsec SAs are prepared on <b>carol</b>. By sending +a ping to the client <b>alice</b> behind <b>moon</b>, the ICMP eroute +is triggered and the corresponding IPsec tunnel is set up. In the same +way an ssh session to <b>alice</b> over the second IPsec SA is established. diff --git a/testing/tests/protoport-route/evaltest.dat b/testing/tests/protoport-route/evaltest.dat new file mode 100644 index 000000000..8f3eb208f --- /dev/null +++ b/testing/tests/protoport-route/evaltest.dat @@ -0,0 +1,8 @@ +carol::ping -c 2 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq::YES +carol::ping -c 2 PH_IP1_MOON::64 bytes from PH_IP1_MOON: icmp_seq::YES +carol::ssh PH_IP_ALICE hostname::alice::YES +carol::cat /var/log/auth.log::initiate on demand::YES +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/protoport-route/hosts/carol/etc/ipsec.conf b/testing/tests/protoport-route/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..31c25c12f --- /dev/null +++ b/testing/tests/protoport-route/hosts/carol/etc/ipsec.conf @@ -0,0 +1,31 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=route + +conn home-icmp + leftprotoport=icmp + rightprotoport=icmp + +conn home-ssh + leftprotoport=tcp + rightprotoport=tcp/ssh diff --git a/testing/tests/protoport-route/hosts/moon/etc/ipsec.conf b/testing/tests/protoport-route/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..84b9b0ba3 --- /dev/null +++ b/testing/tests/protoport-route/hosts/moon/etc/ipsec.conf @@ -0,0 +1,31 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_MOON + leftnexthop=%direct + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftfirewall=yes + leftsubnet=10.1.0.0/16 + right=%any + auto=add + +conn rw-icmp + lefthostaccess=yes + leftprotoport=icmp + rightprotoport=icmp + +conn rw-ssh + leftprotoport=tcp/ssh + rightprotoport=tcp diff --git a/testing/tests/protoport-route/posttest.dat b/testing/tests/protoport-route/posttest.dat new file mode 100644 index 000000000..26848212b --- /dev/null +++ b/testing/tests/protoport-route/posttest.dat @@ -0,0 +1,6 @@ +moon::iptables -v -n -L +carol::iptables -v -n -L +moon::ipsec stop +carol::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/protoport-route/pretest.dat b/testing/tests/protoport-route/pretest.dat new file mode 100644 index 000000000..f233ad48f --- /dev/null +++ b/testing/tests/protoport-route/pretest.dat @@ -0,0 +1,6 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +carol::ipsec start +carol::sleep 2 +carol::ssh PH_IP_ALICE hostname diff --git a/testing/tests/protoport-route/test.conf b/testing/tests/protoport-route/test.conf new file mode 100644 index 000000000..9cd583b16 --- /dev/null +++ b/testing/tests/protoport-route/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/req-pkcs10/description.txt b/testing/tests/req-pkcs10/description.txt new file mode 100644 index 000000000..a958cb8e8 --- /dev/null +++ b/testing/tests/req-pkcs10/description.txt @@ -0,0 +1,11 @@ +Both the roadwarrior <b>carol</b> and the gateway <b>moon</b> generate a +PKCS#1 RSA private key and a PKCS#10 certificate request using the +<b>ipsec scepclient</b> function. Because the UML testing environment +does not offer enough entropy, the non-blocking /dev/urandom device is +used in place of /dev/random for generating the random primes. +<p> +The certificate requests are copied to <b>winnetou</b> where a certification +authority based on OpenSSL issues X.509 certificates by verifying and +signing the PCKS#10 requests. The certificates are then copied back to +the corresponding hosts and used to set up a road warrior connection +initiated by <b>carol</b> diff --git a/testing/tests/req-pkcs10/evaltest.dat b/testing/tests/req-pkcs10/evaltest.dat new file mode 100644 index 000000000..c7657801e --- /dev/null +++ b/testing/tests/req-pkcs10/evaltest.dat @@ -0,0 +1,5 @@ +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/req-pkcs10/hosts/carol/etc/ipsec.conf b/testing/tests/req-pkcs10/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..58e2f1e5b --- /dev/null +++ b/testing/tests/req-pkcs10/hosts/carol/etc/ipsec.conf @@ -0,0 +1,29 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn home + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=myCert.pem + leftid=carol@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add + + + + diff --git a/testing/tests/req-pkcs10/hosts/carol/etc/ipsec.secrets b/testing/tests/req-pkcs10/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..167d743df --- /dev/null +++ b/testing/tests/req-pkcs10/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA myKey.der diff --git a/testing/tests/req-pkcs10/hosts/carol/etc/scepclient.conf b/testing/tests/req-pkcs10/hosts/carol/etc/scepclient.conf new file mode 100644 index 000000000..6afd3fa11 --- /dev/null +++ b/testing/tests/req-pkcs10/hosts/carol/etc/scepclient.conf @@ -0,0 +1,3 @@ +--debug-control +--out pkcs1 +--out pkcs10 diff --git a/testing/tests/req-pkcs10/hosts/moon/etc/ipsec.secrets b/testing/tests/req-pkcs10/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..b9ec17dbc --- /dev/null +++ b/testing/tests/req-pkcs10/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA moonKey.der diff --git a/testing/tests/req-pkcs10/hosts/moon/etc/scepclient.conf b/testing/tests/req-pkcs10/hosts/moon/etc/scepclient.conf new file mode 100644 index 000000000..da8177348 --- /dev/null +++ b/testing/tests/req-pkcs10/hosts/moon/etc/scepclient.conf @@ -0,0 +1,4 @@ +--debug-control +--keylength 2064 +--out pkcs1=moonKey.der +--out pkcs10=moonReq.der diff --git a/testing/tests/req-pkcs10/hosts/winnetou/etc/openssl/yy.txt b/testing/tests/req-pkcs10/hosts/winnetou/etc/openssl/yy.txt new file mode 100644 index 000000000..9b48ee4cf --- /dev/null +++ b/testing/tests/req-pkcs10/hosts/winnetou/etc/openssl/yy.txt @@ -0,0 +1,2 @@ +y +y diff --git a/testing/tests/req-pkcs10/posttest.dat b/testing/tests/req-pkcs10/posttest.dat new file mode 100644 index 000000000..534e3af20 --- /dev/null +++ b/testing/tests/req-pkcs10/posttest.dat @@ -0,0 +1,13 @@ +moon::iptables -v -n -L +carol::iptables -v -n -L +moon::ipsec stop +carol::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +carol::rm /etc/ipsec.d/private/* +carol::rm /etc/ipsec.d/certs/* +carol::rm /etc/ipsec.d/reqs/* +moon::rm /etc/ipsec.d/private/* +moon::rm /etc/ipsec.d/reqs/* +winnetou::rm /etc/openssl/carol* +winnetou::rm /etc/openssl/moon* diff --git a/testing/tests/req-pkcs10/pretest.dat b/testing/tests/req-pkcs10/pretest.dat new file mode 100644 index 000000000..18b8b16e6 --- /dev/null +++ b/testing/tests/req-pkcs10/pretest.dat @@ -0,0 +1,22 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +carol::rm /etc/ipsec.d/private/* +carol::rm /etc/ipsec.d/certs/* +carol::cat /etc/scepclient.conf +carol::ipsec scepclient --dn \"C=CH, O=Linux strongSwan, CN=carol@strongswan.org\" --optionsfrom /etc/scepclient.conf +winnetou::scp carol:/etc/ipsec.d/reqs/myReq.der /etc/openssl/carolReq.der +winnetou::openssl req -inform der -in /etc/openssl/carolReq.der -out /etc/openssl/carolReq.pem +winnetou::cd /etc/openssl; COMMON_NAME="carol@strongswan.org" openssl ca -in carolReq.pem -out carolCert.pem -notext -config openssl.cnf -extensions user_ext < yy.txt +winnetou::scp /etc/openssl/carolCert.pem carol:/etc/ipsec.d/certs/myCert.pem +moon::rm /etc/ipsec.d/private/* +moon::rm /etc/ipsec.d/certs/* +moon::cat /etc/scepclient.conf +moon::ipsec scepclient --dn \"C=CH, O=Linux strongSwan, SN=01, CN=moon.strongswan.org\" --optionsfrom /etc/scepclient.conf +winnetou::scp moon:/etc/ipsec.d/reqs/moonReq.der /etc/openssl/ +winnetou::openssl req -inform der -in /etc/openssl/moonReq.der -out /etc/openssl/moonReq.pem +winnetou::cd /etc/openssl; COMMON_NAME="moon.strongswan.org" openssl ca -in moonReq.pem -out moonCert.pem -notext -config openssl.cnf -extensions host_ext < yy.txt +winnetou::scp /etc/openssl/moonCert.pem moon:/etc/ipsec.d/certs/ +carol::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/req-pkcs10/test.conf b/testing/tests/req-pkcs10/test.conf new file mode 100644 index 000000000..9cd583b16 --- /dev/null +++ b/testing/tests/req-pkcs10/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/rw-cert/description.txt b/testing/tests/rw-cert/description.txt new file mode 100644 index 000000000..8df6b1c0d --- /dev/null +++ b/testing/tests/rw-cert/description.txt @@ -0,0 +1,6 @@ +The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>. +The authentication is based on <b>X.509 certificates</b>. Upon the successful +establishment of the IPsec tunnel, <b>leftfirewall=yes</b> automatically +inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, <b>carol</b> pings the client +<b>alice</b> behind the gateway <b>moon</b>. diff --git a/testing/tests/rw-cert/evaltest.dat b/testing/tests/rw-cert/evaltest.dat new file