From aa0f5b38aec14428b4b80e06f90ff781f8bca5f1 Mon Sep 17 00:00:00 2001 From: Rene Mayrhofer Date: Mon, 22 May 2006 05:12:18 +0000 Subject: Import initial strongswan 2.7.0 version into SVN. --- testing/tests/crl-ldap/description.txt | 9 +++ testing/tests/crl-ldap/evaltest.dat | 16 +++++ .../tests/crl-ldap/hosts/carol/etc/init.d/iptables | 73 ++++++++++++++++++++ testing/tests/crl-ldap/hosts/carol/etc/ipsec.conf | 31 +++++++++ .../5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl | Bin 0 -> 560 bytes .../tests/crl-ldap/hosts/moon/etc/init.d/iptables | 76 +++++++++++++++++++++ testing/tests/crl-ldap/hosts/moon/etc/ipsec.conf | 42 ++++++++++++ .../5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl | Bin 0 -> 560 bytes testing/tests/crl-ldap/posttest.dat | 9 +++ testing/tests/crl-ldap/pretest.dat | 7 ++ testing/tests/crl-ldap/test.conf | 21 ++++++ 11 files changed, 284 insertions(+) create mode 100644 testing/tests/crl-ldap/description.txt create mode 100644 testing/tests/crl-ldap/evaltest.dat create mode 100755 testing/tests/crl-ldap/hosts/carol/etc/init.d/iptables create mode 100755 testing/tests/crl-ldap/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/crl-ldap/hosts/carol/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl create mode 100755 testing/tests/crl-ldap/hosts/moon/etc/init.d/iptables create mode 100755 testing/tests/crl-ldap/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/crl-ldap/hosts/moon/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl create mode 100644 testing/tests/crl-ldap/posttest.dat create mode 100644 testing/tests/crl-ldap/pretest.dat create mode 100644 testing/tests/crl-ldap/test.conf (limited to 'testing/tests/crl-ldap') diff --git a/testing/tests/crl-ldap/description.txt b/testing/tests/crl-ldap/description.txt new file mode 100644 index 000000000..02dc0cbbe --- /dev/null +++ b/testing/tests/crl-ldap/description.txt @@ -0,0 +1,9 @@ +By setting strictcrlpolicy=yes a strict CRL policy is enforced on +both roadwarrior carol and gateway moon. Thus when carol initiates +the connection and only an expired CRL cache file in /etc/ipsec.d/crls is +available, the Main Mode negotiation fails. A http fetch for an updated CRL fails +because the web server is currently not reachable. Thus the second Main Mode negotiation +fails, too. Finally an ldap fetch to get the CRL from the LDAP server winnetou +is triggered. When the third Main Mode trial comes around, the fetched CRL has become +available and the IKE negotiation completes. The new CRL is again cached locally as a +file in /etc/ipsec.d/crls due to the cachecrls=yes option. diff --git a/testing/tests/crl-ldap/evaltest.dat b/testing/tests/crl-ldap/evaltest.dat new file mode 100644 index 000000000..2b98e086a --- /dev/null +++ b/testing/tests/crl-ldap/evaltest.dat @@ -0,0 +1,16 @@ +moon::cat /var/log/auth.log::loaded crl file::YES +carol::cat /var/log/auth.log::loaded crl file::YES +moon::cat /var/log/auth.log::crl update is overdue::YES +carol::cat /var/log/auth.log::crl update is overdue::YES +moon::cat /var/log/auth.log::X.509 certificate rejected::YES +carol::cat /var/log/auth.log::X.509 certificate rejected::YES +moon::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES +carol::cat /var/log/auth.log::ignoring informational payload, type INVALID_KEY_INFORMATION::YES +moon::cat /var/log/auth.log::Trying LDAP URL::YES +carol::cat /var/log/auth.log::Trying LDAP URL::YES +moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES +carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES +moon::cat /var/log/auth.log::written crl file::YES +carol::cat /var/log/auth.log::written crl file::YES +moon::ipsec listcrls:: ok::YES +carol::ipsec listcrls:: ok::YES diff --git a/testing/tests/crl-ldap/hosts/carol/etc/init.d/iptables