mode 100644 index 000000000..c7657801e --- /dev/null +++ b/testing/tests/rw-cert/evaltest.dat @@ -0,0 +1,5 @@ +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/rw-cert/posttest.dat b/testing/tests/rw-cert/posttest.dat new file mode 100644 index 000000000..26848212b --- /dev/null +++ b/testing/tests/rw-cert/posttest.dat @@ -0,0 +1,6 @@ +moon::iptables -v -n -L +carol::iptables -v -n -L +moon::ipsec stop +carol::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/rw-cert/pretest.dat b/testing/tests/rw-cert/pretest.dat new file mode 100644 index 000000000..bd68efb0b --- /dev/null +++ b/testing/tests/rw-cert/pretest.dat @@ -0,0 +1,6 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +carol::ipsec start +moon::ipsec start +sleep 2 +carol::ipsec up home diff --git a/testing/tests/rw-cert/test.conf b/testing/tests/rw-cert/test.conf new file mode 100644 index 000000000..9cd583b16 --- /dev/null +++ b/testing/tests/rw-cert/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/rw-psk-fqdn-named/description.txt b/testing/tests/rw-psk-fqdn-named/description.txt new file mode 100644 index 000000000..adfab2f4d --- /dev/null +++ b/testing/tests/rw-psk-fqdn-named/description.txt @@ -0,0 +1,11 @@ +The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>. The authentication is +based on <b>Preshared Keys</b> (PSK) and <b>Fully Qualified Domain Names</b> (ID_FQDN). +<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass the +tunneled traffic. In order to test the tunnel <b>carol</b> pings the client <b>alice</b> behind +the gateway <b>moon</b>. +<p> +The significant difference between this scenario and the test +<a href="../rw-psk-fqdn"><b>rw-psk-fqdn</b></a> +is the additional line <b>rightid=@carol.strongswan.org</b> by which gateway +<b>moon</b> restricts the roadwarrior connection to host <b>carol</b>. +</p> diff --git a/testing/tests/rw-psk-fqdn-named/evaltest.dat b/testing/tests/rw-psk-fqdn-named/evaltest.dat new file mode 100644 index 000000000..c7657801e --- /dev/null +++ b/testing/tests/rw-psk-fqdn-named/evaltest.dat @@ -0,0 +1,5 @@ +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/rw-psk-fqdn-named/hosts/carol/etc/ipsec.conf b/testing/tests/rw-psk-fqdn-named/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..da5e198a8 --- /dev/null +++ b/testing/tests/rw-psk-fqdn-named/hosts/carol/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + authby=secret + leftnexthop=%direct + +conn home + left=PH_IP_CAROL + leftid=@carol.strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/rw-psk-fqdn-named/hosts/carol/etc/ipsec.secrets b/testing/tests/rw-psk-fqdn-named/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..db3884e57 --- /dev/null +++ b/testing/tests/rw-psk-fqdn-named/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,7 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +@carol.strongswan.org @moon.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL + + + + diff --git a/testing/tests/rw-psk-fqdn-named/hosts/moon/etc/ipsec.conf b/testing/tests/rw-psk-fqdn-named/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..c32dfaf9b --- /dev/null +++ b/testing/tests/rw-psk-fqdn-named/hosts/moon/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + authby=secret + leftnexthop=%direct + +conn rw-carol + left=PH_IP_MOON + leftsubnet=10.1.0.0/16 + leftid=@moon.strongswan.org + leftfirewall=yes + right=%any + rightid=@carol.strongswan.org + auto=add diff --git a/testing/tests/rw-psk-fqdn-named/hosts/moon/etc/ipsec.secrets b/testing/tests/rw-psk-fqdn-named/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..6281340ae --- /dev/null +++ b/testing/tests/rw-psk-fqdn-named/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,7 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +@moon.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL + + + + diff --git a/testing/tests/rw-psk-fqdn-named/posttest.dat b/testing/tests/rw-psk-fqdn-named/posttest.dat new file mode 100644 index 000000000..26848212b --- /dev/null +++ b/testing/tests/rw-psk-fqdn-named/posttest.dat @@ -0,0 +1,6 @@ +moon::iptables -v -n -L +carol::iptables -v -n -L +moon::ipsec stop +carol::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/rw-psk-fqdn-named/pretest.dat b/testing/tests/rw-psk-fqdn-named/pretest.dat new file mode 100644 index 000000000..dbf03f552 --- /dev/null +++ b/testing/tests/rw-psk-fqdn-named/pretest.dat @@ -0,0 +1,8 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +moon::rm /etc/ipsec.d/cacerts/* +carol::rm /etc/ipsec.d/cacerts/* +carol::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/rw-psk-fqdn-named/test.conf b/testing/tests/rw-psk-fqdn-named/test.conf new file mode 100644 index 000000000..9cd583b16 --- /dev/null +++ b/testing/tests/rw-psk-fqdn-named/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/rw-psk-fqdn/description.txt b/testing/tests/rw-psk-fqdn/description.txt new file mode 100644 index 000000000..d6c79afb2 --- /dev/null +++ b/testing/tests/rw-psk-fqdn/description.txt @@ -0,0 +1,5 @@ +The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>. The authentication is +based on <b>Preshared Keys</b> (PSK) and <b>Fully Qualified Domain Names</b> (ID_FQDN). +<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass the +tunneled traffic. In order to test the tunnel <b>carol</b> pings the client <b>alice</b> behind +the gateway <b>moon</b>. diff --git a/testing/tests/rw-psk-fqdn/evaltest.dat b/testing/tests/rw-psk-fqdn/evaltest.dat new file mode 100644 index 000000000..c7657801e --- /dev/null +++ b/testing/tests/rw-psk-fqdn/evaltest.dat @@ -0,0 +1,5 @@ +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/rw-psk-fqdn/hosts/carol/etc/ipsec.conf b/testing/tests/rw-psk-fqdn/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..da5e198a8 --- /dev/null +++ b/testing/tests/rw-psk-fqdn/hosts/carol/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + authby=secret + leftnexthop=%direct + +conn home + left=PH_IP_CAROL + leftid=@carol.strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/rw-psk-fqdn/hosts/carol/etc/ipsec.secrets b/testing/tests/rw-psk-fqdn/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..db3884e57 --- /dev/null +++ b/testing/tests/rw-psk-fqdn/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,7 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +@carol.strongswan.org @moon.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL + + + + diff --git a/testing/tests/rw-psk-fqdn/hosts/moon/etc/ipsec.conf b/testing/tests/rw-psk-fqdn/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..9a894806c --- /dev/null +++ b/testing/tests/rw-psk-fqdn/hosts/moon/etc/ipsec.conf @@ -0,0 +1,22 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + authby=secret + leftnexthop=%direct + +conn rw + left=PH_IP_MOON + leftsubnet=10.1.0.0/16 + leftid=@moon.strongswan.org + leftfirewall=yes + right=%any + auto=add diff --git a/testing/tests/rw-psk-fqdn/hosts/moon/etc/ipsec.secrets b/testing/tests/rw-psk-fqdn/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..6281340ae --- /dev/null +++ b/testing/tests/rw-psk-fqdn/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,7 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +@moon.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL + + + + diff --git a/testing/tests/rw-psk-fqdn/posttest.dat b/testing/tests/rw-psk-fqdn/posttest.dat new file mode 100644 index 000000000..26848212b --- /dev/null +++ b/testing/tests/rw-psk-fqdn/posttest.dat @@ -0,0 +1,6 @@ +moon::iptables -v -n -L +carol::iptables -v -n -L +moon::ipsec stop +carol::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/rw-psk-fqdn/pretest.dat b/testing/tests/rw-psk-fqdn/pretest.dat new file mode 100644 index 000000000..dbf03f552 --- /dev/null +++ b/testing/tests/rw-psk-fqdn/pretest.dat @@ -0,0 +1,8 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +moon::rm /etc/ipsec.d/cacerts/* +carol::rm /etc/ipsec.d/cacerts/* +carol::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/rw-psk-fqdn/test.conf b/testing/tests/rw-psk-fqdn/test.conf new file mode 100644 index 000000000..9cd583b16 --- /dev/null +++ b/testing/tests/rw-psk-fqdn/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/rw-psk-ipv4/description.txt b/testing/tests/rw-psk-ipv4/description.txt new file mode 100644 index 000000000..b3a0bc192 --- /dev/null +++ b/testing/tests/rw-psk-ipv4/description.txt @@ -0,0 +1,5 @@ +The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>. The authentication is +based on <b>Preshared Keys</b> (PSK) and <b>IPv4 addresses</b> (ID_IPV4_ADDR). +<b>firewall=yes</b> automatically inserts iptables-based firewall rules that let pass +the tunneled traffic. In order to test the tunnel <b>carol</b> pings the client <b>alice</b> +behind the gateway <b>moon</b>. diff --git a/testing/tests/rw-psk-ipv4/evaltest.dat b/testing/tests/rw-psk-ipv4/evaltest.dat new file mode 100644 index 000000000..c7657801e --- /dev/null +++ b/testing/tests/rw-psk-ipv4/evaltest.dat @@ -0,0 +1,5 @@ +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/rw-psk-ipv4/hosts/carol/etc/ipsec.conf b/testing/tests/rw-psk-ipv4/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..2c0227b7a --- /dev/null +++ b/testing/tests/rw-psk-ipv4/hosts/carol/etc/ipsec.conf @@ -0,0 +1,21 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + authby=secret + leftnexthop=%direct + +conn home + left=PH_IP_CAROL + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/rw-psk-ipv4/hosts/carol/etc/ipsec.secrets b/testing/tests/rw-psk-ipv4/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..69313b289 --- /dev/null +++ b/testing/tests/rw-psk-ipv4/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,7 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +PH_IP_CAROL PH_IP_MOON : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL + + + + diff --git a/testing/tests/rw-psk-ipv4/hosts/moon/etc/ipsec.conf b/testing/tests/rw-psk-ipv4/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..a75d4e222 --- /dev/null +++ b/testing/tests/rw-psk-ipv4/hosts/moon/etc/ipsec.conf @@ -0,0 +1,21 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + authby=secret + leftnexthop=%direct + +conn rw + left=PH_IP_MOON + leftsubnet=10.1.0.0/16 + leftfirewall=yes + right=%any + auto=add diff --git a/testing/tests/rw-psk-ipv4/hosts/moon/etc/ipsec.secrets b/testing/tests/rw-psk-ipv4/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..a8e367950 --- /dev/null +++ b/testing/tests/rw-psk-ipv4/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,7 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +PH_IP_MOON %any : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL + + + + diff --git a/testing/tests/rw-psk-ipv4/posttest.dat b/testing/tests/rw-psk-ipv4/posttest.dat new file mode 100644 index 000000000..26848212b --- /dev/null +++ b/testing/tests/rw-psk-ipv4/posttest.dat @@ -0,0 +1,6 @@ +moon::iptables -v -n -L +carol::iptables -v -n -L +moon::ipsec stop +carol::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/rw-psk-ipv4/pretest.dat b/testing/tests/rw-psk-ipv4/pretest.dat new file mode 100644 index 000000000..dbf03f552 --- /dev/null +++ b/testing/tests/rw-psk-ipv4/pretest.dat @@ -0,0 +1,8 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +moon::rm /etc/ipsec.d/cacerts/* +carol::rm /etc/ipsec.d/cacerts/* +carol::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/rw-psk-ipv4/test.conf b/testing/tests/rw-psk-ipv4/test.conf new file mode 100644 index 000000000..9cd583b16 --- /dev/null +++ b/testing/tests/rw-psk-ipv4/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/rw-psk-no-policy/description.txt b/testing/tests/rw-psk-no-policy/description.txt new file mode 100644 index 000000000..0e359414f --- /dev/null +++ b/testing/tests/rw-psk-no-policy/description.txt @@ -0,0 +1,3 @@ +The roadwarrior <b>carol</b> wants to set up a connection to gateway <b>moon</b> using +<b>PSK</b>-based authentication. Since <b>moon</b> supports <b>RSASIG</b>-based +authentication only, the connection setup fails. diff --git a/testing/tests/rw-psk-no-policy/evaltest.dat b/testing/tests/rw-psk-no-policy/evaltest.dat new file mode 100644 index 000000000..a28377dbd --- /dev/null +++ b/testing/tests/rw-psk-no-policy/evaltest.dat @@ -0,0 +1,5 @@ +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::NO +moon::cat /var/log/auth.log::peer requests PSK authentication::YES +moon::cat /var/log/auth.log::but no connection has been authorized with policy=PSK::YES +moon::ipsec status::*PH_IP_CAROL STATE_QUICK_R2.*IPsec SA established::NO + diff --git a/testing/tests/rw-psk-no-policy/hosts/carol/etc/ipsec.conf b/testing/tests/rw-psk-no-policy/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..413eff762 --- /dev/null +++ b/testing/tests/rw-psk-no-policy/hosts/carol/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn home + authby=secret + left=PH_IP_CAROL + leftnexthop=%direct + leftid=carol@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/rw-psk-no-policy/hosts/carol/etc/ipsec.secrets b/testing/tests/rw-psk-no-policy/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..1b721dc58 --- /dev/null +++ b/testing/tests/rw-psk-no-policy/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,7 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL + + + + diff --git a/testing/tests/rw-psk-no-policy/hosts/moon/etc/ipsec.conf b/testing/tests/rw-psk-no-policy/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..ac63abdc9 --- /dev/null +++ b/testing/tests/rw-psk-no-policy/hosts/moon/etc/ipsec.conf @@ -0,0 +1,22 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn rw + left=PH_IP_MOON + leftnexthop=%direct + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + leftfirewall=yes + right=%any + auto=add diff --git a/testing/tests/rw-psk-no-policy/posttest.dat b/testing/tests/rw-psk-no-policy/posttest.dat new file mode 100644 index 000000000..c6d6235f9 --- /dev/null +++ b/testing/tests/rw-psk-no-policy/posttest.dat @@ -0,0 +1,2 @@ +moon::ipsec stop +carol::ipsec stop diff --git a/testing/tests/rw-psk-no-policy/pretest.dat b/testing/tests/rw-psk-no-policy/pretest.dat new file mode 100644 index 000000000..3a7804ddd --- /dev/null +++ b/testing/tests/rw-psk-no-policy/pretest.dat @@ -0,0 +1,5 @@ +carol::rm /etc/ipsec.d/cacerts/* +carol::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/rw-psk-no-policy/test.conf b/testing/tests/rw-psk-no-policy/test.conf new file mode 100644 index 000000000..f622c18b7 --- /dev/null +++ b/testing/tests/rw-psk-no-policy/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/rw-psk-rsa-mixed/description.txt b/testing/tests/rw-psk-rsa-mixed/description.txt new file mode 100644 index 000000000..b99a8e5b3 --- /dev/null +++ b/testing/tests/rw-psk-rsa-mixed/description.txt @@ -0,0 +1,5 @@ +The roadwarriors <b>carol</b> and <b>dave</b> each set up a connection to gateway <b>moon</b>. +<b>carol</b>'s authentication is based on a Pre-Shared Key (<b>PSK</b>) whereas <b>dave</b>'s +is based on an RSA signature (<b>RSASIG</b>). Gateway <b>moon</b> supports both authentication modes +and automatically selects the correct roadwarrior connection definition based on policy +information gained from pre-parsing the peers' ISAKMP proposal payload. diff --git a/testing/tests/rw-psk-rsa-mixed/evaltest.dat b/testing/tests/rw-psk-rsa-mixed/evaltest.dat new file mode 100644 index 000000000..9e1354121 --- /dev/null +++ b/testing/tests/rw-psk-rsa-mixed/evaltest.dat @@ -0,0 +1,7 @@ +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::cat /var/log/auth.log::peer requests PSK authentication::YES +moon::ipsec status::rw-psk.*PH_IP_CAROL STATE_QUICK_R2.*IPsec SA established::YES +moon::cat /var/log/auth.log::peer requests RSASIG authentication::YES +moon::ipsec status::rw-rsasig.*PH_IP_DAVE STATE_QUICK_R2.*IPsec SA established::YES + diff --git a/testing/tests/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.conf b/testing/tests/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..69e13b538 --- /dev/null +++ b/testing/tests/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.conf @@ -0,0 +1,24 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + ike=aes128,serpent128,twofish128,3des + +conn home + authby=secret + left=PH_IP_CAROL + leftnexthop=%direct + leftid=carol@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.secrets b/testing/tests/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..1b721dc58 --- /dev/null +++ b/testing/tests/rw-psk-rsa-mixed/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,7 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL + + + + diff --git a/testing/tests/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.conf b/testing/tests/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..b23248b5b --- /dev/null +++ b/testing/tests/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.conf @@ -0,0 +1,27 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_MOON + leftnexthop=%direct + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + leftfirewall=yes + right=%any + +conn rw-rsasig + authby=rsasig + leftcert=moonCert.pem + auto=add + +conn rw-psk + authby=secret + auto=add diff --git a/testing/tests/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.secrets b/testing/tests/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..fd33507a7 --- /dev/null +++ b/testing/tests/rw-psk-rsa-mixed/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,5 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL + +: RSA moonKey.pem diff --git a/testing/tests/rw-psk-rsa-mixed/posttest.dat b/testing/tests/rw-psk-rsa-mixed/posttest.dat