b/testing/tests/crl-ldap/hosts/carol/etc/init.d/iptables new file mode 100755 index 000000000..571459bae --- /dev/null +++ b/testing/tests/crl-ldap/hosts/carol/etc/init.d/iptables @@ -0,0 +1,73 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +opts="start stop reload" + +depend() { + before net + need logger +} + +start() { + ebegin "Starting firewall" + + # default policy is DROP + /sbin/iptables -P INPUT DROP + /sbin/iptables -P OUTPUT DROP + /sbin/iptables -P FORWARD DROP + + # allow esp + iptables -A INPUT -i eth0 -p 50 -j ACCEPT + iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT + + # allow IKE + iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT + iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + + # allow ldap crl fetch from winnetou + iptables -A INPUT -i eth0 -p tcp --sport 389 -s PH_IP_WINNETOU -j ACCEPT + iptables -A OUTPUT -o eth0 -p tcp --dport 389 -d PH_IP_WINNETOU -j ACCEPT + + # allow ssh + iptables -A INPUT -p tcp --dport 22 -j ACCEPT + iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT + + eend $? +} + +stop() { + ebegin "Stopping firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + + if [ $a == nat ]; then + /sbin/iptables -t nat -P PREROUTING ACCEPT + /sbin/iptables -t nat -P POSTROUTING ACCEPT + /sbin/iptables -t nat -P OUTPUT ACCEPT + elif [ $a == mangle ]; then + /sbin/iptables -t mangle -P PREROUTING ACCEPT + /sbin/iptables -t mangle -P INPUT ACCEPT + /sbin/iptables -t mangle -P FORWARD ACCEPT + /sbin/iptables -t mangle -P OUTPUT ACCEPT + /sbin/iptables -t mangle -P POSTROUTING ACCEPT + elif [ $a == filter ]; then + /sbin/iptables -t filter -P INPUT ACCEPT + /sbin/iptables -t filter -P FORWARD ACCEPT + /sbin/iptables -t filter -P OUTPUT ACCEPT + fi + done + eend $? +} + +reload() { + ebegin "Flushing firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + done; + eend $? + start +} + diff --git a/testing/tests/crl-ldap/hosts/carol/etc/ipsec.conf b/testing/tests/crl-ldap/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..669a47d06 --- /dev/null +++ b/testing/tests/crl-ldap/hosts/carol/etc/ipsec.conf @@ -0,0 +1,31 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=yes + cachecrls=yes + +ca strongswan + cacert=strongswanCert.pem + crluri="ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=Linux strongSwan, c=CH?certificateRevocationList" + auto=add + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=2 + +conn home + left=PH_IP_CAROL + leftnexthop=%direct + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/crl-ldap/hosts/carol/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl b/testing/tests/crl-ldap/hosts/carol/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl new file mode 100644 index 000000000..75e8b0959 Binary files /dev/null and b/testing/tests/crl-ldap/hosts/carol/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl differ diff --git a/testing/tests/crl-ldap/hosts/moon/etc/init.d/iptables b/testing/tests/crl-ldap/hosts/moon/etc/init.d/iptables new file mode 100755 index 000000000..8de514a2e --- /dev/null +++ b/testing/tests/crl-ldap/hosts/moon/etc/init.d/iptables @@ -0,0 +1,76 @@ +#!/sbin/runscript +# Copyright 1999-2004 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +opts="start stop reload" + +depend() { + before net + need logger +} + +start() { + ebegin "Starting firewall" + + # enable IP forwarding + echo 1 > /proc/sys/net/ipv4/ip_forward + + # default policy is DROP + /sbin/iptables -P INPUT DROP + /sbin/iptables -P OUTPUT DROP + /sbin/iptables -P FORWARD DROP + + # allow esp + iptables -A INPUT -i eth0 -p 50 -j ACCEPT + iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT + + # allow IKE + iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT + iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + + # allow ldap crl fetch from winnetou + iptables -A INPUT -i eth0 -p