new file mode 100644 index 000000000..ed530f6d9 --- /dev/null +++ b/testing/tests/rw-psk-rsa-mixed/posttest.dat @@ -0,0 +1,3 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop diff --git a/testing/tests/rw-psk-rsa-mixed/pretest.dat b/testing/tests/rw-psk-rsa-mixed/pretest.dat new file mode 100644 index 000000000..35797b589 --- /dev/null +++ b/testing/tests/rw-psk-rsa-mixed/pretest.dat @@ -0,0 +1,7 @@ +carol::rm /etc/ipsec.d/cacerts/* +carol::ipsec start +dave::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home +dave::ipsec up home diff --git a/testing/tests/rw-psk-rsa-mixed/test.conf b/testing/tests/rw-psk-rsa-mixed/test.conf new file mode 100644 index 000000000..699b88e88 --- /dev/null +++ b/testing/tests/rw-psk-rsa-mixed/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol dave winnetou" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/rw-rsa-no-policy/description.txt b/testing/tests/rw-rsa-no-policy/description.txt new file mode 100644 index 000000000..c3336b769 --- /dev/null +++ b/testing/tests/rw-rsa-no-policy/description.txt @@ -0,0 +1,3 @@ +The roadwarrior <b>carol</b> wants to set up a connection to gateway <b>moon</b> using +<b>RSASIG</b>-based authentication. Since <b>moon</b> supports <b>PSK</b>-based +authentication only, the connection setup fails. diff --git a/testing/tests/rw-rsa-no-policy/evaltest.dat b/testing/tests/rw-rsa-no-policy/evaltest.dat new file mode 100644 index 000000000..188b7bbb5 --- /dev/null +++ b/testing/tests/rw-rsa-no-policy/evaltest.dat @@ -0,0 +1,5 @@ +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::NO +moon::cat /var/log/auth.log::peer requests RSASIG authentication::YES +moon::cat /var/log/auth.log::but no connection has been authorized with policy=RSASIG::YES +moon::ipsec status::*PH_IP_CAROL STATE_QUICK_R2.*IPsec SA established::NO + diff --git a/testing/tests/rw-rsa-no-policy/hosts/moon/etc/ipsec.conf b/testing/tests/rw-rsa-no-policy/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..b9318c058 --- /dev/null +++ b/testing/tests/rw-rsa-no-policy/hosts/moon/etc/ipsec.conf @@ -0,0 +1,22 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn rw-psk + authby=secret + left=PH_IP_MOON + leftnexthop=%direct + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + leftfirewall=yes + right=%any + auto=add diff --git a/testing/tests/rw-rsa-no-policy/hosts/moon/etc/ipsec.secrets b/testing/tests/rw-rsa-no-policy/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..e8c151f05 --- /dev/null +++ b/testing/tests/rw-rsa-no-policy/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL diff --git a/testing/tests/rw-rsa-no-policy/posttest.dat b/testing/tests/rw-rsa-no-policy/posttest.dat new file mode 100644 index 000000000..c6d6235f9 --- /dev/null +++ b/testing/tests/rw-rsa-no-policy/posttest.dat @@ -0,0 +1,2 @@ +moon::ipsec stop +carol::ipsec stop diff --git a/testing/tests/rw-rsa-no-policy/pretest.dat b/testing/tests/rw-rsa-no-policy/pretest.dat new file mode 100644 index 000000000..0d2a0dd1f --- /dev/null +++ b/testing/tests/rw-rsa-no-policy/pretest.dat @@ -0,0 +1,5 @@ +moon::rm /etc/ipsec.d/cacerts/* +carol::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/rw-rsa-no-policy/test.conf b/testing/tests/rw-rsa-no-policy/test.conf new file mode 100644 index 000000000..f622c18b7 --- /dev/null +++ b/testing/tests/rw-rsa-no-policy/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/self-signed/description.txt b/testing/tests/self-signed/description.txt new file mode 100644 index 000000000..2d7bfc2bf --- /dev/null +++ b/testing/tests/self-signed/description.txt @@ -0,0 +1,8 @@ +Roadwarrior <b>carol</b> and gateway <b>moon</b> each generate a +PKCS#1 RSA private key and a self-signed X.509 certificate +using the <b>ipsec scepclient</b> function. Because the UML testing +environment does not offer enough entropy, the non-blocking /dev/urandom +device is used in place of /dev/random for generating the random primes. +<p> +The self-signed certificates are then distributed to the peers via scp +and are used to set up a road warrior connection initiated by <b>carol</b> diff --git a/testing/tests/self-signed/evaltest.dat b/testing/tests/self-signed/evaltest.dat new file mode 100644 index 000000000..f190d7066 --- /dev/null +++ b/testing/tests/self-signed/evaltest.dat @@ -0,0 +1,7 @@ +carol::cat /var/log/auth.log::we have a cert but are not sending it::YES +moon::cat /var/log/auth.log::we have a cert but are not sending it::YES +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::carol.*STATE_QUICK_R2.*IPsec SA established::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/self-signed/hosts/carol/etc/ipsec.conf b/testing/tests/self-signed/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..fcf7a1754 --- /dev/null +++ b/testing/tests/self-signed/hosts/carol/etc/ipsec.conf @@ -0,0 +1,27 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=0 + strictcrlpolicy=no + nocrsend=yes + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn home + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=selfCert.der + leftsendcert=never + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightcert=peerCert.der + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/self-signed/hosts/carol/etc/ipsec.secrets b/testing/tests/self-signed/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..167d743df --- /dev/null +++ b/testing/tests/self-signed/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA myKey.der diff --git a/testing/tests/self-signed/hosts/moon/etc/init.d/iptables b/testing/tests/self-signed/hosts/moon/etc/init.d/iptables new file mode 100755 index 000000000..13ad3063f --- /dev/null +++ b/testing/tests/self-signed/hosts/moon/etc/init.d/iptables @@ -0,0 +1,78 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +opts="start stop reload" + +depend() { + before net + need logger +} + +start() { + ebegin "Starting firewall" + + # enable IP forwarding + echo 1 > /proc/sys/net/ipv4/ip_forward + + # default policy is DROP + /sbin/iptables -P INPUT DROP + /sbin/iptables -P OUTPUT DROP + /sbin/iptables -P FORWARD DROP + + # allow esp + iptables -A INPUT -i eth0 -p 50 -j ACCEPT + iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT + + # allow IKE + iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT + iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + + # allow crl fetch from winnetou + iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT + iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + + # allow ssh + iptables -A INPUT -p tcp --dport 22 -j ACCEPT + iptables -A INPUT -p tcp --sport 22 -j ACCEPT + iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT + iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT + + eend $? +} + +stop() { + ebegin "Stopping firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + + if [ $a == nat ]; then + /sbin/iptables -t nat -P PREROUTING ACCEPT + /sbin/iptables -t nat -P POSTROUTING ACCEPT + /sbin/iptables -t nat -P OUTPUT ACCEPT + elif [ $a == mangle ]; then + /sbin/iptables -t mangle -P PREROUTING ACCEPT + /sbin/iptables -t mangle -P INPUT ACCEPT + /sbin/iptables -t mangle -P FORWARD ACCEPT + /sbin/iptables -t mangle -P OUTPUT ACCEPT + /sbin/iptables -t mangle -P POSTROUTING ACCEPT + elif [ $a == filter ]; then + /sbin/iptables -t filter -P INPUT ACCEPT + /sbin/iptables -t filter -P FORWARD ACCEPT + /sbin/iptables -t filter -P OUTPUT ACCEPT + fi + done + eend $? +} + +reload() { + ebegin "Flushing firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + done; + eend $? + start +} + diff --git a/testing/tests/self-signed/hosts/moon/etc/ipsec.conf b/testing/tests/self-signed/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..7d7f42b06 --- /dev/null +++ b/testing/tests/self-signed/hosts/moon/etc/ipsec.conf @@ -0,0 +1,28 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=0 + strictcrlpolicy=no + nocrsend=yes + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn carol + left=192.168.0.1 + leftnexthop=%direct + leftcert=moonCert.der + leftid=@moon.strongswan.org + leftsendcert=never + leftfirewall=yes + leftsubnet=10.1.0.0/16 + right=%any + rightcert=carolCert.der + auto=add + diff --git a/testing/tests/self-signed/hosts/moon/etc/ipsec.secrets b/testing/tests/self-signed/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..b9ec17dbc --- /dev/null +++ b/testing/tests/self-signed/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA moonKey.der diff --git a/testing/tests/self-signed/hosts/moon/etc/scepclient.conf b/testing/tests/self-signed/hosts/moon/etc/scepclient.conf new file mode 100644 index 000000000..b84f3e131 --- /dev/null +++ b/testing/tests/self-signed/hosts/moon/etc/scepclient.conf @@ -0,0 +1,6 @@ +--debug-control +--keylength 2032 +--days 1460 +--subjectAltName dns=moon.strongswan.org +--out pkcs1=moonKey.der +--out cert-self=moonCert.der diff --git a/testing/tests/self-signed/posttest.dat b/testing/tests/self-signed/posttest.dat new file mode 100644 index 000000000..52b48b9ef --- /dev/null +++ b/testing/tests/self-signed/posttest.dat @@ -0,0 +1,10 @@ +moon::iptables -v -n -L +carol::iptables -v -n -L +moon::ipsec stop +carol::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +carol::rm /etc/ipsec.d/private/* +carol::rm /etc/ipsec.d/certs/* +moon::rm /etc/ipsec.d/private/* +moon::rm /etc/ipsec.d/certs/* diff --git a/testing/tests/self-signed/pretest.dat b/testing/tests/self-signed/pretest.dat new file mode 100644 index 000000000..a7cddf677 --- /dev/null +++ b/testing/tests/self-signed/pretest.dat @@ -0,0 +1,17 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +carol::rm /etc/ipsec.d/private/* +carol::rm /etc/ipsec.d/certs/* +carol::rm /etc/ipsec.d/cacerts/* +carol::ipsec scepclient --out pkcs1 --out cert-self +moon::rm /etc/ipsec.d/private/* +moon::rm /etc/ipsec.d/certs/* +moon::rm /etc/ipsec.d/cacerts/* +moon::cat /etc/scepclient.conf +moon::ipsec scepclient --dn \"C=CH, O=Linux strongSwan, CN=moon.strongswan.org\" --optionsfrom /etc/scepclient.conf +moon::scp carol:/etc/ipsec.d/certs/selfCert.der /etc/ipsec.d/certs/carolCert.der +moon::scp /etc/ipsec.d/certs/moonCert.der carol:/etc/ipsec.d/certs/peerCert.der +carol::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/self-signed/test.conf b/testing/tests/self-signed/test.conf new file mode 100644 index 000000000..0baa48d90 --- /dev/null +++ b/testing/tests/self-signed/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol" + +# Corresponding block diagram +# +DIAGRAM="a-m-c.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/starter-also-loop/description.txt b/testing/tests/starter-also-loop/description.txt new file mode 100644 index 000000000..7451f4e12 --- /dev/null +++ b/testing/tests/starter-also-loop/description.txt @@ -0,0 +1,4 @@ +This scenario is the same as test <b><a href="../rw-cert">rw-cert</a></b> but +uses the <b>also</b> parameter in <b>moon</b>'s ipsec.conf in order to define +the connections in a modular form. A closed also loop created by including +<b>conn host-host</b> in <b>conn moon</b> is successfully detected. diff --git a/testing/tests/starter-also-loop/evaltest.dat b/testing/tests/starter-also-loop/evaltest.dat new file mode 100644 index 000000000..161772f8e --- /dev/null +++ b/testing/tests/starter-also-loop/evaltest.dat @@ -0,0 +1,3 @@ +moon::cat /var/log/auth.log::detected also loop::YES +moon::cat /var/log/auth.log::errors in config::YES + diff --git a/testing/tests/starter-also-loop/hosts/moon/etc/ipsec.conf b/testing/tests/starter-also-loop/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..e1d210253 --- /dev/null +++ b/testing/tests/starter-also-loop/hosts/moon/etc/ipsec.conf @@ -0,0 +1,48 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn net-net + also=host-host + also=moon-net + also=sun-net + +conn host-host + also=moon + also=sun + auto=add + +conn rw + right=%any + also=moon + also=moon-net + auto=add + +conn moon + left=192.168.0.1 + leftnexthop=%direct + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftfirewall=yes + also=host-host + +conn moon-net + leftsubnet=10.1.0.0/16 + +conn sun + right=192.168.0.2 + rightid=@sun.strongswan.org + +conn sun-net + rightsubnet=10.2.0.0/16 diff --git a/testing/tests/starter-also-loop/posttest.dat b/testing/tests/starter-also-loop/posttest.dat new file mode 100644 index 000000000..e69de29bb --- /dev/null +++ b/testing/tests/starter-also-loop/posttest.dat diff --git a/testing/tests/starter-also-loop/pretest.dat b/testing/tests/starter-also-loop/pretest.dat new file mode 100644 index 000000000..aa46124dc --- /dev/null +++ b/testing/tests/starter-also-loop/pretest.dat @@ -0,0 +1 @@ +moon::ipsec start --debug-all diff --git a/testing/tests/starter-also-loop/test.conf b/testing/tests/starter-also-loop/test.conf new file mode 100644 index 000000000..e7735308f --- /dev/null +++ b/testing/tests/starter-also-loop/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon" diff --git a/testing/tests/starter-also/description.txt b/testing/tests/starter-also/description.txt new file mode 100644 index 000000000..3d4ff7dbf --- /dev/null +++ b/testing/tests/starter-also/description.txt @@ -0,0 +1,3 @@ +This scenario is the same as test <b><a href="../rw-cert">rw-cert</a></b> but +uses the <b>also</b> parameter in <b>moon</b>'s ipsec.conf in order to define +the connections in a modular form. diff --git a/testing/tests/starter-also/evaltest.dat b/testing/tests/starter-also/evaltest.dat new file mode 100644 index 000000000..c7657801e --- /dev/null +++ b/testing/tests/starter-also/evaltest.dat @@ -0,0 +1,5 @@ +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES diff --git a/testing/tests/starter-also/hosts/moon/etc/ipsec.conf b/testing/tests/starter-also/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..74d009cfa --- /dev/null +++ b/testing/tests/starter-also/hosts/moon/etc/ipsec.conf @@ -0,0 +1,47 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn net-net + also=host-host + also=moon-net + also=sun-net + +conn host-host + also=moon + also=sun + auto=add + +conn rw + right=%any + also=moon + also=moon-net + auto=add + +conn moon + left=192.168.0.1 + leftnexthop=%direct + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftfirewall=yes + +conn moon-net + leftsubnet=10.1.0.0/16 + +conn sun + right=192.168.0.2 + rightid=@sun.strongswan.org + +conn sun-net + rightsubnet=10.2.0.0/16 diff --git a/testing/tests/starter-also/posttest.dat b/testing/tests/starter-also/posttest.dat new file mode 100644 index 000000000..26848212b --- /dev/null +++ b/testing/tests/starter-also/posttest.dat @@ -0,0 +1,6 @@ +moon::iptables -v -n -L +carol::iptables -v -n -L +moon::ipsec stop +carol::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/starter-also/pretest.dat b/testing/tests/starter-also/pretest.dat new file mode 100644 index 000000000..4f96e61df --- /dev/null +++ b/testing/tests/starter-also/pretest.dat @@ -0,0 +1,6 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +carol::ipsec start +moon::ipsec start --debug-all +sleep 2 +carol::ipsec up home diff --git a/testing/tests/starter-also/test.conf b/testing/tests/starter-also/test.conf new file mode 100644 index 000000000..9cd583b16 --- /dev/null +++ b/testing/tests/starter-also/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/starter-includes/description.txt b/testing/tests/starter-includes/description.txt new file mode 100644 index 000000000..6a05c0cca --- /dev/null +++ b/testing/tests/starter-includes/description.txt @@ -0,0 +1,6 @@ +This test is based on the <a href="../mode-config">mode-config</a> +scenario and demonstrates the multiple use of the <b>include</b> +parameter in IPsec configuration files. At the top level <b>/etc/ipsec.conf</b> +defines the config setup section and includes <b>/etc/ipsec.connections</b> +which in turn includes <b>/etc/ipsec.host</b> and <b>/etc/ipsec.peers/*</b> +thereby showing the use of wildcards in path definitions. diff --git a/testing/tests/starter-includes/evaltest.dat b/testing/tests/starter-includes/evaltest.dat new file mode 100644 index 000000000..be8ca6ef5 --- /dev/null +++ b/testing/tests/starter-includes/evaltest.dat @@ -0,0 +1,16 @@ +carol::cat /var/log/auth.log::setting virtual IP source address to 10.3.0.1::YES +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +dave::cat /var/log/auth.log::setting virtual IP source address to 10.3.0.2::YES +dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon::ipsec status::rw-carol.*STATE_QUICK_R2.*IPsec SA established::YES +moon::ipsec status::rw-dave.*STATE_QUICK_R2.