tcp --sport 389 -s PH_IP_WINNETOU -j ACCEPT + iptables -A OUTPUT -o eth0 -p tcp --dport 389 -d PH_IP_WINNETOU -j ACCEPT + + # allow ssh + iptables -A INPUT -p tcp --dport 22 -j ACCEPT + iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT + + eend $? +} + +stop() { + ebegin "Stopping firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + + if [ $a == nat ]; then + /sbin/iptables -t nat -P PREROUTING ACCEPT + /sbin/iptables -t nat -P POSTROUTING ACCEPT + /sbin/iptables -t nat -P OUTPUT ACCEPT + elif [ $a == mangle ]; then + /sbin/iptables -t mangle -P PREROUTING ACCEPT + /sbin/iptables -t mangle -P INPUT ACCEPT + /sbin/iptables -t mangle -P FORWARD ACCEPT + /sbin/iptables -t mangle -P OUTPUT ACCEPT + /sbin/iptables -t mangle -P POSTROUTING ACCEPT + elif [ $a == filter ]; then + /sbin/iptables -t filter -P INPUT ACCEPT + /sbin/iptables -t filter -P FORWARD ACCEPT + /sbin/iptables -t filter -P OUTPUT ACCEPT + fi + done + eend $? +} + +reload() { + ebegin "Flushing firewall" + for a in `cat /proc/net/ip_tables_names`; do + /sbin/iptables -F -t $a + /sbin/iptables -X -t $a + done; + eend $? + start +} + diff --git a/testing/tests/crl-ldap/hosts/moon/etc/ipsec.conf b/testing/tests/crl-ldap/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..d5c0dd163 --- /dev/null +++ b/testing/tests/crl-ldap/hosts/moon/etc/ipsec.conf @@ -0,0 +1,42 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +version 2.0 # conforms to second version of ipsec.conf specification + +config setup + plutodebug=control + crlcheckinterval=180 + strictcrlpolicy=yes + cachecrls=yes + +ca strongswan + cacert=strongswanCert.pem + crluri="ldap://ldap.strongswan.org/cn=strongSwan Root CA, o=Linux strongSwan, c=CH?certificateRevocationList" + auto=add + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=2 + left=PH_IP_MOON + leftnexthop=%direct + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftfirewall=yes + +conn net-net + leftsubnet=10.1.0.0/16 + right=PH_IP_SUN + rightsubnet=10.2.0.0/16 + rightid=@sun.strongswan.org + auto=add + +conn host-host + right=PH_IP_SUN + rightid=@sun.strongswan.org + auto=add + +conn rw + leftsubnet=10.1.0.0/16 + right=%any + auto=add diff --git a/testing/tests/crl-ldap/hosts/moon/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl b/testing/tests/crl-ldap/hosts/moon/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl new file mode 100644 index 000000000..75e8b0959 Binary files /dev/null and b/testing/tests/crl-ldap/hosts/moon/etc/ipsec.d/crls/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl differ diff --git a/testing/tests/crl-ldap/posttest.dat b/testing/tests/crl-ldap/posttest.dat new file mode 100644 index 000000000..04f762331 --- /dev/null +++ b/testing/tests/crl-ldap/posttest.dat @@ -0,0 +1,9 @@ +moon::iptables -v -n -L +carol::iptables -v -n -L +moon::ipsec stop +carol::ipsec stop +winnetou::/etc/init.d/slapd stop +moon::/etc/init.d/iptables stop 2> /dev/null +carol::/etc/init.d/iptables stop 2> /dev/null +moon::rm /etc/ipsec.d/crls/* +carol::rm /etc/ipsec.d/crls/* diff --git a/testing/tests/crl-ldap/pretest.dat b/testing/tests/crl-ldap/pretest.dat new file mode 100644 index 000000000..64fae2a16 --- /dev/null +++ b/testing/tests/crl-ldap/pretest.dat @@ -0,0 +1,7 @@ +winnetou::/etc/init.d/slapd start +moon::/etc/init.d/iptables start 2> /dev/null +carol::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +carol::ipsec start +carol::sleep 2 +carol::ipsec up home diff --git a/testing/tests/crl-ldap/test.conf b/testing/tests/crl-ldap/test.conf new file mode 100644 index 000000000..2b240d895 --- /dev/null +++ b/testing/tests/crl-ldap/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="moon carol winnetou" + +# Corresponding block diagram +# +DIAGRAM="m-c-w.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" -- cgit v1.2.3