*IPsec SA established::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES +alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: icmp::YES +alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: icmp::YES +alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: icmp::YES +alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: icmp::YES diff --git a/testing/tests/starter-includes/hosts/carol/etc/ipsec.conf b/testing/tests/starter-includes/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..598997b45 --- /dev/null +++ b/testing/tests/starter-includes/hosts/carol/etc/ipsec.conf @@ -0,0 +1,30 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn home + left=PH_IP_CAROL + leftsourceip=%modeconfig + leftnexthop=%direct + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add + + + + diff --git a/testing/tests/starter-includes/hosts/dave/etc/ipsec.conf b/testing/tests/starter-includes/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..da601389c --- /dev/null +++ b/testing/tests/starter-includes/hosts/dave/etc/ipsec.conf @@ -0,0 +1,30 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn home + left=PH_IP_DAVE + leftsourceip=%modeconfig + leftnexthop=%direct + leftcert=daveCert.pem + leftid=dave@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add + + + + diff --git a/testing/tests/starter-includes/hosts/moon/etc/ipsec.conf b/testing/tests/starter-includes/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..aa9116252 --- /dev/null +++ b/testing/tests/starter-includes/hosts/moon/etc/ipsec.conf @@ -0,0 +1,10 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +include /etc/ipsec.connections diff --git a/testing/tests/starter-includes/hosts/moon/etc/ipsec.connections b/testing/tests/starter-includes/hosts/moon/etc/ipsec.connections new file mode 100644 index 000000000..7cd938628 --- /dev/null +++ b/testing/tests/starter-includes/hosts/moon/etc/ipsec.connections @@ -0,0 +1,12 @@ +# /etc/ipsec.connections - connection definitions + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +include /etc/ipsec.host + +include /etc/ipsec.peers/* + diff --git a/testing/tests/starter-includes/hosts/moon/etc/ipsec.host b/testing/tests/starter-includes/hosts/moon/etc/ipsec.host new file mode 100755 index 000000000..e84e5cdc6 --- /dev/null +++ b/testing/tests/starter-includes/hosts/moon/etc/ipsec.host @@ -0,0 +1,11 @@ +# /etc/ipsec.host - my host configuration + +conn %default + left=PH_IP_MOON + leftsubnet=10.1.0.0/16 + leftsourceip=PH_IP1_MOON + leftnexthop=%direct + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftfirewall=yes + diff --git a/testing/tests/starter-includes/hosts/moon/etc/ipsec.peers/ipsec.carol b/testing/tests/starter-includes/hosts/moon/etc/ipsec.peers/ipsec.carol new file mode 100644 index 000000000..9212a9e96 --- /dev/null +++ b/testing/tests/starter-includes/hosts/moon/etc/ipsec.peers/ipsec.carol @@ -0,0 +1,8 @@ +# /etc/ipsec.peers/ipsec.carol - connection from carol + +conn rw-carol + right=%any + rightid=carol@strongswan.org + rightsourceip=PH_IP1_CAROL + auto=add + diff --git a/testing/tests/starter-includes/hosts/moon/etc/ipsec.peers/ipsec.dave b/testing/tests/starter-includes/hosts/moon/etc/ipsec.peers/ipsec.dave new file mode 100644 index 000000000..482d15a21 --- /dev/null +++ b/testing/tests/starter-includes/hosts/moon/etc/ipsec.peers/ipsec.dave @@ -0,0 +1,8 @@ +# /etc/ipsec.peers/ipsec.dave - connection from dave + +conn rw-dave + right=%any + rightid=dave@strongswan.org + rightsourceip=PH_IP1_DAVE + auto=add + diff --git a/testing/tests/starter-includes/posttest.dat b/testing/tests/starter-includes/posttest.dat new file mode 100644 index 000000000..121aa8aea --- /dev/null +++ b/testing/tests/starter-includes/posttest.dat @@ -0,0 +1,13 @@ +moon::iptables -v -n -L +carol::iptables -v -n -L +dave::iptables -v -n -L +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +dave::/etc/init.d/iptables stop 2> /dev/null +carol::ip addr del PH_IP1_CAROL/32 dev eth0 +dave::ip addr del PH_IP1_DAVE/32 dev eth0 +moon::rm /etc/ipsec.connections /etc/ipsec.host +moon::rm -r /etc/ipsec.peers diff --git a/testing/tests/starter-includes/pretest.dat b/testing/tests/starter-includes/pretest.dat new file mode 100644 index 000000000..0af79a6d2 --- /dev/null +++ b/testing/tests/starter-includes/pretest.dat @@ -0,0 +1,10 @@ +moon::cat /etc/ipsec.connections /etc/ipsec.host /etc/ipsec.peers/* +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +dave::/etc/init.d/iptables start 2> /dev/null +carol::ipsec start +dave::ipsec start +moon::ipsec start --debug-all +carol::sleep 2 +carol::ipsec up home +dave::ipsec up home diff --git a/testing/tests/starter-includes/test.conf b/testing/tests/starter-includes/test.conf new file mode 100644 index 000000000..1a8f2a4e0 --- /dev/null +++ b/testing/tests/starter-includes/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon alice" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/virtual-ip-swapped/description.txt b/testing/tests/virtual-ip-swapped/description.txt new file mode 100644 index 000000000..230906c5d --- /dev/null +++ b/testing/tests/virtual-ip-swapped/description.txt @@ -0,0 +1,3 @@ +Same scenario as test <a href="../virtual-ip/"><b>virtual-ip</b></a> but with +swapped end definitions: <b>right</b> denotes the <b>local</b> side whereas +<b>left</b> stands for the <b>remote</b> peer. diff --git a/testing/tests/virtual-ip-swapped/evaltest.dat b/testing/tests/virtual-ip-swapped/evaltest.dat new file mode 100644 index 000000000..5160a340f --- /dev/null +++ b/testing/tests/virtual-ip-swapped/evaltest.dat @@ -0,0 +1,9 @@ +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +carol::ping -c 1 PH_IP1_MOON::64 bytes from PH_IP1_MOON: icmp_seq=1::YES +moon::ping -c 1 PH_IP1_CAROL::64 bytes from PH_IP1_CAROL: icmp_seq=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: icmp::YES +alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: icmp::YES diff --git a/testing/tests/virtual-ip-swapped/hosts/carol/etc/ipsec.conf b/testing/tests/virtual-ip-swapped/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..0e239b707 --- /dev/null +++ b/testing/tests/virtual-ip-swapped/hosts/carol/etc/ipsec.conf @@ -0,0 +1,30 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn home + right=PH_IP_CAROL + rightsourceip=PH_IP1_CAROL + rightnexthop=%direct + rightcert=carolCert.pem + rightid=carol@strongswan.org + rightfirewall=yes + left=PH_IP_MOON + leftsubnet=10.1.0.0/16 + leftid=@moon.strongswan.org + auto=add + + + + diff --git a/testing/tests/virtual-ip-swapped/hosts/moon/etc/ipsec.conf b/testing/tests/virtual-ip-swapped/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..db6effbac --- /dev/null +++ b/testing/tests/virtual-ip-swapped/hosts/moon/etc/ipsec.conf @@ -0,0 +1,26 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn rw + right=PH_IP_MOON + rightsourceip=PH_IP1_MOON + rightnexthop=%direct + rightcert=moonCert.pem + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + rightfirewall=yes + leftsubnetwithin=10.3.0.0/16 + left=%any + auto=add diff --git a/testing/tests/virtual-ip-swapped/posttest.dat b/testing/tests/virtual-ip-swapped/posttest.dat new file mode 100644 index 000000000..ac5c7dd82 --- /dev/null +++ b/testing/tests/virtual-ip-swapped/posttest.dat @@ -0,0 +1,7 @@ +moon::iptables -v -n -L +carol::iptables -v -n -L +moon::ipsec stop +carol::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +carol::ip addr del PH_IP1_CAROL/32 dev eth0 diff --git a/testing/tests/virtual-ip-swapped/pretest.dat b/testing/tests/virtual-ip-swapped/pretest.dat new file mode 100644 index 000000000..4fe0ee90b --- /dev/null +++ b/testing/tests/virtual-ip-swapped/pretest.dat @@ -0,0 +1,6 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +carol::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/virtual-ip-swapped/test.conf b/testing/tests/virtual-ip-swapped/test.conf new file mode 100644 index 000000000..f106524e2 --- /dev/null +++ b/testing/tests/virtual-ip-swapped/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon alice" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/virtual-ip/description.txt b/testing/tests/virtual-ip/description.txt new file mode 100644 index 000000000..4ec6021ea --- /dev/null +++ b/testing/tests/virtual-ip/description.txt @@ -0,0 +1,8 @@ +The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>. Both <b>carol</b> +and <b>moon</b> define a static virtual IP using the <b>leftsourceip</b> parameter. +<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass +the tunneled traffic. In order to test the tunnel, <b>carol</b> pings the client <b>alice</b> +behind the gateway <b>moon</b> as well as the inner interface of the gateway. The source IP +of the two pings will be the virtual IP <b>carol1</b>. Also thanks to its virtual IP <b>moon1</b> +the gateway <b>moon</b> is able to ping <b>carol1</b> by using the existing subnet-subnet IPsec +tunnel. diff --git a/testing/tests/virtual-ip/evaltest.dat b/testing/tests/virtual-ip/evaltest.dat new file mode 100644 index 000000000..5160a340f --- /dev/null +++ b/testing/tests/virtual-ip/evaltest.dat @@ -0,0 +1,9 @@ +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +carol::ping -c 1 PH_IP1_MOON::64 bytes from PH_IP1_MOON: icmp_seq=1::YES +moon::ping -c 1 PH_IP1_CAROL::64 bytes from PH_IP1_CAROL: icmp_seq=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: icmp::YES +alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: icmp::YES diff --git a/testing/tests/virtual-ip/hosts/carol/etc/ipsec.conf b/testing/tests/virtual-ip/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..2f1170a6b --- /dev/null +++ b/testing/tests/virtual-ip/hosts/carol/etc/ipsec.conf @@ -0,0 +1,30 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn home + left=PH_IP_CAROL + leftsourceip=PH_IP1_CAROL + leftnexthop=%direct + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add + + + + diff --git a/testing/tests/virtual-ip/hosts/moon/etc/ipsec.conf b/testing/tests/virtual-ip/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..1cd8aab25 --- /dev/null +++ b/testing/tests/virtual-ip/hosts/moon/etc/ipsec.conf @@ -0,0 +1,26 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn rw + left=PH_IP_MOON + leftsourceip=PH_IP1_MOON + leftnexthop=%direct + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + leftfirewall=yes + rightsubnetwithin=10.3.0.0/16 + right=%any + auto=add diff --git a/testing/tests/virtual-ip/posttest.dat b/testing/tests/virtual-ip/posttest.dat new file mode 100644 index 000000000..ac5c7dd82 --- /dev/null +++ b/testing/tests/virtual-ip/posttest.dat @@ -0,0 +1,7 @@ +moon::iptables -v -n -L +carol::iptables -v -n -L +moon::ipsec stop +carol::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +carol::ip addr del PH_IP1_CAROL/32 dev eth0 diff --git a/testing/tests/virtual-ip/pretest.dat b/testing/tests/virtual-ip/pretest.dat new file mode 100644 index 000000000..4fe0ee90b --- /dev/null +++ b/testing/tests/virtual-ip/pretest.dat @@ -0,0 +1,6 @@ +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +carol::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/virtual-ip/test.conf b/testing/tests/virtual-ip/test.conf new file mode 100644 index 000000000..f106524e2 --- /dev/null +++ b/testing/tests/virtual-ip/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon alice" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/wildcards/description.txt b/testing/tests/wildcards/description.txt new file mode 100644 index 000000000..e485f7066 --- /dev/null +++ b/testing/tests/wildcards/description.txt @@ -0,0 +1,8 @@ +The VPN gateway <b>moon</b> controls the access to the hosts <b>alice</b> and +<b>venus</b> by means of wildcard parameters that must match the subject +<b>Distinguished Name</b> contained in the peer's X.509 certificate. Access to +<b>alice</b> is granted for DNs containing a OU=Research field whereas <b>venus</b> +can only be reached with a DN containing OU=Accounting. The roadwarriors +<b>carol</b> and <b>dave</b> belong to the departments 'Research' and 'Accounting', +respectively. Therefore <b>carol</b> can access <b>alice</b> and <b>dave</b> +can reach <b>venus</b>. diff --git a/testing/tests/wildcards/evaltest.dat b/testing/tests/wildcards/evaltest.dat new file mode 100644 index 000000000..cbc94b75a --- /dev/null +++ b/testing/tests/wildcards/evaltest.dat @@ -0,0 +1,8 @@ +carol::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::alice.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::YES +carol::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::NO +moon::ipsec status::venus.*PH_IP_CAROL.*STATE_QUICK_R2.*IPsec SA established::NO +dave::ipsec status::venus.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::venus.*PH_IP_DAVE.*STATE_QUICK_R2.*IPsec SA established::YES +dave::ipsec status::alice.*STATE_QUICK_I2.*IPsec SA established::NO +moon::ipsec status::alice.*PH_IP_DAVE.*STATE_QUICK_R2.*IPsec SA established::NO diff --git a/testing/tests/wildcards/hosts/carol/etc/ipsec.conf b/testing/tests/wildcards/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..de179c565 --- /dev/null +++ b/testing/tests/wildcards/hosts/carol/etc/ipsec.conf @@ -0,0 +1,32 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolCert.pem + right=PH_IP_MOON + rightid=@moon.strongswan.org + +conn alice + rightsubnet=PH_IP_ALICE/32 + auto=add + +conn venus + rightsubnet=PH_IP_VENUS/32 + auto=add + + + + + diff --git a/testing/tests/wildcards/hosts/dave/etc/ipsec.conf b/testing/tests/wildcards/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..2fb6a301e --- /dev/null +++ b/testing/tests/wildcards/hosts/dave/etc/ipsec.conf @@ -0,0 +1,32 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_DAVE + leftnexthop=%direct + leftcert=daveCert.pem + right=PH_IP_MOON + rightid=@moon.strongswan.org + +conn alice + rightsubnet=PH_IP_ALICE/32 + auto=add + +conn venus + rightsubnet=PH_IP_VENUS/32 + auto=add + + + + + diff --git a/testing/tests/wildcards/hosts/moon/etc/ipsec.conf b/testing/tests/wildcards/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..ee7bc8115 --- /dev/null +++ b/testing/tests/wildcards/hosts/moon/etc/ipsec.conf @@ -0,0 +1,31 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + left=PH_IP_MOON + leftnexthop=%direct + leftcert=moonCert.pem + leftid=@moon.strongswan.org + +conn alice + leftsubnet=PH_IP_ALICE/32 + right=%any + rightid="C=CH, O=Linux strongSwan, OU=Research, CN=*" + auto=add + +conn venus + leftsubnet=PH_IP_VENUS/32 + right=%any + rightid="C=CH, O=Linux strongSwan, OU=Accounting, CN=*" + auto=add + diff --git a/testing/tests/wildcards/posttest.dat b/testing/tests/wildcards/posttest.dat new file mode 100644 index 000000000..ed530f6d9 --- /dev/null +++ b/testing/tests/wildcards/posttest.dat @@ -0,0 +1,3 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop diff --git a/testing/tests/wildcards/pretest.dat b/testing/tests/wildcards/pretest.dat new file mode 100644 index 000000000..67c50c2ef --- /dev/null +++ b/testing/tests/wildcards/pretest.dat @@ -0,0 +1,9 @@ +moon::echo 1 > /proc/sys/net/ipv4/ip_forward +carol::ipsec start +dave::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up alice +carol::ipsec up venus +dave::ipsec up venus +dave::ipsec up alice diff --git a/testing/tests/wildcards/test.conf b/testing/tests/wildcards/test.conf new file mode 100644 index 000000000..08e5cc145 --- /dev/null +++ b/testing/tests/wildcards/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice venus moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-v-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/wlan/description.txt b/testing/tests/wlan/description.txt new file mode 100644 index 000000000..e018148bd --- /dev/null +++ b/testing/tests/wlan/description.txt @@ -0,0 +1,15 @@ +The WLAN clients <b>alice</b> and <b>venus</b> secure all their wireless traffic +by setting up an IPsec tunnel to gateway <b>moon</b>. The VPN network mask is +<b>0.0.0.0/0</b>. Traffic with destination outside the protected 10.1.0.0/10 network +is NAT-ed by router <b>moon</b>. The IPsec connections are tested by pings from +<b>alice</b> to <b>venus</b> tunneled via <b>moon</b> and to both the internal +and external interface of gateway <b>moon</b>. Access to the gateway is +set up by <b>lefthostaccess=yes</b> in conjunction with <b>leftfirewall=yes</b>. +At last <b>alice</b> and <b>venus</b> ping the external host <b>sun</b> via the NAT router. +<p> +The host system controls the UML instances <b>alice</b> and <b>carol</b> via +ssh commands sent over the virtual <b>tap1</b> interface. In order to keep up +the control flow in the presence of the all-encompassing 0.0.0.0/0 tunnel +to the gateway <b>moon</b> an auxiliary <b>passthrough</b> eroute restricted +to the ssh port is statically set up by <b>conn system</b>. + diff --git a/testing/tests/wlan/evaltest.dat b/testing/tests/wlan/evaltest.dat new file mode 100644 index 000000000..ccf5d0c8a --- /dev/null +++ b/testing/tests/wlan/evaltest.dat @@ -0,0 +1,11 @@ +alice::ipsec status::wlan.*STATE_QUICK_I2.*IPsec SA established::YES +venus::ipsec status::wlan.*STATE_QUICK_I2.*IPsec SA established::YES +moon::ipsec status::alice.*STATE_QUICK_R2.*IPsec SA established::YES +moon::ipsec status::venus.*STATE_QUICK_R2.*IPsec SA established::YES +alice::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES +alice::ping -c 1 PH_IP1_MOON::64 bytes from PH_IP1_MOON: icmp_seq=1::YES +alice::ping -c 1 PH_IP_MOON::64 bytes from PH_IP_MOON: icmp_seq=1::YES +alice::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_seq=1::YES +venus::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_seq=1::YES +moon::tcpdump::ESP::YES +sun::tcpdump::icmp::YES diff --git a/testing/tests/wlan/hosts/alice/etc/init.d/iptables b/testing/tests/wlan/hosts/alice/etc/init.d/iptables new file mode 100755 index 000000000..86a76e2db --- /dev/null +++ b/testing/tests/wlan/hosts/alice/etc/init.d/iptables @@ -0,0 +1,73 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +opts="start stop reload" + +depend() { + before net + need logger +} + +start() { + ebegin "Starting firewall" + + # default policy is DROP + /sbin/iptables -P INPUT DROP + /sbin/iptables -P OUTPUT DROP + /sbin/iptables -P FORWARD DROP + + # allow esp + iptables -A INPUT -i eth0 -p 50 -j ACCEPT + iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT + + # allow IKE + iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT + iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + + # allow crl fetch from winnetou + iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT + iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + + # allow ssh + iptables -A INPUT -p tcp --dport 22 -j ACCEPT + iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT + + eend $? +} + +stop() { + ebegin "Stopping firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + + if [ $a == nat ]; then + /sbin/iptables -t nat -P PREROUTING ACCEPT + /sbin/iptables -t nat -P POSTROUTING ACCEPT + /sbin/iptables -t nat -P OUTPUT ACCEPT + elif [ $a == mangle ]; then + /sbin/iptables -t mangle -P PREROUTING ACCEPT + /sbin/iptables -t mangle -P INPUT ACCEPT + /sbin/iptables -t mangle -P FORWARD ACCEPT + /sbin/iptables -t mangle -P OUTPUT ACCEPT + /sbin/iptables -t mangle -P POSTROUTING ACCEPT + elif [ $a == filter ]; then + /sbin/iptables -t filter -P INPUT ACCEPT + /sbin/iptables -t filter -P FORWARD ACCEPT + /sbin/iptables -t filter -P OUTPUT ACCEPT + fi + done + eend $? +} + +reload() { + ebegin "Flushing firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + done; + eend $? + start +} + diff --git a/testing/tests/wlan/hosts/alice/etc/ipsec.conf b/testing/tests/wlan/hosts/alice/etc/ipsec.conf new file mode 100755 index 000000000..a658e4fe8 --- /dev/null +++ b/testing/tests/wlan/hosts/alice/etc/ipsec.conf @@ -0,0 +1,37 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + nat_traversal=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn system + left=PH_IP_ALICE + leftprotoport=tcp/ssh + leftnexthop=%direct + authby=never + type=passthrough + right=10.1.0.254 + rightprotoport=tcp + auto=route + +conn wlan + left=PH_IP_ALICE + leftnexthop=%direct + leftcert=aliceCert.pem + leftid=alice@strongswan.org + leftfirewall=yes + right=PH_IP1_MOON + rightid=@moon.strongswan.org + rightsubnet=0.0.0.0/0 + auto=add + diff --git a/testing/tests/wlan/hosts/moon/etc/init.d/iptables b/testing/tests/wlan/hosts/moon/etc/init.d/iptables new file mode 100755 index 000000000..e95ef44c6 --- /dev/null +++ b/testing/tests/wlan/hosts/moon/etc/init.d/iptables @@ -0,0 +1,82 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +opts="start stop reload" + +depend() { + before net + need logger +} + +start() { + ebegin "Starting firewall" + + # enable IP forwarding + echo 1 > /proc/sys/net/ipv4/ip_forward + + # default policy is DROP + /sbin/iptables -P INPUT DROP + /sbin/iptables -P OUTPUT DROP + /sbin/iptables -P FORWARD DROP + + # allow esp + iptables -A INPUT -i eth1 -p 50 -j ACCEPT + iptables -A OUTPUT -o eth1 -p 50 -j ACCEPT + + # allow IKE + iptables -A INPUT -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT + iptables -A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT + + # allow crl fetch from winnetou + iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT + iptables -A FORWARD -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT + iptables -A FORWARD -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + + # allow ssh + iptables -A INPUT -p tcp --dport 22 -j ACCEPT + iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT + + # enable SNAT + iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p icmp -j SNAT --to-source PH_IP_MOON + iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source PH_IP_MOON:2000-2100 + + eend $? +} + +stop() { + ebegin "Stopping firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + + if [ $a == nat ]; then + /sbin/iptables -t nat -P PREROUTING ACCEPT + /sbin/iptables -t nat -P POSTROUTING ACCEPT + /sbin/iptables -t nat -P OUTPUT ACCEPT + elif [ $a == mangle ]; then + /sbin/iptables -t mangle -P PREROUTING ACCEPT + /sbin/iptables -t mangle -P INPUT ACCEPT + /sbin/iptables -t mangle -P FORWARD ACCEPT + /sbin/iptables -t mangle -P OUTPUT ACCEPT + /sbin/iptables -t mangle -P POSTROUTING ACCEPT + elif [ $a == filter ]; then + /sbin/iptables -t filter -P INPUT ACCEPT + /sbin/iptables -t filter -P FORWARD ACCEPT + /sbin/iptables -t filter -P OUTPUT ACCEPT + fi + done + eend $? +} + +reload() { + ebegin "Flushing firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + done; + eend $? + start +} + diff --git a/testing/tests/wlan/hosts/moon/etc/ipsec.conf b/testing/tests/wlan/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..f873479e8 --- /dev/null +++ b/testing/tests/wlan/hosts/moon/etc/ipsec.conf @@ -0,0 +1,37 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + nat_traversal=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn alice + right=PH_IP_ALICE + rightid=alice@strongswan.org + also=wlan + auto=add + +conn venus + right=PH_IP_VENUS + rightid=@venus.strongswan.org + also=wlan + auto=add + +conn wlan + left=PH_IP1_MOON + leftnexthop=%direct + leftsubnet=0.0.0.0/0 + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftfirewall=yes + lefthostaccess=yes + diff --git a/testing/tests/wlan/hosts/venus/etc/init.d/iptables b/testing/tests/wlan/hosts/venus/etc/init.d/iptables new file mode 100755 index 000000000..6f95e7576 --- /dev/null +++ b/testing/tests/wlan/hosts/venus/etc/init.d/iptables @@ -0,0 +1,73 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +opts="start stop reload" + +depend() { + before net + need logger +} + +start() { + ebegin "Starting firewall" + + # default policy is DROP + /sbin/iptables -P INPUT DROP + /sbin/iptables -P OUTPUT DROP + /sbin/iptables -P FORWARD DROP + + # allow esp + iptables -A INPUT -i eth0 -p 50 -j ACCEPT + iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT + + # allow IKE + iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT + iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + + # allow crl fetch from winnetou + iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT + iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + + # allow ssh + iptables -A INPUT -p tcp --dport 22 -j ACCEPT + iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT + + eend $? +} + +stop() { + ebegin "Stopping firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + + if [ $a == nat ]; then + /sbin/iptables -t nat -P PREROUTING ACCEPT + /sbin/iptables -t nat -P POSTROUTING ACCEPT + /sbin/iptables -t nat -P OUTPUT ACCEPT + elif [ $a == mangle ]; then + /sbin/iptables -t mangle -P PREROUTING ACCEPT + /sbin/iptables -t mangle -P INPUT ACCEPT + /sbin/iptables -t mangle -P FORWARD ACCEPT + /sbin/iptables -t mangle -P OUTPUT ACCEPT + /sbin/iptables -t mangle -P POSTROUTING ACCEPT + elif [ $a == filter ]; then + /sbin/iptables -t filter -P INPUT ACCEPT + /sbin/iptables -t filter -P FORWARD ACCEPT + /sbin/iptables -t filter -P OUTPUT ACCEPT + fi + done + eend $? +} + +reload() { + ebegin "Flushing firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + done; + eend $? + start +} + diff --git a/testing/tests/wlan/hosts/venus/etc/ipsec.conf b/testing/tests/wlan/hosts/venus/etc/ipsec.conf new file mode 100755 index 000000000..742c1dbce --- /dev/null +++ b/testing/tests/wlan/hosts/venus/etc/ipsec.conf @@ -0,0 +1,37 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=no + nat_traversal=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + +conn system + left=PH_IP_VENUS + leftprotoport=tcp/ssh + leftnexthop=%direct + authby=never + type=passthrough + right=10.1.0.254 + rightprotoport=tcp + auto=route + +conn wlan + left=PH_IP_VENUS + leftnexthop=%direct + leftcert=venusCert.pem + leftid=@venus.strongswan.org + leftfirewall=yes + right=PH_IP1_MOON + rightid=@moon.strongswan.org + rightsubnet=0.0.0.0/0 + auto=add + diff --git a/testing/tests/wlan/posttest.dat b/testing/tests/wlan/posttest.dat new file mode 100644 index 000000000..cc873d1ff --- /dev/null +++ b/testing/tests/wlan/posttest.dat @@ -0,0 +1,10 @@ +alice::iptables -v -n -L +venus::iptables -v -n -L +moon::iptables -t nat -v -n -L POSTROUTING +moon::iptables -v -n -L +moon::ipsec stop +alice::ipsec stop +venus::ipsec stop +alice::/etc/init.d/iptables stop 2> /dev/null +venus::/etc/init.d/iptables stop 2> /dev/null +moon::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/wlan/pretest.dat b/testing/tests/wlan/pretest.dat new file mode 100644 index 000000000..de4a6ad31 --- /dev/null +++ b/testing/tests/wlan/pretest.dat @@ -0,0 +1,11 @@ +moon::/etc/init.d/iptables start 2> /dev/null +alice::/etc/init.d/iptables start 2> /dev/null +venus::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +alice::ipsec start +venus::ipsec start +alice::sleep 2 +alice::ipsec up wlan +venus::sleep 2 +venus::ipsec up wlan +venus::sleep 2 diff --git a/testing/tests/wlan/test.conf b/testing/tests/wlan/test.conf new file mode 100644 index 000000000..b141c4f1b --- /dev/null +++ b/testing/tests/wlan/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice venus moon winnetou sun" + +# Corresponding block diagram +# +DIAGRAM="a-v-m-w-s-b.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon:eth1 sun" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="alice venus moon" |